Monday 30 January 2012

Web Application Backdoors Collection: v2.0

This is the SVN for web app backdoors. As I find em, I add em. I also try to purge dupes from time to time, but have not got a good method of doing so just yet.

I also plan to eventually analyse them for backdoors, so if you find a backdoor in one please mail me so I can mark it as backdoored.

Finally, I take NO RESPONSIBILITY WHATSOEVER for ANY use of this collection, it is designed for educational purposes and so you AV people can write signatures for this shit.

So SVN UP!!

Web Shell Collection

Sunday 29 January 2012

New Linux Local Root Exploit in the wild

Just a quick post, plan to test this in a VM later and make a video for all to see... (if I remember!)

http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

Very interesting technique!

Play safe...

Friday 27 January 2012

Web Backdoors: Video

This is a video I made to quickly demonstrate some Web App Backdoors.
I demonstrate Weevely; FireInTheHole.py; PHPSploit; and two standard "web shells", the WSO2.php shell and the ITSecTeam shell.

I occasionally comment on each one's shortfalls, but here is the simple TL;DR one.

Weevely is amazing to use, has LOADS of features, the netcat bind and backconnect shells work perfectly, but it is slightly confusing for the first time user. It also remembers your current working dir and has a very intuitive shell (just like BASH) and fairly good error handling.
You can get it HERE: Weevely

FireInTheHole.py is fast, simple to use, uses both POST and/or GET and gives a terminal like session. It has no advanced features but has a couple of bugs, namely its non-interactive state. It *does* remember your current working dir however, which is very advantageous.
You can download it HERE: Fireinthehole.py

PHPSploit is a VERY nice "framework" which is currently in beta and has great potential. It looks a LOT like Metasploit, and I envision it becoming popular sometime in the future. It works fine, allows you to pull a lot of info, however it has some issues. It does not remember current working dir at all, so it can be rather annoying to "stack" commands for different dirs.
You can download it HERE: PHPSploit

I then demo the WSO2 PHP backdoor, which was failing pretty hard (some functions missing) and the ITSecTeam PHP backdoor, which seems designed to be "skid friendly" and has loads of features. I suspect both may be backdoored but have not investigated... YET. Neither had a functional backconnect or bindshell, and had a load of errors/bugs. I recommend *not* using these. You may find examples on google, and I plan to upload them myself later.

Now it's video time!

Quick note...

So as I slowly realize that some parts of my mind are eroding due to excessive stress, I decided "why not fucking blog about it like all those other people with inflated self-opinion?"

So, for the hell of it, my rantings and general idiocy will be posted to my other blog that I just set up. Expect lots of emotional/drunken/pseudo-philosophical rantings.

Some of you may even get a good laugh as my mind melts down into jelly! As if it ever was *not* a quivering blob of jelly...

Link to blog! ---> My Own Idiotic Ranting

Oh, some other people may occasionally use it to "vent" also. So spread it around, and if you want to anonymously vent and want to publish it there, just message me @info_dox on twatter or email at: the.infodox [at] gmail.com :)

~infodox

Sunday 22 January 2012

802.11 Race Condition Exploitation


This post is about the Race Condition Exploitation method for "hijacking" WiFi clients.

Basically how it works is, the client sends a GET request for whatever. You respond with a 301 redirect to your content.

How you do this is by sniffing the traffic, and when you see a GET you inject a 301 to the client and a FIN or RST to the AP. You essentially pretend to be the access point for a second.
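Added example, not from the post or from any tool it links: a small detector for the race just described, seen from the defender's side. The forged 301 and the AP's real reply are both sent as the same TCP segment (same sequence number), but they carry different bytes, so a flow that shows two differing server-to-client segments at one seq is the tell-tale; a genuine retransmit carries identical bytes and is not flagged. Packets here are constructed dicts standing in for parsed pcap records, and every address and hostname is made up.

```python
# Flag server->client TCP segments that reuse a sequence number with different data,
# the signature an airpwn-style injected 301 leaves beside the AP's real response.
def find_duplicate_seq_responses(packets):
    """Return one alert per segment whose seq was already seen with other bytes."""
    payloads_at = {}   # (flow, seq) -> list of distinct payloads seen at that seq
    alerts = []
    for p in packets:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        seen = payloads_at.setdefault((flow, p["seq"]), [])
        if p["payload"] in seen:
            continue                      # identical bytes: ordinary retransmission
        if seen:                          # same seq, different bytes: two "servers" answered
            alerts.append({
                "flow": flow,
                "seq": p["seq"],
                "first": seen[0].split(b"\r\n", 1)[0],        # status line of first reply
                "second": p["payload"].split(b"\r\n", 1)[0],  # status line of the late one
            })
        seen.append(p["payload"])
    return alerts


def sample_packets():
    """Constructed trace: the injected 301 wins the race, the AP's real 200 arrives after."""
    srv, sport, cli, cport = "203.0.113.10", 80, "192.0.2.20", 51514  # made-up addresses

    def seg(seq, payload):
        return {"src": srv, "sport": sport, "dst": cli, "dport": cport,
                "seq": seq, "payload": payload}

    real = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"
    return [
        seg(1000, b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: http://injected.example/\r\n\r\n"),  # forged reply
        seg(1000, real),   # the access point's genuine reply, same seq
        seg(1000, real),   # benign retransmit of the genuine reply: not an alert
    ]


if __name__ == "__main__":
    for alert in find_duplicate_seq_responses(sample_packets()):
        print(alert)
```

Run against a real capture by feeding it the server-to-client segments of each HTTP flow; the injected reply will usually be the first one at the contested seq because it was sent before the AP could answer.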

So far there are several variants out there, including a Metasploit module. It can be found in auxiliary/spoof/wifi/airpwn

The technique was originally demoed by "toast" at DEFCON 12, and used to replace images with shock porn like Goatse or Tubgirl.

Some links of interest...

http://evilscheme.org/defcon/
http://airpwn.sourceforge.net/Airpwn.html
http://sourceforge.net/projects/airpwn/
http://securitysumo.wordpress.com/2008/04/22/running-airpwn/

Aaaaand some video...



So naturally, I wondered. I can inject images and javascript... So what about executables? (you see where I am going...)

Then I found someone else was doing this exact thing with updates. Hijacking them ala airpwn. Their tool is named "IPPON", and is very interesting, albeit buggy as fuck. If you can make it work, please god message me!

Here be their presentation from DEFCON 17, and their code!
http://www.slideshare.net/itzikk/ippondefcon17
http://code.google.com/p/ippon-mitm/

Now on to the best of the bunch (IMO). RCX. Developed by Melchi Salins, it allows you to do *anything*, is written in Python using SCAPY, and generally is fucking BADASS! With it, you can redirect ANYTHING to ANYTHING.

http://rcx.sourceforge.net/rcx.html

Coming Soon... The RCX config file for mass update hijacking!

##

Ok. Comments were asking for how to install AirPwn in Ubuntu 10.04/Back Track 5.

Here is how it is SUGGESTED to do it...

http://www.timashley.me/node/718


Now I found the second part of that (install lorcon + airpwn) did not work for me. So... I did things a bit differently.

Check out this LaunchPad: https://launchpad.net/~nagos/+archive/ppa?field.series_filter= 

Now, I simply grabbed the .deb files for Airpwn and Liblorcon from there.
Install Liblorcon FIRST. Then Airpwn.

However, this PPA should work fine also: ppa:nagos/ppa

It just didn't work for me :P

Saturday 21 January 2012

Beta of The Poisoner

Get it HERE --> http://code.google.com/p/thepoisoner

Video...

Friday 13 January 2012

MITM w/ ARP Toxin and Driftnet - Video + Tool

Quick intro video about using ARP Toxin to perform MITM attacks, with extra fun involvin' using Driftnet to sniff images sent across the network.



Code is here -- Sauce Code

Bug reports and suggestions welcome!
Video made for CampusCon :D

Tuesday 10 January 2012

Downtime part 2

So I think the shell I hosted the main site on is dead.
Once I retrieve backups of my homedir there I will have it back online.
All files are slowly being mirrored and I am working to rectify the issue...

Thursday 5 January 2012

Interesting Stats... Browser and OS choice of my readers

So, I noticed blogger.com autodetects OS and Browser of viewers to the blog. I then thought... "Wow, this is interesting..." and decided to publish. I wonder how they run the detection? User Agent? Fascinating stuff, especially the variety xD

Pageviews by Browsers
  Firefox             189 (43%)
  Chrome              138 (31%)
  Internet Explorer    42 (9%)
  Opera                31 (7%)
  Konqueror            12 (2%)
  Safari               10 (2%)
  Mobile                7 (1%)
  Mobile Safari         4 (<1%)
  Comodo_Dragon         1 (<1%)

Pageviews by Operating Systems
  Windows             262 (61%)
  Linux                95 (22%)
  Macintosh            27 (6%)
  Ubuntu               21 (4%)
  iPhone                8 (1%)
  Other Unix            6 (1%)
  Android               5 (1%)
  iPad                  2 (<1%)

Collection of web app backdoors (v1)

This is a collection of the common PHP (and ASP if I find them) backdoors used by malicious hackers to take over servers.
I am NOT responsible for your use of this!


Warning: There is every possibility these backdoors may be backdoored. I am going to eventually sort them into two folders - backdoored backdoors and clean backdoors. Then I can sit back and watch y'all go apeshit at some skiddies who backdoor their backdoors :D


Download the list here... Web Backdoors

Tuesday 3 January 2012

Quick Post - package of Perl shells

Ok, very short post. 4 Perl shells/backdoors, 3 are reverse shells and one is a bind shell. Seems to me everyone uses the same trick to get a reverse shell :/

Anyways, more to come later! Download link below!

Perl Shells Tarball

Sunday 1 January 2012

CVE-2011-4885 PHP HashTables Exploit

Hey guys, time for some exploit code!

Here is the exploit for CVE-2011-4885

Info on vuln:
http://secunia.com/advisories/47404
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf

Exploit Code:
PHP Exploit Code
Pastebin Mirror