Showing 1 - 17 of 17

Files from joernchen

Email address: joernchen at phenoelit.de
First Active: 2010-12-27
Last Active: 2018-10-17

Git Submodule Arbitrary Code Execution
Posted Oct 17, 2018
Authored by joernchen

This write up provides a proof of concept with technical details for the git submodule arbitrary code execution vulnerability.

tags | exploit, arbitrary, code execution, proof of concept
advisories | CVE-2018-17456
SHA-256 | e19e46c66ca213278e2e5071ab8ca2967a9ee4af6d8e8a3c08f2175f8fa16633
Git cvsserver Remote Command Execution
Posted Sep 28, 2017
Authored by joernchen | Site phenoelit.de

The git subcommand cvsserver is a Perl script which makes excessive use of the backtick operator to invoke git. Unfortunately, user input is used within some of those invocations, which allows for OS command injection. Versions before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 are affected.

tags | exploit, perl
SHA-256 | 2de6037444f7b5a4cba7811fd7636e3e1a89d1b61face8188b179e5a4d83797b
Metasploit Web UI Static secret_key_base Value
Posted Sep 24, 2016
Authored by joernchen, Justin Steven | Site metasploit.com

This Metasploit module exploits the Web UI for Metasploit Community, Express and Pro where one of a certain set of Weekly Releases has been applied. These Weekly Releases introduced a static secret_key_base value. Knowledge of the static secret_key_base value allows for deserialization of a crafted Ruby Object, achieving code execution. This Metasploit module is based on exploits/multi/http/rails_secret_deserialization.

tags | exploit, web, code execution, ruby
SHA-256 | 0aed762884874a2a56109540ad0db42b6eefad643e2cf8d5c9179b0f1d8783a6
JRuby Sandbox 0.2.2 Bypass
Posted Apr 24, 2014
Authored by joernchen

jruby-sandbox aims to allow safe execution of user given Ruby code within a JRuby [0] runtime. However, via import of Java classes, it is possible to circumvent those protections and execute arbitrary code outside the sandboxed environment. Versions 0.2.2 and below are affected.

tags | exploit, java, arbitrary, ruby
SHA-256 | 95989cd8d69be3950435d2b8b421d281337ab209a2bdeb9f0d15a7d1b1f1dd76
Github Remote Command Execution
Posted Feb 24, 2014
Authored by joernchen

Github suffered from a remote command execution vulnerability via variable injection.

tags | exploit, remote
SHA-256 | 9f7a407ba51e7296ee3742308b11d9a6e7b6f2bcb28af5feb69321525261aeef
Open-Xchange 7.4.1 Script Insertion
Posted Feb 11, 2014
Authored by joernchen, Martin Braun

Open-Xchange AppSuite version 7.4.1 fails to properly neutralize JavaScript inserted at the header of an SVG image file.

tags | advisory, javascript
advisories | CVE-2014-1679
SHA-256 | 902503927eb1161ffb0b2ded9523ac54b5ca2dc0ca6eb132a17f1234f1998415
Fat Free CRM CSRF / SQL Injection / Known Secret
Posted Dec 24, 2013
Authored by joernchen

Fat Free CRM suffers from cross site request forgery, known session secret, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, info disclosure, csrf
SHA-256 | e36735d125c4d5e421f622b4448eb7831f1aded7c14c184b6ede1eee0bf01c06
sup Remote Command Execution
Posted Oct 29, 2013
Authored by joernchen

sup versions prior to 0.14.1.1 and prior to 0.13.2.1 suffer from an arbitrary command execution vulnerability via a forged content type of an email attachment.

tags | exploit, arbitrary
SHA-256 | 7f25065280e73ca0e7c1a1f6429061cd9ee6353dfc98cf483575c0a5d76a0da5
Ruby on Rails Known Secret Session Cookie Remote Code Execution
Posted Aug 11, 2013
Authored by joernchen | Site metasploit.com

This Metasploit module implements remote command execution on Ruby on Rails applications. The prerequisite is knowledge of the "secret_token" (Rails 2/3) or "secret_key_base" (Rails 4). The values for those can usually be found in the file "RAILS_ROOT/config/initializers/secret_token.rb". The module achieves RCE by deserialization of a crafted Ruby Object.

tags | exploit, remote, ruby
SHA-256 | 11be9f012016644efb3d2156025a67454ab17fda375b0d1a9de05a368b0ca5e5
sudo 1.8.3p1 Format String
Posted Jan 30, 2012
Authored by joernchen | Site phenoelit.de

sudo versions 1.8.0 through 1.8.3p1 suffer from a format string vulnerability that allows for privilege escalation.

tags | exploit
SHA-256 | 81fb04538af951a21c660e19f143b2d360f83aa70ff21c86befc1fc8af952094
Gitorious Remote Command Execution
Posted Jan 28, 2012
Authored by joernchen | Site phenoelit.de

Gitorious versions prior to 2.1.1 suffer from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 6eaad22fe33effe3e4d1a3e355ffa9f4cb239465e6efdd17446f0304e8263e07
Gitorious Arbitrary Command Execution
Posted Jan 21, 2012
Authored by joernchen | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in Gitorious. Unvalidated input is sent to the shell, allowing command execution.

tags | exploit, arbitrary, shell
SHA-256 | 023996dd7d2c62a5dab4704f9115739776acd6d35999b55954dfb79301ee71fe
Spreecommerce 0.60.1 Arbitrary Command Execution
Posted Oct 10, 2011
Authored by joernchen | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution.

tags | exploit, arbitrary, ruby
advisories | OSVDB-76011
SHA-256 | d3108b6b1413b6aeeeff914cbc18a85d9770bf726d64b72125ff0d155c918d7a
Spreecommerce Arbitrary Command Execution
Posted Apr 22, 2011
Authored by joernchen | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic. Unvalidated input is called via the Ruby send method allowing command execution.

tags | exploit, arbitrary, ruby
advisories | OSVDB-71900
SHA-256 | 5f324564c756ec1163ada3b1c576328ce33a96570f58fa83e43acb3bf9d56e4e
Distributed Ruby Send instance_eval/syscall Code Execution
Posted Mar 28, 2011
Authored by joernchen | Site metasploit.com

This Metasploit module exploits remote code execution vulnerabilities in dRuby.

tags | exploit, remote, vulnerability, code execution
SHA-256 | a681602f532ac58f4f6a9e537c9a81e6dec64369d00b6b75f0ed0815a4eb1b33
Distributed Ruby Send Syscall Vulnerability
Posted Mar 23, 2011
Authored by joernchen | Site metasploit.com

This Metasploit module exploits remote syscalls in DRuby.

tags | exploit, remote
SHA-256 | a802a00709712a959585c5ee44f6a3601a7d2f74fae2b7984b61b541d1f3a35f
Redmine SCM Repository Arbitrary Command Execution
Posted Dec 27, 2010
Authored by joernchen | Site metasploit.com

This Metasploit module exploits an arbitrary command execution vulnerability in the Redmine repository controller. The flaw is triggered when a rev parameter is passed to the command line of the SCM tool without adequate filtering.

tags | exploit, arbitrary
advisories | OSVDB-70090
SHA-256 | b07063132a30d982b8374ebb512a724b5c8499987169c5fc9e3ffb5ff0057e46