what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 26 RSS Feed

Files from Craig Heffner

Email addresscraig at craigheffner.com
First Active2005-09-23
Last Active2015-06-01
D-Link Devices HNAP SOAPAction-Header Command Execution
Posted Jun 1, 2015
Authored by Craig Heffner, Samuel Huntley | Site metasploit.com

Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR

tags | exploit
SHA-256 | fc44a93eba283e1584275d9596c2494164e66d54813e74e0886f302958943e2e
D-Link Devices UPnP SOAPAction-Header Command Execution
Posted May 29, 2015
Authored by Craig Heffner, Samuel Huntley | Site metasploit.com

Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR

tags | exploit
SHA-256 | e20ef0dd89ff88caf92c753721ba8454b95e56f6cc1668c930745008c71c7246
D-Link info.cgi POST Request Buffer Overflow
Posted Jul 11, 2014
Authored by Craig Heffner | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component, when handling specially crafted POST HTTP requests addresses to the /common/info.cgi handler. This Metasploit module has been successfully tested on D-Link DSP-W215 in an emulated environment.

tags | exploit, remote, web, overflow, cgi, code execution
SHA-256 | 43736a283718e26edea62c6eac8d7fee90f2153854e5ba828b05e5d93aada113
D-Link HNAP Request Remote Buffer Overflow
Posted Jul 11, 2014
Authored by Craig Heffner | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to an stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This Metasploit module has been successfully tested on D-Link DIR-505 in an emulated environment.

tags | exploit, remote, web, overflow, code execution
advisories | CVE-2014-3936
SHA-256 | d5c1234114f0d3f1eea91c96527721cb48a9b2b6cddece427779fb9fdccd3e20
D-Link authentication.cgi Buffer Overflow
Posted Jun 24, 2014
Authored by Craig Heffner, Roberto Paleari | Site metasploit.com

This Metasploit module exploits an remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the authentication.cgi with long password values. The vulnerability can be exploitable without authentication. This Metasploit module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.

tags | exploit, remote, web, overflow, cgi
advisories | OSVDB-95951
SHA-256 | 450e0c17e9ed8a5889f1222fd8943a072ac89cff24fdb5117836d675f119995d
D-Link hedwig.cgi Buffer Overflow in Cookie Header
Posted Jun 24, 2014
Authored by Craig Heffner, Roberto Paleari | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with long value cookies. This Metasploit module has been tested successfully on D-Link DIR300v2.14, DIR600 and the DIR645A1_FW103B11 firmware.

tags | exploit, remote, web, cgi, code execution
advisories | OSVDB-95950
SHA-256 | 34fd8be52c6556ed2de772a2ee3aff9ac71be9f460f14eb17c88ae1909383dd4
WRT120N 1.0.0.7 Stack Overflow
Posted Feb 20, 2014
Authored by Craig Heffner

WRT120N version 1.0.0.7 stack overflow exploit which clears the admin password.

tags | exploit, overflow
SHA-256 | e1aa2a251a9986b0b7cc00e00e274da9c8e78a9cfc2a13541756864a4b3830d7
D-Link DIR-605L Captcha Handling Buffer Overflow
Posted Oct 22, 2013
Authored by Craig Heffner, juan vazquez | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution on D-Link DIR-605L routers. The vulnerability exists while handling user supplied captcha information, and is due to the insecure usage of sprintf on the getAuthCode() function. This Metasploit module has been tested successfully on DLink DIR-605L Firmware 1.13 under a QEMU environment.

tags | exploit, remote, code execution
advisories | OSVDB-86824
SHA-256 | 0a2625495d220d8e34aeaeab3b030e38d5c3d8c061e96a0d097c1527e36f1458
Reaver-WPS 1.1
Posted Dec 30, 2011
Authored by Craig Heffner | Site code.google.com

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Changes: Fixed getopt bug in x64. Fixed association failure bug.
tags | tool, wireless
systems | unix
SHA-256 | eb0ab404a41e58a9c8d3dbaf9f79b310c14ffa514716f7e578dd2ae6d3777aad
Reaver-WPS 1.0
Posted Dec 29, 2011
Authored by Craig Heffner | Site code.google.com

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

tags | tool, wireless
systems | unix
SHA-256 | ded5b9b2c8f52c1ee9a2ccae0a4957eee5c2a8acbd45a13ae2480551c9a9a525
DD-WRT 24-preSP2 Information Disclosure
Posted Dec 27, 2010
Authored by Craig Heffner | Site devttys0.com

Remote attackers can gain sensitive information about a DD-WRT router and internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate geolocation. This is exploitable even if remote administration is disabled. Version 24-preSP2 is affected.

tags | exploit, remote, info disclosure
SHA-256 | 7102053c920ae264843dc40d0a21522a645ecbba49d6f4df097245cfdadc92f8
D-Link WBR-1310 Authentication Bypass
Posted Dec 23, 2010
Authored by Craig Heffner | Site devttys0.com

The D-Link WBR-1310 suffers from a direct access authentication bypass vulnerability that can also be exploited by cross site request forgery even if remote administration is disabled.

tags | exploit, remote, bypass, csrf
SHA-256 | c8c2e3b11bddb617e900bf397c0b626d6f2c53ce614c6501340229ba39656a76
DIR-615 Privilege Escalation
Posted Dec 5, 2010
Authored by Craig Heffner | Site devttys0.com

