Evidence Fabrication Tool.
-
2015-07-06 at 6:02 PM UTC
So the recent 'Hacking Team' hack has revealed some pretty fucked up tools. Take this one for instance that can be used to fabricate evidence of CP on your target's computer among other damning 'evidence'.
# This is just an excerpt, the complete code is provided below via the github link.
[CODE]
require 'rcs-common/evidence/common'
require 'digest/md5'

module RCS

module FileopenEvidence

  ELEM_DELIMITER = 0xABADC0DE

  def content(*args)
    hash = [args].flatten.first || {}

    # process name: caller-supplied, or one of three NUL-terminated defaults
    process = hash[:process] || ["Explorer.exe\0", "Firefox.exe\0", "Chrome.exe\0"].sample
    process.encode!("US-ASCII")

    # file path: caller-supplied, or one of three hard-coded incriminating names
    path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample
    path = path.to_utf16le_binary_null

    content = StringIO.new
    t = Time.now.getutc
    # struct tm-style timestamp: nine native-endian 32-bit ints
    content.write [t.sec, t.min, t.hour, t.mday, t.mon, t.year, t.wday, t.yday, t.isdst ? 0 : 1].pack('l*')
    content.write process
    content.write [ 0 ].pack('L') # size hi
    content.write [ hash[:size] || 123456789 ].pack('L') # size lo
    content.write [ 0x80000000 ].pack('l') # access mode
    content.write path # NUL-terminated UTF-16LE
    content.write [ ELEM_DELIMITER ].pack('L')
    content.string
  end
[/CODE]
Imagine being the victim of that, you can kiss your life goodbye. https://github.com/hackedteam/rcs-co...ce/file.rb#L17
-
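For anyone who wants to see what one of these records actually contains, here is an added Ruby example (not code from the leak or from any poster) that decodes a FILEOPEN record in the layout the excerpt writes and lists the fields that coincide with the fallbacks hard-coded in the leaked file: the three sample paths and the 123456789 size. The record it parses is a fixture constructed inside the module, and it assumes the little-endian 32-bit ints of the x86 hosts RCS targeted.

```ruby
require 'stringio'

# Added example, not code from the leak; assumes little-endian int32 fields as on x86 hosts.
module FileopenEvidenceCheck
  ELEM_DELIMITER = 0xABADC0DE
  # Fallback values hard-coded in the leaked file: the three sample paths and the size lo
  CANNED_PATHS = ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi",
                  "C:\\secrets\\bomb_blueprints.pdf"].freeze
  CANNED_SIZE = 123456789
  # Layout: 9 x int32 (sec, min, hour, mday, mon, year, wday, yday, isdst), NUL-terminated
  # ASCII process, uint32 size hi, uint32 size lo, uint32 access mode, NUL-terminated
  # UTF-16LE path, uint32 ELEM_DELIMITER.
  def self.parse(bytes)
    io = StringIO.new(bytes)
    tm = take(io, 36).unpack('l<9')
    process = read_cstring(io, 1).force_encoding('US-ASCII')
    size_hi, size_lo, mode = take(io, 12).unpack('L<3')
    path = read_cstring(io, 2).force_encoding('UTF-16LE').encode('UTF-8')
    raise ArgumentError, 'missing ELEM_DELIMITER' unless take(io, 4).unpack1('L<') == ELEM_DELIMITER
    { time: Time.utc(tm[5], tm[4], tm[3], tm[2], tm[1], tm[0]), process: process,
      size: (size_hi << 32) | size_lo, mode: mode, path: path }
  end
  # Lists decoded fields that coincide with the generator's fallbacks (empty if none).
  def self.fabrication_indicators(rec)
    reasons = []
    reasons << 'path is one of the hard-coded sample paths' if CANNED_PATHS.include?(rec[:path])
    reasons << 'size equals the hard-coded default 123456789' if rec[:size] == CANNED_SIZE
    reasons
  end
  def self.take(io, n)
    chunk = io.read(n)
    raise ArgumentError, 'truncated record' if chunk.nil? || chunk.bytesize < n
    chunk
  end
  # Reads +width+-byte units up to, and excluding, an all-zero terminator.
  def self.read_cstring(io, width)
    buf = ''.b
    until (unit = take(io, width)) == "\0".b * width
      buf << unit
    end
    buf
  end
  # Constructed fixture (not captured data): one record in the layout above.
  def self.sample_record
    [30, 15, 12, 6, 7, 2015, 1, 186, 1].pack('l<*') + "Explorer.exe\0".b +
      [0, CANNED_SIZE, 0x80000000].pack('L<3') +
      CANNED_PATHS[0].encode('UTF-16LE').b + "\0\0".b + [ELEM_DELIMITER].pack('L<')
  end
end
```

A record whose every field is a default from the leaked file is the generator's own fingerprint; a truncated record raises ArgumentError instead of yielding a partial decode.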
2015-07-06 at 6:13 PM UTC
Use a good rule-based software firewall with manual control and they can't get shit on your computer. Any port they open, every packet they transfer, every command they run, every process they start, is enhancemented through the firewall's engine, locked down, and presented for convenient management. It's the closest anyone will ever get to a bullet-proof machine.
-
2015-07-06 at 6:18 PM UTC
[QUOTE]Use a good rule-based software firewall with manual control and they can't get shit on your computer. Any port they open, every packet they transfer, every command they run, every process they start, is enhancemented through the firewall's engine, locked down, and presented for convenient management. It's the closest anyone will ever get to a bullet-proof machine.[/QUOTE]
Obviously this is a post-exploitation tool, meaning that when you have this type of shenanigans to deal with you're already past the point of prevention.
-
2015-07-06 at 6:23 PM UTC
Yeah, I knew that. I was just pointing out that if people don't take at least reasonable precautions, in this day and age, to prevent the possibility of this happening in the first place, then they fully deserve to get fucked over and GTFO the Internet.
-
2015-07-14 at 3:31 AM UTC
[QUOTE]Obviously this is a post-exploitation tool, meaning that when you have this type of shenanigans to deal with you're already past the point of prevention.[/QUOTE]
This is what my friend and I were just arguing. Totally post-exploitation. The file path is very specific. Does this vary from machine to machine with:
[CODE]path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample[/CODE]
Like is it "randomly" generated?
-
2015-07-14 at 3:43 AM UTC
[QUOTE]This is what my friend and I were just arguing. Totally post-exploitation. The file path is very specific. Does this vary from machine to machine with:
[CODE]path = hash[:path] || ["C:\\Utenti\\pippo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"].sample[/CODE]
Like is it "randomly" generated?[/QUOTE]
I honestly have no idea, I didn't read all the related materials yet and there are quite a lot as you can see under this category in the specific github page https://github.com/hackedteam/rcs-co...ommon/evidence
-
2015-07-14 at 4:28 AM UTC
This sort of program was a rumor for many years, the people who contract the work out to these companies are some ruthless, evil fucks.
-
2015-07-14 at 5:25 AM UTC
When you stop to consider the fact that any attacker could quite easily inject shellcode by way of "driveby" attack directly through the browser's port, thus gaining complete control of the system in seconds with a single view of the webpage, it makes these specialized attacks look kind of lame by comparison.
-
2019-08-19 at 12:22 PM UTC
Now how is this old thread bumped when the last post was above me in 2015?
What's up with that? I saw a bunch of bumped threads yesterday with the last post being in 2015.
What's up with that?
-
2019-08-19 at 2:52 PM UTC
Yeah, I'm sure having "ppo\\pedoporno.mpg", "C:\\Utenti\\pluto\\Documenti\\childporn.avi", "C:\\secrets\\bomb_blueprints.pdf"]" is gonna get you locked up for a long time