As I 'promised': the vendor received the details but after all* - to this day - I have no idea what's going on now... No response, no feedback, so "Vendor doesn't care" in my opinion. Full disclosure.
Tuesday, 12 December 2017
Tuesday, 5 December 2017
'modus operandi' - GeniXCMS 1.1.5
During the last few days I tried to rewrite a few parts of modus.py to get results more similar to those described for the 'latest' version of Horde.
TL;DR - we have a new version of modus.py =]
Thursday, 30 November 2017
First results from modus.py
Ok. Here we go again... During the last few days, after I had the pleasure of receiving some 'results' from the CVE Team (1,2,3), I decided that it would be a good ('enough';]) idea to create a small 'poc script' (again) to automate a little bit the process of 'finding bugs' (for example, like those mentioned in the CVE references). Below you will find a few details collected after a few days of 'research' and pinging the vendors...
Monday, 20 November 2017
RCE via XSS - Horde 5.2.19
This time I decided to sit for a while with Horde Groupware (5.2.19). A “ready to go” virtual machine can be found at Bitnami’s webpage (big thanks!), so using for example VirtualBox you can set everything up very quickly. Below you will find a few publicly disclosed bugs found during the last few days...
Friday, 17 November 2017
Friday surprise from Kali.org
Standard Friday evening... checking some Twitter and news on the net... and then I found...
Thursday, 16 November 2017
More SQL Injections in ManageEngine Applications Manager 13
Last time we saw a few bugs found in the latest ManageEngine Applications Manager 13. Today I decided to publish another 6 (so-called ;] '0day') exploits (found between 6 and 7.11.2017). Details below...
Sunday, 5 November 2017
SQL Injection in ManageEngine Applications Manager 13
This morning I decided to start some new "challenge" related to webapp pentesting. That's how I found the latest version of ManageEngine Applications Manager. (You can grab a copy here.) Below you will find some 'results'...
Sunday, 29 October 2017
Microsoft Outlook 2016 - RW/RA Crash
Wednesday, 25 October 2017
Night fuzzing session - Kaspersky10 on Windows 10 - part 2
In the meantime, just like before, I was playing a little bit with Kaspersky Endpoint Security 10 for Windows 10. New results from the 'night fuzzing session' you will find below...
Patch your Fortinet - CVE-2017-14182
A few weeks ago, during a pentest, I found that the tested Fortinet appliance was sometimes restarting... I wasn't sure about the reason, so I decided to contact Fortinet's PSIRT directly. The patch is ready, so below you will find a few details about it. Enjoy...
Monday, 23 October 2017
ZBX-11023 quick autopsy
When I was reading descriptions of bugs at VulDB I found that there is an SQL injection vulnerability in Zabbix (<2.2.13 and <3.0.4). I decided that it would be a good exercise to write a small proof-of-concept for that bug. Below you'll find the results...
Protostar CTF - format0 - walkthrough
The next challenge from Protostar CTF. This time we will check format0. Let's get to work!
Wednesday, 11 October 2017
Protostar CTF - heap2 - walkthrough
As a quick writeup - this time we will take a look at the heap2 challenge from Protostar CTF (you can find the game here). Let's go...
Monday, 9 October 2017
Protostar CTF - heap1 - walkthrough
In our last challenge we were able to overwrite the pointer to winner(). Let's see if we can exploit heap1, also available in Protostar CTF. Details below...
Protostar CTF - heap0 - walkthrough
During the last few days I had the pleasure of learning a little bit more about heap exploitation in Linux. I decided that it would be a good moment to take a look at Protostar CTF. Below you will find a few details about it...
Thursday, 28 September 2017
Privilege Escalation in ProFTPd 1.3.0
During the last few days I was preparing for another CTF competition. As a warm-up I decided to do a(nother;)) quick autopsy, this time of an old bug found in ProFTPd, described as CVE-2006-6563. Below you will find some results...
Thursday, 7 September 2017
Night fuzzing session - Kaspersky10 on Windows 10
During the last few days I was playing a little bit with Kaspersky Endpoint Security 10 for Windows 10. Below you will find a few results.
Monday, 4 September 2017
SIGSEGV in Python2.7
It was a real pleasure to work with the Python Team during this weekend. Below are a few details about it...
Friday, 18 August 2017
Metasploit module for RCE in Trend Micro IMSVA 9.1
Following the story posted yesterday, below you will find a quick&dirty proof-of-concept module for Metasploit. Big thanks go to Mehmet for his research. The PoC is based mostly on his work.
Thursday, 17 August 2017
RCE in Trend Micro IMSVA 9.1
Found 16.08.2017 during some research. Maybe you will find it useful.
And, yeah... It's for auth-users only. Anyway... ;) Have fun.
Monday, 14 August 2017
Reading malware - Backdoor.SpyNet
Following a few other examples, I finally had a chance to sit back with a malware sample I found here (big thanks again!). Below are a few details about the file (md5: ff35edacb8c847e85a6494e7858ecada).
Monday, 7 August 2017
Microsoft Outlook 2016 - WriteAV
During the last few days I found a place where Microsoft Outlook 2016 (16.0.6014.1000) will crash. Below you will find a few details about it...
