Last Week in Security (LWiS) - 2023-04-10

Windows installer LPE (@a_denkiewicz), unhooking without direct syscalls (@Kharosx0), dynamic linking injection (@praetorianlabs), suspending AV (@freefirex2), dir2json (@bitsadmin), DPAPISnoop (@lefterispan), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-03-20 to 2023-04-10.

News

Techniques and Write-ups

Tools and Exploits

  • Tool Release - shouganaiyo-loader: A Tool to Force JVM Attaches. Inject your own Java code into processes that have disabled the agent attach API.
  • PoC for CVE-2023-28206 - exploit for an out-of-bounds write in the IOSurfaceAccelerator, allowing a malicious actor to execute arbitrary code with kernel privileges on macOS/iOS by utilizing a specially crafted application. Note this is just a kernel panic PoC.
  • EPScalate - Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.
  • OffensiveCpp - This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
  • Implant execution via PrintBrm.exe - use PrintBrm to extract & execute an implant from an ISO.
  • EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists.
  • PhoenixC2 - Command & Control-Framework created for collaboration in python3. This looks very alpha.
  • HardHatC2 - A C# Command & Control framework. Another alpha C2, but this one has a lot of features in the agent already.
  • dir2json - Tool for efficient directory enumeration. Read the blog post.
  • DPAPISnoop - A C# tool to output crackable DPAPI hashes from user MasterKeys.
  • GodPotato - ImpersonatePrivilege == SYSTEM. At this point I think it's just a feature of Windows.
  • Chaos-Rootkit - x64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities.
  • rogue - A barebones template of 'rogue' aka a simple recon and agent deployment I built to communicate over ICMP. Well, without the ICMP code.
  • wmiexec-Pro - Lateral movement with WMI using only port 135.
  • inline-syscall - Inline syscalls made for MSVC supporting x64 and x86.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • serge - A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy-to-use API.
  • Game Hacks: Among Us - IL2CPP Walkthrough. The same techniques can be used to locate sensitive data and craft exploits in more serious applications.
  • espanso - Cross-platform Text Expander written in Rust.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.