# Assemble the credential collection options first, then construct it.
# Usernames come from the USER_FILE and USERNAME datastore options; no
# password or password-file option is passed, and blank_passwords is enabled
# so that each username is paired with an empty password.
collection_opts = {
  user_file: datastore['USER_FILE'],
  username: datastore['USERNAME'],
  blank_passwords: true
}
cred_collection = ::Metasploit::Framework::CredentialCollection.new(**collection_opts)
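# Install Xvfb, bring up virtual display :1 and run xcalc against it.
# Xvfb stays in the foreground for as long as the X server runs, so chaining
# it with a plain && would hold back the export and xcalc until it exits.
# Starting it in the background lets the rest of the line proceed.
apt-get install xvfb && { Xvfb :1 -screen 0 640x480x8 & } && export DISPLAY=:1.0 ; xcalc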
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
/* Copy every second byte of b into kv (source indices 0, 2, 4, ...),
 * stopping at classname_len or 9 characters, whichever comes first.
 * NOTE(review): presumably b holds 2-byte characters and this keeps one
 * byte of each -- confirm. The loop can write kv[8], so kv needs at least
 * 9 bytes, and it can read b up to index 16; neither size is visible here. */
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
/* Terminate the string after at most 8 characters. If classname_len is
 * below 8, the bytes between the copied prefix and kv[8] are not written
 * here; unless kv was initialised earlier, sscanf may parse stale data. */
kv[8] = 0;
/* Parse kv as hexadecimal and store the result at key[i*4].
 * NOTE(review): the return value of sscanf is ignored, so input that does
 * not start with a hex digit leaves this part of key unchanged. The cast
 * also assumes &key[i*4] is suitably aligned for unsigned int and that the
 * slot is sizeof(unsigned int) bytes wide -- confirm. */
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited: I could not use < or > in the URL, because Jetspeed would return a 400 Bad Request HTTP response.

I could, however, break out of an attribute that was storing the URL by using a double quote ("), which let me control the attributes of an arbitrary element. A specially crafted URL could define a style attribute that made that HTML element take up the entire page, and an onmouseover attribute could then execute arbitrary JavaScript. Rejecting < and > was therefore not enough on its own: the reflected URL also needed to be encoded for the attribute context, including the double quote. I ended up with a generic URL that looked like this (URL encoded):


http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

View afl-ptmin.sh
#!/bin/bash
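# Positional arguments, in order: cores, input directory, output directory.
cores=$1
inputdir=$2
outputdir=$3
# Starts empty; nothing in the visible part of the script appends to it.
pids=""
# Count the entries in the input directory. The path is quoted (and preceded
# by --) so a directory name containing spaces, glob characters or a leading
# dash reaches ls as a single operand instead of being split or read as an
# option.
total=$(ls -- "$inputdir" | wc -l)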
for k in `seq 1 $cores $total`
do
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-===========================-============-===============================================================================
ii acl 2.2.52-2 amd64 Access control list utilities
ii acpi 1.7-1 amd64 displays information on ACPI devices
ii acpi-support-base 0.142-6 all scripts for handling base ACPI events such as the power button
ii acpid 1:2.0.23-2 amd64 Advanced Configuration and Power Interface event daemon
ii adduser 3.113+nmu3 all add and remove users and groups
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x801000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd14ca18000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd14c5d0000
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x1ce9000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f75d449e000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f75d4050000
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <microhttpd.h>
/* Port number constant. Presumably the TCP port the libmicrohttpd daemon
 * listens on -- confirm against the code that starts the daemon. */
#define PORT 8081
/* File-scope flag, initially 0.
 * NOTE(review): it is a plain int; if it is set from a signal handler or a
 * different thread than the one that reads it, it should be
 * volatile sig_atomic_t or otherwise synchronised -- confirm against the
 * rest of the file. */
int done = 0;