CVE-2023-21036 PoC — Google Pixel security vulnerability

Source
Associated Vulnerability
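Title: Google Pixel security vulnerability (CVE-2023-21036)
Description: Google Pixel is a smartphone from the US company Google. Google Pixel contains a security vulnerability caused by a logic error in the code, which may result in images not being truncated.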
Description
Discord bot for mitigating the aCropalypse vulnerability (CVE-2023-21036, CVE-2023-28303) by retroactively deleting vulnerable images
Readme
# March 31st, 2023 Update

As of today, Discord's CDN now strips trailing data from PNGs in-flight, meaning that even old uploads are now safe from
the aCropalypse vulnerability. As such, this bot is no longer necessary, but it will remain online to allow users to
download their archived images.
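
The update above says the CDN now strips trailing data from PNGs. The following Python check for that condition is an added example, not the bot's Kotlin code or Discord's implementation: it walks the PNG chunks to the first `IEND` and reports or removes whatever follows. The function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, payload: bytes = b"") -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC32(type + payload)."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def find_png_end(data: bytes) -> int:
    """Walk chunks from the start; return the offset just past the first IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # 12 = length + type + CRC of an empty chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk runs past end of file")
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("chunk CRC mismatch")
        if ctype == b"IEND":
            return end  # stop at the FIRST IEND; leftovers may hold an older one
        pos = end
    raise ValueError("no IEND chunk")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes stored after the image's IEND chunk (0 for a clean file)."""
    return len(data) - find_png_end(data)


def strip_trailing(data: bytes) -> bytes:
    """Return the PNG cut off right after its IEND chunk."""
    return data[:find_png_end(data)]


# Constructed sample: a 1x1 grayscale PNG, then leftover bytes ending in an old IEND.
SAMPLE_CLEAN = (PNG_SIGNATURE
                + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
                + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
                + chunk(b"IEND"))
SAMPLE_LEFTOVER = b"constructed-leftover-data" + chunk(b"IEND")
SAMPLE_DIRTY = SAMPLE_CLEAN + SAMPLE_LEFTOVER

if __name__ == "__main__":
    print(trailing_bytes(SAMPLE_CLEAN), trailing_bytes(SAMPLE_DIRTY))
```

Trailing bytes alone do not prove an image came from an affected tool; they only show that data exists past the end of the image.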

The original README for the bot can be found below.

# [AntiCropalypse](https://anticropalypse.qixils.dev)

Discord bot which searches for and deletes images vulnerable to the aCropalypse exploit
(CVE-2023-21036 & CVE-2023-28303).
You can learn more about the project and add the public bot to your server
[**here**](https://anticropalypse.qixils.dev).

## Self-hosting

This bot is written in Kotlin and requires Java 17 to compile and run.

### Releases

Running the bot is as simple as downloading the
[latest release](https://github.com/qixils/anticropalypse/releases/latest),
setting the required environment variables (see below),
and running the `bin/bot` script.

### Building from source

To create a distributable build like the published releases, run `./gradlew build`
and share/extract the resulting archive from `bot/build/distributions`.

Otherwise, you can run the bot directly by setting the required environment variables (see below)
and running `./gradlew :bot:run`.

### Environment variables

| Name            | Description                         |         Required         |
|-----------------|-------------------------------------|:------------------------:|
| `BOT_TOKEN`     | Token for the Discord bot to run as |            ✔️            |
| `S3_BUCKET`     | S3 bucket name to archive images to |      For S3 support      |
| `S3_REGION`     | Region for the S3 archival bucket   |      For S3 support      |
| `S3_ACCESS_KEY` | Your S3 access key                  |      For S3 support      |
| `S3_SECRET_KEY` | Your S3 private key                 |      For S3 support      |
| `S3_ENDPOINT`   | Endpoint for S3 archival bucket     | No, defaults to Amazon's |
File Snapshot

```
[4.0K] /data/pocs/6777617552236e174f13c96d62bb3b29ac0adb98
├── [4.0K] bot
│   ├── [1.0K] build.gradle.kts
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] kotlin
│           │   └── [4.0K] dev
│           │       └── [4.0K] qixils
│           │           └── [4.0K] anticropalypse
│           │               ├── [ 48K] Bot.kt
│           │               ├── [2.3K] BotState.kt
│           │               ├── [ 14K] Scanner.kt
│           │               └── [ 933] Utils.kt
│           └── [4.0K] resources
│               └── [ 374] logback.xml
├── [ 549] build.gradle.kts
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 59K] gradle-wrapper.jar
│       └── [ 201] gradle-wrapper.properties
├── [ 325] gradle.properties
├── [7.9K] gradlew
├── [2.6K] gradlew.bat
├── [1.0K] LICENSE
├── [1.9K] README.md
├── [  52] settings.gradle.kts
└── [4.0K] web
    ├── [ 12K] apple-touch-icon.png
    ├── [4.0K] assets
    │   └── [4.0K] css
    │       └── [1.4K] styles.css
    ├── [6.8K] favicon-32.png
    ├── [ 18K] favicon-512.png
    ├── [7.2K] favicon.ico
    └── [8.9K] index.html

13 directories, 21 files
```