PikPikcU pikpikcu

Assembly Language / Reversing / Malware Analysis -resources

⭐Assembly Language

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs:

Executing Python in MSSQL

MSSQL 2017 includes Microsoft Machine Learning Services, which allows for the execution of Python and R scripts within MSSQL via sp_execute_external_script. This is an expansion of the functionality available in MSSQL 2016, which allowed for the execution of R scripts with SQL Server R Services. Examples of how to abuse this functionality with R scripts are available elsewhere.

To execute Python code:

Machine Learning Services (In-Database) and Python must have been selected during installation
External scripts must be enabled
- EXEC sp_configure 'external scripts enabled', 1
- RECONFIGURE WITH OVERRIDE
- Restart the database server
The user must have EXECUTE ANY EXTERNAL SCRIPT

	0
	1
	11
	12
	13
	14
	15
	16
	17
	2

	#Tool based on a resolver.rb by @melvinsh
	#Original Repository: https://github.com/melvinsh/subresolve
	#Modified by @ehsahil for Personal Use.
	require 'socket'
	require 'colorize'

	begin
	file = File.open(ARGV[0], "r")
	rescue
	puts "Usage: ruby recon.rb wordlist"

	#!/usr/bin/env bash

	# Step 1: Fill in EMAIL, TOKEN, DOMAIN and SUBDOMAIN. Your API token is here: https://www.cloudflare.com/a/account/my-account
	# Make sure the token is the Global token, or has these permissions: #zone:read, #dns_record:read, #dns_records:edit
	# If you want to set the root domain instead of a subdomain, set SUBDOMAIN to "@"
	# Step 2: Create an A record on Cloudflare with the subdomain you chose
	# Step 3: Run "./ddns.sh -l" to get the zone_id and rec_id of the record you created.
	# Fill in ZONE_ID and REC_ID below
	# This step is optional, but will save you 2 requests every time you run this script
	# Step 4: Run "./ddns.sh". It should tell you that record was updated or that it didn't need updating.

	echo "Blind SSRF testing - append to parameters and add new parameters @hussein98d"
	echo "Usage: bash script.sh domain.com http://server-callbak"
	echo "This script uses https://github.com/ffuf/ffuf, https://github.com/lc/gau, https://github.com/tomnomnom/waybackurls"
	if [ -z "$1" ]; then
	echo >&2 "ERROR: Domain not set"
	exit 2
	fi
	if [ -z "$2" ]; then
	echo >&2 "ERROR: Sever link not set"
	exit 2

	#!/bin/bash
	if [ $# -eq 0 ]
	then
	echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
	exit 1
	fi

	echo "Checking if there's SMB v3.11 in" $1 "..."

	nmap -p445 --script smb-protocols -Pn -n $1 \| grep -P '\d+\.\d+\.\d+\.\d+\|^\\|.\s+3.11' \| tr '\n' ' ' \| replace 'Nmap scan report for' '@' \| tr "@" "\n" \| grep 3.11 \| tr '\|' ' ' \| tr '_' ' ' \| grep -oP '\d+\.\d+\.\d+\.\d+'


	" _ _ "
	" _ /\|\| . . \|\|\ _ "
	" ( } \\|\|D ' ' ' C\|\|/ { % "
	" \| /\__,=_[_] ' . . ' [_]_=,__/\ \|"
	" \|_\_ \|----\| \|----\| _/_\|"
	" \| \|/ \| \| \| \| \\| \|"
	" \| /_ \| \| \| \| _\ \|"

	It is all fun and games until someone gets hacked!

	#!/bin/bash

	#####
	#
	# St8out - Extra one-liner for reconnaissance
	#
	# Usage: ./st8out.sh target.com
	#
	# Resources:
	# - https://github.com/j3ssie/metabigor