| XZ Backdoor symbol deobfuscation. Updated as i make progress |
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| #!/usr/bin/env osascript -l JavaScript | |
| const App = Application.currentApplication(); | |
| App.includeStandardAdditions = true; | |
| const kCFPrefsFeatureFlagsDir = '/Library/Preferences/FeatureFlags/Domain'; | |
| const kCFPrefsFeatureEnabledKey = 'Enabled'; | |
| const kUIKitDomainPrefsTemporaryPath = '/tmp/UIKit.plist'; | |
| const kUIKitRedesignedTextCursorKey = 'redesigned_text_cursor'; |
| #!/usr/bin/env zsh | |
| # patched versions for CVE-2023-4863: 22.3.24, 24.8.3, 25.8.1, 26.2.1 | |
| mdfind "kind:app" 2>/dev/null | sort -u | while read app; | |
| do | |
| filename="$app/Contents/Frameworks/Electron Framework.framework/Electron Framework" | |
| if [[ -f $filename ]]; then | |
| echo "App Name: $(basename ${app})" | |
| electronVersion=$(strings "$filename" | grep "Chrome/" | grep -i Electron | grep -v '%s' | sort -u | cut -f 3 -d '/') |
| import httpx | |
| import argparse | |
| from http import HTTPStatus | |
| from datetime import datetime | |
| from contextlib import suppress | |
| from collections import namedtuple | |
| from typing import Dict, List, Optional, Tuple, Union |
| #! /usr/bin/env python3 | |
| ''' | |
| Needs Requests (pip3 install requests) | |
| Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
| License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
| This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021. |
There was a reddit post about installing Arch on NTFS3 partition. Since Windows and Linux doesn't have directories with same names under the /(C:\), I thought it's possible, and turned out it was actually possible.
If you are not familiar to Linux, for example you've searched on Google "how to dualboot Linux and Windos" or brbrbr... you mustn't try this. This is not practical.
| // This is a hack, a quick and dirty console script for RT/tweets (with replies) removal w/o API | |
| // To be used in: https://twitter.com/Username/with_replies | |
| // Set your username (without @) below (case-sensitive) to correctly trigger the right Menu | |
| const tweetUser = 'Username' | |
| // BUG, With above we still trigger Menu on some replies but relatively harmless. | |
| // @Hack Implement simple has() for querySelector | |
| const querySelectorHas = function( parent, child ){ |
| # docker network create nextcloud | |
| NOTES: | |
| 1. certificatesresolvers.myresolver.acme.email=myemail@gmail.com | |
| 2. TRUSTED_PROXIES values based on your 'nexcloud network' | |
| 3. remove traefik.http.middlewares.nextcloud.headers.contentSecurityPolicy and | |
| traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue if you don't want to allow iframe your domain | |
| 3 | |
| # cat docker-compose.yml |
| import idaapi, idc, idautils | |
| class DecryptorError(Exception): | |
| pass | |
| def rc4crypt(key, data): | |
| x = 0 | |
| box = range(256) |