
7257 matches found

Malwarebytes
added 2021/05/31 6:15 p.m., 109 views

Revisiting the NSIS-based crypter

This blog post was authored by hasherezade. NSIS (Nullsoft Scriptable Install System) is a framework dedicated to creating software installers. It allows bundling various elements of an application together, i.e. the main executable, used DLLs, configs, along with a script that controls where are th...

0.2 AI score
Exploits: 0

Kitploit
added 2021/05/22 9:30 p.m., 152 views

Charlotte - C++ Fully Undetected Shellcode Launcher

c++ fully undetected shellcode launcher ; releasing this to celebrate the birth of my newborn description 13/05/2021: 1. c++ shellcode launcher, fully undetected 0/26 as of 13th May 2021. 2. dynamic invoking of win32 api functions 3. XOR encryption of shellcode and function names 4. randomised XO...

7.2 AI score
Exploits: 0, References: 2

0day.today
added 2021/05/10 12:0 a.m., 88 views

Linux/x86 - setreuid(0) + execve(/bin/sh) Shellcode (29 bytes)

/ Author: Artur ajes Szymczak 2021 Function: Linux x86 shellcode, setreuid to 0 and then execute /bin/sh Size: 29 bytes Testing: $ gcc -fno-stack-protector -z execstack shellcodetester.c -o shellcode shellcodetester.c: In function ‘main’: shellcodetester.c:25:2: warning: incompatible implicit...

Exploits: 0

0day.today
added 2021/05/03 12:0 a.m., 147 views

Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)

Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode 205 Bytes Shellcode Author: Bobby Cooke boku Tested on: Windows 10 v2004 x64 Shellcode Description: 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method. Contai...

7.4 AI score
Exploits: 0

0day.today
added 2021/05/03 12:0 a.m., 31 views

Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)

Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin BOKU:SP3C1ALM0V3 Shellcode 387 Bytes Shellcode Author: Bobby Cooke boku Tested on: Windows 10 v2004 x64 Compiled from: Kali Linux x8664 Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode Shellcode Description: 64bit Windows 10...

Exploits: 0

Gitee
added 2021/04/20 10:15 a.m., 7 views

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft

This is a proof-of-concept PoC exploit for CVE-2020-0796, also known as SMBGhost, a pre-authentication remote code execution RCE vulnerability in the SMBv3 protocol. The exploit is written in Python and uses the SMB protocol to inject shellcode into the target system. The exploit targets Windows...

10 CVSS, 8.6 AI score, 0.94424 EPSS
Exploits: 124

Securelist
added 2021/04/19 11:30 a.m., 185 views

Targeted Malware Reverse Engineering Workshop follow-up. Part 1

On April 8, 2021, we conducted a webinar with Ivan Kwiatkowski and Denis Legezo, Senior Security Researchers from our Global Research & Analysis Team GReAT, who gave live workshops on practical disassembling, decrypting and deobfuscating authentic malware cases, moderated by GReATs own Dan Demete...

7.3 AI score
Exploits: 0

0day.today
added 2021/04/16 12:0 a.m., 22 views

Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)

Linux/x86 - execve/bin/sh Shellcode 17 bytes Author: s1ege Tested on: i686 GNU/Linux Shellcode length: 17 / ; nasm -felf32 shellcode.asm && ld -melfi386 shellcode.o -o shellcode section .text global start start: push 0x0b pop eax push 0x0068732f push 0x6e69622f mov ebx, esp int 0x80 / include...

0.2 AI score
Exploits: 0

0day.today
added 2021/04/16 12:0 a.m., 332 views

Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)

Linux/x64 - execve/bin/sh Shellcode 21 bytes Author: s1ege Tested on: x8664 GNU/Linux Shellcode Length: 21 / objdump disassembly 401000: 50 push %rax 401001: 48 31 d2 xor %rdx,%rdx 401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 40100b: 2f 73 68 40100e: 53 push %rbx 40100f: 54 push...

