EXETOOLS FORUM  

  #1  
Old 04-09-2017, 10:22
TechLord
NSA Exploit Kit (Decrypted Files) - AUCTION FILE Archive

NSA Exploit Kit (Decrypted Files) - Confirmed by Snowden himself on Twitter to be the REAL DEAL:


As can be seen from this news article from August last year:

Hackers Steal NSA Exploit Kit and Put it up for Auction, there were TWO sets of archives that contained the "Spying Tools" of the NSA.

The FREE version was made available last year itself.

The OTHER one (nicknamed the "Auction Version") was sold for huge sums of money (around 100 bitcoins).

Yesterday, the decrypted files from the AUCTION version were also released.

Link to the decrypted version of the AUCTION FILES archive:

Code:
https://github.com/x0rz/EQGRP
The decryption key (if needed) is:

Code:
CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN


The FREE version can also be got here, for your convenience:
Code:
https://github.com/atiger77/EQGRP-Free-Files
Password for the FREE file archive (if needed):
Code:
theequationgroup
EDIT on 15 April 2017: Added new material:


The Shadow Brokers "Lost In Translation" leak:

Code:
https://github.com/misterch0c/shadowbroker/
Contents of this archive:

Quote:
Exploits

EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit
EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer), both SPARC and x86.
ECHOWRECKER remote Samba 3.0.x Linux exploit.
EASYBEE appears to be an MDaemon email server vulnerability
EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
ETERNALROMANCE is an SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
EDUCATEDSCHOLAR is an SMB exploit (MS09-050)
EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061)
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
EPICHERO 0-day exploit (RCE) for Avaya Call Server
ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003
ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
ETERNALBLUE is an SMBv2 exploit for Windows 7 SP1 (MS17-010)
ETERNALCHAMPION is an SMBv1 exploit
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
ETRE is an exploit for IMail 8.10 to 8.22
FUZZBUNCH is an exploit framework, similar to Metasploit
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors

Utilities

PASSFREELY utility which "Bypasses authentication for Oracle servers"
SMBTOUCH check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE
ERRATICGOPHERTOUCH check if the target is running some RPC
IISTOUCH check if the running IIS version is vulnerable
RPCTOUCH get info about Windows via RPC
DOPU used to connect to machines exploited by ETERNALCHAMPION
Decrypted content of odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg can be downloaded here:

Code:
https://github.com/x0rz/EQGRP_Lost_in_Translation
Original post from the #ShadowBrokers:
Code:
https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
Read also:

Code:
https://www.emptywheel.net/
and

Do note that according to this post, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products.

This is according to a Microsoft blog post published late Friday night.


Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers

Microsoft fixed critical vulnerabilities in uncredited update released in March.

Quote:
Details of patches released by Microsoft:

Microsoft provided the following table showing when various vulnerabilities were patched:

Code Name          Solution
“EternalBlue”      Addressed by MS17-010
“EmeraldThread”    Addressed by MS10-061
“EternalChampion”  Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher”    Addressed prior to the release of Windows Vista
“EskimoRoll”       Addressed by MS14-068
“EternalRomance”   Addressed by MS17-010
“EducatedScholar”  Addressed by MS09-050
“EternalSynergy”   Addressed by MS17-010
“EclipsedWing”     Addressed by MS08-067
Full article here.

ADDED 17 April 2017:
Table showing details of the exploits and the versions of OSes they are effective against:

View it HERE.

A copy is also attached to this post.
[Attached image: NSA Exploits Table.jpg]

Last edited by TechLord; 04-18-2017 at 13:18.
  #2  
Old 04-09-2017, 15:49
niculaita
Can you put the original decryption key in hex format?
  #3  
Old 04-09-2017, 19:41
Kerlingen
The password is:
Code:
CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
The 5th letter is a "quotation mark" (U+0022) and not a "right double quotation mark" (U+201D). Everything is just plain ASCII text.

And these files weren't sold for 100 bitcoins, they were offered for 100 bitcoins. Nobody paid. In the end they did a "highest bid wins" and the winning bid was 0.12 bitcoin.

Last edited by Kerlingen; 04-09-2017 at 19:47.
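Kerlingen's point above is the practical one: the key is plain ASCII and the fifth character must be U+0022, which browsers and forum software like to replace with a typographic quote. As an added example (not code from the thread), the block below normalises a pasted key back to ASCII, reports the exact position of any character that is still outside printable ASCII, and prints the key as hex, as niculaita asked. The passphrase string is the one posted in the thread; the archive filename, the key-file name and the gpg invocation are assumptions for illustration, using the GnuPG 2.1+ flags for non-interactive symmetric decryption.

```python
"""Added example (not code from the thread or from the leak): normalise a
passphrase copied from a web page, check that it is plain ASCII, and show
it as hex. The archive and key-file names and the gpg invocation are
assumptions for illustration."""
import unicodedata

# Typographic lookalikes that browsers, forums and word processors commonly
# substitute for ASCII punctuation. Only the ones whose ASCII form is
# unambiguous are mapped; anything else non-ASCII is reported, not guessed.
_LOOKALIKES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",                   # curly single quotes
    "\u2013": "-", "\u2014": "-",                   # en/em dash
    "\u00a0": " ",                                  # no-break space
}

PASSPHRASE = 'CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN'   # as posted in the thread


def normalise_passphrase(text: str) -> str:
    """Map common typographic substitutions back to ASCII and strip the
    whitespace a copy/paste tends to add around the key."""
    text = unicodedata.normalize("NFC", text).strip()
    return "".join(_LOOKALIKES.get(ch, ch) for ch in text)


def non_ascii_positions(text: str) -> list:
    """(index, char, Unicode name) for every character outside printable
    ASCII, so the user can see exactly which position is wrong."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


def to_hex(text: str) -> str:
    """Hex of the UTF-8 bytes (identical to ASCII for a clean key)."""
    return text.encode("utf-8").hex()


def gpg_decrypt_argv(archive: str, passphrase_file: str) -> list:
    """GnuPG 2.1+ argv for non-interactive decryption with a key file
    (assumed filenames). --passphrase-file reads only the first line, so
    write the key with a single trailing newline and no other whitespace."""
    output = archive[:-4] if archive.endswith(".gpg") else archive + ".decrypted"
    return ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
            "--passphrase-file", passphrase_file, "--output", output,
            "--decrypt", archive]


if __name__ == "__main__":
    # Constructed input: the key as it looks after a browser replaced the
    # 5th character with U+201D and the paste picked up a leading space.
    pasted = ' CrDj\u201d(;Va.*NdlnzB9M?@K2)#>deB7mN'
    print("bad positions:", non_ascii_positions(pasted))
    fixed = normalise_passphrase(pasted)
    print("normalised matches posted key:", fixed == PASSPHRASE)
    print("hex:", to_hex(fixed))
    print(" ".join(gpg_decrypt_argv("archive.tar.xz.gpg", "key.txt")))
```

Run `non_ascii_positions()` on the key before feeding it to gpg: a wrong passphrase against a symmetric archive only produces a generic decryption failure, and the character-level report is much faster than staring at two quotation marks that render almost identically.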
  #4  
Old 04-10-2017, 12:59
TechLord
Quote:
Originally Posted by niculaita View Post
Can you put the original decryption key in hex format?
Updated the password (key). There is NO need for it, as the files are all already in a decrypted state.

@Kerlingen :
No, they were sold for MUCH higher prices in several underground forums. Obviously, as time went by, most of the buyers kept trying to re-sell them for lower and lower amounts, till it finally came to around 0.12 BTC and then it was finally released for free yesterday!

This is something similar to what happens to our "Dongle Emulator Kits". At first they are sold for $5000+. Then the buyers try to keep making money by trying to re-sell them to others at lower and lower costs, till the cost of the kit comes down to around $100+.
This was what happened to the HASP Sentinel Emulator kit last year. I was offered the kit for around $150 USD by certain members here. Its original price at one time was a few thousand dollars.

Last edited by TechLord; 04-10-2017 at 13:04.
  #5  
Old 04-10-2017, 23:03
bolo2002
Is this relevant? I mean, is this leak bringing trouble, information, something that will increase the knowledge of hackers/coders?
  #6  
Old 04-10-2017, 23:48
niculaita
Any screen shots of "Dongle Emulator Kits" and HASP Sentinel Emulator kit?
  #7  
Old 04-11-2017, 05:31
TechLord
Quote:
Originally Posted by bolo2002 View Post
Is this relevant? I mean, is this leak bringing trouble, information, something that will increase the knowledge of hackers/coders?
The SOURCES are included. They can obviously be used for various purposes (reversing/hacking, etc.) in our own tools.

Did not have time to go through ALL of the SOURCES in that archive, but whatever I could check, I can confirm that they are genuine.
  #8  
Old 04-11-2017, 05:53
H4vC
Quote:
Originally Posted by bolo2002 View Post
Is this relevant? I mean, is this leak bringing trouble, information, something that will increase the knowledge of hackers/coders?
Mostly into how the NSA operates, I think; it's all very old stuff.

Last edited by H4vC; 04-15-2017 at 18:49.
  #9  
Old 04-11-2017, 23:18
bolo2002
Quote:
Originally Posted by H4vC View Post
Mostly into how the CIA operates, I think; it's all very old stuff.
All those weren't worth a buck then?
  #10  
Old 04-12-2017, 05:58
TechLord
Quote:
Originally Posted by H4vC View Post
Mostly into how the CIA operates, I think; it's all very old stuff.
Most of the SOURCES in that archive are mainly useful for stuff like intercepting network traffic and basically for stuff that is related to "spying", as in what the NSA is thought to do.

Yes, they are quite old. But if you incorporate them into your own sources and create your own tools based on them, then they could be found to be very useful.

The concepts that the tools were based on are quite good. So now that we have the SOURCES, it's up to us to incorporate them into our own tools and make the best use of them!

Cheers
  #11  
Old 04-13-2017, 10:06
mr.exodia
So why was this closed exactly?
  #12  
Old 04-14-2017, 07:22
TechLord
Quote:
Originally Posted by mr.exodia View Post
So why was this closed exactly?
Messaged you
  #13  
Old 04-15-2017, 16:16
TechLord
Added new material to my original first post.

Could I please request everyone to kindly keep the posts of this thread on-topic?

Thank you
  #14  
Old 04-15-2017, 18:48
H4vC
Quote:
Originally Posted by bolo2002 View Post
All those weren't worth a buck then?
Well, according to Zerodium the dump from yesterday is worth about 2 million USD, and this one has 0days for all versions of Windows. Fun times.
  #15  
Old 04-16-2017, 08:01
TechLord
Added more details about the exploits and additional links.

Please refer to my first post on this thread for further details.

Quote:
Also, Important Update 4/15/2017 11:45 AM California time: None of the exploits reported are, in fact, zerodays that work against supported Microsoft products. Readers should read this update for further details.
Do note that after MODIFICATION of the sources, we can create really effective tools though.

Happy Easter everyone

Last edited by TechLord; 04-16-2017 at 08:07.