Field | Value
---|---
Email address | private
Website | hyp3rlinx.altervista.org
First Active | 2015-04-28
Last Active | 2024-05-31
RansomLord is a proof-of-concept tool that automates the creation of PE files used to neutralize ransomware before it begins encrypting. The tool relies on DLL hijacking: the generated PE files, taken from its x32 or x64 directories, are placed in the directory the ransomware is run from.
RansomLord-generated PE files are saved in the x32 and x64 directories and must be placed in the directories from which the targeted programs execute. The goal of the project is to exploit vulnerabilities inherent in certain ransomware strains by deploying exploits that defend the network. The DLLs may also provide additional coverage against generic malware and info stealers.
Back in 2022, the researcher released a proof of concept to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender, but it no longer works because it was mitigated. However, by adding a simple JavaScript try/catch statement and eval'ing the hex string, it executes again as of the time of this post.
This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could easily be bypassed by passing an extra path traversal when referencing mshtml, but that issue has since been mitigated. The researcher then discovered that multiple commas can also be used to achieve the bypass; that issue was addressed as well. The fix was short-lived, as the researcher found yet another, a third trivial bypass. Previously, the researcher disclosed three bypasses using rundll32 with JavaScript; this example leverages the VBScript and ActiveX engines.
This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could easily be bypassed by passing an extra path traversal when referencing mshtml, but that issue has since been mitigated. The researcher then discovered that multiple commas can also be used to achieve the bypass; that issue was addressed as well. The fix was short-lived, as the researcher has found yet another, a third trivial bypass.
This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could easily be bypassed by passing an extra path traversal when referencing mshtml, but that issue has since been mitigated. However, the researcher discovered that multiple commas can also be used to achieve the bypass.
An issue was discovered on WyreStorm Apollo VX20 versions prior to 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
WyreStorm Apollo VX20 versions prior to 1.3.58 suffer from a cleartext credential disclosure vulnerability when accessing /device/config with an HTTP GET.
An issue was discovered on WyreStorm Apollo VX20 devices prior to version 1.3.58. The Telnet service prompts for a password only after a valid username is entered. Attackers who can reach the Apollo VX20 Telnet service can therefore enumerate valid accounts, allowing for account discovery.
IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 suffer from a remote credential theft vulnerability.
Prior work from this researcher disclosed how PowerShell executes unintended files or Base64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PowerShell command-line single-quote bypass and a PowerShell event-logging failure. On the Windows command line, tab-completing a filename wraps it in double quotes, which can be leveraged to trigger arbitrary code execution. However, if the filename was wrapped in single quotes the technique failed, until now.
The Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution vulnerability due to a flaw in PowerShell's handling of user-provided input that contains a semicolon.
This Python script mints a .ps1 file with an exploitable semicolon condition that allows for command execution from Microsoft Windows PowerShell. This is an updated version of the exploit that works with Python 3.
RSA NetWitness Endpoint EDR Agent version 12.x suffers from incorrect access controls that allow for code execution. Local users can stop the Windows endpoint agent from sending events to a SIEM, or make the agent run user-supplied commands.
This advisory ties together older research on a contact file handling flaw in Microsoft Windows with recent research that uses the same methodologies.
Microsoft Windows Defender suffers from a detection bypass vulnerability due to an inadequate mitigation previously adopted.
Microsoft Windows suffers from a registration file dialog spoofing vulnerability, and Microsoft's last fix for this issue can be bypassed.
Microsoft Internet Explorer suffers from an ActiveX-related bypass vulnerability. Microsoft will not address the issue as the product is end-of-life.
Microsoft Windows cmd.exe suffers from a stack buffer overflow vulnerability.
Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
NtFileSins.py is a Windows file enumeration and intelligence-gathering tool.
CloudMe version 1.11.2 exploit that uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the Administrators group. A requirement for successful exploitation is that the CloudMe.exe process must be running as administrator.