Showing 1 - 25 of 42

Files

sparc.zip
Posted Jan 25, 2002
Authored by David Litchfield | Site atstake.com

This document describes buffer overrun vulnerabilities on Sun Microsystems SPARC machines. We will begin by examining the SPARC architecture, looking at the registers and the stack. We will then go on to see exactly how buffer overrun vulnerabilities occur and how control over the process's execution is gained under SPARC and then detail how, from here, the vulnerability can be exploited to gain control over the computer by looking at exploit code that spawns a shell under Solaris.

tags | paper, overflow, shell, vulnerability
systems | unix, solaris
SHA-256 | ea2827088b20a431d2ee4be68183cd2ee8cf525ff70d198af4b747cffecabe5c

Related Files

Solaris/SPARC chmod() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

64 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.

tags | shellcode
systems | solaris
SHA-256 | ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d1994210
Solaris/SPARC execve() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

60 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.

tags | shellcode
systems | solaris
SHA-256 | d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946
Solaris/SPARC chmod() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

Solaris/SPARC chmod() shellcode with a max size of 36 bytes.

tags | shellcode
systems | solaris
SHA-256 | 844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470
Practical Insight Into Injections
Posted Jan 13, 2021
Authored by Hanut Kumar Arora

Whitepaper called Practical Insight into Injections. This document describes the meaning, working, implementation, and impact of injection vulnerabilities.

tags | paper, vulnerability
SHA-256 | 6a5ae62578e03e5fae5499de0f9c9079fad4dbf7a91b087fa7ff48b6c628a503
NETGEAR R6700v3 Password Reset / Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site github.com

This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.

tags | exploit, overflow, root
SHA-256 | 3ccd57c2afc9c37bec7729262aa2b172845c46c639bdb363b6009f40ca166d05
A Tale of openssl_seal(), PHP, and Apache2handle
Posted Feb 2, 2016
Authored by Filip Palian, Marek Kroemeke, Mateusz Kocielski

openssl_seal() is prone to use uninitialized memory that can be turned into a code execution. This document describes technical details of the journey to hijack apache2 requests. It is a very well written and thoroughly documented piece of research.

tags | exploit, paper, code execution
SHA-256 | 7328b4676384b96b2489eec8e7c79cb066123cadf924ac7ffb3cdc3f203e52c4
TestDisk 6.14 Check_OS2MB Stack Buffer Overflow
Posted Apr 30, 2015
Authored by Denis Andzakovic | Site security-assessment.com

This document details a stack-based buffer overflow vulnerability within TestDisk version 6.14. A buffer overflow is triggered within the software when recovery of a malicious disk image is attempted. This may be leveraged by an attacker to crash TestDisk and gain control of program execution. An attacker would have to coerce the victim to run TestDisk against their malicious image.

tags | exploit, overflow
SHA-256 | 7a37d596089ffb1fa811b151734f591791c8d53219a3fdd9ea5cf26e1b134cc6
The Palinopsia Bug
Posted Mar 24, 2015
Authored by Bastian

This document describes a method of reading and displaying previously used framebuffers from a variety of popular graphics cards. In all 4 tested laptops the content of the VRAM was not erased upon reboot. It is also possible to show that the content of the host VRAM can be accessed from a VirtualBox guest, thereby leaking possibly confidential information from a trusted host into an untrusted guest machine.

tags | advisory
SHA-256 | b4aaca0e9f25ac73a7469f0a528eb42aba706fce9a84dc3b2b658276a24ab28d
RFC7359 - Layer 3 Virtual Private Network (VPN) Tunnel Traffic Leakages In Dual-Stack Hosts/Networks
Posted Aug 27, 2014
Authored by Fernando Gont

The subtle way in which the IPv6 and IPv4 protocols coexist in typical networks, together with the lack of proper IPv6 support in popular Virtual Private Network (VPN) tunnel products, may inadvertently result in VPN tunnel traffic leakages. That is, traffic meant to be transferred over an encrypted and integrity-protected VPN tunnel may leak out of such a tunnel and be sent in the clear on the local network towards the final destination. This document discusses some scenarios in which such VPN tunnel traffic leakages may occur as a result of employing IPv6-unaware VPN software. Additionally, this document offers possible mitigations for this issue.

tags | paper, local, protocol
SHA-256 | fa98023a273f3231dab648bba72fdf7f52dd2a529b75297420d89773222e1c25
VPN Traffic Leakages In Dual-Stack Hosts/Networks
Posted Jan 19, 2013
Authored by Fernando Gont

