RCE using XSS in Electron applications
Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).
Notable is a markdown-based note-taking app that is developed using Electron framework. Notable was originally released as open-source but newer versions of it are no longer open-source.
From a development perspective, an Electron application…
Serialization is the process of converting objects to a sequential stream of bytes so that it can be easily stored in a database or transmitted over a network. Deserialization is the exact opposite of serialization. It is the process of converting this sequential stream of bytes to a fully functional object.
The object’s state is also persisted which means that the object’s attributes are preserved, along with their assigned values. The process of preventing a field from being serialized varies from language to language.
Insecure deserialization is when user-controllable data is deserialized by an application. This allows an attacker to…
I was writing my windows privilege escalation guide when I came across a potential DLL hijacking vulnerability reported by PowerUp. After searching on the internet I found that its due to a vulnerability in the IKEEXT service. I placed the missing DLL
C:\Temp and tried restarting the service IKEEXT service but it did to restart because I did not have enough privileges. I tried using this script and it worked. Now I was curious to know how this script worked. …
Privilege Escalation may be daunting at first but it becomes easier once you know what to look for and what to ignore. Privilege escalation always comes down to proper enumeration. This guide will mostly focus on the common privilege escalation techniques and exploiting them.
The starting point for this tutorial is an unprivileged shell on a box. For demonstration purpose, I have used
netcat to get a reverse shell from a Windows 7 x86 VM.
I cannot stress enough how important enumeration is. There are a lot of cheat sheets out there to extract valuable information from the systems. In…
In this post, we will be exploiting the GMON command of Vulnerver using SEH based buffer overflow. If you are not acquainted with SEH based buffer overflows you can refer to the Exploit Research Megaprimer on Security Tube or Corelan’s tutorials on buffer overflows. If you want to read about vanilla buffer overflows you can read my post here. This post is a writeup for vulnserver and not for understanding how SEH is exploited.
We are running the Vulnserver on a Windows 7 x86 VM without any patches. Keep in mind that your exploit may not work if Windows has…
Bypassing application security checks & manipulating code at runtime.
Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. What this means in simple language is that it can hook function calls made by an application and modify them at runtime. Using this we can easily bypass security checks like root detection and SSL Pinning. It is also possible to get encryption keys which maybe used for encrypting data in the application.
Installing frida is quite easy and you will need the following:
Stack-based buffer overflow exploits are likely the shiniest and most common form of exploit for remotely taking over the code execution of a process. These exploits were extremely common 20 years ago, but since then, a huge amount of effort has gone into mitigating stack-based overflow attacks by operating system developers, application developers, and hardware manufacturers, with changes even being made to the standard libraries developers use.
Arrays allocate storage space in what is called a buffer.
char input; // An array of up to 50 characters.
char c = input  // max
“Every battle is won or lost before it’s ever fought.”
TL;DR useful resources at the end of the post.
The story begins in January, 2018 when I got a cyber security internship. At that time I was still in college and had no idea about cyber security (I did try to hack Wi-Fis and crack windows passwords when I was in school just to be cool 😅 but failed miserably). So after working for around 3–4 months I found out how interesting and vast this field was and decided to pursue this a full time career.
I like computers and offensive security.