Boris Larin oct0xor
@bkth
bkth / calculator_exploit.py
Last active November 11, 2017 12:42
exploit for bin 300 HITB AMS (calculator)
#!/usr/bin/python
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF
# We control 4 bytes every 8 bytes
# As Thumb instructions are 2 bytes we can make the processor switch instruction set and use a shellcode
# that does one instruction and a short branch to skip the next dword
from unicorn import *
from unicorn.arm_const import *
from keystone import *
@skochinsky
skochinsky / rich.py
Created April 13, 2017 13:03
MSVC PE Rich header parser with compiler version display
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# I'm trying not to bury the magic number...
CHECKSUM_MASK = 0x536e6144 # DanS (actually SnaD when read as a little-endian dword)
RICH_TEXT = 'Rich'
RICH_TEXT_LENGTH = len(RICH_TEXT)
PE_START = 0x3c
PE_FIELD_LENGTH = 4
from subprocess import Popen, PIPE
import base64
import random
import re
import requests
import select
import socket
import string
import struct
import sys
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
'''
example of:
- using ctypes with the IDA SDK
- providing custom UI hints with dynamic data from Python
in this silly example, we display UI hints with the current timestamp.
a more useful plugin might inspect the hovered line, and display some documentation.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
@Wack0
Wack0 / adwareroi.md
Last active April 21, 2016 10:19
AdwareROI MiTM certificates and private keys

AdwareROI

AdwareROI is basically the world's shittiest MiTM malware ever.

It's being sold for $5.5k for one panel/binary, $16k for multiple panels/binaries, and probably ten times that if you want src too. That doesn't include the SSL MiTM functionality which is another $1k.

And, as I said, it's shitty. The MiTM functionality relies on WinDivert, the SSL MiTM uses a custom component, which is (seriously!) called mitm_test_poc. And it uses a hardcoded CA cert and private key, that's installed with the other components.

So, what to do but disclose these as I obtain them?

@ethicalhack3r
ethicalhack3r / chrome-uri.txt
Last active February 20, 2024 03:02
Chrome 'protocol handlers' extracted from Google Chrome browser source code (chromium-50.0.2624.0.tar.xz downloaded from https://gsdview.appspot.com/chromium-browser-official/). A lot will not work, some are probably from unit tests.
chrome://-alkuisissa
chrome://-nettadresser
chrome://-webbadresser
chrome://ChromeTestChromeWebUIControllerFactory
chrome://DummyURL
chrome://URLs
chrome://about
chrome://accessibility
chrome://anything
chrome://app-list
@FauxFaux
FauxFaux / chrome2ca.sh
Created December 30, 2015 00:18
Capture CAs from Chrome history
locate -r '/History$' | fgrep chrom | while read x; do echo select url from urls\; | sqlite3 "$x"; done > hist
cut -d/ -f 3 hist | sort -u | xargs -P200 -I{} -n1 -- sh -c ': | openssl s_client -connect {}:443 2> {}.path > {}.handshake'
for f in *.path; do if ! fgrep 'verify erro' $f >/dev/null; then grep -m1 '^depth' $f; fi; done | cut -d' ' -f 2- | sort | uniq -c | sort -n
for f in *.path; do if ! fgrep 'verify erro' $f >/dev/null; then grep -m1 '^depth' $f; fi; done | cut -d' ' -f 2- | sed 's/.*O = //;s/, OU =.*//;s/, CN = //;s/The //;s/[",.]//g;s/ Inc//' | sort | uniq -c | sort -n
@xerub
xerub / prologue.py
Last active July 15, 2022 00:18
AArch64 prologue
# Fix clang function prologues
# WARNING: this WILL patch bytes in the database
#
# Copyright (c) 2015 xerub
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
@v-p-b
v-p-b / Skeptics_Guide_to_Security_Cons.md
Last active January 23, 2020 13:43
Skeptics Guide to Security Conferences