Last Week in Security (LWiS) - 2021-03-01

JSON interop vulns (@theBumbleSec), PHPWind RCE presentation (@orange_8361), infra automation (@cedowens), AMSI knowledge (@ShitSecure), actual magic (@JustineTunney), modular password spraying (@0xZDH), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-22 to 2021-03-01.

News

Techniques

Tools and Exploits

  • spraygen is a password list generator for password spraying - prebaked with goodies like sports team names, seasons, years, etc.
  • BadOutlook is a simple PoC which leverages the Outlook Application Interface (COM Interface) to execute shellcode on a system based on a specific trigger subject line. This can be used to build an entire C2 framework that relies on e-mails as a means of communication (where the implant never speaks to the internet directly).
  • 1u.ms is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides an easy-to-use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents. A hosted version is available at 1u.ms. You may want to protect the /last and /log endpoints if self-hosting.
  • Alaris is not technically a new tool (LWiS 2020-10-19), but it has had a major update to use direct syscalls with SysWhispers2, a new builder, and new dynamic encryption primitives.
  • redbean is a single-file distributable web server. It is both a zip file that contains all the content to be served and a truly cross-platform (Windows, Linux, macOS, and BSD) binary web server. This may be actual magic.
  • Callback_Shellcode_Injection contains PoCs for shellcode injection via callbacks. These uncommon API calls are likely much less monitored than standard methods of shellcode injection (although they still use VirtualAlloc).
  • goc2 is a new macOS post-exploitation C2 framework. Pairs with goc2-agent.
  • Omnispray aims to replace tools such as o365spray and provide a modular framework to expand enumeration and spraying beyond just a single target/application.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
  • LsassSilentProcessExit is a new method of causing WerFault.exe to dump lsass.exe process memory to disk for credential extraction via the silent process exit mechanism, without crashing lsass.exe.

This post is cross-posted on SIXGEN's blog.