
Files from FX

Email address: fx at phenoelit.de
First Active: 2000-06-13
Last Active: 2020-06-03
Node.js Hostname Verification Bypass
Posted Jun 3, 2020
Authored by FX, Google Security Research

Insecure TLS session reuse can lead to a hostname verification bypass in Node.js.

tags | exploit
MD5 | 9bde5356a44eb307d096d404cbcdc1d0
haproxy hpack-tbl.c Out-Of-Bounds Write
Posted Apr 21, 2020
Authored by FX, Google Security Research

The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP2 request (or response).

tags | exploit, web
advisories | CVE-2020-11100
MD5 | ec4200ed138e11159b83e1a1d18ff6d3
Git Credential Helper Protocol Newline Injection
Posted Apr 15, 2020
Authored by FX, Google Security Research

A git clone action can leak cached / stored credentials for github.com to example.com due to insecure handling of newlines in the credential helper protocol.

tags | exploit, protocol
advisories | CVE-2020-5260
MD5 | c958ad3ac0a7a989d1f7f2c9f24fadb6
KVM VMX Preemption Timer Use-After-Free
Posted Feb 16, 2019
Authored by FX, Google Security Research

KVM suffers from a use-after-free vulnerability after using the emulated VMX preemption timer.

tags | exploit
advisories | CVE-2019-7221
MD5 | a0d1f27f5e38bc4b60b7e3417a578978
KVM kvm_inject_page_fault Uninitialized Memory Leak
Posted Feb 16, 2019
Authored by FX, Google Security Research

KVM suffers from an uninitialized memory leak vulnerability in kvm_inject_page_fault.

tags | exploit, memory leak
advisories | CVE-2019-7222
MD5 | d143badc5670e32e28cf7e6fb40d4424
Evince CBT File Command Injection
Posted Feb 7, 2019
Authored by FX, Sebastian Krahmer, Brendan Coles, Matlink | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload.

tags | exploit
advisories | CVE-2017-1000083
MD5 | 518ed0c670d289725a426edf1b4243c3
NetworkManager Daemon Command Execution
Posted Sep 6, 2018
Authored by FX, Sameer Goyal

This is a small tutorial write up that provides a DynoRoot exploit proof of concept.

tags | exploit, proof of concept
advisories | CVE-2018-1111
MD5 | 34564033c2577542c76d3de9c82d2615
Xen xen-netback xenvif_set_hash_mapping Integer Overflow
Posted Aug 17, 2018
Authored by FX, Google Security Research

Xen suffers from an integer overflow vulnerability in xen-netback xenvif_set_hash_mapping.

tags | advisory, overflow
MD5 | 056a37f9c265e3d9566b012c2ea95423
KVM Nest Virtualization L1 Guest Privilege Escalation
Posted Jun 25, 2018
Authored by FX, Google Security Research

When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.

tags | exploit
MD5 | 52237ddbf09d9e8e93706408732deecf
DHCP Client Command Injection (DynoRoot)
Posted Jun 12, 2018
Authored by FX | Site metasploit.com

This Metasploit module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

tags | exploit, arbitrary, local, root, spoof, protocol
systems | linux, redhat, fedora
advisories | CVE-2018-1111
MD5 | 5260d2ef5bb8f8bbc5edbc0ec7cb7c67
EMC Replication Manager / Network Module Remote Code Execution
Posted Oct 4, 2016
Authored by FX | Site emc.com

EMC Replication Manager (RM) is affected by a remote code execution vulnerability that may be exploited by an attacker to compromise an affected system. A remote unauthenticated attacker may execute arbitrary commands on an RM Client, with high privileges, by starting a rogue RM Server that connects to the RM Client and executes a malicious script/payload placed by the attacker in an SMB share that is accessible to the RM Client. Affected products include EMC Replication Manager versions prior to 5.5.3 on all supported OS, EMC Network Module for Microsoft version 3.x, and EMC Networker Module for Microsoft version 8.2.x.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2016-0913
MD5 | 4196d1c352856a42a93ca08de065887a
Action Pack DoS / SQL Injection / Code Execution
Posted Jan 8, 2013
Authored by FX, Jonathan Rudenberg, Ben Murphy, Bryan Helmkamp, Magnus Holm, Charlie Somerville, Aaron Patterson, Darcy Laycock, Benoist Claassen

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a denial of service attack on a Rails application.

tags | advisory, denial of service, arbitrary, sql injection, ruby
advisories | CVE-2013-0156
MD5 | 85e44204ba7170674ab3b48f8e9aa554
Router Exploitation
Posted Nov 23, 2012
Authored by FX | Site recurity-labs.com

This is a presentation called Router Exploitation. It was given at BlackHat 2009. It discusses various vendors such as Cisco, Juniper, Huawei, and more.

tags | paper
systems | cisco, juniper
MD5 | e392d0b1fc69f4d7ac2a5079ed9c7203
Cisco CUCM Directory Traversal / Reversible Obfuscation
Posted Nov 8, 2011
Authored by FX, Sandro Gauci | Site recurity-labs.com

The Cisco CUCM environment and the IP Phone CP-7975G suffer from a directory traversal, a reversible obfuscation algorithm, and security issues related to SCCP, CTFTP, and Voice VLAN separation. Versions 7.0 and 8.0(2) are affected.