7.4 AI score
Exploits: 0

Gitee
added 2021/04/14 9:13 a.m., 2 views

CTF-All-In-One

This is a comprehensive guide to CTF Capture The Flag competitions, specifically focusing on the Pwn binary exploitation aspect. The book is written by Yang Chao, a member of L-Team, and is intended for beginners. It covers the basics of binary exploitation, including memory management, buffer...

7.8 AI score
Exploits: 0

Gitee
added 2021/04/13 7:19 p.m., 4 views

Exploit for Improper Input Validation in Google Chrome

PoC exploit for CVE-2020-16040, an out-of-bounds write vulnerability in the WebAssembly WASM engine of various browsers. The exploit targets the WASM engine's handling of large arrays, allowing an attacker to write arbitrary data to the heap. The exploit is implemented in JavaScript, using the...

6.5 CVSS, 9 AI score, 0.74065 EPSS
Exploits: 14

Packet Storm
added 2021/04/08 12:0 a.m., 271 views

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem ======== ========================================= 0. Overview 1. Details 2. Solution 3. Disclosure Timeline 4. Thanks & Acknowledgements 5. References 6. Credits 7. Legal...

0.5 AI score, 0.36848 EPSS
Exploits: 3

0day.today
added 2021/04/08 12:0 a.m., 55 views

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow Vulnerability

The D-Link DSL-320B-D1 ADSL modem suffers from multiple pre-authentication stack buffer overflow vulnerabilities. Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem ======== ========================================= 0. Overview 1. Details 2. Solution 3. Disclosure Timeline 4...

10 CVSS, 0.1 AI score, 0.36848 EPSS
Exploits: 3

Packet Storm
added 2021/04/06 12:0 a.m., 829 views

Google Chrome 81.0.4044 V8 Remote Code Execution

Exploit Title: Google Chrome prior 83.0.4103.106 V8 - Remote Code Execution Date: 06/04/2021 Exploit Author: Tobias Marcotto Tested on: Kali Linux x64 Version: 83.0.4103.106 Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially...

6.8 CVSS, 0.5 AI score, 0.26284 EPSS
Exploits: 6

Securelist
added 2021/04/05 10:0 a.m., 893 views

The leap of a Cycldek-related threat actor

Introduction In the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropp...

9.3 CVSS, 7.9 AI score, 0.93888 EPSS
Exploits: 7

Packet Storm
added 2021/03/29 12:0 a.m., 308 views

SyncBreeze 10.1.16 Buffer Overflow

Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow Date: 03/27/2021 Author: Filipe Oliveira - filipecenturiaoathotmail.com Rafael Machado - nnszsatprotonmail.com Vendor: https://www.syncbreeze.com/ Software Link:...

6.8 CVSS, 1 AI score, 0.10414 EPSS
Exploits: 4

Kitploit
added 2021/03/28 8:30 p.m., 79 views

BadOutlook - (Kinda) Malicious Outlook Reader

A simple PoC which leverages the Outlook Application Interface COM Interface to execute shellcode on a system based on a specific trigger subject line. By utilizing the Microsoft.Office.Interop.Outlook namespace, developers can represent the entire Outlook Application or at least according to...

7.5 AI score
Exploits: 0, References: 1

Packet Storm
added 2021/03/18 12:0 a.m., 345 views

FastStone Image Viewer 7.5 Buffer Overflow

Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow ASLR & DEP Bypass Exploit Author: Paolo Stagno Date: 15/03/2020 Vendor Homepage: https://www.faststone.org/ Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe...

0.5 AI score
Exploits: 0

0day.today
added 2021/03/18 12:0 a.m., 38 views

FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER (BitCount) Stack Based Buffer Overflow Exploit

Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow ASLR & DEP Bypass Exploit Author: Paolo Stagno Vendor Homepage: https://www.faststone.org/ Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe...

7.4 AI score
Exploits: 0

Exploit DB
added 2021/03/17 12:0 a.m., 322 views

FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)

Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow ASLR & DEP Bypass Exploit Author: Paolo Stagno Date: 15/03/2020 Vendor Homepage: https://www.faststone.org/ Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe...

7.4 AI score
Exploits: 0