FrankSpierings

Requirements

sudo apt update -y
sudo apt install -y yubikey-manager

Unlock LUKS boot

FrankSpierings

FROM ubuntu:focal AS build

ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get update \
 && apt-get dist-upgrade -y \
 && apt-get install -y locales sudo \
 && rm -rf /var/lib/apt/lists/*

RUN locale-gen en_US.UTF-8 \

FrankSpierings

<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title></title>
</head>

<body>

FrankSpierings

The Marshalled OBJREF

• https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
• https://github.com/foxglovesec/RottenPotato/blob/80d797742b9828057b49e100e8dd421646243f0a/Potato/Potato/TestClass.cs#L7
• Explanation of the nested objref and how it connects to localhost

        unsafe void IMarshal.MarshalInterface(Windows.Win32.System.Com.IStream pStm, Guid* riid, void* pv, uint dwDestContext, void* pvDestContext, uint mshlflags)
        {
            uint written;

FrankSpierings

References

• This is mostly other peoples work!

• https://www.tiraniddo.dev/2022/06/finding-running-rpc-server-information.html

• https://www.powershellgallery.com/packages/NtObjectManager/2.0.1

• https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/

Install tiraniddo's NtObjectManager in PowerShell

FrankSpierings

<!DOCTYPE html>
<html lang="en">

<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/pdf.js/4.1.392/pdf.min.mjs" type="module"></script>
</head>

<body>
    <h1>CVE-2024-4367</h1>
    <div id="pdf-viewer"></div>

FrankSpierings

Java.perform(() => {
    // Register a new WebAppInterface Javascript environment
    const WebView = Java.use('android.webkit.WebView');    
    const WebAppInterface = Java.registerClass({
        name: 'com.evil.WebAppInterface',
        fields: {
            mContext: 'android.content.Context',
        },
        methods: {
            $init: [{

FrankSpierings

# From the current working directory...

mkdir -p app/src/main/res/values
mkdir -p app/src/main/res/layout
mkdir -p app/src/main/java/com/example/helloworld
cat > app/src/main/AndroidManifest.xml << _EOF
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helloworld">

FrankSpierings

for app in /var/containers/Bundle/Application/*; do
  guid=$(basename "$app")
  name=$(plutil $app/*.app/Info.plist | grep CFBundleIdentifier)
  echo "$name => $guid"
done

FrankSpierings

Java.perform(function() {
    var TextView = Java.use("android.widget.TextView");

    // Constants for InputType flags
    var TYPE_CLASS_TEXT = 0x00000001;
    var TYPE_CLASS_NUMBER = 0x00000002;
    var TYPE_CLASS_PHONE = 0x00000003;
    var TYPE_CLASS_DATETIME = 0x00000004;

    var TYPE_TEXT_VARIATION_PASSWORD = 0x00000080;