tags | exploit, file inclusion
systems | cisco
MD5 | 0beac78c5f61b53a31e06e89fff5f7b2
CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit
Posted Nov 20, 2010
Authored by FX, tdz | Site metasploit.com

CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.

tags | exploit, web, arbitrary, php
advisories | OSVDB-69352
MD5 | 27a4713b86a9f2dc74fea03d6d22680a
Cisco IOS Router Exploitation
Posted Jul 26, 2009
Authored by FX | Site recurity-labs.com

Whitepaper called Cisco IOS Router Exploitation. This paper describes the challenges with the exploitation of memory corruption software vulnerabilities in Cisco IOS. The goal is to map out the problem space in order to allow for the anticipation of future developments, as current research suggests that exploitation of such vulnerabilities in the wild is not currently occurring. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution given the current state of Cisco IOS router networks.

tags | paper, vulnerability
systems | cisco
MD5 | e3af39385998611d3c8c240c4d54b972
Posted May 28, 2008
Authored by FX, Alexander Klink | Site cynops.de

Opera versions below 9.25 are susceptible to a heap-based buffer overflow that allows for a denial of service and possibly code execution.

tags | advisory, denial of service, overflow, code execution
advisories | CVE-2007-6521
MD5 | 4b4ae0f9c353645fb3e0a5010c2ef188
Posted Mar 13, 2008
Authored by FX | Site recurity-labs.com

The Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application suffers from buffer overflow and cross site scripting vulnerabilities. Details provided.

tags | exploit, overflow, vulnerability, xss
systems | cisco, windows
advisories | CVE-2008-0532, CVE-2008-0533
MD5 | 961e3eb6859ac0685950a52be2066222
Cisco Security Advisory 20080312-ucp
Posted Mar 13, 2008
Authored by FX, Cisco Systems | Site cisco.com

Cisco Security Advisory - Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application. The first set of vulnerabilities address several buffer overflow conditions in the UCP application that could result in remote execution of arbitrary code on the host system where UCP is installed. The second set of vulnerabilities address cross-site scripting in the UCP application pages.

tags | advisory, remote, overflow, arbitrary, vulnerability, xss
systems | cisco, windows
advisories | CVE-2008-0532, CVE-2008-0533
MD5 | 383c5bf5fc0d9bcd46fd639132dd50a6
Posted Nov 14, 2006
Authored by FX

Original Win32 version of the exploit for the gwrd bug in SAP versions below 4.6D patch 1767 and versions below 6.40 patch 4. Allows for remote command execution.

tags | exploit, remote
systems | windows
MD5 | 655cccf80e97da3df892dd6b0ef94ce3
Posted Sep 14, 2006
Authored by FX | Site phenoelit.de

Phenoelit Advisory - Cisco Systems IOS contains bugs when handling the VLAN Trunking Protocol (VTP). Specially crafted packets may cause denial of service conditions, confusion of the network operator and a heap overflow with the possibility for arbitrary code execution.

tags | advisory, denial of service, overflow, arbitrary, code execution, protocol
systems | cisco
MD5 | b8a3f27492d23e7b9594e53bc2864839
Posted Sep 7, 2006
Authored by FX | Site phenoelit.de

Phenoelit Advisory - Cisco Systems IOS contains a bug when parsing GRE packets with GRE source routing information. A specially crafted GRE packet can cause the router to reuse packet data from unrelated ring buffer memory. The resulting packet is reinjected into the routing queues. Tested on C3550 IOS 12.1(19).

tags | advisory
systems | cisco
MD5 | f09a97e7d16b1d3caf71b6f332a4a856
Posted Apr 28, 2004
Authored by FX | Site phenoelit.de

Linux root and Windows NT/2000 Administrator remote exploit for HP Web JetAdmin 6.5.

tags | exploit, remote, web, root
systems | linux, windows, nt
MD5 | 5cd19d9db75680df1b4b9a5cd6ca9642
Posted Apr 28, 2004
Authored by FX | Site phenoelit.de

Phenoelit Advisory #0815 - Multiple vulnerabilities exist in the HP Web JetAdmin product. Version 6.5 is fully affected. Versions 7.0 and 6.2 and below are partially affected. A vulnerability summary list: source disclosure of HTS and INC files, real path disclosure of critical files, critical files accessible through the web server, user and administrator password disclosure and decryption, user and administrator password replay, and many, many others.

tags | advisory, web, vulnerability
MD5 | e3e5f8476c574e691368a1f5161fc720
Posted Aug 10, 2003
Authored by FX | Site phenoelit.de

Cisco Systems IOS 11.x UDP echo memory leak remote sniffer. The UDP echo service (UDP port 7) has to be enabled on the device. The bug will cause the Cisco router to send about 20 kilobytes of data from the interface buffer pools containing packets in the send/recv/forward queues. This tool will identify IOS memory blocks, find the router specific offset for packets in the block and decode the packet to the screen. Note that this is not a full dump of the traffic through the remote router but rather a subset of received data. Features include a packet checksum cache to prevent repeated output of the same packet, auto identification of packets and buffer offsets, and IPv4 decoding.

tags | remote, udp, memory leak
systems | cisco
MD5 | ad960f073fda285b82dea6d8225ec6f8