This file provides a detailed description of a privilege escalation vulnerability that has been confirmed to affect the DIR-615 revD router running firmware version 4.11.

tags | advisory
SHA-256 | a160c910db3449d12d52aa5b71001bba6e2a99708a556a84bf479eddf5694cb0
D-Link Router Authentication Bypass
Posted Dec 3, 2010
Authored by Craig Heffner | Site devttys0.com

D-Link routers such as the DIR-615 revD, DIR-320 and DIR-300 all suffer from multiple remote authentication bypass vulnerabilities.

tags | exploit, remote, vulnerability
SHA-256 | f1a9231c26177ad1738cc646517d63f8730f5f15148496f3064ab23103362ee0
miranda.tar.gz
Posted Nov 8, 2008
Authored by Craig Heffner | Site sourcesec.com

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities.

tags | tool, scanner, vulnerability, python
systems | unix
SHA-256 | d14d0b979b115a202bce72bdcfd7fc749f57546b53bf094e2e1119c7c9a8c158
intercept_apis_dll_redirection.pdf
Posted Nov 6, 2006
Authored by Craig Heffner | Site craigheffner.com

Short whitepaper discussing API hooking/interception via DLL redirection.

tags | paper
SHA-256 | 4f3b2999eaf8674d18053e9c19ddc2690f09ca07ac557ea9d739cbee813c6366
httprox.txt
Posted Oct 14, 2006
Authored by Craig Heffner | Site craigheffner.com

Httprox is a perl-based HTTP proxy that modifies or adds an HTTP header for all outgoing HTTP traffic. It can handle multiple connections and is useful for Web-application penetration testing, such as modification of the Cookie, User-Agent and Referrer fields, or adding HTTP headers that would normally not be present.

tags | web, perl
SHA-256 | a32745a7befd14b31c9a2fb9978860e1cf22eedc93cd7213171a414c7df53eac
RCE_PDF.zip
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

This paper is intended as an introduction to reverse engineering for someone who has no experience on the subject.

tags | paper
SHA-256 | b8caadda8d6c36dbf640925de6b437af651606ace7a3d4487b29fdb6cce2cd18
Taking_Back_Netcat.pdf
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

While there are some easy ways of changing the antivirus signature of a program (packers, encryptors, etc), they may not always be viable options for those wishing to bypass antivirus applications. This paper will show how to locate the signature used to identify Netcat, and modify it so that the executable no longer matches Symantec's AV signature, without interfering with any of the program's functionality. This is an exercise in identifying and modifying sections of code (aka, signatures) that are used by antivirus programs to identify malicious code; the tools and techniques used here can be applied to any program that is marked as malicious by AV applications.

tags | paper, virus
SHA-256 | acfa9cdef5c30cd4848dccab719ac832c6ce65cf0aae70ef4dc41ad12ea37fd7
stacksmash.txt
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

Modern whitepaper that is along the lines of 'Smashing The Stack For Fun And Profit' that also takes into account how the GNU C compiler has evolved since 1998.

tags | paper
SHA-256 | 3972ef78d5d378100d75cd0552c59ce31b25e4c886950965b6f1767fe95d3880
win_mod.zip
Posted Sep 7, 2006
Authored by Craig Heffner | Site craigheffner.com

This multi-part tutorial will present several ways in which you can add functionality to closed source Windows executables through DLLs, PE header modification, and good old assembly code. Adding code to existing code caves, modifying PE headers to create code caves and/or importing DLL functions, adding backdoors to programs, and adding plugin support to closed-source programs are all covered.

tags | paper
systems | windows
SHA-256 | addfbf9225a75334eb73fe19aa2b943d801118f73553f9dc431330aa37f87327
wesley-fixed.tar.gz
Posted Aug 27, 2006
Authored by Craig Heffner

Wesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.

Changes: Fixed a segmentation fault.
systems | unix
SHA-256 | c4e69c01df48f32cae5b7ddcc7ffe8d28a867fdcc1d5ea4244ff74b7a234eb78
sec_cloak.zip
Posted Mar 9, 2006
Authored by Craig Heffner | Site craigheffner.com

Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.

tags | registry, tcp
SHA-256 | 66e4dab7b1c77acc36e113c187db43fce3b3e2841a33f0be05bdce710d59e95b
wesley.tar.gz
Posted Nov 30, 2005
Authored by Craig Heffner

Wesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.

systems | unix
SHA-256 | 4141b12cdfa4abc4b138353a5f8f09ad7ae2721a53d307cfb78905670c2d665c
wlan_webauth.txt
Posted Sep 27, 2005
Authored by Craig Heffner

This is a quick script to redirect a wireless client to a fake a login page for a WLAN. This is much stealthier than implementing a rouge AP in conjunction with layer 1/2 attacks against the WAP. It uses tethereal to listen for IP addresses being assigned to a new wireless client via DHCP, then runs dnsa-ng to redirect DNS queries from the new client to the specified IP.

tags | tool, wireless
SHA-256 | 17b5108909bf86dbdef1d4982b0cebc5b7051fe0b86c0c2f0fafbd25ace69bbd
Page 1 of 2
Back12Next

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close