Affected Product: TP-Link TL-WA855RE Version: tested on TL-WA855RE(EU)_V5_200415 (possible earlier versions too) Description: TP-Link TL-WA855RE V5 20200415-rel37464 d evices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The…
If you’re interested in removing some of the memory protections (especially around RWX) in the Linux kernel version 5+, here are some pointers: In the arch folder, edit the Kconfig file, and look for config STRICT_KERNEL_RWX and config STRICT_MODULE_RWX. You…
If you ever want to disable the WriteProtect (WP) bit you’ll need to read/write access to the CR0 register. The problem is that the write_cr0 function provided by the linux kernel has been tweaked to prevent this exact thing. Here…
Here is a really small Go reverse shell (30-ish lines of code that includes comments). Environment setup: Download/install Go from here. If you use Windows, you may want to download/install the TDM-GCC compiler from here as well. Code: First, we…
Below is a basic example on how to use the detours library to hook APIs. #include <stdio.h> #include <windows.h> #include <detours.h> // API that we want to hook DWORD (WINAPI * Real_SleepEx)(DWORD dwMilliseconds, BOOL bAlertable) = SleepEx; // This function…
I’ve made some changes to bytefuzz to support files generated by other fuzzers. I’ve used the domato fuzzer to generate 1000 html files and then through bytefuzz, I’ve sent those files to a browser that I use when I do…
Let’s assume you have a program that just crashed and you have a core dump. You can enable core dumps by using the ulimit -c unlimited command. If you want to analyze what happened, here are some steps you can…
If you want to do web app security testing using either Chrome or Chromium, you may want to disable a few security options so you can actually go through your test cases. You can use the same command line parameters…
If you have a hash for either a domain admin or a local admin on a domain controller, you can use mimikatz to exfil the entire Active Directory database. From mimikatz, run the following command to spawn a shell as…
If you’re doing a penetration test and you’ve got credentials for an account on a remote machine, you can try to run remote commands by taking advantage of the PowerShell remoting feature. First make sure that the TCP ports 5985/5986…
