/*
The vulnerable function takes as input an array of bytes and outputs their hex representation in Unicode. The hex-encoded bytes are separated by a space (0x20).
For example:
user input : 0 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00
As for the vulnerability itself, the problem lies in the size calculation for the output buffer (vulnerable_chunk):
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
@vp777
vp777 / last_modified_detector.sh
Last active October 20, 2020 16:53
A small script that attempts to identify when an HTTP resource was last modified. It does so either by reading the Last-Modified response header or by binary searching with the If-Modified-Since/If-Unmodified-Since request headers.
#!/bin/bash
#not sure how useful If-Modified-Since/If-Unmodified-Since would be if the Last-Modified header is not available :)
resource=${1?Missing the URL of the resource}
accuracy=${2:-2} #by default, tries to identify the 2 most significant fields, the year and the month
function replacer {
local result i pattern replacement
result=$1
@vp777
vp777 / ip_range_check.sh
Last active November 12, 2020 20:07
This bash script outputs the hosts that fall within a list of CIDR blocks.
#!/bin/bash
: '
examples:
./ip_range_check.sh <(echo 1.1.1.1) <(echo 1.1.1.2)
#no results
./ip_range_check.sh <(echo -e '127.0/8\n1.1.1.1/31') <(echo -e '7f000001.7f000002.rbndr.us\n1.1.256\n1.1.1.2\n2.2.2.36')
#7f000001.7f000002.rbndr.us 127.0.0.1
#1.1.256 1.1.256
'
@vp777
vp777 / babel-plugin-deob.js
Last active November 8, 2020 23:03
babeljs plugin that unravels a number of common JS obfuscation patterns
/*
babeljs plugin that unravels a number of common obfuscation patterns (originally found in F5 JS obfuscation library).
tip: for better results you can feed the output of the below plugin to minify
usage: set the plugins in your .babelrc to the path of this script
It takes as input the following obfuscated code:
function toBeGone(s, u, m){
'''
A PoC for a device with the ScriptExecute buffer overflow originally reported at:
https://www.redteam-pentesting.de/en/advisories/rt-sa-2015-001/-avm-fritz-box-remote-code-execution-via-buffer-overflow
As suggested in the above advisory, parts of the source code of the vulnerable application can be found at:
https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control
Nevertheless, the above repository imposes a maximum length on the user input, which mitigates the
vulnerability in the unsafe sscanf call.
This PoC targets the variant without the user input length limitation.
#!/bin/bash
frontable_domain=${1:-www.amazon.co.uk}
fronted_domain=${2:-your.cloudfront.net}
cert_path="ssl cert path"
cdn_port=443
local_port=443
echo "Frontable domain: $frontable_domain, Fronted: $fronted_domain"
'Note: this "issue" was reported to Checkpoint back in June 2018.
'This is mostly a reverse_https payload generated through msfvenom.
'It is modified at execution time to embed information (in base64 form) about the running environment in the domain used for the reverse
'connection.
'When the document is analysed, we should get back a report showing the "malicious" URL that the document attempted to connect to, which
'includes our encoded data. Some other potential avenues for data exfiltration are file and registry modifications, which are normally
'included in the document analysis report.
'Note: even though simple DNS queries/HTTP requests are detected, the domain is not displayed in the report. I haven't spent any
'more time on this, but I guess the payload has to be properly dressed/execute specific actions before the report gives back the full details
'of its behaviour.
'Originally posted at: https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project/53358962#53358962
'This version should work for both x86 and amd64 versions of Microsoft Office
Option Explicit
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
#! /bin/bash
#A script for automatic course registration through bannerweb.
#The last time this script was used was in 2016, so I expect it to need some changes before it resurrects again.
base_url="https://bannerweb.server:9091"
user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
cookies_file="./.ucycookies"
#cookies_file=`date +%s%N`