This PoC has been moved to an actual repo here.
Welcome to Jordan's grab-bag of common Binary Ninja Snippets.
These snippets are meant to run with the Binary Ninja Snippets Plugin
(http://github.com/Vector35/snippets), though they can all also be pasted
directly into the Python console or turned into stand-alone plugins if needed.
To install the entire collection at once, just install the Snippets plugin via
the plugin manager (CMD/CTL-SHIFT-M), confirm the Snippet Editor works
(Tool/Snippets/Snippet Editor), and unzip this bundle (Download ZIP above) into
your Snippets folder.
|=-----------------------------------------------------------------------=|
|=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ saelo ]=------------------------------=|
|=-----------------------------------------------------------------------=|
The following are some brief notes about the changes that have taken place
since the release of the "Attacking JavaScript Engines" paper [1]. In
general, no big conceptual changes have happened since. Mitigations have
been added to break some of the presented techniques and, as expected, a
Heap Overflow Case Study: CVE-2015-3104 Proof of Concept
Heap Overflow Case Study: A Deeper Look at the Bug
Heap Overflow Case Study: Allocation Control
Heap Overflow Case Study: Gaining Read/Write Access to the Memory Space
Heap Overflow Case Study: Defeating ASLR
Heap Overflow Case Study: Gaining Code Execution
Heap Overflow Case Study: Stack Pivoting
Heap Overflow Case Study: Defeating DEP
Executing Shellcode and Restoring the Execution Flow
Sandbox Escape
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
# Imports
from scapy.all import *
from pprint import pprint
import operator

# Parameters
interface = "eth0"  # Interface you want to use
dns_source = "local-ip"  # IP of that interface
dns_destination = ["ip1", "ip2", "ip3"]  # List of DNS server IPs
#!/bin/bash
ABOUT="piactl 0.10
Copyright (c) 2018-2020 Peeter P. Mõtsküla <peeterpaul@motskula.net>
https://gist.github.com/ppmotskula/4288167460de27d22225e4959c44c6c4
License: MIT License (https://opensource.org/licenses/MIT)
piactl helps you to install, configure and control CNIL's PIA software
(https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
Open the debugger VM's .vmx file, delete the existing serial0 lines (used for printing, not needed here), and add these lines:
serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.tryNoRxLoss = "FALSE"
serial0.startConnected = "TRUE"
Abstract
This is a document explaining how to locate WaitForSingleObject(..., INFINITE)
within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching on issues like stack alignment and WaitForSingleObject locating and patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching on the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.
Contents: