what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 28 RSS Feed

Files from Mati Aharoni

Email addressmuts at offensive-security.com
First Active2004-11-20
Last Active2012-04-20
TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
Posted Apr 20, 2012
Authored by Mati Aharoni, Datacut | Site metasploit.com

This Metasploit module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' , and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result a denial-of-service.

tags | exploit, remote, code execution
advisories | CVE-2008-1611, OSVDB-43785
SHA-256 | 97a2a64a4d7b26a5088cf3d73076bee782c41a2cccb84de4ec3d8a09cc34adad
HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow
Posted Dec 31, 2009
Authored by Mati Aharoni, bannedit | Site metasploit.com

This Metasploit module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this.

tags | exploit, remote, web, overflow, shell, shellcode
advisories | CVE-2008-1697
SHA-256 | 3dc7da1a36dedf13ddf7ea5539aaac3f51e4cbdb8ecfab2652405871dd1aca71
HP NNM 7.53 ovalarm.exe Buffer Overflow
Posted Dec 13, 2009
Authored by Mati Aharoni, sinn3r

HP NNM version 7.53 ovalarm.exe CGI pre-authentication remote buffer overflow exploit.

tags | exploit, remote, overflow, cgi
SHA-256 | c3254e5bce844de2beae7b43c17e8ca6a8e7cc2e902e7f875b73fd47ddbfe34d
GlobalSCAPE Secure FTP Server Input Overflow
Posted Nov 26, 2009
Authored by Mati Aharoni, riaf | Site metasploit.com

This Metasploit module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account ( or anonymous access) is required for this exploit to work.

tags | exploit, overflow
advisories | CVE-2005-1415
SHA-256 | f92b038b30321d1e394a2a78f7f7a4672a2b84c28b02a128fdaf5a46600f586c
IIS 5.0 FTP Stack Overflow Exploit
Posted Nov 18, 2009
Authored by Kingcope, Mati Aharoni, Tomoki Sanaki

Remake of the IIS 5.0 FTP server / remote SYSTEM exploit. Useful for Win2k/JP SP0 through SP3.

tags | exploit, remote
systems | windows
SHA-256 | ed41a61ee6a96323a70d1473d264138fe153fd8d0c341f6b6c99253319cc1ba0
Microsoft IIS 5.0 FTP Stack Overflow
Posted Sep 1, 2009
Authored by Mati Aharoni

Microsoft IIS version 5.0 FTP server remote stack overflow exploit for Windows 2000 SP4. Binds a shell to port 4444.

tags | exploit, remote, overflow, shell
systems | windows
SHA-256 | ce40cb6da965a415dbfc5397a6839d38275511d3ed979f7ce1fdfec8d8278203
Microsoft Internet Explorer Vista XML Overflow
Posted Dec 10, 2008
Authored by Mati Aharoni | Site offensive-security.com

Microsoft Internet Explorer 7 XML parsing remote buffer overflow exploit that spawns calc.exe.

tags | exploit, remote, overflow
SHA-256 | 68f9fa88b21b8862740cac4d6058e5ea49f525f8a10b4724d1d4297a7a3e4da5
trixbox261-pwn.txt
Posted Jul 15, 2008
Authored by Mati Aharoni | Site offensive-security.com

Trixbox version 2.6.1 remote root exploit written in Python that spawns a reverse shell.

tags | exploit, remote, shell, root, python
SHA-256 | 3f6ae161657fee10bb1b94f8851f662ec45c6d00a9982ae5161a385caba2cc38
divx66.py.txt
Posted Apr 18, 2008
Authored by Mati Aharoni | Site offensive-security.com

DivX Player version 6.6.0 .SRT file handling SEH buffer overflow exploit.

tags | exploit, overflow
SHA-256 | d0c776b167346cb7b3bbbba959c1a956ee1363a07541a2a131ddbbc93d0153b6
hpopenviewnnm-overflow.txt
Posted Apr 3, 2008
Authored by Mati Aharoni | Site offensive-security.com

HP OpenView NNM version 7.5.1 pre-authentication SEH overflow exploit that takes advantage of OVAS.EXE and spawns a shell on port 4444.

tags | exploit, overflow, shell
SHA-256 | 2a87cd0d72e24941751c9b2458bcad6fef042e1ef4977ab83e8bcd7be9a4421c
novell-dos.txt
Posted Apr 3, 2008
Authored by Mati Aharoni | Site offensive-security.com

Novell eDirectory HTTP denial of service exploit.

tags | exploit, web, denial of service
SHA-256 | 2c961b1cde60fd28279cf7e9b53458f1a01c1d0b1131d03732e76b4866e70814
mcafeeepo-dos.txt
Posted Apr 3, 2008
Authored by Mati Aharoni | Site offensive-security.com

McAfee EPO version 4.0 remote denial of service exploit that takes advantage of FrameworkService.exe.

tags | exploit, remote, denial of service
SHA-256 | cb56841f9c46eb5a51ac3a43af27a3dcf1131d28c3139972272f110b7ea86d68
quick-tftp-poc.py.txt
Posted Mar 26, 2008
Authored by Mati Aharoni | Site offensive-security.com

Quick TFTP Pro version 2.1 SEH overflow zero day exploit that binds a shell to port 4444.

