Showing 1 - 25 of 50

Files from Rafay Baloch

Email address: rhainfosec at gmail.com
First Active: 2012-12-24
Last Active: 2024-08-31
Android Browser Remote Code Execution Through Google Play Store XFO
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

This Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This Metasploit module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.

tags | exploit, remote, web, vulnerability, code execution, xss
advisories | CVE-2014-6041
SHA-256 | 328d1360b3bebdb1d86c00098a6491927d2bd65f1172897b674f5d8cc7695731
Android Open Source Platform (AOSP) Browser UXSS
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options cannot be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.

tags | exploit, xss
SHA-256 | 515d589ae7fa921c6c47ddf5fa3b3cc8aad06aec0fe62c65331d5cac2c574d51
Android Browser File Theft
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

This Metasploit module steals the cookie, password, and autofill databases from the Browser application on AOSP 4.3 and below.

tags | exploit
SHA-256 | 461f161dc15f2136e113fe628614a254fcbe8647f9473ac567fe7752ac4fa00a
Android Browser Open in New Tab Cookie Theft
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

In Android's stock AOSP Browser application and WebView component, the "open in new tab" functionality allows a file URL to be opened. On versions of Android before 4.4, the path to the sqlite cookie database could be specified. By saving a cookie containing a <script> tag and then loading the sqlite database into the browser as an HTML file, XSS can be achieved inside the cookie file, disclosing *all* cookies (HttpOnly or not) to an attacker.

tags | exploit
SHA-256 | 70b3a8344e4fcf5439123086e568b9e7984fe8d61764dc191d64ca919125593d
Android Open Source Platform (AOSP) Browser UXSS
Posted Aug 31, 2024
Authored by Rafay Baloch, joev | Site metasploit.com

This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary JavaScript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss.

tags | exploit, arbitrary, javascript, xss
advisories | CVE-2014-6041
SHA-256 | c310932b590c18e1c4846f4e90d57edda5909db4103dc3c5954aec52431efc71
Google Chrome 109.0.5414.74 Unsafe Library Load
Posted Mar 27, 2023
Authored by Rafay Baloch, Muhammad Samak

Google Chrome version 109.0.5414.74 on Ubuntu attempts to load libnssckbi.so from a user-writable location and if missing, a replacement piece of malware can be used by an attacker to achieve code execution. Although privilege escalation is not likely as an attacker would already need access to the user's privilege level to place the malware, it could be a target for other malicious software leaving backdoors for persistence.

tags | exploit, code execution
systems | linux, ubuntu
SHA-256 | f717eb6fe35e231271a4dd4e77bba5c4985b8a2f9c10d2fb10a342b7a8064b5a
DuckDuckGo 7.64.4 Address Bar Spoofing
Posted Dec 3, 2021
Authored by Rafay Baloch, Muhammad Samak

DuckDuckGo version 7.64.4 suffers from an address bar spoofing vulnerability.

tags | exploit, spoof
SHA-256 | efdcb758ade79facf3f10510cb498316be314f1e2b14b262a9abfbe486f35f4c
Parallels Plesk Panel 9.5 Cross Site Scripting
Posted Nov 6, 2019
Authored by Rafay Baloch, Muhammad Samak

Parallels Plesk Panel version 9.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2019-18793
SHA-256 | f479f494df9b2a23a64dc1f5f4af1968885c089c5bc642df0528b82a09b48557
Poking A Hole In Whitelist For Bypassing Firewall
Posted Jan 10, 2018
Authored by Rafay Baloch

Whitepaper called Poking a Hole in Whitelist for Bypassing Firewall.

tags | paper
SHA-256 | 79d27322d7343cce530650c961b0ec621d40db22977741a043bcd9f6a0729587
Bypassing Browser Security Policies For Fun And Profit
Posted Nov 6, 2017
Authored by Rafay Baloch

In this paper, the authors present their research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy". They present several bypasses that were found in various mobile browsers. In addition, they also uncover other interesting security flaws found during their research such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass etc. as found in Android Browsers. This is from a talk given at BlackHat ASIA 2016.

tags | paper, spoof
SHA-256 | 5a69b239b2474e58b1ae71b86cf3b0aeb2d70db3a14e35ae2083a8a6439e312b
Microsoft Internet Explorer 11 XSS Filter Bypass
Posted Jun 12, 2016
Authored by Rafay Baloch

Microsoft Internet Explorer 11 suffers from a cross site scripting filter bypass vulnerability.

tags | exploit, xss, bypass
SHA-256 | fa9a25ccb1840d327a7b15c7d2bf4c2f73c91940a80f05817225078bd17d4011
Drupal 8.0.x-dev Cross Site Scripting
Posted Feb 20, 2016
Authored by Rafay Baloch

Drupal version 8.0.x-dev suffers from a cross site scripting vulnerability on IE8 and older versions.

