Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
The truth of the 'phantom market merger' of NEC / Fujitsu, the Hinomaru Union set up by NTTT.
#International
#International
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Hack/ Pentesting ios browser's with bug: guide
https://bugs.chromium.org/p/project-zero/issues/detail?id=1858
1) The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled.
2) This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called.
3) This presents two problems. First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage).
4) Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.
π¦To reproduce the issue with the files in filebacked.zip:
1) install frida (pip3 install frida)
2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
in injectMessage.js replace the marker "PATH" with the path of the obj file
3) in the local directory, run:
4) python3 sendMessage.py
Please note that the attached repro case is a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious. This PoC only works on devices with iOS 12 or later.
code/ref :
https://github.com/TinToSer/ios-RCE-Vulnerability
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Hack/ Pentesting ios browser's with bug: guide
https://bugs.chromium.org/p/project-zero/issues/detail?id=1858
1) The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled.
2) This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called.
3) This presents two problems. First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage).
4) Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.
π¦To reproduce the issue with the files in filebacked.zip:
1) install frida (pip3 install frida)
2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
in injectMessage.js replace the marker "PATH" with the path of the obj file
3) in the local directory, run:
4) python3 sendMessage.py
Please note that the attached repro case is a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious. This PoC only works on devices with iOS 12 or later.
code/ref :
https://github.com/TinToSer/ios-RCE-Vulnerability
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - TinToSer/ios-RCE-Vulnerability: Latest ios RCE Vulnerability disclosed by Google Security Researcher
Latest ios RCE Vulnerability disclosed by Google Security Researcher - TinToSer/ios-RCE-Vulnerability
Forwarded from DailyCVE
Dailycve
Umbraco path traversal vulnerability | CVE
Details:
Umbraco is a Content Management System (CMS) open source written by Umbraco, Denmark, in C#. There is a path traversal flaw in Umbraco CMS 8.9.1 and earlier versions, allowing arbitrary files to be written outside the home directory of the site andβ¦
Umbraco is a Content Management System (CMS) open source written by Umbraco, Denmark, in C#. There is a path traversal flaw in Umbraco CMS 8.9.1 and earlier versions, allowing arbitrary files to be written outside the home directory of the site andβ¦
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Undetected. Get Keyboard,Mouse,ScreenShot,Microphone Inputs from Target Computer and Send to your Mail.
#Hacking
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
β’ DOWNLOAD : https://github.com/aydinnyunus/Keylogger
β’Set your own MAIL and PASSWORD on "keylogger.py".
β’Run keylogger.py on Target Computer
β’Every 10 seconds,You Get the Data from the Target Computer
β’If Target finds the Code and Open the File for Want to Learn your MAIL and Password The Program DELETE itself.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Undetected. Get Keyboard,Mouse,ScreenShot,Microphone Inputs from Target Computer and Send to your Mail.
#Hacking
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
β’ DOWNLOAD : https://github.com/aydinnyunus/Keylogger
β’Set your own MAIL and PASSWORD on "keylogger.py".
β’Run keylogger.py on Target Computer
β’Every 10 seconds,You Get the Data from the Target Computer
β’If Target finds the Code and Open the File for Want to Learn your MAIL and Password The Program DELETE itself.
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - aydinnyunus/Keylogger: Get Keyboard,Mouse,ScreenShot,Microphone Inputs from Target Computer and Send to your Mail.
Get Keyboard,Mouse,ScreenShot,Microphone Inputs from Target Computer and Send to your Mail. - aydinnyunus/Keylogger
Forwarded from DailyCVE
Dailycve
AIRDROPX BORN security vulnerability | CVE
Details:
AIRDROPX BORN is an AIRDROPX BORN API token service which can be used for Bitcoin and other network currencies to be transferred and exchanged. Version 2019-05-29 of AIRDROPX BORN and older versions have a security flaw.
The flaw derives from a constructor'sβ¦
AIRDROPX BORN is an AIRDROPX BORN API token service which can be used for Bitcoin and other network currencies to be transferred and exchanged. Version 2019-05-29 of AIRDROPX BORN and older versions have a security flaw.
