Analysis of "r00t 4 LFI Toolkit"

[MaXe]

Dear EH'netters,


Recently I saw a couple of people tweet about this newly released "tool", which in essence should be able to: "This tool is a php script that assists in performing local file inclusion attacks."

Unfortunately, it only performs one type of LFI attack (via /proc/self/environ), and furthermore, it is also backdoored.

Screenshot: http://i.imgur.com/PXcSX.png

Proof of Concept:

Code:

Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==

You can read the full analysis here: http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html


Best regards,
MaXe

[millwalll]

Thanks for the info

[nytfox]

Thanks for the update

[MaXe]

No problem  I found out today, that the tool has been removed from Packet Storm, preventing e.g., further infections of anyone using it. So that's great news, as I don't want to see people use a tool that contains backdoors, where the tool doesn't really do anything faster than you could do manually (which is also more fun and it provides more debugging info).