Minh-Triet Pham Tran trietptm

## w3af-console-shell-shock-exploit.txt
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://shellshock.notsosecure.com/cgi-bin/status
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://shellshock.notsosecure.com/cgi-bin/status", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"".

## gist:7df04f4b21f55c7b7413

struct s0 {
    signed char[124] pad124;
    uint32_t f124;
};

struct s1 {
    signed char[124] pad124;
    int32_t f124;
};

## ashare11.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                dwendt
                / ashare11.md
            
            
              Last active
              August 29, 2015 14:08
            
              
                CyberSEED "ashare11"
              
          
    #CyberSEED Software Challenge :: Phase1 :: ashare11
This past weekend was a "buffer overflow" competition put together by UConn. Our team of four went up and lost to UIUC who had a team of one! Great job Sam! We also got beaten by BUILDS, who did not use radare2, Jeff. 🙅
The first phase was three 32-bit challenges on a VM given to us, they were setuid binaries and we were told to automate exploiting them, spawning a shell(with tabcomplete/arrow support!) and include the key along with our script in our submission. Judging was performed manually and the scoreboard was not real-time at all. ASLR and NX were disabled, but we did have to take in mind that the stack would be located at a different spot for every restart/separate VM.
##Reversing
The actual output of the bin:
Usage: ./ashare11 [command and options]


## gist:fa6e9532a23001d0f43c
/*
  sectalks 0x01
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <time.h>

char *globalPassword = "PIGEONS";

## Security Education.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                cephurs
                / Security Education.md
            
            
              Last active
              August 29, 2015 14:13
                — forked from HockeyInJune/Security Education.md
            
          
    Accredited Universities

List of Centers of Academic Excellence for Cyber Operations
National Centers of Academic Excellence in Information Assurance (IA)/Cyber Defense (CD)
/r/netsec's Q3 2013 Academic Program Thread
/r/netsec's Q1 2013 Academic Program Thread

Full Online Courses

NYU Polytechnic School of Engineering ISIS Lab's Hack Night  Source Code Auditing, Web Security, Reverse Engineering, Exploitation, Post-Exploitation, Application Security
OpenSecurityTraining  Reverse Engineering, Exploitation, Forensics, Malware Analysis
[Florida State University's Offensive Secu


## gist:bd8153f4288badcd02d7
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt

  56
   6 Argentina
  35 Australia
   1 Austria
   6 Belarus
   1 Belgium
  16 Brazil
  92 British Virgin Islands

## dyre-dga.py
#! /usr/bin/env python
# Dyre/Dyreza DGA
# Implementation by Talos
# From http://blogs.cisco.com/security/talos/threat-spotlight-dyre
# Another Python implementation was also posted back in December 2014 by moritz.kroll:
# https://www.virustotal.com/en/file/3716902c64afe40369e6ed67f9b9f7eea30f809348b3558adcff622965e80435/analysis/

from datetime import date
from hashlib import sha256
from socket import gethostbyname, gaierror

## 0ctf_polyquine.py
 #include/*
q='''*/<stdio.h>
main(){char*_;/*=;sub _:lvalue{$_}<<q;#';<<q#'''
def printf(a,*b):__import__('sys').stdout.write(a%b)
q
#*/
_=" #include/*%cq='''*/<stdio.h>%cmain(){char*_;/*=;sub _:lvalue{%c_}<<q;#';<<q#'''%cdef printf(a,*b):__import__('sys').stdout.write(a%%b)%cq%c#*/%c_=%c%s%c;printf(_,10,10,36,10,10,10,10,34,_,34,10,10,10,10);%c#/*%cq='''*/%c}//'''#=%c";printf(_,10,10,36,10,10,10,10,34,_,34,10,10,10,10);
#/*
q='''*/
}//'''#=

## gist:8c92d10dfad9d4b38b04

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                wxsBSD
                / gist:8c92d10dfad9d4b38b04
            
            
              Last active
              August 29, 2015 14:18
            
          
    I was recently asked how to check the entropy of a given section in YARA, and because the person who asked is clearly looking to learn how to fish instead of just being given fish I went into some detail on the explanation. With his permission I am sharing my response here.
It's a combination of a number of things:
math.in_range(test, lower, upper):
Given a test value, check to see if it is in range of the lower and upper bounds. This is an inclusive test.
math.entropy(offset, length):

  
## gist:12df771275ee7860b48e
# Simple example to color every instruction in a function that writes to memory.

def run
	result = cm.synchronize_write do
		# Pull out the RVA of the function the user has selected in the GUI
		func_rva = @relyze.tab_current_function_rva( cm ) || (break 'No function selected')
		# Pull out the corresponding function object
		func = cm.function( func_rva ) || (break 'Function not found')
		# Iterate over every block in the function
		func.blocks do | block |
	w3af>>> plugins
	w3af/plugins>>> audit shell_shock
	w3af/plugins>>> back
	w3af>>> target
	w3af/config:target>>> set target http://shellshock.notsosecure.com/cgi-bin/status
	w3af/config:target>>> back
	The configuration has been saved.
	w3af>>> start
	Shell shock was found at: "http://shellshock.notsosecure.com/cgi-bin/status", using HTTP method GET.
	The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"".

	struct s0 {
	signed char[124] pad124;
	uint32_t f124;
	};

	struct s1 {
	signed char[124] pad124;
	int32_t f124;
	};
	/*
	sectalks 0x01
	*/

	#include <stdio.h>
	#include <stdlib.h>
	#include <windows.h>
	#include <time.h>

	char *globalPassword = "PIGEONS";
	https://isc.sans.edu/feeds/suspiciousdomains_Low.txt

	56
	6 Argentina
	35 Australia
	1 Austria
	6 Belarus
	1 Belgium
	16 Brazil
	92 British Virgin Islands
	#! /usr/bin/env python
	# Dyre/Dyreza DGA
	# Implementation by Talos
	# From http://blogs.cisco.com/security/talos/threat-spotlight-dyre
	# Another Python implementation was also posted back in December 2014 by moritz.kroll:
	# https://www.virustotal.com/en/file/3716902c64afe40369e6ed67f9b9f7eea30f809348b3558adcff622965e80435/analysis/

	from datetime import date
	from hashlib import sha256
	from socket import gethostbyname, gaierror
	#include/*
	q='''*/<stdio.h>
	main(){char_;/=;sub _:lvalue{$_}<<q;#';<<q#'''
	def printf(a,*b):__import__('sys').stdout.write(a%b)
	q
	#*/
	_=" #include/%cq='''/<stdio.h>%cmain(){char_;/=;sub _:lvalue{%c_}<<q;#';<<q#'''%cdef printf(a,b):__import__('sys').stdout.write(a%%b)%cq%c#/%c_=%c%s%c;printf(_,10,10,36,10,10,10,10,34,_,34,10,10,10,10);%c#/%cq='''/%c}//'''#=%c";printf(_,10,10,36,10,10,10,10,34,_,34,10,10,10,10);
	#/*
	q='''*/
	}//'''#=
	# Simple example to color every instruction in a function that writes to memory.

	def run
	result = cm.synchronize_write do
	# Pull out the RVA of the function the user has selected in the GUI
	func_rva = @relyze.tab_current_function_rva( cm ) \|\| (break 'No function selected')
	# Pull out the corresponding function object
	func = cm.function( func_rva ) \|\| (break 'Function not found')
	# Iterate over every block in the function
	func.blocks do \| block \|