Saturday, 5 August 2017
Reading malware - Trojan.Delf
In the meantime I found another test case on MalwareDB; this time we will try to analyze malware described as "Trojan.Delf". The MD5 of the sample is b5597304495be0c425e512abd6f39f8c. Let's go!
Wednesday, 2 August 2017
CVE-2013-1048 quick autopsy
When I was looking for some hints related to "privilege escalation bugs" I found (on vuldb.com) a short description about Apache2 and symlinks. Below are a few details...
Tuesday, 25 July 2017
GeniXCMS SQL Injection quick autopsy - part 2
In the meantime I was looking for another CVE with a bug described as SQL Injection. Below you will find more details about it.
Read/Write Access Violation - Acunetix
During the last fuzzing session I found that Acunetix can be crashed by a malformed PRE file. Below you will find a few details about it...
Few bugs in vBulletin 4.2.3
During one blackbox test I found a few bugs in vBulletin 4.2.3. Below you will find a few details about them...
Thursday, 6 July 2017
Reading malware - Backdoor:Win32/Darkddoser
Thanks to Malekal’s page (just like before) I was able to "read" some (more) malware. Below you will find a few details about the "new" (for me) case (afaik dated to 2015) I had a chance to check…
Tuesday, 20 June 2017
Reading malware
Tuesday, 30 May 2017
Exploiting MODX - Bitnami Edition
Monday, 29 May 2017
Multiple crashes in RealPlayer 18.1.7.344
A few bugs found in RealPlayer 18.1.7.344 during the last fuzzing session (Win7/32bit) - FYI...
Saturday, 27 May 2017
Exploiting DokuWiki - Bitnami Edition
Attack scenario similar to the one described before. This time we will try it against Bitnami's DokuWiki installation. Details below...
Exploiting Concrete5 CMS 8.1.0 - Bitnami Edition
As mentioned in my last post related to the Napalm and TestLink bug(s), you probably saw there 'a few other started modules'. Since we can say that those 'bugs' are only 'features', I decided to publish them all. Below: uploading a shell to the latest Concrete5 CMS (8.1.0).
Playing offline CTF's
In the meantime I started some new exercises related to CTF adventures. This time I tried to pass some challenges related to “binarypwn”. A few cases you’ll find described below.
Divided RealPlayer 16.0.2.32
Crash found during fuzzing an old app, RealPlayer 16.0.2.32. Below are a few details...
Thursday, 11 May 2017
Exploiting TestLink 1.9.16 - Bitnami Edition
Hi, in my last post you probably saw some ("started") modules for TestLink... So, yeah, below you will find some details about one of the bug(s) I found during tests related to (the last available version of) TestLink (1.9.16) - thanks go to Bitnami for preparing the VM. So...
Monday, 8 May 2017
Napalm 2.1 feat. Bitnami
I started creating the code based on ideas from a wrapper I created some time ago. Another tool, similar to this one, is of course grabash, but here I decided to change the approach of the tool to an idea grabbed from the EternalBlue paper: targeted attacks.
TurnKeyLinux feat. OTRS
A few days ago I found a pretty cool site - TurnKeyLinux. There you will find ready-to-go, pre-installed webapps. I decided to find out if there is also an OTRS ready to check... A few notes below.
Friday, 14 April 2017
Multiple Crashes in MS Publisher 2010/16 - part 2
Hi, as I promised last time, today you'll find below a few more bugs found during a fuzzing session with MS Publisher 2010. Try them on 2016 because a few of them will work there as well. ;)
Tuesday, 11 April 2017
Sunday, 9 April 2017
Learning routers
Lately I finally found a few hours to sit back and join the whole process of 'learning routers'... Below you will find a few notes from those adventures...
Friday, 7 April 2017
Multiple Crashes in IrfanView 4.44
Below you will find a few details about some results from fuzzing IrfanView (4.44).
Tuesday, 21 February 2017
LinkedIn scam changes
Due to the fact that I found some weird behaviour on LinkedIn, my accounts will not be available anymore. See some screens below for more details.
Monday, 16 January 2017
Bug in ab from Apache 2.2.22
Some time ago I found that ab from Apache can be crashed by malformed CLI arguments. Below are a few notes about it.
Sunday, 15 January 2017
Upload shell to phpMyAdmin
Yesterday I was reading about some vulnerabilities found in phpMyAdmin. I decided to create my own PoC for uploading a shell to PMA.
Friday, 13 January 2017
GeniXCMS SQL Injection quick autopsy
After my last CTF I found one new SQL injection in a CMS called GeniXCMS. Below are a few details about the bug.
Kvasir CTF - Writeup
Man. I played a few CTFs in my life. But this one, to be honest, was one of the best I’ve ever tried…;) Have fun.
Friday, 6 January 2017
Automated scans with OpenVAS and Kali - part 3
For all of those who liked my post about automating scans with OpenVAS in Kali Linux, below I prepared a new version of the PoC. Maybe you will find it useful too. ;)
Thursday, 5 January 2017
Few bugs in TestLink
During one of my latest projects, I was asked to analyze the security of a web server.