gyrospectre
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import socket | |
| BANNER = [ | |
| "bash: cannot set terminal process group (5237): Inappropriate ioctl for device", | |
| "bash: no job control in this shell", | |
| ] | |
| LISTEN_ON = '0.0.0.0' | |
| PORT = 51337 | |
| LOGFILE = './honey.log' |
gyrospectre
/ tamper_proof
Created
October 4, 2021 01:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ curl -X POST <API URL> -d "{test12344: 'test1'}" | |
| {"test12344": "test1"} | |
| $./exploit.sh ... | |
| [+] Creating evil yaml with payload 'switch_runtime.py' and data 'exploit.tmp' | |
| [+] Done, evil yaml at evil_yaml | |
| {"Output": "Successfully took over the bootstrap runtime"} | |
| $ curl -X POST <API URL> -d "{test12344: 'test1'}" | |
| Exception('Runtime has been tampered with, aborting! File: /tmp/new_runtime.py') |
gyrospectre
/ tamper_protect_py
Created
October 4, 2021 01:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_entrypoint(): | |
| stack = inspect.stack() | |
| entrypoint = { | |
| 'filename': stack[-1].filename, | |
| 'code_context': stack[-1].code_context | |
| } | |
| return entrypoint | |
| def check_entrypoint(): |
gyrospectre
/ stack_compare
Created
October 4, 2021 01:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "stack_hash": "2f74ab12d499b7e418d71593dcd1eff56c81a764ec44a2e01a675066bf303047", | |
| "entry_frame": { | |
| "filename": "/var/runtime/bootstrap.py", | |
| "code_context": [ | |
| " main()\n" | |
| ] | |
| } | |
| } |
gyrospectre
/ get_stackinfo.py
Created
October 4, 2021 01:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_stackinfo(): | |
| stack = inspect.stack() | |
| stack_hash = hashlib.sha256(str(stack).encode('utf-8')).hexdigest() | |
| stack_info = { | |
| 'stack_hash': stack_hash, | |
| 'entry_frame': { | |
| 'filename': stack[-1].filename, | |
| 'code_context': stack[-1].code_context | |
| } |
gyrospectre
/ lambda.js
Created
October 4, 2021 01:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const StackTrace = require('error-stack-parser') | |
| function check_entrypoint () { | |
| var st = StackTrace.parse(new Error()) | |
| var entrypoint = st[ st.length -1 ] | |
| console.log(serialize(entrypoint)) | |
| entry_file = entrypoint.fileName | |
| if (!entry_file.startsWith('/var/runtime/')) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| START RequestId: ecc7732f-6d4d-484c-92b3-fdf41508ad2a Version: $LATEST | |
| [DEBUG] 2021-10-02T05:41:24.876Z Starting new HTTPS connection (1): en713emlh144f.x.pipedream.net:443 | |
| END RequestId: ecc7732f-6d4d-484c-92b3-fdf41508ad2a |
gyrospectre
/ frameinfo
Created
October 3, 2021 06:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FrameInfo( | |
| frame=<frame at 0x7fead1ce39a0, file '/tmp/new_runtime.py', line 168, code main>, | |
| filename='/tmp/new_runtime.py', | |
| lineno=168, function='main', | |
| code_context=[' backdoored_run(app_root, handler, lambda_runtime_api_addr)\n'], | |
| index=0 | |
| ), |
gyrospectre
/ options.yaml
Created
December 30, 2019 01:03
Fleet options config to enable ATC for Mac quarantine and chrome history
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: options | |
| spec: | |
| config: | |
| decorators: | |
| load: | |
| - SELECT uuid AS host_uuid FROM system_info; | |
| - SELECT hostname AS hostname FROM system_info; | |
| - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1 | |
| options: |