Skip to content

Instantly share code, notes, and snippets.


Frycos Frycos

  • Germany
View GitHub Profile
#!/usr/bin/env python3
Author: @frycos
Authenticated Remote Command Execution in all CrushFTP versions
User account has to be admin or needs job creation permissions
Should give you a root reverse shell in most cases
Vendor website:


Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

/* ysoserial URLDNS gadget
* but this time with equals() trampoline
* hashcode is not set to -1
* author: @frycos
static void buildDNSGadget(String url) throws Exception {
URLStreamHandler handler = new SilentURLStreamHandler();
URL u = new URL(null, url, handler);
* author: @frycos
* heavily inspired by ysoserial FileUpload gadget
* Don't forget needed imports:
* import org.apache.catalina.connector.Request,
* import org.apache.catalina.fileupload.Multipart,
* and e.g. import org.glassfish.grizzly.servlet.WebappContext
* only applicable for non-default classpaths (but seen "in the wild") including Glassfish's web-core.jar
View CheckTypedDeserialization.cs
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;
namespace CheckTypedDeser