漏洞平台

POC详情： 6777617552236e174f13c96d62bb3b29ac0adb98

来源

https://github.com/qixils/AntiCropalypse

关联漏洞

标题： Google Pixel 安全漏洞 (CVE-2023-21036)
描述：Google Pixel是美国谷歌（Google）公司的一款智能手机。 Google Pixel 存在安全漏洞，该漏洞源于代码中的逻辑错误，可能无法截断图像。

描述

Discord bot for mitigating the aCropalypse vulnerability (CVE-2023-21036, CVE-2023-28303) by retroactively deleting vulnerable images

介绍

# March 31st, 2023 Update

As of today, Discord's CDN now strips trailing data from PNGs in-flight, meaning that even old uploads are now safe from
the aCropalypse vulnerability. As such, this bot is no longer necessary, but it will remain online to allow users to
download their archived images.

The original README for the bot can be found below.

# [AntiCropalypse](https://anticropalypse.qixils.dev)

Discord bot which searches for and deletes images vulnerable to the aCropalypse exploit
(CVE-2023-21036 & CVE-2023-28303).
You can learn more about the project and add the public bot to your server
[**here**](https://anticropalypse.qixils.dev).

## Self-hosting

This bot is written in Kotlin and requires Java 17 to compile and run.

### Releases

Running the bot is as simple as downloading the
[latest release](https://github.com/qixils/anticropalypse/releases/latest),
setting the required environment variables (see below),
and running the `bin/bot` script.

### Building from source

To create a distributable build like the published releases, run `./gradlew build`
and share/extract the resulting archive from `bot/build/distributions`.

Otherwise, you can run the bot directly by setting the required environment variables (see below)
and running `./gradlew :bot:run`.

### Environment variables

| Name            | Description                         |         Required         |
|-----------------|-------------------------------------|:------------------------:|
| `BOT_TOKEN`     | Token for the Discord bot to run as |            ✔️            |
| `S3_BUCKET`     | S3 bucket name to archive images to |      For S3 support      |
| `S3_REGION`     | Region for the S3 archival bucket   |      For S3 support      |
| `S3_ACCESS_KEY` | Your S3 access key                  |      For S3 support      |
| `S3_SECRET_KEY` | Your S3 private key                 |      For S3 support      |
| `S3_ENDPOINT`   | Endpoint for S3 archival bucket     | No, defaults to Amazon's |

文件快照


 [4.0K]  /data/pocs/6777617552236e174f13c96d62bb3b29ac0adb98
├── [4.0K]  bot
│   ├── [1.0K]  build.gradle.kts
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  kotlin
│           │   └── [4.0K]  dev
│           │       └── [4.0K]  qixils
│           │           └── [4.0K]  anticropalypse
│           │               ├── [ 48K]  Bot.kt
│           │               ├── [2.3K]  BotState.kt
│           │               ├── [ 14K]  Scanner.kt
│           │               └── [ 933]  Utils.kt
│           └── [4.0K]  resources
│               └── [ 374]  logback.xml
├── [ 549]  build.gradle.kts
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 59K]  gradle-wrapper.jar
│       └── [ 201]  gradle-wrapper.properties
├── [ 325]  gradle.properties
├── [7.9K]  gradlew
├── [2.6K]  gradlew.bat
├── [1.0K]  LICENSE
├── [1.9K]  README.md
├── [  52]  settings.gradle.kts
└── [4.0K]  web
    ├── [ 12K]  apple-touch-icon.png
    ├── [4.0K]  assets
    │   └── [4.0K]  css
    │       └── [1.4K]  styles.css
    ├── [6.8K]  favicon-32.png
    ├── [ 18K]  favicon-512.png
    ├── [7.2K]  favicon.ico
    └── [8.9K]  index.html

13 directories, 21 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。