The subtle way in which the IPv6 and IPv4 protocols co-exist in typical networks, together with the lack of proper IPv6 support in popular Virtual Private Network (VPN) products, may inadvertently result in VPN traffic leaks. That is, traffic meant to be transferred over a VPN connection may leak out of such connection and be transferred in the clear on the local network. This document discusses some scenarios in which such VPN leakages may occur, either as a side effect of enabling IPv6 on a local network, or as a result of a deliberate attack from a local attacker. Additionally, it discusses possible mitigations for the aforementioned issue.

tags | paper, local, protocol
SHA-256 | 9effe2e0fcf845f3f698a422ede8446c43df6f4d6472aafb96dd9a13c554fe6a
Recommendations On Filtering IPv4 Packets Containing IPv4 Options
Posted Jan 19, 2013
Authored by Fernando Gont

This document provides advice on the filtering of IPv4 packets based on the IPv4 options they contain. Additionally, it discusses the operational and interoperability implications of dropping packets based on the IP options they contain.

tags | paper
SHA-256 | f955987c95afee36773fb986f0bf5b02f89c6d9a9973c325dcbc1e926676ad9a
Security Implications Of IPv6 On IPv4 Networks Revision 02
Posted Jan 19, 2013
Authored by Fernando Gont

This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on "IPv4-only" networks, and describes possible mitigations for the aforementioned issues.

Changes: Updated version for 01/2013.
tags | paper
SHA-256 | 903ddcb4eca069a1e4d2bb9516b478eda66b60596e5457b418a1891a5c85d510
Processing Of IPv6 Atomic Fragments
Posted Jan 19, 2013
Authored by Fernando Gont

The IPv6 specification allows packets to contain a Fragment Header without the packet being actually fragmented into multiple pieces (we refer to these packets as "atomic fragments"). Such packets typically result from hosts that have received an ICMPv6 "Packet Too Big" error message that advertises a "Next-Hop MTU" smaller than 1280 bytes, and are currently processed by some implementations as "fragmented traffic". Thus, by forging ICMPv6 "Packet Too Big" error messages an attacker can cause hosts to employ "atomic fragments", and then launch any fragmentation-based attacks against such traffic. This document discusses the generation of the aforementioned "atomic fragments", the corresponding security implications, and formally updates RFC 2460 and RFC 5722 such that fragmentation-based attack vectors against traffic employing "atomic fragments" are completely eliminated.

tags | paper
SHA-256 | feac00abce76ecd39bf1bb5b6c8804af13f2781cf51012a6d77c2a65a15888df
Security Implications Of IPv6 Options Of Type 10xxxxxx Revision 01
Posted Jan 19, 2013
Authored by Fernando Gont

When an IPv6 node processing an IPv6 packet does not support an IPv6 option whose two-highest-order bits of the Option Type are '10', it is required to respond with an ICMPv6 Parameter Problem error message, even if the Destination Address of the packet was a multicast address. This feature provides an amplification vector, opening the door to an IPv6 version of the 'Smurf' Denial-of-Service (DoS) attack found in IPv4 networks. This document discusses the security implications of the aforementioned options, and formally updates RFC 2460 such that this attack vector is eliminated. Additionally, it describes a number of operational mitigations that could be deployed against this attack vector.

Changes: Updated version for 01/2013.
tags | paper
SHA-256 | fb4961bf8357488cad14ec9267d3578def97ef7eb554541ecd35f6f1114d3f2c
Security / Robustness Assessment Of IPv6 ND Implementations
Posted Dec 18, 2012
Authored by Fernando Gont

Recent security research seems to indicate that a number of IPv6 Neighbor Discovery implementations fail to implement basic sanity checks on received packets and/or fail to properly manage protocol data structures, being subject to trivial Denial of Service (DoS) attacks. Additionally, some IPv6 protocol features allow a number of attacks, ranging from man-in-the-middle to Denial of Service (DoS). This document discusses how to conduct a security/robustness assessment of Neighbor Discovery implementations by means of the SI6 Networks' IPv6 toolkit - a free, portable, and fully-featured IPv6 security assessment and trouble-shooting toolkit. Additionally, it provides pointers to ongoing work in this area, such that the aforementioned issues can be mitigated where appropriate.

