Untitled

a guest, Apr 20th, 2017
# Content
# Unknown
- **JACKLADDER**
- **DAMPCROWD**
- **ELDESTMYDLE**
- **SUAVEEYEFUL**
- **WATCHER**
- **YELLOWSPIRIT**

# Misc
- **DITTLELIGHT (HIDELIGHT)** unhides the **NOPEN** window to run UNIX Oracle DB scripts
- **DUL** shellcode packer
- **egg_timer** execution delayer (equivalent of `at`)
- **ewok** [snmpwalk](http://www.net-snmp.org/docs/man/snmpwalk.html)-like?
- **gr** web crontab manager? wtf, NSA is webscale, dude
- **jackladderhelper** simple port binder
- **magicjack** [DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard) implementation in Perl
- **PORKSERVER** inetd-based server for the **PORK** implant
- **ri** equivalent of `rpcinfo`
- **uX_local** micro X server, likely for remote management
- **ITIME** changes the last-change date/time of a file on a UNIX filesystem (timestomping)

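The ITIME entry above is the classic timestomp. The page does not say how ITIME is implemented; the added example below (mine, not code from the page or from the leaked toolkit) assumes the usual route, `utime(2)`, and shows the caveat a responder relies on: `utime` takes atime and mtime but not ctime, so the kernel stamps ctime with the real current time on that very call. The scratch files, their names and the 2004 timestamp are constructed for the demo.

```python
import os
import tempfile
from typing import List, Tuple

# 2004-04-03 UTC, an arbitrary old timestamp chosen for the demo.
BACKDATE_TO = 1081000000


def backdate(path: str, when: int) -> None:
    """What an ITIME-style tool does (assumption: it goes through utime(2)):
    rewrite atime and mtime. ctime is not a utime(2) argument; the kernel
    sets it to the current time as a side effect of this call."""
    os.utime(path, (when, when))


def timestomp_candidates(paths: List[str],
                         tolerance: float = 2.0) -> List[Tuple[str, float, float]]:
    """Return (path, mtime, ctime) for files whose ctime is later than mtime
    by more than `tolerance` seconds. A backdated file always shows this;
    so do chmod/chown/rename, so a hit is a lead to confirm, not a verdict."""
    hits = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > tolerance:
            hits.append((p, st.st_mtime, st.st_ctime))
    return hits


def demo() -> dict:
    """Create two files in a scratch directory, backdate one, run the check."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "notes.txt")
        stomped = os.path.join(d, "backdated.bin")
        for p in (honest, stomped):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        backdate(stomped, BACKDATE_TO)
        st = os.stat(stomped)
        return {
            "stomped_mtime": int(st.st_mtime),
            # ctime did not follow the backdate: it sits years after mtime
            "ctime_gap_days": int((st.st_ctime - st.st_mtime) / 86400),
            "flagged": [os.path.basename(p) for p, _, _ in
                        timestomp_candidates([honest, stomped])],
        }


if __name__ == "__main__":
    print(demo())
```

On a live box the same comparison is `stat -c '%y %z' FILE` (GNU coreutils: modification time, then status-change time); an old `%y` paired with a recent `%z` on a file nobody should have touched is the thing to chase. Only a raw write to the inode (or a clock change before the edit) moves ctime, which is why kernel-level tools exist for this and userland ones leave this trace.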
# Remote Code Execution
## Solaris
- **CATFLAP** Solaris 7/8/9 (SPARC and Intel) RCE (for a [__LOT__](https://twitter.com/hackerfantastic/status/850799265723056128) of versions)
- **EASYSTREET**/**CMSEX** and **cmsd** Solaris `rpc.cmsd` remote root
- **EBBISLAND**/**ELVISCICADA**/**snmpXdmid** and **frown**: `CVE-2001-0236`, Solaris 2.6-2.9 snmpXdmid buffer overflow
- **sneer**: *mibissa* (Sun snmpd) RCE, shipped with *DWARF* symbols :D
- **dtspcdx_sparc** dtspcd RCE for SunOS 5.x up to 5.8 (likely `CVE-2001-0803`). What a useless exploit
- **TOOLTALK** DEC, IRIX, or Solaris 2.6 or earlier ToolTalk buffer overflow RCE
- **VIOLENTSPIRIT** RCE for the ttsession daemon in CDE on Solaris 2.6-2.9, SPARC and x86
- **EBBISLAND** RCE for Solaris 2.6 to 2.10; injects shellcode into the vulnerable RPC service

## Netscape Server
- **xp_ns-httpd** Netscape Server RCE
- **nsent** RCE for Netscape Enterprise Server 4.1 on Solaris
- **eggbasket** another Netscape Enterprise RCE, this time for version `3.5`, likely SPARC only

## FTP servers
- **EE** proftpd 1.2.8 RCE, for RHL 7.3+/Linux, `CVE-2011-4130`? (doubtful: that CVE is a use-after-free in ProFTPD before 1.3.3g, so it cannot be the 1.2.8 bug). Another reason not to use proftpd
- **wuftpd** likely `CVE-2001-0550`

## Web
- **ESMARKCONANT** exploits the phpBB remote command execution (< [2.0.11](https://www.phpbb.com/community/viewtopic.php?t=240636)), `CVE-2004-1315`
- **ELIDESKEW** publicly known vulnerability in [SquirrelMail](https://squirrelmail.org/) versions 1.4.0 - 1.4.7
- **ELITEHAMMER** runs against RedFlag Webmail 4, yields user `nobody`
- **ENVISIONCOLLISION** RCE for phpBB (derivative)
- **EPICHERO** RCE for Avaya Media Server
- **COTTONAXE** RCE to retrieve logs and information from LiteSpeed Web Server

## Misc
- **calserver** spooler RPC-based RCE
- **EARLYSHOVEL** RCE for RHL7 via sendmail, `CVE-2003-0681` / `CVE-2003-0694`
- **ECHOWRECKER**/**sambal**: Samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with *DWARF* symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely `CVE-2003-0201`. There is also a Solaris version
- **ELECTRICSLIDE** RCE (heap overflow) in [Squid](http://www.squid-cache.org/), with a Chinese-looking vector
- **EMBERSNOUT** remote exploit against Red Hat 9.0's httpd-2.0.40-21
- **ENGAGENAUGHTY**/**apache-ssl-linux** Apache2 mod_ssl RCE (2008), SSLv2
- **ENTERSEED** Postfix RCE, for 2.0.8 - 2.1.5
- **ERRGENTLE**/**xp-exim-3-remote-linux** Exim remote root, likely `CVE-2001-0690`, Exim 3.22 - 3.35
- **EXPOSITTRAG** exploit for pcnfsd version 2.x
- **extinctspinash**: `Chili!Soft ASP` stuff RCE? and *Cobalt RaQ* too?
- **KWIKEMART** (**km** binary) RCE for the SSH1 CRC32 compensation attack detector overflow, the "crc32 thingy" (`CVE-2001-0144`, https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html)
- **prout** (ab)use of the `pcnfs` RPC program (version 2 only) (1999)
- **slugger**: various printers RCE, looks like `CVE-1999-0078`
- **statdx** Red Hat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32), the rpc.statd format string bug `CVE-2000-0666`
- **telex** telnetd RCE for RHL? `CVE-1999-0192`?
- **toffeehammer** RCE for `cgiecho`, part of `cgimail`, exploits fprintf
- **VS-VIOLET** Solaris 2.6 - 2.9, something related to [XDMCP](https://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol)
- **SKIMCOUNTRY** steals mobile phone log data
- **SLYHERETIC_CHECKS** checks whether a target is ready for **SLYHERETIC** (not included)
- **EMPTYBOWL** RCE for MailCenter Gateway (mcgate), an application that ships with the Asia Info Message Center mail server; a buffer overflow lets the attacker control a string passed to a popen() call; arbitrary command execution known to work only for AIMC version 2.9.5.1
- **CURSEHAPPY** parser of CDR (Call Detail Records) (Siemens, Alcatel, others containing isb/hki/lhr files), probably an upgrade of ORLEANSTRIDE
- **ORLEANSTRIDE** parser of CDR (Call Detail Records)

# Anti-forensic
- **toast**: `wtmps` editor/manipulator/querier
- **pcleans**: `pacctl` manipulator/cleaner
- **DIZZYTACHOMETER**: alters the RPM database when a system file is changed so that RPM (> 4.1) verify doesn't complain
- **DUBMOAT** manipulates `utmp`
- **scrubhands** post-op cleanup tool?
- **Auditcleaner** cleans up `audit.log`

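toast and DUBMOAT edit the login accounting files in place; what is left behind is a wtmp that still parses but no longer tells a consistent story. The parser and checks below are an added example of mine, not code from the page or from the leaked toolkit: it decodes the glibc `struct utmp` layout used on 64-bit Linux (384-byte records; Solaris and HP-UX utmpx layouts differ, so the format string is an assumption tied to that platform) and runs three triage checks over a wtmp image: records zeroed in place, logouts with no preceding login, and timestamps that run backwards. The sample bytes are constructed inline, not captured from a host.

```python
import struct
from typing import Dict, List, Tuple

# Assumed on-disk layout: glibc `struct utmp` on x86_64 Linux, 384 bytes,
# little-endian. 32-bit glibc, Solaris and HP-UX utmpx differ from this.
# Field order: ut_type, pad(2), ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination,e_exit}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type: int, pid: int, line: str, ident: str, user: str,
                host: str, sec: int, addr=(0, 0, 0, 0)) -> bytes:
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, *addr)


def parse_wtmp(data: bytes) -> List[Dict]:
    """Split a wtmp image into records; a trailing partial record is an error."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d"
                         % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "sec": f[9],
            # an editor that "deletes" by overwriting leaves an all-zero slot
            "zeroed": data[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE,
        })
    return records


def check_wtmp(records: List[Dict]) -> List[Tuple[int, str]]:
    """Triage heuristics; each hit is (record index, reason).

    False positives exist: log rotation splits sessions across files, and
    NEW_TIME/OLD_TIME records follow real clock changes. Treat hits as leads.
    """
    findings = []
    open_lines = set()
    last_sec = 0
    for i, r in enumerate(records):
        if r["zeroed"]:
            findings.append((i, "all-zero record: wiped in place rather than removed"))
            continue
        if r["sec"] < last_sec:
            findings.append((i, "timestamp %d precedes previous record (%d): "
                                "entry edited or inserted" % (r["sec"], last_sec)))
        last_sec = max(last_sec, r["sec"])
        if r["type"] == BOOT_TIME:
            open_lines.clear()           # a reboot ends every session
        elif r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append((i, "logout on %s with no preceding login: "
                                    "login record removed?" % r["line"]))
            open_lines.discard(r["line"])
    return findings


# Constructed sample, not captured from a real host: reboot, a login on
# pts/0, a login that was zeroed out, an orphan logout on pts/2, and the
# pts/0 logout whose timestamp was backdated.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "5.10.0-generic", 1000),
    pack_record(USER_PROCESS, 4242, "pts/0", "ts/0", "alice", "10.0.0.5", 1010,
                (0x0500000A, 0, 0, 0)),
    b"\0" * UTMP_SIZE,
    pack_record(DEAD_PROCESS, 4300, "pts/2", "ts/2", "", "", 1300),
    pack_record(DEAD_PROCESS, 4242, "pts/0", "ts/0", "", "", 1200),
])

if __name__ == "__main__":
    for idx, why in check_wtmp(parse_wtmp(SAMPLE_WTMP)):
        print("record %d: %s" % (idx, why))
```

Run it against a copy of `/var/log/wtmp` taken with the disk image rather than through `last`, which silently skips zeroed records and hides exactly the gap the first check is looking for. Cross-check any hit against sources the editor could not reach from userland: `auth.log`/`secure`, sshd's own log lines, and the process accounting file if `pcleans` did not get to it first.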
# Control
## HP-UX, Linux, SunOS
- **FUNNELOUT**: database-based web backdoor for `vbulletin`
- **hi** UNIX bind shell
- **jackpop** bind shell for SPARC
- **NOPEN** backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 ([source](http://electrospaces.blogspot.nl/p/nsas-tao-division-codewords.html)); SunOS 5.8
- **SAMPLEMAN / ROUTER TOUCH** clearly hits Cisco via some sort of redirection through a tool on port 2323... (thanks to @cynicalsecurity)
- **SECONDDATE** implant for Linux/FreeBSD/Solaris/JunOS
- **SHENTYSDELIGHT** Linux keylogger
- **SIDETRACK** implant used for **PITCHIMPAIR**
- **SIFT** implant for Solaris/Linux/FreeBSD
- **SLYHERETIC** light-weight implant for AIX 5.1-5.2; uses hide-in-plain-sight techniques to provide stealth
- **STRIFEWORLD**: network monitoring for UNIX, needs to be launched as root. It captures data transmitted as part of TCP connections, reconstructs the actual data streams, and stores each session in a file for later analysis
- **SUCTIONCHAR**: kernel-level implant for 32- or 64-bit Solaris SPARC 8/9; transparent, sustained, or real-time interception of processes' input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, ...
- **STOICSURGEON** rootkit/backdoor for Linux, multi-architecture
- **INCISION** rootkit/backdoor for Linux; can be upgraded to STOICSURGEON (the more recent version)

## CnC
- **Seconddate_CnC**: CnC for **SECONDDATE**
- **ELECTRICSIDE** likely a big-fat-ass CnC
- **NOCLIENT** seems to be the CnC for **NOPEN**
- **DEWDROP**

# Privesc

## Linux

- **h**: Linux kernel privesc, old-day compiled `hatorihanzo.c`, do_brk() in 2.4.22, [CVE-2003-0961](https://nvd.nist.gov/vuln/detail/CVE-2003-0961)
- **gsh**: `setreuid(0,0);execl("bash","/bin/bash")`
- **PTRACE/FORKPTY**/**km3**: Linux kernel LPE, kmod+ptrace, [CVE-2003-0127](https://nvd.nist.gov/vuln/detail/CVE-2003-0127) (https://mjt.nysv.org/scratch/ptrace_exploit/km3.c)
- **EXACTCHANGE**: NULL-deref based local root, based on various socket protocols, compiled in 2004, made public in 2005
- **ghost**: `statmon`/tooltalk privesc?
- **elgingamble**:
- **ESTOPFORBADE** local root via `gds_inet_server` for Cobalt Linux release 6.0, to be used with **complexpuzzle**
- **ENVOYTOMATO** LPE through the Bluetooth stack (?)
- **ESTOPMOONLIT** Linux LPE
- **EPOXYRESIN** Linux LPE

## AIX
- **EXCEEDSALON-AIX** privesc

## Others
- **procsuid**: setuid Perl (yes, it's a real thing) privesc through unsanitized environment variables. wtf dude
- **elatedmonkey**: cPanel privesc (0day) using `/usr/local/cpanel/3rdparty/mailman/`. Creates a Mailman mailing list: `mailman config_list`
- **estesfox**: logwatch privesc, [old-day](http://www.securiteam.com/exploits/5OP0S2A6KI.html)
- **evolvingstrategy**: privesc, likely for Kaspersky Anti-Virus (`/sbin/keepup2date` is Kaspersky's stuff) (what is `ey_vrupdate`?)
- **eh** OpenWebMail privesc
- **escrowupgrade** cachefsd for Solaris 2.6/2.7 SPARC
- **ENGLANDBOGY** local exploit against Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9 (likely `CVE-2006-0745`, the setuid Xorg `-modulepath` bug); covers MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core 5, MandrakeSoft Linux 2006.0; requires a setuid Xorg
- **endlessdonut**: Apache FastCGI privesc