what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 18 of 18 RSS Feed

Files from Nicolas Gregoire

Email addressngregoire at exaprobe.com
First Active2004-12-12
Last Active2015-12-17
PyAMF 0.7.2 XXE Injection
Posted Dec 17, 2015
Authored by Nicolas Gregoire, Open Source CERT

PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges. Versions 0.7.2 and below are affected.

tags | advisory, denial of service, xxe
advisories | CVE-2015-8549
SHA-256 | 939e9f52f635c72d8bc7877b8213d3c23d28d84296a37c4314ff4368f14040f1
IPy Blacklist Bypass
Posted Oct 16, 2014
Authored by Nicolas Gregoire

IPy suffers from a blacklist bypass vulnerability.

tags | exploit, bypass
SHA-256 | 52330e16a8c0db217b73de740ed229579f3d9b070a700c148046face2ef36557
Xalan-Java 2.7.0 Insufficient Secure Processing
Posted Mar 25, 2014
Authored by Andrea Barisani, Nicolas Gregoire, Open Source CERT

The Xalan-Java library is a popular XSLT processor from the Apache Software Foundation. The library implements the Java API for XML Processing (JAXP) which supports a secure processing feature for interpretive and XSLCT processors. The intent of this feature is to limit XSLT/XML processing behaviours to "make the XSLT processor behave in a secure fashion". It has been discovered that the secure processing features suffers from several limitations that undermine its purpose. Versions 2.7.0 and above are affected.

tags | advisory, java
advisories | CVE-2014-0107
SHA-256 | 2661a94be4bbc4822c2a0c9ff839ec7aafe7ef60fc89113bfb792b62e32262d9
Apache Solr XXE Injection / Directory Traversal
Posted Dec 9, 2013
Authored by Nicolas Gregoire

Apache Solr recently patched multiple XXE injection vulnerabilities and a directory traversal vulnerability.

tags | advisory, vulnerability, file inclusion, xxe
advisories | CVE-2013-6397, CVE-2013-6407, CVE-2013-6408
SHA-256 | 283241697730163df45a2dba0aa6828858f6868f3b33129bdabe8c4bbf74fba4
Burp Suite Pro Real-Life Tips And Tricks
Posted Jun 23, 2013
Authored by Nicolas Gregoire

These are the presentation slides given at Hack in Paris 2013 giving tips and tricks for using Burp Suite Pro.

tags | paper
SHA-256 | 6eb93e4f370bae913fe79dd342c4f800b20b1c02177cbc5a77b10acdf66ce7e3
HP StorageWorks P4000 Virtual SAN Appliance Command Execution
Posted May 22, 2012
Authored by Nicolas Gregoire, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.

tags | exploit, arbitrary
SHA-256 | 1f354fd80321e3a8c75c32db994ccf7fbd51de54814d94d9641e5bfccae9d6f6
Squiggle 1.7 SVG Browser Java Code Execution
Posted May 18, 2012
Authored by Nicolas Gregoire, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted svg file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The "Enforce secure scripting" check must be disabled. The module has been tested against Windows and Linux platforms.

tags | exploit, java, arbitrary, code execution
systems | linux, windows
SHA-256 | 24c7b9f43ad4bc7ab845971e498435dbb71b35eb0f5542e9973eab4ad82fb513
HP VSA Command Execution
Posted May 18, 2012
Authored by Nicolas Gregoire

HP VSA remote command execution exploit.

tags | exploit, remote
SHA-256 | e2634c82bf61b7660279ef87efb9959dc4f17ce4f09dbbb9b22dc962a374b58e
SVG Java Execution Trigger
Posted May 15, 2012
Authored by Nicolas Gregoire

Some SVG specifications, like SVG 1.1 and SVG tiny 1.2, allow Java code execution when the file is opened. Proof of concept code included.

tags | exploit, java, code execution, proof of concept
systems | linux
SHA-256 | d11b15fccafdf18190f23d0b7a7f20f25dfc6fada15ef8cba05227b1c2721da0
Liferay XSL Command Execution
Posted Apr 7, 2012
Authored by Nicolas Gregoire, Spencer McIntyre | Site metasploit.com