The flaw derives from a constructor'sβ¦
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦A cheat sheet that contains common enumeration and attack methods for Windows Active Directory:
Enum Domain Computers:
Get-NetComputer -FullData
Get-DomainGroup
#Enumerate Live machines
Get-NetComputer -Ping
Enum Groups and Group Members:
Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>
#Enumerate the members of a specified group of the domain
Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member
#Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
Enumerate Shares
#Enumerate Domain Shares
Find-DomainShare
#Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
Enum Group Policies:
Get-NetGPO
# Shows active Policy on specified machine
Get-NetGPO -ComputerName <Name of the PC>
Get-NetGPOGroup
#Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName <ComputerName>
Enum OUs:
Get-NetOU -FullData
Get-NetGPO -GPOname <The GUID of the GPO>
Enum ACLs:
# Returns the ACLs associated with the specified account
Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
Enum Domain Trust:
Get-NetDomainTrust
Get-NetDomainTrust -Domain <DomainName>
Enum Forest Trust:
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>
#Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>
#Map the Trust of the Forest
Get-NetForestTrust
Get-NetDomainTrust -Forest <ForestName>
User Hunting:
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose
#Find computers were a Domain Admin OR a spesified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
#Confirming admin access:
Invoke-UserHunter -CheckAccess
AVAIBLE HERE Β» : https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦A cheat sheet that contains common enumeration and attack methods for Windows Active Directory:
Enum Domain Computers:
Get-NetComputer -FullData
Get-DomainGroup
#Enumerate Live machines
Get-NetComputer -Ping
Enum Groups and Group Members:
Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>
#Enumerate the members of a specified group of the domain
Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member
#Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
Enumerate Shares
#Enumerate Domain Shares
Find-DomainShare
#Enumerate Domain Shares the current user has access
Find-DomainShare -CheckShareAccess
Enum Group Policies:
Get-NetGPO
# Shows active Policy on specified machine
Get-NetGPO -ComputerName <Name of the PC>
Get-NetGPOGroup
#Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName <ComputerName>
Enum OUs:
Get-NetOU -FullData
Get-NetGPO -GPOname <The GUID of the GPO>
Enum ACLs:
# Returns the ACLs associated with the specified account
Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
#Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"
Enum Domain Trust:
Get-NetDomainTrust
Get-NetDomainTrust -Domain <DomainName>
Enum Forest Trust:
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>
#Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain Forest <ForestName>
#Map the Trust of the Forest
Get-NetForestTrust
Get-NetDomainTrust -Forest <ForestName>
User Hunting:
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose
#Find computers were a Domain Admin OR a spesified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
#Confirming admin access:
Invoke-UserHunter -CheckAccess
AVAIBLE HERE Β» : https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methodsβ¦
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Is the iPhone folding screen coming? Two prototypes are subject to preliminary testing.
#Technologies
#Technologies
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection:
Amphibians (scientific names)
Belgian Beers
Desserts in English, Arabic, Thai, Russian, Hindi, Chinese, Persian, and Muppet (Swedish Chef)
Emoji
evadeAV (smallest cipher space, x3 payload size)
GeoCoords World Capitals (Lat/Lon)
GeoCaching Coordinates (w/ Site Names)
IPv4 Addresses of Popular Websites
MD5 Password Hashes
PokemonGo Monsters
Shortened URLs pointing to different Youtube videos of Rick Astley's "Never Gonna Give You Up"
Ski Resorts
Status Codes (generic)
Star Trek characters
Top 100 Websites
World Beaches
World Cup Teams
Prepackaged scripts for adding noise / entropy to your cloaked payloads:
prependEmoji.py: Adds a randomize emoji to each line
prependID.py: Adds a randomized ID tag to each line
prependLatLonCoords.py: Adds randomized LatLong coordinates to each line
prependTimestamps.py: Adds timestamps (log file style) to each line
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/TryCatchHCF/Cloakify.git
2) cd Cloakify
3) look at examples inhttps://github.com/TryCatchHCF/Cloakify
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection:
Amphibians (scientific names)
Belgian Beers
Desserts in English, Arabic, Thai, Russian, Hindi, Chinese, Persian, and Muppet (Swedish Chef)
Emoji
evadeAV (smallest cipher space, x3 payload size)
GeoCoords World Capitals (Lat/Lon)
GeoCaching Coordinates (w/ Site Names)
IPv4 Addresses of Popular Websites
MD5 Password Hashes
PokemonGo Monsters
Shortened URLs pointing to different Youtube videos of Rick Astley's "Never Gonna Give You Up"
Ski Resorts
Status Codes (generic)
Star Trek characters
Top 100 Websites
World Beaches
World Cup Teams
Prepackaged scripts for adding noise / entropy to your cloaked payloads:
prependEmoji.py: Adds a randomize emoji to each line
prependID.py: Adds a randomized ID tag to each line
prependLatLonCoords.py: Adds randomized LatLong coordinates to each line
prependTimestamps.py: Adds timestamps (log file style) to each line
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/TryCatchHCF/Cloakify.git
2) cd Cloakify
3) look at examples inhttps://github.com/TryCatchHCF/Cloakify
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - TryCatchHCF/Cloakify: CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into listβ¦
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whi...
Forwarded from UNDERCODE NEWS
