Brandon Perry brandonprry

brandonprry / mediawiki_djvu_thumb_exec.rb
Last active December 28, 2016 11:46
Quick mediawiki thumb.php exploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can lead to
remote code execution. An attacker needs to be authenticated, but not as an administrator.
That is not much of a barrier, since there is also a privilege escalation vulnerability:
any authenticated user can change any other user's password, including the admin's. One SQL
injection, for which a Metasploit module was provided, requires this privilege escalation to reach,
since it exists in the new-user mechanism that is only available to admins.
for (j = 0; j < n->classname_len && j < 9; j++)
    kv[j] = b[j*2];
kv[8] = 0;
sscanf(kv, "%x", (unsigned int *)(&key[i*4]));
brandonprry / gist:1fec884bc1253e972e77
Last active January 15, 2016 20:59
Apache Jetspeed 2 Unauthenticated Reflected XSS

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random JavaScript. I ended up with a generic URL that looked like this (URL encoded):

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

brandonprry / gist:7885229
Created December 10, 2013 03:14
to_sym vs :"#{string}"
branperry-mbk:~ brandon.perry$ ruby syntax
2.725053
branperry-mbk:~ brandon.perry$ ruby to_sym
2.451621
branperry-mbk:~ brandon.perry$ ruby syntax
2.768495
branperry-mbk:~ brandon.perry$ ruby to_sym
2.47925
branperry-mbk:~ brandon.perry$ cat to_sym
x = Time.now
bperry@w00den-pickle:~/Projects/metasploit-framework$ ./msfconsole -q
msf > use auxiliary/admin/http/openbravo_xxe
msf auxiliary(openbravo_xxe) > set RHOST 192.168.1.8
RHOST => 192.168.1.8
msf auxiliary(openbravo_xxe) > show options
Module options (auxiliary/admin/http/openbravo_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
using System;

namespace floor
{
    class MainClass
    {
        public static void Main (string[] args)
        {
            Random r = new Random ();
using System;
using metasploitsharp;
using System.Collections.Generic;

namespace ModuleExecuteExample
{
    class MainClass
    {
        public static void Main (string[] args)
        {