A few exploits…

So, lately I have been experimenting a lot with the “Requests” module for Python. It makes creating and sending HTTP GET and POST requests so incredibly easy that I had to use it to write some incredibly simple PoC exploits.

First off, recently there was an advisory about a PHPTax remote code execution vulnerability. So, naturally, I wrote a quick and nasty PoC for it. There is a better one in the Metasploit framework, but I simply wrote this to stave off boredom one evening. This one simply throws you a reverse shell (if the moon, sun and Andromeda galaxy are correctly lined up).

http://code.google.com/p/insecurety-research/source/browse/trunk/misc-exploits/phptax_RCE.py

Using “requests”, you can send a GET request with just requests.get(url). It is that simple.

The second was an earlier exploit I wrote, before I remembered I could simply inject a reverse shell.

It was an exploit for an Xoops RCE bug. I simply had my exploit wget a shell from a remote server.

http://code.google.com/p/insecurety-research/source/browse/trunk/misc-exploits/xoops_rce.py

There are others in that SVN repo to look at, just have a look :)

I will likely write more later on “Rapid Proof of Concept Creation using ‘requests'” if I could be bothered, there are more vulns to exploit in the meanwhile ;)

Short Post – Smart 0day Hunting

Ok, so I had to notice the “Sammy FORGIT” guy dropping exploits all over Packetstorm and Exploit-DB lately. Most of them in WordPress plugins. You can check out the shit he is dropping here – http://packetstormsecurity.org/files/author/9818/

So, I had to take a look to see whether I could notice any “trick” he was using to find ALL THOSE VULNZ! I want the 0day too!

Let's look at two of the exploits as an example – if you look at more of them there IS a discernible pattern, I promise you.

http://packetstormsecurity.org/files/113844/WordPress-LB-Mixed-Slideshow-1.0-Shell-Upload.html

http://packetstormsecurity.org/files/113898/e107-Hupsi-Fancybox-1.0.4-Shell-Upload.html

Now, what part of both of those is the vuln in?

/uploader/uploadify.php

/uploadify/upload.php

Now, is this just me, or are both using the Uploadify library?

Could be a coincidence, but I must look deeper! I must find MORE examples of this!

This file explains it:

http://packetstormsecurity.org/files/113576/WordPress-plugin-Foxypress-uploadify.php-Arbitrary-Code-Execution.html

So it is the “uploadify.php” file that is buggy as hell. Let's find more examples of this!

http://packetstormsecurity.org/files/113568/WordPress-Auctions-2.0.1.3-Shell-Upload.html

-> It has “vuln path” of uploadify/upload.php

http://packetstormsecurity.org/files/113283/WordPress-Foxypress-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

http://packetstormsecurity.org/files/113277/WordPress-HTML5-AV-Manager-0.2.7-Shell-Upload.html

-> Has “vuln path” uploadify/custom.php

http://packetstormsecurity.org/files/113274/WordPress-WP-Property-1.35.0-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

So, as you can see, all these use the “Uploadify” PHP library to handle file uploads. This library is what makes ALL these plugins buggy.
ANY software bundling a vulnerable library like that is vulnerable to the same bug.

So what does this all mean? Well, if you want the 0day to flood in, you should do as Sammy does. Look for libraries a lot of things use, and find vulns in THEM. The product may be secure, but its libraries are likely not. This way, you canhaz ALL the 0day you ever needed.
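The flip side of that pattern is the site owner's problem: if one bundled library is the bug, you need to know every plugin that ships a copy of it. The script below is an added example (not code from the original post or from any of the linked advisories) that walks a wp-content/plugins style directory and reports each plugin containing one of the “vuln paths” listed above. The plugin directory names and file contents in the sample tree are constructed for the demo, not real plugin slugs, and the script only tells you a copy of the component is present, not which version it is.

```python
"""
Added example (not from the original post): inventory bundled copies of a
third-party upload library across a directory of plugins, so a site owner can
find every plugin that ships the same component. The marker paths below are
the "vuln paths" the post lists; the plugin tree is constructed in a temp dir.
"""
import os
import tempfile
from collections import defaultdict

# (parent directory, file name) pairs the post associates with the bundled
# Uploadify library. Only the trailing two path components are compared, so
# the check does not care how deeply a plugin buries the library.
UPLOADIFY_MARKERS = (
    ("uploader", "uploadify.php"),
    ("uploadify", "upload.php"),
    ("uploadify", "uploadify.php"),
    ("uploadify", "custom.php"),
)


def find_bundled_library(plugins_root, markers=UPLOADIFY_MARKERS):
    """Walk plugins_root; return {plugin_name: [relative paths that matched]}.

    plugins_root is expected to look like wp-content/plugins: one directory
    per plugin. The first path component below the root is taken as the
    plugin name.
    """
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(plugins_root):
        parent = os.path.basename(dirpath)
        for name in files:
            if (parent, name) in markers:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, plugins_root)
                plugin = rel.split(os.sep)[0]
                hits[plugin].append(rel.replace(os.sep, "/"))
    return {plugin: sorted(paths) for plugin, paths in hits.items()}


def build_sample_tree():
    """Construct a throwaway plugin tree mirroring the post's examples.

    Directory names are made up for the demo; the files are placeholders.
    """
    root = tempfile.mkdtemp(prefix="plugins_")
    sample_files = [
        "lb-mixed-slideshow/uploader/uploadify.php",
        "wp-auctions/uploadify/upload.php",
        "foxypress/uploadify/uploadify.php",
        "html5-av-manager/uploadify/custom.php",
        "wp-property/uploadify/uploadify.php",
        "clean-plugin/includes/upload.php",  # same file name, not an uploadify dir
        "clean-plugin/readme.txt",
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for plugin, paths in sorted(find_bundled_library(root).items()):
        print(f"{plugin}: {', '.join(paths)}")
```

Point it at a real plugins directory instead of build_sample_tree() to get the list of plugins that would all need patching or removing together. The same (parent, file) marker idea works for any other bundled component once you know its characteristic paths.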

Now, excuse me while I SVN checkout the entire repo of WordPress plugins :P