Skip to content

Instantly share code, notes, and snippets.

View schrodyn's full-sized avatar

Schrodinger schrodyn

76 followers · 266 following
View GitHub Profile
@jurajlutter
jurajlutter / z2m
Last active September 15, 2024 19:20
FreeBSD rc.d script for zigbee2mqtt
#!/bin/sh
#
# PROVIDE: z2m
# REQUIRE: NETWORKING
# KEYWORD: shutdown
#
# FreeBSD rc.d script for zigbee2mqtt
#
# (c) 2024 Juraj Lutter <otis@FreeBSD.org>
#
@psifertex
psifertex / compare.py
Created July 17, 2024 20:22
items = {}
def constructs(i):
match i:
case Comparison():
return "comparisons"
case HighLevelILFor():
return "for"
case HighLevelILWhile():
return "while"
case HighLevelILDoWhile():
@smx-smx
smx-smx / XZ Backdoor Analysis
Last active July 27, 2024 22:52
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
@q3k
q3k / hashes.txt
Last active May 16, 2024 16:49
liblzma backdoor strings extracted from 5.6.1 (from a built-in trie)
0810 b' from '
0678 b' ssh2'
00d8 b'%.48s:%.48s():%d (pid=%ld)\x00'
0708 b'%s'
0108 b'/usr/sbin/sshd\x00'
0870 b'Accepted password for '
01a0 b'Accepted publickey for '
0c40 b'BN_bin2bn\x00'
06d0 b'BN_bn2bin\x00'
0958 b'BN_dup\x00'
@thesamesam
thesamesam / xz-backdoor.md
Last active September 17, 2024 08:32
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
@xanda
xanda / gist:819b43a4b72db169d51ddd818efa0869
Created February 5, 2024 09:30
Kimsuky related
nts-info.website
nts-mailer.website
nts-news.website
nts-post.website
nts-poster.website
nts-viewer.store
ntshome.website
ntsinfo.website
ntsmail.website
ntsmailer.store
@awakecoding
awakecoding / Install-DbgHelp.ps1
Created December 12, 2023 03:27
function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
@v-p-b
v-p-b / exchange-ssrf-fileleak.py
Last active December 7, 2023 20:13
ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# -*- coding: utf-8 -*-
from burp import IBurpExtender
from burp import IHttpListener
import json
# ZDI-CAN-22101 / ZDI-23-1581 - Exchange SSRF PoC exploit with response retrieval for Burp Suite
# by buherator, original research by Piotr Bazydło (@chudypb)
#
@Dump-GUY
Dump-GUY / GetStringHeapObjects.ps1
Created November 13, 2023 14:08
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}