Re: ul


Teodolinda Mattson

Jul 13, 2024, 10:04:38 AM
to eravizdis

The MSF eXploit Builder (MSF-XB) is a free win32 application (GUI) that wants to be an Exploit Development Platform. The main goal is to speed up the exploit development process, this is accomplished by using the powerful functionalities and neat design of The Metasploit Framework.

I agree with Pantagruel. The curiosity here is paramount and intoxicating. Although I am not someone who normally looks to craft exploits (not for lack of want), this is something with which I shall have to experiment. I just need to get Windows on a system somewhere.

CVE-2023-23397 is a critical privilege elevation/authentication bypass vulnerability in Outlook, released as part of the March Patch Tuesday set of fixes. The vulnerability, which affects all versions of Windows Outlook, was given a 9.8 CVSS rating and is one of two zero-day exploits disclosed on March 14. We summarise the points that security teams need to know about this vulnerability and how they can mitigate the risks of this gap.

CVE-2023-23397 is an elevation of privilege (EoP) vulnerability in Microsoft Outlook. It is a zero-touch exploit, meaning the security gap requires low complexity to abuse and requires no user interaction.

This feature provides configurable exploit mitigation to safeguard both endpoints and applications from potential vulnerabilities. You can enhance your protection by uploading an XML file with specific settings.

We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code.

The Capesand panel is used to check the status of exploit kit usage. Any threat actors using this exploit kit can also download frontend source code which they can deploy on their server. In the case we identified, the campaign deployed it with their fake blockchain malvertisement. While we checked the frontend source code, we found that it looks similar to a very old exploit kit called Demon Hunter, leading us to believe that Capesand is probably derived from it.

As the source code is described, the exploit kit appears to be upgraded to exploit newer vulnerabilities compared to its parent exploit kit, like CVE-2018-4878 (affects Adobe Flash) and CVE-2018-8174 and CVE-2019-0752 (both affecting Microsoft Internet Explorer). CVE-2019-0752 is a vulnerability discovered by Trend Micro ZDI this year. We also found the same vulnerability being used in a watering-hole attack that delivered SLUB malware.

Another thing to note is that the frontend exploit kit source code package does not include its exploits. Typically, some exploit kits already have the exploits inside the source code. In the case of Capesand, each time the exploit kit wants to deliver an exploit, it needs to send a request to the API of the Capesand server to receive the requested exploit payload. Perhaps this is a way to ensure that the exploits are not shared easily.

All information mentioned above will be encrypted using AES encryption with a pre-generated API key inside a configuration file. When the Capesand server receives the request, it verifies if a valid API key encrypts the request. It also gets information on the usage of the exploit kit by users and collects the information of victims for stats. Then, it returns the exploit payload to the frontend exploit kit and then delivers it to the victim.

As we progressed in our investigation, we observed a Capesand exploit kit in the wild that uses the old IE exploit for CVE-2015-2419. We also identified two exploits for the Adobe Flash vulnerabilities CVE-2018-4878 and CVE-2018-15982 and an exploit for the IE vulnerability CVE-2018-8174 on their server. But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code. This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use.

After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools. The sample execution delivers the payload njRAT version 0.7d. The following diagram shows the complete attack flow with the de-obfuscation layers simplified.

I think it is really important for exploit builders to understand what it takes to build good shellcode. The goal is not to tell people to write their own shellcode, but rather to understand how shellcode works (knowledge that may come in handy if you need to figure out why certain shellcode does not work), and write their own if there is a specific need for certain shellcode functionality, or modify existing shellcode if required.

The first thing you should do, even before trying to disassemble the bytes, is look at the contents of this file. Just looking at the file may already rule out the fact that this may be a fake exploit or not.

While this code is clearly shorter than the others, it may lead to unpredictable results. If an exception handler is set up, and you are taking advantage of the exception handler in your exploit (SEH based exploit), then the shellcode may loop. That may be ok in certain cases (if, for example, you are trying to keep a machine exploitable instead of exploiting it just once).

Skylined recently released the alpha3 encoding utility (improved version of alpha2, which I have discussed in the unicode tutorial). Alpha3 will produce 100% alphanumeric code, and offers some other functionality that may come in handy when writing shellcode/building exploits. Definitely worthwhile checking out!

Out of 98 patches, 11 are rated critical, and 87 are rated important. This large volume of patches is unusual for a January release from Microsoft, and it is momentous to see if this trend continues throughout the year 2023. Additionally, one of the newly addressed vulnerabilities is known to be public, and one is known to be actively exploited at the time of release.

The vulnerability identified as CVE-2023-21674 is a Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Attackers are actively exploiting this vulnerability to gain kernel-level execution and SYSTEM privileges. It allows a local attacker to escalate privileges from sandboxed execution inside Chromium. Vulnerabilities of this nature are frequently leveraged in tandem with malware or ransomware delivery. This vulnerability was reported to Microsoft by researchers from Avast, indicating a potential risk of such malicious activity.

The recently discovered vulnerability, designated as CVE-2023-21743, affects the security features of the Microsoft SharePoint Server and has been rated as critical. An unauthenticated, remote attacker may exploit this vulnerability to launch and establish an anonymous connection to the concerned SharePoint server, thereby bypassing security criteria.
As a result, it is highly advised that system administrators take prompt action to mitigate this vulnerability and upgrade the affected SharePoint Server using the update provided.

The vulnerabilities designated as CVE-2023-21730, CVE-2023-21561, and CVE-2023-21551 in Microsoft Cryptographic Services have been recognised as Elevation of Privilege vulnerabilities. These vulnerabilities can be exploited by a locally authenticated attacker who sends specially crafted data to the local CSRSS service. This allows attackers to elevate their privileges from an AppContainer environment to SYSTEM-level access.

It is important to note that these bugs have not yet been publicly disclosed and currently do not have any known exploitation in the wild, making the likelihood of successful exploitation relatively low. However, it is still crucial to take necessary protection to ensure that the system is secured.

AppContainer is considered a secure boundary, and any process that is able to bypass this boundary means a change in scope. An attacker who successfully exploits these vulnerabilities would be able to execute code or access resources at a higher integrity level than the AppContainer execution environment.

To exploit this vulnerability, an attacker would require valid credentials and must be able to log on locally to a targeted system. An attacker who successfully exploited this vulnerability could gain SYSTEM-level privileges.

These vulnerabilities can be exploited by an unauthenticated attacker who sends a specially crafted connection request to a RAS (Remote Access Server) server. This could lead to remote code execution (RCE) on the RAS server machine. It is important to mention that successfully exploiting these vulnerabilities requires an attacker to take additional actions to prepare the target environment and win a race condition.

These vulnerabilities in Windows Secure Socket Tunneling Protocol (SSTP) are identified as Remote Code Execution vulnerabilities. These vulnerabilities can be exploited by an attacker who sends a specially crafted malicious SSTP packet to an SSTP server. This could result in remote code execution on the server side.

It is essential to note that successfully exploiting these vulnerabilities requires the attacker to win a race condition. While Microsoft has listed the exploit complexity as high due to this requirement, it is vital to rely on something other than that mitigation. It is advised to apply patches. Additionally, monitoring for suspicious activity on the affected systems and implementing network segmentation can also help to limit the potential impact of an exploitation attempt.

There are 14 fixes for vulnerabilities found in the 3D Builder component. These vulnerabilities can be exploited by opening a maliciously crafted file, allowing an attacker to gain code execution at the same level as the logged-in user. The same is true for other bugs related to Visual Studio and Office, including two in Visio.
