Unravelling .NET with the Help of WinDBG

This blog was authored by Paul Rascagneres and Warren Mercer.Introduction.NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other...

Counter Strike: Condition Zero - '.BSP' Map File Code Execution

!/usr/bin/env python Counter Strike: Condition Zero BSP map exploit By @DigitalCold Jun 11, 2017 E-DB Note: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42325.zip bsp-exploit-source.zip from binascii import hexlify, unhexlify from struct import pack, unpack...

http-vuln-cve2017-8917 NSE Script

An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, comfields, which was introduced in version 3.7. This component is publicly accessible, which means this can be...

VMware vSphere Data Protection 5.x/6.x - Java Deserialization

!/usr/bin/env python import socket import sys import ssl def getHeader: return '\x4a\x52\x4d\x49\x00\x02\x4b' def payload: cmd = sys.argv4 cmdlen = lencmd data2 =...

Run HTTP Flood DDoS Attacks: Wreckuests

Stress Testing: Run HTTP Flood DDoS Attacks Wreckuests is a script, which allows you to run DDoS attacks with HTTP-floodGET/POST. It’s written in pure Python and uses proxy-servers as “bots”. This script is published for educational purposes only! Features Cache bypass with random ?abcd=efg...

TerraMaster F2-420 NAS TOS 3.0.30 - Root Remote Code Execution

Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/ !/usr/bin/python coding: utf8 Exploit: Unauthenticated RCE as root. Vendor: TerraMaster Product: TOS import sys import requests def upload address, port, filename, path = '/usr/www/' : url =...

DokuWiki Proof Of Concept Shell Upload

c@kali:/src/napalm2.2/modules$ cat shell-dokuwiki.py !/usr/bin/env python shell-dokuwiki.py - module to upload shell, based on previous version created 28.04.2017. Bug 'feature' is exploitable only when you will have a valid credentials. for this proof-of-concept you'll also need host with...

Apple MacOS NSUnarchiver Heap Corruption(CVE-2017-2523)

Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled int using decodeValueOfObjCType:"i" then either passes it to CFCharacterSetGetPredefined or uses it directly to manipulate NSBuiltinSetTable. Neither path has any bounds checking and the...

Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

!/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system depended on what is overwritten The exploit support only x64 target EDB Note: Shellcode - x64...

NETATTACK 2 - An Advanced Wireless Network Scan and Attack Script

NETATTACK 2 is a python script that scans and attacks local and wireless networks. Everything is super easy because of the GUI that makes it unnecessary to remember commands and parameters. FUNCTIONS SCAN-FUNCTIONS Scan for Wi-Fi networks Scan for local hosts in your network ATTACK-FUNCTIONS...

OpenVPN 2.4.0 - Denial of Service

OpenVPN 2.4.0 - Denial of Service !/usr/bin/env python3 ''' $ ./dosserver.py & $ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf ... Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from AFINET192.168.149.1:64249, sid=9a6c48a6 1467f5e1 Fri Feb 24 10:19:19 2017...

Dahua Generation 2/3 - Backdoor Access

!/usr/bin/python2.7 if False: ''' 2017-05-03 Public rerelease of Dahua Backdoor PoC https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py 2017-03-20 With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where...

HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation

HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation Source: https://www.securify.nl/advisory/SFY20170408/localprivilegeescalationvulnerabilityinhidemyassprovpnclientv3xformacos.html Abstract A local privilege escalation vulnerability has been found in the helper binary...

HideMyAss Pro VPN Client 3.3.0.3 Privilege Escalation Vulnerability

HideMyAss Pro VPN client version 3.3.0.3 for OS X suffers from a helper binary com.privax.hmaprovpn.helper local privilege escalation vulnerability. ------------------------------------------------------------------------ Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x f...

Weblate: Bypassing captcha in registration on Hosted site

Hello again, I believe the captcha on the user registration form is very simple and can be easily bypassed to automatically register any number of accounts. A program can read the math captcha, solve it and submit the form with the answer and the other required parameters & headers. Note: I read...

Squirrelmail 1.4.22 Remote Code Execution

Advisory ID: SGMA17-001 Title: Squirrelmail Remote Code Execution Product: Squirrelmail Version: 1.4.22 and probably prior Vendor: squirrelmail.org Type: Command Injection Risk level: 4 / 5 Credit: [email protected] CVE: CVE-2017-7692 Vendor notification: 2017-04-04 Vendor fix:...

Microsoft RTF Remote Code Execution

''' Exploit toolkit CVE-2017-0199 - v2.0 https://github.com/bhdresh/CVE-2017-0199 Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payloa...

Exploit for CVE-2017-0199

Exploit toolkit CVE-2017-0199 - v4.0 Exploit toolkit CVE-201...

Cisco Catalyst 2960 IOS 12.2(55)SE1 Remote Code Execution

!/usr/bin/python Author: Artem Kondratenko @artkond import socket import sys from time import sleep setcredless = True if lensys.argv 3: print sys.argv0 + ' host --set/--unset' sys.exit elif sys.argv2 == '--unset': setcredless = False elif sys.argv2 == '--set': pass else: print sys.argv0 + ' host...

netattack - Scan and Attack Wireless Networks

The netattack.py is a python script that allows you to scan your local area for WiFi Networks and perform deauthentification attacks. The effectiveness and power of this script highly depends on your wireless card. USAGE EASY SCANNING FOR WIFI NETWORKS python netattack.py -scan -mon This example...