Redis is an in-memory key-value database. Because of its design, typical use cases include session caching, full-page caching, message queues, leaderboards and counters, among others. By default, the service runs on port 6379. In my case, redis was running on a range of ports, 7081-7090. So an nmap […]
Author Archives: buffered4ever
CVE-2018-2894 – Weblogic JSP File Upload
CVE-2018-2894 – WebLogic JSP File Upload vulnerability Oracle WebLogic suffers from a trivial file upload vulnerability. Here are the steps to reproduce the vulnerability. 1) Go to http://172.17.0.2:7001/ws_utc/config.do If you can’t access 172.17.0.2:7001/ws_utc, this means the web service test client is disabled for your WebLogic server, which is a good thing. 2) Change the Work Home […]
CVE-2018-3004 – Oracle Database Privilege Escalation via XML Deserialization
Oracle Database Privilege Escalation via XML Deserialization Since this is a privilege escalation, let's assume you have access to an Oracle database with at least the following roles: CONNECT and RESOURCE. In this example the user tom has been granted the CONNECT and RESOURCE roles. XML Deserialization: the java.beans library has two classes, XMLEncoder to serialize a Java object […]
CVE-2018-17246 – Kibana Local File Inclusion
Logstash is an open source tool for collecting, parsing, and storing logs for future use. Kibana is a web interface that can be used to search and view the logs that Logstash has indexed. Both of these tools are built on Elasticsearch. Elasticsearch, Logstash, and Kibana used together are known as an ELK stack. Vulnerability: Affected URL: http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file> Affected Parameter: apis The […]
SLAE 0x7 – Custom crypter
Crypters are programs that encrypt an executable or shellcode, decrypt it at runtime and then run it. So the idea is to use a key/string to encrypt the shellcode. The encrypted shellcode is then decrypted with the same key and run. To understand this further, we will create our own custom crypter using the AES encryption […]
SLAE 0x6 – Polymorphic Shellcode
Anti-virus and IDS vendors constantly create signatures for any new type of shellcode to keep their products updated and protect against attacks. But malware developers also try to stay ahead of the game by finding new ways to evade AV/IDS. Today we will cover creating polymorphic shellcode, which is often used to defeat signature […]
SLAE 0x5 – Shellcode Analysis
Today, we find shellcode on various websites like shell-storm.org, exploit-db.com and other internet forums. Running shellcode without understanding the code could have catastrophic results. For instance, a shellcode could do an rm -rf on the file system even though the comments in the shellcode indicate otherwise. Therefore, I think it's important we learn what's going […]
SLAE 0x4 – Custom Encoder
Encoding is the process of converting data from one form to another. Encoding is very different from encryption. Encoding converts data using an algorithm that can be easily reversed. The purpose of encoding is simply to transform data into another form that can be consumed by another system. On the other hand, encryption is used to […]
SLAE 0x3 – Egghunter Shellcode
An egghunter is shellcode that searches memory for an 8-byte egg that we deliberately place there. Once found, this egg marks a much larger space in memory where our shellcode can run. An egghunter can be very useful in a buffer overflow situation where we control the flow of the program but cannot execute our […]
SLAE 0x2 – Shell_Reverse_Tcp
In the last post, we looked at writing the shell_bind_tcp assembly program. In this post, we will write a reverse shell in assembly. Unlike bind TCP, where the port is opened on the target system, here we have a port listening on our attacker machine, and the victim connects to our open port and sends us […]