PingPlant.zip
15.4 KB
🔥PingPlant is a Linux implant PoC that starts a custom listener for ICMP data, and parses the ethernet frame to check for a special payload.
If this payload is found, it will then initiate a callback to a defined IP. Even though I have this connect back with a reverse shell, you could edit this to have it execute anything on the infected system when the special payload is received.
Features:
💾Runtime process renaming
💾No listening ports
💾Written in Go, so almost all AV's will never pick this up
If this payload is found, it will then initiate a callback to a defined IP. Even though I have this connect back with a reverse shell, you could edit this to have it execute anything on the infected system when the special payload is received.
Features:
💾Runtime process renaming
💾No listening ports
💾Written in Go, so almost all AV's will never pick this up
#exploit
1. CVE-2022-28672:
Foxit PDF Reader - UaF RCE Exploit
https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672
]-> https://github.com/hacksysteam/CVE-2022-28672
2. CVE-2022-45451:
Acronis Cyber Protect/Home Cyber Protect - Arbitrary File Read
https://github.com/alfarom256/CVE-2022-45451
1. CVE-2022-28672:
Foxit PDF Reader - UaF RCE Exploit
https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672
]-> https://github.com/hacksysteam/CVE-2022-28672
2. CVE-2022-45451:
Acronis Cyber Protect/Home Cyber Protect - Arbitrary File Read
https://github.com/alfarom256/CVE-2022-45451
#Offensive_security
1. How to Detect Malicious OAuth Device Code Phishing in M365
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
2. It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
1. How to Detect Malicious OAuth Device Code Phishing in M365
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
2. It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
Traffers.pdf
5.3 MB
#Malware_analysis
"Traffers: a deep dive into the information stealer ecosystem", 2022.
"Traffers: a deep dive into the information stealer ecosystem", 2022.
#Threat_Research
1. Unusual Cache Poisoning between Akamai and S3 buckets
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3
2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
https://hackerone.com/reports/1665156
1. Unusual Cache Poisoning between Akamai and S3 buckets
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3
2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
https://hackerone.com/reports/1665156
AISY.pdf
727.7 KB
#Research
BlackHat Asia 2022:
"AISY - Deep Learning-based Framework for Side-channel Analysis".
]-> Repo: https://github.com/AISyLab/AISY_Framework
BlackHat Asia 2022:
"AISY - Deep Learning-based Framework for Side-channel Analysis".
]-> Repo: https://github.com/AISyLab/AISY_Framework
#Blue_Team_Techniques
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
Spamworld.php
24.1 KB
New mini shell :)
⚠️ Bypass All waf
📌 Non Encoded :::)))
⚠️ Bypass All waf
📌 Non Encoded :::)))
linux_injector.zip
5.5 KB
💉linux_injector is a simple ptrace-less shared library injector for x64 Linux(Most Linuxes that use glibc should be supported).
For control flow hijacking, this program needs a hijacking candidate. The code presented here uses malloc(), this can be changed by editing FUN_NAME and recompiling. Make sure the hooked function can run under 100ms, so that it won't be overwritten while it executes. This means calls like sleep or wait are bad candidates for the initial shellcode. The function in question also needs to be more than 0x50 long for the shellcode not to overwrite other functions.
Usage:
linux_injector <pid> <module>
Where pid is target process id & module is a module to inject, will be dlopened in the remote process
⚠️The code expects that the target uses the same libc as available to us. If it does not, then the remote symbols won't be found. This could be fixed by reading the remote libraries and scanning for our symbols in them.
For control flow hijacking, this program needs a hijacking candidate. The code presented here uses malloc(), this can be changed by editing FUN_NAME and recompiling. Make sure the hooked function can run under 100ms, so that it won't be overwritten while it executes. This means calls like sleep or wait are bad candidates for the initial shellcode. The function in question also needs to be more than 0x50 long for the shellcode not to overwrite other functions.
Usage:
linux_injector <pid> <module>
Where pid is target process id & module is a module to inject, will be dlopened in the remote process
⚠️The code expects that the target uses the same libc as available to us. If it does not, then the remote symbols won't be found. This could be fixed by reading the remote libraries and scanning for our symbols in them.
Forwarded from CYBER TRICKS ZONE 🇮🇳 (𝙋𝙧𝙤𝙩𝙤𝙘𝙤𝙡 𝙉𝙞𝙘𝙠)
Linux Hacking Tools
Nessus– this tool can be used for Ubuntu hack, scan configuration settings, patches, and networks etc. it can be found at https://www.tenable.com/products/nessus
NMap. This tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at https://nmap.org/
SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS etc. it can be found at http://www-arc.com/sara/sara.html
The above list is not exhaustive; it gives you an idea of the tools available for Ubuntu hacking and hacking Linux systems.
