Skip to content

Instantly share code, notes, and snippets.

View joernchen's full-sized avatar

joernchen joernchen

View GitHub Profile
joernchen / Wir sind Admins - Gentoo.txt
Created October 22, 2017 19:05
Wir sind Admins - Gentoo // Written by @astera and @joernchen in 2010
Komm mal ins RZ komm her zu mir
Siehst du da drüben gleich da hinten im Netzwerkraum
Ja da drüben in dem Rack vorm Storage haben sie
unsre Patches in'n Kernel gehaun
Komm an den Bildschirm komm her zu mir
Überall nur Skripte und Pakete halb compiled
Sieht so aus als hätten die unser Gentoo heute Nacht
schon ohne uns verteilt
joernchen /
Created March 14, 2017 22:42


mspaint.exe does not properly verify Dib data from the clipboard. Therefore we can craft some Dib data in the clipboard which e.g. suggests a size of 0x100 by 0x100 pixels and contains not more than the Dib header itself. So the acutal image data rendered by mspaint.exe is its own heap data =)


Run the following code in PowerShell:

$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
joernchen / bounty.txt
Created February 22, 2014 16:17
Bounty writeup
GitHub RCE by Environment variable injection Bug Bounty writeup
Disclaimer: I'll keep this really short but I hope you'll get the key points.
GitHub blogged a while ago about some internal tool called gerve:
Upon git+sshing to gerve basically looks up your permission
on the repo you want to interact with. Then it bounces you further in
another forced SSH session to the back end where the repo actually is.
joernchen / gist:3623896
Created September 4, 2012 17:34
This turns
into a Remote Command Execution:
NOTE: It relies on the PHP expect module being loaded
joern@vbox-1:/tmp$ cat /var/www/server.php