DiabloHorn DiabloHorn

## poc_client.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    POC client on 'infected' machines to receive injected packets
    intended to bypass IP whitelisting
"""
import sys
import time
import socket
from threading import Thread

## xprotect-brute-js.user.js
// ==UserScript==
// @name        xprotect-brute-js
// @namespace   ns-xprotect-brute-js
// @description Brute force Milestone XProtect Web Client
// @include     http://localhost:8081/index.html
// @version     1
// @grant       none
// ==/UserScript==
//DiabloHorn - https://diablohorn.com
var foundcreds = 0;

## Makefile.target
# -*- Mode: makefile -*-

BUILD_DIR?=$(CURDIR)/..

include ../config-host.mak
include config-target.mak
include config-devices.mak
include $(SRC_PATH)/rules.mak

$(call set-vpath, $(SRC_PATH):$(BUILD_DIR))

## file_processor.py
#!/usr/bin/env python
#DiabloHorn - https://diablohorn.com
import sys
import os
import csv
import argparse
import shutil

try:
    import magic

## ChangePassword.java
import java.util.*;
import java.io.*;
import java.security.*;

public class ChangePassword
{
  private final static JKS j = new JKS();

  public static void main(String[] args) throws Exception
  {

## whitelist_finder.py
#!/usr/bin/env python
#DiabloHorn - https://diablohorn.com
#Find whitelisted IP addresses on a network & application level
import sys
import logging
import threading
import argparse

from scapy.all import *

## gdb-session.fish
❯ gcc -g minimal.c -o minimal

❯ sudo gdb minimal
Password:

(gdb) break main
Breakpoint 1 at 0x100000f90: file minimal.c, line 3.
(gdb) run
Starting program: /private/tmp/c-repl/minimal

## ManualPayloadGenerate.java
/*
    DiabloHorn - https://diablohorn.com
    For learning purposes we build the groovy payload ourselves instead of using
    ysoserial. This helps us better understand the chain and the mechanisms
    involved in exploiting this bug.

    compile with:
        javac -cp <path to groovy lib> ManualPayloadGenerate.java
    Example:
        javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java

## deserlab_exploit.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    References
        https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
        https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
        https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
        http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
        https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
        https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

## pe-aware-split.py
#!/usr/bin/env python
# DiabloHorn https://diablohorn.com
# blank out bytes taking into account the PE file format
# input file: base64 malware.exe | rev > enc.txt
import sys
import os
#pip install pefile
import pefile
import argparse
import logging
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	POC client on 'infected' machines to receive injected packets
	intended to bypass IP whitelisting
	"""
	import sys
	import time
	import socket
	from threading import Thread
	// ==UserScript==
	// @name xprotect-brute-js
	// @namespace ns-xprotect-brute-js
	// @description Brute force Milestone XProtect Web Client
	// @include http://localhost:8081/index.html
	// @version 1
	// @grant none
	// ==/UserScript==
	//DiabloHorn - https://diablohorn.com
	var foundcreds = 0;
	# -- Mode: makefile --

	BUILD_DIR?=$(CURDIR)/..

	include ../config-host.mak
	include config-target.mak
	include config-devices.mak
	include $(SRC_PATH)/rules.mak

	$(call set-vpath, $(SRC_PATH):$(BUILD_DIR))
	#!/usr/bin/env python
	#DiabloHorn - https://diablohorn.com
	import sys
	import os
	import csv
	import argparse
	import shutil

	try:
	import magic
	import java.util.*;
	import java.io.*;
	import java.security.*;

	public class ChangePassword
	{
	private final static JKS j = new JKS();

	public static void main(String[] args) throws Exception
	{
	#!/usr/bin/env python
	#DiabloHorn - https://diablohorn.com
	#Find whitelisted IP addresses on a network & application level
	import sys
	import logging
	import threading
	import argparse

	from scapy.all import *
	❯ gcc -g minimal.c -o minimal

	❯ sudo gdb minimal
	Password:

	(gdb) break main
	Breakpoint 1 at 0x100000f90: file minimal.c, line 3.
	(gdb) run
	Starting program: /private/tmp/c-repl/minimal
	/*
	DiabloHorn - https://diablohorn.com
	For learning purposes we build the groovy payload ourselves instead of using
	ysoserial. This helps us better understand the chain and the mechanisms
	involved in exploiting this bug.

	compile with:
	javac -cp <path to groovy lib> ManualPayloadGenerate.java
	Example:
	javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	References
	https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
	https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
	https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
	http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
	https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
	https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
	#!/usr/bin/env python
	# DiabloHorn https://diablohorn.com
	# blank out bytes taking into account the PE file format
	# input file: base64 malware.exe \| rev > enc.txt
	import sys
	import os
	#pip install pefile
	import pefile
	import argparse
	import logging