tags | paper, denial of service, protocol
SHA-256 | 00689e040da9e663b0fd1da9b9db7839be24c443cac8af491a0154bbdf4e6c94
Security Implications Of IPv6 On IPv4 Networks
Posted Sep 5, 2012
Authored by Fernando Gont

This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on "IPv4-only" networks, and describes possible mitigations for the aforementioned issues.

tags | paper
SHA-256 | 2ca68992f1e854362ce2fe5d00357f8634430a612c312dba8e00ad5d586e35f4
Security Implications Of IPv6 On IPv4 Networks
Posted Apr 24, 2012
Authored by Fernando Gont

This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on "IPv4-only" networks, and describes possible mitigations for the aforementioned issues.

tags | paper
SHA-256 | b620fd364138e64c6e10717389b326fd4176c5005ea71cbad80cb84096381fe9
IPv6 Router Advertisement Guard (RA-Guard) Evasion
Posted Jun 1, 2011
Authored by Fernando Gont | Site ietf.org

The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly employed to mitigate attack vectors based on forged ICMPv6 Router Advertisement messages. Many existing IPv6 deployments rely on RA-Guard as the first line of defense against the aforementioned attack vectors. This document describes possible ways in which current RA-Guard implementations can be circumvented, and discusses possible mitigations.

tags | paper
SHA-256 | 419dbe3a0dedd1c464fb648a00b9ab7d264f3801038e9c2fc543db909c6fa908
Cisco Security Advisory 20110202-tandberg
Posted Feb 3, 2011
Authored by Cisco Systems | Site cisco.com

Cisco Security Advisory - Tandberg C Series Endpoints and E/EX Personal Video units that are running software versions prior to TC4.0.0 ship with a root administrator account that is enabled by default with no password. An attacker could use this account in order to modify the application configuration or operating system settings. Resolving this default password issue does not require a software upgrade and can be changed or disabled by a configuration command for all affected customers. The workaround detailed in this document demonstrates how to disable the root account or change the password.

tags | advisory, root
systems | cisco
advisories | CVE-2011-0354
SHA-256 | 0bf1d1a2a5073105e6e57bd85957a61f87e2f9a536784275c073ea397c43b70b
Google Docs PDF Repurposing
Posted May 11, 2009
Authored by Aditya K Sood | Site secniche.org

This document discusses cookie hijacking in Google Docs through PDF repurposing attacks. This has since been fixed by Google.

tags | advisory
SHA-256 | 84043a14c6b544193ef554abc031b0e021f2e7a63dfe4048ecfc5c7db290d8e8
IETF TCP Urgent Data Draft
Posted Feb 27, 2009
Authored by Fernando Gont | Site ietf.org

This is the IETF Internet-Draft entitled "On the implementation of TCP urgent data". This document describes current issues relevant to the implementation and use of TCP urgent data, and aims to change the IETF specifications so that they accommodate what virtually all implementations have been doing with urgent data.

tags | paper, tcp
SHA-256 | 384e21ff4feb6dfa943d320a646ab513ba681507acc08360bf5b6874ae7476f9
draft-ietf-tsvwg-port-randomization-02.txt
Posted Sep 3, 2008
Authored by Fernando Gont, Michael Vittrup Larsen | Site ietf.org

This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.

Changes: This new revision of the document addresses the feedback we got from Amit Klein, Matthias Bethke, and Alfred Hoenes.
tags | paper, local, udp, tcp, protocol
SHA-256 | 61b14f84224795032551d1a5e2ebfe45a4f86868563581fff491e9408e636381
draft-ietf-tsvwg-port-randomization-01.txt
Posted Jul 17, 2008
Authored by Fernando Gont, Michael Vittrup Larsen | Site ietf.org

This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.

tags | paper, local, udp, tcp, protocol
SHA-256 | 1ce58606d3eddff9223fe3a488f8c0cc0f6238e521811ffc418b4dd84491b12b
draft-ietf-tsvwg-port-randomization-00.txt
Posted Dec 8, 2007
Authored by Fernando Gont, Michael Vittrup Larsen | Site ietf.org

This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.

tags | paper, local, udp, tcp, protocol
SHA-256 | f6784276bc77577f72c09f503deab41ce6fabf7bb9a8b44edd61410211141a2c
sparc_stack-overflow.txt
Posted Aug 11, 2007
Authored by skew

Writing local stack overflows on Solaris SPARC.

tags | paper, overflow, local
systems | solaris
SHA-256 | 1178fffed1c888d3076dac7a5c02c32cb12d80ea6e89eb2c63ef61178491c43f