Skip to content

Instantly share code, notes, and snippets.

View orangetw's full-sized avatar
🍊
This is orange!

Orange Tsai orangetw

🍊
This is orange!
4.1k followers · 67 following
View GitHub Profile
@c3c
c3c / redis-lua-linux-x86-poc.py
Created February 24, 2017 09:29
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@jhaddix
jhaddix / all.txt
Last active May 2, 2024 10:20
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@niklasb
niklasb / railspwn.rb
Last active March 7, 2021 12:14
Rails 5.1.4 YAML unsafe deserialization RCE payload
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
@g0tmi1k
g0tmi1k / drupalgeddon2_CVE-2018-7600_SA-CORE-2018-002.md
Last active February 16, 2023 12:37
drupalgeddon2 / SA-CORE-2018-002 / CVE-2018-7600 cURL (PoC)
@ndavison
ndavison / hbh-header-abuse-test.py
Last active May 5, 2024 13:44
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")
@mdjx
mdjx / ExchangeProxyNotFoundTest.ps1
Last active May 7, 2021 07:55
"https://mail.yourcompany.com" | % {try {iwr "$_/ecp/DDI/DDIService.svc/GetList?ActivityCorrelationID=X&schema=Antimalware&SecurityToken=Y" -UseBasicParsing} catch {$E=$_.ErrorDetails.Message; if (($E |sls "404.0 - Not Found" -Quiet) -and ($E | sls "Logon User(.*)Anonymous" -Quiet)) {Write-Output "Protected"} elseif (($E |sls "404.0 - Not Found" -Quiet) -and ($E | sls "Logon User" -Quiet)) {Write-Output "Vulnerable"} else {Write-Output "Unknown: Returned data does not contain expected values"}}}