tags | exploit, xss
SHA-256 | 6033651a038afbdd206da94672f053201eacaf29cd9cdb3888fc615957ea8087
Shell Shock Auto Exploitation Script
Posted Oct 6, 2015
Authored by Rafay Baloch

This is a small python script that will enumerate through a list of targets and test their user agent for the shellshock vulnerability.

tags | exploit, tool, python
SHA-256 | 394a7921e89370c9d46b7105136fa1e127f06fefe2c6d6a4c8bb66f41b592170
Maxthon Browser Address Bar Spoofing
Posted Dec 28, 2014
Authored by Rafay Baloch

Maxthon Browser suffers from an address bar spoofing vulnerability.

tags | exploit, spoof
SHA-256 | c47f0080021348ecb3774a79ab8175c0d570a04c31241c9fa2c9e4a652e64275
CM Browser SOP Bypass
Posted Sep 16, 2014
Authored by Rafay Baloch

The CM browser suffers from a same-origin bypass vulnerability.

tags | exploit, bypass
SHA-256 | cb90f770b05e8da7d463a807bfd4d9059503a0f35122054dd9d80e1817d37c57
Google Chrome 36.0 XSS Auditor Bypass
Posted Sep 1, 2014
Authored by Rafay Baloch

Google Chrome's XSS auditor was found prone to a bypass when user input passed through location.hash was written to the DOM using document.write. Normally, the XSS auditor detects XSS by comparing the request and response; however, it also inspects the request itself for untrusted input in order to prevent DOM XSS as well.

tags | exploit, bypass
SHA-256 | 1726b972e5f7b81516b54d146c54fb1608b841f8ba39f275b51934e65215d5cd
Android Browser Same Origin Policy Bypass
Posted Sep 1, 2014
Authored by Rafay Baloch

A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response, etc. Due to the nature of the issue and its potential impact, this is very rarely found in modern browsers. However, they are found once in a while.

tags | exploit, bypass
SHA-256 | b5c1e22000f4ed24662d0911996baf893391c569633c0cd44a70ed8a1525e169
HTML5 Modern Day Attack And Defence Vectors
Posted Jul 2, 2014
Authored by Rafay Baloch

Whitepaper called HTML5 Modern Day Attack and Defence Vectors. This paper analyzes most of the features introduced in HTML5 along with the vulnerabilities each feature introduces.

tags | paper, vulnerability
SHA-256 | 8513f4316667a90362b7aad6528db9107c77904abf213c45d1e612037dd3eaf3
WordPress TimThumb Finder 1.0 Beta
Posted May 25, 2014
Authored by Rafay Baloch

This is a python script that scans a webserver for timthumb.php.

tags | tool, scanner, php, python
systems | unix
SHA-256 | c5de670c6b138663f9aa17471dccac1ef63011cac2b9b79114f492b672ae8720
Lavarel-Security XSS Filter Bypass
Posted Apr 29, 2014
Authored by Rafay Baloch

Lavarel-Security cross site scripting filter suffers from a bypass vulnerability.

tags | exploit, xss, bypass
SHA-256 | 74a3d9484d7c2708d5444ae78215745101425b380c8a4b50a833eee46fd07a68
WordPress Infocus Theme Cross Site Scripting
Posted Jan 27, 2014
Authored by Rafay Baloch

WordPress Infocus Theme suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 72175cc3a0ba10815ddba1acc6812efb9bf950f993641bc2dc35d2e2ee6ad9bd
phpMyRecipes 1.x.x XSS / CSRF / SQL Injection
Posted Dec 20, 2013
Authored by Rafay Baloch, Sikandar Ali

phpMyRecipes version 1.x.x suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
SHA-256 | 717dd33446428aed6b6a79a2fadd94fc507d0138e82b80c3ab389ab431f81f92
Bypassing Modern Web Application Firewalls
Posted Dec 14, 2013
Authored by Rafay Baloch

This whitepaper is called Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters.

tags | paper, web
SHA-256 | 65acaee3edb30787203ec67ebd4b8e85f2ced5170a1f786efb797a9df09856b3
Joomla Flexicontent Remote Code Execution
Posted Dec 8, 2013
Authored by Rafay Baloch, Deepankar Arora

Joomla Flexicontent component suffers from a code execution vulnerability due to the inclusion of phpthumb.

tags | exploit, code execution
SHA-256 | c420d44bcbccfa07f1cc718d8e71b7f4694db8ff878f20b384431b23ab5c659b
phpThumb 1.7.12 Server Side Request Forgery
Posted Dec 2, 2013
Authored by Rafay Baloch, Deepankar Arora

phpThumb version 1.7.12 allows for arbitrary request forgery server-side that can be used maliciously.

tags | exploit, arbitrary
SHA-256 | e913a843b81d9d2b74184a8e642eab8b19aa74dddc1489ee2c4b3c63fb7f54b4