what you don't know can hurt you
Showing 1 - 8 of 8 RSS Feed

Files from Sean Dillon

Email addresssean.dillon at risksense.com
First Active2015-12-03
Last Active2019-09-23
BlueKeep RDP Remote Windows Kernel Use-After-Free
Posted Sep 23, 2019
Authored by OJ Reeves, Sean Dillon, Brent Cook, Ryan Hanson | Site metasploit.com

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2019-0708
MD5 | 4069a796ff839c408647778ed5820d03
Cisco ASA Crash Proof Of Concept
Posted Feb 7, 2018
Authored by Sean Dillon

Cisco ASA crash proof of concept exploit.

tags | exploit, denial of service, proof of concept
systems | cisco
advisories | CVE-2018-0101
MD5 | 49a72c843e58b62bc3926abab78f08ed
EternalBlue Exploit Analysis And Port To Microsoft Windows 10
Posted Jun 7, 2017
Authored by Sean Dillon, Dylan Davis

On April 14, 2017, the Shadow Brokers Group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft Windows. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). The framework included ETERNALBLUE, a remote kernel exploit originally targeting the Server Message Block (SMB) service on Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2). In this paper, the RiskSense Cyber Security Research team analyzes how using wrong-sized CPU registers leads to a seemingly innocuous mathematical miscalculation. This causes a chain reaction domino effect ultimately culminating in code execution, making ETERNALBLUE one of the most complex exploits ever written. They will discuss what was necessary to port the exploit to Microsoft Windows 10, and future mitigations Microsoft has already deployed, which can prevent vulnerabilities of this class from being exploited in the future. The FUZZBUNCH version of the exploit contains an Address Space Layout Randomization (ASLR) bypass, and the Microsoft Windows 10 version required an additional Data Execution Prevention (DEP) bypass not needed in the original exploit.

tags | paper, remote, kernel, vulnerability, code execution
systems | windows, xp, 7
MD5 | 0e04e472a5f9e98389f5f1e13ec2bf50
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Posted May 17, 2017
Authored by Sean Dillon, Shadow Brokers, Dylan Davis, Equation Group | Site metasploit.com

This Metasploit module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again.

tags | exploit, overflow, shell, kernel
advisories | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
MD5 | aa3f38db6f272747aa8f84141f87e6e4
Microsoft Windows MS17-010 SMB Remote Code Execution
Posted Apr 17, 2017
Authored by Sean Dillon | Site metasploit.com

This Metasploit module uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. This Metasploit module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

tags | exploit, info disclosure
advisories | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
MD5 | 89159784c9ed66494a7cec42e5285517
Cisco ASA EXTRABACON Improved Shellcode
Posted Sep 16, 2016
Authored by Sean Dillon

69 bytes small Cisco ASA authentication bypass (EXTRABACON) better shellcode.

tags | shellcode
systems | cisco
MD5 | 78b1a2e173a31e3a168166f9141ee22d
Cisco ASA 9.2(3) EXTRABACON Module / Authentication Bypass
Posted Sep 16, 2016
Authored by Sean Dillon, Zachary Harding

This is an additional EXTRABACON module for Cisco ASA version 9.2(3). This does not use the same shellcode as the Equation Group version, but accomplishes the same task of disabling the auth functions in less stages/bytes.

tags | exploit, shellcode, bypass
systems | cisco
MD5 | d1064fab44ff0ae1866c7533208d6639
Banner Student XSS / Information Disclosure / Open Redirect
Posted Dec 3, 2015
Authored by Sean Dillon

Banner Student suffers from cross site scripting, information disclosure, user enumeration, and open redirect vulnerabilities. Versions affected range through to 8.7.

tags | advisory, vulnerability, xss, info disclosure
advisories | CVE-2015-4687, CVE-2015-4688, CVE-2015-4689, CVE-2015-5054
MD5 | b91400b80b1df8d0a07db08a9a65127a
Page 1 of 1

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By