Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   NSA Exploit Kit (Decrypted Files) (https://forum.exetools.com/showthread.php?t=18201)

TechLord 04-09-2017 10:22

NSA Exploit Kit (Decrypted Files) - AUCTION FILE Archive
 
NSA Exploit Kit (Decrypted Files) - Confirmed by Snowden Himself on TWITTER to be the REAL DEAL :


As can be seen from this news article from August last year :

Hackers Steal NSA Exploit Kit and Put it up for Auction , there were TWO sets of archives that contained the "Spying Tools" of the NSA.

The FREE version was made available last year itself.

The OTHER one (nicknamed the "Auction Version") was been sold for huge sums of money (Around 100 bitcoins).

Yesterday, the decrypted files from the AUCTION version were also released.

Link to Decrypted Version of the AUCTION FILES ARCHIVE files :

Code:

https://github.com/x0rz/EQGRP
The Decryption Key (If needed) is :

Code:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN


The FREE version also can be got here, for your convenience :
Code:

https://github.com/atiger77/EQGRP-Free-Files
Password for the FREE file archive (If needed) :
Code:

theequationgroup
EDIT on 15 April 2017 : Added New Material :


The Shadow Brokers "Lost In Translation" leak :

Code:

https://github.com/misterch0c/shadowbroker/
[QUOTE]Contents of this archive :

Quote:

Exploits

EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit
EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86.
ECHOWRECKER remote Samba 3.0.x Linux exploit.
EASYBEE appears to be an MDaemon email server vulnerability
EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
EDUCATEDSCHOLAR is a SMB exploit (MS09-050)
EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 (MS10-061)
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
EPICHERO 0-day exploit (RCE) for Avaya Call Server
ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
ETERNALBLUE is a SMBv2 exploit for Windows 7 SP1 (MS17-010)
ETERNALCHAMPION is a SMBv1 exploit
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
ETRE is an exploit for IMail 8.10 to 8.22
FUZZBUNCH is an exploit framework, similar to MetaSploit
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors

Utilities

PASSFREELY utility which "Bypasses authentication for Oracle servers"
SMBTOUCH check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE
ERRATICGOPHERTOUCH Check if the target is running some RPC
IISTOUCH check if the running IIS version is vulnerable
RPCOUTCH get info about windows via RPC
DOPU used to connect to machines exploited by ETERNALCHAMPIONS
Decrypted content of odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg can be downloaded here :

Code:

https://github.com/x0rz/EQGRP_Lost_in_Translation
Original post from the #ShadowBrokers :
Code:

https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
Read also :

Code:

https://www.emptywheel.net/
and

Do note that according to this post, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products.

This is according to a Microsoft blog post published late Friday night.


Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers

Microsoft fixed critical vulnerabilities in uncredited update released in March.

Quote:

Details of patches released by Microsoft :

Microsoft provided the following table showing when various vulnerabilities were patched:
Code Name Solution
“EternalBlue” Addressed by MS17-010
“EmeraldThread” Addressed by MS10-061
“EternalChampion” Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” Addressed prior to the release of Windows Vista
“EsikmoRoll” Addressed by MS14-068
“EternalRomance” Addressed by MS17-010
“EducatedScholar” Addressed by MS09-050
“EternalSynergy” Addressed by MS17-010
“EclipsedWing” Addressed by MS08-067
Full article here .

ADDED 17 April 2017 :
Table showing Details of the Exploits and the Versions of OS-es they are Effective Against :

View it HERE .

A copy is also attached to this post.

niculaita 04-09-2017 15:49

can you put original decryption key in hex format?

Kerlingen 04-09-2017 19:41

The password is
Code:

CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
The 5th letter is a "quotation mark" (U+0022) and not a "right double quotation mark" (U+201D). Everything is just plain ASCII text.

And these files weren't sold for 100 bitcoins, they were offered for 100 bitcoins. Nobody paid. In the end they did a "highest bid wins" and the winning bid was 0.12 bitcoin. ;)

TechLord 04-10-2017 12:59

Quote:

Originally Posted by niculaita (Post 108995)
can you put original decryption key in hex format?

Updated the password (Key). There is NO need for it as the files are all already in a decrypted state :)

@Kerlingen :
No, they were sold for MUCH higher prices in several underground forums. Obviously, as time went by, most of the buyers kept trying to re-sell them for lower and lower amounts, till it finally came to around 0.12 BTC and then finally released for free yesterday !

This is something similar to what happens to our "Dongle Emulator Kits" . At first they ar esold for $5000+ . Then the buyers try to keep making money by trying to re-sell them to others at lower and lower costs, till the cost of the kit comes down to around $100+.
This was what happened to the HASP Sentinel Emulator kit last year. I was offered the kit for around $150 USD by certain members here. Its original price at one time was a few thousand dollars :)

bolo2002 04-10-2017 23:03

is this relevant,i mean is this leak bringing trouble,information,something that will increase knowledge of hackers/coders?

niculaita 04-10-2017 23:48

Any screen shots of "Dongle Emulator Kits" and HASP Sentinel Emulator kit?

TechLord 04-11-2017 05:31

Quote:

Originally Posted by bolo2002 (Post 109008)
is this relevant,i mean is this leak bringing trouble,information,something that will increase knowledge of hackers/coders?

The SOURCES are included. They can obviously be used for various purposes (Reversing/Hacking) etc in our own tools.

Did not have time to go through ALL of the SOURCES in that archive but whatever I could check, I can confirm that they are genuine :)

H4vC 04-11-2017 05:53

Quote:

Originally Posted by bolo2002 (Post 109008)
is this relevant,i mean is this leak bringing trouble,information,something that will increase knowledge of hackers/coders?

mostly into how NSA operates I think, it's all very old stuff.

bolo2002 04-11-2017 23:18

Quote:

Originally Posted by H4vC (Post 109015)
mostly into how CIA operates I think, it's all very old stuff.

All those didn't worth a buck then? :)

TechLord 04-12-2017 05:58

Quote:

Originally Posted by H4vC (Post 109015)
mostly into how CIA operates I think, it's all very old stuff.

Most of the SOURCES in that archive are mainly useful for stuff like intercepting network traffic and basically for stuff that is related to "spying" , as in what NSA is thought to do.

Yes, they are quite old. But if you incorporate them into your own sources and create your own tools based on them, then they could be found to be very useful.

The concepts that the tools were based on, are quite good. So now that we have the SOURCES, it's upto us to incorporate them into our own tools and make the best use of them !

Cheers :)

mr.exodia 04-13-2017 10:06

So why was this closed exactly?

TechLord 04-14-2017 07:22

Quote:

Originally Posted by mr.exodia (Post 109042)
So why was this closed exactly?

Messaged you :)

TechLord 04-15-2017 16:16

Added new material to my original first post :)

Could I please request everyone to kindly keep the posts of this thread on-topic ? ;)

Thank you

H4vC 04-15-2017 18:48

Quote:

Originally Posted by bolo2002 (Post 109027)
All those didn't worth a buck then? :)

Well according to Zerodium the dump from yesterday is worth about 2million usd :) and this one has 0days for all versions of windows. Fun times.

TechLord 04-16-2017 08:01

Added more details about the exploits and additional links.

Please refer to my first post on this thread for further details.

Quote:

Also, Important Update 4/15/2017 11:45 AM California time None of the exploits reported are, in fact, zerodays that work against supported Microsoft products. Readers should read this update for further details.
Do note that after MODIFICATION of the sources, we can create really effective tools though :D

Happy Easter everyone :)


All times are GMT +8. The time now is 08:37.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX