nixbyte

Recently, it was necessary to write an RCE exploit for a remote UAF N-day vulnerability (ZDI-17-836). This post goes through root cause analysis and exploitation. Also, I present a tool / methodology to avoid heap sprays. primalcerebral.com/blog/egregious…

@byt3bl33d3r @TalBeerySec @cyb3rops @anthomsec @SpecialHoang

@TalBeerySec @cyb3rops @anthomsec github.com/hoangprod/Andr…

Got your special tool, Andrew 😸 #FireEye #RedTeam

@TheRealWover @_RastaMouse Perfect time to get everything up to par then

Hey @nixbyte Are you planning to keep donutCS up to date with new donut releases?

@_RastaMouse @TheRealWover I’ll take a look this week and see exactly “how” far behind I am

@nixbyte @TheRealWover There's quite a lot added in 0.9.3 (current change log: github.com/TheWover/donut…) The one I'm interested in is the -x option, which tells the loader how to exit.

@_RastaMouse @TheRealWover I haven’t been up to date but which feature? I don’t know that the core code needs too much to be updated though. I’ll take a look next week and try to get it updated

@nixbyte @TheRealWover Yeah those guys are machines 😁 I've been using your Nuget package for "stuff" 😏 and it's been awesome. But there's something in 0.9.3 that I'd *really* like in donutCS so was wondering if I was better off waiting or bodging it in somehow.

Thanks to @NCCGroupInfosec for releasing their write up on CVE-2019-1405 and CVE-2019-1322. I figured it is time for me to learn some COM stuff so I whip up a PoC. Source: github.com/apt69/COMahawk . Video: vimeo.com/373051209 Thanks to @leoloobeek and @TomahawkApt69

github.com/n1xbyte/donutCS .NET Core version of @TheRealWover's Donut. Rewrote for dynamic usage with C2 payload generation. Stable in .NET for Linux and Windows. Other cool stuff in store. Possible Nuget package in the futureeeeeezzzzz

@SBousseaden @SwiftOnSecurity And contrary to popular belief the channel (MS_T120) is absolutely needed for RDP. There is just no reason for the client to request it as it's used all internally, server-side

@SBousseaden @SwiftOnSecurity If you don't see log generation on your normal RDP sessions then it could very well be a client attempting to open the channel (scanner, etc) and the server automatically closing or something of the sort. Worth looking into

@SwiftOnSecurity @SBousseaden Since you cannot open this channel arbitrarily like you could in Win7/2008 and below (the root cause of Bluekeep) I'm going to guess that these are internal logs and should not be considered an IoC.

@SwiftOnSecurity @SBousseaden The actual vulnerability was not exploitable in Win8+. You're looking at logs from RDPCoreTS which is the new/unaffected remote desktop services in Win8+. The channel is valid and used internally in every RDS session (Every one I've performed anyways)

After 10 days of minimal sleep and thank to @nixbyte for the majority of the work, here we have it - #bluekeep #LPE. I've learned so much along the way and I am looking forward to the RCE version. vimeo.com/349496580

Like y’all ain’t running burp at 500 threads too

@hannibals @vkamluk hey could one of you guys ping me about Absolute research back from 2014? Questions :)

@jack_daniel i have a bad habit of suggesting things when I'd take the easy way out too haha noip.net it is

@jack_daniel Probably makes the most sense to stand up a server (or two for failover), have all the devices check in to it one on one or more services, log source ip and update records server side

@jack_daniel Custom script with registrar API developer.godaddy.com

@QjA4OFk Thanks!

Nice work btw @nixbyte

#BlueKeep CVE-2019-0708 #BSOD PoC #exploit in action

@notdan @GossiTheDog @2sec4u @MalwareTechBlog @zerosum0x0 So work in progress I imagine will be quite awhile. Thanks nonetheless though

@notdan @GossiTheDog @2sec4u @MalwareTechBlog @zerosum0x0 After talking with zero earlier there is definitely a common agreement that going from this to RCE is no easy task. Kernel pool grooming isn’t so bad locally for kernel sploits but remotely is difficult using just RDP components