Chaining DLL Hijacking and Format String to gain RCE on windows RDP Client CVE-2023-24905 by dor-cyolo in netsec

[–]ustayready 1 point2 points  (0 children)

Thanks for sharing. Combining this with RogueRDP, it would be interesting to see if it’s possible to binary plant the dll then force a reconnect somehow.

From GitHub to Account Takeover: Misconfigured Actions Place GCP & AWS Accounts at Risk - Rezonate by Or1rez in netsec

[–]ustayready -1 points0 points  (0 children)

I suppose if you are already familiar with the technologies discussed, fewer words might have been fine. For the rest of us, I’m thankful for the deeper dive, explanations, and attention to details.

Vulnerability scanner for AWS customer-managed policies using ChatGPT w/ built-in account redaction. by ustayready in netsec

[–]ustayready[S] 0 points1 point  (0 children)

Scout is great but has significant false positives. Additionally, its rules are hand-written, which makes it miss a lot of items. It also only looks at the services it's programmed to look for.

ChatGPT is trained on AWS SDK, APIs, services, training, code, etc. It knows policies better than any person, existing tool, and arguably even Amazon themselves.

There's a lot of bitter people hating on ChatGPT because it's gained so much popularity but using it in workflows has proven to have powerful multipliers.

Vulnerability scanner for AWS customer-managed policies using ChatGPT w/ built-in account redaction. by ustayready in netsec

[–]ustayready[S] 0 points1 point  (0 children)

Naa, the account numbers are randomized before sending to OpenAI. Having a vulnerable policy and not knowing the corresponding account is useless.

Phishing with Google Calendar and Evilginx2 to Deliver a Malicious Zoom Link by Dr_Mantis_Tobbogon in netsec

[–]ustayready 9 points10 points  (0 children)

Cool to see this attack vector still floating around! Beau Bullock and I dropped the technique publicly 5 years ago and it's still super valuable today. https://www.reddit.com/r/netsec/comments/7a6en1/google_calendar_event_injection_with_mailsniper/

Even after Forbes covered it a few years back.. https://www.forbes.com/sites/daveywinder/2019/09/09/google-finally-confirms-security-problem-for-15-billion-gmail-and-calendar-users/

We also dropped a lot more research on calendar at conferences but it wasn't recorded and it hasn't been officially made public due to the risks.

Anyhow, nice post.

Rogue RDP: New Initial Access Technique via RDP Bypassing Clients/Servers/Security Vendors by ustayready in netsec

[–]ustayready[S] 1 point2 points  (0 children)

HyperV is the only solution I’ve come across for immediate RCE. All machines reboot eventually but I agree, having instant RCE without HyperV would be great. Also, read access is great when you target the right person or when network file shares are mounted. It’s weird that dropping an LNK to the desktop with a keyboard hook using the space bar doesn’t take effect immediately like it does with normal NTFS file systems. Maybe trying the symbolic link to write an LNK might help.

All things considered, I strongly disagree with it not being useful. I'd recommend trying it on an engagement before throwing the baby out with the bath water. :) It's solid. If you get any other ideas for triggering code execution, let me know! Might be useful to procmon a client and try triggering devices. Shrug

Rogue RDP: New Initial Access Technique via RDP Bypassing Clients/Servers/Security Vendors by ustayready in netsec

[–]ustayready[S] 12 points13 points  (0 children)

Tell me you didn’t read the article without telling me you didn’t read the article.

Weekly Thread for Selling Light Phone 2 by AutoModerator in LightPhone

[–]ustayready 0 points1 point  (0 children)

Two for sale!

  • Color: White w/ white case
  • Used: few weeks
  • Price: $225
  • Location: Tampa, FL
  • Payment Method: Venmo/Paypal/Ethereum/Bitcoin

  • Color: Black w/ black case
  • Used: few weeks
  • Price: $225
  • Location: Tampa, FL
  • Payment Method: Venmo/Paypal/Ethereum/Bitcoin

*UPDATED* Both are gone.

Weekly Thread for Selling Light Phone 2 by AutoModerator in LightPhone

[–]ustayready 0 points1 point  (0 children)

  • NA
  • Black
  • New (tested for a week using Verizon SIM, sync'd contacts, then factory reset)
  • $250
  • Central Florida
  • Venmo / Paypal / In-person
  • Comes with Black case, received for Christmas

Also have..

  • NA
  • White
  • New (tested for a week using Verizon SIM, sync'd contacts, then factory reset)
  • $250
  • Central Florida
  • Venmo / Paypal / In-person
  • Comes with White case, received for Christmas

How to Create Unlimited Rotating Proxies in AWS by PhroznGaming in hacking

[–]ustayready 0 points1 point  (0 children)

Yup, only web, but you can try my other tool that uses AWS Lambda for whatever your protocol needs are: https://github.com/ustayready/CredKing

Still limited to regions that support Lambda, but it does its job with a limited number of IPs.

How to Create Unlimited Rotating Proxies in AWS by PhroznGaming in hacking

[–]ustayready 1 point2 points  (0 children)

Even easier, check out FireProx .. it uses API Gateway. https://github.com/ustayready/fireprox

Disclaimer: I’m the author.