Royce Williams roycewilliams

💭
:cheeeeeese:
View GitHub Profile
@smx-smx
smx-smx / XZ Backdoor Analysis
Last active May 4, 2024 10:03
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as I make progress
@q3k
q3k / hashes.txt
Last active April 14, 2024 17:11
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active May 4, 2024 09:26
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

// Character remapping table. Positions 0x00-0x20 hold the bytes 0x00-0x20 themselves,
// so control characters and space map to their own value; the remaining 94 entries are
// a permutation of the printable ASCII range 0x21-0x7e.
const NEW_CHARMAP = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20!\"#$%&'{([])}*+-.\\/0123456789:;,<=>?@EeAaUuOoIiFfGgHhJjLl|WwMmNnBbDdTtPpQqRrKkCcSsZzVvXxYy^_`~";
// Map an original character code to its position in the table (-1 if the byte is not in the table).
function get_new_char_code(old_char_code){
  return NEW_CHARMAP.indexOf(String.fromCharCode(old_char_code));
}
// Inverse mapping: the character stored at that position is the original code.
function get_old_char_code(new_char_code){
  return NEW_CHARMAP.charCodeAt(new_char_code);
}
RSA Private-Key: (6969 bit, 69 primes)
modulus:
@malexmave
malexmave / ntstatus.csv
Last active November 16, 2023 15:04
There are a bunch of versions of the list of NTSTATUS codes online, but many of them are invalid CSVs. This one is cleaned so that it is accepted by Azure Sentinel for import as a Watchlist.
Return value;Return code;Description
0x00000000;STATUS_SUCCESS;The operation completed successfully.
0x00000000;STATUS_WAIT_0;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000001;STATUS_WAIT_1;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000002;STATUS_WAIT_2;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000003;STATUS_WAIT_3;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x0000003F;STATUS_WAIT_63;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000080;STATUS_ABANDONED;The caller attempted to wait for a mutex that has been abandoned.
0x00000080;STATUS_ABANDONED_WAIT_0;The call
Date,Details,Email Payload Type,Users Targeted
10/1/2023,FW: damaged Goods; xlam -> agenttesla continued to 10/9,Attachment,
10/2/2023,RE: SHIPPING DOCUMENT & PACKING LIST; r15 -> agenttesla,Attachment,2
10/2/2023,RE: CONFIRM REVISED PIURCHASE ORDER; zip -> formbook,Attachment,2
10/2/2023,Signed Purchase Order: PO/US/4509622207; zip -> formbook,Attachment,2
10/2/2023,Attachment name is Document.zip; zip -> agenttesla,Attachment,2
10/3/2023,RE: New Order; r15 -> agenttesla,Attachment,2
10/3/2023,Wrong Payment Information; zip -> agenttesla,Attachment,2
10/4/2023,RE: Status For September SOA; xls -> agenttesla continued to 10/5,Attachment,4
10/5/2023,Purchase Order - HOM-OS-20-23-813; r15 -> agenttesla,Attachment,2
@adulau
adulau / http2-rapid-reset-ddos-attack.md
Last active April 4, 2024 17:59
HTTP/2 Rapid Reset DDoS Attack

Introduction

This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.

Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.

References

@mttaggart
mttaggart / electron-versions.csv
Last active November 18, 2023 03:15
CVE-2023-4863 Electron App Tracker | THIS LIST IS NOW DEPRECATED. PLEASE VISIT https://github.com/mttaggart/electron-app-tracker FOR THE LATEST DATA
app_name repo electron_version vulnerable
1Clipboard https://github.com/wiziple/1clipboard
1Password None 25.8.1 FALSE
3CX Desktop App 19.0.8 TRUE
5EClient None
Abstract None
Account Surfer None
Advanced REST Client https://github.com/advanced-rest-client/arc-electron ^17.0.0 TRUE
Aedron Shrine None
Aeon https://github.com/leinelissen/aeon 23.2.0 TRUE
@april
april / find-all-electron-versions.sh
Last active March 15, 2024 00:56
find all apps using Electron and their versions, on macOS systems
#!/usr/bin/env zsh
# patched versions for CVE-2023-4863: 22.3.24, 24.8.3, 25.8.1, 26.2.1
# Ask Spotlight for every application bundle on the system, one path per line.
mdfind "kind:app" 2>/dev/null | sort -u | while read app;
do
  # Electron apps ship the framework binary at this fixed path inside the bundle.
  filename="$app/Contents/Frameworks/Electron Framework.framework/Electron Framework"
  if [[ -f $filename ]]; then
    echo "App Name: $(basename ${app})"
    # The binary embeds a "Chrome/<ver> Electron/<ver>" string; drop the "%s" format
    # template and take the third '/'-separated field, which is the Electron version.
    electronVersion=$(strings "$filename" | grep "Chrome/" | grep -i Electron | grep -v '%s' | sort -u | cut -f 3 -d '/')
    # Lines below this point are added to close the loop; the gist preview is cut off
    # after the previous line and is not the author's original ending.
    echo "Electron Version: $electronVersion"
  fi
done