Peneter Tools – Telegram
Security researcher Maddie Stone from Google's Project Zero has published a blog post reviewing the in-the-wild 0-day exploits discovered in 2021:

I added PoCs or available exploits for easier access.

Blog :

https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html


Exploits:


RCE in #Apache HTTP CVE-2021-41773

https://github.com/thehackersbrain/CVE-2021-41773


14 in Google #Chrome

6 JavaScript Engine - v8 (CVE-2021-21148, CVE-2021-30551, CVE-2021-30563, CVE-2021-30632, CVE-2021-37975, CVE-2021-38003)

https://github.com/xmzyshypnc/CVE-2021-30551

https://github.com/Phuong39/PoC-CVE-2021-30632

https://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/v8/CVE-2021-37975

2 DOM Engine - Blink (CVE-2021-21193 & CVE-2021-21206)

1 WebGL (CVE-2021-30554)

1 IndexedDB (CVE-2021-30633)

1 webaudio (CVE-2021-21166)

1 Portals (CVE-2021-37973)

1 Android Intents (CVE-2021-38000)

1 Core (CVE-2021-37976)



7 in Webkit #safari

4 JavaScript Engine - JavaScriptCore (CVE-2021-1870, CVE-2021-1871, CVE-2021-30663, CVE-2021-30665)

1 IndexedDB (CVE-2021-30858)

1 Storage (CVE-2021-30661)

1 Plugins (CVE-2021-1879)



4 in #IE

MSHTML browser engine (CVE-2021-26411, CVE-2021-33742, CVE-2021-40444)

JavaScript Engine - JScript9 (CVE-2021-34448)


10 in #Windows

2 Enhanced crypto provider (CVE-2021-31199, CVE-2021-31201)

2 NTOS kernel (CVE-2021-33771, CVE-2021-31979)

2 Win32k (CVE-2021-1732, CVE-2021-40449)

https://github.com/Al1ex/WindowsElevation/tree/master/CVE-2021-1732

https://github.com/Kristal-g/CVE-2021-40449_poc

1 Windows update medic (CVE-2021-36948)

1 SuperFetch (CVE-2021-31955)

https://github.com/freeide/CVE-2021-31955-POC

1 dwmcore.dll (CVE-2021-28310)

https://github.com/Rafael-Svechinskaya/IOC_for_CVE-2021-28310/blob/main/Malicious%20Payloads

1 ntfs.sys (CVE-2021-31956)

https://github.com/aazhuliang/CVE-2021-31956-EXP



5 in #iOS and #macOS

IOMobileFrameBuffer (CVE-2021-30807, CVE-2021-30883)

https://github.com/jsherman212/iomfb-exploit

XNU Kernel (CVE-2021-1782 & CVE-2021-30869)

https://github.com/synacktiv/CVE-2021-1782

CoreGraphics (CVE-2021-30860)

https://github.com/jeffssh/CVE-2021-30860

CommCenter (FORCEDENTRY sandbox escape - CVE requested, not yet assigned)



7 in #Android

Qualcomm Adreno GPU driver (CVE-2020-11261, CVE-2021-1905, CVE-2021-1906)

ARM Mali GPU driver (CVE-2021-28663, CVE-2021-28664)

Upstream Linux kernel (CVE-2021-1048, CVE-2021-0920)



5 in Microsoft #Exchange Server

(CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

https://github.com/0xAbdullah/CVE-2021-26855

https://github.com/sirpedrotavares/Proxylogon-exploit

https://github.com/hictf/CVE-2021-26855-CVE-2021-27065

(CVE-2021-42321)

https://github.com/DarkSprings/CVE-2021-42321
PoC for an NTLM relay attack dubbed DFSCoerce.

The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

https://github.com/Wh04m1001/DFSCoerce


BadUSB cable based on the ATtiny85 microcontroller. Emulating keyboard and mouse actions, payloads can be completely customized and can be highly targeted. Undetectable by firewalls, AV software (depending on the payload, of course) or visual inspection.

#redteam

https://github.com/joelsernamoreno/BadUSB-Cable


Amsi-Bypass-Powershell

This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods I found on different blog posts.

Most of the scripts are detected by AMSI itself. So you have to find the trigger (https://github.com/RythmStick/AMSITrigger) and change the signature at that part via variable/function renaming, string replacement, or encoding and decoding at runtime. Alternatively, obfuscate them via ISESteroids and/or Invoke-Obfuscation to get them working. You can also take a look at the blog post (https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) about manually changing the signature to get a valid bypass again.


https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Source:
https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf

For more and reference:

https://twitter.com/ShitSecure


Use a Kerberos relay attack to authenticate as that user to an RDP server due to a lack of user checking in the ticket authentication process.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2268


A vulnerability (CVE-2022-34265) in Django is due to improper string processing when executing SQL for the arguments of the Trunc and Extract functions used for date data in Django. By specifying the request parameters as-is in the kind argument of Trunc or the lookup_name argument of Extract, there is a risk that arbitrary SQL statements can be executed. By exploiting this vulnerability, a third party can send commands to the database to access unauthorized data or delete the database.

Affected Versions

Django 3.2.x prior to 3.2.14

Django 4.0.x prior to 4.0.6


Countermeasures

Update to Django 3.2.14 or higher.

Update to Django 4.0.6 or higher.

https://github.com/aeyesec/CVE-2022-34265


A Python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.

Features:

Automatically detects open SMB pipes on the remote machine.

Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.

Analyze mode with --analyze, which only lists the vulnerable protocols and functions listening, without performing a coerced authentication.

Perform the coercion attack on a list of targets from a file with --targets-file.

https://github.com/p0dalirius/Coercer