tags | exploit, overflow, shell
SHA-256 | 1bac570fc98c5f940e65509f6372e870bf2fe8387dd7abd28dbe29874b43bf7a
sourceforge-tftpd.py.txt
Posted Mar 26, 2008
Authored by Mati Aharoni | Site offensive-security.com

TFTP Server for Windows version 1.4 ST zero day buffer overflow exploit. Binds a shell to port 4444.

tags | exploit, overflow, shell
systems | windows
SHA-256 | 67086b8e331febb1aa873729f1bee0fc7975c00a401b0d11aa39d04f9b68c580
pt360dos.py.txt
Posted Mar 26, 2008
Authored by Mati Aharoni | Site offensive-security.com

PacketTrap Networks pt360 version 2.0.39 TFTPD remote denial of service exploit.

tags | exploit, remote, denial of service
SHA-256 | 1d5e31bb3ab9232256d0c7e623888840055c80f3d02ab0d300875e0a291d9905
hpopen-overflow.txt
Posted Dec 12, 2007
Authored by Mati Aharoni | Site offensive-security.com

HP OpenView Network Node Manager version 07.50 CGI remote buffer overflow exploit that spawns a shell on tcp/4444.

tags | exploit, remote, overflow, shell, cgi, tcp
SHA-256 | c1b6e6242b27a389d95d0a8c0c0d9590bc8a620c50eb280474996d727d7eb991
aquick-universal.txt
Posted Nov 27, 2007
Authored by Mati Aharoni | Site offensive-security.com

Apple QuickTime versions 7.2 and 7.3 RTSP response universal exploit that works with Internet Explorer 7, Firefox, and Opera.

tags | exploit
systems | apple
SHA-256 | f4fa5a6b0803d5abdd488b565446a702e500b49822e7ebe4be0f1cd8ed357563
ibmtivoli-preauth.txt
Posted Jun 7, 2007
Authored by Mati Aharoni | Site offensive-security.com

IBM Tivoli Provisioning Manager PRE AUTH remote exploit that binds a shell to TCP port 4444.

tags | exploit, remote, shell, tcp
SHA-256 | 274b58c71804e51a1b53bb25dfe6e426f2dad792e863c34a4944ce547967aa3a
0day.tar.gz
Posted Apr 10, 2007
Authored by Mati Aharoni | Site offensive-security.com

Muts' python fuzzer found several format bugs in Microsoft Word 2007. file789-1.doc causes an unspecified overflow in Word 2007. file798-1.doc causes a CPU exhaustion denial of service in Word 2007. file614-1.doc causes a CPU exhaustion denial of service and ends with a ding in Word 2007. evil.hlp demonstrates a heap overflow in Windows HLP files.

tags | exploit, denial of service, overflow, python, fuzzer
systems | windows
SHA-256 | 0bf99d28ae1aa96a0bc1342073df4220be09213fe84ae13ec1e089bbb109bd1e
muts_mailenable_imap_examine.pm.txt
Posted Dec 28, 2005
Authored by Mati Aharoni

Metasploit exploit for a remote buffer overflow that exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.

tags | exploit, remote, overflow, imap
SHA-256 | 32ff7a89101f26206751b513c937584a52058c2d9de29807a446083ec6427bd4
mailenable-imap-examine.py.txt
Posted Dec 28, 2005
Authored by Mati Aharoni

Python exploit for a remote buffer overflow that exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.

tags | exploit, remote, overflow, imap, python
SHA-256 | 2aa22f6b90d94adeab514c49934be2084dd51651d81239a49cd2c99a68e85f55
mailenable11.txt
Posted Dec 28, 2005
Authored by Mati Aharoni

A remote buffer overflow exists in the MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects MailEnable Enterprise 1.1 without the ME-10009.EXE patch.

tags | advisory, remote, overflow, imap, code execution
SHA-256 | 5d7e90c97562012dbbe25f0619abebad7142aa518eb5388cad9554f74af3d76c
Globalscape30.pdf
Posted Jul 2, 2005
Authored by Mati Aharoni

A buffer overflow was discovered in GlobalScape Secure FTP Server 3.0.2 which allows remote code execution by sending a malformed FTP request. Various methods of exploitation provided.

tags | exploit, remote, overflow, code execution
SHA-256 | 38e3ab9713454d5f7622f50845d5d6a61dbec81b4affb2623e8faa92359188bd
mailenable.tar.gz
Posted Mar 22, 2005
Authored by Mati Aharoni | Site see-security.com

Denial of service exploit that makes use of a format string vulnerability in MailEnable Standard Edition 1.8.

tags | exploit, denial of service
SHA-256 | 8a00478be0a8dc102229ae0af5901d3d9b81f6f9a086a712f08d589f8d2b366a
savant31FR.txt
Posted Feb 25, 2005
Authored by Mati Aharoni, Tal Zeltzer

Savant Web Server version 3.1 remote buffer overflow exploit with French Windows support.

tags | exploit, remote, web, overflow
systems | windows
SHA-256 | 89050effe3dcbd193a8864b77cdcb028ed19a86e32efeeaa53483bd62f985f61
Page 1 of 2
Back12Next

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close