exploit the possibilities
Showing 1 - 18 of 18 RSS Feed

Files from Nicolas Gregoire

Email addressngregoire at exaprobe.com
First Active2004-12-12
Last Active2015-12-17
PyAMF 0.7.2 XXE Injection
Posted Dec 17, 2015
Authored by Nicolas Gregoire, Open Source CERT

PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges. Versions 0.7.2 and below are affected.

tags | advisory, denial of service, xxe
advisories | CVE-2015-8549
MD5 | d27e2dac83345eabf472e84ed7130b4a
IPy Blacklist Bypass
Posted Oct 16, 2014
Authored by Nicolas Gregoire

IPy suffers from a blacklist bypass vulnerability.

tags | exploit, bypass
MD5 | 13ca9eab3b6159c0a1ab64e3aee39e3e
Xalan-Java 2.7.0 Insufficient Secure Processing
Posted Mar 25, 2014
Authored by Andrea Barisani, Nicolas Gregoire, Open Source CERT

The Xalan-Java library is a popular XSLT processor from the Apache Software Foundation. The library implements the Java API for XML Processing (JAXP) which supports a secure processing feature for interpretive and XSLCT processors. The intent of this feature is to limit XSLT/XML processing behaviours to "make the XSLT processor behave in a secure fashion". It has been discovered that the secure processing features suffers from several limitations that undermine its purpose. Versions 2.7.0 and above are affected.

tags | advisory, java
advisories | CVE-2014-0107
MD5 | d274ff5f63281d441f0f9514f291ddb7
Apache Solr XXE Injection / Directory Traversal
Posted Dec 9, 2013
Authored by Nicolas Gregoire

Apache Solr recently patched multiple XXE injection vulnerabilities and a directory traversal vulnerability.

tags | advisory, vulnerability, file inclusion, xxe
advisories | CVE-2013-6397, CVE-2013-6407, CVE-2013-6408
MD5 | 28b6042779b71f876b8300ed763a4710
Burp Suite Pro Real-Life Tips And Tricks
Posted Jun 23, 2013
Authored by Nicolas Gregoire

These are the presentation slides given at Hack in Paris 2013 giving tips and tricks for using Burp Suite Pro.

tags | paper
MD5 | 3185451419d91e88729d68dba756ab09
HP StorageWorks P4000 Virtual SAN Appliance Command Execution
Posted May 22, 2012
Authored by Nicolas Gregoire, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.

tags | exploit, arbitrary
MD5 | 805aa9b54275410ba2172135738fec35
Squiggle 1.7 SVG Browser Java Code Execution
Posted May 18, 2012
Authored by Nicolas Gregoire, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted svg file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The "Enforce secure scripting" check must be disabled. The module has been tested against Windows and Linux platforms.

tags | exploit, java, arbitrary, code execution
systems | linux, windows
MD5 | 2c8371ebf9277f065c37c6f9a57a0aa1
HP VSA Command Execution
Posted May 18, 2012
Authored by Nicolas Gregoire

HP VSA remote command execution exploit.

tags | exploit, remote
MD5 | 569ace67aa28a559c95f0ea2dcf7e73c
SVG Java Execution Trigger
Posted May 15, 2012
Authored by Nicolas Gregoire

Some SVG specifications, like SVG 1.1 and SVG tiny 1.2, allow Java code execution when the file is opened. Proof of concept code included.

tags | exploit, java, code execution, proof of concept
systems | linux
MD5 | 14de63077e55a7c29ecb567ff57d0d25
Liferay XSL Command Execution
Posted Apr 7, 2012
Authored by Nicolas Gregoire, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the XSL parser of the XSL Content Portlet. When Tomcat is present, arbitrary code can be executed via java calls in the data fed to the Xalan XSLT processor. If XSLPAGE is defined, the user must have rights to change the content of that page (to add a new XSL portlet), otherwise it can be left blank and a new one will be created. The second method however, requires administrative privileges.

tags | exploit, java, arbitrary
advisories | CVE-2011-1571, OSVDB-73652
MD5 | 6a8ea2e6b7c50e4cc43ad8970fee954e
Traceroute-Like HTTP Scanner
Posted Nov 21, 2011
Authored by Nicolas Gregoire

This is a python script that uses the Max-Forwards header in HTTP and SIP to perform a traceroute-like scanning functionality.

tags | tool, web, scanner, python
systems | unix
MD5 | ae56d53ec6967cafda77f5544aeaabba
Apple Safari Webkit libxslt Arbitrary File Creation
Posted Oct 18, 2011
Authored by Nicolas Gregoire | Site metasploit.com

This Metasploit module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This Metasploit module has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then upload a MOF file, which enables Windows Management Instrumentation service to execute the VBS.

tags | exploit, remote, arbitrary, code execution
systems | windows
advisories | CVE-2011-1774, OSVDB-74017
MD5 | f0f60d7d29a3200a4856dadf181df880
SharePoint 2007 / 2010 And DotNetNuke File Disclosure
Posted Sep 21, 2011
Authored by Nicolas Gregoire

SharePoint 2007 / 2010 and DotNetNuke versions prior to 6 suffer from a file disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2011-1892
MD5 | 6a326646b36ed624b8f7d616a21f8a63
SLP (Service Location Protocol) Denial Of Service
Posted Jul 26, 2011
Authored by Nicolas Gregoire

SLP (Service Location Protocol) remote denial of service proof of concept exploit that can trigger the condition via unicast, broadcast, or multicast.

tags | exploit, remote, denial of service, protocol, proof of concept
advisories | CVE-2010-3609
MD5 | bb6addc3734f7da3292f2e465fe17046
SBLIM SFCB Pre-Auth Remote Integer / Heap Overflows
Posted Jun 3, 2010
Authored by Nicolas Gregoire

SBLIM SFCB versions up to 1.3.7 suffer from pre-auth remote integer and heap overflow vulnerabilities.

tags | advisory, remote, overflow, vulnerability
advisories | CVE-2010-1937, CVE-2010-2054
MD5 | 409c0c8d8c0567ad93eb7ca689cf24e8
Barracuda IMG.PL Remote Command Execution
Posted Oct 30, 2009
Authored by Nicolas Gregoire

This Metasploit module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.

tags | exploit, arbitrary
advisories | CVE-2005-2847
MD5 | e19faa53d1b2d356c59201c2cddaf94a
Posted Dec 30, 2004
Authored by Nicolas Gregoire | Site exaprobe.com

phpMyAdmin versions prior to 2.6.1-rc1 suffer from command execution and file disclosure vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2004-1147, CVE-2004-1148
MD5 | d276543b1c17e03eb47b583955c9ef8f
Exaprobe Security Advisory 2004-12-06
Posted Dec 12, 2004
Authored by Nicolas Gregoire, Exaprobe | Site exaprobe.com

Exaprobe Security Advisory - The w3who.dll in Windows 2000 is susceptible to multiple cross site scripting attacks and a buffer overflow.

tags | advisory, overflow, xss
systems | windows, 2k
advisories | CVE-2004-1133, CVE-2004-1134
MD5 | c39fa17ccdf03bb2ab44699a7d527492
Page 1 of 1

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By