Showing 1 - 25 of 61

Files from Ruben Santamarta

Email address: ruben at reversemode.com
First Active: 2006-02-02
Last Active: 2013-06-23
Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation
Posted Jun 23, 2013
Authored by Ruben Santamarta, juan vazquez | Site metasploit.com

This Metasploit module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute arbitrary code when NtQueryIntervalProfile is called. The module has been tested successfully on Windows XP SP3 with Novell Client 4.91 SP4.

tags | exploit, arbitrary, kernel
systems | windows, xp
advisories | OSVDB-46578
MD5 | 1d2d33a6125fc4b11802e1bb7a9ae2cd
SCADA Trojans: Attacking The Grid
Posted Mar 23, 2011
Authored by Ruben Santamarta | Site reversemode.com

Presentation slides from "SCADA Trojans: Attacking the Grid" as it was presented at RootedCon'11 in Madrid.

tags | paper, trojan
MD5 | 03bf99a42d0af2409634999d4ede25df
Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC Party Exploit
Posted Mar 23, 2011
Authored by Ruben Santamarta | Site reversemode.com

Advantec/BroadWin SCADA WebAccess 7.0 Network Service RPC party exploit that demonstrates the leaking of a security code and remote command execution.

tags | exploit, remote
MD5 | a4a920ce14e86e68e5a38f81ebed215f
Win32k Keyboard Layout Vulnerability
Posted Jan 13, 2011
Authored by Ruben Santamarta

Demonstration code for the Win32k Keyboard Layout vulnerability as described in MS10-073.

tags | exploit
advisories | CVE-2010-2743
MD5 | f1e986e144d55f6411679f832c025620
MOXA Device Manager Tool 2.1 Buffer Overflow
Posted Nov 8, 2010
Authored by Ruben Santamarta, MC | Site metasploit.com

This Metasploit module exploits a stack overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.

tags | exploit, overflow, arbitrary
MD5 | 68671664e061aaddf6fca682ec028a87
Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
Posted Aug 30, 2010
Authored by Ruben Santamarta, jduck | Site metasploit.com

This Metasploit module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This Metasploit module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

tags | exploit, arbitrary, code execution, activex
systems | windows, apple
advisories | CVE-2010-1818
MD5 | 7ad044f928efe468c6ea9c5cb5d51a74
Apple QuickTime _Marshaled_pUnk Backdoor Parameter Code Execution
Posted Aug 30, 2010
Authored by Ruben Santamarta | Site reversemode.com

Apple QuickTime suffers from a "_Marshaled_pUnk" backdoor parameter client-side arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution
systems | apple
MD5 | e93ace586ff41f998cf0bacbb39e6d88
Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList Memory Leak
Posted Jul 1, 2010
Authored by Ruben Santamarta | Site reversemode.com

Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList proof of concept memory leak exploit.

tags | exploit, proof of concept, memory leak
MD5 | 9c22da9d51da460666f5003cf146ec03
Consona Cross Site Scripting / Code Execution / Buffer Overflow
Posted May 8, 2010
Authored by Ruben Santamarta | Site wintercore.com

Consona products use a proprietary ActiveX site-lock mechanism that can be defeated through XSS attacks. Once an attacker can inject arbitrary JS code within the context of an allowed domain, unsafe methods can be invoked to download and execute arbitrary binaries. A local privilege escalation flaw discovered in Consona's Repair Service can be used to bypass IE8 Protected Mode, thus gaining SYSTEM privileges.

tags | advisory, arbitrary, local, activex
MD5 | fc7e35986eaf8367ccb3508e1a2dd010
JAVA Web Start Arbitrary Command-Line Injection
Posted Apr 9, 2010
Authored by Ruben Santamarta | Site reversemode.com

JAVA Web Start suffers from an arbitrary command-line injection vulnerability.

tags | exploit, java, web, arbitrary
MD5 | 45abd8f02c35aa152d8e879ad2a15203
HMS HICP Modification / Intellicom NetBiterConfing.exe Stack Overflow
Posted Dec 15, 2009
Authored by Ruben Santamarta | Site reversemode.com

This advisory documents vulnerabilities in the HMS HICP protocol as well as an Intellicom NetBiterConfing.exe remote stack overflow vulnerability. Proof of concept code included.

tags | exploit, remote, overflow, vulnerability, protocol, proof of concept
MD5 | 84f74d2ec52cd79c8d5e11a07868b61e
Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
Posted Nov 26, 2009
Authored by Ruben Santamarta, MC | Site metasploit.com

This Metasploit module exploits a stack overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted.

tags | exploit, overflow, arbitrary
advisories | CVE-2009-1350
MD5 | d6e6600af22fbaa6a1eb6e5af2edc05f
iDEFENSE Security Advisory 2009-06-25.2
Posted Jun 26, 2009
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 06.25.09 - Remote exploitation of a stack-based buffer overflow vulnerability in Motorola Inc.'s Timbuktu Pro could allow attackers to execute arbitrary code with SYSTEM privileges. Timbuktu fails to properly handle user-supplied data passed through a named pipe session. When the PlughNTCommand named pipe receives an overly large character string, a buffer overflow will occur resulting in arbitrary code execution. iDefense has confirmed the existence of this vulnerability in Timbuktu Pro version 8.6.5. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary, code execution
advisories | CVE-2009-1394
MD5 | 7b1727374e978e65be5b7f035032e7ed
Kaspersky Klim5.sys Advisory
Posted Feb 2, 2009
Authored by Ruben Santamarta | Site wintercore.com

KIS 2008 and Kaspersky AntiVirus for Workstations suffer from a local privilege escalation vulnerability in Klim5.sys.

