Jar2 The NSA Tools

 

DEDICATED TO VITALY CHURKIN AND ALL THE GOOD PEOPLE KILLED BY THE NSA/CIA/MOSSAD AND THEIR AGENTS

 

 

UNENCRYPTED ZIPPED FILE: DOWNLOAD AT YOUR OWN RISK

http://www.jar2.biz/Files/NSA_TOOLS/EQGRP-master.zip

SOURCE of FILES: The Shadow Brokers, Analysis by GITHUB, HOSTING by JAR2 BIZ

MESSAGE FROM SHADOW BROKERS:

https://github.com/x0rz/EQGRP/blob/master/README.md

http://www.zerohedge.com/news/2017-04-08/hacker-group-releases-password-nsas-top-secret-arsenal-protest-trump-betrayal

Unknown

COTTONAXE

EBBISLAND related rce

STOICSURGEON

INCISION

ITIME

JACKLADDER

DAMPCROWD

ELDESTMYdLE

SUAVEEYEFUL

WATCHER

YELLOWSPIRIT

Misc

DITTLELIGHT (HIDELIGHT) unhide NOPEN window to run unix oracle db scripts

DUL shellcode packer

egg_timer execution delayer (equivalent to at)

ewok snmpwalk-like?

gr Web crontab manager? wtf. NSA are webscale dude

jackladderhelper simple port binder

magicjack DES implementation in Perl

PORKSERVER inetd-based server for the PORK implant

ri equivalent to rpcinfo

uX_local Micro X server, likely for remote management

Remote Code Execution

Solaris

CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)

EASYSTREET/CMSEX and cmsd Solaris rpc.cmsd remote root

EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow

sneer: mibissa (Sun snmpd) RCE, with DWARF symbols :D

dtspcdx_sparc dtspcd RCE for SunOS 5. -5.8. what a useless exploit

TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE

VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86

Netscape Server

xp_ns-httpd NetScape Server RCE

nsent RCE for NetScape Enterprise server 4.1 for Solaris

eggbasket another NetScape Enterprise RCE, this time version 3.5, likely SPARC only

FTP servers

EE proftpd 1.2.8 RCE, for RHEL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd

wuftpd likely CVE-2001-0550

Web

ESMARKCONANT exploits phpBB vulnerability (<2.0.11)

ELIDESKEW Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7

ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody

ENVISIONCOLLISION RCE for phpBB (derivative)

EPICHERO RCE for Avaya Media Server

Misc

calserver spooler RPC based RCE

EARLYSHOVEL RCE RHL7 using sendmail

ECHOWRECKER/sambal: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version

ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector

EMBERSNOUT a remote exploit against Red Hat 9.0's httpd-2.0.40-21

ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2

ENTERSEED Postfix RCE, for 2.0.8-2.1.5

ERRGENTLE/xp-exim-3-remote-linux Exim remote root, likely CVE-2001-0690, Exim 3.22-3.35

EXPOSITTRAG exploit pcnfsd version 2.x

extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?

KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html)

prout (ab)use of pcnfs RPC program (version 2 only) (1999)

slugger: various printers RCE, looks like CVE-1999-0078looks

statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)

telex Telnetd RCE for RHEL ? CVE-1999-0192?

toffeehammer RCE for cgiecho part of cgimail, exploits fprintf

VS-VIOLET Solaris 2.6 - 2.9, something related to XDMCP

SKIMCOUNTRY Steal mobile phone log data

SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)

EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to popen() call to be controlled by an attacker; arbitraty cmd execute known to work only for AIMC Version 2.9.5.1

Anti-forensic

toast: wtmps editor/manipulator/querier

pcleans: pacctl manipulator/cleaner

DIZZYTACHOMETER: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain

DUBMOAT Manipulate utmp

scrubhands post-op cleanup tool?

Auditcleaner cleans up audit.log

Control

Iting HP-UX, Linux, SunOS

FUNNELOUT: database-based web-backdoor for vbulletin

hi UNIX bind shell

jackpop bind shell for SPARC

NOPEN Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 source

ORLEANSTRIDE

SAMPLEMAN / ROUTER TOUCH Clearly hits Cisco via some sort of redirection via a tool on port 2323... (thanks to @cynicalsecurity)

SECONDDATE Implant for Linux/FreeBSD/Solaris/JunOS

SHENTYSDELIGHT Linux keylogger

SIDETRACK implant used for PITCHIMPAIR

SIFT Implant for Solaris/Linux/FreeBSD

SLYHERETIC SLYHERETIC is a light-weight implant for AIX 5.1-5.2 Uses Hide-in-Plain-Sight techniques to provide stealth.

STRIFEWORLD: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in a memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis.

SUCTIONCHAR: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, …

CnC

Seconddate_CnC: CnC for SECONDDATE

ELECTRICSIDE likely a big-fat-ass CnC

NOCLIENT Seems to be the CnC for NOPEN*

DEWDROP

Privesc

Linux

h: linux kernel privesc, old-day compiled hatorihanzo.c, do-brk() in 2.4.22

CVE-2003-0961

gsh: setreuid(0,0);execl("bash","/bin/bash")

PTRACE/FORKPTY/km3: linux kernel lpe, kmod+ptrace, CVE-2003-0127, (https://mjt.nysv.org/scratch/ptrace_exploit/km3.c)

EXACTCHANGE: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2005

ghost:statmon/tooltalk privesc?

elgingamble:

ESTOPFORBADE local root gds_inet_server for, Cobalt Linux release 6.0, to be used with complexpuzzle

ENVOYTOMATO LPE through bluetooth stack(?)

ESTOPMOONLIT Linux LPE

EPOXYRESIN Linux LPE

AIX

EXCEEDSALON-AIX privesc

Others

procsuid: setuid perl (yes, it's a real thing) privesc through unsanitized environnement variables. wtf dude

elatedmonkey: cpanel privesc (0day) using /usr/local/cpanel/3rdparty/mailman/. Creates mailman mailing list: mailman config_list

estesfox: logwatch privesc, old-day

evolvingstrategy: privesc, likely for Kaspersky Anti-virus (/sbin/keepup2date is kaspersky's stuff) (what is ey_vrupdate?)

eh OpenWebMail privesc

escrowupgrade cachefsd for solaris 2.6 2.7 sparc

ENGLANDBOGY local exploit against Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg

endlessdonut: Apache fastcgi privesc

Interesting stuff

default passwords list (courtesy of x0rz)

gov.ru (stoicsurgeon_ctrl__v__1.5.13.5_x86-freebsd-5.3-sassyninja-mail.aprf.gov.ru) (wow

 

 

Last Update: 04/28/2017 03:50 +0300

 

Site 1JAR2 Blog Button

 

JAR2 Biz

 

  Please help keep us going and make a donation Thanks to all supporters!

PayPal, Yandex, Qiwi, Сбербанк Sberbank Visa 4276 3800 4543 8756

 

Copyright JAR2 2003-2017 All Rights Reserved

Publishing Banned Truth Since June 06, 2003