jjarmoc

#Handy functions for .bashrc loading.
#
# $ atoi 192.168.1.1
# 3232235777
# $ itoa 3232235777
# 192.168.1.1


function atoi
{

jjarmoc

# To decode:
#   qp -d string 
# To encode:
#   qp string

alias qpd='perl -MMIME::QuotedPrint -pe '\''$_=MIME::QuotedPrint::decode($_);'\'''
alias qpe='perl -MMIME::QuotedPrint -pe '\''$_=MIME::QuotedPrint::encode($_);'\'''
function qp {
if [[ "$1" = "-d" ]]
then

jjarmoc

# XOR an input file with a single byte, save as input.xor
# xorfile(0xff, input)
def xorfile(key, file)
 File.open("#{file}.xor", 'w') {|f| f.write(File.open("#{file}","rb") {|io| io.read}.unpack('C*').map{|x| x ^ key}.pack('C*')) }
end

# string pack/unpack w/ XOR
"ABCD".unpack('C*').collect{|x| (x ^ 0xa2).chr}.join
 => "\xE3\xE0\xE1\xE6" 
"E3E0E1E6".scan(/../).collect{|x| (x.to_i(16) ^ 0xa2).chr}.join

jjarmoc

MSF Module;
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_json_yaml_code_exec.rb

See also;
https://gist.github.com/4660248
https://github.com/ronin-ruby/ronin-ruby.github.com/blob/master/blog/_posts/2013-01-28-new-rails-poc.md

jjarmoc

- Apache configured to accept SSL on a number of ports, each with their own cert demonstrating an individual test case.
- ELBs performing PAT so I had :443 on a number of IPs ending up hitting apache on it's various ports.
- PHP on the webserver would parse the Host Header, and return a response setting a corresponding div to vulnerable
- When the main domain name was accessed, it would instead return a bunch of DIV's each named to correspond to a given vuln, and including the CSS file (generated by PHP above) to test for cert validation.

The end result of all this was a table that looked like the ones shown near the end of;
http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/

Tested included;
- Mismatched CN

jjarmoc

Twitter公式クライアントのコンシューマキー

Twitter for iPhone

Consumer key: IQKbtAYlXLripLGPWd0HUA
Consumer secret: GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

Twitter for Android

Consumer key: 3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for iPad

Consumer key: CjulERsDeqhhjSme66ECg

jjarmoc

require 'httpclient'

cmds = [
	{ :method => "POST", :uri => "http://www.example.com/posthere", :body=>{ 'userid' => 'user', 'pw'=>'password'}, :response=>nil},
	{ :method => "GET", :uri =>"http://www.example.com/gethere", :body=>{}, :response=>nil}
	]

client = HTTPClient.new
client.set_cookie_store('cookie.dat')
cmds.each do |cmd|

jjarmoc

require 'packetfu'
require 'ipaddr'

puts "-- Reading packets"
packets = PacketFu::PcapFile.read_packets('./whatinzeus')

output = packets.inject([]){|ret, pkt|
  ret.push(PacketFu::EthHeader.str2mac(pkt.eth_dst) =~ "01:00:5e" ? 1 : 0)
}

jjarmoc

# See https://twitter.com/k8em0/status/411247236610134016 for the check I found this on.

1.9.3p484 :001 >   nums = [0b01001101, 0b01101001, 0b01100011, 0b01110010, 0b01101111, 0b01110011, 0b01101111, 0b01100110, 0b01110100]
 => [77, 105, 99, 114, 111, 115, 111, 102, 116] 
1.9.3p484 :001 > nums.map{|x| x.chr }.join
 => "Microsoft" 
 

jjarmoc

$ echo "@jjarmoc has your key" | openssl sha1 -sign server.key -sha1 | openssl enc -base64
kzhDRl4Br8KByqSYccdo4QfiVd82M1tkgELodYy5O7gFTOsKsrdl4VITI2LaJ2Fl
A6OzUnTAXnsib/yWtYV+TzQ2auM+C93cHyTU/2ze4YXF2eGZaBr+mXmbkE5TKnAf
sdIkJD1Rax9Rel+YGTQYWFI+tE2+WddHf9yDj787lOIw+GzoXQeAYP7eC0rQXath
+i4g3Sngd1g0q+/g4X0tLLRCEtZqj9gTM6V1JGNvDqA+LAeGkEd4kMzx8p5SvFDM
qChEx32ygA/Im57OQmFJiErhxic3oYG2iKvKBza6+/4madzRRqF2+Sb8Aipenyb0
hY68QU41LimjVtW/X1syRw==