Exploit PoCs

joedf
Posts: 8966
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Exploit PoCs

19 Jan 2024, 18:42

@HeffalumpVersion2 as gregster suggests, if you can, PM your PoCs to me instead of posting them here. I will share them with the staff. Thanks. :+1:
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
gregster
Posts: 9035
Joined: 30 Sep 2013, 06:48

Re: Exploit PoCs

19 Jan 2024, 18:57

Thank you, joedf. But until he reaches 10 posts (which could be soon), he can't send PMs, afaik. Until then, if necessary, your email mentioned above?
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

20 Jan 2024, 13:12

geek wrote:
19 Jan 2024, 14:31

Edit to add: If a malicious attacker has access to my computer and is going to establish presence, and has access to write to the CHM file which is normally under Program Files and is accessible only by administrators, don't they have literally endless other better ways to establish persistence than modifying a CHM file? And if we replaced the CHM file with literally anything else that runs as a local application, couldn't they just as easily tamper with that? I don't see what's unique about the chm format that makes this situation more exploitable than not having a chm file.
I got it to work and retested it. Sent PoCs through email.
Last edited by HeffalumpVersion2 on 23 Jan 2024, 18:05, edited 1 time in total.
joedf
Posts: 8966
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Exploit PoCs

20 Jan 2024, 13:40

Yes email is fine too :mrgreen:
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

20 Jan 2024, 15:29

I got it to work and retested it. Sending PoCs through email.
Last edited by HeffalumpVersion2 on 23 Jan 2024, 18:06, edited 1 time in total.
tank
Posts: 3124
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: Exploit PoCs

22 Jan 2024, 14:09

What a bunch of utter dribble and nonsense. Next you're going to say nobody should use CSVs because those are exploitable too. Your post has nothing to do with our hotkey and everything to do with what you think is wrong with help files. This isn't new; nearly every software vendor publishes some kind of help file. If you don't want to use a help file, don't use one. If someone gains access to someone's computer, infecting their help file is probably the last thing that they're going to care about doing. It'd be so much easier to just gain root access and do whatever they want. I don't know if you're like 10 or 11 and just discovering things on the internet, but please. There is no need to post details about common problems; there is literally nothing on your file system that can't be exploited. Get over it.
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

23 Jan 2024, 14:11

tank wrote:
22 Jan 2024, 14:09
What a bunch of utter dribble and nonsense. Next you're going to say nobody should use CSVs because those are exploitable too. Your post has nothing to do with our hotkey and everything to do with what you think is wrong with help files. This isn't new; nearly every software vendor publishes some kind of help file. If you don't want to use a help file, don't use one. If someone gains access to someone's computer, infecting their help file is probably the last thing that they're going to care about doing. It'd be so much easier to just gain root access and do whatever they want. I don't know if you're like 10 or 11 and just discovering things on the internet, but please. There is no need to post details about common problems; there is literally nothing on your file system that can't be exploited. Get over it.
I had to reread what you wrote a few times. I think it really adds to the discussion.
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

23 Jan 2024, 19:34

I went through and I edited my replies. I've been asking for six days for this thread to be made private. This is the fifth or sixth time I've asked. At one point I explained the full attack to someone that was just a random person. Awesome.

We are at 784 views. I've asked half a dozen times over half a dozen days. The wrong person is going to see this.
tank
Posts: 3124
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: Exploit PoCs

23 Jan 2024, 20:05

There is no attack. You are making noise for no reason
tank
Posts: 3124
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: Exploit PoCs

23 Jan 2024, 20:06

You are neither clever nor informative.
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

23 Jan 2024, 21:38

There are at least three or four PoCs. They have been sent in. They clearly show the ability to leak NTLM. They clearly show remote file inclusion. They clearly show remote code execution. You trigger the RCE through the RFI. If you can't understand the PoCs I don't know why you are responding. It works on Windows 10 and it works on Windows 11 -- I've tested them numerous times. I even sent in a video that explains it and it combines the exploits -- ask Joedf for it. Maybe you are a visual learner and you want to see how one exploit enables the other? Ask Joedf. I don't really know how you argue with something that you can see and is demonstrably true. I'm also fairly certain that there's a priv esc and I explained that attack. But, luckily those aren't bugs. When someone said that I needed to be SYSTEM I redid it as a regular user on both Windows 10 and Windows 11. Your developers never put in the time or effort to see if there are any changes or tampering. They also forgot to do any sort of input validation ANYWHERE. At no point did I run into any sort of input validation. That's not a bug either, I guess. Overwriting functions and software that can't be bothered to tell the difference that enables persistence? That's just surprise friends that you can't get rid of! As a non-priv user? No problem! Truly great software! Reliance on things that were abandoned two decades ago for being insecure? Well, akshually Microsoft was wrong and they are very secure. Just ignore the PoCs. ActiveX? Internet Explorer 8? That's all the security you need! Input validation? Never heard of it!

You are also talking out of both sides of your mouth. By your logic any bug that's introduced after an attacker has access isn't a bug. That's very silly and it would mean that a lot of bugs that have been accepted shouldn't be considered bugs. You should go tell everyone. I guess we can start telling everyone that all privilege escalation bugs aren't bugs! Enabling pass the hash? Secret feature for AutoHotkey users. Ability to use software that was abandoned two decades ago as a C2 channel to bring in more malware? Not a bug, actually! A secret feature for AutoHotkey users! Videos and PoCs that clearly show exploits? Maybe if you don't believe in them they don't exist.

The thing you are trying to defend using was abandoned two decades ago for being an unfixable mess. Saying "the bugs I can clearly see here that have been demonstrated on two different OSes isn't a bug because it requires initial access" is silly. You don't get to decide what is an exploit and what isn't. At one point there are arguments that it's not a bug because you'd have to be SYSTEM. When you don't have to be SYSTEM it's still not a bug.

Leaking NTLM? Not a bug. RCE? Nope, not a bug. Persistence? Still not a bug! Lack of input validation? Nope! RFI? No, I don't want to fix this so it's clearly not a bug. Videos that show how you combine the bugs and how you can do it as a regular user? Not a bug!

I keep changing the PoC for whatever nonsense definition of what a bug "is" and it still keeps working. Why do you think that is?
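The tampering concern raised in the post above (a help file that a low-privileged user can rewrite and that an administrator later opens) is something a defender can check for directly. The script below is an added example, not code from the thread or from the AutoHotkey project: it verifies that the installed CHM still matches a known-good SHA-256 and that no principal outside the trusted set holds write, modify or full-control rights on it. The install path and the expected hash are placeholders to be filled in from a clean install.

```powershell
# Added example: tamper check for an installed CHM help file.
# Placeholders (assumptions, not values from the thread): the install path
# and the known-good SHA-256 recorded from a clean install.
param(
    [string]$HelpFile       = 'C:\Program Files\AutoHotkey\AutoHotkey.chm',  # placeholder path
    [string]$ExpectedSha256 = '<KNOWN-GOOD-SHA256-HERE>'                     # placeholder hash
)

$findings = @()

if (-not (Test-Path -LiteralPath $HelpFile)) {
    throw "Help file not found: $HelpFile"
}

# 1. Integrity: has the file changed since the known-good snapshot?
$actual = (Get-FileHash -LiteralPath $HelpFile -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    $findings += "Hash mismatch: expected $ExpectedSha256, got $actual"
}

# 2. Permissions: can a non-admin account write to it? Writable help content
#    means a low-privileged user can stage content that an admin later opens.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$trustedPrincipals = @('BUILTIN\Administrators',
                       'NT AUTHORITY\SYSTEM',
                       'NT SERVICE\TrustedInstaller')

$acl = Get-Acl -LiteralPath $HelpFile
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        $findings += "Write access granted to $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $HelpFile matches the known-good hash and is writable only by trusted principals"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated prompt after installation and again on a schedule; a hash mismatch or an unexpected write-capable ACE is the signal that the help file is no longer what the installer shipped.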
joedf
Posts: 8966
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Exploit PoCs

23 Jan 2024, 22:23

I am not sure I received your email if one was sent. Regardless, you should be able to send a PM on the forums now.
iseahound
Posts: 1448
Joined: 13 Aug 2016, 21:04

Re: Exploit PoCs

23 Jan 2024, 22:30


It’s like saying that somebody’s home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows…)
https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31283
HeffalumpVersion2
Posts: 13
Joined: 18 Jan 2024, 23:05

Re: Exploit PoCs

24 Jan 2024, 01:35

Microsoft refused to classify mimikatz as an exploit for a bit because you already needed access. Quoting Microsoft is like quoting a person that drowned on how not to drown.
tank
Posts: 3124
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: Exploit PoCs

24 Jan 2024, 04:44

You can exploit any file type. The files on our server are clean and secure. You are just wasting everyone's time. You can do way more damage with a malicious ahk script than editing individual chm. Like I said why don't you go cry about the exploits to Csv? Way easier vector. I can only assume you are a neglected child needing attention
guest3456
Posts: 3463
Joined: 09 Oct 2013, 10:31

Re: Exploit PoCs

25 Jan 2024, 12:41

reminds me of jeeswg

joedf
Posts: 8966
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Exploit PoCs

25 Jan 2024, 13:06

The attention and concern is appreciated here, but I am locking this topic as this thread is no longer productive and we will be handling this matter internally.
We shall report any actions or changes accordingly once we know more and reach a consensus. :+1: