#exploit
1. CVE-2022-42895:
Linux Kernel: Infoleak in Bluetooth L2CAP Handling
https://seclists.org/oss-sec/2022/q4/190
2. CVE-2021-43444 - 43449:
Exploiting ONLYOFFICE Web Sockets for Unauth RCE
https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution
3. Exploiting SUID Binaries
https://medium.com/@tinopreter/linux-privesc-3-exploiting-suid-binaries-72ec5460c6a
DACLs_abuse.png
#Infographics
#Offensive_security
DACLs (Active Directory Discretionary Access Control Lists) abuse
https://www.thehacker.recipes/ad/movement/dacl
Cooprudea.com.sql
🌐 Cooprudea.com
ip, ip_long, user_login, user_id, stamp, activity, session_id, country, details, ac_bot, ac_status, ac_by_user
email_to, subject, content, sender_name, sender_email, debug_mode, debugging_output, timestamp, status
📣CVE-2022-28672.zip
🔥🔥🔥Foxit PDF Reader UAF RCE Exploit JIT Spraying (CVE-2022-28672) - blog post.
This research shows that if Foxit Reader had been compiled with CFG support, the discovered bug would have been more difficult to exploit. However, the lack of CFG support allowed the attacker to use JIT spraying to bypass existing mitigations such as ASLR and DEP. This highlights the importance of using multiple layers of defense to protect against attacks.
💥PoC Exploit
📺Demo: Foxit PDF Reader RCE Demo - CVE-2022-28672
🔥CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated RCE.
Javascript-Keylogger.zip
⌨️Javascript Keylogger can come in handy in case you are able to access only the
DOM/JS of a website and want to get naughty.
Usage:
💾change the url variable in keylogger.js to the address where keylogger.php is located
💾load keylogger.js in the DOM of the attacked application
💾put keylogger.php and data.txt on your server where you have write access (don't forget to set appropriate file permissions)
💥Profit! You're done; just let the victim visit the attacked website with JS enabled in the browser and type something.
🔓Defeating Windows ASLR via low-entropy shared libraries in 2 hours
As demonstrated in this article, the ASLR implementation on Windows has important nuances and in some situations can introduce additional risk for an application, especially if the target is a 32-bit program or is linked with a library compiled without the /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. While the best solution would be per-execution randomization as done on Linux and modern macOS, a good decision would be to move from 32-bit to 64-bit applications and avoid linking with shared libraries compiled without the /HIGHENTROPYVA and /LARGEADDRESSAWARE flags. This would significantly increase the complexity of an attack.
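The two linker flags named in that conclusion are plain header bits, so a build or a third-party DLL can be audited without ever running it. The checker below is an added example, not code from the article: it parses the COFF file header and the optional header of a PE image and reports DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT and LARGE_ADDRESS_AWARE, with bit values and offsets taken from the PE/COFF specification. `build_stub_pe` is a constructed helper that emits a headers-only image so the demo runs offline; `check_file` is the entry point for a real binary.

```python
import struct

# Bit values and offsets are from the PE/COFF specification.
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020            # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # OptionalHeader.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664


def aslr_posture(image: bytes) -> dict:
    """Report the ASLR/DEP-relevant link flags of a PE image from its headers alone."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # the COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]

    is64 = magic == PE32PLUS_MAGIC
    result = {
        "machine": machine,
        "bits": 64 if is64 else 32,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "large_address_aware": bool(file_chars & IMAGE_FILE_LARGE_ADDRESS_AWARE),
    }
    findings = []
    if not result["dynamic_base"]:
        findings.append("no DYNAMIC_BASE: image keeps its preferred base unless mandatory ASLR is forced")
    if not is64:
        findings.append("32-bit image: randomisation is confined to the 32-bit address space")
    elif not result["high_entropy_va"]:
        findings.append("64-bit image linked without /HIGHENTROPYVA")
    if not result["large_address_aware"]:
        findings.append("linked without /LARGEADDRESSAWARE")
    if not result["nx_compat"]:
        findings.append("no NX_COMPAT: the image does not opt in to DEP")
    result["findings"] = findings
    return result


def check_file(path: str) -> dict:
    """Audit a real .exe or .dll on disk."""
    with open(path, "rb") as fh:
        return aslr_posture(fh.read())


def build_stub_pe(is64: bool, file_chars: int, dll_chars: int) -> bytes:
    """Constructed headers-only image (no sections) so the demo runs without a real binary."""
    opt_size = 240 if is64 else 224
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", MACHINE_AMD64 if is64 else MACHINE_I386,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is64 else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    weak = build_stub_pe(False, 0, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    strong = build_stub_pe(True, IMAGE_FILE_LARGE_ADDRESS_AWARE,
                           IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                           | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                           | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    for name, img in (("weak", weak), ("strong", strong)):
        print(name, aslr_posture(img)["findings"] or "OK")
```

Run `check_file` over every DLL a process loads, not just the main executable, since the article's point is that one low-entropy library is enough. The same bits are what `dumpbin /headers` prints as "High Entropy Virtual Addresses" and "Application can handle large (>2GB) addresses", so that tool is a convenient cross-check on Windows.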
MurkyStrings.zip
🔥String Obfuscation The Malware Way - blog post
While this technique is not as secure as encryption, it can still be useful for malware authors who want to avoid detection by simple string analysis and other static analysis techniques. Not encrypting or encoding the strings also helps avoid entropy-based detections.
💥MurkyStrings is a string obfuscator for .NET applications, built to evade static string analysis. It does not rely on encryption or encoding, so it also evades entropy-based detections. Instead, it transforms strings into a murky mess by inserting special characters and random words, and removes them again at runtime.
Usage:
MurkyStrings.exe <file path> [--mode=<mode>]
Available modes:
💾replace[glyph] - Insert a variety of homoglyph characters that look identical to alphabetical characters
💾replace[simple] - Insert random amounts of a special character in between all actual characters
💾combine[glyph] - Combines remove and replace[glyph]
💾combine[simple] - Combines remove and replace[simple]
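To make the entropy argument concrete, here is an added Python sketch of the idea behind the glyph and simple modes. It is not MurkyStrings' own code (that is C# operating on .NET assemblies): noise characters are inserted between the real characters and stripped again at runtime, and the result is compared with the same string under a random-keystream XOR, which is what an encryption-based obfuscator would produce. The noise alphabets, the sample command line and the IoC are constructed for the demo.

```python
import math
import random
from collections import Counter

# Constructed noise alphabets (assumptions; MurkyStrings' real tables are not reproduced).
# glyph: Cyrillic letters that render like Latin a e o p c x y; simple: one control character.
NOISE = {"glyph": "\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "simple": "\x1f"}


def obfuscate(s: str, mode: str = "glyph", rng: random.Random = None) -> str:
    """Insert 1-3 noise characters between every pair of real characters."""
    rng = rng or random.Random()
    noise = NOISE[mode]
    if any(ch in noise for ch in s):
        raise ValueError("plaintext contains noise characters; stripping would corrupt it")
    out = []
    for i, ch in enumerate(s):
        out.append(ch)
        if i < len(s) - 1:
            out.append("".join(rng.choice(noise) for _ in range(rng.randint(1, 3))))
    return "".join(out)


def deobfuscate(s: str, mode: str = "glyph") -> str:
    """Runtime decoder: drop every noise character and keep the rest."""
    noise = set(NOISE[mode])
    return "".join(ch for ch in s if ch not in noise)


def shannon_entropy(seq) -> float:
    """Bits per symbol over the symbol histogram, which is what entropy heuristics measure."""
    counts = Counter(seq)
    n = len(seq)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def xor_keystream(data: bytes, seed: int = 1337) -> bytes:
    """Stand-in for 'real' encryption: XOR with a seeded random keystream."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def static_string_hit(blob: str, ioc: str) -> bool:
    """A naive scanner: exact substring match, as `strings | grep` would do."""
    return ioc in blob


def demo(plain: str = "C:\\Windows\\System32\\cmd.exe /c whoami", ioc: str = "cmd.exe") -> dict:
    """Constructed sample: compare plain, murky and XOR-encrypted forms of one string."""
    murky = obfuscate(plain, "glyph", random.Random(42))
    encrypted = xor_keystream(plain.encode())
    return {
        "roundtrip": deobfuscate(murky) == plain,
        "ioc_in_plain": static_string_hit(plain, ioc),
        "ioc_in_murky": static_string_hit(murky, ioc),
        "h_plain": shannon_entropy(plain),
        "h_murky": shannon_entropy(murky),
        "h_encrypted": shannon_entropy(encrypted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The murky form still fails a plain substring search for the IoC while staying at text-like entropy, whereas the XOR output climbs towards the entropy of random bytes and trips the heuristic. The caveat is symmetric: the decoder is "strip every character in the noise alphabet", so once an analyst recovers that alphabet from the runtime stub, the same one-liner undoes every string in the binary. The technique buys evasion of naive scanners, not confidentiality.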
This tool was presented at Source Zero Con 2022. In short: you feed it a compiled binary, the tool strips known IoC strings from the binary, signs it with a certificate taken from another binary, and helps evade EDR (by inflating the file size).
https://github.com/optiv/Mangle
#redteam #pentest #bypass
🛡Akamai’s Perspective on December’s Patch Tuesday 2022
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.
🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack(crowdstrike)
🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities(talos intelligence)
🛡The December 2022 Security Update Review(ZDI)
🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs(tenable)
🛡Microsoft Patch Tuesday, December 2022 Edition(KrebsonSecurity)
🛡Patch Tuesday - December 2022(rapid7)
🔥🔥🔥 EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
Recently, BitsByWill discovered that Linux KPTI has implementation issues that allow any unprivileged local attacker to bypass KASLR on Intel-based systems. While technically only an info-leak, it still provides a primitive with serious implications for bugs previously considered too hard to exploit, and it was assigned CVE-2022-4543. As you'll see from the writeup, he decided to term this attack "EntryBleed."
💥Precious Gemstones: The New Generation of Kerberos Attacks
In this blog, after a brief primer on relevant Kerberos terms and the attacks themselves, we discussed the privileges required to perform such attacks and the importance of monitoring different forged ticket attacks. Additionally, we examined possible detection ideas that might help cover Golden Ticket attacks as well as new attack methods. Forged ticket attacks might be hard to detect with a cursory glance, since they can initially appear to be legitimate. However, if enough information is collected about suspicious network activity, malicious tool usage, or Windows events, we might be able to detect some of the most effective Kerberos attacks.