Offensive Security
Check CVE-2024-6387 https://github.com/xaitax/CVE-2024-6387_Check
The provided exploit code is optimized only for the i386 (32-bit) architecture.
https://github.com/zgzhang/cve-2024-6387-poc
Lesser Known Linux Persistence Mechanisms
John Hammond
https://youtu.be/whhOYRWd_rs?si=ThofWaLJoEauQkfH
YouTube
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: h…
SERVER-SIDE TEMPLATE INJECTION:
https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/
Check Point Research
Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities - Check Point Research
Executive Summary Research by Erez Goldberg Server-Side Template Injection (SSTI) vulnerabilities refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates. This allows them to execute arbitrary…
CVE-2025-39727
CVE-2025-39727 is a vulnerability in the Linux kernel's memory management (mm) subsystem, in the swap-area setup code (mm/swapfile.c). The bug is a potential buffer overflow in setup_clusters(). When a swap area is activated, setup_swap_map() only checks that each bad page listed in the swap header lies in the range (0, last_page]. If maxpages (the number of pages of the area the kernel will actually use) is smaller than last_page, setup_clusters() then accesses memory beyond the cluster buffer when it processes a bad page with an index greater than or equal to maxpages. This is undefined behaviour in the kernel: system crashes, memory corruption or, under certain conditions, privilege escalation.
⸻
Potential Impact
This vulnerability is serious because it resides in the Linux kernel, which operates at ring 0, giving full control over system resources. Potential consequences include:
1. Local Privilege Escalation (LPE):
• An attacker who can get a crafted swap area activated (swapon() requires CAP_SYS_ADMIN, so in practice an administrator, automation, or an already-compromised privileged process) could use the out-of-bounds write to corrupt kernel memory structures, potentially gaining root privileges.
• Example: Modifying the cred structure of a process to escalate a low-privilege account to full administrative rights.
2. Denial of Service (DoS):
• The overflow may trigger a kernel panic, crashing the system.
• Example: A server handling swap-intensive workloads could become unavailable until rebooted.
3. Memory Corruption / Data Leakage:
• The buffer overflow could corrupt adjacent kernel memory, leading to unpredictable behavior. In some scenarios, it may allow reading sensitive kernel data.
Note: Remote exploitation is highly unlikely. The bad-page list is read from the swap header when a swap area is activated, and swapon() requires CAP_SYS_ADMIN, so an attacker needs local code execution plus a way to get a crafted or corrupted swap file or partition enabled.
⸻
Technical Details
The vulnerability arises from improper bounds checking in setup_clusters():
// simplified conceptual sketch of the pre-fix loop in setup_clusters() (mm/swapfile.c);
// the real code calls inc_cluster_info_page(), which increments cluster_info[page / SWAPFILE_CLUSTER].count
for (i = 0; i < nr_badpages; i++) {
    page = badpages[i];
    // setup_swap_map() only guaranteed 0 < page <= last_page; nothing checks page < maxpages
    clusters[page / CLUSTER_SIZE]++;
}
If badpages[i] >= maxpages, the index page / CLUSTER_SIZE can exceed the number of clusters the array was sized for (nr_clusters is derived from maxpages, not from last_page), so clusters[] is written out of bounds. The cluster array is allocated with kvcalloc(), so this is an out-of-bounds increment into heap/vmalloc memory, not the stack: a counter increment at an offset the swap header influences, a limited but real corruption primitive. The fix (commit 152c1339dc13) skips bad pages whose index is >= maxpages before counting them.
This memory corruption can have multiple outcomes:
• Overwriting critical kernel structures → privilege escalation.
• Overwriting control data → kernel panic (DoS).
• In rare cases, manipulating data to execute code in kernel context (requires bypassing SMEP/SMAP/KASLR).
⸻
Example Scenario
1. A Linux server (e.g., Ubuntu 24.04) is running a vulnerable kernel.
2. The attacker has local access and a way to get a swap area activated, for example via an administrator, automation (fstab), or an already-compromised privileged process, since swapon() requires CAP_SYS_ADMIN.
3. The attacker supplies a crafted swap file or partition whose header declares a last_page larger than the number of pages the kernel will actually use (so maxpages < last_page) and lists bad pages with indices >= maxpages; activating it triggers the overflow in setup_clusters().
4. Consequences may include:
• Escalating privileges to root.
• Crashing the system (DoS).
• Potentially corrupting kernel memory or leaking sensitive data.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-39727
https://git.kernel.org/stable/c/152c1339dc13ad46f1b136e8693de15980750835
#Kernel #Linux
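As an added illustration (not code from the kernel or from the linked commit), the following C program simulates the bad-page accounting described above. A constructed swap header claims a last_page of 4095 while the kernel settles on maxpages = 1024, which can happen when the kernel truncates an oversized area to the architecture's maximum swap offset. The unpatched loop derives a cluster index from any bad page that passes the (0, last_page] check; the patched loop, following the idea of commit 152c1339dc13, skips bad pages at or beyond maxpages. The simulation counts the out-of-bounds increments instead of performing them so it stays well-defined; names such as simulate_swapon, demo_header and the MAX_BADPAGES bound are this example's own and do not exist in the kernel.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added simulation of the CVE-2025-39727 bad-page accounting; this is not kernel code.
 * SWAPFILE_CLUSTER mirrors mm/swapfile.c (256 on 4K-page x86); MAX_BADPAGES is a toy bound. */
#define SWAPFILE_CLUSTER 256UL
#define MAX_BADPAGES 16

/* Subset of the on-disk swap signature page (union swap_header, .info in the kernel). */
struct swap_header_info {
	unsigned int last_page;            /* highest page index the header claims */
	unsigned int nr_badpages;
	unsigned int badpages[MAX_BADPAGES];
};

/* State of one simulated setup_clusters() pass. */
struct cluster_sim {
	unsigned long nr_clusters;   /* DIV_ROUND_UP(maxpages, SWAPFILE_CLUSTER) */
	unsigned int *count;         /* stands in for cluster_info[].count, kvcalloc'd in the kernel */
	unsigned long oob_writes;    /* increments the unpatched kernel would make past the buffer */
};

/* setup_swap_map() validates bad pages only against the header: 0 < page <= last_page.
 * maxpages, which the kernel may have truncated below last_page, is not consulted. */
static int passes_header_check(const struct swap_header_info *hdr, unsigned long page)
{
	return page != 0 && page <= hdr->last_page;
}

/* fixed == 0: pre-patch behaviour, any header-valid bad page is counted into its cluster.
 * fixed == 1: behaviour after the fix, bad pages with index >= maxpages are skipped.
 * An out-of-bounds increment is counted rather than performed to keep this defined. */
static void setup_clusters_sim(struct cluster_sim *sim, const struct swap_header_info *hdr,
			       unsigned long maxpages, int fixed)
{
	for (unsigned int i = 0; i < hdr->nr_badpages; i++) {
		unsigned long page = hdr->badpages[i];

		if (!passes_header_check(hdr, page))
			continue;
		if (fixed && page >= maxpages)      /* the missing check */
			continue;
		unsigned long idx = page / SWAPFILE_CLUSTER;
		if (idx >= sim->nr_clusters) {      /* real kernel: ci->count++ past the allocation */
			sim->oob_writes++;
			continue;
		}
		sim->count[idx]++;
	}
}

/* Size the cluster array from maxpages like the kernel, run the loop, and return how many
 * out-of-bounds writes the chosen code path would have made. count0 receives cluster 0's count. */
unsigned long simulate_swapon(const struct swap_header_info *hdr, unsigned long maxpages,
			      int fixed, unsigned int *count0)
{
	struct cluster_sim sim = { 0 };

	sim.nr_clusters = (maxpages + SWAPFILE_CLUSTER - 1) / SWAPFILE_CLUSTER;
	sim.count = calloc(sim.nr_clusters, sizeof(*sim.count));
	if (!sim.count)
		return (unsigned long)-1;
	setup_clusters_sim(&sim, hdr, maxpages, fixed);
	if (count0)
		*count0 = sim.count[0];
	free(sim.count);
	return sim.oob_writes;
}

/* Constructed header: claims 4096 pages (16 clusters); with maxpages = 1024 the kernel
 * sizes only 4 clusters, and two of the three bad pages fall beyond them. */
struct swap_header_info demo_header(void)
{
	struct swap_header_info hdr = { .last_page = 4095, .nr_badpages = 3 };
	hdr.badpages[0] = 10;      /* cluster 0: in bounds either way */
	hdr.badpages[1] = 2000;    /* cluster 7: beyond the 4 sized clusters */
	hdr.badpages[2] = 4000;    /* cluster 15: beyond the allocation */
	return hdr;
}

/* Helpers over the constructed header for quick checks. */
unsigned long demo_oob_writes(unsigned long maxpages, int fixed)
{
	struct swap_header_info hdr = demo_header();
	return simulate_swapon(&hdr, maxpages, fixed, NULL);
}

unsigned int demo_cluster0_count(unsigned long maxpages, int fixed)
{
	struct swap_header_info hdr = demo_header();
	unsigned int c0 = 0;
	simulate_swapon(&hdr, maxpages, fixed, &c0);
	return c0;
}

int main(void)
{
	printf("unpatched, maxpages=1024: %lu out-of-bounds cluster writes\n", demo_oob_writes(1024, 0));
	printf("patched,   maxpages=1024: %lu out-of-bounds cluster writes\n", demo_oob_writes(1024, 1));
	return 0;
}
```

With maxpages equal to last_page + 1 (no truncation) the same header produces no out-of-bounds write on either path, which is why the bug only surfaces when the kernel uses fewer pages than the header advertises.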
Exploiting an array-Out-Of-Bounds vulnerability in the Linux network packet scheduler (CVE-2025-37752)
https://syst3mfailure.io/two-bytes-of-madness/
#CVE #Linux
The book MAoS, written by Uriel Kosayev, an Israeli author and researcher, was recently published. About this book, he wrote:
• It is the result of several years of practical and personal research, including long nights of reverse engineering and real-world incident response experiences.
• Its content is designed to be highly operational, going far beyond theory alone.
https://www.amazon.com/MAoS-Analysis-Steroids-Real-World-Engineering/dp/B0FQF2Z176
How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
In this blog post, the Huntress team reports on an attacker's mistake that gave them a view into his day-to-day operations.
Tweet:
https://x.com/huntresslabs/status/1965450929987031484?s=46
Blog:
https://www.huntress.com/blog/rare-look-inside-attacker-operation
#malware #threat