Offensive Security
Check CVE-2024-6387 https://github.com/xaitax/CVE-2024-6387_Check
The provided exploit code is optimized only for the i386 (32-bit) architecture.
https://github.com/zgzhang/cve-2024-6387-poc
https://github.com/zgzhang/cve-2024-6387-poc
Lesser Known Linux Persistence Mechanisms
John Hammond
https://youtu.be/whhOYRWd_rs?si=ThofWaLJoEauQkfH
John Hammond
https://youtu.be/whhOYRWd_rs?si=ThofWaLJoEauQkfH
YouTube
Lesser Known Linux Persistence Mechanisms
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: h…
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: h…
SERVER-SIDE TEMPLATE INJECTION:
https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/
https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/
Check Point Research
Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities - Check Point Research
Executive Summary Research by Erez Goldberg Server-Side Template Injection (SSTI) vulnerabilities refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates. This allows them to execute arbitrary…
CVE-2025-39727
CVE-2025-39727 is a security vulnerability in the Linux kernel, specifically within the memory management (mm) subsystem, affecting the swap handling mechanism. The issue occurs due to a potential buffer overflow in the setup_clusters() function. In the setup_swap_map() function, only bad pages within the range (0, last_page] are checked. However, if maxpages is less than last_page, setup_clusters() may access memory beyond its allocated buffer when processing a badpage with an index greater than or equal to maxpages. This can lead to undefined behavior, including system crashes, memory corruption, or privilege escalation under certain conditions.
⸻
Potential Impact
This vulnerability is serious because it resides in the Linux kernel, which operates at ring 0, giving full control over system resources. Potential consequences include:
1. Local Privilege Escalation (LPE):
• A user with local access could exploit this vulnerability to overwrite kernel memory structures, potentially gaining root privileges.
• Example: Modifying the cred structure of a process to escalate a low-privilege account to full administrative rights.
2. Denial of Service (DoS):
• The overflow may trigger a kernel panic, crashing the system.
• Example: A server handling swap-intensive workloads could become unavailable until rebooted.
3. Memory Corruption / Data Leakage:
• The buffer overflow could corrupt adjacent kernel memory, leading to unpredictable behavior. In some scenarios, it may allow reading sensitive kernel data.
Note: Unlike some other kernel vulnerabilities, remote exploitation is highly unlikely without local code execution, as attackers must influence the swap system or memory directly.
⸻
Technical Details
The vulnerability arises from improper bounds checking in setup_clusters():
If badpages[i] >= maxpages, clusters[] is accessed out-of-bounds, leading to a heap or stack memory corruption.
This memory corruption can have multiple outcomes:
• Overwriting critical kernel structures → privilege escalation.
• Overwriting control data → kernel panic (DoS).
• In rare cases, manipulating data to execute code in kernel context (requires bypassing SMEP/SMAP/KASLR).
⸻
Example Scenario
1. A Linux server (e.g., Ubuntu 24.04) is running a vulnerable kernel.
2. An attacker has local access (low-privilege user or compromised process).
3. The attacker runs a crafted program that injects invalid badpage entries into the swap system, triggering the overflow in setup_clusters().
4. Consequences may include:
• Escalating privileges to root.
• Crashing the system (DoS).
• Potentially corrupting kernel memory or leaking sensitive data.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-39727
https://git.kernel.org/stable/c/152c1339dc13ad46f1b136e8693de15980750835
#Kernel #Linux
CVE-2025-39727 is a security vulnerability in the Linux kernel, specifically within the memory management (mm) subsystem, affecting the swap handling mechanism. The issue occurs due to a potential buffer overflow in the setup_clusters() function. In the setup_swap_map() function, only bad pages within the range (0, last_page] are checked. However, if maxpages is less than last_page, setup_clusters() may access memory beyond its allocated buffer when processing a badpage with an index greater than or equal to maxpages. This can lead to undefined behavior, including system crashes, memory corruption, or privilege escalation under certain conditions.
⸻
Potential Impact
This vulnerability is serious because it resides in the Linux kernel, which operates at ring 0, giving full control over system resources. Potential consequences include:
1. Local Privilege Escalation (LPE):
• A user with local access could exploit this vulnerability to overwrite kernel memory structures, potentially gaining root privileges.
• Example: Modifying the cred structure of a process to escalate a low-privilege account to full administrative rights.
2. Denial of Service (DoS):
• The overflow may trigger a kernel panic, crashing the system.
• Example: A server handling swap-intensive workloads could become unavailable until rebooted.
3. Memory Corruption / Data Leakage:
• The buffer overflow could corrupt adjacent kernel memory, leading to unpredictable behavior. In some scenarios, it may allow reading sensitive kernel data.
Note: Unlike some other kernel vulnerabilities, remote exploitation is highly unlikely without local code execution, as attackers must influence the swap system or memory directly.
⸻
Technical Details
The vulnerability arises from improper bounds checking in setup_clusters():
// simplified conceptual example
for (i = 0; i < nr_badpages; i++) {
page = badpages[i];
// no check if page >= maxpages
clusters[page / CLUSTER_SIZE]++;
}
If badpages[i] >= maxpages, clusters[] is accessed out-of-bounds, leading to a heap or stack memory corruption.
This memory corruption can have multiple outcomes:
• Overwriting critical kernel structures → privilege escalation.
• Overwriting control data → kernel panic (DoS).
• In rare cases, manipulating data to execute code in kernel context (requires bypassing SMEP/SMAP/KASLR).
