Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
April 9, 2017 17:37
April 12, 2017 11:08

Browsable content of eqgrp-auction-file.tar.xz

⚠️ Some binaries may be picked up by your antivirus

Nested Tar archives have been uncompressed in the archive_files folder.





  • DITTLELIGHT (HIDELIGHT) unhide NOPEN window to run unix oracle db scripts
  • DUL shellcode packer
  • egg_timer execution delayer (equivalent to at)
  • ewok snmpwalk-like?
  • gr Web crontab manager? wtf. NSA are webscale dude
  • jackladderhelper simple port binder
  • magicjack DES implementation in Perl
  • PORKSERVER inetd-based server for the PORK implant
  • ri equivalent to rpcinfo
  • uX_local Micro X server, likely for remote management
  • ITIME Change Date/Time of a last change on a file of an unix filesystem

Remote Code Execution


  • CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)
  • EASYSTREET/CMSEX and cmsd Solaris rpc.cmsd remote root
  • EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow
  • sneer: mibissa (Sun snmpd) RCE, with DWARF symbols :D
  • dtspcdx_sparc dtspcd RCE for SunOS 5. -5.8. what a useless exploit
  • TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE
  • VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86
  • EBBISLAND RCE Solaris 2.6 -> 2.10 Inject shellcode in vulnerable rpc service

Netscape Server

  • xp_ns-httpd NetScape Server RCE
  • nsent RCE for NetScape Enterprise server 4.1 for Solaris
  • eggbasket another NetScape Enterprise RCE, this time version 3.5, likely SPARC only

FTP servers

  • EE proftpd 1.2.8 RCE, for RHL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd
  • wuftpd likely CVE-2001-0550


  • ESMARKCONANT exploits phpBB remote command execution (<2.0.11) CVE-2004-1315
  • ELIDESKEW Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7
  • ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody
  • ENVISIONCOLLISION RCE for phpBB (derivative)
  • EPICHERO RCE for Avaya Media Server
  • COTTONAXE RCE to retrieve log and information on LiteSpeed Web Server


  • calserver spooler RPC based RCE
  • EARLYSHOVEL RCE RHL7 using sendmail CVE-2003-0681 CVE-2003-0694
  • ECHOWRECKER/sambal: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version
  • ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector
  • EMBERSNOUT a remote exploit against Red Hat 9.0's httpd-2.0.40-21
  • ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2
  • ENTERSEED Postfix RCE, for 2.0.8 - 2.1.5
  • ERRGENTLE/xp-exim-3-remote-linux Exim remote root, likely CVE-2001-0690, Exim 3.22 - 3.35
  • EXPOSITTRAG exploit pcnfsd version 2.x
  • extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?
  • KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (
  • prout (ab)use of pcnfs RPC program (version 2 only) (1999)
  • slugger: various printers RCE, looks like CVE-1999-0078
  • statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
  • telex Telnetd RCE for RHL? CVE-1999-0192?
  • toffeehammer RCE for cgiecho part of cgimail, exploits fprintf
  • VS-VIOLET Solaris 2.6 - 2.9, something related to XDMCP
  • SKIMCOUNTRY Steal mobile phone log data
  • SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)
  • EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to popen() call to be controlled by an attacker; arbitraty cmd execute known to work only for AIMC Version
  • CURSEHAPPY Parser of CDR (Call Detail Records) (siemens, alcatel, other containing isb hki lhr files) probably upgrade of ORLEANSTRIDE
  • ORLEANSTRIDE Parser of CDR (Call Detail Records)


  • toast: wtmps editor/manipulator/querier
  • pcleans: pacctl manipulator/cleaner
  • DIZZYTACHOMETER: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain
  • DUBMOAT Manipulate utmp
  • scrubhands post-op cleanup tool?
  • Auditcleaner cleans up audit.log


Iting HP-UX, Linux, SunOS

  • FUNNELOUT: database-based web-backdoor for vbulletin
  • hi UNIX bind shell
  • jackpop bind shell for SPARC
  • NOPEN Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 source** SunOS5.8
  • SAMPLEMAN / ROUTER TOUCH Clearly hits Cisco via some sort of redirection via a tool on port 2323... (thanks to @cynicalsecurity)
  • SECONDDATE Implant for Linux/FreeBSD/Solaris/JunOS
  • SHENTYSDELIGHT Linux keylogger
  • SIDETRACK implant used for PITCHIMPAIR
  • SIFT Implant for Solaris/Linux/FreeBSD
  • SLYHERETIC SLYHERETIC is a light-weight implant for AIX 5.1:-5.2 Uses Hide-in-Plain-Sight techniques to provide stealth.
  • STRIFEWORLD: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in a memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis.
  • SUCTIONCHAR: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, …
  • STOICSURGEON Rootkit/Backdoor Linux MultiArchi
  • INCISION Rootkit/Backdoor Linux Can be upgrade to StoicSurgeon(more recent version)


  • Seconddate_CnC: CnC for SECONDDATE
  • ELECTRICSIDE likely a big-fat-ass CnC
  • NOCLIENT Seems to be the CnC for NOPEN*



  • h: linux kernel privesc, old-day compiled hatorihanzo.c, do-brk() in 2.4.22 CVE-2003-0961
  • gsh: setreuid(0,0);execl("bash","/bin/bash")
  • PTRACE/FORKPTY/km3: linux kernel lpe, kmod+ptrace, CVE-2003-0127, (
  • EXACTCHANGE: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2005
  • ghost:statmon/tooltalk privesc?
  • elgingamble:
  • ESTOPFORBADE local root gds_inet_server for, Cobalt Linux release 6.0, to be used with complexpuzzle
  • ENVOYTOMATO LPE through bluetooth stack(?)




  • procsuid: setuid perl (yes, it's a real thing) privesc through unsanitized environnement variables. wtf dude
  • elatedmonkey: cpanel privesc (0day) using /usr/local/cpanel/3rdparty/mailman/. Creates mailman mailing list: mailman config_list
  • estesfox: logwatch privesc, old-day
  • evolvingstrategy: privesc, likely for Kaspersky Anti-virus (/sbin/keepup2date is kaspersky's stuff) (what is ey_vrupdate?)
  • eh OpenWebMail privesc
  • escrowupgrade cachefsd for solaris 2.6 2.7 sparc
  • ENGLANDBOGY local exploit against Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg
  • endlessdonut: Apache fastcgi privesc

Interesting stuff


Decrypted content of eqgrp-auction-file.tar.xz







No releases published


No packages published

Contributors 4