Felipe Molina (felmoltor)
🍊 Is this real life?
felmoltor / colorcsv.py
Created November 3, 2021 18:50
Colorize CSV from pipes or files
#!/usr/bin/python3
import csv
import random
import colorama
import sys,os
import tempfile
colors=list(vars(colorama.Fore).values())

# Author: Felipe Molina de la Torre (@felmoltor)
# If not already defined, define in your suricata.yaml the address-group variable $DNS_SERVERS pointing to your Windows DNS servers,
# e.g. DNS_SERVERS: "[10.20.30.1,10.20.30.2,10.20.30.3]"
# DNS header layout: bytes 0-1 = transaction ID, byte 2 = QR|Opcode(4)|AA|TC|RD, byte 3 = RA|Z(3)|RCODE(4).
# A DNS answer with the TC flag set has byte 2 = 1000 0010 = 0x82 = 130 (QR=1, TC=1).
# The byte_test reads ONE byte at offset 2 and bitwise-ANDs it with 0x02 (the TC bit); the "&" operator succeeds
# when the masked value is non-zero. Reading 2 bytes would test the whole 16-bit flags word, where 0x82 lands on
# RA/RCODE instead of QR/TC, and masking with 0x82 would match every answer anyway because QR is always set in a
# response, so only the TC bit is masked here.
# The |00 00 18 00 01| content means: end of the domain name (0x00) followed by a SIG (type 0x0018) IN (class 0x0001)
# record, within the first 120 bytes of the DNS payload.
# This rule only sets the xbit (noalert); a companion rule that checks the tc_requested xbit is needed to actually alert.
alert dns $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"Windows DNS SigRed Exploit (TC header)"; flow:established,to_client; classtype:denial-of-service; byte_test:1,&,0x02,2; content:"|00 00 18 00 01|"; within:120; xbits:set,tc_requested,track ip_pair; noalert; reference:cve,2020-1350; sid:666661; rev:2;)
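The match logic of the rule above, reimplemented in Python over constructed DNS payloads so it can be checked offline. This is an added example and not part of the gist: `build_answer`, `byte_test_and` and `matches_sigred_tc_rule` are names chosen here, the packets are constructed for the example, and `byte_test_and` mirrors the documented Suricata semantics of `byte_test` with the `&` operator (big-endian value at the offset, success when value AND mask is non-zero) so the 1-byte versus 2-byte width difference can be seen directly.

```python
import struct

# Bits of DNS header byte 2 (QR | Opcode(4) | AA | TC | RD) and the record types used below.
QR, TC = 0x80, 0x02
TYPE_A, TYPE_SIG, CLASS_IN = 1, 24, 1          # SIG = 0x0018, IN = 0x0001
SIG_IN_PATTERN = b"\x00\x00\x18\x00\x01"       # content:"|00 00 18 00 01|" in the rule


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending with a 0x00 terminator."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_answer(name: str, rtype: int, truncated: bool, rdata: bytes = b"") -> bytes:
    """Constructed UDP DNS response (payload only): header, one question, one answer RR."""
    flags1 = QR | (TC if truncated else 0)
    flags2 = 0x80                                       # RA set, as most resolvers do
    header = struct.pack("!HBBHHHH", 0x1337, flags1, flags2, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", rtype, CLASS_IN)
    answer = encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def byte_test_and(payload: bytes, nbytes: int, mask: int, offset: int) -> bool:
    """Suricata byte_test:<nbytes>,&,<mask>,<offset>: read nbytes big-endian at offset and
    succeed if (value & mask) is non-zero. Width matters: 2 bytes at offset 2 is the whole
    flags word, so a mask of 0x82 then lands on RA/RCODE instead of QR/TC."""
    if len(payload) < offset + nbytes:
        return False
    value = int.from_bytes(payload[offset:offset + nbytes], "big")
    return (value & mask) != 0


def matches_sigred_tc_rule(payload: bytes) -> bool:
    """Match logic of the rule: TC bit set in byte 2, and a SIG/IN marker (name terminator +
    type 0x0018 + class 0x0001) within the first 120 bytes. The marker also matches the echoed
    question section, which is exactly the SIG query a SigRed trigger starts with."""
    return byte_test_and(payload, 1, TC, 2) and SIG_IN_PATTERN in payload[:120]


if __name__ == "__main__":
    normal = build_answer("www.example", TYPE_A, truncated=False, rdata=bytes([10, 0, 0, 1]))
    trunc_a = build_answer("www.example", TYPE_A, truncated=True, rdata=bytes([10, 0, 0, 1]))
    trunc_sig = build_answer("evil.example", TYPE_SIG, truncated=True)
    for label, pkt in [("normal A", normal), ("truncated A", trunc_a), ("truncated SIG", trunc_sig)]:
        print(f"{label:14s} rule match={matches_sigred_tc_rule(pkt)}  "
              f"2-byte 0x82 test={byte_test_and(pkt, 2, 0x82, 2)}")
```

Only the truncated SIG response matches; a normal A answer does not, and neither does a truncated A answer. The 2-byte test with mask 0x82 is true even for the normal answer because the RA bit (0x0080 in the flags word) is set, which is why the rule masks a single byte.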
felmoltor / ColoredMessages.ps1
Created August 3, 2017 18:07
Powershell - Parse-MBSA
# Author: Felipe Molina (@felmoltor)
# Date: 2017/08
# Summary: These functions are used to print colored messages on PowerShell.
# Prints "[ OK ] <msg>" with the status word in green.
Function Print-Ok {
param(
[Parameter(Mandatory=$true,Position=0)][string]$msg
)
Write-Host -NoNewline "[ "
Write-Host -NoNewline -ForegroundColor Green "OK"
Write-Host -NoNewline " ] "
Write-Host $msg
}
felmoltor / level01
Last active May 30, 2022 18:20
Nebula Exploit Exercises
Problem
-------
https://exploit-exercises.com/nebula/level01/
Solution
--------
The level01 binary shows a message to the user by calling "/usr/bin/env echo".
Because /usr/bin/env resolves the requested program through the PATH variable, we can put our own "echo" first in PATH; the binary then runs our program instead of the real echo, which gives us a shell.
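A simulation of the PATH trick described above, as an added example that is not part of the gist. It assumes a POSIX system with /bin/sh, /usr/bin/env and /bin/echo; the two constructed victim scripts stand in for the level01 binary (one calling `/usr/bin/env echo`, one calling `/bin/echo` by absolute path), and the fake `echo` only drops a marker file instead of spawning a shell so the outcome can be checked. `run_path_hijack` and `write_script` are names chosen for this example.

```python
import os
import stat
import subprocess
import tempfile
import textwrap


def write_script(path: str, body: str) -> str:
    """Write an executable /bin/sh script (all scripts here are constructed for the example)."""
    with open(path, "w") as f:
        f.write(textwrap.dedent(body))
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def run_path_hijack(victim_uses_env: bool) -> str:
    """Run a stand-in victim with an attacker-controlled directory first in PATH and
    report whether the attacker's fake echo was executed: 'hijacked' or 'safe'."""
    with tempfile.TemporaryDirectory() as work:
        evil_dir = os.path.join(work, "evil")
        os.mkdir(evil_dir)
        marker = os.path.join(work, "marker")

        # Attacker-controlled "echo": in the real level it would exec a shell;
        # here it only creates a marker file so the result is checkable.
        write_script(os.path.join(evil_dir, "echo"), f"""\
            #!/bin/sh
            : > "{marker}"
            """)

        # Stand-in for the level01 binary. The vulnerable variant resolves "echo"
        # through PATH via /usr/bin/env; the hardened variant uses an absolute path,
        # so the attacker's PATH entry is never consulted.
        call = "/usr/bin/env echo" if victim_uses_env else "/bin/echo"
        victim = write_script(os.path.join(work, "victim.sh"), f"""\
            #!/bin/sh
            {call} "and now what?"
            """)

        # The attacker controls the environment of the victim process: prepend evil_dir.
        env = dict(os.environ)
        env["PATH"] = evil_dir + os.pathsep + env.get("PATH", "/usr/bin:/bin")
        subprocess.run(["/bin/sh", victim], env=env, check=True, stdout=subprocess.DEVNULL)
        return "hijacked" if os.path.exists(marker) else "safe"


if __name__ == "__main__":
    print("env echo :", run_path_hijack(victim_uses_env=True))    # hijacked
    print("/bin/echo:", run_path_hijack(victim_uses_env=False))   # safe
```

The fix side of the example is the point for defenders: a privileged program should call helpers by absolute path (or reset PATH itself before exec), because anything resolved through the caller's PATH is under the caller's control.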
felmoltor / scan.vuln.scheduledtask.ps1
Created May 19, 2017 18:25
Scan vulnerable scheduled task
# Candidate tasks: run elevated (RunLevel other than "Limited"), not under a service account,
# not disabled, and whose first action executes a program (MSFT_TaskExecAction).
# This is the set the rest of the script inspects for vulnerable tasks.
$tasks = Get-ScheduledTask |
Where-Object { $_.Principal.RunLevel -ne "Limited" -and
$_.Principal.LogonType -ne "ServiceAccount" -and
$_.State -ne "Disabled" -and
$_.Actions[0].CimClass.CimClassName -eq "MSFT_TaskExecAction" }
felmoltor / zlib1.dll.cpp
Last active February 29, 2024 06:55
Privilege escalation with DLL Hijack of zlib1.dll on a MinGW default installation
// Author: Felipe Molina (@felmoltor)
//
// MinGW DLL Hijack Privilege Escalation POC.
// This DLL impersonates the legitimate library "zlib1.dll" residing inside
// the default installation folder of MinGW, "C:\MinGW\bin\zlib1.dll".
//
// g++ -c -DPRIVESC_DLL mingwprivesc.dll.cpp & g++ -shared -o mingwprivesc.dll mingwprivesc.dll.o -Wl,--out-implib,main.a & copy /y mingwprivesc.dll C:\MinGW\bin\zlib1.dll
felmoltor / negotiate_bruteforce.sh
Last active August 3, 2016 18:01
Negotiate Content Scanner (RFC 2616)
#!/bin/bash
#################
# CONFIG COLORS #
#################
# Text color variables
txtund=$(tput sgr 0 1) # Underline
txtbld=$(tput bold) # Bold
bldred=${txtbld}$(tput setaf 1) # red
felmoltor / 20160306.spotify.leak.analisys
Created April 26, 2016 18:59
20160306 Spotify Leak Analysis
________________ __________ ____ _______
\_ _____/ _ \\______ \ ___ _/_ | \ _ \
| __)/ /_\ \| ___/ \ \/ /| | / /_\ \
| | / | \ | \ / | | \ \_/ \
\__ | \____|__ /____| \_/ |___| /\ \_____ /
\/ \/ \/ \/
Author: @felmoltor
License: GPLv3
Summary: This tool analyzes a password dump. The dump can be one of these three kinds (option -F):
felmoltor / 2013.old.spotify.dump.analisys
Last active April 26, 2016 18:58
(Old) Spotify dump analysis
________________ __________ ____ _______
\_ _____/ _ \\______ \ ___ _/_ | \ _ \
| __)/ /_\ \| ___/ \ \/ /| | / /_\ \
| | / | \ | \ / | | \ \_/ \
\__ | \____|__ /____| \_/ |___| /\ \_____ /
\/ \/ \/ \/
Author: @felmoltor
License: GPLv3
Summary: This tool analyzes a password dump. The dump can be one of these three kinds (option -F):
felmoltor / Honeypot Statistics
Created April 2, 2016 15:39
Honeypot - Top scanners, countries and user/passwords used
====================
= Top 15 source IP =
====================
103.41.124.12:6480 (Hong Kong)
103.41.124.53:6363 (Hong Kong)
103.41.124.19:5809 (Hong Kong)
112.171.173.137:1691 (Korea, Republic of)
222.186.21.82:1596 (China)
117.27.249.4:1470 (China)
222.186.56.171:1302 (China)