v-p-b / Avpwn
List of real-world threats against endpoint protection software
Stars: ✭ 179
Projects that are alternatives of or similar to Avpwn
Herpaderping
Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
Stars: ✭ 614 (+243.02%)
Mutual labels: vulnerability, exploits, antivirus
raptor infiltrate20
#INFILTRATE20 raptor's party pack
Stars: ✭ 24 (-86.59%)
Mutual labels: exploits, vulnerability
CVE-2019-8449
CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
Stars: ✭ 66 (-63.13%)
Mutual labels: exploits, vulnerability
Vfeed
The Correlated CVE Vulnerability And Threat Intelligence Database API
Stars: ✭ 826 (+361.45%)
Mutual labels: vulnerability, exploits
Springbootvulexploit
SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list
Stars: ✭ 3,196 (+1685.47%)
Mutual labels: exploits, vulnerability
H4cker
This repository is primarily maintained by Omar Santos and includes thousands of resources related to ethical hacking / penetration testing, digital forensics and incident response (DFIR), vulnerability research, exploit development, reverse engineering, and more.
Stars: ✭ 10,451 (+5738.55%)
Mutual labels: vulnerability, exploits
Huorong vulnerabilities
Huorong Internet Security vulnerabilities 火绒安全软件漏洞
Stars: ✭ 85 (-52.51%)
Mutual labels: vulnerability, antivirus
Hacker ezines
A collection of electronic hacker magazines carefully curated over the years from multiple sources
Stars: ✭ 72 (-59.78%)
Mutual labels: vulnerability, exploits
Arissploit
Arissploit Framework is a simple framework designed to master penetration testing tools. Arissploit Framework offers simple structure, basic CLI, and useful features for learning and developing penetration testing tools.
Stars: ✭ 114 (-36.31%)
Mutual labels: vulnerability, exploits
Exploit Framework
🔥 An Exploit framework for Web Vulnerabilities written in Python
Stars: ✭ 144 (-19.55%)
Mutual labels: vulnerability, exploits
Js Vuln Db
A collection of JavaScript engine CVEs with PoCs
Stars: ✭ 2,087 (+1065.92%)
Mutual labels: vulnerability
Flying Sandbox Monster
Sandboxed, Rust-based, Windows Defender Client
Stars: ✭ 158 (-11.73%)
Mutual labels: antivirus
Burp Retire Js
Burp/ZAP/Maven extension that integrate Retire.js repository to find vulnerable Javascript libraries.
Stars: ✭ 157 (-12.29%)
Mutual labels: vulnerability
Cve Check Tool
Original Automated CVE Checking Tool
Stars: ✭ 172 (-3.91%)
Mutual labels: vulnerability
Vulscan
Advanced vulnerability scanning with Nmap NSE
Stars: ✭ 2,305 (+1187.71%)
Mutual labels: vulnerability
Hacker101
Source code for Hacker101.com - a free online web and mobile security class.
Stars: ✭ 12,246 (+6741.34%)
Mutual labels: vulnerability
Exploits
Exploits by 1N3 @CrowdShield @xer0dayz @XeroSecurity
Stars: ✭ 154 (-13.97%)
Mutual labels: exploits
AVPWN
List of real-world threats against endpoint protection software - For future reference. The list is based on public information and thus is obviously incomplete.
The list should include:
- Non-public 0-day exploits at the time of reference
- Public incidents where attackers exploited endpoint protection software
- Supporting public evidence should be provided for all records
The list doesn't include:
- Exploits intentionally disclosed to the vendor in any way (including full uncoordinated disclosure)
- Detection bypasses, because I don't want to fill up the storage space of GitHub
- Attacks or exploits against perimeter products, because I'm lazy
The List
Name | Link | Internal ID | Server Side | Client Side | Known Incident |
---|---|---|---|---|---|
avast! Local Information Disclosure | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-005 | 0 | 1 | Brokered |
avast! Local Privilege Escalation | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-010 | 0 | 1 | Brokered |
McAfee ePolicy Orchestrator Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-019 | 1 | 0 | Brokered |
McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-023 | 1 | 0 | Brokered |
McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-024 | 1 | 0 | Brokered |
ESET NOD32 Antivirus and ESET Smart Security Remote Pre-auth Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 2010-0021 | 0 | 1 | Brokered, Sold |
Symantec AntiVirus Remote Stack Buffer Overflow | http://www.securityfocus.com/news/11426 | CVE-2006-2630 | 0 | 1 | Exploited ItW |
McAfee Stinger Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492400.html | Fine Dining | 0 | 1 | CIA collection |
Sophos Virus Removal Tool DLL sideloading | https://wikileaks.org/ciav7p1/cms/page_27263043.html | Fine Dining | 0 | 1 | CIA collection |
Kaspersky TDSS Killer Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492393.html | Fine Dining | 0 | 1 | CIA collection |
ClamWin Portable DLL Hijack | https://wikileaks.org/ciav7p1/cms/page_27262995.html | Fine Dining | 0 | 1 | CIA collection |
Kaspersky ?? SUID command injection | https://hackmd.io/s/r1gLMUUpx | evolvingstrategy | 0 | 1 | EQGRP exploit leaked by Shadow Brokers |
Symantec rastlsc.exe DLL side-loading | https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf | OceanLotus | 0 | 1 | ESET report |
Trend Micro Office Scan server ZIP path traversal | https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/ | CVE-2019-18187 | 1 | 0 | Mitsubishi Electric |
Trend Micro Apex One and OfficeScan migration tool RCE | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8467 | 1 | 0 | N/A |
Trend Micro Apex One and OfficeScan content validation escape | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8468 | 0 | 1 | N/A |
Windows Defender buffer overflow | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647 | CVE-2021-1647 | 0 | 1 | Exploitation was detected before fix was released. Snort rules detect shellcode. May be related to the SolarWinds breach (although this remark was deleted from ZDI's original post) |
Immortal exploits
The following list contains exploits of "immortal" vulnerabilities - ones that for some reason can't be fixed by the vendor.
Name | Link | Internal ID | Server Side | Client Side | Known Incident |
---|---|---|---|---|---|
Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
Agnitum Sandbox.sys Kernel Driver Arbitrary DLL Loading | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
Honorable mentions
- As of November 2016. Zerodium (a prominent vulnerability broker) is offering up to $40.000 for Antivirus LPE/RCE
- In 2017. the price for AV LPE exploits dropped to $10.000 (presumably because of the easy accessibility to such exploits).
- In 2014. Kaspersky reported that the Careto malware was attempting to exploit a vulnerability in their products "to make the malware 'invisible' in the system". The targeted vulnerability was fixed in 2008.
- In 2015. Kaspersky reported a compromise of their own systems. According to the report "neither [Kaspersky's] products nor services have been compromised", and attackers were after information about "ongoing investigations [...] detection methods and analysis capabilities". In 2017 NYT reported that Kaspersky was compromised by the Israeli intelligence that found that Russian services were using the companies infrastructure/products to "scour the world for U.S. secrets".
- In 2013. Bit9, a security firm mostly known for it's white-list based endpoint protection product, was hacked and code-signing certificates with private keys were stolen. With these, attackers were able to sign malware with Bit9's code-signing certificate. The signed malware was used to bypass Bit9 protection on the client.
- In May 2019. Advanced Inteligence LLC claimed that Fxmsp - a threat actor they've been monitoring for some time - compromised four antivirus companies including Symantec, Trend Micro, and McAfee. Fxmsp was said to sell access to the source code and internal networks on the darknet. Advanced Intelligence LLC was registered right before the announcement in Delaware.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].