Archive for category Exploits

Black Hat DC Presentation

The materials in the presentation, including the exploits used, are downloadable here. Have fun counterattacking! Update: the actual slides are at http://www.scriptjunkie.us/files/counterattack.pdf and paper is at http://www.scriptjunkie.us/files/bhdc2011whitepaper.pdf.


Fun with lnk files

Stuxnet used an 0day .lnk icon dll-loading vulnerability to own its targets via thumb drives. But if you don’t have a fancy 0day, chances are, you can still get someone to open a link. Link files are great because they often escape the scrutiny of executable .exe files or batch scripts since they don’t directly […]


Command stagers in Windows

Update: these command stagers have been integrated into Metasploit. Command injection/execution bugs are a relatively common vulnerability. For example, Internet Explorer, Google Chrome, and Mozilla Firefox have all had these problems, at least including common add-ons (see http://www.securityfocus.com/archive/1/archive/1/499570/100/0/threaded, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5045, etc.). Many server-side scripts in webapps also suffer from the same issues. Against a Linux target, […]


Insecure service permission privilege escalation

A number of Metasploit modules already exist to escalate privileges based on insecurely installed services, such as the HP PML driver. But other services also suffer from the same problems, and it is not worth making a new script for every obscure service; it would be easier to have one that could scan for such […]


PXE exploitation

Update: This complete attack, including the DHCP server, has been incorporated into Metasploit. Update and enjoy. The module is auxiliary/server/pxexploit. PXE booting has been around for over a decade and is supported by most system BIOSes, and I have also seen it left on in production environments. Although it is very convenient for mass OS […]


Maple exploit

Exploit for an 0day vulnerability (feature?) in Maple: https://www.metasploit.com/redmine/projects/framework/repository/revisions/9183. Default Maple security settings prevent code from running in a normal Maple worksheet (.mw) without user interaction, but those settings do not prevent code in a .maplet from running. Put malicious code at the start of a .maplet, get the target to double-click, and … profit. (As a […]


XSS, no really

XSS tends to get the eyeroll treatment from security pros since a) it’s everywhere (2 minutes of looking for an example on the GOP website, and tada: http://www.gopstore.com/cgi-bin/rnc/scan/st=db/co=yes/sf=prod_group/se=stick%3Cimg%20src=0%20onerror=%22alert%281%29%22%20%3Eer/op=eq/tf=description/ml=12/sp=1stickers.html), b) your 8-year-old kid can find it after about 2 minutes of instruction, and c) it doesn’t give you a shell (directly). But it still works. And it […]
