Monthly Archives: November 2016

Home » Archives for November 2016

Microsoft Windows Server 2008 / 2012 – LDAP RootDSE Netlogon Denial Of Service (PoC)

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credit: Todor Donev
#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
#  (CLDAP “AD Ping”) query reflection DoS PoC
#

#
#  MS Windows Server 2016      
#
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector
#  supporting the Connectionless LDAP […]

By |November 13th, 2016|Exploits|

Android Proxy Auto Config (PAC) Crash Vulnerability

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Yakov Shafranovich
Summary

Android devices can be crashed forcing a halt and then a soft reboot
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the […]

By |November 13th, 2016|Exploits|

Microsoft Internet Explorer WININET.dll

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: SkyLined
Synopsis
 
A specially crafted HTTP response can cause the CHttp­Header­Parser::Parse­Status­Line method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET […]

By |November 13th, 2016|Exploits|

What Does The IP Address 0.0.0.0 Really Mean? What Are Its Different Uses?

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

You might have heard about the IP address 0.0.0.0 but never thought much about it. Some of you would be knowing that it’s a ‘no particular address’ placeholder’. But, what else? What does it really mean in different situations? Well, here I’ll try to answer these […]

By |November 7th, 2016|Papers|

Hack Sticky Key Feature And Reset Windows Password Using CMD

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Protecting your Windows machine with a password is a must. It’s a great layer of security disabling unauthorized people from using your computer. But there are times when your own security layer restricts you from using your Windows OS. Probably, because you aren’t worthy of […]

By |November 7th, 2016|Papers|

Linux Kernel (Ubuntu / Fedora / Redhat) – ‘Overlayfs’ Privilege Escalation Exploit – Metasploit Code

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require “msf/core”
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
        ‘Name’           => ‘Overlayfs Privilege Escalation’,
        ‘Description’    => %q{
          This module attempts to exploit two different CVEs related to overlayfs.
          CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
                                            3.16.0-25 […]

By |November 3rd, 2016|Exploits|

MySQL / MariaDB / PerconaDB – ‘root’ Privilege Escalation Vulnerability – Metasploit Code

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB   –   Root Privilege Escalation
 
MySQL 
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]

By |November 3rd, 2016|Exploits|

NVIDIA Driver – NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Priv

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
 
In this particular routine,
 
if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length […]

By |November 3rd, 2016|Exploits|