what you don't know can hurt you
Showing 1 - 8 of 8 RSS Feed

Files from Sean Dillon

Email addresssean.dillon at risksense.com
First Active2015-12-03
Last Active2019-09-23
BlueKeep RDP Remote Windows Kernel Use-After-Free
Posted Sep 23, 2019
Authored by OJ Reeves, Sean Dillon, Brent Cook, Ryan Hanson | Site metasploit.com

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2019-0708
SHA-256 | 1aecbe52ce929c3de3a4cf90e7b8a03dc74a2a1edd4797fbc7bf61bee611bb3c
Cisco ASA Crash Proof Of Concept
Posted Feb 7, 2018
Authored by Sean Dillon

Cisco ASA crash proof of concept exploit.

tags | exploit, denial of service, proof of concept
systems | cisco
advisories | CVE-2018-0101
SHA-256 | 22410b089089e7b8ffef27f7fb0a008e7affff448aee37013b0a41335bb533a6
EternalBlue Exploit Analysis And Port To Microsoft Windows 10
Posted Jun 7, 2017
Authored by Sean Dillon, Dylan Davis

On April 14, 2017, the Shadow Brokers Group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft Windows. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). The framework included ETERNALBLUE, a remote kernel exploit originally targeting the Server Message Block (SMB) service on Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2). In this paper, the RiskSense Cyber Security Research team analyzes how using wrong-sized CPU registers leads to a seemingly innocuous mathematical miscalculation. This causes a chain reaction domino effect ultimately culminating in code execution, making ETERNALBLUE one of the most complex exploits ever written. They will discuss what was necessary to port the exploit to Microsoft Windows 10, and future mitigations Microsoft has already deployed, which can prevent vulnerabilities of this class from being exploited in the future. The FUZZBUNCH version of the exploit contains an Address Space Layout Randomization (ASLR) bypass, and the Microsoft Windows 10 version required an additional Data Execution Prevention (DEP) bypass not needed in the original exploit.

tags | paper, remote, kernel, vulnerability, code execution
systems | windows
SHA-256 | fa13189f37eae3318ce25b3bd600e5e83270e401b53f1a2fd4a6340b7b1a8803
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Posted May 17, 2017
Authored by Sean Dillon, Shadow Brokers, Dylan Davis, Equation Group | Site metasploit.com

This Metasploit module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again.

tags | exploit, overflow, shell, kernel
advisories | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
SHA-256 | fcd672e1db61c5667abd4ad7d59c77b0f8210801d49bddeb68652ed4c77084d2
Microsoft Windows MS17-010 SMB Remote Code Execution
Posted Apr 17, 2017
Authored by Sean Dillon | Site metasploit.com

This Metasploit module uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. This Metasploit module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

tags | exploit, info disclosure
advisories | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
SHA-256 | 406793a6d738119ccb6d6413edb253d56dcc7567c30b9802bc8d69cb7209cb0b
Cisco ASA EXTRABACON Improved Shellcode
Posted Sep 16, 2016
Authored by Sean Dillon

69 bytes small Cisco ASA authentication bypass (EXTRABACON) better shellcode.

tags | shellcode
systems | cisco
SHA-256 | 52d60da7cead5faec24d4586ff3dc647622de7386e5e131d3f21e84ea31b0773
Cisco ASA 9.2(3) EXTRABACON Module / Authentication Bypass
Posted Sep 16, 2016
Authored by Sean Dillon, Zachary Harding

This is an additional EXTRABACON module for Cisco ASA version 9.2(3). This does not use the same shellcode as the Equation Group version, but accomplishes the same task of disabling the auth functions in less stages/bytes.

tags | exploit, shellcode, bypass
systems | cisco
SHA-256 | b48c246e5c9d0e2536c96945fc13c72466f5ca13beb249ed401f73eedaf53ac4
Banner Student XSS / Information Disclosure / Open Redirect
Posted Dec 3, 2015
Authored by Sean Dillon

Banner Student suffers from cross site scripting, information disclosure, user enumeration, and open redirect vulnerabilities. Versions affected range through 8.5.1.2 to 8.7.

tags | advisory, vulnerability, xss, info disclosure
advisories | CVE-2015-4687, CVE-2015-4688, CVE-2015-4689, CVE-2015-5054
SHA-256 | ac1224d3a2c05dfbbfdcac9ff7ec8f63d106fdc3c9fd7d2a3d28f25b3baf9aac
Page 1 of 1
Back1Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close