Juan Pablo Perata cxzero

@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active June 24, 2024 22:11
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all its subfolders:

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@DanielIntruder
DanielIntruder / turbointruder-cachepoisoning.py
Created October 20, 2021 18:59
A script to exploit cache poisoning using CL.CL request smuggling
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):
    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,  # if you increase this from 1, you may get false positives
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
@DanielIntruder
DanielIntruder / turbointruder-404.py
Created October 20, 2021 18:57
A Turbo Intruder script for confirming CL.CL request smuggling
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
def queueRequests(target, wordlists):
    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1,  # if you increase this from 1, you may get false positives
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
@A1vinSmith
A1vinSmith / Privilege Escalation.md
Last active June 1, 2024 11:46
Privilege Escalation: Systemctl (Misconfigured Permissions — sudo/SUID)
@AvasDream
AvasDream / oscp_prep.md
Last active July 1, 2024 17:21
Resource for OSCP like HTB Boxes with Ippsec Videos and Writeups.
@slok
slok / pprof.md
Last active July 1, 2024 11:41
Go pprof cheat sheet

Enable profiling

Default http server

import (
    _ "net/http/pprof"
    "net/http"
)
@teknogeek
teknogeek / universalUnpin.js
Last active July 2, 2024 20:36
Frida Universal™ SSL Unpinner
Java.perform(function() {
    console.log('\n[.] Cert Pinning Bypass');
    // Create a TrustManager that trusts everything
    console.log('[+] Creating a TrustyTrustManager that trusts everything...');
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var TrustyTrustManager = Java.registerClass({
        name: 'com.example.TrustyTrustManager',
        implements: [X509TrustManager],
        methods: {
@DarkCoderSc
DarkCoderSc / distccd_rce_CVE-2004-2687.py
Last active June 26, 2024 09:41
(CVE-2004-2687) DistCC Daemon - Command Execution (Python)
# -*- coding: utf-8 -*-
'''
distccd v1 RCE (CVE-2004-2687)
This exploit is ported from a public Metasploit exploit code :
https://www.exploit-db.com/exploits/9915
The goal of that script is to avoid using Metasploit and to do it manually. (OSCP style)
# create or add this to your ~/.tmux.conf
# set prefix
set -g prefix C-a
bind C-a send-prefix
unbind C-b
set -g history-limit 100000
set -g allow-rename off