| Komm mal ins RZ komm her zu mir | |
| Siehst du da drüben gleich da hinten im Netzwerkraum | |
| Ja da drüben in dem Rack vorm Storage haben sie | |
| unsre Patches in'n Kernel gehaun | |
| Komm an den Bildschirm komm her zu mir | |
| Überall nur Skripte und Pakete halb compiled | |
| Sieht so aus als hätten die unser Gentoo heute Nacht | |
| schon ohne uns verteilt |
mspaint.exe does not properly verify Dib data from the clipboard. Therefore we can craft some Dib data in the clipboard which e.g. suggests a size of 0x100 by 0x100 pixels and contains not more than the Dib header itself. So the acutal image data rendered by mspaint.exe is its own heap data =)
Run the following code in PowerShell:
$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
| GitHub RCE by Environment variable injection Bug Bounty writeup | |
| Disclaimer: I'll keep this really short but I hope you'll get the key points. | |
| GitHub blogged a while ago about some internal tool called gerve: | |
| https://github.com/blog/530-how-we-made-github-fast | |
| Upon git+sshing to github.com gerve basically looks up your permission | |
| on the repo you want to interact with. Then it bounces you further in | |
| another forced SSH session to the back end where the repo actually is. |
| This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt | |
| into a Remote Command Execution: | |
| NOTE: It relies on the PHP expect module being loaded | |
| (see http://de.php.net/manual/en/book.expect.php) | |
| joern@vbox-1:/tmp$ cat /var/www/server.php | |
| <? | |
| require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php"); | |
| Zend_Loader_Autoloader::getInstance(); |