Spentera Blog

Windows Red Team Lab Review

Windows Red Team Lab Review

Students will be given remote desktop access to student machines that are connected to the Windows Active Directory with least privilege, and privilege escalation on student machine is part of challenge.

Zahir Accounting Enterprise Plus 6 <= build 10b 0day Exploit Vulnerability Discovery

Exploit Development

Zahir Accounting Enterprise Plus 6 <= build 10b 0day Exploit Vulnerability Discovery

Zahir Accounting adalah software akuntansi yang sangat banyak digunakan oleh tingkatan SOHO (Small Office Home Office) di Indonesia. Selain harganya yang terjangkau, Zahir memiliki fitur yang lebih dari cukup untuk

FileRun: Blind SQL Injection Vulnerability

Security Advisory

FileRun: Blind SQL Injection Vulnerability

We discovered a vulnerability during a pentest in a file sharing web application named FileRun. It allows us to access files anywhere through a self-hosted secure cloud storage, backup and

CyberLink LabelPrint: Buffer Overflow

Exploit Development

CyberLink LabelPrint: Buffer Overflow

It’s been a while since our last post about exploitation. This time, we try to explain a stack-based overflow on Cyberlink LabelPrint, a tool to assist in designing

ALLPlayer: Buffer Overflow (SEH Unicode)

Exploit Development

ALLPlayer: Buffer Overflow (SEH Unicode)

After playing around with unicode stack overflow, I try to do it on an application called AllPlayer. The techniques used are not much different, so the result will be the

NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion

NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion

We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.647) during a pentest. We believe that this vulnerability is quite rare and worth to share. Local File Inclusion

SMB Exploit (MS17-010) dengan EternalBlue dan DoublePulsar

SMB Exploit (MS17-010) dengan EternalBlue dan DoublePulsar

EternalBlue dapat digunakan untuk melakukan eksploitasi pada layanan Server Message Block (SMB) tanpa membutuhkan proses otentikasi. Kemudian ditambah dengan menggunakan DoublePulsar untuk mengirim sekaligus mengeksekusi malicious Dynamic-Link Libraries (DLL) atau

Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin

Security Advisory

Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin

We discovered a vulnerability in a WordPress plugin called Simple Login Log Plugin. Vulnerability: Authenticated Blind SQL Injection, Source IP Address Manipulation Affected Version: 1.1.1 (below version may

Hackfest 2016 Orcus Walkthrough

Hackfest 2016 Orcus Walkthrough

This is a write up for Hackfest 2016 Orcus found in Vulnhub, just to fill my leisure time! Download here Hackfest 2016 Orcus Nmap [email protected]:~# nmap -sC -sV

NetGain Enterprise Manager: 'Ping' Command Injection

Security Advisory

NetGain Enterprise Manager: 'Ping' Command Injection

We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.562) during a pentest. We believe that this vulnerability is quite rare and worth to share. Description: Command injection

Security Advisory

Wordpress Profile Builder Plugin: Stored XSS

Simple stored Cross Site Scripting (XSS) found in WordPress Profile Builder Plugin version 5.2.7 and below. This is just a PoC example, just fill in the minimum password

TAKE DOWN Mr-Robot: 1

TAKE DOWN Mr-Robot: 1

Yesterday, I opened Vulnhub.com and there was challenge from Mr Robot. The same TV series will be released soon in the month of July 2016. So here it goes,

Centreon Enterprise Server 2.3.3 - 2.3.9-4: Blind SQL Injection

Security Advisory

Centreon Enterprise Server 2.3.3 - 2.3.9-4: Blind SQL Injection

We discovered the vulnerability when we’re looking for alternate software in network monitoring. We know and we love Nagios, and so the Centreon, they provide a very nice

PC Media Antivirus: Insecure Library Loading Vulnerability

Security Advisory

PC Media Antivirus: Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an AV software made in Indonesia. It’s quite popular back in 2006 since many virus creators in Indonesia actively spread viruses, and infecting

SmadAV: Null Pointer Dereference Vulnerability

Security Advisory

SmadAV: Null Pointer Dereference Vulnerability

We discovered that SmadAV antivirus 9.1 is susceptible to null pointer exploitation. The application does not properly filter the scanner input that is processed into smadengine.dll. The successful

Trend Micro Control Manager: SQL Injection Vulnerability

Security Advisory

Trend Micro Control Manager: SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application

webERP: SQL Injection

Security Advisory

webERP: SQL Injection

webERP (ver. 4.08.4) is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability we discovered sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu.

Trend Micro InterScan Messaging Security Suite: Multiple Vulnerabilities

Security Advisory

Trend Micro InterScan Messaging Security Suite: Multiple Vulnerabilities

We discovered that Trend Micro InterScan Messaging Security Suite is vulnerable to Cross Site Scripting and Cross-site Request Forgery. Proof of Concept The vulnerabilities POC are as follow: Cross-site Scripting

gtAkademik Gamatechno: SQL Injection and Persistent XSS

Security Advisory

gtAkademik Gamatechno: SQL Injection and Persistent XSS

We discovered that gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS). Stored/Persistent XSS The web application allows an attacker to inject XSS script inside

Ezhometech Ezserver: Stack Overflow Vulnerability

Security Advisory

Ezhometech Ezserver: Stack Overflow Vulnerability

EZserver version 6.4.017 or below contains a buffer overflow vulnerability which may be exploited to cause a denial of service or arbitrary code execution. Vulnerability Details Buffer overflow

Hexamail Server: Persistent XSS Vulnerability

Security Advisory

Hexamail Server: Persistent XSS Vulnerability

Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email. Vulnerability Description Hexamail Server suffers persistent XSS vulnerability in the mail

CyberLink Power2Go: Unicode Stack Overflow

Exploit Development

CyberLink Power2Go: Unicode Stack Overflow

The proof of concept of the vulnerability has been released on 9 December 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn’

Distinct TFTP Server: Directory Traversal Vulnerability

Security Advisory

Distinct TFTP Server: Directory Traversal Vulnerability

Overview Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. We discovered that version 3.10 is susceptible to directory traversal attack. Attackers can exploit this

Directory Traversal with DotDotPwn (HTTPS Mode)

Directory Traversal with DotDotPwn (HTTPS Mode)

This is my experience when I was dealing with some applications that have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding a vulnerability on Quickshare File

Aviosoft DTV Player 1.x Stack Buffer Overflow

Security Advisory

Aviosoft DTV Player 1.x Stack Buffer Overflow

Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a