
Files from Craig Heffner

Email address: craig at craigheffner.com
First Active: 2005-09-23
Last Active: 2015-06-01
D-Link Devices HNAP SOAPAction-Header Command Execution
Posted Jun 1, 2015
Authored by Craig Heffner, Samuel Huntley | Site metasploit.com

Several D-Link routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR.

tags | exploit
MD5 | 3441fbd8c1fcc5a225cc156757ccb483
D-Link Devices UPnP SOAPAction-Header Command Execution
Posted May 29, 2015
Authored by Craig Heffner, Samuel Huntley | Site metasploit.com

Several D-Link routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR.

tags | exploit
MD5 | 9120bc404ccb10c6abc177860b52fe17
D-Link info.cgi POST Request Buffer Overflow
Posted Jul 11, 2014
Authored by Craig Heffner | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link devices. The vulnerability is a stack-based buffer overflow in the my_cgi.cgi component when handling specially crafted HTTP POST requests addressed to the /common/info.cgi handler. This Metasploit module has been successfully tested on a D-Link DSP-W215 in an emulated environment.

tags | exploit, remote, web, overflow, cgi, code execution
MD5 | 6536bc2c5fe1aa932ecb74dca292aac3
D-Link HNAP Request Remote Buffer Overflow
Posted Jul 11, 2014
Authored by Craig Heffner | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link devices. The vulnerability is a stack-based buffer overflow in the handling of malicious HTTP POST requests addressed to the HNAP handler. This Metasploit module has been successfully tested on a D-Link DIR-505 in an emulated environment.

tags | exploit, remote, web, overflow, code execution
advisories | CVE-2014-3936
MD5 | 27690b7b0e20b8d8e44f2d6a42ccbd96
D-Link authentication.cgi Buffer Overflow
Posted Jun 24, 2014
Authored by Craig Heffner, Roberto Paleari | Site metasploit.com

This Metasploit module exploits a remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to authentication.cgi with long password values, and it can be exploited without authentication. This Metasploit module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmware versions, such as DIR865LA1_FW101b06 and DIR845LA1_FW100b20, are also vulnerable.

tags | exploit, remote, web, overflow, cgi
advisories | OSVDB-95951
MD5 | e86843e76fd74450b6a58bebe5f22c7f
D-Link hedwig.cgi Buffer Overflow in Cookie Header
Posted Jun 24, 2014
Authored by Craig Heffner, Roberto Paleari | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to hedwig.cgi with long cookie values. This Metasploit module has been tested successfully on D-Link DIR300 v2.14, DIR600 and the DIR645A1_FW103B11 firmware.

tags | exploit, remote, web, cgi, code execution
advisories | OSVDB-95950
MD5 | f42a41ed103516610ddf009f7f6aba79
WRT120N 1.0.0.7 Stack Overflow
Posted Feb 20, 2014
Authored by Craig Heffner

WRT120N version 1.0.0.7 stack overflow exploit that clears the admin password.

tags | exploit, overflow
MD5 | 6fc4c70e2261e1d8caee7ac0a799ed98
D-Link DIR-605L Captcha Handling Buffer Overflow
Posted Oct 22, 2013
Authored by Craig Heffner, juan vazquez | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on D-Link DIR-605L routers. The vulnerability exists in the handling of user-supplied captcha information and is due to the insecure use of sprintf in the getAuthCode() function. This Metasploit module has been tested successfully on D-Link DIR-605L firmware 1.13 under a QEMU environment.

tags | exploit, remote, code execution
advisories | OSVDB-86824
MD5 | 0547694f381c1caecddb6f60063679db
Reaver-WPS 1.1
Posted Dec 30, 2011
Authored by Craig Heffner | Site code.google.com

Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.

Changes: Fixed getopt bug in x64. Fixed association failure bug.
tags | tool, wireless
systems | unix
MD5 | e073021df56b2e6499f8c894564805eb
Reaver-WPS 1.0
Posted Dec 29, 2011
Authored by Craig Heffner | Site code.google.com

Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.

tags | tool, wireless
systems | unix
MD5 | 7c22180fac128f898c68a8c6b18796f1
DD-WRT 24-preSP2 Information Disclosure
Posted Dec 27, 2010
Authored by Craig Heffner | Site devttys0.com

Remote attackers can obtain sensitive information about a DD-WRT router and its internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate geolocation. The issue is exploitable even if remote administration is disabled. Version 24-preSP2 is affected.

tags | exploit, remote, info disclosure
MD5 | f578fa34e93c6d161f93ffda8f027233
D-Link WBR-1310 Authentication Bypass
Posted Dec 23, 2010
Authored by Craig Heffner | Site devttys0.com

The D-Link WBR-1310 suffers from a direct-access authentication bypass vulnerability that can also be exploited via cross-site request forgery, even if remote administration is disabled.

tags | exploit, remote, bypass, csrf
MD5 | 41ecf5385d6c8dde407a5a19f330a84f
DIR-615 Privilege Escalation
Posted Dec 5, 2010
Authored by Craig Heffner | Site devttys0.com

