🧪 NtQueueApcThreadEx — NTDLL Gadget Injection
This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
Source:
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
#apc #ntdll #injection #clang #redteam
This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
Source:
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
#apc #ntdll #injection #clang #redteam
🔥5👍1
💥 Fortinet FortiNAC Unauthenticated RCE
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
PoC:
https://github.com/horizon3ai/CVE-2022-39952
Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
#fortinet #fortinac #rce #cve
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
PoC:
https://github.com/horizon3ai/CVE-2022-39952
Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
#fortinet #fortinac #rce #cve
🔥4👍2❤1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Это реально круто!
Вкратце: позволяет записывать файлы, созданные маяком кобальта (на примере кобальта), в память, а не на диск в системе.
https://github.com/Octoberfest7/MemFiles
#redteam #pentest #git #cs #bypass
Вкратце: позволяет записывать файлы, созданные маяком кобальта (на примере кобальта), в память, а не на диск в системе.
https://github.com/Octoberfest7/MemFiles
#redteam #pentest #git #cs #bypass
👍7
📜 Abusing Code Signing Certificates
Abusing code signing certificates is not new. In the past few years alone, it has proven to be an effective method of bypassing certain security controls to allow malicious software to run and look seemingly benign. This article describes code signing methods, as well as tools for copying the signature from legitimate PE files.
Source:
https://axelarator.github.io/posts/codesigningcerts/
#sign #code #certificate #abuse #redteam
Abusing code signing certificates is not new. In the past few years alone, it has proven to be an effective method of bypassing certain security controls to allow malicious software to run and look seemingly benign. This article describes code signing methods, as well as tools for copying the signature from legitimate PE files.
Source:
https://axelarator.github.io/posts/codesigningcerts/
#sign #code #certificate #abuse #redteam
🔥5👍2
⚛️ AtomLdr
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
🔥7👍3
🌐 DroppedConnection — Cisco ASA Anyconnect Emulator
Fake VPN server that captures credentials and executes code via the Cisco AnyConnect client.
Source:
https://github.com/nccgroup/DroppedConnection
Research:
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-cisco-anyconnect-client-to-drop-and-run-payloads/
#cisco #asa #anyconnect #credentials #redteam
Fake VPN server that captures credentials and executes code via the Cisco AnyConnect client.
Source:
https://github.com/nccgroup/DroppedConnection
Research:
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-cisco-anyconnect-client-to-drop-and-run-payloads/
#cisco #asa #anyconnect #credentials #redteam
🔥12👍3
🔑 KeePass2: DLL Hijacking and Hooking API
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
👍8😁1
Forwarded from 1N73LL1G3NC3
This media is not supported in your browser
VIEW IN TELEGRAM
LPE exploit for CVE-2023-21768
(Windows Ancillary Function Driver for WinSock Elevation of Privilege)
Complete exploit works on vulnerable Windows 11 22H2 systems. Write primitive works on all vulnerable systems.
(Windows Ancillary Function Driver for WinSock Elevation of Privilege)
Complete exploit works on vulnerable Windows 11 22H2 systems. Write primitive works on all vulnerable systems.
👍5
🔥3
🦛 PetitPotam: Local Privilege Escalation
Now PetitPotato can elevate to SYSTEM on the latest windows.
My test version is 10.0.20348.1547
https://github.com/wh0amitz/PetitPotato/
#windows #privesc #rpc #petitpotam
Now PetitPotato can elevate to SYSTEM on the latest windows.
My test version is 10.0.20348.1547
https://github.com/wh0amitz/PetitPotato/
#windows #privesc #rpc #petitpotam
👍8
Forwarded from Offensive Xwitter
👹 [ snovvcrash, sn🥶vvcr💥sh ]
Have been playing around with Domain Fronting via Fastly and discovered that you actually do not need to confirm the domain name ownership (by adding a CNAME) for the traffic to flow towards your IP. A bug or feature? 🤔
🐥 [ tweet ]
Have been playing around with Domain Fronting via Fastly and discovered that you actually do not need to confirm the domain name ownership (by adding a CNAME) for the traffic to flow towards your IP. A bug or feature? 🤔
🐥 [ tweet ]
игрались тут с @Acrono с домен фронтингом и вот такую фичу интересную нашли👍4
Forwarded from Offensive Xwitter
Offensive Xwitter
👹 [ snovvcrash, sn🥶vvcr💥sh ] Have been playing around with Domain Fronting via Fastly and discovered that you actually do not need to confirm the domain name ownership (by adding a CNAME) for the traffic to flow towards your IP. A bug or feature? 🤔 🐥 [ tweet…
🔥10👍1
Forwarded from 1N73LL1G3NC3
CVE-2023-23397
Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.
