what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 17 of 17 RSS Feed

Files from Eldar Marcussen

First Active2014-09-03
Last Active2023-07-10
ServiceNow Insecure Access Control / Full Admin Compromise
Posted Jul 10, 2023
Authored by Nadeem Salim, Eldar Marcussen, Luke Symons, Jeff Thomas, Stephen Bradshaw, Tony Wu, Gareth Phillips | Site x64.sh

ServiceNow suffered from having an insecure access control that could lead to full administrative compromise. The associated link has a proof of concept.

tags | advisory, proof of concept
advisories | CVE-2022-43684
SHA-256 | 1ba72d97e5b5609910fcc6b7107bef5cb14d772f105f4a4b5e856f37da0c93f2
PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass
Posted May 30, 2023
Authored by Nadeem Salim, Eldar Marcussen, Luke Symons, Jeff Thomas, Stephen Bradshaw, Yianna Paris, Tony Wu, Gareth Phillips

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, bypass, csrf
SHA-256 | 1631d9ea880d645fa96e60ab35dadd9fa31ea602fc8d3ea5528a7418cc9cfc0b
PHP Library Remote Code Execution
Posted Jul 1, 2022
Authored by Eldar Marcussen

Several PHP compatibility libraries contain a potential remote code execution flaw in their json_decode() function based on having copy pasted existing vulnerable code. Affected components include the WassUp Realtime analytics WordPress plugin, AjaXplorer Core, and more.

tags | exploit, remote, php, code execution
SHA-256 | 15c734bb46c83c88ca1f44b832953d3f324999fb6a6e5fa2aaf519830ded1198
Sabberworm PHP CSS Code Injection
Posted Jun 3, 2020
Authored by Eldar Marcussen

Sabberworm PHP CSS parser suffers from a code injection vulnerability. Many versions are affected.

tags | exploit, php
advisories | CVE-2020-13756
SHA-256 | cbff4c11162bd6a8c86cb798bce9beeaaea906f988d1e1211fcc87823ed3acb5
HP ThinPro 6.x / 7.x Privileged Command Injection
Posted Mar 25, 2020
Authored by Eldar Marcussen

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a privileged command injection vulnerability.

tags | exploit
advisories | CVE-2019-18910
SHA-256 | 14f2502cce1f48d90d5604ec27b5fd00b49d92dca7461a8a5b30b18ade28ee1f
HP ThinPro 6.x / 7.x Citrix Command Injection
Posted Mar 25, 2020
Authored by Eldar Marcussen

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a Citrix receiver connection wrapper command injection vulnerability.

tags | exploit
advisories | CVE-2019-18909
SHA-256 | eb4c697a97d752e546087c1c92f72f5ac8c5d658671e63bf3352ddfb5a13cb26
HP ThinPro 6.x / 7.x Privilege Escalation
Posted Mar 25, 2020
Authored by Eldar Marcussen

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2019-16287
SHA-256 | 7f1293575b0e76de415de2ab20c4993ec2addd8fcc7cbbb76e519c22ef4b967d
HP ThinPro 6.x / 7.x Filter Bypass
Posted Mar 25, 2020
Authored by Eldar Marcussen

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from an application filter bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2019-16286
SHA-256 | 99ae4d99639a753124299498c99f9195e518195f8a8f6da78f571fd9c30371c5
HP ThinPro 6.x / 7.x Information Disclosure
Posted Mar 25, 2020
Authored by Eldar Marcussen

HP ThinPro versions 7.1, 7.0, 6.2.1, and 6.2 suffer from a local physical access information disclosure vulnerability.

tags | exploit, local, info disclosure
advisories | CVE-2019-16285
SHA-256 | 64f3925e91a779a52ebd3d1823441c27cdb0af76a86d87a223161adc1862bbed
LibreNMS Collectd Command Injection
Posted Sep 6, 2019
Authored by Eldar Marcussen, Shelby Pace | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The to and from parameters used to define the range for a graph are sanitized using the mysqli_escape_real_string() function, which permits backticks. These parameters are used as part of a shell command that gets executed via the passthru() function, which can result in code execution.

tags | exploit, shell, code execution
advisories | CVE-2019-10669
SHA-256 | e40f291b536ddb530c9c679f17c98644fcd1bd9ef0a75a355c8b3a8fc1d135c0
ABB IDAL HTTP Server Uncontrolled Format String
Posted Jun 24, 2019
Authored by Eldar Marcussen

The IDAL HTTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server. The IDAL HTTP server does not safely handle username or cookie strings during the authentication process. Attempting to authenticate with the username "%25s%25p%25x%25n" will crash the server. Sending "%08x.AAAA.%08x.%08x" will log memory content from the stack.

tags | exploit, web
advisories | CVE-2019-7228
SHA-256 | 2710131973cb651b312b3b4490bb6638b5ec8ddf6b94183de3c0860cb2228091
ABB IDAL HTTP Server Stack-Based Buffer Overflow
Posted Jun 24, 2019
Authored by Eldar Marcussen

The IDAL HTTP server is vulnerable to a stack-based buffer overflow when receiving a large host header in a HTTP request. The host header value overflows a buffer and overwrites the Structured Exception Handler (SEH) address with a larger buffer. An unauthenticated attacker can send a Host header value of 2047 bytes or more to overflow the host headers and overwrite the SEH address which can then be leveraged to execute attacker controlled code on the server.

tags | exploit, web, overflow
advisories | CVE-2019-7232
SHA-256 | 2421624e7ad840181ca84c4621cdcea0f08c090f97ea23834ea7b42bf7a3e813
ABB IDAL HTTP Server Authentication Bypass
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.

tags | exploit, web, cgi
advisories | CVE-2019-7226
SHA-256 | 2617e6ac047295c7fb8c7aca613dea0e8f19f61ec746d1002bff8329b0e82b21
ABB IDAL FTP Server Uncontrolled Format String
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

tags | exploit
advisories | CVE-2019-7230
SHA-256 | 97f45ac950dcf506a57f347833ae16de5edfa742a6d69f781cb6a6095d7d3ef0
ABB IDAL FTP Server Path Traversal
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..". An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.

tags | exploit, arbitrary, root
advisories | CVE-2019-7227
SHA-256 | 00c2ac3a1ecb33776d1003c082f02f6355b49f02e6dd423c518718f20b434e76
ABB IDAL FTP Server Buffer Overflow
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL FTP server is vulnerable to a buffer overflow where a large string is sent by an authenticated attacker that causes a buffer overflow. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer causing an exception that terminates the server. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.

tags | exploit, overflow
advisories | CVE-2019-7231
SHA-256 | e9908b2bf53d554da934fea45c01279a24ea790f35632602c380884910cf6d18
Mpay24 Payment Module 1.5 Information Disclosure / SQL Injection
Posted Sep 3, 2014
Authored by Eldar Marcussen

Mpay24 Payment Module versions 1.5 and below suffer from information disclosure and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, info disclosure
advisories | CVE-2014-2008, CVE-2014-2009
SHA-256 | d66f449493790a1e98ef90672f5ab7b9b5deff6e10cb67a05b35be7af45b6a95
Page 1 of 1
Back1Next

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close