gerry

Current benchmark

Component	Link	Est. Price
Case	GrayMatter 6-GPU Server Case V2.1	$500
Motherboard	ASRock H97 Anniversary	$85
Risers	---	Included w/case
GPUs	GeForce GTX 980 Ti	4x $470
PSU	Corsair AXi Series, AX1200i, 1200 Watt	2x $310
Power-Splitter	Phobya 24 Pin 2-Way PSU Starting Cable	$15

gerry

hashcat (v3.10-3-g13cbe42) starting in benchmark-mode...

OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #2: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #3: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU
- Device #4: GeForce GTX 980 Ti, 1519/6077 MB allocatable, 22MCU

Hashtype: MD4

gerry

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

gerry

Arbitrary file data write (leading to RCE)

./sources/export.queries.php:471: $outstream = fopen($_POST['file'], "a"); (place php in item description) ./sources/admin.queries.php:1110: $fh = fopen($tmp_skfile, 'w'); (admin required)

SQLi

./sources/views.queries.php:437: ORDER BY ".$_POST['order']." ".$_POST['direction']." (admin required)

No Authz on file download:

./sources/downloadFile.php:47: $fp = fopen($_SESSION['settings']['path_to_upload_folder'].'/'.$result['file'], 'rb');

gerry

#!/bin/sh -e
DEFAULT_IFACE=enp0s3
LOCAL_NET=$(ip -o -f inet addr show $DEFAULT_IFACE | awk '{print $4}')
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159

ufw --force reset
ufw default deny outgoing
ufw default deny incoming
ufw allow out on tun0 from any to any
ufw allow in on tun0 from any to any

gerry

#!/bin/sh -e
HOSTNAME=us-california.privateinternetaccess.com
# host us-california.privateinternetaccess.com|cut -d' ' -f4|tr \\n ,
HOST_IPS=198.8.80.220,198.8.80.223,198.8.80.33,198.8.80.149,198.8.80.180,198.8.80.221,198.8.80.50,198.8.80.203,198.8.80.162,198.8.80.176,107.152.98.168,198.8.80.222,107.152.98.159

IP=$(echo $HOST_IPS | tr , \\n | shuf - | head -n 1)
if grep -q $HOSTNAME /etc/hosts; then
  sed -i "s/.*$HOSTNAME/$IP $HOSTNAME/" /etc/hosts
else
  echo $IP $HOSTNAME >> /etc/hosts

gerry

#!/usr/bin/env python
import sys
import random
import string
import datetime
import itertools
import threading
import traceback
import SocketServer
import operator as op

gerry

Keybase proof

I hereby claim:

• I am gerry on github.
• I am gerry (https://keybase.io/gerry) on keybase.
• I have a public key whose fingerprint is F120 587B A599 B6B6 1ED6 1A37 DD61 36D6 59E5 4DEF

To claim this, I am signing this object:

gerry

#!/usr/bin/env python
# decrypt_dbvis.py ~ gerry@twitter.com
# DbVisualizer uses PBEWithMD5AndDES with a static key to store passwords.
# This is a quick hack to extract and decrypt credentials from DbVisualizer config files.
# Tested against DbVisualizer Free 9.0.9 and 9.1.6
"""
[2014-03-25 02:05:30][not-the-sea workspace]$ security/p/gerry/misc/decrypt_dbvis.py
[+] DbVisualizer Password Extractor and Decryptor (@gerryeisenhaur)
[+] Additional Usage Options:
[+]     security/p/gerry/misc/decrypt_dbvis.py <config filename>

gerry

diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index 7e0bc73..9b5c8d8 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -5163,11 +5163,11 @@ class DBManager
        # There is no place the NBE actually stores the plugin name used to
        # scan. You get "Security Note" or "Security Warning," and that's it.
        def import_nessus_nbe(args={}, &block)
-               data = args[:data]
+               nbe_data = args[:data]