Jonathan Leitschuh JLLeitschuh

```ql
import tutorial

// Narrow down the suspect from the tutorial's Person table; each conjunct
// is one clue. The gist preview cuts the query off after the last "and".
from Person t
where t.getHeight() > 150 and
t.getHairColor() != "blond" and
// the hair colour must be known, i.e. some string value exists for it
exists (string c | t.getHairColor() = c) and
t.getAge() >= 30 and
t.getLocation() = "east" and
(t.getHairColor() = "black" or t.getHairColor() = "brown") and
not (t.getHeight() > 180 and t.getHeight() < 190) and
```
JLLeitschuh / CVE-2019-10779_GCHQ_Stroom_POC.md
Last active January 21, 2020 17:11
POC for CVE-2019-10779

GCHQ Stroom is vulnerable to Cross-Site Scripting: the Stroom dashboard can be loaded by a page on another site (in an iframe or a window it opened), and the dashboard's window event handling does not sufficiently check the origin of incoming events, so messages sent from that other origin are trusted.

Versions

  • Affected versions: 5.x before 5.5.12 and 6.x before 6.0.25
  • Patched versions: 5.5.12 and 6.0.25

POC

Launch Stroom and assign it a hostname like stroom.my-company.com, then log in.
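The following is an added illustration, not code from this gist or from Stroom, of the handler-side defect the advisory names: a window `message` handler that acts on event data without checking `event.origin`, shown beside a hardened handler. The trusted origin `https://stroom.my-company.com`, the message types and the `render` sink are assumptions for the example.

```javascript
// Added example (not Stroom's code). Origins this hypothetical dashboard
// should accept messages from (assumption for the example).
const TRUSTED_ORIGINS = new Set(['https://stroom.my-company.com']);

// Vulnerable pattern: dispatch on message data without checking where it
// came from. Any page that holds a reference to this window (because it
// framed the dashboard or opened it with window.open) can post to it.
function handleMessageVulnerable(event, render) {
  const msg = JSON.parse(event.data);
  if (msg.type === 'showHtml') render(msg.html); // attacker-controlled HTML sink
  return true;
}

// Hardened pattern: drop messages whose origin is not on the allow list,
// and only ever pass the attacker-reachable value to a text sink.
function handleMessageHardened(event, render) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const msg = JSON.parse(event.data);
  if (msg.type === 'showText') render(String(msg.text));
  return true;
}

// Constructed stand-in for the MessageEvent a page on another origin delivers.
function attackerMessage() {
  return {
    origin: 'https://evil.example',
    data: JSON.stringify({
      type: 'showHtml',
      html: '<img src=x onerror=alert(document.domain)>',
    }),
  };
}

// Runs both handlers against the same hostile message and reports what
// each accepted and what reached the sink.
function demoMessageHandlers() {
  const rendered = [];
  const sink = (s) => rendered.push(s);
  const vulnAccepted = handleMessageVulnerable(attackerMessage(), sink);
  const hardenedAccepted = handleMessageHardened(attackerMessage(), sink);
  return { vulnAccepted, hardenedAccepted, rendered };
}
```

The other half of the advisory, loading the dashboard on another site, is what gives the attacker a window reference to post to; `X-Frame-Options: DENY` or a `Content-Security-Policy: frame-ancestors` directive removes the iframe route, while the `event.origin` check above protects the handler even when the page is framed.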

Safer-Eval Sandbox Escape POC

safer-eval is a Node.js library that supposedly provides a 'safe' way to 'eval' untrusted JavaScript.

As the maintainer warns in the README:

Warning: The saferEval function may be harmful - so you are warned!

However, it is still used by various libraries to parse/execute untrusted code in such a way that there is an implied

JLLeitschuh / CVE-2019-19389-Ktor-CWE-113.md
Last active October 23, 2020 08:29
POC For: CVE-2019-19389
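CWE-113 is HTTP response splitting: CR/LF sequences in a header value that end the current header line and start new ones. As an added, generic example (not Ktor's code and not the POC from this gist), the block below builds a raw response head with and without rejecting CR/LF; the `Location` value carrying a `Set-Cookie` line is a constructed attacker input.

```javascript
// Added example (generic CWE-113 demonstration, not Ktor's code).
const CRLF = '\r\n';

// Vulnerable: header values are concatenated into the response head unchecked.
function buildHeadVulnerable(status, headers) {
  let head = `HTTP/1.1 ${status}${CRLF}`;
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}${CRLF}`;
  }
  return head + CRLF; // blank line terminates the header section
}

// Hardened: reject any name or value containing CR or LF (they are not
// allowed inside a field line), so a value can neither terminate the
// current header nor inject new ones.
function assertSafeHeader(name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
    throw new Error(`CR/LF in header ${name}`);
  }
}

function buildHeadHardened(status, headers) {
  for (const [name, value] of Object.entries(headers)) assertSafeHeader(name, value);
  return buildHeadVulnerable(status, headers);
}

// Constructed attacker input: a redirect target that smuggles in a cookie.
// When it arrives URL-encoded (%0d%0a) it has already been decoded by the
// time a framework hands it to application code.
const INJECTED = 'https://example.org/' + CRLF + 'Set-Cookie: session=attacker' + CRLF;

// Shows the injected header appearing as its own line in the vulnerable
// build, and the hardened build refusing the same input.
function demoResponseSplitting() {
  const head = buildHeadVulnerable('302 Found', { Location: INJECTED });
  const lines = head.split(CRLF);
  let hardenedThrows = false;
  try {
    buildHeadHardened('302 Found', { Location: INJECTED });
  } catch (e) {
    hardenedThrows = true;
  }
  return {
    injectedHeaderPresent: lines.includes('Set-Cookie: session=attacker'),
    hardenedThrows,
  };
}
```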
JLLeitschuh / How To Use GitHub Security Advisories.md
Last active July 14, 2020 16:55
An explanation of how to work with GitHub security advisories.

GitHub Security Advisories

If this is your first time using GitHub Security Advisories, please allow me to guide you through how they work.

Advisories are Private

As of September 17th, 2019, when an advisory is published the discussion inside it is not made public. Any information you want the public to see must be included in the advisory body.

Updating an Advisory

Artifact Server Announcements

This document collects links to the announcements from the artifact server hosts that have stated they will formally deprecate downloading dependencies over HTTP and support only HTTPS starting in January 2020.

mitm_build

Want to take over the Java ecosystem? All you need is a MITM!

Maven Sonatype
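The reason HTTP repositories matter is that a network attacker who can intercept a plaintext download can substitute the artifact. As an added example (not from this gist), the block below scans build-file text for repositories still declared over `http://`; the Gradle and POM fragments are constructed samples, and `upgradeToHttps` assumes the host serves the same path over HTTPS.

```javascript
// Added example (not from the gist): flag dependency repositories declared
// over plain HTTP, the configuration a MITM on the build's network can abuse.

// Constructed build.gradle fragment with one insecure and one secure repository.
const SAMPLE_BUILD_GRADLE = `
repositories {
    maven { url "http://repo.example.com/maven2" }
    maven { url "https://repo1.maven.org/maven2" }
    mavenCentral()
}
`;

// Constructed pom.xml fragment with an insecure repository.
const SAMPLE_POM = `
<repositories>
  <repository>
    <id>insecure</id>
    <url>http://repo.example.com/maven2</url>
  </repository>
</repositories>
`;

// Returns every http:// URL found in the text with its 1-based line number.
// The character class stops at quotes and angle brackets so Groovy/Kotlin
// string literals and XML elements are both handled.
function findHttpRepositories(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    const matches = line.match(/\bhttp:\/\/[^\s"'<>]+/g);
    if (matches) for (const url of matches) hits.push({ line: i + 1, url });
  });
  return hits;
}

// Rewrites http:// to https:// (assumption: every host involved serves the
// same repository path over HTTPS, as the announced hosts do).
function upgradeToHttps(text) {
  return text.replace(/\bhttp:\/\//g, 'https://');
}
```

Run `findHttpRepositories` over every `build.gradle`, `settings.gradle`, `pom.xml` and `~/.m2/settings.xml` in a repository; a non-empty result is a build that will break in January 2020 and, until then, is trivially interceptable.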

JLLeitschuh / CVE-2019-15848.md
Last active December 29, 2019 01:30
Full POC for CVE-2019-15848

CVE-2019-15848: TeamCity XSS to Remote Code Execution

This POC demonstrates taking advantage of an XSS vulnerability in TeamCity to achieve Remote Code Execution on a build agent, provided the victim has permission to add steps to a CI job.

POC

The POC can be simplified to the following URL:

https://[domain.com]/project.html?projectId=[target_project_id]&tab=problems%27%7D)%3B%7D)()%3B[JS_PAYLOAD]
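As an added example (not TeamCity's code), the hypothetical template below shows the kind of inline script into which the `tab` parameter from the URL above is spliced: the decoded prefix `'});})();` closes a string literal, an object literal, a call, a function body and an immediately-invoked function expression, after which the payload runs as top-level script. The `selectTab` template and the `alert(document.domain)//` payload are assumptions; only the encoded prefix is taken from the URL.

```javascript
// Added example (not TeamCity's code). The tab parameter exactly as it
// appears in the POC URL, followed by a hypothetical payload.
const TAB_PARAM = 'problems%27%7D)%3B%7D)()%3B' + 'alert(document.domain)//';

// URL-decodes the parameter the way the server sees it.
function decodeTab(param) {
  return decodeURIComponent(param);
}

// Hypothetical page template that splices the parameter into a string
// literal inside an immediately-invoked function. The decoded prefix
// closes the literal, the object, the call and the function, then the
// payload executes; the trailing "//" hides the template's remainder.
function renderInlineScriptVulnerable(tab) {
  return `<script>(function(){selectTab({tab: '${tab}'});})();</script>`;
}

// Safe alternative: serialise the value as a JSON literal (quotes and
// backslashes escaped) and escape "<" so the value can never close the
// surrounding <script> element either.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

function renderInlineScriptSafe(tab) {
  return `<script>(function(){selectTab({tab: ${jsLiteral(tab)}});})();</script>`;
}
```

In the vulnerable rendering the browser parses `selectTab({tab: 'problems'});})();alert(document.domain)//...` and runs the payload in the TeamCity origin; in the safe rendering the whole parameter stays a single string argument.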
```sh
# To prevent the vulnerable local web server from running on your machine
# (this does not impact Zoom functionality), run these two lines in your Terminal.
# Each line kills the opener process, removes its directory, and replaces it
# with an empty, unwritable file so the client cannot recreate it.
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;
# (You may need to run these lines for each user on your machine.)

# To keep your video off when joining a meeting:
# For just your local account
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
```