CrackCodes 🇮🇳
Official website: https://crackcodes.in

Tech hack material: https://system32.ink
https://system32.in

About Admin: https://clavin.org/
@MCracker2002

Discussion Group: @Indianshunters

Be Secure~
Jai Shri Ram
#Blue_Team_Techniques
1. Linux kernel module generator for a hidden firewall that follows the rules in an external YAML file
https://github.com/CoolerVoid/HiddenWall
2. Guide to Use Sigma EVTX Checker
https://gist.github.com/Neo23x0/9eb505a00f7ba591645a6246fa6c5246
// Fast Go-based scanner for Linux, Windows and macOS that applies Sigma rules and outputs the matches as JSON
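To show what a Sigma-based scanner like the one above actually evaluates, here is an added example (written for this page, not code from the Sigma project, the linked gist or the scanner it describes): a minimal matcher that runs one Sigma detection block over constructed Windows Security 4688 records and returns each hit as a JSON-serialisable object. The rule (given in the dict form yaml.safe_load() would produce), its field names and the four event records are all constructed for illustration. Supported: map selections (AND over fields), lists of maps (OR), value lists (OR, or AND with |all), the contains/startswith/endswith modifiers, and conditions built from and/or/not and parentheses; aggregations such as "1 of them" raise ValueError rather than silently matching.

```python
import fnmatch
import json

# Constructed rule, in the form yaml.safe_load() produces from a Sigma .yml file;
# only the 'detection' block is interpreted below.
RULE = {
    "title": "Office application spawning a command shell (constructed example)",
    "detection": {
        "selection": {
            "EventID": 4688,
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "NewProcessName|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter_update": {"CommandLine|contains": "OfficeClickToRun"},
        "condition": "selection and not filter_update",
    },
    "level": "high",
}

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"  # constructed path prefix

def _ev(event_id, parent, cmdline):  # constructed Security 4688-style record, Sigma field names
    return {"EventID": event_id, "ParentImage": parent,
            "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": cmdline}

EVENTS = [
    _ev(4688, OFFICE + "WINWORD.EXE", "cmd.exe /c whoami"),                          # true positive
    _ev(4688, "C:\\Windows\\explorer.exe", "cmd.exe"),                                # wrong parent
    _ev(4688, OFFICE + "EXCEL.EXE", "cmd.exe /c OfficeClickToRun.exe /update user"),  # excluded by filter
    _ev(4624, OFFICE + "WINWORD.EXE", "cmd.exe"),                                     # wrong event id
]

def _value_matches(actual, expected, modifier) -> bool:
    """One field value against one expected value; Sigma matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier in ("startswith", "endswith"):
        return getattr(a, modifier)(e)
    return fnmatch.fnmatchcase(a, e)  # plain value: '*' and '?' act as wildcards

def _field_matches(event: dict, key: str, expected) -> bool:
    """'Field|modifier' against an event; a list of values is OR unless '|all' is given."""
    field, _, mods = key.partition("|")
    modifiers = [m for m in mods.split("|") if m]
    modifier = next((m for m in modifiers if m in ("contains", "startswith", "endswith")), None)
    values = expected if isinstance(expected, list) else [expected]
    hits = [_value_matches(event.get(field), v, modifier) for v in values]
    return all(hits) if "all" in modifiers else any(hits)

def _selection_matches(event: dict, selection) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def _evaluate(condition: str, results: dict) -> bool:
    """and/or/not with parentheses over selection names; '1 of them' style aggregations raise ValueError."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def chain(op, sub):  # left-associative run of 'op' over sub-expressions
        nonlocal pos
        value = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = sub()  # always parsed, so pos advances even when 'value' already decides the result
            value = (value or rhs) if op == "or" else (value and rhs)
        return value
    def parse_not() -> bool:
        nonlocal pos
        if pos == len(tokens) or tokens[pos] == ")":
            raise ValueError("expected a selection name")
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = chain("or", lambda: chain("and", parse_not))
            if pos == len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok not in results:
            raise ValueError(f"unsupported token in condition: {tok!r}")
        return results[tok]
    value = chain("or", lambda: chain("and", parse_not))
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value

def match(rule: dict, event: dict) -> bool:
    """True if the event satisfies the rule's detection condition."""
    det = rule["detection"]
    results = {k: _selection_matches(event, v) for k, v in det.items() if k != "condition"}
    return _evaluate(det["condition"], results)

def scan(rule: dict, events: list) -> list:
    """One JSON-serialisable object per hit, the shape a Sigma scanner emits."""
    return [{"rule": rule["title"], "level": rule.get("level", "medium"), "event": ev}
            for ev in events if match(rule, ev)]

MATCHES = scan(RULE, EVENTS)  # exactly one hit: the WINWORD.EXE -> cmd.exe /c whoami record
```

Run it and inspect MATCHES, or point scan() at records parsed from real EVTX-to-JSON output: the second record fails on the parent, the third is removed by the filter, the fourth has the wrong EventID, so only the WINWORD.EXE -> cmd.exe record remains. The case-insensitive comparison mirrors Sigma's matching semantics for Windows fields; wildcard handling here covers only * and ? in plain values, not the full Sigma modifier set (re, cidr, base64 and so on).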
Privacy_Practice.pdf
5.8 MB
#Tech_book
"Privacy in Practice: Establish and Operationalize a Holistic Data Privacy Program", 2023.
#tools
#OSINT
CVE and PoC SearchBot v0.5.0:

Added:
- New sources of information about CVE vendor/products: nvd.nist.gov and cve.org;
- Feedback answer option.
Changed:
- App's architecture;
- APIv2 from nvd.nist.gov is now used;
- Changed message-broker software;
- Default level is now set to ALL;
- PoC search based on CVE description and vendor/product;
- Manual PoC queries now use logical AND.
Fixed:
- Vendor/product duplication issue;
- Settings menu errors;
- A number of minor bugs.
Happy Tulsi Pujan ❤️
Hello everyone, on this auspicious day we are launching our forum, powered by @H4ckerinthehouse, where you can connect, share and communicate with each other.

Here are some features of this forum:
You can ask questions, create polls and answer any question. You can refer anyone using your referral code. You can create public as well as private discussion groups. You can also send a private message to an individual and ask anything.

Many more features and surprises are coming in the upcoming days.

So what are you waiting for? Go and register on the Hackerinthehouse Forum.

Here is the link of the forum to register: https://forum.hackerinthehouse.in
EvilWfshbr

CVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation

https://github.com/kkent030315/CVE-2022-42046
ServerlessRedirector

Serverless Redirector in various cloud vendors for red teaming

https://github.com/KINGSABRI/ServerlessRedirector
Network Scanner

Universal Network Scanner is a multi-brand, ultra-fast network discovery tool based on multicast and broadcast discovery. It is built on a flexible framework that eases the implementation of any plain IP-based discovery protocol, such as SSDP/UPnP, mDNS or proprietary discovery protocols.

https://github.com/julienblitte/UniversalScanner
|The Apocalypse of the Heap - Shizo edit.|

💥Painless intro to the Linux userland heap
The heap is hard to maintain, especially in this implementation, because it is thread-aware. Hopefully this article helps you understand how a chunk goes from allocated to free, and which structures come into play when chunks are freed.

💥Understanding glibc malloc
💾How is heap memory obtained from the kernel?
💾How is memory managed efficiently?
💾Is it managed by the kernel, by the library or by the application itself?
💾Can heap memory be exploited?

💥ptmalloc fanzine episodes (a collection of resources on glibc heap metadata corruption):
💾episode 01: munmap madness
💾episode 02: fastbin fever
💾episode 03: scraps of notes on ptmalloc metadata corruptions
💾episode 04: once upon a realloc()
💾episode 05: thread local caching in glibc malloc

💥Heap exploitation for Dummies.
This short book is written for people who want to understand the internals of 'heap memory', particularly the implementation of glibc's 'malloc' and 'free' procedures, and also for security researchers who want to get started in the field of heap exploitation.
🔖github repo

💥Educational Heap Exploitation (how2heap) is for learning various heap exploitation techniques. We use Ubuntu's libc releases as the gold standard. Each technique is verified to work on the corresponding Ubuntu releases.

💥GlibC Malloc for Exploiters presentation

💥Linux Heap Exploitation Intro Series:
💾printf might be leaking!
💾Used and Abused – Use After Free
💾The magician's cape – 1-byte overflow
💾Riding free on the heap – Double free attacks!
💾Set you free() – part 1
💾Set you free() – part 2

💥How to exploit a double free vulnerability in 2021 (exploiting an ARM-only race condition)
You will learn how to exploit a double free or a use-after-free (UAF) vulnerability.

💥Linux kernel heap feng shui in 2022
In this article we discuss changes in the Linux kernel slab allocator implementation and exploitation challenges associated with kernel heap-related vulnerabilities. We focus on the SLUB (unqueued slab allocator) implementation in this article since it is the most common allocator enabled by default on most Linux distributions and Android devices.

💥Overview of GLIBC heap exploitation techniques
Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way.

💥Perfect Spray: A Journey From Finding a New Type of Logical Flaw at Linux Kernel To Developing a New Heap Exploitation Technique
In this talk, we will present Pspray, a new memory exploitation technique for the Linux kernel, dramatically improving the exploitation reliability. In particular, we designed a heap exploitation technique effective for most memory vulnerabilities, including heap OOB, UAF, and double-free. The key idea behind this new attack is in developing timing side-channels in Linux's SLUB allocator. Then using this timing side-channel, we carefully redesigned the traditional exploitation technique to precisely predict the runtime behavior of SLUB, allowing Pspray to avoid unexpected exploitation failure. We used Pspray's exploitation technique for 10 real-world Linux kernel vulnerabilities, which significantly improved the attack success probability from 56.1% to 97.92%.
🔥🔥🔥ADManager Plus full RCE PoC
At that time, Log4j was already widespread on the internet. ManageEngine had already patched ADManager Plus to prevent it from being affected by the Log4j vulnerability, and had stated that ADManager Plus was not affected by Log4j. However, we determined that ADManager Plus was running on our target and managed to exploit the Log4j vulnerability.

When we initially reported this vulnerability to Synack, we only managed to get a DNS callback, and our report was marked as LDAP injection. We attempted to gain full RCE on the host but were not successful. Later, we discovered that ADManager Plus was running on another target, so we tried to get full RCE there. We realised that a firewall and an anti-virus were running on the machine, so most of our payloads would not work. After spending a considerable amount of time, we eventually managed to bypass the firewall and the anti-virus and achieve full RCE.
💥Introduction to the Windows Filtering Platform

The Windows Filtering Platform (WFP) provides flexible ways to control network filtering. It exposes user-mode and kernel-mode APIs that interact with several layers of the networking stack. Some configuration and control is available directly from user mode, without requiring any kernel-mode code (although it does require administrator-level access). WFP replaces older network filtering technologies, such as Transport Driver Interface (TDI) filters and some types of NDIS filters.
🔥🔥🔥KITCTFCTF 2022 V8 Heap SBX
(V8 exploitation challenge)

In this writeup, I'll go over the intended solution in detail, which leads to a V8 (heap) sandbox escape without using the JIT technique that is currently very popular.
🔥🔥🔥rp++ (or rp) is a C++ ROP gadget finder for PE, ELF and Mach-O executables on the x86, x64, ARM and ARM64 architectures.