Skip to content

Instantly share code, notes, and snippets.

View schrodyn's full-sized avatar

Schrodinger schrodyn

75 followers · 262 following
View GitHub Profile
@smx-smx
smx-smx / XZ Backdoor Analysis
Last active June 2, 2024 07:22
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@q3k
q3k / hashes.txt
Last active May 16, 2024 16:49
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active July 21, 2024 05:59
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
@xanda
xanda / gist:819b43a4b72db169d51ddd818efa0869
Created February 5, 2024 09:30
Kimsuky related
nts-info.website
nts-mailer.website
nts-news.website
nts-post.website
nts-poster.website
nts-viewer.store
ntshome.website
ntsinfo.website
ntsmail.website
ntsmailer.store
@awakecoding
awakecoding / Install-DbgHelp.ps1
Created December 12, 2023 03:27
function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
@v-p-b
v-p-b / exchange-ssrf-fileleak.py
Last active December 7, 2023 20:13
ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# -*- coding: utf-8 -*-
from burp import IBurpExtender
from burp import IHttpListener
import json
# ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# by buherator, original research by Piotr Bazydło (@chudypb)
#
@Dump-GUY
Dump-GUY / GetStringHeapObjects.ps1
Created November 13, 2023 14:08
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
@BushidoUK
BushidoUK / Israel_Palestine_Hacktivism_OSINT
Created October 8, 2023 15:26
Israel_Palestine_Hacktivism_OSINT
Twitter Accounts
https://twitter.com/ReVolution44Tm
https://twitter.com/barbbyofficial
https://twitter.com/Team_insane_pk1
https://twitter.com/anonymusweare
https://twitter.com/PalCyberNews
https://twitter.com/AnonAnonymous
Telegram Channels
https://t.me/s/CyberAv3ngers
@duffney
duffney / readingList.md
Last active December 3, 2023 22:54
Duffney's Reading List