Skip to content

Instantly share code, notes, and snippets.

thought bleeding

Brandon Perry brandonprry

thought bleeding
View GitHub Profile
View gist:1c7402b5fa9603fb124a956b3c7d9ebb
Turn on debugging.
Still install sshd. File transfer over adb push/pull is too slow.
#Disable Sound
$ adb shell input keyevent 164
$ adb shell svc power stayon true
$ adb tcpip 4321 #Enable adb over wifi.
View gist:664bdf9b9a5070b7b5fe29852e51cb02
tell application "System Events" to key code (random number from 0 to 44)
delay 8
end repeat
View gist:0d6ce3faabd8e6e58293cf54ef27c3f6
cred_collection =
user_file: datastore['USER_FILE'],
username: datastore['USERNAME'],
blank_passwords: true
View gist:c18b643a7a98eda64caa9e505630c84e
apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc
View gist:a8ee7a356393ab69115ebe25c7e1f685
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/ LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l -d
Skipping library:
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module:
Segmentation fault
View gist:89539d9c363d0aa12fce11794cc32fbe
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
kv[8] = 0;
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );
brandonprry / gist:1fec884bc1253e972e77
Last active Jan 15, 2016
Apache Jetspeed 2 Unauthenticated Reflected XSS
View gist:1fec884bc1253e972e77

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):

brandonprry /
Last active Mar 23, 2021
Parallelize afl-tmin to use multiple cores
total=`ls $inputdir | wc -l`
for k in `seq 1 $cores $total`
View gist:e66b18168bdb610942a3
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
ii acl 2.2.52-2 amd64 Access control list utilities
ii acpi 1.7-1 amd64 displays information on ACPI devices
ii acpi-support-base 0.142-6 all scripts for handling base ACPI events such as the power button
ii acpid 1:2.0.23-2 amd64 Advanced Configuration and Power Interface event daemon
ii adduser 3.113+nmu3 all add and remove users and groups
View gist:4525ded8fca350e98d46
# LD_PRELOAD=preeny/x86_64-linux-gnu/ strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x801000
access("/etc/", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd14ca18000
open("preeny/x86_64-linux-gnu/", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd14c5d0000