Nessus– this tool can be used for Ubuntu hack, scan configuration settings, patches, and networks etc. it can be found at https://www.tenable.com/products/nessus
NMap. This tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at https://nmap.org/
SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS etc. it can be found at http://www-arc.com/sara/sara.html
The above list is not exhaustive; it gives you an idea of the tools available for Ubuntu hacking and hacking Linux systems.
Tenable®
Nessus Vulnerability Scanner: Network Security Solution
Find out more about Nessus - the trusted gold standard for vulnerability assessment, designed for modern attack surfaces - used by thousands of organizations.
#Malware_analysis
1. VidarStealer analysis
https://github.com/m4now4r/VidarStealer
2. Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC/Cobalt Strike
https://isc.sans.edu/diary/Monster+Libra+TA551Shathak+pushes+IcedID+Bokbot+with+Dark+VNC+and+Cobalt+Strike/28934
1. VidarStealer analysis
https://github.com/m4now4r/VidarStealer
2. Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC/Cobalt Strike
https://isc.sans.edu/diary/Monster+Libra+TA551Shathak+pushes+IcedID+Bokbot+with+Dark+VNC+and+Cobalt+Strike/28934
GitHub
GitHub - m4now4r/VidarStealer: Notes some analysis related to VidarStealer sample
Notes some analysis related to VidarStealer sample - m4now4r/VidarStealer
First_Do_No_Harm.pdf
412.7 KB
#Research
"First, Do No Harm: Studying the manipulation of security headers in browser extensions", 2021.
]-> Fast JavaScript parser: https://github.com/acornjs/acorn
"First, Do No Harm: Studying the manipulation of security headers in browser extensions", 2021.
]-> Fast JavaScript parser: https://github.com/acornjs/acorn
#Red_Team_Tactics
1. {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
2. How To Exploit File Inclusion Vulnerabilities
https://infosecwriteups.com/how-to-exploit-file-inclusion-vulnerabilities-a-beginners-introduction-stackzero-a55267b5fafb
1. {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
2. How To Exploit File Inclusion Vulnerabilities
https://infosecwriteups.com/how-to-exploit-file-inclusion-vulnerabilities-a-beginners-introduction-stackzero-a55267b5fafb
Claroty
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
Team82 developed a generic web application firewall bypass exploiting a lack of JSON syntax support in leading vendors' SQL injection like AWS and Imperva WAF.
FSI_Masscan_Ransomware.pdf
40.7 MB
#Threat_Research
"Operation MaRS: Masscan Ransomware Threat Analysis Report", 2022.
"Operation MaRS: Masscan Ransomware Threat Analysis Report", 2022.
#exploit
1. CVE-2022-41050:
A vulnerability in the MS Windows' User-Mode Printer Drivers
https://ssd-disclosure.com/win32k-user-mode-printer-drivers-startdoc-uaf
2. CVE-2022-46689:
macOS Dirty Cow bug
https://github.com/zhuowei/MacDirtyCowDemo
1. CVE-2022-41050:
A vulnerability in the MS Windows' User-Mode Printer Drivers
https://ssd-disclosure.com/win32k-user-mode-printer-drivers-startdoc-uaf
2. CVE-2022-46689:
macOS Dirty Cow bug
https://github.com/zhuowei/MacDirtyCowDemo
SSD Secure Disclosure
Win32k User-Mode Printer Drivers StartDoc UAF - SSD Secure Disclosure
Summary A vulnerability in the UMPD (User-Mode Printer Drivers) allows local users to trigger a use-after-free vulnerability. The vulnerability works from Windows 8 and above, and is fairly easy to exploit on older Windows machines. Credit An independent…
#tools
#Offensive_security
1. A simple ptrace-less shared library injector for x64 Linux
https://github.com/namazso/linux_injector
2. EDRs Hooked APIs
https://github.com/vysecurity/EDRs
#Offensive_security
1. A simple ptrace-less shared library injector for x64 Linux
https://github.com/namazso/linux_injector
2. EDRs Hooked APIs
https://github.com/vysecurity/EDRs
GitHub
GitHub - namazso/linux_injector: A simple ptrace-less shared library injector for x64 Linux
A simple ptrace-less shared library injector for x64 Linux - namazso/linux_injector