The Real Hugo
CVE-2022-0847 (Dirty Pipe)
Max Kellermann's post
Vulnerable kernels: 5.8 < version < 5.10.102
If a file can be read, it can also be written to: read permission on the file is enough to overwrite its contents in the page cache.
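A first thing a defender wants from the version range above is a way to classify a host. The check below is an added example, not code from the original page, and it uses the page's lower bound (5.8, where the bug was introduced) together with the stable releases that carry the fix (5.10.102, 5.15.25 and 5.16.11); kernels from 5.17 on are treated as fixed. Distribution kernels backport fixes without changing these numbers, so the result is a hint to confirm against the vendor advisory, not proof.

```c
/* Added example (not from the original page): classify a kernel release
 * string against the CVE-2022-0847 (Dirty Pipe) affected range.
 * Bounds used: 5.8 (bug introduced) up to the stable releases carrying
 * the fix, 5.10.102, 5.15.25 and 5.16.11. Kernels before 5.8 and from
 * 5.17 on are reported as not affected. Distribution kernels backport
 * fixes without bumping these numbers, so treat the answer as a hint. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse the leading "major.minor.patch" of a release string such as
 * "5.10.0-21-amd64"; any trailing suffix is ignored. Returns 0 on failure. */
static int parse_kver(const char *s, struct kver *v) {
    char *end;
    v->major = v->minor = v->patch = 0;
    v->major = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end != '.') return 1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end != '.') return 1;
    s = end + 1;
    v->patch = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    return 1;
}

/* Returns 1 if the release is in the affected range, 0 if it is not,
 * and -1 if the string could not be parsed. */
int dirty_pipe_affected(const char *release) {
    struct kver v;
    if (!parse_kver(release, &v)) return -1;
    if (v.major != 5) return 0;                 /* 4.x and earlier, 6.x and later */
    if (v.minor < 8 || v.minor >= 17) return 0; /* before the bug / after the fix */
    switch (v.minor) {
    case 10: return v.patch < 102;
    case 15: return v.patch < 25;
    case 16: return v.patch < 11;
    default: return 1; /* 5.8, 5.9, 5.11-5.14 went EOL upstream without the fix */
    }
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    int r = dirty_pipe_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "in affected range" :
           r == 0 ? "outside affected range" : "unparseable release string");
    return r == 1 ? 1 : 0;
}
```

The program exits non-zero when the running kernel falls in the range, so it can be dropped into an inventory script as-is.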
Usage
splice(2)
moves data between files and through pipes without copying it between kernel and user address space
permissions on anonymous pipes are not checked against the file the data came from
read-only permissions on the file's pages do not matter at the pipe level
splice puts part of a file page into the pipe; a subsequent write to the same pipe then lands in that page-cache page and overwrites the file's cached contents
PIPE_BUF_FLAG_CAN_MERGE
the flag has to be set on the pipe buffer for the later write to be merged into the page, which is what makes the write reach the file
works as long as the write starts at a non-zero offset into a page, i.e. at least one byte of the page has to be spliced first
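To see the first of these points concretely (file data entering a pipe without passing through a user-space buffer), here is an added example that is not part of the original notes. It splices a constructed temporary file into a pipe and reads the bytes back; it does not perform the overwrite and writes nothing into the pipe itself.

```c
/* Added example (not from the original page): move bytes from a regular
 * file into a pipe with splice(2) and read them back out. This is the
 * mechanism the notes describe: the file's page-cache page is attached to
 * the pipe buffer rather than copied through a user-space buffer. The file
 * contents are constructed sample data. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample contents written to a temporary file. */
const char *SAMPLE = "constructed sample file contents for the splice demo\n";

/* Splice up to `len` bytes of `fd_in`, starting at file offset `off`, into a
 * fresh pipe, then read the pipe into `out`. Returns bytes received, or -1. */
ssize_t splice_through_pipe(int fd_in, off_t off, char *out, size_t len) {
    int p[2];
    if (pipe(p) < 0) return -1;
    /* The file side carries an explicit offset; the pipe side takes NULL. */
    ssize_t moved = splice(fd_in, &off, p[1], NULL, len, 0);
    close(p[1]);
    if (moved < 0) { close(p[0]); return -1; }
    ssize_t total = 0;
    while (total < moved) {
        ssize_t n = read(p[0], out + total, (size_t)(moved - total));
        if (n <= 0) break;
        total += n;
    }
    close(p[0]);
    return total;
}

/* Write SAMPLE to a temp file and splice it through a pipe into `out`
 * (NUL-terminated; `outlen` must exceed strlen(SAMPLE)).
 * Returns the byte count, or -1 on error. */
int demo_splice(char *out, size_t outlen) {
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(SAMPLE, f);
    fflush(f);
    ssize_t n = splice_through_pipe(fileno(f), 0, out, outlen - 1);
    fclose(f);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[256];
    int n = demo_splice(buf, sizeof buf);
    if (n < 0) { perror("splice demo"); return 1; }
    printf("spliced %d bytes through the pipe: %s", n, buf);
    return strcmp(buf, SAMPLE) != 0;
}
```

The fixed kernels initialise the flags of the pipe buffers that splice creates, so PIPE_BUF_FLAG_CAN_MERGE is no longer left set and a later write to the pipe gets its own buffer instead of being merged into the page-cache page.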