paralax

import random
import string

from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient

class Exploit(HTTPClient):
    __info__ = {
        "name": "ASUS Router Password Reset",
        "description": "Module exploits remote flaw in ASUS devices to reset the "

paralax

import          java.io.IOException;
import          java.net.MalformedURLException;
import          java.net.URL;
import          java.net.URLConnection;
import          java.util.ArrayList;
import          java.util.List;
import          java.util.Map;
import          java.security.MessageDigest;

/*

paralax

import random
import re
import string

from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient

class Exploit(HTTPClient):
    __info__ = {
        "name": "Axis Network Camera RCE",

paralax

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- "https://malware.news/t/20-common-tools-techniques-used-by-macos-threat-actors-malware/46801" -->
<!-- "https://objective-see.org/blog/blog_0x71.html" -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.mylaptop.watchhostconfig</string>
    <key>ProgramArguments</key>
    <array>

paralax

import random

from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient

class Exploit(HTTPClient):
    __info__ = {
        "name": "D-Link Router Credential Retrieval",
        "description": """This module exploits a vulnerability in D-Link router httpd server. An unauthenticated attacker may retrieve plaintext authentication credentials from the system.""",
        "authors": (

paralax

rule JavaDeswerializePayload
{
	meta:
		author = "@jnazario"
		date = "2022-01-27"
		version = 1
	
	strings:
		$s1 = "java.lang.Runtime.getRuntime().exec" ascii fullword
		$s2 = "javaSerializedData" ascii fullword

paralax

-- MySQL dump 10.13  Distrib 8.0.26, for Linux (x86_64)
--
-- Host: localhost    Database: staff
-- ------------------------------------------------------
-- Server version	8.0.26

--
-- Table structure for table `person`
--

paralax

Found a request in my HTTP honeypot I couldn't explain. Investigation revealed it's been scanning widely and attempting to exploit a FreePBX command injection vulnerability and install a webshell.

77.247.108.81 - - [21/Sep/2021:18:54:34 -0400] "GET /gbr.php HTTP/1.1" 400 226 "-" "gbrmss/7.29.0" "ct:text/html"

Using this IP I spotted this link which showed me the form data: https://threatwar.com/attackers/695a2a8e-3cb6-4d74-8af8-d5058079a909

Based on the request there this appears to be an RCE injected via the "language" header. Exploit here: https://www.exploit-db.com/exploits/40434

From there I investigated the initial dropper:

paralax

Using Terraform and Docker on OSX

Recently I had to learn myself some Terraform for real, and it hit me - Docker (which I have come to use extensively) would be a perfect environment in which to do this.

Before you begin, make sure you have Terraform installed:

$ brew install terraform

Start the Docker TCP listener

paralax

open System.Text

/// https://fsharpforfunandprofit.com/posts/serializating-your-domain-model/ 
#I "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/"
#r "/usr/local/share/dotnet/sdk/NuGetFallbackFolder/newtonsoft.json/9.0.1/lib/net40/Newtonsoft.Json.dll"

module Json =

   open Newtonsoft.Json