exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ishopcart-cgi-bof.c.txt

ishopcart-cgi-bof.c.txt
Posted Jun 3, 2006
Site awarenetwork.org

ishopcart.cgi suffers from a buffer overflow in the vGetPost() function. POC included.

tags | exploit, overflow, cgi
SHA-256 | f4b07660ad5a348c1dbafdfd6cc4b4787cab9c62bf3ca8f7b05872ffe58d50e8

ishopcart-cgi-bof.c.txt

Change Mirror Download
Vendor: ishopcart inc
Vendor Site: ishopcart.com
Vendor Status: notified via telephone

While spending a night auditing I have found 2 buffer overflows and 1
directory traversal in the ishopcart cgi, which is written in C.

The directory traversal is caused by how the cgi chooses to show pages.
If, for example, the CGI is tould to show an order form, the order
form's name is taken as argv[1] and opens this file and prints it, ie:

/cgi-bin/easy-scart.cgi?../../../../../../../etc/passwd

The first buffer overflow is in main()'s szTmp[100] variable. argv[1] is
placed in this variable through a sprintf, although no check is made on
the size of argv[1] before putting it in szTmp:

sprintf(szTmp,"%s",argv[1]);

The other buffer overflow (of which I have succesfuly exploited) lies in
main() also, but is overflowed in vGetPost(). char szBuf[4000]; is
passed to vGetPost() under the circumstance that argv[1] contains
specific criteria. vGetPost() reads POST data until the word "Submit" is
encountered, doing absolutely no bounds checking on the ammount of data
supplied.

When notified via telephone, the author claimed to be in the process of
fixing these errors, and at the same time took ishopcart.com offline.
Provided is the exploit code that spawns a connect back shell. It has been tested both localy and remotely
and has proved to work 100%

The real issue lies in the fact that this is a shopping cart system.
Also, since this is a cgi script, apache forks before executing it and
hence does not die on unsuccessful attempts, meaning that combined with
a massive 4000 NOP buffer, brute forcing of the offset is possible
leading to a theoretical 100% probability of remote code execution.

The good news is that this program doesn't seem to be common. If you you
would like to view the site and the code, search 'ishopcart' on google
and click it's cached link, then hit the source code link and you'll see
easy-scart.c through easy-scart6.c (all, of which, are vulnerable)

--K-sPecial
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    45 Files
  • 9
    Dec 9th
    9 Files
  • 10
    Dec 10th
    6 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close