Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution
Discovery / credits: Malvuln John Page aka hyp3rlinx (c) 2024 Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Beastdoor.oq Vulnerability: Unauthenticated Remote Command Execution...
NimHollow - Nim Implementation Of Process Hollowing Using Syscalls (PoC)
Playing around with the Process Hollowing technique using Nim. Features: Direct syscalls for triggering Windows Native API functions with NimlineWhispers. Shellcode encryption/decryption with AES in CTR mode. Simple sandbox detection methods from the OSEP course by @offensive-security. AMSI...
Backdoor.Win32.Tonerok.d Code Execution
Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/b297c565899ace88f40e5da833f41561.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Tonerok.d Vulnerability: Unauthenticated Remote Command Execution Description: The...
Virus.Win32.Sality.gen Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/423a5a63bed721e479c156b309bb58fd.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Virus.Win32.Sality.gen Vulnerability: Insecure Permissions Description: Sality.gen creates a dir nam...
Microsoft Windows RRAS Service MIBEntryGet Overflow Exploit
This Metasploit module exploits an overflow in the Windows Routing and Remote Access Service RRAS to execute code as SYSTEM. The RRAS DCERPC endpoint is accessible to unauthenticated users via SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts; however, this module targets Windo...
Phorpiex Insecure Permissions / Privilege Escalation
Discovery / credits: malvuln - Malvuln.com (c) 2021 Original source: http://malvuln.com/advisory/f4d7d721f68bc9a80aaf53bc184a3c58.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Phorpiex Vulnerability: Insecure permissions EoP Description: Change permissions are granted to...
Astaroth Spy Trojan Uses Facebook, YouTube Profiles to Cover Tracks
Facebook and YouTube profiles are at the heart of an ongoing phishing campaign spreading the Astaroth trojan, bent on the eventual exfiltration of sensitive information. The attack is sophisticated in that it uses normally trusted sources as cover for malicious activities – thus evading usually...
CVE-2019-3971
Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to a local Denial of Service affecting CmdVirth.exe via its LPC port "cmdvrtLPCServerPort". A low privileged local process can connect to this port and send an LPCDATAGRAM, which triggers an Access Violation due to hardcoded NULLs used fo...
MS08-067: Vulnerability in Server service could allow remote code execution
MS08-067: Vulnerability in Server service could allow remote code execution Support for Windows Vista Service Pack 1 SP1 ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 SP2. For more information, refer to this...
Windows Kernel 64-bit stack memory disclosure in msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage(CVE-2018-0896)
We have discovered that the msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage function sends an ALPC message with portions of uninitialized memory from the local stack frame on Windows 7 64-bit (other versions were not tested). The message is 0x18 bytes long, 8 of which are uninitialized. The layout of...
Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
Introduction TLS Thread Local Storage callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and...
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...
Windows Manage Privilege Based Process Migration
This module will migrate a Meterpreter session based on session privileges. It will do everything it can to migrate, including spawning a new User level process. For sessions with Admin rights: It will try to migrate into a System level process in the following order: ANAME if specified,...
McAfee DAT 5958 Issues
US-CERT is aware of public reports indicating that McAfee DAT release 5958 is incorrectly identifying the valid system file, C:\Windows\system32\svchost.exe, as containing malicious code. Reports indicate that a false positive detection occurs on Windows XP Service Pack 3 systems. Symptoms includ...
Microsoft RRAS Service Overflow
$Id$ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require 'msf/core' class Metasploit3 'Microsoft RR...
Immunity Canvas: MS08_049
Name| ms08049 ---|--- CVE| CVE-2008-1457 Exploit Pack| CANVAS Description| EventSystem Service Overflow Notes| CVE Name: CVE-2008-1457 VENDOR: Microsoft Notes: Due to the fact that the svchost.exe instance where the EventSystem service is running is DEP protected, and that all loaded DLLs have GS...
MS Windows RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)
No description provided by source. This file is part of the Metasploit Framework and may be redistributed according to the licenses defined in the Authors field below. In the case of an unknown or missing license, this file defaults to the same license as the core Framework dual GPLv2 and Artisti...
MS Windows NetrWkstaUserEnum() Remote DoS Exploit (0day)
No description provided by source. !/usr/bin/python MS Windows Workstation Service NetrWkstaUserEnum 0day Memory Allocation Remote DoS Exploit Bug discovered by h07 [email protected] Tested on:.. - Windows XP SP2 Polish - Windows 2000 SP4 Polish + All Microsoft Security Bulletins Example: wksdos.py...
CVE-2006-5614
CVE-2006-5614 concerns Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP SP2 with Internet Connection Sharing enabled. The vulnerability allows remote attackers to trigger a denial-of-service (svchost.exe crash) by sending a malformed DNS query that leads to a null pointer dere...