exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 123 RSS Feed

Files from Michal Zalewski

Email addresslcamtuf at coredump.cx
First Active1999-11-03
Last Active2015-04-14
SQLite 22 Bugs
Posted Apr 14, 2015
Authored by Michal Zalewski

SQLite has had 22 security bugs reported including stack buffer overflow and uninitialized memory vulnerabilities. Version 3.8.9 addresses these issues.

tags | advisory, overflow, vulnerability
SHA-256 | dfcb47d73272992e7252b26d33b182b0375b26d2dbe341b5d13c61cb13af7742
CUPS Filter Bash Environment Variable Code Injection
Posted Oct 28, 2014
Authored by Michal Zalewski, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default.

tags | exploit, bash
advisories | CVE-2014-6271, CVE-2014-6278
SHA-256 | 5a376a0f4e8be0b42906123abc72f100a271655c6310963fc913fc7504861155
libbfd Out Of Bounds
Posted Oct 27, 2014
Authored by Michal Zalewski

Zalewski has noted that binaries which have dependencies on libbfd may be leveraged for attacks due to libbfd having a large range of possibly exploitable out-of-bounds crashes.

tags | advisory
SHA-256 | 482143b943dd09a0acc6d1703848e32a2c8bccd80bde134ced14a899fc368d68
Firefox / MSIE Memory Disclosure Bugs
Posted Oct 15, 2014
Authored by Michal Zalewski

Firefox versions prior to 33 leak bits of uninitialized memory when rendering certain types of truncated images onto canvas tags. Secondly, MSRC case #19611cz is a seemingly similar issue with Internet Explorer apparently using bits of uninitialized stack data when handling JPEG files with an oddball DHT.

tags | exploit, info disclosure
systems | linux
advisories | CVE-2014-1580
SHA-256 | 8b9a6d35010ff886448c6426873326338f84f0a0385c80c92c4b6d3104a7d64c
Bash Me Some More
Posted Oct 1, 2014
Authored by Michal Zalewski, Paul Vixie

This is information regarding more bash vulnerabilities and how the original bash patches are ineffective.

tags | exploit, vulnerability, bash
advisories | CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-6279
SHA-256 | 9bef4f643cbc941c231d0995aa7df24f7322c03118f4cd7d60f56a5e05ccb428
Mozilla Firefox Secret Leak
Posted Sep 3, 2014
Authored by Michal Zalewski

The recent release of Firefox 32 fixes another interesting image parsing issue found by afl. Following a refactoring of memory management code, the past few versions of the browser ended up using uninitialized memory for certain types of truncated images, which is easily measurable with a simple <canvas> + toDataURL() harness that examines all the fuzzer-generated test cases. Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. This code is a proof of concept for versions prior to 32.

tags | exploit, web, proof of concept, fuzzer
advisories | CVE-2014-1564
SHA-256 | 7c5c90b2004b180e2ba9b417077aadeb4d76b33775e460d93cce1e056c3e1b29
p0f 3.07b Windows Port
Posted May 23, 2014
Authored by Michal Zalewski, David Coomber | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This is a Windows port of the latest release created by David Coomber.
tags | tool, web, scanner, tcp
systems | unix
SHA-256 | f2dd6d877e15363bbb90325683e06abdd781aa3fa18b4e97de95fd0b8d904817
IJG jpeg6b / libjpeg-turbo Uninitialized Memory
Posted Nov 12, 2013
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).

tags | advisory
advisories | CVE-2013-6629, CVE-2013-6630
SHA-256 | 75281af87c2ac01e67120a1b37a4356f62199b948183ba8069556c239c29df05
Javascript Page Interaction History Leak
Posted May 6, 2013
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

Michal Zalewski put together a really amusing asteroids proof of concept to demonstrate how a modified version of the javascript ":visited" attack can be leveraged based on visibility. Proof of concept js included.

tags | exploit, javascript, proof of concept
systems | linux
SHA-256 | 0c1b7330caf6f1622bcdfe153cd13fde591641b80ff7a9881a550469301c5a39
Skipfish Web Application Scanner 2.09b
Posted Sep 13, 2012
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Fixed a crash that could be triggered during 404 fingerprint failures. Signature IDs for detected issues are now stored in the report JSON files. Added mod_status, mod_info, MySQL dump, phpMyAdmin SQL dump and robots.txt signatures. Improved the Flash and Silverlight crossdomain policy signatures to only warn about them when they use wildcards.
tags | tool, web, scanner
systems | linux, unix
SHA-256 | 12ea7c74ed8a3fa29668d95172f46c976997cd393c908a7704b97610bfcd350a
Browser Navigation Download Trick
Posted May 31, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file. Proof of concept code included.