⸻
Example Scenario
1. A Linux server (e.g., Ubuntu 24.04) is running a vulnerable kernel.
2. An attacker has local access (low-privilege user or compromised process).
3. The attacker runs a crafted program that injects invalid badpage entries into the swap system, triggering the overflow in setup_clusters().
4. Consequences may include:
• Escalating privileges to root.
• Crashing the system (DoS).
• Potentially corrupting kernel memory or leaking sensitive data.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-39727
https://git.kernel.org/stable/c/152c1339dc13ad46f1b136e8693de15980750835
#Kernel #Linux
🔥1
Exploiting an array-Out-Of-Bounds vulnerability in the Linux network packet scheduler (CVE-2025-37752)
https://syst3mfailure.io/two-bytes-of-madness/
#CVE #Linux
https://syst3mfailure.io/two-bytes-of-madness/
#CVE #Linux
The book MAoS, written by Uriel Kosayev, an Israeli author and researcher, was recently published. About this book, he wrote:
• It is the result of several years of practical and personal research, including long nights of reverse engineering and real-world incident response experiences.
• Its content is designed to be highly operational, going far beyond theory alone.
کتاب MAoS اثر اورئیل کوسایف، نویسنده و محقق اسرائیلی، بهتازگی منتشر شده است. او درباره این کتاب نوشت:
• این کتاب حاصل چندین سال پژوهش عملی و شخصی است؛ شامل شبهای طولانی مهندسی معکوس و تجربههای مستقیم از Incident Responseهای واقعی.
• محتوای آن کاملاً عملیاتی طراحی شده و تنها به مباحث تئوری محدود نمیشود.
https://www.amazon.com/MAoS-Analysis-Steroids-Real-World-Engineering/dp/B0FQF2Z176
• It is the result of several years of practical and personal research, including long nights of reverse engineering and real-world incident response experiences.
• Its content is designed to be highly operational, going far beyond theory alone.
کتاب MAoS اثر اورئیل کوسایف، نویسنده و محقق اسرائیلی، بهتازگی منتشر شده است. او درباره این کتاب نوشت:
• این کتاب حاصل چندین سال پژوهش عملی و شخصی است؛ شامل شبهای طولانی مهندسی معکوس و تجربههای مستقیم از Incident Responseهای واقعی.
• محتوای آن کاملاً عملیاتی طراحی شده و تنها به مباحث تئوری محدود نمیشود.
https://www.amazon.com/MAoS-Analysis-Steroids-Real-World-Engineering/dp/B0FQF2Z176
👍1
How an Attacker’s Blunder Gave Us a Rare Look Inside Their Day-to-Day Operations
در این وبلاگ، تیم Huntress گزارشی از یک اشتباه مهاجم ارائه میدهد که منجر به دسترسی به فعالیتهای روزانه او شد.
Tweet:
https://x.com/huntresslabs/status/1965450929987031484?s=46
Blog:
https://www.huntress.com/blog/rare-look-inside-attacker-operation
#malware #threat
در این وبلاگ، تیم Huntress گزارشی از یک اشتباه مهاجم ارائه میدهد که منجر به دسترسی به فعالیتهای روزانه او شد.
Tweet:
https://x.com/huntresslabs/status/1965450929987031484?s=46
Blog:
https://www.huntress.com/blog/rare-look-inside-attacker-operation
#malware #threat
LockBit is down again —XOXO from Prague
LockBit's 5.0 panel just got wrecked
lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad.onion
#LockBit #Ransomware
LockBit's 5.0 panel just got wrecked
lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad.onion
#LockBit #Ransomware
New HybridPetya ransomware can bypass UEFI Secure Boot
https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
BleepingComputer
New HybridPetya ransomware can bypass UEFI Secure Boot
A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
YUREI & THE GHOST OF OPEN SOURCE RANSOMWARE
https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/
https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/
Forwarded from Peneter Tools (Soheil)
usenix25-tlbsidechannel.pdf
1.1 MB
This is a research paper and it shows that some Linux kernel hardening tricks accidentally create TLB side-channel leaks that let an unprivileged attacker find where critical kernel objects live, for example heap objects, page tables and kernel stacks. The authors use allocator shaping plus Evict+Reload-style TLB measurements and show practical results on recent Intel CPUs and kernels.
این یه مقالهٔ تحقیقاتیه که نشون میده چندتا از مکانیزمهای سختسازی کرنل لینوکس به صورت ناخواسته الگوهای نشتی توی TLB درست میکنن و با این کار میشه آدرس اشیای حساس کرنل مثل ساختارهای heap، جداول صفحه و استک کرنل رو لو داد. روششون ترکیبیه از دستکاری تخصیصدهندهها و اندازهگیریهای شبیه Evict+Reload روی TLB و تو آزمایشها روی پردازندههای جدید اینتل و کرنلهای مدرن کار کرده.
#kernel #linux
این یه مقالهٔ تحقیقاتیه که نشون میده چندتا از مکانیزمهای سختسازی کرنل لینوکس به صورت ناخواسته الگوهای نشتی توی TLB درست میکنن و با این کار میشه آدرس اشیای حساس کرنل مثل ساختارهای heap، جداول صفحه و استک کرنل رو لو داد. روششون ترکیبیه از دستکاری تخصیصدهندهها و اندازهگیریهای شبیه Evict+Reload روی TLB و تو آزمایشها روی پردازندههای جدید اینتل و کرنلهای مدرن کار کرده.
#kernel #linux
👍2