Dan danzek
@hackermondev
hackermondev / research.md
Last active May 2, 2025 07:20
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@stong
stong / cups-browsed.md
Last active January 15, 2025 14:08
CUPS disclosure leaked online. Not my report. The original author is @evilsocket

Original report

  • Affected Vendor: OpenPrinting
  • Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
  • Affected Version: All versions <= 2.0.1 (latest release) and master.
  • Significant ICS/OT impact? no
  • Reporter: Simone Margaritelli [[email protected]]
  • Vendor contacted? yes. The vendor has been notified through GitHub Advisories and all bugs have been confirmed.
```python
#!/usr/bin/env python3
import ctypes
import time
import threading


def test():
    def access(path):
        # Read the first 8 KiB of the file at `path` (preview truncated here).
        f = open(path, 'rb')
        __ = f.read(8192)
```
There appears to be a string encoded in the binary payload:
https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115
Which functions as a killswitch:
https://piaille.fr/@zeno/112185928685603910
Thus, one workaround for affected systems might be to add this to `/etc/environment`:
@thesamesam
thesamesam / xz-backdoor.md
Last active April 29, 2025 14:00
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said, we don't yet know everything about what's going on.

Update: I've disabled comments as of 2025-01-26 to avoid everyone having notifications for something a year on if someone wants to suggest a correction. Folks are free to email to suggest corrections still, of course.

Background

@heck-gd
heck-gd / cs_volatility_config.py
Created October 13, 2023 11:51
CobaltStrike Volatility Config Extractor
```python
from __future__ import annotations
import re
from itertools import cycle

MAX_SETTINGS = 128


def load_mapping(filename: str) -> dict[int, int]:
    """Processes textual Volatility memmap output into a page mapping."""
```
@BushidoUK
BushidoUK / Malicious Hostnames.txt
Created June 14, 2023 21:19
Malicious Hostnames belonging to Malware Operators, Ransomware Groups, and Advanced Persistence Threats
@brokensound77
brokensound77 / RMM-detection.md
Last active April 9, 2025 19:21
Detection Engineering: RMM analysis

Detecting RMM

ℹ️ This was duplicated to this blog for readability and reference

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

@cablej
cablej / ESXi ransomware payment addresses
Last active February 26, 2023 22:32
A list of ESXi ransomware payment addresses from https://ransomwhe.re/, collected from Censys and Shodan.