Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
...derping

Pattern Juggled ie ðørkßöt pjstorm

💭
...derping
View GitHub Profile
@pjstorm
pjstorm / gist:b1616d28483780fc0304
Created May 27, 2015
Flame malware, cert funk, ASN.1, and unicode for fun & APT-class network injection attacks on https...
View gist:b1616d28483780fc0304
This is a quick note to keep track of some work-in-process data relating to the forged 'Flame' certificates used as part of the Stuxnet attacks. I've bumped into Didier's analysis of those certs (http://blog.didierstevens.com/2012/06/06/flame-authenticode-dumps-kb2718704/) several times, and each time felt there was a piece we're all missing, right under our noses.
I think we've begun to understand what that piece is, now. As this is a partial post, not a full exposition, I'll go thin on the backstory. And jump right to the interesting bits.
Looking at the certs in question, there's obvious formatting issues in some of the fields - in terms of how they come out of a conventional de-pem'ing tool. That's always seemed particularly salient to me, but statistical work on those outputs got me nowhere. Now that I'm less ignorant of the underlying non-transitive parsing and encoding that can (and is) done in certs, I had a better idea where to look.
Based on other research cryptostorm has done for several months
View gist:3a904f12dfcc5c943b3b
package main
import (
"bufio"
"fmt"
"io"
"net"
"strings"
)
View check_freak.sh
#!/usr/bin/env bash
# check_freak.sh
# (c) 2015 Martin Seener
# Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204)
# It will output if the checked host is vulnerable and returns the right exit code
# so it can also be used as a nagios check!
PROGNAME=$(basename $0)
View check_freak.sh
#!/usr/bin/env bash
# check_freak.sh
# (c) 2015 Martin Seener
# Simple script which checks SSL/TLS services for the FREAK vulnerability (CVE 2015-0204)
# It will output if the checked host is vulnerable and returns the right exit code
# so it can also be used as a nagios check!
PROGNAME=$(basename $0)
View sha512.html
<meta name="description" content="Easily calculate SHA-512 algorithms" />
<script type="text/javascript" src="assets/js/sha512.js">
</script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
//<![CDATA[
function calcSHA()
{
calcHash("SHA-512");
View gist:359cf3243c10e655cf50
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
View fb.js
var a='';
for(var i=0;i<50000;i++){a+='=';}
var wait = setTimeout(function(){
alert('Logged in fb')
},15000)
var cb=function(){
clearTimeout(wait);
alert('Not logged in fb');
View fb.js
var a='';
for(var i=0;i<50000;i++){a+='=';}
var wait = setTimeout(function(){
alert('Logged in fb')
},15000)
var cb=function(){
clearTimeout(wait);
alert('Not logged in fb');
View gist:d14ad9eeadab77117481
Verifying that +pjstorm is my openname (Bitcoin username). https://onename.com/pjstorm
View gist:9c98366106b5eaa7d5a7
### Keybase proof
I hereby claim:
* I am pjstorm on github.
* I am p_j (https://keybase.io/p_j) on keybase.
* I have a public key whose fingerprint is 5209 C8E4 70D1 0149 C79D 43A2 F353 E403 758E 787B
To claim this, I am signing this object: