ProcessHider is a post-exploitation tool designed to hide processes from monitoring tools such as Task Manager and Process Explorer, thus preventing administrators from discovering the payload's processes. The tool works on both 32- and 64-bit versions of Windows by detecting the OS version itself and using the matching build of the tool.
ProcessHider is available as an EXE file or as a PowerShell script.
The exploit samples database is a repository of RCE (remote code execution) exploits and proof-of-concepts for Windows; the samples are uploaded for educational purposes for red and blue teams.
Proof-of-concepts are always identified by #PoC# in the name of the relevant exploit folder. Those samples will always pop up a calculator or a message box and will therefore be easily identified by many AVs (which detect the calculator shellcode).
Each sub-category includes a list of folders that represent the different CVEs (vulnerabilities).
Reptile is an LKM rootkit written for evil purposes that runs on kernels 2.6.x/3.x/4.x.
Would you like to see his fatality?
- Give root to unprivileged users
- Hide files and directories
- Hide files contents
- Hide processes
- Hide itself
- Hidden boot persistence
- ICMP/UDP/TCP port-knocking backdoor
- Full TTY/PTY shell with file transfer
- Client to handle Reptile Shell
The Empire Multiuser GUI is a graphical interface to the Empire post-exploitation Framework. It was written in Electron and utilizes websockets (SocketIO) on the backend to support multiuser interaction. The main goal of this project is to enable red teams, or any other color team, to work together on engagements in a more seamless and integrated way than using Empire as a command line tool.
Read more about the Empire Framework
** BETA NOTICE **
This is a BETA release and does not have all the functionality of the full Empire Framework. The goal is to get community involvement early on to help fix bugs before adding in many of the bells and whistles. The main interaction with agents at this point is solely through a shell prompt. The next release will have module support, etc.
- Multiplatform support (OSX, Windows, Linux)
- Traffic over HTTPS
- User Authentication
- Multiuser Support
- Agent Shell Interaction
Microsoft fixed four win32k kernel Escalation of Privilege vulnerabilities in the May security bulletin. This article discovers and analyzes one of these vulnerabilities, a null pointer dereference closed by the patch, and finally attempts to implement proof-of-concept and exploitation code for it. The analysis and debugging take place in a Windows 7 x86 SP1 virtual machine.
To avoid attacks exploiting this vulnerability, users of the Windows operating system must install the latest official security updates as soon as possible.
This article discovers and analyzes a kernel Escalation of Privilege vulnerability caused by a null pointer dereference in the win32k kernel module by matching the patch. According to the information released by FortiGuard Labs, the bug is CVE-2018-8120, which was fixed in the May patch. The vulnerability exists in the kernel function SetImeInfoEx: the function directly reads the memory address pointed to by the spklList field of the target window station without validating that pointer.
It is possible for the spklList field of a window station (tagWINDOWSTATION) object to be 0. If a user process creates a window station whose spklList field points to the NULL address, associates the window station with the current process, and then calls the system service NtUserSetImeInfoEx to set extended IME information, the kernel function SetImeInfoEx accesses memory in the zero page, which is located in the user address space. This access causes a page fault exception, resulting in a system BSOD.
If the exploitation code in the user process allocates zero-page memory in advance, so that the zero page is mapped, and crafts fake kernel objects in it, the kernel function mistakes the data in the zero page for a valid keyboard layout (tagKL) node object, which yields an arbitrary address write primitive. Using this write primitive to overwrite a function pointer field of a particular kernel object (such as tagWND), or to modify the flag bits that indicate kernel-mode or user-mode execution, gives arbitrary code execution, and kernel Escalation of Privilege is ultimately achieved as well.
Continue reading the original article at xiaodaozhi.com
This blog post describes how I got annoyed by vulnerabilities in 3rd-party Windows applications which allowed executing local files, but without parameters. So I decided to find a vulnerability in Windows itself to properly exploit them.
Abusing the download folder
The first idea that could come to mind is abusing the vulnerable application to trigger a download of a file. As soon as the file is downloaded, the vulnerability could be triggered again and the downloaded file gets executed. This approach has two problems:
1) It requires that I am able to trigger a download of a file without user interaction
2) Even if the requirement of step 1 is fulfilled, Windows has another hurdle: the Zone model for downloaded files, or to be exact, Zone.Identifiers
Continue reading the original article
There are currently three different lists.
The goal of these lists is to document every binary, script and library that can be used for Living Off The Land techniques.
Definition of LOLBAS candidates (binaries, scripts and libraries):
- LOLBAS candidates must be present on the system by default or introduced by application/software “installation” from a “reputable” vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
- Can be used as an attacker tool directly, or can perform actions other than what it was intended to do (e.g. regsvr32: execute code from an SCT file online), such as:
  - executing code
  - downloading/uploading files
  - bypassing UAC
  - compiling code
  - getting credentials/dumping processes
  - surveillance (keylogger, network trace)
  - evading logging/removing log entries
  - side-loading/hijacking of DLLs
  - pass-through execution of other programs or scripts (via a LOLBin)
  - pass-through persistence utilizing an existing LOLBin
  - persistence (hiding data in ADS, executing at logon, etc.)
Right now it is me that decides if the files are a valid contribution or not. I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
Every binary, script and library has its own .md file in the subfolders. That way it should be easier to maintain and reuse. I have borrowed examples from the community (and a lot from Red Canary – Atomic Red Team – thanks @subtee). Would really love if the community could contribute as much as possible. That would make it better for everyone. If you think it is hard to make a pull request using GitHub, don't hesitate to send me a tweet and I will add the contribution for you.
Project's GitHub repository
It's well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden Tickets, play with certificates or private keys, vault, … maybe make coffee?
mimikatz comes in two flavors, x64 or Win32, depending on your Windows version (32/64-bit).
The Win32 flavor cannot access 64-bit process memory (like lsass), but can open 32-bit minidumps under 64-bit Windows.
Some operations need administrator privileges or a SYSTEM token, so be aware of UAC from Vista onward.
A collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagements. If you want to contribute to this list, send me a pull request.
- Command and Control
- Lateral Movement
- Establish Foothold
- Escalate Privileges
- Data Exfiltration