Often times while writing a proof of concept for an exploit or doing vulnerability research its necessary to make a raw syscall on Windows. Usually syscalls are called by a thin wrapping function in userland, often provided as an exported function from within a DLL. Many of these userland functions modify and manipulate the arguments prior to passing them to the kernel, which ... READ MORE
I’ve Got 1.2 Million Keys But A Private Ain’t One
GitHub has grown in popularity over the past few years as one of the defacto standard locations to share and collaborate on open source projects. Accounts on GitHub are encouraged to use key based authentication, and to that end, users to upload a public key to allow them to authenticate to their accounts while making changes to code. This summer I crawled, collected, and ... READ MORE
An Analysis of MS16-098 / ZDI-16-453
This past patch Tuesday, Microsoft released MS16-098, a patch for multiple vulnerabilities in "Kernel-Mode Drivers". Within this patch, the vulnerability identified as CVE-2016-3308 and ZDI-16-453 was addressed. This post is an analysis of this vulnerability and how it could potentially be leveraged by an attacker in the form of a Local Privilege Escalation (LPE) ... READ MORE
King Phisher 1.3 Released
Yesterday RSM released the latest version of its open source Phishing Campaign toolkit, King Phisher. This new release includes some very exciting new features. One of the two primary new features is the addition of auto-completion for the Jinja and basic HTML tags in the message editor. King Phisher supports a large number of template variables on top of the ones built into ... READ MORE
SMShing Like Clockwork
Phishing utilizing SMS messages or SMShing is an increasingly common technique used in European countries. Many users are very aware that they should not trust all incoming email messages and thus it might be desirable for a pentester to try and take a different approach. To meet this need, the King Phisher project now includes simple instructions on how to send SMS messages as ... READ MORE
BMP / x86 Polyglot
It's often desirable for an attacker to cover their tracks and hide their actions. This is often accomplished by randomization of any combination of bytes and strings, order of contact or time delays. While this can be effective in certain scenarios, a trained eye will still be suspicious of anomalous data traveling across their network. Take as a prime example the recent trend ... READ MORE
King Phisher 1.1 Released
King Phisher version 1.1 has been released today with numerous improvements since the last release in October. One of the most exciting new features is the ability to send phishing emails in the form of calendar invites. This causes an email to be sent to the target that looks like a typical meeting request. More information on using the new calendar invite mode (including an ... READ MORE
5 Tips For Pentesters Switching To Python 3
Python has been a popular language among penetration testers from some time now and is used extensively here at RSM. Python version 3 has been out since December 2008 and yet many scripts currently being produced by the security community exclusively target version 2.7. Given that Python 2.7 is in maintenance mode only at this point, it's important for people to have the tools ... READ MORE
King Phisher 1.0 Released
Since it's inception almost two years ago King Phisher has changed the way we at RSM provide email based social engineering services to our clients. We have integrated it into our external penetration testing methodology as well as relied on it for dedicated social engineering assessments. At the time, other phishing projects did not have the flexibility to meet all of the ... READ MORE
Crontab One Time Payload Execution
Recently, I was writing an exploit for a vulnerability that I had discovered in a Linux based server application. The flaw, when successfully exploited, allowed a file to be written anywhere on the file system with the permissions of the user running the server. In the case of the application I was targeting, it was often executed as root in order to bind to a privileged port ... READ MORE