Skip to content

Instantly share code, notes, and snippets.

Wack0 / gist:17c56b77a90073be81d3
Last active Jul 23, 2021
It's not just superfish that's the problem.
View gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
Wack0 / gist:f865ef369eb8c23ee028
Last active May 9, 2018
Komodia rootkit findings by @TheWack0lian
View gist:f865ef369eb8c23ee028

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
                  // at least, not after writing to it first.
Wack0 / gist:bda47c2bfadfb68d73ea
Created Jul 29, 2015
Cards against Security: list of all cards
View gist:bda47c2bfadfb68d73ea
Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
| id | content |
| 1 | _____ means never having to say you're sorry. |
| 2 | The pen tester found _____ in the trash while dumpster diving. |
| 3 | Our CIO has a framed a picture of _____. |
| 4 | 9 out of 10 experts agree, _____ will increase your security effectiveness. |
Wack0 / ayy-oh-lmao.js
Last active Dec 8, 2015
AOL Desktop <= 9.8.1 FS Read/Write via MITM, <= 9.8.0 Remote Command Execution via MITM PoC
View ayy-oh-lmao.js
AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
AOL Desktop <= 9.8.1 File Write via MITM.
by slipstream/RoL, between August and December 2015. #rol ** ** twitter @TheWack0lian
The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
Compiled FDO makes up part of the data sent from server to client and client to server.
Wack0 /
Last active Apr 13, 2018
Torrents Time bundles certificates and private keys.

Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure.. I figured I might as well reverse it.

It seems to have three components, one (on windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower privileged user. There's also a nodejs application, server.js.

The native service seems to set up a localhost HTTPd, on either port 12400, 11400, 10400 or 9400, using whichever is open.

So, I browsed to it, and was astonished to discover it was running with TLS, and gave the browser a valid certificate, signed by Thawte! (the cert was issued to, obviously to work around new CA rules. For the record, it currently resolves to as you'd probably expect.)

Wack0 /
Last active Apr 21, 2016
AdwareROI MiTM certificates and private keys


AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

Wack0 / 86box-td0.php
Last active Mar 20, 2018
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) Code Execution PoC
View 86box-td0.php
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) can cause code execution
calc.exe PoC for both builds (the x86 AMD and Intel binaries!)
a *Ring of Lightning* production by slipstream/RoL!
Please note that due to lack of available hardware, exploitation of the AMD binaries has not been tested.
So you may have to fix that yourself.
86Box is a fork of PCem maintained by Battler aka Tenshi aka Kiririn/RoL.
Wack0 / programmatic_poc.cs
Last active Dec 14, 2016
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
View programmatic_poc.cs
using System;
using System.Runtime.InteropServices;
class DPPwned {
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
Wack0 / upwned247.php
Last active Jun 14, 2021
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
View upwned247.php
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
Wack0 / nit2016.asm
Created Nov 29, 2016
NIT2016? Very similar to the 2013 payload...
View nit2016.asm
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh