joernchen
joernchen / Wir sind Admins - Gentoo.txt
Created October 22, 2017 19:05
Wir sind Admins - Gentoo // Written by @astera and @joernchen in 2010
Come into the data center, come here to me
Do you see over there, right back there in the network room
Yes, over there in the rack in front of the storage they
slammed our patches into the kernel
Come to the screen, come here to me
Everywhere just scripts and packages half compiled
Looks like they deployed our Gentoo tonight
already without us
joernchen / PaintBleed.md
Created March 14, 2017 22:42
PaintBleed

Summary

mspaint.exe does not properly verify DIB data from the clipboard. Therefore we can craft DIB data in the clipboard which e.g. claims a size of 0x100 by 0x100 pixels but contains no more than the DIB header itself. So the actual image data rendered by mspaint.exe is its own heap data =)

PoC

Run the following code in PowerShell:

$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
joernchen / bounty.txt
Created February 22, 2014 16:17
Bounty writeup
GitHub RCE by environment variable injection: Bug Bounty writeup
Disclaimer: I'll keep this really short but I hope you'll get the key points.
GitHub blogged a while ago about some internal tool called gerve:
https://github.com/blog/530-how-we-made-github-fast
Upon git+sshing to github.com gerve basically looks up your permission
on the repo you want to interact with. Then it bounces you further in
another forced SSH session to the back end where the repo actually is.
joernchen / gist:3623896
Created September 4, 2012 17:34
XXE to RCE
This turns https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
into a Remote Command Execution:
NOTE: It relies on the PHP expect module being loaded
(see http://de.php.net/manual/en/book.expect.php)
joern@vbox-1:/tmp$ cat /var/www/server.php
<?
require_once("/usr/share/php/libzend-framework-php/Zend/Loader/Autoloader.php");
Zend_Loader_Autoloader::getInstance();