Skip to content

Instantly share code, notes, and snippets.

View DiabloHorn's full-sized avatar

DiabloHorn DiabloHorn

168 followers · 0 following
View GitHub Profile
@DiabloHorn
DiabloHorn / ipless-scan.py
Created October 26, 2017 21:41
Perform a port scan without having an IP configured on your network interface
#!/usr/bin/env python
# DiabloHorn - https://diablohorn.com
# scan target IP from an interface with no IP configured
# POC - scapy
# pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S')
# sendp(pkt,iface='eth0')
import sys
from scapy.all import *
@DiabloHorn
DiabloHorn / ManualPayloadGenerate.java
Created September 9, 2017 18:46
Java class to generate a Groovy serialized payload
/*
DiabloHorn - https://diablohorn.com
For learning purposes we build the groovy payload ourselves instead of using
ysoserial. This helps us better understand the chain and the mechanisms
involved in exploiting this bug.
compile with:
javac -cp <path to groovy lib> ManualPayloadGenerate.java
Example:
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
@DiabloHorn
DiabloHorn / deserlab_exploit.py
Created September 9, 2017 18:37
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
References
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
@DiabloHorn
DiabloHorn / xprotect-brute-js.user.js
Created August 14, 2017 23:37
// ==UserScript==
// @name xprotect-brute-js
// @namespace ns-xprotect-brute-js
// @description Brute force Milestone XProtect Web Client
// @include http://localhost:8081/index.html
// @version 1
// @grant none
// ==/UserScript==
//DiabloHorn - https://diablohorn.com
var foundcreds = 0;
@DiabloHorn
DiabloHorn / xprotect-brute.py
Created August 13, 2017 18:26
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
Brute force the Milestone XProtect Web Client interface
python xprotect-brute.py http://127.0.0.1:8081/XProtectMobile/Communication --userlist u.txt --pwdlist p.txt --httpproxy http://127.0.0.1:9090
"""
import sys
import base64
import argparse
@DiabloHorn
DiabloHorn / poc_server.py
Created April 9, 2017 21:09
Server part of IP whitelist bypass POC
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
POC server to inject packets towards 'infected' machine
intended to bypass IP whitelisting
"""
import time
import socket
from scapy.all import *
@DiabloHorn
DiabloHorn / poc_client.py
Created April 9, 2017 21:09
Client part of IP whitelist bypass POC
#!/usr/bin/env python
"""
DiabloHorn - https://diablohorn.com
POC client on 'infected' machines to receive injected packets
intended to bypass IP whitelisting
"""
import sys
import time
import socket
from threading import Thread
@DiabloHorn
DiabloHorn / pyrawcap.py
Created March 9, 2017 23:24
Python sniffer using only raw sockets
#!/usr/bin/env python
#DiabloHorn https://diablohorn.com
#raw python pcap creater
#based on
# http://askldjd.com/2014/01/15/a-reasonably-fast-python-ip-sniffer/
#additional references
# http://www.kanadas.com/program-e/2014/08/raw_socket_communication_on_li.html
import sys
import time