This file provides a detailed description of a privilege escalation vulnerability that has been confirmed to affect the DIR-615 revD router running firmware version 4.11.

tags | advisory
MD5 | 6055ee70d3d25a676d82d2f4c845194a
D-Link Router Authentication Bypass
Posted Dec 3, 2010
Authored by Craig Heffner | Site devttys0.com

D-Link routers such as the DIR-615 revD, DIR-320 and DIR-300 all suffer from multiple remote authentication bypass vulnerabilities.

tags | exploit, remote, vulnerability
MD5 | 1ff0a8ee52d8919c993fbb2e173fd2f4
miranda.tar.gz
Posted Nov 8, 2008
Authored by Craig Heffner | Site sourcesec.com

Miranda is a Python-based Universal Plug and Play client application designed to discover, query and interact with UPnP devices, particularly Internet Gateway Devices (i.e., routers). It can be used to audit UPnP-enabled devices on a network for possible vulnerabilities.

tags | tool, scanner, vulnerability, python
systems | unix
MD5 | 7a918e216859c92bc47dec41ced50092
intercept_apis_dll_redirection.pdf
Posted Nov 6, 2006
Authored by Craig Heffner | Site craigheffner.com

Short whitepaper discussing API hooking/interception via DLL redirection.

tags | paper
MD5 | 4e78af66fd03f49d6878ac5a06b14467
httprox.txt
Posted Oct 14, 2006
Authored by Craig Heffner | Site craigheffner.com

Httprox is a Perl-based HTTP proxy that modifies or adds an HTTP header for all outgoing HTTP traffic. It can handle multiple connections and is useful for web application penetration testing, such as modifying the Cookie, User-Agent and Referer fields, or adding HTTP headers that would normally not be present.

tags | web, perl
MD5 | e10a97075e3d43e3d85baada44328db1
RCE_PDF.zip
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

This paper is intended as an introduction to reverse engineering for someone with no prior experience of the subject.

tags | paper
MD5 | d0323f4d500864e2a4fd71e1607fc5a1
Taking_Back_Netcat.pdf
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

While there are some easy ways of changing the antivirus signature of a program (packers, encryptors, etc.), they may not always be viable options for those wishing to bypass antivirus applications. This paper shows how to locate the signature used to identify Netcat and modify it so that the executable no longer matches Symantec's AV signature, without interfering with any of the program's functionality. This is an exercise in identifying and modifying the sections of code (i.e., signatures) that antivirus programs use to identify malicious code; the tools and techniques used here can be applied to any program that is flagged as malicious by AV applications.

tags | paper, virus
MD5 | 595c987f017f5351e9fbd2d609a5acc0
stacksmash.txt
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

Modern whitepaper along the lines of 'Smashing The Stack For Fun And Profit' that also takes into account how the GNU C compiler has evolved since 1998.

tags | paper
MD5 | 4a7b8193e8080f8b199753921c2eaa78
win_mod.zip
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

This multi-part tutorial presents several ways to add functionality to closed-source Windows executables through DLLs, PE header modification, and good old assembly code. Adding code to existing code caves, modifying PE headers to create code caves and/or import DLL functions, adding backdoors to programs, and adding plugin support to closed-source programs are all covered.

tags | paper
systems | windows
MD5 | 12b2cdafaf8a4dc8244d3cd2859947c7
wesley-fixed.tar.gz
Posted Aug 27, 2006
Authored by Craig Heffner

Wesley is a fake DHCP server that implements various features such as invisible redirection of connections and MAC filtering, for singling out a specific host or for not replying to DHCP requests from security scanners.

Changes: Fixed a segmentation fault.
systems | unix
MD5 | 175affe3badc4ac0935af6d5f9f1cd5d
sec_cloak.zip
Posted Mar 9, 2006
Authored by Craig Heffner | Site craigheffner.com

Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via the timestamp and window options by modifying the relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners was not identical to that reported by p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after the Security Cloak settings had been applied.

tags | registry, tcp
MD5 | 71270c9f80595377033308ee642d084d
wesley.tar.gz
Posted Nov 30, 2005
Authored by Craig Heffner

Wesley is a fake DHCP server that implements various features such as invisible redirection of connections and MAC filtering, for singling out a specific host or for not replying to DHCP requests from security scanners.

systems | unix
MD5 | c6f5d8c96c60ada2efdcd4f00a4ceca2
wlan_webauth.txt
Posted Sep 27, 2005
Authored by Craig Heffner

This is a quick script to redirect a wireless client to a fake login page for a WLAN. This is much stealthier than setting up a rogue AP in conjunction with layer 1/2 attacks against the WAP. It uses tethereal to listen for IP addresses being assigned to a new wireless client via DHCP, then runs dnsa-ng to redirect DNS queries from the new client to the specified IP.

tags | tool, wireless
MD5 | 50dfde5d23deac368489c5cfb63291a2
Packet Storm

© 2016 Packet Storm. All rights reserved.