
1579 matches found

0day.today
added 2017/04/21 12:0 a.m. | 126 views

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution Exploit

Exploit for windows platform in category remote exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote...

7.2 CVSS | 7.7 AI score | 0.3014 EPSS
Exploits: 11
exploitpack
added 2017/04/20 12:0 a.m. | 75 views

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10...

10 CVSS | 0.5 AI score | 0.3014 EPSS
Exploits: 11
Exploit DB
added 2017/04/20 12:0 a.m. | 122 views

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI serve...

10 CVSS | 7.6 AI score | 0.3014 EPSS
Exploits: 11
seebug.org
added 2017/04/19 12:0 a.m. | 118 views

Windows: ManagementObject Arbitrary .NET Serialization RCE (CVE-2017-0160)

Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI server over DCOM using System.Management classes or the Powershell...

10 CVSS | 8.3 AI score | 0.3014 EPSS
Exploits: 11
myhack58
added 2017/04/17 12:0 a.m. | 2595 views

CVE-2017-0199: Microsoft Office RTF vulnerability using the PoC-vulnerability warning-the black bar safety net

0x01 description From FireEye detect and publish CVE-2017-0199 since, I have been researching this vulnerability in Microsoft officially released the patch, I decided to release this PoC. I use way possible with other researchers using different methods, the use of the method may be little bit...

8.5 AI score | 0.94302 EPSS
Exploits: 29
FireEye
added 2017/04/12 3:0 p.m. | 180 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3 CVSS | 8.2 AI score | 0.94302 EPSS
Exploits: 29 | References: 3
FireEye
added 2017/04/12 11:0 a.m. | 858 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3 CVSS | 8.3 AI score | 0.94302 EPSS
Exploits: 29
Kitploit
added 2017/04/11 2:2 p.m. | 146 views

PoshC2 - Powershell C2 Server and Implants

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework...

7.4 AI score
Exploits: 0 | References: 2
Microsoft KB
added 2017/04/11 7:0 a.m. | 80 views

Security and Quality Rollup for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: April 11, 2017

Security and Quality Rollup for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: April 11, 2017 Note Known issues in this security update After you apply this security update, the PowerShell v3.0+ stop-computer...

7.8 CVSS | 8.2 AI score | 0.13007 EPSS
Exploits: 2
myhack58
added 2017/04/11 12:0 a.m. | 148 views

Against DeviceGuard: in-depth analysis of the CVE-2017-0007-vulnerability warning-the black bar safety net

Over the past few months, I have had the pleasure of studying Device Guard user-mode integrity (UMCI) together with Matt Graeber and Casey Smith. If you are not familiar with Device Guard, you can read: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide. I...

2.1 CVSS | 6.6 AI score | 0.0121 EPSS
Exploits: 1
n0where
added 2017/04/10 4:25 a.m. | 375 views

Windows PowerShell LLMNR/NBNS spoofer: Inveigh

Windows PowerShell LLMNR/NBNS spoofer Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted...

0.2 AI score
Exploits: 0 | References: 1
n0where
added 2017/04/03 4:13 p.m. | 18 views

WMI Based Agentless Post-Exploitation PowerShell RAT: WMImplant

WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant will likely require local administrator permissions on the targeted machine. It is designed to run both...

0.3 AI score
Exploits: 0 | References: 1
FireEye
added 2017/04/03 8:0 a.m. | 78 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

0.6 AI score
Exploits: 0
FireEye
added 2017/04/03 8:0 a.m. | 32 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

7.3 AI score
Exploits: 0
ThreatPost
added 2017/03/23 3:21 p.m. | 182 views

Malware That Targets Both Microsoft, Apple Operating Systems Found

Researchers came across a malicious Word document last week that doesn’t discriminate between OS platforms. The malicious Word document is designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it’s opened. Like many other strains of malware these days, the sample,...

9.3 CVSS | 1.2 AI score | 0.94354 EPSS
Exploits: 33 | References: 4
FireEye
added 2017/03/23 12:0 p.m. | 27 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

Exploits: 0
FireEye
added 2017/03/23 12:0 p.m. | 87 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

7.7 AI score
Exploits: 0
Kitploit
added 2017/03/21 2:30 p.m. | 13 views

Dr0p1t-Framework 1.2 - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers? In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a dropper that bypasses most AVs and has some tricks. Features: Framework works with Windows and Linux. Download executable on target system and...

7.4 AI score
Exploits: 0 | References: 1
Prion
added 2017/03/17 12:59 a.m. | 24 views

Security feature bypass

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

2.1 CVSS | 5.6 AI score | 0.0121 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
NVD
added 2017/03/17 12:59 a.m. | 24 views

CVE-2017-0007

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

5.5 CVSS | 5.7 AI score | 0.0121 EPSS
Exploits: 1 | References: 4