1204 matches found
NTLM BITS SYSTEM Token Impersonation Exploit
This Metasploit module exploits BITS behavior, which tries to connect to the local Windows Remote Management server (WinRM) every time it starts. The module launches a fake WinRM server that listens on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server,...
SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.
This module exploits BITS behavior, which tries to connect to the local Windows Remote Management server (WinRM) every time it starts. The module launches a fake WinRM server that listens on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allo...
NTLM BITS SYSTEM Token Impersonation
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/post/windows/reflectivedllinjection' class MetasploitModule 'SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.',...
RogueWinRM - Windows Local Privilege Escalation From Service Account To System
RogueWinRM is a local privilege escalation exploit that allows escalating from a Service account with SeImpersonatePrivilege to the Local System account if the WinRM service is not running (default on Win10 but NOT on Windows Server 2019). Briefly, it will listen for incoming connections on port 5985 fakin...
Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
Exploit Title: Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path Discovery by: Ismael Nava Discovery Date: 02-12-2020 Vendor Homepage: https://www.microsoft.com Software Links : https://www.microsoft.com/en-us/p/xbox-beta/9mv0b5hzvk9z?activetab=pivot:overviewtab Teste...
UBUNTU-CVE-2020-29074
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user...
Deep Instinct Windows Agent 1.2.24.0 Unquoted Service Path
Exploit Title: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path Discovery by: Paulina Girón Discovery Date: 2020-11-07 Vendor Homepage: https://www.deepinstinct.com/ Software Links :...
Canon Inkjet Extended Survey Program 5.1.0.8 - (IJPLMSVC.EXE) - Unquoted Service Path Vulnerability
Exploit Title: Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path Discovery by: Carlos Roa Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home Tested Version: 5.1.0.8 Vulnerability Type: Unquoted Service Path Tested on OS: Windows 7 Professional 6...
Hash Collision
Bouncy Castle is vulnerable to hash collision attacks. The library's keystore files use an HMAC hash that is only 16 bits long, allowing a malicious user to retrieve the password used for keystore integrity verification checks. This vulnerability only affects users of the BKS-V1 keystore format,...
The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data...
Arbitrary Code Execution
GIMP is vulnerable to arbitrary code execution. A heap-based buffer over-read in ReadImage in plug-ins/common/file-tga.c allows an attacker to execute arbitrary code via a malicious bits-per-pixel value for an RGBA image...
U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence
The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors...
LOLBITS v2.0.0 - C2 Framework That Uses Background Intelligent Transfer Service (BITS) As Communication Protocol And Direct Syscalls + Dinvoke For EDR User-Mode Hooking Evasion
LOLBITS is a C2 framework that uses Microsoft's Background Intelligent Transfer Service (BITS) to establish the communication channel between the compromised host and the backend. The C2 backend is hidden behind an apparently harmless Flask web application and is only accessible when the HTTP...
CVE-2020-5917
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2 and BIG-IQ versions 5.2.0-7.0.0, the host OpenSSH servers utilize keys of less than 2048 bits, which are no longer considered secure...
GNU LibreDWG Denial of Service Vulnerability
GNU LibreDWG is a GNU Project C library for working with DWG files. A security vulnerability exists in the bit_calc_CRC function of the bits.c file in GNU LibreDWG version 0.9.3 and earlier. An attacker could exploit this vulnerability to cause a denial of service...
Background Intelligent Transfer Service Privilege Escalation Exploit
This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code executio...
Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR
A flaw was found in the way the Linux kernel derived the IP ID field from a partial kernel space address returned by the net_hash_mix function. A remote user could observe this IP ID field to extract the kernel address bits used to derive its value, which may result in leaking the hash key and...
Background Intelligent Transfer Service Privilege Escalation
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability', 'Description' = %q This module exploits...
Microsoft Windows Multiple Vulnerabilities (KB4561643)
This host is missing a critical security update according to Microsoft KB4561643. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
KB4557957: Windows 10 Version 2004 June 2020 Security Update
The remote Windows host is missing security update 4557957. It is, therefore, affected by multiple vulnerabilities: - An elevation of privilege vulnerability exists in the way that wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute...