Mark Janssen praseodym

## osv2020.diff
diff --color=auto -r osv2020-u-versie-1.9.1.2/elect-base-jar.jar/de/ivu/elect/business/dokumente/boundary/DokumentVorlageEdit.java nl-was-war-1.9.1.3-sources-all/elect-base-jar.jar/de/ivu/elect/business/dokumente/boundary/DokumentVorlageEdit.java
53c53
<       // msc: Ich mache es mir einfach und ersetze die vorhandene Datei auf dem Server... nicht ganz sauber, für den Fall,
---
>       // elect Ich mache es mir einfach und ersetze die vorhandene Datei auf dem Server... nicht ganz sauber, für den Fall,
diff --color=auto -r osv2020-u-versie-1.9.1.2/elect-base-jar.jar/de/ivu/elect/business/gebietsbaum/entity/AbstractGebiet.java nl-was-war-1.9.1.3-sources-all/elect-base-jar.jar/de/ivu/elect/business/gebietsbaum/entity/AbstractGebiet.java
95c95
<     // msc: nicht ändern (Performance, Lambdas und Sets machen die Sache nicht schenller...)
---
>     // elect nicht ändern (Performance, Lambdas und Sets machen die Sache nicht schenller...)

## _vmdir-exploit.md

      
              3 files
            
          
              3 forks
            
          
              0 comments
            
          
              0 stars
            
          
                praseodym
                / _vmdir-exploit.md
            
            
              Last active
              January 4, 2023 08:16
            
              
                Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006
              
          
    Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

This is my proof-of-concept exploit code for the VMware vCenter Directory Service (vmdir) sensitive information
disclosure vulnerability
(CVE-2020-3952 / VMSA-2020-0006).
It turns out that the vmdir service, which provides an LDAP directory server (and more), allows anonymous LDAP connections (also called LDAP binding) in the ACL MODE: Legacy configuration that is present
after upgrading from vCenter 6.5. While the LDAP tree doesn't expose password
hashes for administrative users, it does expose the VMware SSO server's SAML identity provider (IdP) certificates
and private key. This key can be downloaded and used to sign arbitrary SAML responses, allowing an attacker to

  
## csr.sh
#!/bin/bash
# csr.sh: Certificate Signing Request Generator

set -e

if [ $# -lt 1 ]; then
    echo "Usage: $0 hostname [alt.hostname1] [alt.hostname2]"
    exit 1
fi

## config.gateway.json
{
  "firewall": {
    "all-ping": "enable",
    "broadcast-ping": "disable",
    "group": {
      "address-group": {
        "authorized_guests": {
          "description": "authorized guests MAC addresses"
        },
        "guest_allow_addresses": {

## AESGCMUpdateAAD2.java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class AESGCMUpdateAAD2 {

    // AES-GCM parameters
    public static final int AES_KEY_SIZE = 128; // in bits

## common_tasks_apt.yml
---

- name: ensure wheezy-backports is present
  apt_repository: repo="deb http://ftp.nl.debian.org/debian/ wheezy-backports main contrib non-free" state=present update_cache=yes
  when: ansible_distribution_release == 'wheezy'

- name: ensure jessie-backports is present
  apt_repository: repo="deb http://ftp.nl.debian.org/debian/ jessie-backports main contrib non-free" state=present update_cache=yes
  when: ansible_distribution_release == 'jessie'

## ingress-nginx.yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx
---

kind: ConfigMap

## Migration.java
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.sql.*;
import java.time.LocalDate;

public class Migration {
    public static void main(String[] args) throws Exception {
        String url = "jdbc:postgresql://joost.chnet/choice?ssl=true&sslrootcert=wisvch.crt";
        Connection conn = DriverManager.getConnection(url, "user", "password");

## kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker

## ingress-nginx.log
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.30.0
  Build:         git-7e65b90c4
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.17.8

-------------------------------------------------------------------------------

W0301 00:31:38.725688       8 flags.go:260] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
	diff --color=auto -r osv2020-u-versie-1.9.1.2/elect-base-jar.jar/de/ivu/elect/business/dokumente/boundary/DokumentVorlageEdit.java nl-was-war-1.9.1.3-sources-all/elect-base-jar.jar/de/ivu/elect/business/dokumente/boundary/DokumentVorlageEdit.java
	53c53
	< // msc: Ich mache es mir einfach und ersetze die vorhandene Datei auf dem Server... nicht ganz sauber, für den Fall,
	---
	> // elect Ich mache es mir einfach und ersetze die vorhandene Datei auf dem Server... nicht ganz sauber, für den Fall,
	diff --color=auto -r osv2020-u-versie-1.9.1.2/elect-base-jar.jar/de/ivu/elect/business/gebietsbaum/entity/AbstractGebiet.java nl-was-war-1.9.1.3-sources-all/elect-base-jar.jar/de/ivu/elect/business/gebietsbaum/entity/AbstractGebiet.java
	95c95
	< // msc: nicht ändern (Performance, Lambdas und Sets machen die Sache nicht schenller...)
	---
	> // elect nicht ändern (Performance, Lambdas und Sets machen die Sache nicht schenller...)
	#!/bin/bash
	# csr.sh: Certificate Signing Request Generator

	set -e

	if [ $# -lt 1 ]; then
	echo "Usage: $0 hostname [alt.hostname1] [alt.hostname2]"
	exit 1
	fi
	{
	"firewall": {
	"all-ping": "enable",
	"broadcast-ping": "disable",
	"group": {
	"address-group": {
	"authorized_guests": {
	"description": "authorized guests MAC addresses"
	},
	"guest_allow_addresses": {
	import javax.crypto.*;
	import javax.crypto.spec.GCMParameterSpec;
	import java.nio.ByteBuffer;
	import java.security.SecureRandom;
	import java.util.Arrays;

	public class AESGCMUpdateAAD2 {

	// AES-GCM parameters
	public static final int AES_KEY_SIZE = 128; // in bits
	---

	- name: ensure wheezy-backports is present
	apt_repository: repo="deb http://ftp.nl.debian.org/debian/ wheezy-backports main contrib non-free" state=present update_cache=yes
	when: ansible_distribution_release == 'wheezy'

	- name: ensure jessie-backports is present
	apt_repository: repo="deb http://ftp.nl.debian.org/debian/ jessie-backports main contrib non-free" state=present update_cache=yes
	when: ansible_distribution_release == 'jessie'
	apiVersion: v1
	kind: Namespace
	metadata:
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	name: ingress-nginx
	---

	kind: ConfigMap
	import java.io.ByteArrayInputStream;
	import java.io.ObjectInputStream;
	import java.sql.*;
	import java.time.LocalDate;

	public class Migration {
	public static void main(String[] args) throws Exception {
	String url = "jdbc:postgresql://joost.chnet/choice?ssl=true&sslrootcert=wisvch.crt";
	Connection conn = DriverManager.getConnection(url, "user", "password");
	kind: Cluster
	apiVersion: kind.x-k8s.io/v1alpha4
	nodes:
	- role: control-plane
	- role: worker
	- role: worker
	- role: worker
	-------------------------------------------------------------------------------
	NGINX Ingress controller
	Release: 0.30.0
	Build: git-7e65b90c4
	Repository: https://github.com/kubernetes/ingress-nginx
	nginx version: nginx/1.17.8

	-------------------------------------------------------------------------------

	W0301 00:31:38.725688 8 flags.go:260] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)