tags | exploit, web, arbitrary, proof of concept
systems | windows
SHA-256 | c8e117983282dd44d231f39a10dc8b0b2bf8c46c42490f1cf78aeb4b75db6be8
p0f 3.03b Windows Port
Posted Jan 25, 2012
Authored by Michal Zalewski, David Coomber | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This is a Windows port of the latest release created by David Coomber.
tags | tool, web, scanner, tcp
systems | windows
SHA-256 | ae853ced1e0f3446f86a75db60b1aa28e2344aae92002f1ae7860e5b0620124e
P0f 3.0.0b
Posted Jan 17, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This complete rewrite adds a range of new TCP fingerprinting mechanisms, sophisticated NAT detection, HTTP inspection and fingerprinting, and updated signatures.
tags | tool, web, scanner, tcp
systems | linux, unix
SHA-256 | b4d041b7f5b2f8accca3d9e64e5e1f672057d30337b51ea621cfebdf78c6beae
P0f 3.0.0 Release Candidate 1
Posted Jan 10, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: Complete rewrite.
tags | tool, web, scanner, tcp
systems | linux, unix
SHA-256 | dbc8dcdc290b010ac9b9917d53afc6ae8f0fe24ee6aae0ed5b337ca39cd35159
ClickIt Proof Of Concept
Posted Dec 13, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, history.forward() and history.back(), open some scary possibilities that we are completely unprepared to deal with. This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to conceal its operation, the transitions can be made seamless and very difficult to perceive. Very accurate click prediction can be achieved by carefully measuring mouse velocity and distance to destination, too.

tags | exploit, javascript
SHA-256 | d7658f0d5bd78b6a2d13c915b7f4668b18228fb508f0cca309cdc5652565e5c9
JavaScript Switcharoo Proof Of Concept 2
Posted Dec 9, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

Firefox and Opera allow you to omit MIME type in data: URLs, possibly put random garbage into that section, and still get a valid HTML document. This is a natural extension of how the Content-Type header is handled in HTTP, but probably makes little or no sense here. With the use of Unicode homographs, you can create fairly believable URLs especially in Firefox.

tags | exploit, web
SHA-256 | 8b57d561f4e10efd5110b290028c3daaae1403920829de2c3cc32719b52d7e6e
JavaScript Switcharoo Proof Of Concept
Posted Dec 8, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

It seems that relatively few people realize that holding a JavaScript handle to another window allows the attacker to tamper with the location and history objects at will, largely bypassing the usual SOP controls. With some minimal effort and the help of data: / javascript: URLs or precached pages, this can be leveraged to replace content in a manner that will likely escape even fairly attentive users.

tags | exploit, javascript
SHA-256 | fcf6a2f8bd756f73ae0cea59488d296084adcdadeda5ca6d9e401595b8736f42
Firefox CSS :visited Proof Of Concept
Posted Dec 3, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

This code is a proof of concept that demonstrates history extraction in Firefox through non-destructive cache timing.

tags | exploit, proof of concept
systems | linux
SHA-256 | cbb18dbf852eed470c1735fe94fe71da7a9d688fa9c6f2a7c8668720d84a7c08
Firefox 3.6.13 pseudo-URL SOP Check Bug
Posted Dec 9, 2010
Authored by Michal Zalewski

Firefox version 3.6.13 fixes an interesting bug in their same-origin policy logic for pseudo-URLs that do not have any inherent origin associated with them.

tags | advisory
SHA-256 | db05b815023c5d8efd32e05c077cb830085cc4463b38385fc38d090ecd936b12
Skipfish Web Application Scanner 1.78b
Posted Nov 23, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Substantial bugs in coverage and security checks were fixed. Multiple feature and stability improvements were made. Differential scanning tools were added.
tags | tool, web, scanner
systems | linux, unix
SHA-256 | 0682c65365408c6d51c6381d0478bb9155d259a2bdb792defe36472fba43dfe1
Juniper SSL VPN Bypass / Cross Site Scripting
Posted Nov 9, 2010
Authored by Michal Zalewski

This is a list of older cross site scripting and bypass vulnerabilities associated with older Juniper IVE releases.

tags | exploit, vulnerability, xss, bypass
systems | juniper
SHA-256 | 373b779224dfe366049456b486a0f52893693761af7861f0c2f4e45a15feacc4
Skipfish Web Application Scanner 1.52b
Posted Jul 23, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Fixed HTTP read loop after 1.48b.
tags | tool, web, scanner
systems | unix
SHA-256 | 4f7aab33039ef0826cbb1473f80c7de5c0319bb5c435c94688e44069e395bcd8
Safari SOP Bypass / Firefox Address Bar Spoofing
Posted Jun 29, 2010
Authored by Michal Zalewski

Michal Zalewski has noted some interested security bugs with Safari, Firefox and WebKit-based browsers.

tags | advisory
advisories | CVE-2010-0544, CVE-2010-1422, CVE-2010-1206
SHA-256 | b2d75a7a2b8d07a15dc2b6df82f44922d3b9274562a07ae028d56c9612463f25
Skipfish Web Application Scanner 1.11b
Posted Mar 22, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Multiple bug fixes and SIGWINCH support.
tags | tool, web, scanner
systems | unix
SHA-256 | ed3d45cf54770db9cae12422c36f1e3f90857da4381a47956b355bc9d7f35ea0
Skipfish Web Application Scanner 1.03b
Posted Mar 20, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

tags | tool, web, scanner
systems | unix
SHA-256 | b8be1811b5922084c753cd6de2d0b9a6cc88bcfc43203dab14e4d92599a9f218
Page 1 of 5
Back12345Next

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close