Skip to content

Instantly share code, notes, and snippets.

View TheCjw's full-sized avatar
💭
I may be slow to respond.

TheCjw TheCjw

💭
I may be slow to respond.
222 followers · 105 following
View GitHub Profile
@buptczq
buptczq / detect.py
Last active January 30, 2022 06:39
QQ URL detect
import hashlib
import struct
import sqlite3
def md5hash(buf):
return hashlib.md5(buf.encode("utf-16")[2:]).digest()
def md5cmp(buf, postfix, a1, a2, a3, a4):
if len(buf) < postfix:
return False
@littlelailo
littlelailo / apollo.txt
Created September 27, 2019 12:04
Apple Bootrom Bug
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to recieve into the buffer
5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
7. if all the data was recieved th
@ulidtko
ulidtko / qnap-qts-fw-cryptor.py
Last active July 1, 2024 18:27
QNAP QTS firmware encryptor/decryptor.
#!/usr/bin/env python3
import os, sys
import argparse
import struct
from functools import reduce
"""
QNAP QTS firmware encryptor/decryptor.
Based on https://pastebin.com/KHbX85nG
@wdormann
wdormann / acltest.ps1
Created May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@hjbotha
hjbotha / free_ports.sh
Last active June 20, 2024 14:34
Free ports 80 and 443 on Synology NAS
#! /bin/bash
# NEWLY ADDED BACKUP FUNCTIONALITY IS NOT FULLY TESTED YET, USE WITH CARE, ESPECIALLY DELETION
# Developed for DSM 6 - 7.0.1. Not tested on other versions.
# Steps to install
# Save this script in one of your shares
# Edit it according to your requirements
# Backup /usr/syno/share/nginx/ as follows:
# # cd /usr/syno/share/
# # tar cvf ~/nginx.tar nginx
@hfiref0x
hfiref0x / akagi_41.c
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@oleavr
oleavr / trust-manager.js
Created June 8, 2017 13:49
How to implement an X509TrustManager using Frida
'use strict';
var TrustManager;
var manager;
Java.perform(function () {
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
TrustManager = Java.registerClass({
name: 'com.example.TrustManager',
@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active March 10, 2024 11:03 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@Epivalent
Epivalent / Wannacrypt0r-FACTSHEET.md
Created May 12, 2017 20:17

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Malware samples

@torresashjian
torresashjian / linux-kali-install-wifi-drivers.sh
Last active April 16, 2024 15:40
How to install Broadcom BCM43142 Drivers on Kali Linux
apt-get update
apt-get install linux-image-$(uname -r|sed 's,[^-]*-[^-]*-,,') linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') broadcom-sta-dkms
modprobe -r b44 b43 b43legacy ssb brcmsmac bcma
modprobe wl