Heartbleed vulnerability exploited🩸
▪️https://github.com/Saiprasad16/Heartbleed
#hackgit #github #soft #Heartbleed
rsGen - Reverse Shell Payload Generator
▪️https://github.com/FlyfishSec/rsGen
#hackgit #github #Shell #rsGen #Reverse
#Analytics
#Malware_analysis
1. Ransomware Business Models: Future Pivots and Trends
https://www.trendmicro.com/en_us/research/22/l/ransomware-business-models-future-trends.html
2. SentinelSneak: Malicious PyPI module poses as security software development kit
https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Trend Micro
Ransomware Business Models: Future Pivots and Trends
Ransomware groups and their business models are expected to change from what and how we know it to date. In this blog entry, we summarize from some of our insights the triggers that spark the small changes in the short term (“evolutions”) and the bigger deviations…
VTI_Cheatsheet.pdf
946.6 KB
#Infographics
"VT Intelligence Cheat Sheet", 2022.
#tools
#Offensive_security
1. Shennina - Automating Host Exploitation with AI
https://github.com/mazen160/shennina
2. AMSI-bypass obfuscation + ETW-block obfuscation + powershell command obfuscation
https://github.com/H4de5-7/powershell-obfuscation
#exploit
1. MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow
2. [Google VRP] Hijacking Google Docs Screenshots
https://blog.geekycat.in/google-vrp-hijacking-your-screenshots
#Red_Team_Tactics
1. Blindside: A New Technique for EDR Evasion with Hardware Breakpoints
https://cymulate.com/blog/blindside-a-new-technique-for-edr-evasion-with-hardware-breakpoints
2. Raw sockets hacking
https://antonio-cooler.gitbook.io/coolervoid-tavern/port-knocking-from-the-scratch
-> Secure shell using the port knocking technique with AES256-GCM: https://github.com/CoolerVoid/ninja_shell
Cymulate
Blindside: A New Technique for EDR Evasion with Hardware Breakpoints
Cymulate researchers have discovered a new vulnerability and created a proof of concept. The technique based on it allows attackers to circumvent many EDR vendors.
ZoneAlarmEoP
Exploit for Arbitrary File Move vulnerability in ZoneAlarm AV
https://github.com/Wh04m1001/ZoneAlarmEoP
🔥🔥🔥Type confusion vulnerability (CVE-2022-42823) in the Apple Safari JSC Inspector (Root Cause Analysis + PoC).
A type confusion vulnerability exists in the Apple Safari JSC Inspector. The issue causes memory corruption due to type confusion. A victim must open a specially generated HTML file to trigger this vulnerability.
PoC:
<script>
  let object = {};
  Object.prototype.__defineSetter__('type', function() {
    object.x = {};
    object[0] = object.x;
  });
</script>
🛡Fixed in: macOS 13, tvOS 16.1, iOS 16.1 & iPadOS 16, Safari 16.1, watchOS 9.1.
🔥Linux Kernel: Exploiting a Netfilter UAF in kmalloc-cg
We describe a method to exploit a UAF in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
Forwarded from 卩ro 爪Cracker
💥In-Memory Execution in macOS: the Old and the New
As part of our work, it’s often interesting to try to find possible avenues of attack that bypass detections on EDR products. On macOS, EDR products specifically collect telemetry from fork and exec syscalls. macOS has alternative ways of executing code, which side-step these system calls by executing code directly in-memory.
In this writeup, we touch on all 3 aforementioned APIs and then create a PoC loader which uses NSCreateObjectFileImageFromFile and CFBundleCreate to load a bundle from disk and execute it.
|FORCEDENTRY, are you there?|
🕵️♂️I think many still remember FORCEDENTRY, the data-only 0-click RCE exploit that made so much noise a year ago (CVE-2021-30860, an integer overflow in Apple's xpdf-derived JBIG2 implementation, JBIG2Stream::readTextRegionSeg(), exploited by programming a JBIG2 weird machine inside the parser; the code essentially belongs to CoreGraphics), delivered via iMessage by NSO Group. In short, you receive a PDF file that claims to be a ".gif", and because IMTranscoderAgent analyzed exactly this kind of impostor file outside the BlastDoor sandbox, the Israelis were able to achieve SBX. In reality the exploitation was much more complex, and you can read more about it on the channel, here and here.
Moreover, researchers from Google Project Zero could not establish the exact trail after the IMTranscoderAgent SBX and, as a hypothesis, put forward several exploitation scenarios:
1️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ iOS kernel LPE
2️⃣iMessage RCE ➡️ IMTranscoderAgent SBX ➡️ some_service ➡️ iOS kernel LPE
The problem for defenders to this day is that no samples are publicly available (from which we can conclude that standard detection methods will not work). In this post Matt, besides analyzing the attack, also discusses detection without relying on regular expressions or process-name checks; in the end a tool (ELEGANTBOUNCER) was presented for analyzing files from non-fileless (data-only) attacks without depending on samples.
🔖You can read more in Matt's article.
#NSO #PegasusSpyware #FORCEDENTRY #iOS #iMessage #forensics #security #exploitation #sbx #xpdf #weirdMachine #JBIG2
Magnet Forensics
FORCEDENTRY: Detecting the Exploit With No Samples
This is a deep dive into the CVE-2021-30860 vulnerability, also known as FORCEDENTRY, and how to detect it with root cause analysis.
CVE-2020-6418-exploit.js
3.9 KB
🔥Deconstructing and Exploiting CVE-2020-6418 (exploit here)
This vulnerability lies in the V8 engine of Google Chrome, namely its optimizing compiler TurboFan. Specifically, the vulnerable versions are those of V8 shipped in Google Chrome prior to 80.0.3987.122. In this article, Daniel Toh Jing En gives a step-by-step analysis of the vulnerability, from the root cause to exploitation.