tags | advisory, local
MD5 | c5388878a3fd6e86236734a2652706ee
Kaspersky Klim5.sys Privilege Escalation Exploit
Posted Feb 2, 2009
Authored by Ruben Santamarta | Site wintercore.com

KIS 2008 and Kaspersky AntiVirus for Workstations local privilege escalation exploit for Klim5.sys.

tags | exploit, local
MD5 | 8560d920fbeed67cfe99edaee9879e3a
Wintercore Advisory WM01-0109
Posted Jan 21, 2009
Authored by Ruben Santamarta | Site wintercore.com

Wintercore Advisory - PXEService.exe is prone to a remote buffer overflow due to improper bounds checking when handling PXE requests. A remote unauthenticated malicious attacker can take advantage of this flaw to execute arbitrary code by sending a specially crafted UDP packet. SystemcastWizard Lite versions 2.0 and below are affected.

tags | advisory, remote, overflow, arbitrary, udp
MD5 | 521d7d593e7cd3099c540eedd01897f7
afd_plugin.zip
Posted Oct 16, 2008
Authored by Ruben Santamarta | Site reversemode.com

K-Plugin for Kartoffel that exploits a kernel memory overwrite in AFD.sys as outlined in MS08-066. Applies to Microsoft Windows XP and 2003.

tags | exploit, kernel
systems | windows, xp
MD5 | 1cb47aa297bcdcce88506ae96e34cbc5
advisory_W021008.txt
Posted Oct 9, 2008
Authored by Ruben Santamarta

The Microsoft Windows kernel is prone to a local privilege escalation due to an integer overflow error within the IopfCompleteRequest function. This vulnerability may allow attackers to execute arbitrary code in the kernel context, thus allowing privilege escalation to SYSTEM.

tags | advisory, overflow, arbitrary, kernel, local
systems | windows
MD5 | e490214eb95d7caee876f060c592f734
exploit_realwin.c
Posted Sep 26, 2008
Authored by Ruben Santamarta | Site reversemode.com

DATAC RealWin version 2.0 SCADA software remote pre-auth exploit.

tags | exploit, remote
MD5 | b85b2faab758d113e2afdcd634316164
iDEFENSE Security Advisory 2008-08-12.4
Posted Aug 13, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 08.12.08 - Remote exploitation of an integer overflow vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application. This vulnerability specifically exists when handling CString objects embedded in a PowerPoint presentation file. An issue in this object results in a very small buffer being allocated while a very large amount of data is copied into it. This leads to an exploitable heap-based buffer overflow. iDefense has confirmed that pptview.exe file version 11.0.5703.0 and file version 11.0.6566.0, as included in Microsoft Office 2003 SP2, are vulnerable. Other versions are also likely to be affected.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2008-0120
MD5 | 396ecf4f3a5c65f6dd3bccd2fad6f1ef
iDEFENSE Security Advisory 2008-08-12.3
Posted Aug 13, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 08.12.08 - Remote exploitation of an out-of-bounds array index vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application. This vulnerability specifically exists in PowerPoint Viewer 2003 when handling certain records in a PowerPoint presentation file. In some circumstances, an array index can be directly controlled by data from within the PowerPoint presentation file. Thus, a function pointer can be directly controlled by the attacker and leveraged for arbitrary code execution. iDefense has confirmed that pptview.exe file version 11.0.5703.0 is vulnerable. Previous versions are also likely to be affected.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2008-0121
MD5 | 2678fdce1c494b2f84914fc23378da20
iDEFENSE Security Advisory 2008-05-12.1
Posted May 12, 2008
Authored by iDefense Labs, Ruben Santamarta | Site idefense.com

iDefense Security Advisory 05.12.08 - Local exploitation of an input validation vulnerability within version 5.1.2600.2180 of i2omgmt.sys, as included with Microsoft Corp's Windows XP operating system, could allow an attacker to execute arbitrary code in the context of the kernel. iDefense has confirmed the existence of this vulnerability in i2omgmt.sys version 5.1.2600.2180 as installed on some Windows XP SP2 systems. All other Windows releases with this driver, including previous versions, are suspected to be vulnerable.

tags | advisory, arbitrary, kernel, local
systems | windows, xp
advisories | CVE-2008-0322
MD5 | 9a855b4f3e57f9d46308c1a0f2293ded
ms08-25-exploit.zip
Posted Apr 29, 2008
Authored by Ruben Santamarta | Site reversemode.com

Microsoft Windows XP SP2 privilege escalation exploit that leverages win32k.sys and takes advantage of the vulnerability noted in MS08-025.

tags | exploit
systems | windows, xp
MD5 | 7aabcf4001e815925060355ccd596234
W01-0408.txt
Posted Apr 24, 2008
Authored by Ruben Santamarta | Site wintercore.com

Wintercore Advisory - Realtek HD Audio Codec Drivers are prone to a local privilege escalation due to insufficient validation of user-mode buffers. RTKVHDA.sys versions below 6.0.1.5605 and RTKVHDA64.sys signed versions below 6.0.1.5605 are affected.

tags | advisory, local
MD5 | 47a309b2daf808a41f1509b4c34eb2bc
Zero Day Initiative Advisory 08-017
Posted Apr 4, 2008
Authored by Tipping Point, Ruben Santamarta | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the quicktime.qts library responsible for parsing Kodak-encoded images. A lack of proper error checking can result in a heap-based buffer overflow leading to arbitrary code execution under the context of the currently logged-in user. Version 7.4.1 is affected.

tags | advisory, overflow, arbitrary, code execution
systems | apple
advisories | CVE-2008-1020
MD5 | 71f08357b01b38db42fb821eaa3dce66
Page 1 of 3

© 2016 Packet Storm. All rights reserved.