Thomas Gregory - Spentera Blog

Zahir Accounting Enterprise Plus 6 <= build 10b 0day Exploit Vulnerability Discovery

Zahir Accounting adalah software akuntansi yang sangat banyak digunakan oleh tingkatan SOHO (Small Office Home Office) di Indonesia. Selain harganya yang terjangkau, Zahir memiliki fitur yang lebih dari cukup untuk menyelesaikan pencatatan akuntansi yang tanggung, dalam arti mampu menyisir tingkat menengah ke bawah dan juga mampu menghadapi tantangan akuntansi yang

Exploit Development

CyberLink LabelPrint: Buffer Overflow

It’s been a while since our last post about exploitation. This time, we try to explain a stack-based overflow on Cyberlink LabelPrint, a tool to assist in designing labels for CD / DVD covers. It is included in the installation of Cyberlink Power2Go, PowerDVD, and Power Producer software and

Security Advisory

Centreon Enterprise Server 2.3.3 - 2.3.9-4: Blind SQL Injection

We discovered the vulnerability when we’re looking for alternate software in network monitoring. We know and we love Nagios, and so the Centreon, they provide a very nice interface of Nagios. Centreon provide nice features and ease of use when you’re dealing with network monitoring. The backend

Security Advisory

PC Media Antivirus: Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an AV software made in Indonesia. It’s quite popular back in 2006 since many virus creators in Indonesia actively spread viruses, and infecting most computers. At the time, some people started to claim a special AV to detect viruses, some of which are

Security Advisory

SmadAV: Null Pointer Dereference Vulnerability

We discovered that SmadAV antivirus 9.1 is susceptible to null pointer exploitation. The application does not properly filter the scanner input that is processed into smadengine.dll. The successful exploitation of this vulnerability could potentially result a crash on the application, since it will refer to a null pointer,

Security Advisory

Trend Micro Control Manager: SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input

Security Advisory

webERP: SQL Injection

webERP (ver. 4.08.4) is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability we discovered sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu.

Security Advisory

Trend Micro InterScan Messaging Security Suite: Multiple Vulnerabilities

We discovered that Trend Micro InterScan Messaging Security Suite is vulnerable to Cross Site Scripting and Cross-site Request Forgery. Proof of Concept The vulnerabilities POC are as follow: Cross-site Scripting (CVE-2012-2995) (CWE-79) Persistent/Stored XSS hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"<script>

Security Advisory

Ezhometech Ezserver: Stack Overflow Vulnerability

EZserver version 6.4.017 or below contains a buffer overflow vulnerability which may be exploited to cause a denial of service or arbitrary code execution. Vulnerability Details Buffer overflow condition exist in URL handling, sending long GET request to the server on port 8000 will cause server process to

Security Advisory

Hexamail Server: Persistent XSS Vulnerability

Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email. Vulnerability Description Hexamail Server suffers persistent XSS vulnerability in the mail body, allowing malicious user to execute scripts in a victim’s browser to hijack user sessions, redirect users, and or

Exploit Development

CyberLink Power2Go: Unicode Stack Overflow

The proof of concept of the vulnerability has been released on 9 December 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn’t contact me anymore. A week after our last email, they updated the product, and yes it’s Power2Go

Security Advisory

Distinct TFTP Server: Directory Traversal Vulnerability

Overview Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. We discovered that version 3.10 is susceptible to directory traversal attack. Attackers can exploit this vulnerability to retrieve or upload files outside the TFTP server root directory. Software Description From Distinct website: Distinct Intranet Servers,

Tutorials

Directory Traversal with DotDotPwn (HTTPS Mode)

This is my experience when I was dealing with some applications that have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding a vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when doing a pentest on my client. So,

Security Advisory

Aviosoft DTV Player 1.x Stack Buffer Overflow

Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a playlist (.plf) file before copying it into an insufficiently sized buffer, resulting in a buffer overflow. Software Description Aviosoft

Exploit Development

BlazeVideo HDTV Player 6.x Buffer Overflow (another version)

Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal. Take a look at mona.py ? awesome tool developed by corelanc0d3r and his team So here is the

Exploit Development

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (MSF)

You might be read about the previous post ScriptFTP Remote BOF, if you are a Metasploit user, you can add this exploit module to your Metasploit Framework. Update: Metasploit has released module for ScriptFTP. You can use it now on Metasploit. . Credit goes to: Cyberheb Otoy TecR0c mr_me

Exploit Development

Porting Your Exploit to Metasploit

Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) dan exploit development berbasis SEH. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin reliable dan bisa menggunakan macam-macam payload, fitur-fitur canggih yang ada di Metasploit. Kita akan meng-konversi exploit yang pertama,

Security Advisory

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)

ScriptFTP client is vulnerable against remote buffer overflow vulnerability. The condition is triggered while processing LIST FTP command with excessive length. The vulnerability is confirmed in version 3.3. Other version may also be affected. Software Description ScriptFTP is a FTP client designed to automate file transfers. It follows the

Exploit Development

SEH Based Stack Overflow - The Basic

Kali ini saya akan coba tehnik lain dari stack overflow, yaitu stack overflow berbasis SEH. Apa itu SEH? silakan dibaca diliteratur-literatur berikut: Structured Exception Handling Win32 Exception handling for assembler programmers Tidak ada yang lebih menyenangkan daripada belajar sambil mencoba. Kita akan mencoba SEH based stack overflow pada program yang

Tutorials

MSF Postgres Problem on BT5

If you read this post then I bet you have the same problem with me. When I tried to run the msfconsole on my BT5 I have this buggy information. [-] Failed to connect to the database: could not connect to server: Connection refused Is the server running on host

Tutorials

Silent Backdoor with Weevely

Ever think to gain access to your backdoor undetected? Well, maybe not all web administrators examine their php files? Weevely is the answer. Just follow these actions (I was doing this on Backtrack 5): root@bt:~# >cd /pentest/backdoors/web/weevely root@bt:/pentest/backdoors/web/weevely#./main.py

Exploit Development

Mel0nPlayer 1.0.11.x Denial of Service POC

Software Description Mel0n Player is a famous software in Indonesia to play songs that are provided by the Melon portal (http://www.melon.co.id). This software can play any music file types such as mp3, wav, wma, mp4, and others. This player can also play the files on your

Tutorials

Metasploit Meterpreter Command Shell Upgrade

Seeing is believing ? root@bt:~# msfconsole =[ metasploit v3.8.0-dev [core:3.8 api:1.0] + -- --=[ 707 exploits - 359 auxiliary - 57 post + -- --=[ 225 payloads - 27 encoders - 8 nops =[ svn r13065 updated today (2011.06.29) msf > use exploit/windows/smb/ms08_

Exploit Development

Some Documents of File Specifications/Formats

Here are some documents to help you understand some file formats/headers, for file format fuzzing purpose: WAVE PCM soundfile format (RIFF) https://ccrma.stanford.edu/courses/422/projects/WaveFormat/ ZIP File format specification http://www.pkware.com/documents/casestudies/APPNOTE.TXT MPEG File format http://www.mpgedit.org/mpgedit/

Tutorials

Backtrack 5: How to install VMware Workstation 7.1.3

So I want to install VMware Workstation 7.1.3 on Backtrack 5, but there were errors after I ran the binary (e.g: ./VMware-Workstation-Full-7.1.3-324285.x86_64.bundle), so here’s the solution: Prepare the Kernel Look here: http://www.backtrack-linux.org/forums/backtrack-5-how-tos/40276-backtrack-5-how-prepare-kernel-sources-vmare-tools-drivers-etc.html Download