PoC:
https://github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
https://github.com/api0cradle/CVE-2023-23397-POC-Powershell
Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.
PoC:
https://github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
https://github.com/api0cradle/CVE-2023-23397-POC-Powershell
MDSec
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability - MDSec
Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows...
🔥5
Forwarded from Offensive Xwitter
😈 [ fr0gger_, Thomas Roccia 🤘 ]
New EDR/AV evasion technique added to the #UnprotectProject by @Praetorian_GRD "Unloading Module Using FreeLibrary". Check out the detailed description, code snippet and CAPA rule👇 #cybersecurity #malware #infosec cf: @DarkCoderSc
https://t.co/Td7ogFwVcZ
🔗 https://unprotect.it/technique/unloading-module-with-freelibrary/
🐥 [ tweet ]
New EDR/AV evasion technique added to the #UnprotectProject by @Praetorian_GRD "Unloading Module Using FreeLibrary". Check out the detailed description, code snippet and CAPA rule👇 #cybersecurity #malware #infosec cf: @DarkCoderSc
https://t.co/Td7ogFwVcZ
🔗 https://unprotect.it/technique/unloading-module-with-freelibrary/
🐥 [ tweet ]
🔥3
Veeam Backup and Replication (CVE-2023-27532)
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
Research:
https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/
Exploit 1:
https://github.com/sfewer-r7/CVE-2023-27532
Exploit 2:
https://github.com/horizon3ai/CVE-2023-27532
Exploit 3 (RCE):
https://github.com/puckiestyle/CVE-2023-27532-RCE-Only
#veeam #credentials #rce #cve
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.
Research:
https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/
Exploit 1:
https://github.com/sfewer-r7/CVE-2023-27532
Exploit 2:
https://github.com/horizon3ai/CVE-2023-27532
Exploit 3 (RCE):
https://github.com/puckiestyle/CVE-2023-27532-RCE-Only
#veeam #credentials #rce #cve
🔥7👍2👎2
⚙️ Joomla < 4.2.8 — Unauthenticated Information Disclosure (CVE-2023-23752)
Research:
https://vulncheck.com/blog/joomla-for-rce
Exploit:
https://github.com/Acceis/exploit-CVE-2023-23752
UPD:
Research:
https://vulncheck.com/blog/joomla-for-rce
Exploit:
https://github.com/Acceis/exploit-CVE-2023-23752
UPD:
httpx -l ip.txt -path '/api/index.php/v1/config/application?public=true'#joomla #information #disclosure #cve
🔥11👍1
Forwarded from Codeby
Друзья, рады вам сообщить, что уже в эту субботу, 1 апреля, мы проведём наш первый стрим в этом году!
Мы пригласили экспертов информационной безопасности, которые поделятся опытом работы в Red Team и расскажут о самых интересных и необычных ситуациях, с которыми они сталкивались в проектах по тестированию на проникновение. Вы узнаете, как они решают проблемы и справляются с непредсказуемыми ситуациями в процессе работы.
🌟 У нас в гостях:
🔹 @T3m3t_N0sc3 – гуру инфраструктурных пентестов и автор множества статей по Red Team;
🔹 @clevergod – вице-капитан команды Кодебай с колоссальным опытом в ред тим проектах;
🔹 @Riocool – основатель группы единомышленников RedTeam Brazzers, участник команды True0xA3;
🔹 @Acrono – создатель группы Telegram APT и автор нескольких CVE для Windows.
🎤 И, конечно же, ваш незаменимый ведущий – @puni1337!
⏰ Мы ждем вас 1 апреля в 17:00 по московскому времени!
#pentest #redteam #stream
Please open Telegram to view this post
VIEW IN TELEGRAM
❤🔥8👍4❤3
Forwarded from Offensive Xwitter
😈 [ elkement, elkement ]
Hi Active Directory / ADCS hackers, I've published something! You can add the new SID extension manually if certificate templates allow for custom names: https://t.co/SndcHH3Kz7
🔗 https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
🐥 [ tweet ]
Hi Active Directory / ADCS hackers, I've published something! You can add the new SID extension manually if certificate templates allow for custom names: https://t.co/SndcHH3Kz7
🔗 https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
🐥 [ tweet ]
👍3