A new Windows C implant from @_batsec_, a tool to detect .NET in memory by @domchell, big updates to Covenant from @cobbr_io, a new process injection technique from @0x00dtm, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-01 to 2020-06-08. No MITRE ATT&CK techniques are in brackets this week, too much content!
News
- Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution. Normally I would jump on the chance to shame Zoom, but these vulnerabilities are pretty weak - a path traversal that can drop an empty exe, or a code snippet that could drop an exe that requires a user to click to save. These are legitimate vulnerabilities that should be patched (and were, in just 5 days and a month respectively), but they do not merit the 8.5/8.0 CVSS scores that Talos gave them. Judge for yourself - TALOS-2020-1055 and TALOS-2020-1056.
- Zoom to exclude free calls from end-to-end encryption to allow FBI cooperation. Normally cooperation with the FBI is assumed, but Eric Yuan, Zoom's CEO, said in a call with analysts, "we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose." At least he is being open about it.
- Wallpaper crash explained: Here's how a simple image can soft-brick phones. We've seen comedy bugs like this in iOS before, but this is the first for Android in a long time. A good reminder that, despite how reliable modern software seems, it's all susceptible to silly bugs that can bring it all down.
- Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way. Firefox steps back its DNS over HTTPS push, fearing a possible DDoS against providers when all users update in a short timespan. Interesting to see a major browser take a step back like this. The default provider is Cloudflare, which seems like the most qualified entity to handle a large influx of traffic.
Techniques
- Chimichurri Reloaded - Giving a Second Life to a 10-year-old Windows Vulnerability brings back CVE-2010-2554 (Vista!) by having Windows authenticate to itself (à la the *Potato exploits). Another great one from @itm4n.
- Retrieving ntdll Syscall Stubs from Disk at Run-time is an interesting technique for keeping Windows syscalls flexible. However, it may increase the detection rate of your tool, so be sure to test before abandoning static syscall tables. For a different take on the same technique, check out HellsGate (obligatory C# version here). Want more syscall information from this week? Check out Using Syscalls to Inject Shellcode on Windows.
- smjobbless is a showcase for launching a privileged helper via SMJobBless() and communicating with it using XPC. For more information on XPC, see LWiS 2020-05-18 (Adobe LPE) and 2020-03-23 (Abusing & Securing XPC in macOS apps).
- Detecting and Advancing In-Memory .NET Tradecraft. With all the .NET tools released over the past year and more, defenders needed a break. @domchell discusses methods of detecting in-memory .NET and provides a proof of concept tool to do so.
- Applied Purple Teaming is the courseware and labs for @DefensiveOGs's 4-hour course, Applied Purple Teaming: Infrastructure, Threat Optics, and Continuous Improvement. Some great content, and good scripts to use as inspiration for lab setup.
- Red Team: How to embed Golang tools in C#. If you've been writing your tools in Go but still want to take advantage of all the great C# implants/loaders, this blog will show you how to wrap your Go code and load it in memory with C#!
- When it’s not only about a Kubernetes CVE… When everything has a web API, a server side request forgery (SSRF) bug can be an infrastructure bug.
- The WizardOpium LPE: Exploiting CVE-2019-1458 explores an older kernel exploit from December 2019. This is a great starting point if you are interested in Windows kernel exploitation.
- Guide to Setting Up Android Pentesting Lab. Many developers consider mobile applications "safer" than desktop applications due to the hurdle of getting access to a phone (i.e., jailbreaking, rooting, etc.) for testing. This post gives a step-by-step walkthrough on setting up a virtual Android lab to start exploring.
- NINA: x64 Process Injection is a new experimental process injection technique with a hard restriction on the usage of common and "dangerous" functions, i.e. WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, CreateRemoteThread, NtCreateThreadEx, QueueUserApc, and NtQueueApcThread. PoC code here.
Tools and Exploits
- epic_shell is a new PHP webshell with encryption that shows a decoy 404 page for anyone browsing it without the proper key. shell_exec is required for proper functionality.
- SMBGhost_RCE_PoC is the remote version of the LPE released a few months ago that works against Windows 10 1903 (SMBv3 compression). Full technical writeup here.
- CVE-2020-3956 is a proof of concept exploit for a VMware Cloud Director remote code execution vulnerability. Full writeup here, demo here.
- Covenant v0.5 is not a new tool, but this update includes a new cross-platform .NET Core implant: Brute.
- shad0w, from @_batsec_, is a post-exploitation framework designed to operate covertly in heavily monitored environments. It is written in C, uses syscalls, blocks userland API hooking, and can load basically anything (.NET, DLL, EXE, VBS, JS, XSL) into memory. Code here.
- kerbrute is a script to perform Kerberos brute-forcing using impacket.
- HawkEye is a malware dynamic instrumentation tool based on the frida.re framework. It hooks common functions to log malware activity and outputs the results in a nice web page report. Use it in your sandbox to get nice HTML reports. Demo here.
- SharpCollection is a repository of nightly builds of common C# offensive tools, fresh from their respective master branches, built and released in a CI/CD fashion using Azure DevOps release pipelines. Great use of CI to keep tools fresh and built for different framework versions.
- SwiftBelt is a macOS enumerator inspired by @harmj0y's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in a fast and comprehensive way. This one is fairly new (30 days), so it must have slipped by, but it looks to have very good results for a one-shot subdomain enumeration tool. Give it a try on your next assessment or bug bounty.
This post is cross-posted on SIXGEN's blog.