Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View roycewilliams's full-sized avatar
💭
:cheeeeeese:

Royce Williams roycewilliams

💭
:cheeeeeese:
View GitHub Profile
@smx-smx
smx-smx / XZ Backdoor Analysis
Last active April 21, 2024 16:12
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@q3k
q3k / hashes.txt
Last active April 14, 2024 17:11
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active April 22, 2024 18:06
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is still a new situation. There is a lot we don't know. We don't know if there are more possible exploit paths. We only know about this one path. Please update your systems regardless.

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

const NEW_CHARMAP = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20!\"#$%&'{([])}*+-.\\/0123456789:;,<=>?@EeAaUuOoIiFfGgHhJjLl|WwMmNnBbDdTtPpQqRrKkCcSsZzVvXxYy^_`~";
function get_new_char_code(old_char_code){
return NEW_CHARMAP.indexOf(String.fromCharCode(old_char_code));
}
function get_old_char_code(new_char_code){
return NEW_CHARMAP.charCodeAt(new_char_code);
}
RSA Private-Key: (6969 bit, 69 primes)
modulus:
01:01:a2:9e:47:bc:24:44:b8:5a:6d:ee:28:5a:e0:
66:13:46:f1:b6:33:54:91:86:c2:91:1c:5e:b9:4a:
7b:0f:b8:24:86:a1:66:5a:fd:0e:59:a1:bf:e8:8f:
7a:50:29:47:d5:6e:03:c4:50:1d:ac:38:7d:c3:30:
9a:5e:07:b8:1c:21:d8:c7:d1:91:b2:59:da:0d:66:
9d:99:12:51:9d:e4:04:f4:3b:30:b4:b9:96:91:4b:
4c:6f:73:e5:09:86:ee:d2:fa:5f:a1:98:0b:ba:05:
6e:ab:4d:c9:29:a8:b7:eb:06:84:f2:c4:46:a9:cd:
@malexmave
malexmave / ntstatus.csv
Last active November 16, 2023 15:04
There are a bunch of versions of the list of NTSTATUS codes online, but many of them are invalid CSVs. This one is cleaned so that it is accepted by Azure Sentinel for import as a Watchlist.
We can make this file beautiful and searchable if this error is corrected: No commas found in this CSV file in line 0.
Return value;Return code;Description
0x00000000;STATUS_SUCCESS;The operation completed successfully.
0x00000000;STATUS_WAIT_0;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000001;STATUS_WAIT_1;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000002;STATUS_WAIT_2;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000003;STATUS_WAIT_3;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x0000003F;STATUS_WAIT_63;The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.
0x00000080;STATUS_ABANDONED;The caller attempted to wait for a mutex that has been abandoned.
0x00000080;STATUS_ABANDONED_WAIT_0;The call
Date,Details,Email Payload Type,Users Targeted
10/1/2023,FW: damaged Goods; xlam -> agenttesla continued to 10/9,Attachment,
10/2/2023,RE: SHIPPING DOCUMENT & PACKING LIST; r15 -> agenttesla,Attachment,2
10/2/2023,RE: CONFIRM REVISED PIURCHASE ORDER; zip -> formbook,Attachment,2
10/2/2023,Signed Purchase Order: PO/US/4509622207; zip -> formbook,Attachment,2
10/2/2023,Attachment name is Document.zip; zip -> agenttesla,Attachment,2
10/3/2023,RE: New Order; r15 -> agenttesla,Attachment,2
10/3/2023,Wrong Payment Information; zip -> agenttesla,Attachment,2
10/4/2023,RE: Status For September SOA; xls -> agenttesla continued to 10/5,Attachment,4
10/5/2023,Purchase Order - HOM-OS-20-23-813; r15 -> agenttesla,Attachment,2
@adulau
adulau / http2-rapid-reset-ddos-attack.md
Last active April 4, 2024 17:59
HTTP/2 Rapid Reset DDoS Attack

Introduction

This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.

Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.

References

@mttaggart
mttaggart / electron-versions.csv
Last active November 18, 2023 03:15
CVE-2023-4863 Electron App Tracker | THIS LIST IS NOW DEPRECATED. PLEASE VISIT https://github.com/mttaggart/electron-app-tracker FOR THE LATEST DATA
app_name repo electron_version vulnerable
1Clipboard https://github.com/wiziple/1clipboard
1Password None 25.8.1 FALSE
3CX Desktop App 19.0.8 TRUE
5EClient None
Abstract None
Account Surfer None
Advanced REST Client https://github.com/advanced-rest-client/arc-electron ^17.0.0 TRUE
Aedron Shrine None
Aeon https://github.com/leinelissen/aeon 23.2.0 TRUE
@april
april / find-all-electron-versions.sh
Last active March 15, 2024 00:56
find all apps using Electron and their versions, on macOS systems
#!/usr/bin/env zsh
# patched versions for CVE-2023-4863: 22.3.24, 24.8.3, 25.8.1, 26.2.1
mdfind "kind:app" 2>/dev/null | sort -u | while read app;
do
filename="$app/Contents/Frameworks/Electron Framework.framework/Electron Framework"
if [[ -f $filename ]]; then
echo "App Name: $(basename ${app})"
electronVersion=$(strings "$filename" | grep "Chrome/" | grep -i Electron | grep -v '%s' | sort -u | cut -f 3 -d '/')