Exploit the possibilities
Showing 1 - 25 of 51

Files from Ramon de C Valle

Email address: private
First Active: 2003-09-13
Last Active: 2015-11-06
Java Secure Socket Extension (JSSE) SKIP-TLS
Posted Nov 6, 2015
Authored by Ramon de C Valle

Java Secure Socket Extension (JSSE) SKIP-TLS exploit that has been tested on JDK 8u25 and 7u72. This is a stand-alone ruby exploit and does not require Metasploit.

tags | exploit, java
advisories | CVE-2014-6593
MD5 | 67a97ff13fef641743175656e610fabf
OpenSSL Alternative Chains Certificate Forgery
Posted Nov 6, 2015
Authored by Ramon de C Valle

OpenSSL alternative chains certificate forgery exploit that has been tested on OpenSSL 1.0.2c, 1.0.2b, 1.0.1o, 1.0.1n, and Fedora 22 (1.0.1k-fips). This is a stand-alone ruby exploit and does not require Metasploit.

tags | exploit, ruby
systems | linux, fedora
advisories | CVE-2015-1793
MD5 | cbe7f7b97e5ea083dd73abc376c891d6
Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy
Posted Aug 12, 2015
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits an incomplete internal state distinction in Java Secure Socket Extension (JSSE) by impersonating the server and finishing the handshake before the peers have authenticated themselves and instantiated negotiated security parameters, resulting in a plaintext SSL/TLS session with the client. This plaintext SSL/TLS session is then proxied to the server using a second SSL/TLS session from the proxy to the server (or an alternate fake server) allowing the session to continue normally and plaintext application data transmitted between the peers to be saved. This Metasploit module requires an active man-in-the-middle attack.

tags | exploit, java
advisories | CVE-2014-6593
MD5 | 33e7ee64240cb6f6f786adb319224727
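The two SKIP-TLS entries above describe the bug in one sentence: the client dispatches on handshake message type without checking that the messages which derive keys and switch on record protection have actually been processed. The following toy client state machine, an added example and not code from either file, shows the lenient and the strict behaviour side by side. Message names follow the TLS 1.2 handshake types; the class, method and constant names are made up for this illustration.

```ruby
# Added example, not code from either SKIP-TLS file above. A toy TLS 1.2
# client handshake state machine: message names follow the real handshake
# types, the class and method names are made up for this illustration.

class HandshakeViolation < StandardError; end

class ToyTlsClient
  # Allowed next message for each state. RSA key exchange goes straight
  # from Certificate to ServerHelloDone, (EC)DHE via ServerKeyExchange,
  # so both are legal after :certificate.
  EXPECTED = {
    wait_server_hello: [:server_hello],
    wait_certificate:  [:certificate],
    wait_ske_or_done:  [:server_key_exchange, :server_hello_done],
    wait_done:         [:server_hello_done],
    wait_ccs:          [:change_cipher_spec],
    wait_finished:     [:finished],
    established:       []
  }.freeze

  # strict: true enforces the expected order (patched behaviour);
  # strict: false dispatches on message type only, which is the internal
  # state distinction JSSE got wrong before the CVE-2014-6593 fix.
  def initialize(strict:)
    @strict = strict
    @state = :wait_server_hello
    @keys_derived = false   # true once the key exchange has run
    @cipher_active = false  # true once ChangeCipherSpec switched the keys on
    @established = false
  end

  def process(msg)
    if @strict && !EXPECTED.fetch(@state).include?(msg)
      raise HandshakeViolation, "unexpected #{msg} while in #{@state}"
    end
    case msg
    when :server_hello        then @state = :wait_certificate
    when :certificate         then @state = :wait_ske_or_done
    when :server_key_exchange then @state = :wait_done
    when :server_hello_done
      @keys_derived = true    # client answers with ClientKeyExchange here
      @state = :wait_ccs
    when :change_cipher_spec
      @cipher_active = @keys_derived
      @state = :wait_finished
    when :finished
      # The lenient client accepts a Finished in any state, so a server that
      # skips ServerKeyExchange/ServerHelloDone/ChangeCipherSpec lands here
      # with no keys derived and no record protection.
      @established = true
      @state = :established
    else
      raise HandshakeViolation, "unknown message #{msg}"
    end
    self
  end

  def established?; @established; end
  def encrypted?;   @cipher_active; end
end

SKIP_TLS_SEQUENCE = [:server_hello, :certificate, :finished].freeze
NORMAL_SEQUENCE   = [:server_hello, :certificate, :server_key_exchange,
                     :server_hello_done, :change_cipher_spec, :finished].freeze

# Feeds a server message sequence to a client and reports the outcome.
def run_handshake(messages, strict:)
  client = ToyTlsClient.new(strict: strict)
  messages.each { |m| client.process(m) }
  { established: client.established?, encrypted: client.encrypted? }
end

if __FILE__ == $0
  p run_handshake(SKIP_TLS_SEQUENCE, strict: false)   # established, not encrypted
  p run_handshake(NORMAL_SEQUENCE, strict: true)
  begin
    run_handshake(SKIP_TLS_SEQUENCE, strict: true)
  rescue HandshakeViolation => e
    puts "strict client: #{e.message}"
  end
end
```

The lenient client ends the SKIP-TLS sequence with established true and encrypted false, which is exactly the plaintext session the MITM proxy module then relays to the real server. The strict client raises on the early Finished. When auditing a TLS implementation, this is the property to test: every handshake message must be rejected unless the state machine is in a state that expects it.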
OpenSSL Alternative Chains Certificate Forgery MITM Proxy
Posted Jul 27, 2015
Authored by Ramon de C Valle, Adam Langley, David Benjamin | Site metasploit.com

This Metasploit module exploits a logic error in OpenSSL by impersonating the server and sending a specially crafted chain of certificates, which causes certain checks on untrusted certificates to be bypassed on the client and allows a valid leaf certificate to be used as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server, allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must either lack the keyUsage extension or have the keyCertSign bit set (see the X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This Metasploit module requires an active man-in-the-middle attack.

tags | exploit, crypto
advisories | CVE-2015-1793
MD5 | 244abcb9001d9746e6846f9785dab572
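Both CVE-2015-1793 entries (the stand-alone exploit above and this proxy module) hinge on the keyUsage test in X509_check_issued and on a leaf certificate being accepted as an issuer. The following script is an added example, not code from the exploit or from Metasploit: it builds a small PKI in memory, applies the same keyUsage gate to candidate issuers, and asks the locally installed OpenSSL to verify a certificate signed with a leaf's key. All subjects and the directory layout are made up; the script needs only Ruby's bundled openssl extension.

```ruby
require 'openssl'

# Added example, not the exploit's or Metasploit's code: an in-memory PKI
# used to show (1) the keyUsage gate in X509_check_issued that the module
# description refers to and (2) that a patched OpenSSL rejects a chain in
# which a leaf certificate acts as the issuer. Subjects are made up.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# key_usage: nil leaves the keyUsage extension out entirely.
def make_cert(subject:, key:, ca:, key_usage:, serial:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true)) if key_usage
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The test X509_check_issued applies before it treats a certificate as
# the issuer of another: no keyUsage extension at all, or keyCertSign set.
def passes_issuer_key_usage?(cert)
  ku = cert.extensions.find { |e| e.oid == 'keyUsage' }
  return true if ku.nil?
  ku.value.split(',').map(&:strip).include?('Certificate Sign')
end

# Verifies cert against one trusted root using the given untrusted chain.
def chain_valid?(root, cert, untrusted)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  ok = store.verify(cert, untrusted)
  [ok, store.error_string]
end

def alt_chain_demo
  root_key, inter_key, leaf_key, noku_key = Array.new(4) { make_key }
  root  = make_cert(subject: '/CN=Example Root', key: root_key, ca: true,
                    key_usage: 'keyCertSign,cRLSign', serial: 1)
  inter = make_cert(subject: '/CN=Example Intermediate', key: inter_key, ca: true,
                    key_usage: 'keyCertSign,cRLSign', serial: 2,
                    issuer: root, issuer_key: root_key)
  # ordinary TLS server certificate: keyUsage present, keyCertSign absent
  leaf  = make_cert(subject: '/CN=www.example.test', key: leaf_key, ca: false,
                    key_usage: 'digitalSignature,keyEncipherment', serial: 3,
                    issuer: inter, issuer_key: inter_key)
  # leaf issued without any keyUsage extension: the kind of certificate the
  # attack needs, because X509_check_issued lets it through as an issuer
  noku  = make_cert(subject: '/CN=noku.example.test', key: noku_key, ca: false,
                    key_usage: nil, serial: 4, issuer: inter, issuer_key: inter_key)
  # forged certificate for the victim host, signed with the noku leaf's key
  forged = make_cert(subject: '/CN=victim.example.test', key: leaf_key, ca: false,
                     key_usage: 'digitalSignature', serial: 5,
                     issuer: noku, issuer_key: noku_key)
  forged_ok, forged_err = chain_valid?(root, forged, [noku, inter])
  {
    leaf_valid:       chain_valid?(root, leaf, [inter]).first,
    leaf_passes_gate: passes_issuer_key_usage?(leaf),
    noku_passes_gate: passes_issuer_key_usage?(noku),
    forged_valid:     forged_ok,    # false on a patched OpenSSL
    forged_error:     forged_err
  }
end

puts alt_chain_demo if __FILE__ == $0
```

On a fixed OpenSSL the forged certificate is rejected because the noku leaf is not a CA; on the vulnerable versions listed above the alternative-chain retry skipped that check and accepted it. The gate function explains the precondition in the module text: the www leaf, with keyUsage but no keyCertSign, never gets as far as the buggy code path, while the noku leaf does.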
DHCP Client Bash Environment Variable Code Injection
Posted Sep 26, 2014
Authored by Ramon de C Valle, scriptjunkie, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits a code injection in specially crafted environment variables in Bash, specifically targeting dhclient network configuration scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.

tags | exploit, bash
advisories | CVE-2014-6271
MD5 | 19a0fcbe08d157ed9445eba999ba7bf9
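The DHCP vector works because dhclient exports option values such as the host name and domain name as environment variables before running its configuration scripts with Bash. The script below is an added example, not the Metasploit module: it encodes the DHCP options a rogue server would send (option codes 12, 15 and 114), decodes them as a client would, and applies the two checks a hardened client would make, a pattern match for a Bash function definition and a host name syntax check. The sample values are constructed for the example.

```ruby
# Added example, not the Metasploit module: builds the DHCP option block a
# rogue server would send, decodes it the way a client does, and applies
# the two checks that stop the dhclient vector. Sample values are made up.

DHCP_MAGIC = "\x63\x82\x53\x63".b           # RFC 2132 options cookie
OPT_END    = 255
OPT_PAD    = 0
OPT_NAMES  = { 12 => 'host-name', 15 => 'domain-name', 114 => 'url' }.freeze

# code => value hash to TLV bytes (one-byte length per RFC 2132)
def encode_options(opts)
  body = opts.map do |code, value|
    raise ArgumentError, "option #{code} longer than 255 bytes" if value.bytesize > 255
    [code, value.bytesize].pack('CC') + value.b
  end.join
  DHCP_MAGIC + body + [OPT_END].pack('C')
end

def decode_options(bytes)
  raise ArgumentError, 'missing DHCP magic cookie' unless bytes.byteslice(0, 4) == DHCP_MAGIC
  out = {}
  pos = 4
  while pos < bytes.bytesize
    code = bytes.getbyte(pos)
    break if code == OPT_END
    if code == OPT_PAD
      pos += 1
      next
    end
    len = bytes.getbyte(pos + 1) or break   # truncated option
    out[code] = bytes.byteslice(pos + 2, len)
    pos += 2 + len
  end
  out
end

# Unpatched Bash treats any imported variable whose value starts with
# "() {" as a function definition and runs whatever follows the body.
def shellshock_payload?(value)
  value.match?(/\A\s*\(\)\s*\{/)
end

# RFC 952/1123 host name: labels of letters, digits and interior hyphens.
HOSTNAME_RE = /\A(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\z/

def valid_hostname?(value)
  value.bytesize <= 253 && value.match?(HOSTNAME_RE)
end

# Names of options whose values would be handed to Bash as a function.
def flag_options(decoded)
  decoded.select { |_, v| shellshock_payload?(v) }.keys.map { |c| OPT_NAMES.fetch(c, c.to_s) }
end

if __FILE__ == $0
  evil = encode_options(12 => 'host1', 15 => "() { :;}; /usr/bin/id > /tmp/dhcp-pwned")
  decoded = decode_options(evil)
  puts "options flagged: #{flag_options(decoded).inspect}"
  decoded.each { |c, v| puts "#{OPT_NAMES.fetch(c, c)}: valid host name? #{valid_hostname?(v)}" }
end
```

The syntax check is the stronger of the two: a host name or domain name that passes it cannot contain the parentheses and braces Bash looks for, so it rejects the payload and any variant of it without a signature. The pattern match is what network and host detection rules for CVE-2014-6271 keyed on and is useful for spotting attempts in captured DHCP traffic.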
Katello (Red Hat Satellite) users/update_roles Missing Authorization
Posted Mar 25, 2014
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a missing authorization vulnerability in the "update_roles" action of the "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2143
MD5 | 4d71139eb4f6a2e926cd6edf3113a12e
Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
Posted Dec 27, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in the "explorer" action of the "miq_policy" controller of Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by changing the password of the target account to the specified password.

tags | exploit, sql injection
systems | linux, redhat
advisories | CVE-2013-2050
MD5 | 44e41933fe930ba06179d9c0f24a5cbb
Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal
Posted Dec 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a path traversal vulnerability in the "linuxpkgs" action of the "agent" controller of Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action, although this is not necessary because the application already contains a general default route.

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2068
MD5 | 48070b8026fb661ca2872ef418792414
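The module above turns a file write into code execution simply because the upload handler resolved a client-supplied file name relative to a writable directory without confining the result. The check it lacked is shown below as an added example, not the module's or the product's code, next to the substring test that is usually tried first and that an absolute path slips past. The base directory is made up.

```ruby
# Added example, not the module's or CloudForms' code: the containment
# check the vulnerable "linuxpkgs" upload handler needed, next to a naive
# substring check that is easy to get past. The directory is made up.

UPLOAD_ROOT = '/var/lib/example-agent/linuxpkgs'   # hypothetical base directory

class PathTraversal < StandardError; end

# A substring check is the usual first attempt and misses absolute paths.
def naive_blocked?(user_path)
  user_path.include?('../')
end

# Resolve the user-supplied path relative to root and require the result
# to stay inside root. Compare on the normalised absolute path, not on the
# input string, so "a/../../x" and "/etc/x" are both caught.
def safe_join(root, user_path)
  root_abs = File.expand_path(root)
  target   = File.expand_path(user_path, root_abs)
  inside   = target == root_abs || target.start_with?(root_abs + File::SEPARATOR)
  raise PathTraversal, "#{user_path.inspect} resolves outside #{root}" unless inside
  target
end

if __FILE__ == $0
  ['pkgs/foo.rpm', '../../app/controllers/evil_controller.rb', '/etc/passwd'].each do |f|
    begin
      puts "#{f} -> #{safe_join(UPLOAD_ROOT, f)} (naive check: #{naive_blocked?(f)})"
    rescue PathTraversal => e
      puts "rejected: #{e.message} (naive check: #{naive_blocked?(f)})"
    end
  end
end
```

Two caveats apply in a real handler. The name must be URL-decoded before the check, otherwise "..%2f" is treated as a literal file name and passes. And File.expand_path does not resolve symlinks, so on a tree the attacker can already write to, compare File.realpath of the parent directory instead.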
Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
Posted Aug 21, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a mass assignment vulnerability in the "create" action of the "users" controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, the account used must have the create_users permission (e.g., the Manager role).

tags | exploit, arbitrary
systems | linux, redhat
advisories | CVE-2013-2113, OSVDB-94655
MD5 | 6b7d123975185a045bc7808f5ce92877
Foreman (Red Hat OpenStack/Satellite) Code Injection
Posted Jul 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a code injection vulnerability in the "create" action of the "bookmarks" controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2121, OSVDB-94671
MD5 | 922587c049a42e91fe73e7fe6530dc91
Linux Kernel Sendpage Local Privilege Escalation
Posted Jul 19, 2012
Authored by Brad Spengler, Ramon de C Valle, Tavis Ormandy, Julien Tinnes, egypt | Site metasploit.com

The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4, and 2.6.0 up to and including 2.6.30.4.

tags | exploit, arbitrary, kernel, protocol, ppc
systems | linux
advisories | CVE-2009-2692
MD5 | 2592f40037078ac9737526c10644b4e9
Exploiting glibc __tzfile_read Part II
Posted Dec 13, 2011
Authored by Ramon de C Valle

This is a follow-up document that discusses exploiting the glibc __tzfile_read integer overflow to buffer overflow and leveraging Vsftpd.

tags | paper, overflow
MD5 | 576c8db378ded4be5d8a9e9c34114d14
Exploiting glibc __tzfile_read Integer Overflow To Buffer Overflow And Vsftpd
Posted Dec 13, 2011
Authored by Ramon de C Valle | Site rcvalle.com

This is a write up that discusses exploiting the glibc __tzfile_read integer overflow to buffer overflow and leveraging Vsftpd.

tags | paper, overflow
MD5 | 761eafe34246bc9609dce3ba94413dea
Apache Range Header Denial Of Service
Posted Dec 9, 2011
Authored by Ramon de C Valle

This is a reverse-engineered version of the exploit by ev1lut10n. It triggers a denial of service condition through a vulnerability in Range header handling in Apache 1.3.x, 2.0.64 and below, and 2.2.19 and below.

tags | exploit, denial of service
advisories | CVE-2011-3192
MD5 | 9f5363e14c1fb3f5e64d4c431ff3e68a
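The request behind CVE-2011-3192 is a single GET carrying a Range header with a very large number of byte ranges, each of which httpd turned into a separately buffered response part. The script below is an added example, not the exploit file: it builds a header of that shape, parses Range headers, and implements the "too many or overlapping ranges" test behind the workaround Apache published. The range count and the overlap rule are this example's own choices.

```ruby
# Added example, not the exploit file: what the CVE-2011-3192 Range header
# looks like, a parser for the header, and the "too many or overlapping
# ranges" check behind the mitigation Apache published. Thresholds here
# are our own choice.

# The public exploit sends one open range followed by hundreds of tiny
# ranges; count is the number of "5-N" entries appended.
def dos_range_header(count)
  ranges = ['0-'] + Array.new(count) { |i| "5-#{i}" }
  "bytes=#{ranges.join(',')}"
end

RANGE_SPEC = /\A(\d*)-(\d*)\z/

# "bytes=a-b,c-,-d" -> [[a, b], [c, nil], [nil, d]]; nil for a malformed header
def parse_range(header)
  return nil unless header.start_with?('bytes=')
  header.delete_prefix('bytes=').split(',').map do |spec|
    m = spec.strip.match(RANGE_SPEC)
    return nil unless m
    first = m[1].empty? ? nil : m[1].to_i
    last  = m[2].empty? ? nil : m[2].to_i
    return nil if first.nil? && last.nil?
    [first, last]
  end
end

MAX_RANGES = 5   # the cut-off used in Apache's published workaround

# True when the request should be refused or the header dropped.
def suspicious_range?(header, max_ranges: MAX_RANGES)
  ranges = parse_range(header)
  return false if ranges.nil? || ranges.empty?   # malformed: httpd ignores it
  return true if ranges.size > max_ranges
  # Overlapping explicit ranges serve no legitimate purpose; they only
  # multiply the work the server does per request.
  closed = ranges.reject { |f, l| f.nil? || l.nil? }.sort_by(&:first)
  closed.each_cons(2).any? { |(_, prev_last), (next_first, _)| next_first <= prev_last }
end

if __FILE__ == $0
  attack = dos_range_header(1300)
  puts "#{parse_range(attack).size} ranges, suspicious: #{suspicious_range?(attack)}"
  puts "bytes=0-499,500-999 suspicious: #{suspicious_range?('bytes=0-499,500-999')}"
end
```

Apache's advisory for this CVE suggested, pending the fix, a SetEnvIf rule that counts the commas in the Range header and a RequestHeader directive that unsets the header when there are five or more; the function above is the same decision expressed as code, plus an overlap test that catches short headers built from repeated ranges. Legitimate clients (download managers, media players) rarely send more than two or three ranges per request.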
Unixasm Assembly Components 1.4.0
Posted May 25, 2010
Authored by Ramon de C Valle | Site risesecurity.org

A collection of shellcodes for bsd-x86, linux-x86, sco-x86, solaris-x86 and other platforms. The project contains a set of assembly components for proof-of-concept code on different operating systems and architectures. The components were designed and implemented for maximum reliability, following strict coding standards and requirements such as system call invocation conventions and position-independent, register-independent and zero-free code. Special attention was paid to code length, resulting in the shortest and most reliable codes of their kind.

Changes: Added support for AIX versions 6.1.4, 6.1.3, 6.1.2, 6.1.1, 5.3.10, 5.3.9, 5.3.8 and 5.3.7. Changed the base value used for calculating system call numbers and arguments to avoid null bytes on newer AIX versions.
tags | x86, shellcode, proof of concept
systems | linux, solaris, bsd
MD5 | 60a76fdf12cb7a857ec72598b222d90c
Firebird Relational Database isc_attach_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Firebird (a fork of the Borland InterBase code base) by sending a specially crafted attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | d17ecb0c8825e699cbfc4ab9d9342164
Firebird Relational Database isc_create_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Firebird (a fork of the Borland InterBase code base) by sending a specially crafted create request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | 9b3d806b79e920c84b6bc3eb29bcf061
Firebird Relational Database SVC_attach() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Firebird (a fork of the Borland InterBase code base) by sending a specially crafted service attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | 1ea324be8ea8e7ff7f474978dc9d54e0
Borland InterBase isc_attach_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | a309e699ae44406d74ac0fa0e8c0da85
Borland InterBase isc_create_database() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted create request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | ff7271f28dbab6b339eb80b560771d39
Borland InterBase SVC_attach() Buffer Overflow
Posted Nov 26, 2009
Authored by Ramon de C Valle, Adriano Lima | Site metasploit.com

This Metasploit module exploits a stack overflow in Borland InterBase by sending a specially crafted service attach request.

tags | exploit, overflow
advisories | CVE-2007-5243
MD5 | 221842da93044ac6124e2e9fcd093224
Linux sock_sendpage() NULL Pointer Dereference
Posted Sep 11, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() NULL pointer dereference exploit. This is the third and final version of the exploit, featuring: complete support for i386, x86_64, ppc and ppc64; the personality trick published by Tavis Ormandy and Julien Tinnes; the TOC pointer workaround for data item addressing on ppc64 (i.e., functions in the exploit code and in libc can be referenced); and improved search for, and transition to, SELinux types with the mmap_zero permission.

tags | exploit, kernel, ppc
systems | linux
MD5 | ba34279bc16e75755c6ccde2abc364ed
Linux sock_sendpage() NULL Pointer Dereference
Posted Sep 7, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() NULL pointer dereference exploit. This newer version of the exploit also works with Linux kernel versions that implement COW credentials (e.g., Fedora 11). On SELinux-enforcing systems, it automatically searches the SELinux policy rules for types with the mmap_zero permission that it can transition to, and tries to exploit the system with those types.

tags | exploit, kernel
systems | linux, fedora
MD5 | a2d1ab561d33990a4b43f745be2ca019
Linux sock_sendpage() Local Root Exploit
Posted Sep 2, 2009
Authored by Ramon de C Valle | Site risesecurity.org

Linux 2.4 and 2.6 kernel sock_sendpage() local root exploit for powerpc.

tags | exploit, overflow, kernel, local, root
systems | linux
MD5 | 3370375cc70e25d04ffb4ff9b97b23ef
Linux eCryptfs parse_tag_3_packet Encrypted Key Overflow
Posted Jul 28, 2009
Authored by Ramon de C Valle | Site risesecurity.org

There is a vulnerability in a function of Linux eCryptfs (Enterprise Cryptographic Filesystem) which, when properly exploited, can lead to compromise of the vulnerable system. The vulnerability was confirmed on Linux kernel 2.6.30.3. Linux kernel versions 2.6.19 and later include eCryptfs support and may also be affected.

tags | advisory, kernel
systems | linux
MD5 | 4264bc14bc62583865240a418b894751
Page 1 of 3

© 2016 Packet Storm. All rights reserved.
