Brandon Perry brandonprry
brandonprry / afl-ptmin.sh
Last active May 6, 2018
Parallelize afl-tmin to use multiple cores
#!/bin/bash
cores=$1
inputdir=$2
outputdir=$3
pids=""
total=`ls $inputdir | wc -l`
for k in `seq 1 $cores $total`
do
brandonprry / gist:5726268
Last active Mar 3, 2018
Dirty C# decompiler
using System;
using ICSharpCode.Decompiler.Ast;
using System.IO;
using Mono.Cecil;
using ICSharpCode.Decompiler;
using System.Collections.Generic;
namespace Decompiler {
class MainClass {
public static void Main (string[] args) {
View gist:0d6ce3faabd8e6e58293cf54ef27c3f6
cred_collection = ::Metasploit::Framework::CredentialCollection.new(
user_file: datastore['USER_FILE'],
username: datastore['USERNAME'],
blank_passwords: true
)
View gist:c18b643a7a98eda64caa9e505630c84e
apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc
brandonprry / mediawiki_djvu_thumb_exec.rb
Last active Dec 28, 2016
Quick mediawiki thumb.php exploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
View gist:a8ee7a356393ab69115ebe25c7e1f685
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
View gist:36b4b8df1cde279a9305
Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with
remote code execution. An attacker needs to be authenticated, but not as an administrator.
However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that
any authenticated user can change any other user’s password, including the admin. One SQL
injection, which a Metasploit module was provided for, requires this privilege escalation to reach
since it exists in the new user mechanism only available to admins.
View gist:89539d9c363d0aa12fce11794cc32fbe
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
kv[8] = 0;
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );
brandonprry / gist:1fec884bc1253e972e77
Last active Jan 15, 2016
Apache Jetspeed 2 Unauthenticated Reflected XSS

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):


http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

brandonprry / gist:7885229
Created Dec 10, 2013
to_sym vs :"#{string}"
branperry-mbk:~ brandon.perry$ ruby syntax
2.725053
branperry-mbk:~ brandon.perry$ ruby to_sym
2.451621
branperry-mbk:~ brandon.perry$ ruby syntax
2.768495
branperry-mbk:~ brandon.perry$ ruby to_sym
2.47925
branperry-mbk:~ brandon.perry$ cat to_sym
x = Time.now