Skip to content

Instantly share code, notes, and snippets.

☠️
thought bleeding

Brandon Perry brandonprry

☠️
thought bleeding
Block or report user

Report or block brandonprry

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View gist:0d6ce3faabd8e6e58293cf54ef27c3f6
cred_collection = ::Metasploit::Framework::CredentialCollection.new(
user_file: datastore['USER_FILE'],
username: datastore['USERNAME'],
blank_passwords: true
)
View gist:c18b643a7a98eda64caa9e505630c84e
apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc
View gist:a8ee7a356393ab69115ebe25c7e1f685
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
View gist:89539d9c363d0aa12fce11794cc32fbe
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
kv[8] = 0;
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );
@brandonprry
brandonprry / gist:1fec884bc1253e972e77
Last active Jan 15, 2016
Apache Jetspeed 2 Unauthenticated Reflected XSS
View gist:1fec884bc1253e972e77

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):


http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

@brandonprry
brandonprry / afl-ptmin.sh
Last active May 6, 2018
Parallelize afl-tmin to use multiple cores
View afl-ptmin.sh
#!/bin/bash
cores=$1
inputdir=$2
outputdir=$3
pids=""
total=`ls $inputdir | wc -l`
for k in `seq 1 $cores $total`
do
View gist:e66b18168bdb610942a3
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-===========================-============-===============================================================================
ii acl 2.2.52-2 amd64 Access control list utilities
ii acpi 1.7-1 amd64 displays information on ACPI devices
ii acpi-support-base 0.142-6 all scripts for handling base ACPI events such as the power button
ii acpid 1:2.0.23-2 amd64 Advanced Configuration and Power Interface event daemon
ii adduser 3.113+nmu3 all add and remove users and groups
View gist:4525ded8fca350e98d46
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x801000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd14ca18000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd14c5d0000
View gist:ef1f5ecf7f7d0cc8da03
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x1ce9000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f75d449e000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f75d4050000
View gist:028e924b6a3fe86d18ea
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <microhttpd.h>
#define PORT 8081
int done = 0;
You can’t perform that action at this time.