Skip to content

Instantly share code, notes, and snippets.

Avatar
☠️
thought bleeding

Brandon Perry brandonprry

☠️
thought bleeding
390 followers · 0 following
View GitHub Profile
@brandonprry
brandonprry / gist:1c7402b5fa9603fb124a956b3c7d9ebb
Last active August 12, 2022 13:23
View gist:1c7402b5fa9603fb124a956b3c7d9ebb
Turn on debugging.
Still install sshd. File transfer over adb push/pull is too slow.
#Disable Sound
$ adb shell input keyevent 164
$ adb shell svc power stayon true
$ adb tcpip 4321 #Enable adb over wifi.
@brandonprry
brandonprry / gist:664bdf9b9a5070b7b5fe29852e51cb02
Created August 20, 2020 13:35
View gist:664bdf9b9a5070b7b5fe29852e51cb02
repeat
tell application "System Events" to key code (random number from 0 to 44)
delay 8
end repeat
@brandonprry
brandonprry / gist:0d6ce3faabd8e6e58293cf54ef27c3f6
Created April 26, 2017 20:16
View gist:0d6ce3faabd8e6e58293cf54ef27c3f6
cred_collection = ::Metasploit::Framework::CredentialCollection.new(
user_file: datastore['USER_FILE'],
username: datastore['USERNAME'],
blank_passwords: true
)
@brandonprry
brandonprry / gist:c18b643a7a98eda64caa9e505630c84e
Created January 6, 2017 23:31
View gist:c18b643a7a98eda64caa9e505630c84e
apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc
@brandonprry
brandonprry / gist:a8ee7a356393ab69115ebe25c7e1f685
Created July 21, 2016 01:20
View gist:a8ee7a356393ab69115ebe25c7e1f685
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
@brandonprry
brandonprry / gist:89539d9c363d0aa12fce11794cc32fbe
Created April 13, 2016 02:20
View gist:89539d9c363d0aa12fce11794cc32fbe
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
kv[8] = 0;
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );
@brandonprry
brandonprry / gist:1fec884bc1253e972e77
Last active January 15, 2016 20:59
Apache Jetspeed 2 Unauthenticated Reflected XSS
View gist:1fec884bc1253e972e77

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

@brandonprry
brandonprry / afl-ptmin.sh
Last active March 15, 2023 11:44
Parallelize afl-tmin to use multiple cores
View afl-ptmin.sh
#!/bin/bash
cores=$1
inputdir=$2
outputdir=$3
pids=""
total=`ls $inputdir | wc -l`
for k in `seq 1 $cores $total`
do
@brandonprry
brandonprry / gist:e66b18168bdb610942a3
Created September 20, 2015 17:13
View gist:e66b18168bdb610942a3
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-===========================-============-===============================================================================
ii acl 2.2.52-2 amd64 Access control list utilities
ii acpi 1.7-1 amd64 displays information on ACPI devices
ii acpi-support-base 0.142-6 all scripts for handling base ACPI events such as the power button
ii acpid 1:2.0.23-2 amd64 Advanced Configuration and Power Interface event daemon
ii adduser 3.113+nmu3 all add and remove users and groups
@brandonprry
brandonprry / gist:4525ded8fca350e98d46
Created September 11, 2015 01:22
Uninstrumented strace
View gist:4525ded8fca350e98d46
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x801000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd14ca18000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd14c5d0000