eqgrp's People

Contributors

inso-, joxeankoret, x0rz

eqgrp's Issues

Real ?

Where is the code showing the hacking of the Pakistan mobile system?

ITIME

ITIME is a tool used for changing file times, useful for hiding changes. Does not work on Linux Mint Serena KDE.
Note: atime = Access time; mtime = Modified time; ctime = Creation time.

Usage: ./itime.i686-pc-linux-gnu-2.2.14-5.0 [-hdDvf] [-a atime] [-m mtime] [-c ctime] file
  -h  Help
  -d  Debugging
  -D  Detailed debugging
  -v  Verbose
  -f  Force changes
  atime, mtime, and ctime are in seconds

You need to be able to read the 'file' and write to /dev/kmem

Jackladder

Jackladder is an implant method used on various systems such as:

Sparc Sun Solaris 2.x
UNIX SCO OpenServer
SGI Irix
...

Usage is listed here as jacktelnet.sh and here as suntelnet.sh. Allegedly it allows opening a raw socket through the telnet command, communicating with a previously uploaded or injected daemon such as sendmail or poptop (PPTP server) that acts as a disposable RAT on the target.

Danger-free?

My antivirus keeps putting certain binaries into quarantine. Does anyone use all the binaries? Are they really safe? I mean, this is legit, but would that stop dangerous files from being in there?

additional info from the Twitters

Not sure if you want to integrate the following, how you want to credit, etc. So opening a ticket instead of a PR.

https://twitter.com/RevBits/status/851083571506929670
Our early analysis: "esna" is a 0day RCE for iPlanet Messaging Server. Has hardcoded offsets for different versions.

https://twitter.com/juliocesarfort/status/850755910322532353
up/extinctspinach seems to be exploiting this vulnerability from 2001 in Chili!Soft:
https://lwn.net/2001/0222/a/sec-chilisoft.php3

https://twitter.com/buherator/status/851170464466653185
estopmoonlit is a Linux kernel exploit

https://twitter.com/buherator/status/851169307060994048
estesfox is a logwatch race condition privesc, probably CVE-2002-0162 http://www.securityfocus.com/bid/4374 (possible bug collision?)

https://twitter.com/buherator/status/851173226088730625
evolvingstrategy seems to exploit a basic SUID command injection in /var/emdg/sbin/iptaction - any ideas what this SW is?

https://twitter.com/buherator/status/851174712965312512
./Linux/bin/EE is a remote post-auth proftpd 1.2.8 exploit

https://twitter.com/buherator/status/851176013103026176
ESCROWUPGRADE seems like this Solaris cachefsd exploit by LSD - copyright notice removed :P https://www.exploit-db.com/exploits/21437/

https://twitter.com/GlassKeys/status/850780470682030081
xmlrpc.php used in Drupal, b2evolution, TikiWiki

https://twitter.com/buherator/status/850710836259815424
Based on strings EXACTCHANGE looks like a kernel exploit

https://twitter.com/juliocesarfort/status/850753804790312968
/Linux/bin/apache-ssl-linux seems to be a variant of openssl-too-open.c SSL2 KEY_ARG overflow - maybe OpenFuckv2?

https://twitter.com/adriaan92/status/850746329575948289
ELECTRICSLIDE: "Heap Overflow in squid 2.5.STABLE1-2 redhat 9.0" #shadowbrokers

https://twitter.com/RevBits/status/851077319485784064
Our early analysis: sneer is a 0day remote root exploit for SunOS snmp agent, mibissa. Uses UDP. ~takes 4:04 mins

https://twitter.com/hackerfantastic/status/850797960652890112
dw.linux - this looks like a previously unknown one (0day?), RPC dmispd exploit for Solaris 6 / 7 / 8

Share the key?

Is it possible to share the key used to decrypt (or is it somewhere here and I just haven't seen it?)

Hi

I'm sorry, but I refuse to believe that the government hires people who are this bad at coding.

Help cannot open it

Hi, I downloaded the file, and when I try to open some files it's an unknown file type. Which application should I install to use them?

Yellowspirit

Yellowspirit is a wrapper. Listed as ys.auto, it works with $PROG like:

	wrap-aix-telnet.sh
	wrap-aix.ftp.sh
	wrap-aix.sh
	wrap-aix.sh.old
	wrap-alpha.sh
	wrap-hpux.sh
	wrap-irix.sh
	wrap-perl.sh
	wrap-ratload.sh
	wrap-sco.sh
	wrap-sun.sh
	wrap-telnet.sh

The options are listed as {OPTARG} from this line onward.

Watcher

Watcher is a remote logging tool used on various systems such as:

FreeBSD 7.4
Linux Redhat 7.3 Fedora 7 Debian 4.0 Slackware 12.0
Sparc Sun Solaris 2.10
...

Watcher appears to be similar to the TACACS or RADIUS protocols and has different versions for
the i386 and x86_64 architectures. Watcher's parsed format is defined as 6 pipe-delimited fields:

User | RAS-Client | IP | Phone | Date | From-To

Its options are listed here.

What's the progress of decryption?

I am just curious. I tried to decrypt it by myself, but I found that I couldn't find the private key. I only know the "unzip password" is "theequationgroup", but I have no way to find more clues. Could anyone tell me the decryption progress? Thanks.

Watcher

It appears 'watcher' is a headless packet sniffer used for spying.
The first few lines make calls to /lib64/ld-linux-x86-64.so.2 to find a process ID; next it makes a call to libc.so.6 where it opens up some sort of connection, either to localhost or to a remote server (further disassembly required).

This program was probably written in 2002 or so (judging by the glibc version), definitely before 2011, as libc.so.6 stopped being hard-coded after that AFAIK.

The strings that give it away as a sniffer are:

monitor_type
set_prismhdr
forceprismheader
forceprism
prismhdr
rfmontx
monitor

DAMPCROWD

Dampcrowd appears to my untrained eyes to be a priv-esc attempt.
It creates a shell with setuid and setgid set to 0 (root).
13: 080484fc 0 FUNC WEAK DEFAULT UND setuid
14: 080484ac 0 FUNC WEAK DEFAULT UND setgid
The exploit did not work on Linux Mint Serena; it just opened up a new /bin/sh shell.

ELIDESKEW

Hi,

Can someone help me? Where can I find the elideskew.pl script which is used in ELIDESKEW?

Thanks

ERROR: Your local CP address is not z0.0.0.1.

When starting Start.jar, I got this error:

  • Added Ops library to Python search path.

  • !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • ERROR: Your local CP address is not z0.0.0.1.

  • !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

YOU MUST RECONFIGURE YOUR SESSION TO CONTINUE!
YOU MUST RECONFIGURE YOUR SESSION TO CONTINUE!

  • DISABLED - pc_listen (LOCAL)
  • DISABLED - pc_connect (LOCAL)

YOU MUST RECONFIGURE YOUR SESSION TO CONTINUE!
YOU MUST RECONFIGURE YOUR SESSION TO CONTINUE!

  • Setting environment variable OPS_PROJECTNAME to 'test'
  • Could not find DSZOpsDisk zip. Disk version NOT recorded.
  • 2 of 8 startup items indicated failure to execute correctly.
  • Session did not pass configuration sanity check. Close, clean up if necessary, and try again.

The project name is test, in D:\logs\test.
The generated directory is z192.168.1.11.

I double-clicked start.jar, configured the directory to the project directory, then set Local Comms to z192.168.1.11.

Then got the above error.
Where should I change?
Thanks