| # should works on any cloud-init enabled hypervisor (openstack.. ) | |
| # start from a normal ubuntu 20.04 install as minimal was not available for ARM64 | |
| # Since ARM64 machines has higher RAM, Shrinking is desired but not necessary. Instead we will increase tmpfs to 1700MB | |
| # Getting root (if sudo -i doesn't work then set a root password beforehand using 'sudo passwd root' | |
| sudo -i | |
| # make sure we are on the highest kernel, so we can delete all the others ... |
Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)
Canonical UbuntuBoot volume
| # should works on any cloud-init enabled hypervisor (openstack.. ) | |
| # start from a ubuntu minimal install | |
| # we need to shrink down the used space to move it in a tmpfs of 700MB | |
| # make sure we are on the highest kernel, so we can delete all the others ... | |
| sudo apt update && sudo apt upgrade -y && reboot | |
| # ... reconnect | |
| sudo apt install lsof |
| # CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? ) | |
| # @0xSha | |
| # (C) 2020 0xSha.io | |
| # Advisory : https://www.solarwinds.com/securityadvisory | |
| # Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip | |
| # Details : https://kb.cert.org/vuls/id/843464 | |
| # C:\inetpub\SolarWinds\bin\OrionWeb.DLL | |
| # According to SolarWinds.Orion.Web.HttpModules |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Principal; | |
| //Based on https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html | |
| namespace GetSystem | |
| { | |
| class Program | |
| { |
| # github.com/ndavison | |
| import requests | |
| import random | |
| import string | |
| from argparse import ArgumentParser | |
| parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.") | |
| parser.add_argument("-u", "--url", help="URL to target (without query string)") |
This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).
This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.
In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:
PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);
| #!/bin/bash | |
| # this script was written by viss as a challenge from @random_robbie | |
| # This one-liner replaces a fairly lengthy python script | |
| # if you want to be walked through it, sign up for square cash, send $viss 20 dollars. Otherwise, flex your google fu! | |
| # oh, ps: you need to pip install shodan, and then configure the shodan cli client by giving it your api key. | |
| # then you're off to the races. | |
| shodan search --fields ip_str --limit 1000 'product:"Oracle Weblogic" port:"7001" country:"US"' | sort -u | nmap -sT -Pn -n -oG - -iL - -p 7001 | grep open | awk '{print $2}' | xargs -I % -n 1 -P 30 bash -c 'RESULT=`curl -s -I -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko0100101 Firefox/54.0" -H "Connection":"close" -H "Accept-Language":"en-US -H en;q=0.5" -H "Accept":"text/html -H application/xhtml+xml -H application/xml;q=0.9 -H */*;q=0.8" -H "Upgrade-Insecure-Requests":"1" %:7001/ws_utc/config.do | egrep HTTP`; echo "%: $RESULT";' |