This Metasploit module exploits a vulnerability in the XSL parser of the XSL Content Portlet. When Tomcat is present, arbitrary code can be executed via java calls in the data fed to the Xalan XSLT processor. If XSLPAGE is defined, the user must have rights to change the content of that page (to add a new XSL portlet), otherwise it can be left blank and a new one will be created. The second method however, requires administrative privileges.

tags | exploit, java, arbitrary
advisories | CVE-2011-1571, OSVDB-73652
SHA-256 | 7495092f0f3708dd15dbc023f72927b1df95d3321e5d2ee8abfac8bf7f05f086
Traceroute-Like HTTP Scanner
Posted Nov 21, 2011
Authored by Nicolas Gregoire

This is a python script that uses the Max-Forwards header in HTTP and SIP to perform a traceroute-like scanning functionality.

tags | tool, web, scanner, python
systems | unix
SHA-256 | 5e42c04c9cc710f988a0f3080b9bf3da5742497a0cc702712f9040b3b4444404
Apple Safari Webkit libxslt Arbitrary File Creation
Posted Oct 18, 2011
Authored by Nicolas Gregoire | Site metasploit.com

This Metasploit module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of a XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This Metasploit module has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then upload a MOF file, which enables Windows Management Instrumentation service to execute the VBS.

tags | exploit, remote, arbitrary, code execution
systems | windows
advisories | CVE-2011-1774, OSVDB-74017
SHA-256 | c3cc069840b33d66dc0f5eb936fd86d7c0e81a9ca3077cb540669d0523d716eb
SharePoint 2007 / 2010 And DotNetNuke File Disclosure
Posted Sep 21, 2011
Authored by Nicolas Gregoire

SharePoint 2007 / 2010 and DotNetNuke versions prior to 6 suffer from a file disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2011-1892
SHA-256 | 8374996d630a396dfa8c66032e2d7425570f3f5bcac4ab501cc5cc12f9a4a0fd
SLP (Service Location Protocol) Denial Of Service
Posted Jul 26, 2011
Authored by Nicolas Gregoire

SLP (Service Location Protocol) remote denial of service proof of concept exploit that can trigger the condition via unicast, broadcast, or multicast.

tags | exploit, remote, denial of service, protocol, proof of concept
advisories | CVE-2010-3609
SHA-256 | c9ad95fc494bae9d2eb2c0be708f1ac0e9a1c10697cc75ee4e041e68f87945b2
SBLIM SFCB Pre-Auth Remote Integer / Heap Overflows
Posted Jun 3, 2010
Authored by Nicolas Gregoire

SBLIM SFCB versions up to 1.3.7 suffer from pre-auth remote integer and heap overflow vulnerabilities.

tags | advisory, remote, overflow, vulnerability
advisories | CVE-2010-1937, CVE-2010-2054
SHA-256 | 42a0184386c97d12e4c2ad22e97d99cd9c594992d99abe06d01433004567fb5f
Barracuda IMG.PL Remote Command Execution
Posted Oct 30, 2009
Authored by Nicolas Gregoire

This Metasploit module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.

tags | exploit, arbitrary
advisories | CVE-2005-2847
SHA-256 | 98f68f02962b87f0c2a1221f7accf276203796571faa6c22c97dc9329849ad36
Posted Dec 30, 2004
Authored by Nicolas Gregoire | Site exaprobe.com

phpMyAdmin versions prior to 2.6.1-rc1 suffer from command execution and file disclosure vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2004-1147, CVE-2004-1148
SHA-256 | 8c02984588af24414345fa396fdc8e625f4669598c3f3c57ac6388d30d94e921
Exaprobe Security Advisory 2004-12-06
Posted Dec 12, 2004
Authored by Nicolas Gregoire, Exaprobe | Site exaprobe.com

Exaprobe Security Advisory - The w3who.dll in Windows 2000 is susceptible to multiple cross site scripting attacks and a buffer overflow.

tags | advisory, overflow, xss
systems | windows
advisories | CVE-2004-1133, CVE-2004-1134
SHA-256 | 8ece849689003d2f57457e84d45b0e4e644b9bb92da86652b968cbe2ed278a03
Page 1 of 1

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By