Popping calc with CVE-2021-40444 (MS Office exploit)
Thanks to @BouncyHat for collaborating 😀
Not planning to release but my bet is with itw exploits, it won't be long..
.NET exploit for Zerologon is now released 🥳
Identify and exploit vulnerable DCs using execute-assembly, no python required
Includes detection tips for each step of the exploit chain. PRs accepted for more detections! 🙏
Go find those DCs and patch!
We found an RCE vulnerability in the Citrix Workspace & Receiver clients. It can be triggered through the browser simply by visiting a malicious website. No need to log into a rogue Citrix server.. Fix has now been released.
CVE-2019-19781 post-exploitation notes:
If you are seeing attackers reading your /flash/nsconfig/ns.conf file then you need to change all passwords. The SHA512 passwords are easily crackable with hashcat.
I reproduced the full chain of Ivanti Connect Secure CVE-2023-46805 (auth bypass) + CVE-2024-21887 (RCE) 🥳
While it is mentioned in the advisory, it's worth noting that 21887 is multiple command injection vulns under one CVE. I counted 5 before I got bored looking 😆
Here is a CNA script for abusing the print spooler named pipe impersonation trick by @itm4n
Useful to get SYSTEM with only SeImpersonatePrivilege and can be used as an alternative to getsystem.
Came in handy recently and wanted to share the ❤️
Just published advisories for Pulse Connect Secure CVE-2020-8260 and CVE-2020-8255. Auth file read and auth RCE.
Documenting some new RCE techniques for arbitrary file write on PCS with @johnnyspandex
Releasing PyBeacon. A collection of scripts for dealing with Cobalt Strike beacons in Python.
Covers:
- staging
- asymmetric encryption and metadata parsing
- symmetric encryption (tasks) and decoding
- beacon registration
- beacon callbacks
Confirming SandboxEscaper's latest AppXSvc LPE (aka CVE-2019-0841-BYPASS) is indeed a 0day and works up to the latest 1903 build (but no collector abuse anymore 😢) . Weaponised demo on 1809..
Had a lot of fun this weekend working on exploiting Exchange with @BouncyHat and @amlweems. Between us we managed to get the full RCE chain working on a single server environment 🎉
Here is an example showing how to do named pipe IPC in Cobalt Strike. Useful for getting output from (self)injected ReflectiveDlls.
CS 4.1 bofs sound like they will solve this problem, but maybe still useful 👍
Here is the advisory for CVE-2019-11114, a Local Privilege Escalation vulnerability I found in Intel DSA. If you have an Intel based machine, double check if it's installed and update if required 👍
@itm4n I made it into EOP by making a mount point targeting \\.\pipe\ , then creating a named pipe with the name ..\..\something.xml , the dir listing thinks ..\ is part of the filename, so the copy goes outside the intended dir, where I had a symbolic link ready :)
Today we release our blog post that demonstrates a new single request exploit for CVE-2019-19781 that is effective even if all of the "vulnerable" Perl files have been deleted 🙀
We also share stats on devices that are patched but still contain backdoors
Had fun today writing a .NET exploit for @itm4n's CVE-2020-0787 BITS LPE and UsoLoader technique.
Check out his blog posts and research if you haven't already. They are all brilliant 👏🙏
Build events aren't the only way to backdoor a Visual Studio project.
@StanHacked documented some other interesting ways in his awesome "COMpromise" research:
TypeLibs are another sneaky way to gain code execution. Yara rule:
Turns out it was an 0day at the time! Sample is CVE-2018-0802 😵
"Fw_ Invitation letter of FW review meeting.rtf"
sha256 81c733c0bae854e280d0d3c2e7ff1fdcd0f1eef2a653286a641437dcea21f409
#Malware using Word add-in persistence
Sample uses the CVE-2017-11882 %temp% dropper method to %APPDATA%\Microsoft\word\startup\w.wll
@MalwareParty #infosec
On CVE-2021-22986 (F5 iControl REST RCE)..
This is a great writeup. I've also been looking at this in my spare time and have finally got the full RCE chain working 🚀
Props to @wvuuuuuuuuuuuuu for the awesome notes which helped confirm I was going down the right rabbitholes! 🙏
Got the ProxyShell exploit by @orange_8361 working. That was fun 😃
Thanks Orange for the amazing research, and also to @peterjson and @testanull for their detailed blog post 🙏
This creative, obfuscated RTF doc exploits Equation Editor 7(!) times to write out b64 file to %tmp%, then decodes /w certutil and executes .bat. Loads remote HTA from RFC1918 address. Malware testing? Red Team? 🤷♂️ Fun though 😋
Today's RTF obfuscation trick:
import os
from random import randint

# Hex-encoded object header to obfuscate; after each byte pair a random digit
# and an RTF \'xx escape with a random byte are appended
obj = "010500000200"
s = ""
for x, y in zip(obj[::2], obj[1::2]):
    s += "%s%s\\'%s" % (x + y, randint(0, 9), os.urandom(1).hex())
print(s)
In personal news, I no longer work for NCC Group. I’m taking some time out, but hopefully will announce something exciting in the near future. Until then I’ll be playing video games, working on my old VW and breaking my one rule of staying away from computers 👾🥳😎
🚨 CVE-2019-11510 under active exploitation 🚨
From: 185.25.51[.]58
Exploiting the recent Pulse Secure SSL VPN arbitrary file download vulnerability to extract cleartext passwords and hashes.
FWIW this honeypot was online for ~48 hrs. If you have an unpatched VPN, patch quick
I wrote an exploit for CVE-2017-11882 that uses Packager.dll to drop+exec (as seen itw by @MalwareParty + @HaifeiLi). Maybe it's useful if you don't wanna use webdav.
Another good thing to look out for, is webshells saved as attachments in people's mailboxes. They are encoded, but can be decoded with this simple script:
#ProxyShell
Finally had some time today to write something I've wanted every time I need to dump cookies.. 🍪
Just extract masterkey once, download the Cookie file and import 🪄
We're seeing more than just scanning for the recent pair of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) - we're seeing real exploitation attempts - this one installs a Bitcoin miner! Patch your hosts ASAP!
If you are wanting to develop Cobalt Strike bofs in Visual Studio, this template might be useful for you:
It can probably be improved with some better compiler flag combos, but a good starter if like me you prefer working in VS 👍
Hmm seems like not everyone understood. This is a honeypot. I'm not outsourcing my patching to randoms on the internet 😂
Of course their intentions were bad. They did it on multiple servers and left their webshells there for persistence
3 months of honeypot data related to F5 (& a small amount of Citrix) exploitation released today
Includes:
✅ PCAP of all web traffic
✅ IDS Rules for mitigation F5 bypass
✅ Interesting findings and stats
✅ A pretty cool webshell
Dive into the data and see what you can find!
Blog: We have released three months of honeypot web traffic data related to the F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 exploitation events from earlier this year - insights and intel on Iran and others -
RE: CVE-2019-19781 detections (Citrix NetScaler/ADC RCE)
Although the vulnerable code mandates that the first request *must* be a POST request - the second request can be a HEAD or even a PUT and will still get processed by the template engine.
ZScaler has published an advisory for CVE-2020-11635, an LPE vulnerability reported by myself and others. It is fixed on client connector versions 3.1.0 and upwards 🙂
Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory:
Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days
Remember to update AND change default passwords :)
Wow, interesting sample.. I think I count 3 exploits (CVE-2017-11882, CVE-2018-0802, CVE-2017-8570). Wins 🏅4 noisiest sample 4sure! 😂 Looks like it's dropping #remcos
12/57 on VT.
@anyrun_app working nice 👍
I went to check for these IOCs on my Exchange honeypot, but instead of finding APT, all I got was this lousy Zeppelin ransomware note 😅
And all my files were indeed encrypted, including the webshells (oops!)
ProxyShell continues to be a trash fire
I mentioned this before but didn't try it. It works 👍
dropper.rtf -> load doc from webdav -> serve correct macro stripped doc for detected office ver
Problem:
Background:
@malcomvetter @JohnLaTwC @ItsReallyNick @Mao_Ware @VessOnSecurity True. You mean the differences in office versions? I think that could be solved by using an intermediate doc with ole2link to remote (macro)doc. The server then serves correct version based on user agent. Could be a fun one to try :)
Detection: Exploited with 1 POST + 1 GET request. As mentioned before, you can look for "/vpns/" in the path, but also "../" in header values for the POST. Probably shouldn't say *which* header at this point. This will be followed by a GET request for a file ending in ".xml".
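An added example (not from the original tweets): a small Python detector for the two-request pattern described above, also honouring the earlier note that the second request may be a HEAD or PUT rather than a GET. It runs over constructed request records; the script name and header name are placeholders, and which header carries the traversal is deliberately not assumed, so every header value is checked.

```python
from urllib.parse import unquote

# Constructed sample request records (client_ip, method, path, headers) in arrival order.
# Script and header names are placeholders, not real Citrix paths.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "/vpn/index.html", {"User-Agent": "Mozilla/5.0"}),
    ("198.51.100.7", "POST", "/vpn/../vpns/portal/scripts/constructed.pl",
     {"User-Agent": "curl/7.64.0", "X-Constructed": "../../../constructed"}),
    ("198.51.100.7", "GET", "/vpn/../vpns/portal/constructed.xml", {"User-Agent": "curl/7.64.0"}),
    ("203.0.113.9", "HEAD", "/vpns/portal/other.xml", {}),  # no preceding POST from this client
    ("192.0.2.4", "POST", "/vpns/portal/scripts/constructed.pl", {"X-Constructed": "%2e%2e/tmp"}),
]


def is_stage_one(method, path, headers):
    """Stage 1 from the post: a POST with "/vpns/" in the path and "../" in a header value.
    Values are URL-decoded first (a hardening step beyond the post) so percent-encoded
    traversal is caught too; which header carries it is deliberately not assumed."""
    if method != "POST" or "/vpns/" not in unquote(path):
        return False
    return any("../" in unquote(v) for v in headers.values())


def is_stage_two(method, path):
    """Stage 2: a follow-up request for a file ending in ".xml". The post says GET, but
    HEAD or PUT are still processed by the template engine, so all three are accepted."""
    clean = unquote(path).split("?", 1)[0]
    return method in ("GET", "HEAD", "PUT") and clean.lower().endswith(".xml")


def detect_cve_2019_19781(requests):
    """Correlate the two stages per client IP. Returns (client_ip, stage1_idx, stage2_idx)
    tuples; stage2_idx is None for a stage-1 POST with no follow-up (still worth an alert)."""
    pending = {}  # client_ip -> index of its most recent stage-1 POST
    alerts = []
    for i, (ip, method, path, headers) in enumerate(requests):
        if is_stage_one(method, path, headers):
            pending[ip] = i
        elif ip in pending and is_stage_two(method, path):
            alerts.append((ip, pending.pop(ip), i))
    alerts.extend((ip, idx, None) for ip, idx in pending.items())
    return alerts


if __name__ == "__main__":
    for ip, first, second in detect_cve_2019_19781(SAMPLE_REQUESTS):
        print(f"ALERT {ip}: stage-1 POST #{first}, stage-2 request #{second}")
```

Feeding real access-log records in the same (ip, method, path, headers) shape is enough to use it; note that the per-IP correlation is lost if the two requests arrive from different source addresses.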
I’ve not looked at the exchange bugs yet but my speculation is that because MS never fixed the path confusion of proxyshell (just stopped sending auth to the backend), that this same path can be used to send your own auth or attack another unauth backend svc
Useful to know: the tool works on a default domain-joined firewall config without the need for admin
How?
We used a technique from @NinjaParanoid to make use of http.sys with default allowed URL ACLs / firewall rules
Worth blocking these if not needed
#PROTIP: If you can't listen on port 80 during a bind shell, try adding the URI '/Temporary_Listen_Address/' to ur listener. Magic! You don't need administrative privileges to listen on port 80 on Windows anymore
#redteam #windows
The Pulse Secure integrity checker contains hashes for a load of different PCS firmware versions. This can be used to build a passive version fingerprint
Oh what do we have here? An updated "Word Silent Exploit Builder" appears. Complete with stolen exploit code.
@ItsReallyNick this is where your 15 character-name SCT files are coming from 🙃
Cracked? ✅
Backdoored? 🤷♀️
They are using this exploit. I guess you get what you pay for 😋
Once they drop the follow-up webshell, they delete the first. Might be a race condition if they delete it too early. Not going to debug it for them though! 😂
Pushed a small update to Chlonium to support offline statekey decryption using @harmj0y's excellent SharpDPAPI project
Supports decryption with a domain backup key or user's password 👍
Per the @SonicWall advisory - - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs